Policy Monitor

Policy Monitor — March 2020

Privacy concerns raised over Iran’s COVID-19 app as links to developer behind recent data leaks revealed.

As the Iranian calendar year came to a close this March, there were few signs of the traditional Nowruz celebration as the country continued its fight against the spread of COVID-19. Though some good news emerged from the crisis this month with a number of prisoners with security and political charges being granted temporary release, there is still little evidence to suggest that sufficient and effective measures are being taken by the government to contain the virus.

This of course is not a problem exclusive to Iran, and the number of cases and deaths continue to rise globally. But Iran has faced questions from some quarters for potentially playing down the impact of the virus in an effort to keep the country’s economy moving, and for reacting too slowly to its spread. These policy failures have been compounded by the added pressure of sanctions, which have further disrupted access to the purchase of medicine and other vital supplies for Iran’s healthcare system.

Meanwhile, the internet continues to offer a vital lifeline during this crisis, further highlighting the urgent need for citizens’ digital rights to be fully upheld and protected.

This month we saw connection speeds slowing down to cope with increased traffic, alongside major data leaks from forked Telegram clients. While much of political life seems to have ground to a halt as a result of the COVID-19 outbreak and the Nowruz holidays, the Iranian Parliament attempted to carry on its business by holding sessions online.

Our Network Monitor supplements this report with a technical analysis of network disruptions and internet shutdowns. Take a look at it to get a better sense of how COVID-19-related slowdowns affected Iranian users.

Iran’s Parliament Temporarily Moves Online

On 17 March the first online parliamentary test session was held with reportedly 76 MPs and Speaker Ali Larijani present. The decision was made following a ban on public meetings by the “National Coronavirus Task Force”. Two further parliamentary sessions were held online in March. However, none of the sessions were quorate — reportedly due to MPs encountering technical difficulties when joining — and were therefore not officially recognised, as votes could not be taken. The sessions were held using a dedicated platform known as “Majles-yar” and hosted by Irancell.

The first in-person parliamentary session since the closure on 25 February has now been held on 7 April with a limited number of MPs present and headed by Deputy Speaker Masoud Pezeshkain, following Larijani contracting COVID-19 in early April.

According to a tweet by ICT Minister Mohammad-Javad Azari Jahromi, the ICT Ministry has also been holding meetings online.

“Free Broadband Internet” for Iranian Users for a Limited Time

On 7 March, Jahromi tweeted that following “numerous’’ requests, broadband providers were giving free 100GB packages to their users for two weeks, which was extended until 26 March by some ISPs.

The free internet package increased the traffic load on the national network which resulted in ISPs slowing down internet speeds to cope with the increased traffic. The March edition of our Network Monitor has more details on this month’s network disruptions and shutdowns.

Data From 42 Million Iranian Telegram Users Leaked Online

According to a report by Comparitech on 30 March, data from 42 million Iranian users from Telegram clones or “forks” (unofficial and unaffiliated versions of the app) including user IDs, telephone numbers, usernames, and hashes and secret keys.

Compatitech added that a group known as “Hunting System” (Persian:سامانه شکار) posted the data on Elasticsearch, which could be viewed without a password or authentication. It has been confirmed that the data was exposed for “around 11 days” before it was removed from Elasticsearch on 25, however, before it was removed unauthorised users had already accessed the data and one user had posted the data on a hacker forum.

The filtering of Telegram has led to many Iranain users to move to unsecure clone versions of the app which do not have the same security measures, putting their data at risk. Those whose data has been leaked are now vulnerable to phishing and SIM swap attacks. Iranian users must be notified of this leak immediately and should be allowed access to secure messaging apps in an unhindered fashion.

Google Removes Iran’s Covid-19 “Diagnosis” App from The Google Play Store

Iranian COVID-19 App known as AC19

On 9 March, Google removed Iran’s COVID-19 “diagnosis” app known as AC19. The app, which claims to “diagnose” COVID-19 through a series of yes or no questions collected mobile phone numbers and real-time geo-location as well as other personal data from individuals, raising concerns about data privacy and surveillance.

To date, Google has not commented on the reasons behind the decision to remove the app. Claims made about the app containing malware or spyware have been challenged by a security expert, who commented that the collection of geo-location data was made through “legitimate permission prompt that users had to agree [to]”, similar to many other Android apps. Instead, some reports suggest that the removal of the app was due to its “misleading claims’’ about diagnosing COVID-19, as part of a wider crackdown on apps making false or misleading claims amid the pandemic.

However, Jahromi made clear that geolocation data was being collected and used when he tweeted maps on 9 March and 11 March with “hotspots” which he claimed were produced using data from 3.5 million AC19 users to identify locations with heavy footfall, seeking to minimise unnecessary travel.

Jahromi tweets a map of infection hotspots on 11 March using “data from 3.5 million AC19 users”

Concerns remain raised about the privacy and the security of the app for users given the lack of clarity from the app and the government on continued tracking of users and the collection and storing of their location data, preventing users from being able to give informed consent to the app. Given Iran’s track record on surveillance and the absence of any meaningful data protection laws and safeguards for users, there is also the increased risk from the government potentially exploiting this data for surveillance purposes, which could last beyond the duration of the pandemic.

These concerns are heightened as it has been revealed that the AC19 app was developed by Smart Land Strategy, the company behind clone Telegram apps Hotgram and Golden Telegram which have weak and unsatisfactory security practices, highlighted in the recent data leak containing information from 42 million Iranian users collected through these apps (see cybersecurity and cybercrime section). These clone apps were removed from the Google Play Store due to concerns about spyware and malware spreading through app installations. AC19 is still available on Cafe Bazaar and online.

During these unprecedented times, technology is serving as an invaluable tool to help understand and prevent the spread of the virus, and to collect crucial data about its prevalence and spread. Across the world, many countries have deployed apps or relied on other data sources to better understand the viruses symptoms and spread. This has opened up a debate around balancing issues of surveillance, privacy, and public health.

Although these questions are challenging, it is clear that any methods for surveilling users to collect data on the virus must be built with public trust and government transparency about its use at the forefront. So far, the Iranian government has failed to offer this. This is especially important given the lack of legal data protections in the country. Until such meaningful protections are in place, users and rights activists will continue to maintain a degree of scepticism about the intent and scope of these measures.

Domestic Messaging App “Soroush” Advertised for Auction

On 8 March reports based on an auction advertisement confirmed that domestic messaging app Soroush is being sold. Soroush, which is backed by the state broadcasting organisation The Islamic Republic of Iran Broadcasting (IRIB) who own majority shares in the app, was marketed as a replacement for Telegram in the aftermath of its filtering in 2018.

According to Soroush’s Managing Director Morteza Rahimi, the sale is to “increase investment” so that “services can expand”.

The use of domestic messaging apps continues to be a concern due to lack of privacy measures which can allow government surveillance. While Iranian citizens currently have a choice to use foreign messaging apps, it may be likely that domestic messaging will be pushed more aggressively by the government if new legislation is passed, limiting options for Iranian users.