With our ever-increasing dependency on online and digital services, the number of data leaks has risen worldwide, leaving users and businesses more vulnerable to cyber attacks.
This problem is no different in Iran, which has experienced a series of major data leaks in recent years. A particularly significant incident took place in March this year, when the data of 42 million Iranian Telegram users was leaked online, a figure that could represent up to half of the country’s population. Within days, another leak affected the ‘Sib’ app, with the leaked data reportedly being offered for sale online for $500.
So far, the response from the Iranian authorities has been inadequate: they have neither taken action to prevent similar leaks in the future, nor done anything to safeguard users whose sensitive data is now readily available online from the attacks that are likely to follow.
We believe that Iranian internet users are made particularly vulnerable to these data leaks by two persistent features of Iran’s internet policy: the lack of a comprehensive and meaningful data protection framework, and a far-reaching internet localisation agenda implemented under the National Information Network.
In this edition of Filterwatch, we examine a number of recent major data leak incidents in Iran and the effects of the National Information Network on online privacy and data protection, and outline the steps that policy-makers and tech companies need to take in order to protect Iranians from similar leaks in the future.
How was the Data Leaked Online?
On 31 March it was revealed that data from 42 million Iranian Telegram users had been leaked online. According to security researcher Bob Diachenko, the data was posted online by a group known as Samaneh Shekar (‘Hunting System’). It was exposed as an Elasticsearch cluster (Elasticsearch is an open source search and analytics engine) that required no password or other authentication to access: anyone who found the server’s address could query the full data set.
The data remained exposed for 11 days before Diachenko reported it to the hosting provider, and the Elasticsearch cluster was deleted on 25 March. According to Diachenko, the Hunting System server was taken down after he contacted MAHER, Iran’s computer emergency response team. By then, however, the data had already been copied, posted on at least one other hacker forum, and offered for sale.
The data set is described as containing 42 million user records originating from Iran, including account IDs and usernames, phone numbers, and ‘hashes’ (fixed-length codes derived from the account data stored on the server).
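The exposure described above is the commonest way a search cluster ends up public: a node that answers the REST API on a reachable address with security disabled. The following Python is an added example written for this edition, not code from the original report or from any party named in it. It assumes the documented Elasticsearch 6.x/7.x API: an open node answers GET / with cluster metadata, GET /_cat/indices?format=json lists indices with document counts, and a node with authentication enabled answers HTTP 401 with a `security_exception` body. The sample responses at the bottom are constructed for the demonstration, not captured from any real host.

```python
"""Check whether an Elasticsearch node answers without authentication.

Added example (not from the original article). Assumes the Elasticsearch REST
API as documented for 6.x/7.x. Only probe systems you are authorised to test.
"""
from __future__ import annotations

import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class Finding:
    exposed: bool
    reason: str
    indices: list = field(default_factory=list)  # (index, doc_count) pairs when exposed


def classify_root(status: int, body: str) -> tuple[bool, str]:
    """Classify the response to GET / on a suspected Elasticsearch host."""
    if status == 401:
        return False, "authentication required (HTTP 401)"
    if status == 403:
        return False, "forbidden (HTTP 403)"
    if status != 200:
        return False, f"unexpected HTTP status {status}"
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return False, "200 but body is not JSON (probably not Elasticsearch)"
    # An open node volunteers its cluster name and version to anyone who asks.
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        version = doc["version"].get("number", "?")
        return True, f"unauthenticated Elasticsearch {version}, cluster '{doc['cluster_name']}'"
    return False, "200 but not an Elasticsearch root response"


def summarise_indices(body: str) -> list[tuple[str, int]]:
    """Parse GET /_cat/indices?format=json into (index, docs) pairs, largest first."""
    rows = json.loads(body)
    out = []
    for row in rows:
        name = row.get("index", "?")
        # docs.count is returned as a string; treat missing or null as 0.
        try:
            docs = int(row.get("docs.count") or 0)
        except ValueError:
            docs = 0
        out.append((name, docs))
    return sorted(out, key=lambda r: r[1], reverse=True)


def _get(url: str, timeout: float = 5.0) -> tuple[int, str]:
    """GET a URL and return (status, body); used only by the live probe()."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe(base_url: str) -> Finding:
    """Live check of one node, e.g. probe('http://127.0.0.1:9200')."""
    base = base_url.rstrip("/")
    status, body = _get(base + "/")
    exposed, reason = classify_root(status, body)
    finding = Finding(exposed, reason)
    if exposed:
        st, idx_body = _get(base + "/_cat/indices?format=json")
        if st == 200:
            finding.indices = summarise_indices(idx_body)
    return finding


# Constructed sample responses for offline use (not captured from any real host).
OPEN_ROOT = json.dumps({
    "name": "node-1", "cluster_name": "elasticsearch",
    "version": {"number": "7.6.1"}, "tagline": "You Know, for Search",
})
LOCKED_ROOT = json.dumps({
    "error": {"type": "security_exception", "reason": "missing authentication credentials"},
    "status": 401,
})
CAT_INDICES = json.dumps([
    {"index": "users", "docs.count": "42000000", "store.size": "2gb"},
    {"index": ".kibana_1", "docs.count": "12", "store.size": "10kb"},
])

if __name__ == "__main__":
    print(classify_root(200, OPEN_ROOT))
    print(classify_root(401, LOCKED_ROOT))
    print(summarise_indices(CAT_INDICES))
```

`classify_root` and `summarise_indices` work on captured responses, so the logic can be checked offline; `probe` performs the same two requests against a live node and should only be pointed at infrastructure you own or are authorised to assess. The distinction it draws (a 200 with cluster metadata versus a 401 `security_exception`) is the whole difference between the cluster in this incident and a correctly configured one.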
In a statement, Telegram announced that the leaked information was scraped from two popular ‘forked’ versions of Telegram known as HotGram and Golden Telegram (also known as Talagram or Telegram Talaei). The two apps were created using Telegram’s open source code following the blocking of the official Telegram app in 2018, and were believed to have ties to Iran’s security and intelligence organisations. We previously raised concerns about the two apps’ security when they first emerged. The servers for the two apps, based inside Iran, were “turned off” in June 2019 by their developer company.
Telegram’s statement has not been independently verified. Some reports also suggest that the leaked data include user account details “associated with active users of the official Telegram app”, and that user records were “accessed as recently as March 2020”.
Those whose data has been leaked are now said to be vulnerable to phishing and SIM swap attacks: a phone number tied to a known Telegram username lets an attacker impersonate the service convincingly, or attempt to take over the number and, with it, the account.
Further investigations reported that the server was registered under the name of Manouchehr Hashemloo, who was using the same email address as a well-known Iranian hacker known as ArYaIeIrAN. The hacker is said to be associated with a government-sponsored hacking group known as Charming Kitten, which has previously been involved with operations targeting activists and journalists.
Iranian Government’s Inadequate Response
The authorities’ responses to the data leak were wholly inadequate, as the various organisations involved failed to adequately prioritise the security and safety of those whose data was compromised. Standard incident response practices were not followed, and potentially at-risk individuals were not notified. The developers behind the two apps, Smart Land Solutions, appear to have offered no reaction at all.
On 31 March, the same day that the data leak was made public, Amir Nazemi, Deputy ICT Minister and Head of the Information Technology Organisation of Iran, tweeted that the website named “[Samaneh] Shekar”, hosted by an Iranian company known as Raspina, had been identified and was being reported to the prosecutor’s office for legal proceedings. A day after Nazemi’s tweet, Raspina denied providing hosting services to the website, stating that it only provided co-location services.
In another tweet on 1 April, Nazemi sought to address those questioning the lack of action over the incident, stating that according to the Supreme Council for Cyberspace’s (SCC) 44th resolution, Iran’s Cyber Police (FATA) is responsible for dealing with data security issues in the private sector.
MAHER also published a statement addressed to government organisations and business owners. In the statement it blamed the data leaks on insecure or poorly secured data clusters. MAHER further announced that from 31 March it had begun monitoring for insecure databases and would notify their owners (should they be identifiable). It added that if the issue was not rectified by those responsible after they were notified, they would be referred to the prosecutor’s office.
However, MAHER reiterated that the SCC’s resolution for “National System for Prevention and Combating Incidents in Cyberspace” referred incidents relating to private businesses (such as apps or private banks) to Iran’s Cyber Police (FATA).
FATA has made no public statement about the data leaks, nor provided any information about whether and how victims would be notified. Also significant is the fact that the developer of the two forked Telegram apps, Smart Land Solutions, has neither reacted to the incident nor been held accountable by FATA or any other authority. Some have interpreted this as a further indication that the apps were linked to the government.
Iran Does not have a Data Protection Framework
The response from the Iranian government and relevant authorities to data leaks has been disjointed and inadequate. They have failed to establish how the leak happened or who was behind it, and have made no statement on how the resulting threats to users will be addressed. Iran’s total lack of comprehensive or meaningful legal data protection for users is a primary contributor to this inaction.
The only attempt so far to introduce data protection measures was made in 2018, when the ICT Ministry introduced the draft “Data Protection and Online Privacy Bill”. The bill has made no progress since it was sent to the Cabinet for approval in 2018, even though its provisions prioritised internet localisation over user security. A few other pieces of legislation, such as the Computer Crimes Law (CCL) (2009/2010) and the Electronic Commerce Law (ECL) (2004), make limited reference to data protection and privacy, but are narrow in scope and application.
The CCL, for example, sets out criminal penalties for defamation and for theft of data “belonging to others”. Article 1 criminalises “illegal access” to computer and telecommunication systems “protected by security measures”, but fails to define “security measures” and appears to apply only to government data, not to individuals or non-governmental bodies. Further provisions of the CCL prohibit the implementation of basic security measures, leaving users vulnerable to data leaks as well as to surveillance. Article 10, for instance, prohibits “concealing data, changing passwords, and/or encoding data that could deny access of authorised individuals to data, computer and telecommunication systems”. It is worth noting, however, that we have not yet observed this article being enforced in practice.
The ECL contains some privacy and data protection provisions; however, these apply only to online commerce and transactions and have no wider application. They are consequently insufficient to address the complex issues of the right to privacy online and data protection raised by general data leaks.
While the “Data Protection and Online Privacy Bill” remains dormant, the SCC has adopted other concerning measures that drastically depart from the principles of data protection and privacy. In August 2019 the SCC approved the text of the ‘Digital Identity Verification Resolution’, which was published in October 2019.
Some of the resolution’s main objectives are:
- every online interaction between entities (including individuals, parties, objects or services) must be conducted using a valid ID;
- individuals will be identified using two sets of information managed by the ICT Ministry, known as an entity’s “essential identity information” and its attributes. The essential identity is one’s fixed legal identity; attributes are qualifications acquired by an entity over time;
- the National Centre for Cyberspace (NCC), working with the cooperation of the Executive and Judiciary should, within six months of the communication date of the resolution, draft the required regulations and legislation for establishing a Valid Identity System in Iranian cyberspace;
- the NCC should provide a report on the implementation of the resolution every six months to the SCC.
Though the resolution is not law, the SCC is the highest ranking internet policy making body in Iran with its mandate from the Supreme Leader. As such its authority cannot be disputed, and the resolution appears to be binding on the government.
The lack of codified processes for ensuring user security and privacy means that domestic apps and other online services need not prioritise privacy and security safeguards, and will not be penalised for failing to do so. This lack of legal protection, combined with Iran’s legal history, means that in the event of data leaks or security breaches no legal action is taken, and neither tech companies nor the government’s ICT organisations can be held accountable. The sole recourse remains an active decision by government authorities to investigate, which, as the Telegram case shows, has been neither efficient nor effective at putting users first.
National Information Network is not Compatible with Data Protection
One way to explain Iran’s data protection and online legal vacuum is to view it not as an accident or oversight, but rather as a feature of the Iranian government’s long-term internet policy agenda.
For decades, various government administrations have been pursuing a localised, self-contained internet, which is now known as the National Information Network (NIN). Government rhetoric promotes the NIN project as a “secure” and “clean” internet, better protected from cyber attacks and allowing access only to approved materials that promote “social harmony”. At the same time, the NIN also serves to downgrade the already limited digital rights of all Iranian citizens.
By placing internet infrastructure and services inside the country, the government can exercise more effective control over what citizens can access online, and monitor their behaviour without the constraints that international services impose. We saw some evidence of the NIN’s functionality during the November 2019 near-total Internet shutdown: as international websites and apps were disconnected, some banking services, hospitals, and universities claimed to remain online, because they were connected to the NIN and used domestic hosting services.
As the recent resolution on online identity shows, the NIN is slowly building an internet environment that is also designed for high visibility, traceability and monitoring of users. So long as no data protection laws are in place, there is no framework to ensure that this information is collected and processed in compliance with individuals’ right to privacy, or that its use and disclosure is limited and it is not misused. In this situation, the government enjoys far fewer restraints on its capacity to monitor and surveil citizens. It is clear that the goal of making all online interactions traceable (as per the SCC’s resolution on “Valid Online Identity Systems”) and localised is not compatible with a meaningful data protection framework.
The state’s surveillance apparatus is fundamentally incompatible with data protection regimes. Data protection seeks to protect personal information or personal data, whereas state surveillance around the world relies on the insecurity of data and the absence of individual privacy in online services. Various pieces of legislation have attempted to define the term ‘personal data’, but international standards such as those established under the GDPR refer to “… any information relating to an identified or identifiable natural person (‘data subject’); … who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (General Data Protection Regulation, Article 4(1)).
Therefore, for a data protection framework to be effective, it must require that personal data be stored in a way that preserves privacy, through pseudonymisation or “functional non-identifiability”, using methods such as encryption. Such measures only help if the keys that reverse them are held separately from the data they protect; a hash of an identifier that anyone can recompute is not pseudonymisation at all.
The “Verified Online Identity System” negates such practices by creating government-regulated online identity profiles, without which individuals cannot appear online. The resolution makes no recommendations or provisions setting out how this information will be collected, processed and stored safely and securely, nor does it grant data owners rights over or control of their own personal data. It therefore fails to put in place any measure that would hold the government accountable for the security and use of this data. Once again, it also fails to consider measures for data leaks and breaches, making no effort whatsoever to ensure the safety and security of Iranians online.
Given that the NIN is being implemented through a programme of enforced data localisation policies, creating a system of constant oversight over citizens’ online behaviour that can also cut them off from the global Internet, it is perhaps unsurprising that the Iranian government has been resistant to introducing meaningful data protection legislation. This lack of regulation and legislation also has a knock-on effect on the private sector: there is nothing that obliges private tech companies to sufficiently guarantee the data security and privacy of their users.
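The distinction between real pseudonymisation and mere hashing is worth seeing concretely, because identifiers such as phone numbers come from a small, structured space. The Python below is an added example written for this edition; it is not from the original article, and the article does not say how the “hashes” in the Telegram data set were computed. It uses constructed phone numbers sharing an assumed operator prefix (`PREFIX`), with the unknown tail shortened to five digits so the demonstration runs in well under a second; real numbers leave more digits unknown, but ten million candidates is still a trivial search.

```python
"""Unkeyed hashing of an enumerable identifier is reversible; keyed pseudonymisation is not.

Added example (not from the original article). Phone numbers, prefix and key
are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed: numbers are assumed to share a known operator prefix, leaving
# UNKNOWN_DIGITS to guess. Real numbers have more unknown digits, which only
# multiplies the work by a constant the attacker can easily afford.
PREFIX = "+9891200"
UNKNOWN_DIGITS = 5


def naive_pseudonym(phone: str) -> str:
    """The weak scheme: an unkeyed SHA-256 of the raw number. Anyone can recompute it."""
    return hashlib.sha256(phone.encode()).hexdigest()


def keyed_pseudonym(phone: str, key: bytes) -> str:
    """The sound scheme: HMAC-SHA256 under a secret key kept apart from the data set.

    Still deterministic, so the data controller can look records up by number,
    but useless to anyone holding the data without the key.
    """
    return hmac.new(key, phone.encode(), hashlib.sha256).hexdigest()


def reverse(target: str, guess: Callable[[str], str],
            prefix: str = PREFIX, digits: int = UNKNOWN_DIGITS) -> Optional[str]:
    """Brute-force the identifier space using whatever function the attacker can compute."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if guess(candidate) == target:
            return candidate
    return None


def demo(phone: str = PREFIX + "04242") -> dict:
    """Run the attack against both schemes and report what the attacker recovers."""
    controller_key = secrets.token_bytes(32)   # held by the data controller, not in the data set
    attacker_key = secrets.token_bytes(32)     # the attacker's best effort: a guessed key
    leaked_naive = naive_pseudonym(phone)
    leaked_keyed = keyed_pseudonym(phone, controller_key)
    return {
        # Unkeyed hash: the attacker recomputes the same function and finds the number.
        "naive_recovered": reverse(leaked_naive, naive_pseudonym),
        # Keyed: without the key the attacker can only try unkeyed hashes or wrong keys.
        "keyed_recovered_unkeyed_guess": reverse(leaked_keyed, naive_pseudonym),
        "keyed_recovered_wrong_key": reverse(
            leaked_keyed, lambda p: keyed_pseudonym(p, attacker_key)),
        # The controller, who holds the key, still resolves the record deterministically.
        "controller_lookup_matches": keyed_pseudonym(phone, controller_key) == leaked_keyed,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for a data protection framework is the one made above: the output of `naive_pseudonym` offers no protection to the person behind the number, however long the digest looks, while `keyed_pseudonym` protects them exactly as long as the key stays out of the leaked data set. Any rule that merely says “hash the identifiers” therefore has to also say where the key lives and who may use it.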
What Comes Next?
As we have seen, the failure of the Iranian government to update its legislation in line with technological advancements has had considerable consequences for its citizens. Despite continued calls for data protection legislation to be put in place, there has been little attempt from the government to make progress on the implementation of any data protection laws.
The fact that this legislative process has seemingly fallen into a permanent state of limbo suggests that the state may have realised that any meaningful data protection legislation could threaten or undermine its broader project to develop the NIN, which ultimately seeks to make all citizens visible and traceable online. With this in mind, there cannot be any comprehensive, meaningful data protection legislation which can adequately and sufficiently ensure the security of online users to international standards or provide them with remedies if their security is compromised.
Therefore, the implementation of the NIN, which at its core negates online privacy and robust security measures for users, must be stopped. Further, the government must ensure that legislation capable of comprehensively protecting user data is put in place without delay. This could start with reviving the Data Protection and Privacy Bill. It is important to note that the bill, in its current form, does not go far enough to create a data protection framework in line with internationally recognised standards for user privacy and security, but it is a start. It can be amended to address its shortcomings before it is progressed further and passed into law. Together, these two efforts can hold data controllers and processors, including the government itself, to a high standard of security practice and make them accountable for failures, so that a trustworthy online environment which respects citizens’ digital rights is created.
Things to look out for in the future:
In light of the current data protection situation in Iran, we make the following recommendations to be considered and implemented by various stakeholders in order to address the shortcomings in the current system and uphold the digital rights of Iranian citizens:
- In the absence of a legal data protection framework, tech companies must recognise their responsibility to prioritise the security and privacy of their users’ data; in doing so they must outline and adhere to clear data protection practice which they should also make available to their users.
- The Iranian government must immediately pass comprehensive data protection and online privacy legislation in line with international standards to include:
- Standardised security practices to ensure that domestic apps are sufficiently secure and that user data is handled safely;
- A clear process for informing data owners of any data breaches and leaks of personally identifiable information;
- Legally enforceable remedies for those whose data has been compromised.
- Upcoming legislation such as the deeply problematic “Managing Social Messaging Apps” bill must be abandoned because of its infringement of users’ right to privacy and its lack of security and safety considerations.
- Data protection and online privacy legislation can exist only in name while the NIN project is still being pursued; the practice of internet localisation in Iran must therefore be stopped in order to uphold the digital rights of Iranian users.
- Digital rights advocates and activists must be made aware of the dangers of upcoming programmes such as “legal VPNs”, and inform Iranian users of the risks these pose to their online privacy.
By Melody Kazemi, Kaveh Azarhoosh & James Marchant,