Policy Monitor

Policy Monitory – February 2022

Despite public outcry and civil society mobilization against it, the draconian ‘User Protection and Core Online Services Bill’ won a committee vote in February 2022 and will advance to a parliament-wide debate and likely vote. The bill provides legal reinforcement to the centralisation, localisation and surveillance goals of the NIN.

This February, while the world focused on the invasion of the Ukraine by Russian forces and the crisis that unfolded in its aftermath, in a stunning development in Iran, the dangerous internet restriction legislation, the so-called “User Protection” Bill – which stands to further curtail the rights of Iranians – was ratified by the Joint Parliamentary Committee in a sudden vote, only for the vote to be revoked by the Parliamentary authorities within hours. The fate of the Bill is to be determined after the Budget for the next Iranian calendar year (21 March 2022) is passed, but what the final version of the Bill will contain and how or if it will be passed remains more unclear than ever. 

Against the backdrop of the developments surrounding the Bill, slow international internet speeds remained a top issue among Iranians, forcing authorities to deny claims of intentional disruptions. Our monthly Network Monitor has more details about these disruptions. 

Latest Developments on the Progress of Iran’s “User Protection” Bill 

In a sudden move on 22 February, the Joint Parliamentary Committee for reviewing the so-called “User Protection” Bill ratified it with 18 votes in favour and 1 against. The vote is said to have taken place at short notice, and according to Committee member Jalal Rashidi Kouchi MP, the only member who voted against the Bill, other members “were not aware of which version of the Bill they were voting on.” However, the next day the vote was revoked by the Majles (parliament) due to procedural irregularities. 

According to the Head of the Joint Committee, Reza Taghipur, the Bill is to be reviewed again after the Majles ratifies the national Budget for the next Iranian calendar year (March 2022 – March 2023). He also added that the Bill had gone through yet another name change, and is now titled “Cyberspace Regulatory System” (Persian: نظام تنظیم مقررات فضای مجازی). 

There has been widespread condemnation and backlash from social media users about the progress of the Bill, and from members of the previous administration’s ICT Ministry, and Iran’s private tech sector. However, the most significant opposition came from the Secretary to the Supreme Council for Cyberspace (SCC), Abolhassan Firouzabadi, who stated that progress of the Bill is not “advisable” considering the public backlash and that the government should propose an alternative. 

The fate of the bill is somewhat unclear until the Majles resumes its work after the Iranian New Year break. So far, however, it appears that progress will continue, but there is now more vocal opposition than ever. 

Secretary to the Supreme Council for Cyberspace: “Legal VPNs to be Followed Up Next Year” 

On 14 February the Secretary to the SCC, Abolhassan Firouzabadi, stated in an interview with Iranian tech outlet Digiato that the ‘legal VPN’ scheme was going to be followed up “at the start of the next [Iranian] calendar year”. 

Firouzabadi emphasised that the scheme was being discussed with the ICT Ministry and there would be a follow up in the next few months. Legal VPNs have been discussed for a number of years under previous government administrations. These government-sanctioned VPNs would allow for certain people and professions to have access to the global internet with fewer restrictions as approved by Iranian authorities, an integral part of “layered filtering” under the National Information Network (NIN). 

“Data Protection” Bill First Introduced Under Previous Government to Be Placed Back on the Parliamentary Agenda 

On 9 February Deputy ICT Minister and Head of the Information Technology Organisation, Mohammad Khansari, stated in an interview with Iranian news outlet, Mehr, that the ICT Ministry had been reviewing the “Data Protection” Bill in the hopes that it would be proposed to Majles. 

The “Data Protection and Privacy” Bill referenced by Khonsari, was drafted under the previous government and under the previous ICT Minister, Mohammad Javad Azari-Jahromi in 2018, however, the Bill did not progress beyond the Cabinet stage of the legislative process. Filterwatch has already written about the contents of this Bill. 

According to Khansari the Bill has undergone some changes, but the latest draft is not yet publicly available, though Khansari stated that the Bill will be published once it is finalised by the ICT Ministry. 

Given the political alignment between the government and the Majles compared to the previous administration, the prospect of this Bill progressing further is greatly increased. However, without access to the latest version of the Bill, it is not possible to assess how much protection is afforded to Iranians online, and how it will overlap with the so called “User Protection” Bill. 

Draft National Budget Dedicates 2% of Online Transactions to Iran’s Cyber Police 

During the review and approval process of Iran’s national Budget for the next Iranian calendar year (March 2022- March 2023), on 28 February the Parliamentary Reconciliation Commission included an additional clause to the draft Budget which stated that all banks and credit institutions to pay 2% of their online earnings to the Treasury which is to be used by Iran’s Cyber Police, FATA. 

FATA is instrumental in the suppression of freedom of expression and online freedoms, though the exact budget dedicated to the force is currently unclear. Filterwatch’s quarterly FATAwatch documents the arrests and activities made by FATA Police. 

The review process of the details of the draft Budget still needs to be finalised by the Majles (parliament), which then needs to be sent to the Guardian Council for final approval. 

Iran’s Audio-Visual Regulatory Authority Issues a Ban on the Publication of Images and Videos on Recent Honour Killing in Iran 

On 6 February, a day after the brutal and violent murder and beheading of a 17 year old child-bride by her husband in the city of Ahvaz, Khuzestan Province, Iran’s Audio-Visual Regulatory Organisation (SATRA) which operates under the Islamic Republic of Iran Broadcasting (IRIB) issued a ban against users publishing visual content relating to the murder. 

While content moderation against violent content is not uncommon, the announcement from SATRA may be used to censor online content and suppress the media from reporting on such incidents. On the same day Iran’s Press Supervisory Board seized the news outlet, Rokna, for “publishing content contrary to public decency.” 

The decision and SATRA’s warning come in an effort to control and censor the online attention being given to honour killings, violence against women and child marriages – which are among major concerns in Iran and have appeared in the news a number of times in recent months – and to control the narrative surrounding these events. Men convicted for committing these crimes are often afforded lenient and light sentences. 

Iran’s ICT Minister Calls for Private Sector to Create Services and Online Content 

During a launch event for telecommunication services on 7 February, Iran’s ICT Minister, Eisa Zarepour confirmed that the government will be relying on the private tech sector in order to expand the content and services layer of the country’s internet, as defined by the SCC resolution on the National Information Network (NIN). Zarepour added that a financial package is also to be announced in support of these projects. 

The emphasis placed on the role of Iran’s private tech sector comes following a wave of arrests, fines, and blockings issued against Iran’s private online platforms and businesses in order to bring them under further government control, which underscores the fact that this sector is becoming increasingly crucial in realising the next stage of the NIN. Filterwatch will be publishing an in-depth report on these developments in the coming months. 

Unsecured Elasticsearch Cluster Found Online Exposed Data of Millions of Iranians 

On 23 February Cyber Threat Researcher, Bob Diachenko reported that an unprotected Elasticsearch cluster had exposed the personal data of millions of Iranians, including over 46 million Instagram accounts, over a million Twitter accounts, and over 180 thousand Telegram accounts in addition to phone locations, and car details. 

According to Diachenko, the cluster has been destroyed, however it was hosted on a server owned secnerd.ir. It is unclear who is behind the data cluster, however, Iranian’s have been subject to major data leaks such as the Telegram data leak in March 2020. 

Low International Internet Speeds Continue to Dominate Discussions 

During a Cabinet meeting on 23 February, Iranian President Ebrahim Raisi acknowledged the need for providing “high speed internet” in the country, which has become a dominant concern. Concerns about the future of internet speeds began following a report from the tech news website, Zoomit published on 10 October 2021 explaining that the drop in network quality is due to the fact that since Raisi’s arrival in office, the SCC has not issued a licence for the Telecommunication Infrastructure Company (TIC)  to increase their purchase of global bandwidth to meet rising domestic demand. As a result, operators have been downgrading the speed and quality of their services in order to continue to be able to meet their customers’ needs. 

Iranian officials, including the Head of the TIC have denied that international bandwidth purchase was reduced, while last month Zarepour blamed slow speeds on the distribution of data across the country and bottlenecks in the capital city of Tehran. In February Zarepour also denied that the government had asked the SCC to reduce international bandwidth and added that the ICT Ministry discussed the issue of increasing bandwidth capacity at the SCC.

However, the claims by Iranian officials do not match the realities of constant throttling of international platforms and access to the global internet. The government and SCC policies have already emphasised the need for domestic internet traffic to overtake international traffic in the next Iranian calendar year. The constant reduced traffic speeds are one tactic that can be used to divert and force traffic towards Iranian platforms and alternatives.

About the author

Melody Kazemi

Filterwatch