Analytical Summary
The Iranian government embarked on a new path in 2023, enacting laws and policies that aimed to restrict the hardware and software choices of its citizens in the long run. The authorities seek to monitor citizens’ through tracking software, heighten control over hardware imports, coerce them to adopting and using their favored applications, and force all entities with citizen data to surrender it for free to create a new information system.
What has been termed the “Citizens’ Lifestyle Tracking System” in the Seventh Development Plan is set to enhance the government’s ability to catalog and collect information on its citizens (such as their preferences, opinions, and lifestyle habits). Such a development could lead to widespread pressure on citizens during protests.
Additionally, expansive laws have been drafted for user identity verification, tiered internet access, and increased restrictions on compulsory hijab opponents in the form of plans to combat hijab non-compliance (which will make things even harder than before for women in cyberspace). Furthermore, the consolidation of key internet players like Minister of Communications Isa Zarehpour and Mohammad Amin Aghamiri will expedite the approval and implementation of these infrastructures.
The Iranian government has also learned from its prior experiences and managed to, occasionally, disconnect the internet in some specific areas and silence the opposition’s voices from the outside world. The SIAM system which was revealed in an Intercept report, can disrupt internet access at a time and location of the operator’s choosing, was tried out in Sistan and Baluchistan in the past year, and it’s likely to be used in other parts of Iran in the future. Furthermore, Filter Watch’s research revealed that, in the last year, some provinces experienced consistent patterns of outage and disruption, at specific times and with varying degrees of severity.
In another striking development last year, the Iranian parliament ratified a security pact between Iran and Russia in late 2023, which has many vague clauses, but the brief excerpts that Digiato and other media outlets have released imply they have ambiguous terms and expressions that allow for wide-ranging interpretation and enable both sides to collaborate widely.
Furthermore, documents reviewed by Filterwatch reveal that there has been an ongoing request since 2016 to register electronic devices such as servers, tablets, electronic boards, various memory types, hard drives, network cards, and motherboards. However, for reasons not detailed in the documents, these items have not been consistently registered at customs upon their importation into the country.
Consequently, on October 16, 2022, the Ministry of Communications expressed concerns to the Director-General of the Office of Regulations, Exports, and Imports within the Ministry of Industry, Mine and Trade. The complaint highlighted the issue of server importers not responding to product registration inquiries. The Ministry urged the enforcement of a directive issued in 2016, which mandates the registration of these electronic goods. This step is seen as essential to ensure proper tracking and compliance of imported electronic devices.
Meanwhile, while the government concentrates on security matters and surveilling citizens, private and public firms have also lost citizens’ data, and in the last year, different hacking groups have executed several massive hacks of citizen information. Hackers also penetrated the national fuel network for the second time. The government’s negligence and an increase in emigration of technical IT experts in the past year has exacerbated this failure.
Right to Internet Access
A New Pattern of Internet Outages
There were some clear patterns of internet outages in Iran in 2023. In provinces like Sistan and Baluchistan and Alborz, the outage had a fixed start and end time that, with some exceptions, was repeated throughout the year. For Sistan and Baluchistan, the pattern started on September 30, 2022 (known as “Bloody Friday”): internet went off every Friday morning before the sermon of Abdolhamid Ismaeilzehi, a Sunni preacher, at Zahedan’s main mosque and came back in the afternoon. In Alborz Province, severe disruptions started at midnight and lasted around three hours.
Iran’s internet faced the most severe disruptions in the last year at times when protests were expected to increase, such as : the anniversary of the 2019 internet outages, the birthday of Kian Pirfalak, the anniversary of the death of Jina Mahsa Amini, the execution of three protestors in the autumn of 2022,2022 protesters, and President Ebrahim Rai’si’s trip to Kurdistan.
In recent years, official statements have revealed that the Supreme National Security Council, which includes the Interior Minister and representatives from the ministries of Communications and Information, the Revolutionary Guards, and the military, ordered the internet outages in previous years. In 2023, proof was first obtained that showed that the Radio Communications Regulatory Organization was the operative branch for internet cutoff and disturbance orders, at least in Sistan and Baluchistan.
The Intercept reported on October 28, 2022, that this Organization had a digital system named SIAM that could reduce network speed and surveil users’ online activity. This tool could be employed to suppress protesters. Filter Watch’s research revealed that the Radio Communications Regulatory Organization, which managed SIAM, was behind the weekly internet outages in Sistan and Baluchistan that occurred every Friday morning (with a few exceptions).
Increase in Internet Prices
In recent years, the government has tried out various alternatives to filtering. It has divided domestic and international traffic into different price plans, and cut down the bandwidth for foreign websites that are popular compared to local ones.. These are two key government actions to persuade users to access the national information network. The first action, by lowering the cost of domestic internet, aims at the users’ budget, while the second action, by limiting the speed and bandwidth, affects the services’ accessibility.
This year, the price of internet access increased 34 percent, while the price of domestic traffic stood still to remain within the means of Iranian households.
Report of the Electronic Commerce Association
In June/July 2023, Iran’s Electronic Commerce Association of Iran, which consists of the largest tech companies in the nation, examined the internet in Iran using technical data from internet oversight bodies. It looked at the internet’s network disruption, censorship, and speed, and called the internet in Iran “in crisis.”
Top officials of the Ministry of Communications and its subsidiary organizations rejected the report, but after meetings with those who produced it, improved certain issues, such as one caused by http/3 protocol which reduced quality and speed of communications.
The International Telecommunication Union
Internet Outages
The internet in Iran faced at least 60 thousand minutes of blackout in 2023, and most of it affected provinces where ethnic and religious minorities lived. The International Telecommunication Union has not commented on this, even though it had criticized and denounced an internet blackout in Gaza on October 28, 2023.
Satellite Internet: Starlink
People discussed Starlink satellite service in Iran, as a way to connect to the internet fast and without censorship, beginning in late 2022.
The Radio Regulations Board of the International Telecommunication Union discussed Starlink satellite internet services for Iran in mid-2022, arguing: “Doubts and uncertainties remain as to whether the transfer of internet data is permitted or not, but communication with a foreign-based IXP in a country which has declared this service to be illicit in its own jurisdiction should not be possible.”
In other words, the International Telecommunication Union said that the Islamic Republic of Iran has not authorized Starlink satellite services in its jurisdiction, and that connecting to Starlink terminals within Iran’s jurisdiction is illegal.
Internet freedom organizations believe the Union’s decision is at odds with its main goals, including its efforts to secure “meaningful connectivity” as well as sustainable development, and neglects the wider consequences of Iran’s restrictive internet policies such as the violation of millions of Iranians’ right to information and communication.
According to Article 35 of the Union’s charter, member countries have a right to “suspend telecoms services in general, or a particular kind of correspondence, but they must inform the other member countries and Secretary General as a matter of urgency.” It appears that Iran, as a member of the Union, has not yet done this.
Despite the Union taking up this issue in another meeting from October 23 to 27, 2023, no decision has been made on the matter, and debates and conversations continue.
Internet Policy
In 2023, most of the laws approved by the government, or those which moved toward approval, were to maintain hijab, penalize those who resist forced veiling, monitor mandatory attire, create a tiered internet access based on citizens’ profession, and interfere in citizens’ everyday lives.
The Seventh Development Plan: A System for Gauging Lifestyle
The Seventh Development Plan bill, which envisions the development of Iran’s infrastructure in a five-year period (2023 through 2028), has garnered attention for elements like national information network و expansion, the widening of electronic government, growing the database on Iranian citizens, and above all, the “People’s Lifestyle System.” The plan requires all data centers – public or private – to consistently store all their data in a single system. This data will then be accessible to the Lifestyle System through the national information network, seperate from the internet.
These programs qualify the government of Iran as a surveillance state which can learn about and watch over all the aspects of citizens’ lives.. Apart from the violation of privacy, the data yielded by these processes will be used for machine learning, raising the possibility of artificial intelligence control over important public choices.
This system follows part of a policy of rolling out “smart government” in Iran which, by encouraging citizens to use electronic services, collects all their information in a centralized system, and may use the information to profile citizens with greater precision and speed.
Tiered Internet
The government has advancing tiered internet access, which limits the content access based on profession content. This year, schemes of an “internet for technologists” and an “internet for university professors” were implemented which provide special access to filtered sites for particular groups of users.
These projects, first mentioned by Isa Zarehpour in February/March 2023, joined the larger scale “internet for journalists” which had existed since the time of former Telecommunications MInister Mohammad Javad Azeri Jahromi. Experts have termed these initiatives as internet access discrimination and“digital capitulation.”
In August/September 2023, during Cristian Ronaldo’s trip to Iran, Ezatollah Zarghami spoke of the need to launch a simcard for foreign tourists and those active in the tourism industry, such as hotel proprietors and guides, which would not filter social networks.
Expedited Localization
The national information network, a key tool for controlling citizen’s access and the main infrastructure for state programs to track citizens, progressed with great speed in 2023. In March/April 2023, Minister of Communications Isa Zarehpour said the national information network had gone from 23 to 60 percent completion and promised 75 percent progress by the end of the Iranian year.
In 2023, the government rolled out financial incentives to draw citizens to domestic messaging apps. With the development of electronic government and online provision of state services, Iran is now a step closer to daily tracking of citizens, an objective foreseen in the Seventh Development Plan.
The consolidation of government and internet decision-makers like Issah Zarehpour and Mohammad Amin Aghameyri, who support internet restrictions, also affected the pace of these changes.
The White Plan
The White Plan is a scheme implemented under the supervision of the Fashion and Clothing Working Group, affiliated with the Ministry of Culture and Islamic Guidance, and the General Prosecutor. The Working Group announced on June 10, 2023, that the plan targets “unlicensed” and “underground” activities, as well as those “without scientific standards,” besides unlicensed work in fashion and clothing. The statement warned that judicial authorities would deal with violating groups.
Mohammad Mehdi Ismaeli, the Minister of Culture and Islamic Guidance, presented a report on the White Plan’s activities to the Parliament’ Article 90 Commission on November 20, 2023. It was determined that the plan would be continued under the Public Culture Council, which is part of the Supreme Cultural Revolution Council.
Imported Hardware Registration
The government has kept trying to identify and counter protesters by passing laws and using digital systems, besides tracking them in the real world. In March 2023, Filter Watch first obtained documents showing that the Ministry of Communications is pursuing a scheme to track hardware imported into Iran through a way similar to the one for registering cell phones: any communication device with a SIM card will need an identification code and a fee to access service in the country.
The government had talked about this idea since 2017, it first implemented it with the launch of a special customs fee on information technology in the Payam Free Economic Zone, or Payam Airport. It had started cellphone registration in 2017 under Mohammad Javad Azeri Jahromi’s telecommunications ministry, and this year it ended with the service cut-off to the iPhone 14, which is unregistrable.
This restriction will ultimately result in a controlled cellphone market and drive users to domestic cellphones with manipulated operating systems, which the Ministry of Communications’ national information network is obligated to carry out in the architectural plan.
The hijab and Chastity Bill
The government passed the Hijab and Chastity Bill (also called “Bill for the Support of the Family through Promoting the Culture of Chastity and the Hijab”) in mid-2023.
It was one of the laws that set some internet-related penalties to restrict women who opposed the forced hijab.The bill increased penalties for not wearing the mandatory hijab or promoting not wearing it.
Specifically, posting any image or content with hijab violations, and also opposing the forced hijab, on any platform or messaging app, is a crime under vague terms that can be interpreted differently such as “lack of chastity, nudity, hijablessness, and poor dress.” The bill stipulates the deletion of personal pages and the loss of social network accounts as penalties.
The Guardian Council sent this law back to the parliament in late 2023, but out of over 100 objections the Council raised, none related to digital limits on women.
Given the publication of content which is criminal and in violation of public morality and chastity, FARAJA has made this page inaccessible until further notice, in accordance with the ruling of a judicial authority.
Even before such a bill had been passed,The government had already taken judicial actions against page admins over the hijab in the last part of the previous year. The bill aimed to authorize these actions as a matter of hijab explicitly.
Filter Watch’s investigations show that in the past year, at least 35 user accounts belonging to beauty salons and clothing sellers had been shut down with a judicial response: the hashtag “#Islamic_hijab”(حجاب اسلامی in Persian) and the message “This page has been seized by the public order police at the ruling of a judicial authority” were seen on them.
Cybersecurity and Privacy
The Nazer App
The Iranian authorities first implemented the Nazer Plan (Persian for “Observer”) on April 13, 2023, to enforce the mandatory hijab law. Nazer 4” targeted users and celebrities who dot wear the mandatory hijab or encouraged others to not.
On April 24, 2023, Vahid Majid, the police chief of the Cyber Police of the Islamic Republic of Iran (FATA), announced the types of online activities that would be targeted by the authorities: “encouraging others to hijab non-compliance, exhibitionism, vulgar modeling, obscene and immoral live streams, and body sculpting.”
The Nazer app is a tool that the authorities use to monitor and report hijab violations. It allows government agents and authorized personnel to upload photos and videos of offenders and track their location. The app was exposed by activists who advocate for clothing freedom in 2023.
The Filter Watch website conducted a technical analysis of the app and found that it does not require users to provide a facial photo of the alleged violator. The only exception is when reporting a car’s license plate number. This makes the app vulnerable to abuse.
Facial Recognition
Iranian authorities had boasted about their facial recognition technology before the Women, Life, Freedom movement. They claimed that they used this technology to identify and punish those who defied the compulsory hijab law.
However, the Filter Watch website has not yet found conclusive proof to back up these assertions, even though the authorities have made significant investment on this technology.
In emails from a Prosecutor’s Office published by hackers, there is some evidence to show that Iran has been developing such systems since 2015. Filter Watch also published a report listing the names of the companies involved in these sorts of projects.
One claim made by police was that law enforcement forces could identify people through the “Nazer 1” program and “advanced technology and equipment.” Filter Watch’s technical investigations show that license plates can be uploaded to the application, but there is no system for facial recognition.
Prosecutor’s Office Hack
In 2023, Filter Watch investigated a batch of 80,000 emails that the hacker group Anonymous Iran Ops hacked from a Prosecutor’s Office in October/November 2022. It revealed its findings, which expose the Prosecutor’s Office strategies for suppressing dissent, the mechanisms and procedures of censorship, and the extent of collaboration between the Prosecutor’s Office and different public and private firms.
According to Filter Watch’s study of the emails, the companies Niafam, Yaftar, Tuning Yar Sharif Technologies, and the Duran Group are among the private-sector players acting to restrict users. Besides them, the General Prosecutor’s office, the Supreme Cyberspace Council, and the Filtering Committee all play a role.
Identity Fraud: Key Technique for Social Engineering
In 2023, a wave of cyberattacks in the form of identity fraud targeted those associated with the Women, Life, Freedom movement. Filter Watch investigated these.
Using fraudulent identities, the attackers impersonated organizations like the Atlantic Council, one of the US-based think tanks which had worked on the Women, Life, Freedom movement, to induce victims – including artists, religious and ethnic minorities, and lawyers – to click on a malicious link. These operations were distinguished from previous ones by their use of advanced social engineering techniques to gain victims’ trust. Technically speaking, they were not sophisticated.
Iran-Russia Cooperation
A letter of understanding on Iran-Russia collaboration in cybersecurity was approved by the Parliament in the final days of 2023. Though details of the nine-article agreement are not entirely clear, according to generalities which have been published, the collaboration is to include combating cybercrime, information exchange, and “the publication of information harmful to the social-political system and spiritual, moral, and cultural environment of governments.”
Parliament representatives and legal experts opposed to the letter of agreement say that scope and limits of the information to be shared between Iran and Russia have not been specified, nor have the details of the cooperation.
Besides this, programs for financial exchange with a common Iran-Russia cryptocurrency, to be based on Iranian gold, took shape in 2023.
Iran and Russia also work together on issues of suppressing dissent, as well as methods of monitoring and tracking them. China is another partner that, based on its expertise, cooperates with Iran to limit the internet through domestic networks and platforms.
System Hacks: Widespread Information Leaks
Major hacks of the national fuel system, insurance firms (115 million records from 19 companies), the Snappfood databank (with 880 million order records from 20 million users), and the Tapsi internet taxi company (with data on 33 million drivers and riders) all impacted Iran’s cyberspace this year.
Two hacker groups, Gonjeshk Parandeh and IRLeaks, took responsibility for these cyberattacks. Gonjesh Parandeh also hacked the fuel system in 2022. The IRLeaks group launched attacks with the aim of obtaining ransom payments.
