Following in the wake of June’s presidential election, July saw Iran undergo a series of significant political and policy developments. The Supreme Council for Cyberspace (SCC) released the text for its most recent resolutions, including one on the “Protection of Children and Teenagers in Cyberspace”, suggesting the future implementation of a “layered filtering” system for under-18s. Significantly, the dangerous “User Protection and Core Online Services” bill returned to Majles where MPs voted in favour of the bill being considered via a designated commission instead of a parliamentary vote, in accordance with Article 85 of Iran’s Constitution.
Also this month, outgoing ICT Minister Mohammad-Javad Azari Jahromi attended his final public session in the Majles to answer MP’s questions about Telegram’s operations in Iran. The session took place at the same time as water shortage protests broke out in Khuzestan province, where protestors were met with a violent crackdown by the authorities. The crackdown was accompanied once again by localised internet shutdowns, which were used to silence protestors, prevent the sharing of information, and limit efforts to document human rights abuses. Jahromi left the Majles session without addressing the ongoing events in Khuzestan.
The events of this final month of Rouhani’s administration neatly encapsulate its legacy – internet shutdowns, the expansion of information controls, and the continuation of human rights abuses in online and offline spaces. This legacy will continue to affect the lives and freedoms of Iranians going forward, with the notorious human rights violator Ebrahim Raisi continuing from where they left off. Raisi was responsible for ordering thousands of executions in the 1980s as a member of Tehran’s Death Commission, and also served as Iran’s Chief Justice during the deadly November 2019 protests.
Supreme Council for Cyberspace Releases Text for the Latest Approved Resolutions
In July, the Supreme Council for Cyberspace (SCC) published the text of two resolutions which were approved in June 2021, during the final SCC meeting chaired by outgoing President Hassan Rouhani.
The first is titled the “Protection of Teenagers and Children in Cyberspace” resolution, and the second being parts one and two of the resolution on “The Vision for Cyberspace on the Horizon of 2031/2032”.
“Protection of Teenagers and Children in Cyberspace”
The resolution sets out a series of objectives, policies, executive actions, and assigns responsibilities to governmental and state authorities to establish a “protected online environment” for children and teenagers. This will be based on the “layered filtering” system, which assigns different levels of access to online content based on users’ attributes, including gender, age, occupation and social status. Under this resolution, under-18s will have access to content as determined by the Islamic Development Organisation, the Ministry of Culture and Islamic Guidance, the Education Ministry, and the Islamic Republic of Iran Broadcasting (IRIB).
Similar schemes already exist in the form of student, children, and family SIM cards provided by the ICT Ministry and ISPs such as Hamrah-e-Aval (MCI) and Irancell. These SIMs permit access to only pre-selected, whitelisted content, generally limited to domestic platforms and content.
The goal of the resolution is to “create a designated cyberspace for children and teenagers with an Islamic-Iranian framework for the appropriate use of cyberspace, and harm-prevention.”
The resolution applies to anyone under 18 years of age. It defines a “protected environment” as “an ecosystem on the National Information Network (NIN) that provides levels of access to information, services, and communication according to gender, age, and other social and cultural requirements for children and teenagers”.
The “management and leadership” for the implementation of this resolution has been assigned to the National Center for Cyberspace (NCC), through the creation of a new committee. This committee is to be made up of representatives from the Ministry of Culture and Islamic Guidance, Ministry of Education, the ICT Ministry, as well as representatives from a number of other ministries, Islamic Republic of Iran Broadcasting (IRIB), the Judiciary, the Police, Islamic Development Organisation, two members from the SCC, two private sector representatives, and University faculty members as appointed by the SCC Secretary and NCC Head NCC.
The creation and the implementation of this bill’s requisite infrastructure is required to take place within six months after the the formation of the said committee. This will include the development of core services, the creation of new features including parental controls, ID verification, and licensing, and the implementation of “layered access”.
The creation of criteria for validating “protected content and services”, the approval of black- and whitelists, and the development of an oversight and classification system for online content and services will be undertaken in collaboration between the Islamic Development Organisation, the Ministry of Culture and Islamic Guidance, the Education Ministry, and the IRIB.
The resolution also calls for “effective interaction and synergy” with international service providers and international organisations, to seek their compliance with Iranian standards. This engagement is to take place via the ICT Ministry, Foreign Ministry and MCI, and the Ministry for Industries and Mines Ministry.
“The Vision for Cyberspace on the Horizon of 2031/2032 (Parts One and Two)”
The published text of the resolution is limited to two pages, containing only the first two of the resolution’s four sections. These sections respectively focus on the “Values” and the “Vision” guiding the Iranian state’s management of cyberspace. The latter two sections which have not been included in this version of the published resolution concern “Aims” and “Strategies”.
According to the resolution, the “Values” and “Vision” are informed by “observing the strategies of other countries”, as well as “an analysis of the current and desired situation” and “the country’s laws, and the rulings of Iran’s Supreme Leader”.
Examples from among the 18 “Values” underpinning Iran’s management of cyberspace include: “Islamic beliefs, [and the] rules, ethics, and values of the Islamic Revolution”; “national security”; “healthy content”; “self-sufficiency”; “independence”, “national sovereignty”, and the “denial of foreign domination.”
The vision for 2031/2032 for Iran’s internet is primarily grounded in the idea of “self-sufficiency”, and developing an online ecosystem imbued with “Islamic-Iranian values” to meet the needs of Iranian users. The document also articulates an ambition to “achieve first place in the provision of online services in West and Southwest Asia”, though the resolution does not clarify how this goal to be achieved, or the metrics to measure its success. Lastly, the document claims that the development of the National Information Network (NIN) will result in “safer and more reliable” national digital infrastructure.
The resolution provides no details on how these visions are to be realised. However, it is likely that these will be detailed in the not-yet approved “Aims” and “Strategies” components of the resolution. This resolution does, however, make clear that the SCC is setting long-term objectives for the development of Iran’s internet, which go on to inform the policy decisions made by government ministries and state organisations.
Localised Internet Shutdown Implemented Amid Protests in Khuzestan Province
On the evening of 15 July, reports emerged of protests breaking out in a number of cities across the southwestern province of Khuzestan, with footage of the protests circulating on social media the next day.
The protests were sparked by a severe water crisis which has prevented many of the province’s inhabitants from being able to reliably access clean drinking water and for agricultural means. This crisis comes in the midst of what Energy Minister Reza Ardakanian has described as Iran’s “driest [year] in 50 years”.
On Sunday 18 July, the cybersecurity and digital rights researcher Amir Rashidi confirmed intermittent disruptions to mobile internet access in Khuzestan province, with disruptions particularly notable on two of the country’s main internet providers MTN-Irancell and MCI. Rashidi notes that another unique feature of the Khuzestan disruptions is their levels of hyper-localisation: they are imposed specifically on those areas experiencing protests and unrest, and for varying periods of time to allow security forces to disperse gathering crowds.
The limitation of mobile services is particularly significant in this part of the country, with internet users in Khuzestan dependent on mobile services for connectivity; according to Iran’s Communication Authority (CRA), mobile internet penetration rates in the province are at 105.97%, compared to fixed broadband penetration rates of 7.97%. Rashidi also added that connectivity to domestic services and apps remained via the National Information Network.
As protests continued in Khuzestan, they also spread to other parts of the country, accompanied with further internet disruptions. At least eight people have been killed according to Amnesty International, and 361 have been arrested according to the Human Rights Activists News Agency (HRANA). These figures are likely to increase as more information becomes available.Further details can be found in our Khuzestan Shutdown Monitor and our July Network Monitor.
MPs Vote to Review the “Core Online Services” Bill Under Article 85 of the Constitution
On 28 July, MPs approved for the “User Protection and Core Online Services” bill (typically referred to as “طرح صیانت” in Persian) to be reviewed under Article 85 of Iran’s Constitution, with 121 votes in favour. Under Article 85, the bill will be reviewed and approved by a designated Majles committee (rather than at a public session) before being sent to the Guardian Council for approval. The bill can then come into force for a “trial period” (typically between three to five years), before being approved by the Majles. This trial period can also be extended. The decision removes any meaningful parliamentary oversight over the bill and further removes transparency from the legislative process, and limits all opportunities for scrutiny or public engagement of this significant and potentially very dangerous bill.
The latest available iteration of the bill (dated 15 July 2021) has undergone a number of changes since the previous draft. While the bill is still subject to further amendments as it goes through parliamentary procedures, some of the most concerning and significant proposals are detailed below. While the bill uses the word “protection” in its title, this is misleading given the essence of the bill’s contents, and so hereafter we will refer to it as the “online services” bill. Some of the main thematic issues in the bill are outlined below:
- The Supreme Regulatory Commission (SRC), as previously mentioned, will continue to be granted a broad mandate to take charge of both regulatory and policy decisions, with multiple duties and powers overlapping with the SCC, the ICT Ministry, and the Communication Regulatory Authority (CRA). Some of the commission’s areas of authority include: setting tariffs for services, preparation and approval criteria in relation to market activity, such as ownership and management of dominant services and making proposals to the Competition Council, and preparation and approval of criteria for overseeing intellectual property rights, are among some of its responsibilities set out under Article 4 of the bill.
Despite the technical nature of these matters, only a fraction of the commission’s 22 members have relevant knowledge or experience in these areas (such as the representatives from Iran’s ICT Guild, or the ICT Ministry). As a result, decision-making on such matters would not only be stymied by the diverging interests of various representatives on the committee, but would also be limited by representatives’ lack of subject matter expertise – the costs of which would be borne by Iranian internet users and businesses.
Additionally, membership of the commission includes those outside government roles, such as representatives from the Judiciary, the Armed Forces, Passive Defence Organisation, the IRGC, and the IRIB. Therefore, the Majles will not be able to hold many members of the commission accountable for their decisions, despite the powers set to be held by the body.
- The filtering of international platforms is a leading concern among Iranian internet users, and the provisions contained in the bill will only serve to heighten these fears. In the latest draft of the bill, under Chapter 3, Article 12, the operation of all domestic and internationally-hosted “core services” in Iran is subject to compliance with the country’s laws, and their registration with a portal for such services.
International platforms wishing to obtain an operation license must appoint a legal representative and “accept the requirements of the commission.” Should they fail to do so within four months of the bill coming into force, they will be filtered once an “adequate foreign or domestic replacement” is determined by the commission, or else within one year. Alternatively, instead of the platform being filtered, its traffic will be throttled, and the ICT Ministry will be required to develop an alternative replacement within eight months.
It is highly unlikely that international services and platforms will comply, either due to their unwillingness to comply with the Iranian state’s onerous human rights restrictions, or else due to ongoing US sanctions. As a result, Iranian users will be pushed further towards using domestic services, which come with numerous compromises to users’ security, and privacy, and which offer further opportunities for state surveillance and information controls.
- Article 25(2) of the bill requires services to verify their users’ identities. The SCC has already set out the requirements for ID verification in its resolution passed in August 2019. Filterwatch has previously warned about the threat posed by the NIN to privacy and online anonymity, and to the security of Iranian internet users. These threats are particularly pronounced for marginalised an at-risk communities such as religious minorities or refugees, who may lack access to a legal ID. For these communities, these resolutions risk excluding them completely from accessing essential services. More broadly, these requirements will pose severe threats to civil society, activists, and human rights defenders working inside the country.
- The implementation of “Legal VPNs” is also indirectly discussed in the bill. Under Article 33 of the bill, “any unauthorised activity, in relation to the production, distribution, and reproduction of circumvention tools such as VPNs” is prohibited and can lead to imprisonment or a financial penalty. However under Article 4(17) of the bill, the SRC is assigned with responsibility for “preparing and approving the terms” for access to circumvention tools and VPNs.
The development of “legal VPNs” – or government-authorised VPNs – has been ongoing since Ahmadinejad’s government. Filterwatch has previously written about the dangers of this scheme, and how it can be used as a means for implementing a system of “layered filtering.”
- Control over Internet gateways is set to be handed over to the Armed Forces. The latest amendments to the bill state that control over Iran’s internet gateways are to be handed over to a “working group for a safe border gateway”. This working group is set to be comprised of the head of the NCC and representatives from the Armed Forces, the IRGC’s intelligence agency, the Ministry of Intelligence, the ICT Ministry, the Judiciary, and the Passive Defence Organisation.
The working group will be assigned responsibility to “manage” the traffic entering and exiting the country. This group is not subject to any checks and balances and lacks any accountability mechanisms. Handing power over international gateways to this working group increases the risk of internet shutdowns and throttling, while limiting transparency over their implementation.
The bill also asks for gateways not to be controlled by the private sector once the bill comes into law. Iran’s gateways are currently under the control of the Telecommunication Infrastructure Company (TIC), which operates under the ICT Ministry; the inclusion of this clause speaks to some of the technical inconsistencies contained in the bill. However, assigning such powers to the armed forces in Iran, and in particular IRGC’s intelligence agency, with its history of surveillance and human rights abuses can be identified as one of the worrying aspects of this proposed bill.
As mentioned earlier, the bill still needs to pass through further stages in the parliamentary process before it is passed into law. During this time, the text of the bill is still subject to change. According to the Parliamentary Research Centre, the bill is to be discussed by a “joint commission made up of various parliamentary committees”, while Majid Nasirai, the spokesperson for the Parliamentary Cultural Committee has said that the bill is being discussed at the Cultural Committee. Given these conflicting reports over the bill’s next steps, we still lack clarity over the legislative path the bill will take.
The draft bill has been met with significant criticisms from members of the public, as well as representatives from Iran’s technology sector including from Arvan Cloud, Aparat, Snapp and DigiKala, among others. A petition against the bill hosted on the Iranian website Karzar has so far gained over 930,000 signatures. Tehran’s ICT Guild has called on the Raisi administration to revoke the bill.
It is important to note that much of the bill’s contents which has provoked criticism from inside Iran are already goals and measures which have been initiated by the SCC, Rouhani’s administration, or the judiciary. In particular resolutions from SCC with a focus on aims and objectives of NIN, support for domestic messaging apps, establishing an online identity system, those hinting at creation of layered filtering, and resolutions supporting Iran’s Cyber Police, FATA’s, role in policing online activities have all outlined the same goals and measures as this proposed bill.
Filterwatch will continue to monitor developments on the bill’s progress, and will provide further information and analysis as more details become available.
Outgoing ICT Minister Called to Majles for Questions Over Telegram’s Operation in Iran
On 19 July the outgoing ICT Minister Mohammad-Javad Azari Jahromi was summoned to a public session in Majles to answer MPs’ questions about the operation of the messaging app Telegram in Iran. Jahromi was asked “[What is] the reason for not explaining and clarifying the provisions of the contract with Telegram, and why was traffic for the app charged at the international rate despite Telegram having Content Delivery Networks [CDNs] in the country?”.
The question refers to Telegram placing 70 CDNs in Iran in 2017. Jahromi responded that negotiations with Telegram took place under the supervision of the Prosecutor-General. Following reports from the negotiations, the SCC issued a license for Telegram to place its CDNs inside the country, which were “paid for by Telegram” according to Jaromi.
According to Jahromi, as a result of Telegram operating CDNs inside Iran for nine months, Iran saved “2.7 million euros” in payments for international bandwidth. He added that more than 70 summarised take-down requests were sent to Telegram, of which “five were blocked.” He added that there was “no contract with Telegram, but an understanding”, however “[Telegram] did not accept our security issues.” The app was later blocked as the result of a judicial order in April 2018.
At the end of the session, MPs expressed dissatisfaction with Jahromi’s responses, voting to give him a “yellow card”. This appearance was Jahromi’s final Majles appearance as ICT Minister within the Rouhani administration.
The session provided limited information and transparency about Telegram’s relationship with the Iranian government. Jahromi’s answers raise a number of questions for Telegram’s leadership. It is clear that the current lack of transparency from Telegram regarding its dealings with Iran may have placed Iranian internet users, their privacy and their right to access information at risk. Therefore Telegram has a clear and undeniable responsibility to clarify to the internet users inside Iran the terms which it agreed to with Iranian authorities. Filterwatch calls on both Telegram and Iranian authorities to provide more details about these arrangements, including in relation to Iran’s takedown requests, and Telegram’s compliance.
At the same time as the session was held, an internet shutdown was imposed in Khuzestan province in response to spreading protests about water shortages. None of the members of Parliament raised the issue and Jahromi did not mention the situation in Khuzestan during his Majles appearance.
State Developed Dating Platform “Hamdam” is Launched
On 12 July, Iran’s first “official and licensed” dating platform “Hamdam” (Persian: همدم) was launched. The platform was developed by Tebyan Cultural Institute, which is affiliated with the Islamic Development Organisation and is under the supervision of Iran’s Supreme Leader, Ali Khamenei. The app is said to have also been approved by Iran’s Cyber Police, FATA, and the Judiciary and is available as a web application, and for both Android and iOS devices via Iranian app stores such as Cafe Bazaar, where it currently shows the app having had over 50,000 downloads.
According to Hamdam’s head of Product Development, Zohreh Hosseini, the app “uses artificial intelligence to help individuals find matches” and is an expansion of Tebyan’s existing “Hamsan” relationship and matchmaking website.
The app has been accused of plagiarising the design, logo, and the name of a pre-existing sexual health and women’s rights app, also named Hamdam. This app was created by the Iran Cubator in a collaboration between activists at United for Iran and Spectrum.
The Hamdam Logos: Left, Women’s Rights and Health App, Right, Iran’s Dating App Logo
The app requires users to provide a number of personal details in order to create a profile. It also asks users for their national ID numbers for the purpose of “verification”. Hosseini stated that other details such as education would be verified “as much as possible”. The app also makes use of GPS location services.
Given the sensitivity of the information shared on dating platforms like this, and the platform’s direct relationship with state-affiliated institutions, it is extremely important that the platform provides clarity over its data collection, security, and retention practices. Based on the information available on the platform’s website, this is not currently the case. Given the high number of serious data breaches in Iran in recent years, the app’s lack of proper data protection policies is alarming.
Azad University Students Encounter Problems Logging into University Portal Once Again
On 19 July it was reported that a number of Azad University students faced difficulties in logging into the university’s online portal in time for selecting their modules for the summer term. Some reported being forced to download domestic messaging apps in order to receive a verification code for the portal. Some students did not receive a code despite downloading the app, or instead received expired codes that did not allow them access.
In May, a number of Azad University students reported being forced to download the Iranian messaging app iGap in order to receive a verification code for logging onto the university’s online portal. The introduction of further measures to incentivise users to download domestic communications apps is troubling, and appears to be part of a concerted strategy to change users’ online behaviours. These domestic apps frequently lack adequate privacy or security protections, and are vulnerable to government data requests.
Filterwatch reiterates that measures like those described above to effectively mandate the use of such apps in order to access key services are unfair and dangerous for users. Such practices should be halted immediately, and users should not be forced to download unsafe messaging apps (or other domestic apps) in order to gain access to essential services.
Iran’s Transport Ministry hit by “Cyber-attack”
On 9 and 10 July, Iran’s Transport Ministry’s systems were hit by “cyber attacks”. The attack on 9 July caused delays and disruptions to train services and left passengers stranded, according to a now inaccessible report from Fars News. Notices on station boards showed the trains’ status as “suspended” and a message claiming “delays due to cyber attacks” asked passengers to “call 64411”, a number connected to the office of Iran’s Supreme Leader.
On 10 July the Transport Ministry’s website was taken down “due to a cyber disruption” according to local news. However, Iranian authorities did not confirm the source of the attack, nor ransom demands. Cyber-threat and security analysts at SentinelOne were not able to “tie this activity to a previously identified threat group, nor to additional attacks.”
11 People Arrested in Connection with Online Gambling
On 20 July Colonel Ramin Pashaei, Deputy Head of Social Affairs for FATA, confirmed that 11 people were arrested in connection to their operation of online football betting and gambling websites. The arrests come following the completion of various football leagues in Iran.
According to Pashaei “coaches, managers, and players who have more interactions with such matters provided reports [on gambling] to FATA, which helped to identify websites and led to the arrest of their administrators.”
In recent months, FATA has become increasingly focused on a crackdown on online gambling and betting. Last year, MPs attempted to introduce a new bill to create harsher penalties for gamblers, including the death penalty for repeat offenders.