This article examines the new resolution by Iran’s Supreme Council of Cyberspace (SCC) regarding the prohibition of VPNs (Virtual Private Networks). It discusses the legality of this resolution, the operations of VPN providers, the challenges they face, and offers recommendations for safer VPN choices.
On the first day of Esfand 1402 (February 20, 2024), news of the new resolution by the Supreme Council of Cyberspace became the top headline in domestic media—a resolution that sparked numerous reactions and was critically analyzed by digital rights activists and many legal experts.
Mohammad Amin Aghamiri, Secretary of the SCC and head of the National Cyberspace Center, announced on February 20 the implementation of Resolution No. 3 from the council’s 96th meeting. This meeting, focused on “Examining Strategies to Increase the Share of Domestic Traffic and Combat Filter-Breakers,” had its resolution approved by Ali Khamenei, the Supreme Leader of the Islamic Republic, on January 9.
It’s worth noting that the idea of a filtered and monitorable internet service has been discussed in the executive and legislative bodies of the Islamic Republic for over five years. However, under President Ebrahim Raisi’s administration, it quickly materialized into a new SCC resolution in the final months of 2024.
Is This Resolution Legal?
Clause 6 of this resolution explicitly states that the use of “circumvention tool” (a term the government has recently adopted instead of VPNs) is prohibited unless there is a legal permit.
Despite the SCC lacking legislative authority to impose bans, including on VPNs, government officials clarified in response to reactions that the clause targets governmental institutions and organizations, not individual users. However, the frequent and widespread disruptions to VPN services suggest a strong intent to restrict VPN use and further limit users’ access to the internet.
A seven-member working group will decide which institutions or individuals can use these circumvention tools”—a decision that, in another view, exacerbates the class-based nature of the internet in Iran and its discriminatory access.
Another part of the resolution emphasizes that to counter foreign sanctions in the technology domain, the Ministry of Information and Communications Technology is obliged to provide “anti-sanction” services free of charge. Additionally, if the private sector wishes, the ministry must grant the necessary permits and facilitate their activities in providing anti-sanction services.
These resolutions have been approved by the SCC while the use of VPNs has not been criminalized by legislative bodies. In other words, judicial authorities have no law concerning the crime mentioned in this resolution, and individuals referred to the judiciary on this charge should, according to the law, be acquitted.
After the protests of December 2017 and November 2019, and amid widespread internet shutdowns, VPN production and distribution in Iran surged. But with the onset of the “Woman, Life, Freedom” protests in late September 2022, the demand for VPNs to access free information grew into a digital movement. This movement inspired many Iranians to actively provide secure VPNs, supporting the free flow of information across the country.
These individuals, often dedicating hours to voluntarily source VPNs, face numerous threats and pressures from the Islamic Republic.
Despite the efforts of groups working to provide secure VPNs to Iranians, estimates and available data indicate that Iranian mobile phones are among the most infected worldwide. This high infection rate is due to malware, the use of insecure VPNs, and unreliable domestic applications.
What Should We Consider When Obtaining a Secure VPN?
One point users should consider when using VPNs is the permissions these software applications request on users’ phones and computers. Users should check what parts of their device the VPNs access before using them.
For example, it’s unnecessary for a VPN to access a user’s geographic location or camera. Similarly, a VPN does not need access to your photo and video gallery to establish a connection.
Users should carefully review a VPN’s website. Many insecure tools lack an accessible website and customer support.
Another point to watch for is unusual information in the developer’s introduction of the VPN on Google Play or the Apple App Store.
An easily noticeable factor is whether the VPN is “open-source,” allowing independent digital security experts to access and review its security features.
When downloading a VPN from the Apple App Store or Google Play, the description section will indicate whether the VPN in question is open-source.
The Puzzle of the “National Information Network”
These decisions by the SCC can be seen, in a broader picture, as a step toward establishing a type of limited and insecure internet in the country, referred to as the “National Information Network.” For a long time, this has been the government’s primary goal in the domain of internet access.
Increasing restrictions on VPNs place at least two crucial pieces of the National Information Network puzzle together.
First, establishing a tiered internet and selectively providing circumvention tools to individuals aligned with or harmless to the government, through which the identities of these filter-breaker users become known to the authorities, leading to increased monitoring and control over user-generated content.
Second, wearing down users with the complications of using foreign applications and pushing them toward domestic platforms. The more the use of domestic applications expands, the easier and less costly it becomes for the government to monitor, control, and censor user content.
