Good evening. Thank you for joining us tonight here at the CCC in Hamburg, and also thank you to everyone tuning in around the world via our live stream. I'm very, very honored and excited to introduce our next guest, Mahsa Alimardani. It was my attempt to say the name Mahsa Alimardani. She's an Iranian-Canadian researcher and activist. Mahsa is finishing her master's degree and is a research assistant at the DATACTIVE lab, both at the University of Amsterdam, and her focus is on freedom of expression and access to information in Iran. She's also the editor of Global Voices Iran, and today she will be sharing some of her research findings with us about the censorship situation in Iran on mobile platforms. With that, I would like to ask you to help me welcome Mahsa Alimardani.

Thank you, Sonia, for that nice introduction, and thank you all for coming to the session. I know there's a lot of awesome competing sessions happening right now. So, just to introduce you a little bit to the Iranian internet ecosystem: there are some realities you should know about it. Yes, if you're thinking of traveling to Iran, I tell this to everyone: do go, it's awesome.
It's amazing. It's a beautiful country. Although, taking into consideration the type of work you do and the type of public profile you have, when you do go, if you do go, do set up Tor relays, because that's really helpful to people accessing the internet in Iran.

One of the things you should know is that the Iranian internet is often known as the "filternet". "Filternet" has sort of been the name ascribed to the internet because of the censorship that happens in Iran, and I think out of the whole world Iran would come second after China in terms of the pervasiveness of censorship and internet controls around the world. Something that you might not know is that it's also known as the "kondnet", and "kond" means slow. Due to the fact that the internet is often throttled in Iran and the speeds are very slow, and the fact that it can be very frustrating sometimes to upload a page, it also has the name of "kondnet".

So this talk was sort of described as a talk on mobile censorship and how there's a focus on that, but I just want to take a sort of broader view and take a more general look at internet policy in Iran. Just before I sort of delve into it: the reason why I really wanted to give this talk at a conference like the CCC is because I know this is a community full of lots of different expertise in terms of digital security, in terms of circumvention. So bringing awareness and sort of knowledge and focus on Iran, I think, is kind of exciting in a community like this, because a lot of help and a lot of aid can go towards access to internet in Iran from a group of people like you.

So just a broad look at what the internet infrastructure is like in Iran: the Ministry of Information and Communication Technology runs the Telecommunications Company of Iran, and this company is also responsible for the main ISP of Iran, which is the Data Communication Company of Iran. So in effect they control all internet traffic that goes into Iran, and all ISPs, both private and
government, are controlled through the Data Communication Company of Iran. So this company in effect becomes the point where filtering can occur, and where the blocking of pages or the block-listing of keywords occurs. Oftentimes the Telecommunications Company uses proxy servers for surveillance by logging all unencrypted internet traffic that goes on in Iran, which is why it's really important for pages that are being used especially by Iranians, if not everywhere else in the world, to have HTTPS, and for all mobile applications to be using encryption technology and things like that.

Now, all of these things are really concerning as it is, the fact that the government has so much access to data over the internet. What's even more concerning is looking at this chart here. So this is the overall view of the institutions responsible for internet policy in Iran, and you see at the very top there is a Supreme Leader. Although Iran does have an elected president, ultimately the Supreme Leader has the veto power and is in effect really the official head of state. And so while the Ministry of ICT is part of the elected administration, the Supreme Leader has ultimate power. What is particularly concerning here is, while we have the Ministry of ICT here on the right, and then you have the Telecommunications Company, and then you have the ISP provider in Iran, you then have the Revolutionary Guards, which are a paramilitary organization in Iran who are not accountable to the elected government. They're ultimately only accountable to the Supreme Leader, and they own the largest share of the Telecommunications Company of Iran. This is particularly concerning because a group like the Revolutionary Guards are the ones who are oftentimes responsible for various surveillance programs and for arrests of dissidents. One of their offshoots, the Basij, were the ones on the streets arresting and beating up protesters during the 2009 Green Movement.
So the fact that they have access to this kind of data is very concerning, and it is why things like digital security are of the utmost importance in Iran.

And so just a little brief overview of why this sort of history started in Iran. It's not always been like this. This started during the reformist era in Iran, which was the late 90s, and this was a period where, well, relative to the Iranian context, which is an Islamic theocracy, there was more progressive politics, and the hard-line elements, which aren't often accountable to the electorate in Iran, kind of clashed with the reformist government that was in power. And so the surge in reformist journalists that were in traditional print media meant that they could start migrating online in the early 2000s, late 90s, when blogging was becoming really popular and the technology to use Persian Unicode was becoming more pervasive. During this time the government sort of realized that there's this space that's not being controlled at all, and so filtering of pages started early on in 2001, but there was no real systematic procedure for this filtering. And so they came up with the cybercrimes law in 2006, but that sort of lay floating around until 2009, when the internet became a really big deal because, well, I'm sure some of you have heard of the "Twitter revolution", which sort of came out of the 2009 Green Movement. It was at that point, when Iranians were coming out en masse onto the streets protesting what they claimed to be the fraudulent election, that the Iranian government shut down the internet. And so after this period they codified the cybercrimes law to sort of ensure a more systematic way of filtering various pages, including Twitter and Facebook, that came out of it. Following this you had the Revolutionary Guards' establishment of Gerdab, which is a cyber command center, which is now responsible for the arrests of many different bloggers and activists in Iran. And then in 2011, because there wasn't enough control over
the internet, they set up FATA, a police force from the police forces, and while they do sort of take care of things like cybercrime in terms of banking and identity theft, they are also responsible for the arrests of various bloggers. There was one popular case in 2012 of Sattar Beheshti, who had public dissident posts against the government.

And then finally, in 2012, the Supreme Leader, who has quite a grand name of his own, decided to set up a very sci-fi-esque body, at least in the English language, called the Supreme Council of Cyberspace. This body basically would be responsible for all of the internet policy in Iran, and this really marked a turning point in Iran, where cyberspace and the internet became a key issue of national security, where not only were there concerns of cyber attacks from the United States and Israel, there were also big concerns of dissidents and various movements that could sort of emerge through social media and the blogs. And so all the decision-making would occur through the members that they decided to appoint to this council, and it's a mixed bag of different ministers as well as unelected officials and experts.

Over the years they've had various different programs to try to control the internet, and most recently, last March, they came up with another grand-sounding program called Spider. Spider was a project of the Revolutionary Guards where they sort of talked about doing blanket surveillance over all social media activities of Iranians, which technically, if any of you know anything about how Facebook or how Twitter works, is quite hard. Posts are private.
It's hard to delve into them.

Anyways, so what is key to understanding about the internet climate right now is that there is a moderate president, Rouhani, who came into power on a platform of many different progressive policies, one of which was internet freedom. And so they've had many different progressive moments. They shut down the hard-line judiciary's attempts to block WhatsApp, for example, and they've promised not to really shut down any other platform or censor anything unless there is a legitimate replacement for them, and this is a quote by the Minister of ICT. But at the same time they've been trying to cater to some of the hard-line elements and to sort of balance out their internet freedom policies with programs like intelligent filtering, which would mean not blocking entire platforms outright, but blocking individual pages. About 66 million dollars has been spent on this program from the ICT budget, and overall it's been a bit of a failure. I worked on a piece of research with Frederic Jacobs that sort of underlined how the intelligent filtering on Instagram, which was the most tangible result of this form of control, was only occurring because Instagram had failed to release HTTPS on the mobile API. So they were able to enable intelligent filtering on the mobile application, but not on the browser. Later on, people found out that there were still disruptions and images weren't loading on Instagram even after Instagram enabled HTTPS over the mobile API, and it turned out that this was just collateral damage from the fact that some of the images on Instagram are also hosted on Facebook, which is outright blocked in Iran.

So right now we're about to go up to an election in Iran. It's in February.
It's the parliamentary elections, and typically during these sensitive moments in Iran they start playing around with the internet. This happened in 2013: there was significant throttling of the internet leading up to the elections. Right now there have been some things spotted, although it's speculation whether or not it's related to the elections at all. Some websites with foreign SSL certificates are being blocked. There was one example of a popular blogger based in Iran named Jadi, who has an SSL certificate from Cloudflare, and his website was blocked. You'll notice that local certificates won't be blocked, because ultimately they're controlled by the government. This is a diagram formed by Small Media that sort of explains how the certificate authorities are ultimately in the hands of the government and data could potentially be shared. There was also a throttling of TLS in November, and the best example of this was over Tor direct connections, which you see experienced a significant drop.

Also, the shift towards the mobile application, and the fact that Iranians are increasingly accessing the web through their phones, means that there's been sort of an increased focus by the government on mobile apps. And in order to sort of talk to this, they've been coming up with local alternatives. Like, WeChat has Dialog, which, you can sort of see from the interface, is a local version imitating that application. Instagram had Lenzor. But you kind of see that it's not working as effectively, because if you look at the Cafe Bazaar stats, which is a platform where Iranians download their apps, Lenzor only has about 50,000 users, while Instagram has more than 9 million. Viber had another imitation app called Salam, and Salam was speculated to be developed by the Basij.

And so, popular apps right now: there's WhatsApp and there's Viber and Telegram in terms of chats and communication. Telegram is the most popular right now, and that's mainly because Viber has been heavily tampered with and a lot of people don't trust Viber anymore, because the media has sort of disparaged it in its connection with Israel and the Israeli Defense Forces, and WhatsApp, the second most popular app, has been experiencing lots of network disruptions. So with this increasing shift towards Telegram, the media has been focusing on also highlighting that Telegram is a place of moral corruption. This is a picture from a semi-official news source, Fars News, sort of depicting how someone could be drowning in Telegram.

So Telegram in Iran is really controversial, not only because the government's really concerned about it, but because it has a really confusing and weird relationship with Iran. Starting in August, bots and stickers started getting censored in Iran. The bots and stickers are one of the reasons why Telegram is really popular in Iran, because the bots allow Iranians to access content on the internet without using a VPN, and the stickers are oftentimes fun and kind of rude and in Persian, which not a lot of apps have, and so it's really popular. But these got censored in August, and the ministry announced that the censorship was occurring because of cooperation with Telegram. But Telegram was very quick to deny this. Pavel Durov came out and said that they had not entered into any agreements. On top of that, a respected community of security experts has really criticized the cryptography and the security behind Telegram, and this is especially worrisome when you hear things like 30% of Telegram data is now being stored in Iran, which was an announcement by the Ministry of ICT in Iran. But then again Telegram was
very quick to deny this again, saying that this is 100% bullshit.

And so the Telegram story continues. I think it was in late November, Pavel Durov made an announcement saying that the Ministry of ICT had come to him demanding spying and censorship capabilities from Telegram, which was really weird, because beforehand they thought they were working together. And there's all sorts of, like, conspiracy theories about how Pavel Durov got on a plane and went to Tehran to meet with the Minister of ICT. No one really knows what happened; it's all speculation and rumors. Anyways, he comes out with this announcement, and then a few weeks later he's like, "Oh, that was a fake email," which is really odd and concerning, and no other internet company has ever had anything like this happen. He said that he received a fake email; the ministry didn't actually contact him. He never released the email. It's all very strange, and it led to several advocacy organizations asking for more transparency from Telegram. But Telegram continues to be one of the most popular apps in Iran. What's notable about Telegram is that this sort of sets a precedent for other internet companies inside of Iran, especially as we move towards the removal of sanctions, and companies like Facebook and Twitter will be able to do business with Iran, potentially. And so noting these kinds of behaviors and sort of holding them to account is really important.

One last application that's sort of gaining ground in Iran, and that highlights one of the sort of habits of Iranians, is Bisphone. Bisphone is this local app, and security researcher Kevin Mistin, who, I don't know if he's here or not, but he's somewhere here in the venue, has done some really cool work looking at what exactly Bisphone is, because it's sort of this rising app that's gaining a lot of popularity. Apparently the developers are loosely connected to the government, and it turns out that the actual data collection over the
ISP is connected to Iran's Telecommunications Company, which is very concerning. But Small Media recently did a report asking Iranians what they thought about the security of the apps that are used, and the tendency is that they either don't know or it doesn't really factor in as a big issue. So security is a very low priority for Iranians, even though it should be higher on their list; they generally tend to go for usability and fun features.

And this kind of brings me to the takeaways of this talk, which is: internet control in Iran is quite pervasive, but it's not as sophisticated as they would like. It's especially important now because there's been more arrests of various bloggers and various people who work in the tech industry in Iran, and this might be particularly problematic as we move towards the parliamentary elections. And yeah, if you do particular research, if you do any collection of data on circumvention tools, I think this is a very exciting time to be looking at Iran's internet ecosystem. Thank you.

Thank you. We have five minutes now for questions and answers.
So if you have questions for Mahsa, please go to one of the four microphones, and I would like to ask you to please say your question slowly into the microphone, because it's being recorded. Okay, we start with, yes, that microphone.

So one thing first is a statement, not a question: if you are in Iran, do not ever use your banking, whatever banking, without VPN, and then, because they're gonna block it, you're gonna have to go back to your bank and, like, reopen it. But the question is: how much do you know about the relationships with other governments, like foreign governments or foreign companies, on the filters and, like, further developments? Because I know from Rodin Schwartz, like a year ago when I was there, they were talking about the relationship with the filters in, I don't know, Syria maybe, and that they're not officially related, but they were sort of used.

Yeah, I'm not a particular expert on Syria, but I do know that they have exchanged technology and knowledge with the Syrian government, because they are very close with the Assad regime.

I meant more specifically, like, companies in Europe and in the US.

Yeah, so because of sanctions, I know the US don't really. I do know Europe does work, but I know the country that they turn to most for censorship technology would be China, and I know that in the past they heavily relied on Chinese technology for censorship and surveillance material. But recently they've been shifting towards local vendors and using more locally grown technology. Although it's hard to say; I don't have direct insight into what technology and where it's coming from, but maybe you have more insight and can tell me.

Thank you. Next question, please. Could you get a little closer to the microphone, please?

And my question was: when you go back to Iran, do you have any repression or problems?

Do I personally?

Yes, personally.
I haven't gone back to Iran since 2010, and because I do things like come and talk here on a recorded video, I generally don't.

It was my question exactly, and we should be aware that it's not democratic. So if they catch you, they do whatever they want with you. It's not like we control the police.

Yeah, I mean, and that's also another point I want to make: there's a lot of awesome unknown people doing work and doing research and activism on the Iranian internet that remain anonymous and use pseudonyms and can't do things like come here and talk. So yeah, that's a decision I've made. There's other people doing really amazing work that you probably will never see on a platform like this.

Okay, may I ask for the next question, please? Thank you.

Yeah, thanks for the great talk. I have a question about the certificate authorities there in the Iranian state. You said that foreign certificate authorities are blocked by the governmental filters, with your demonstration of one site of this blogger. Are there any certificate authorities in Iran not connected to the government, or not forced into giving the private key to the government, so that maybe foreign sites could just adjust their certificate to an Iranian free or libre CA, and so could provide access for the people there?

That's a really good question. I don't think I have the knowledge or expertise to fully answer it, but I will point you towards the Small Media report that really delved into this. They did, like, months of research, and I think the person you would probably want to talk to would be, I mean, so Betty. I could only sort of guess, and I'm not sure if it's broadly done on every website, because there's obviously a lot of websites using foreign SSL certificates that are not blocked, but if it's sensitive, it's more likely to get blocked in Iran.

Thank you very much.

Thank you. Are there any questions from the internet?
Yes, okay, the internet, please.

So, question: since there seems to be a lot of trouble politically-wise, is there a hacker scene in Iran, like there is in Europe or in the USA?

Yeah, yeah, there is a hacker scene, and there's, like, an emerging open-source community doing a lot of cool work. Yeah, totally, the scene exists. I'm sure a lot of them would have loved to have been here.

And the internet again.

A lot of people in Iran, I know, use VPNs. Have you heard of VPN providers cooperating with the government?

Yeah, that's another big security concern that I didn't cover in this talk, which is that, like, using VPNs is ubiquitous, basically, in Iran. Even members of the government use it. I think there was even a photo of someone in one of the ministries; they had this iPhone on their desktop, and it was pictured in a famous photo that went viral. But one of the concerns is, like, the government is actually providing their own VPN so they can access data on what people are connecting to through their own backdoor VPNs.

We have one more question, and that's here in the back, please. Thank you.

Yeah, hi. So I was wondering if you have concrete cases about government monitoring data or using that as evidence in court cases, because we have always been speculating that these guys will go through the messages that we send and then they are going to use it against us, but we have never been able to prove it. Do you have any kind of case study on that?
There is the one really famous one that I'm sure you've heard of, the Sony Ericsson case, or, I think I'm getting the company right, back in 2009, where they tracked it through the cell phone company. So that's the most concrete case, but I suppose there aren't that many known, and that's one of the problems with instilling sort of a culture of digital security in Iran, because most people are afraid of physical surveillance. They think that if they're arrested and they take their computers physically, that's the actual concern, not so much using encrypted email or encrypted chat. So that might be part of it, and I'm sure there are; I couldn't name them to you right now, but the most famous would be from 2009, when they were working with Ericsson.

Okay. Thank you. Thank you so much for coming today.