preroll music
Herald: Good evening, thank
you for joining us tonight,
here at the CCC in Hamburg.
And also thank you for everyone
tuning in around the
world via our livestream.
I'm very, very honored and excited
to introduce our new... next guest,
Mahsa Alimardani?
laughs
- it was my attempt to say the name Mahsa
Alimardani - she's an Iranian-Canadian
researcher and activist.
Mahsa is finishing her master's
degree and is a research assistant
at the Deja Active Lab, both at
the university of Amsterdam,
and her focus is on freedom of
expression and access to information
in Iran. She's also the editor
of the Global Voices Iran
and today she will be sharing some
of her research findings with us
about the censorship situation
in Iran on mobile platforms.
With that I would like to ask you to
help me welcome Mahsa Alimardani!
applause
Mahsa Alimardani: Thank you Sonia,
for the nice introduction,
and thank you all for
coming to this session,
I know there's a lot of awesome
computing sessions happening right now.
And, so, just to introduce you a little
bit to the Iranian internet ecosystem.
So, there are some realities,
you should know about it.
decent laughter
Yes, if you're thinking of traveling to
Iran I'd tell this to everyone: Do go!
It's awesome, it's amazing,
it's a beautiful country.
Although, take into consideration
the type of work that you do and
the type of public profile
you have when you do go.
If you do go do set up TOR relays
'cause that's really helpful to people
accessing the internet in Iran.
And one of the things you should
know that the Iranian internet,
it's often known as the Filter Net.
And Filter Net sort of has been the name
ascribed to the internet
because of the censorship
that happens in Iran.
I think out of the whole
world Iran would come
second after China in the terms
of the pervasiveness of censorship
and internet controls around the world.
Something that you might not know is
that it is also known as the "Kondnet"
and "kond" means "slow".
The fact that the internet
is often throttled in Iran,
and the speeds are very slow,
and the fact that it can be very
frustrating sometimes to upload a page
it also has the name of "Kondnet".
So, this talk will sort of describe this,
I'll talk on Mobile Censorship
and how they will focus on that.
I just wanna take a sort of broader view
and to look at more general
look at internet policy in Iran
and just before I sort of delve into it...
The reason why I really
wanted to get this talk at
a conference like the CCC is
because I know this is a community
full of lots of different
expertise in terms of
Digital Security,
in terms of Circumvention.
So, bringing awareness and sort
of knowledge in focus on Iran
I think is kind of exciting
in a community like this
'cause a lot of help and
a lot of aid can go towards
access to internet in Iran
from a group of people like you.
So: just a broad look at what the internet
infrastructure's like in Iran is.
The Ministry of Information,
Communication and Technology (ICT)
runs the Telecommunications
Company of Iran
and this company is also responsible
for the main ISP of Iran which is the
Data Communication Company of Iran.
So, in effect they control all
internet traffic that goes into Iran
and all ISP's both private and
government are controlled through
the Data Communication Company of Iran.
So this company in effect becomes
the point where filtering can occur
and the blocking of pages or
the blacklisting of keywords occurs.
Oftentimes the Telecommunications
Company uses proxy servers
for surveillance by logging all
unencrypted internet traffic that goes on
in Iran which is why it's really important
for pages that are being used
especially by Iranians if not
everywhere else in the world
to have https for all
Mobile Applications to be using
encryption technology
and things like that.
Now, all of these things
are really concerning as it is
the fact that the government has so
much access to data over the internet.
What's even more concerning
is looking at this chart here.
So this is the overall view
of the institutions responsible
for internet policy in Iran.
And you see at the very top
there is the Supreme Leader. Although
Iran does have no active president,
ultimately, the Supreme Leader
has the Veto Power
and is in effect really
the official Head Of State.
And so while the ministry of ICT is part
of the elected administration
the Supreme Leader has ultimate power.
And what is particularly
concerning here is while we have
the ministry of ICT here on the right
and then you have the Telecommunications
Company. And then you have
the ISP provider in Iran. You then
have the Revolutionary Guards
which are a para-military
organization in Iran
who are not accountable
to the elected government.
They're ultimately only accountable
to the Supreme Leader.
They own the largest share of the
Telecommunications Company of Iran.
This is particularly concerning because
a group like the Revolutionary Guards
are the ones who are oftentimes
responsible for
various surveillance programs,
for arrests of dissidents.
One of their offshoots, the Basij
were the ones on the streets,
arresting and beating up protesters
during the 2009 Green Movement.
So the fact that they have access to
this kind of data it's very concerning
in why things like digital security are of
the upmost importance in Iran.
Just a little brief overview of why
this sort of history started in Iran.
It's not always been like this.
This started during the Reformer's era
in Iran which were the late 90ies.
This was a period where
relative to the Iranian context
which is a Islamic theocracy there was
more progressive politics
and the hardline elements which aren't
often accountable to the electorate
in Iran kind of clashed with the
Reformer's Government that was in power
and so the surge in Reformer's
jounalists that were
in traditional print media meant
that they could start migrating online
in the early 2000's, late 90ies, when
blogging was becoming really popular
and the technology to use Persian unicode
was becoming more pervasive.
During this time the government
sort of realized that there's
this space that's not
being controlled at all.
And so filtering of pages
started early on in 2001
but there was no real systematic
procedure for this filtering.
So they came up with the
Cybercrimes Law in 2006.
But that sort of lay
floating around until 2009
when the internet became
a really big deal because,
I'm sure some of you have
heard of the Twitter Revolution
which sort of came out after 2009
Green Movement. And it was at that point
- when Iranians were coming out en masse
onto the streets protesting
what they claimed to be a fraudulent
election - that the Iranian Government
shut down the internet. And so
after this period they codified
the Cybercrimes Law to sort of ensure
a more systematic way of filtering
various pages including Twitter
and Facebook, that came out of it.
And then following this you
had the Revolutionary Guard's
establishment of Gerdab which is
a Cyber Command Center
which is now responsible for
the arrest of many different bloggers
and activists in Iran. And then in 2011
because there wasn't enough
control over the internet
they set up the FATA, a police force,
from the police forces.
While they do sort of take care
of things like cybercrime
in terms of banking, in identity theft,
they also are responsible
for the arrests of various bloggers.
There was one popular case in 2012
of Sattar Beheshti, who had public
dissident posts against the government.
And then finally in 2012
the Supreme Leader who has
quite a grand name of its own decided
to setup a very Sci-fi-esque body
- at least in the English language -
called the Supreme Council of Cyberspace.
audience amused
This body basically would be responsible
for all of the Internet Policy
in Iran. And this really marked
a turning point in Iran where
cyberspace and internet became
a key issue of National Security;
not only were there concerns
of cyber attacks from the United States
and Israel, there was also
big concerns of dissidents
and various movements that could
sort of emerge through Social Media
and the blogs. And so all the
decision making would occur through
the members that they decided to appoint
to this council. And it's a mixed bag
of different ministers as well as
unelected officials and experts.
Over the years they've had various
different programs to try to control
the internet and most recently
in last March they came up with
another grand sounding
program called Spider.
Spider was a project of the Revolutionary
Guards where they sort of
talked about doing blanket surveillance
over all Social Media activities,
activities of Iranians which technically
- if any of you know anything about
how Facebook or how Twitter works -
it's quite hard. If posts are private
it's hard to delve into them.
Anyways, so what is key to understanding
about the internet climate right now
is that there is a moderate president
Rohani who came into power
on a platform of many
different progressive policies
one of which was Internet Freedom.
And so they've had many
different progressive moments.
They shut down the hardline judiciary's
attempts to block Whatsapp e.g.
and they've promised not to really
shut down any other platform
or censor anything unless there is
a legitimate replacement for them
and this is a quote by
the minister of ICT.
But at the same time
they've been trying to cater to
some of the hardline elements
and try to sort of balance out
their Internet Freedom policies with
programs like intelligent filtering,
which would mean not blocking
entire platforms outright but
blocking individual pages.
This program... about 66 Mio. Dollars
has been spent on this program
from the ICT budget. And overall
it's been a bit of a failure.
I worked on a piece of research
with Frederic Jacobs that sort of
underlined how the intelligent filtering
on Instagram, which was
the most tangible,
resolved of this form of control.
was only occuring because
Instagram had failed to release
the https on the Mobile API.
So they were able to enable
intelligent filtering on the mobile
application but not on the browser.
Later on people found out that there was
still disruptions and images
weren't loading to Instagram even
after Instagram enabled https
over the Mobile API. And it turned out that
this was just collateral damage
from the fact that some of the
images on Instagram were also hosted
on Facebook which is
outright blocked in Iran.
So right now we're about to go
up to a election in Iran.
It's in February,
it's the Parliamentary Elections.
And typically during these
sensitive moments in Iran
they start playing around
with the internet and
this happened in 2013. There was
a significant throttling of the internet
leading up to the elections.
And right now there have been
some things spotted although
it's speculation whether or not
it's related to the elections at all.
Some websites with foreign
SSL certificates are being blocked.
There was one example of a
popular blogger based in Iran
named Jadi who has a
SSL certificate from Cloudflare
and his website was blocked.
And you'll notice that local certificates
won't be blocked because ultimately
they're controlled by the government.
This is a diagram formed by Smallmedia
that sort of explains how
the certificate authorities are ultimately
in the hands of the government
and data could potentially be shared.
There is also throttling of TLS in
November and the best example of this
was over TOR direct connections which,
you see, experienced a significant drop.
The shift towards mobile applications
and the fact that Iranians are
increasingly accessing the web through
their phones means that there's been
sort of a increased focus by
the government on mobile apps.
In order to sort of talk to this they've been
coming up with local alternatives
like WeChat has Dialog which sort of
you can see from the interface
that this local version is imitating that
application. Instagram had Lenzor.
But you kind of see that it's not
working as effectively because
if you look at the Cafe Bazaar Stats,
which is a platform where Iranians
download their apps, Lenzor
only has about 50000 users
while Instagram has
more than 9 Mio.
Viber had another imitation
out called Salam.
Salam was speculated to be
developed by the Basij.
So popular apps right now have...
there's Whatsapp and there's Viber
and Telegram in terms of
chats and communication.
Telegram is the most popular right now
and that's mainly because
Viber has been heavily
tampered with and
a lot of people don't trust Viber anymore
because the media has sort of
disparaged it in connection with Israel
and the Israeli Defense Forces (IDF).
And Whatsapp the second most
popular app has been experiencing
lots of network disruptions.
And so with this increasing shift
towards Telegram the media
has been focusing on also
highlighting that Telegram is
a place of moral corruption.
This is a picture from a semi-official
news source, FARS News,
sort of depicting how someone could be
dramming in Telegram.
So Telegram in Iran is really
controversial not only because
the government's really
concerned about it but
it had a really confusing
and weird relationship with Iran.
Starting in August, Bots and Stickers
started getting censored in Iran.
And the Bots and Stickers are one of the
reasons why Telegram is really popular
in Iran because the Bots allowed Iranians
to access content on the internet
without using a VPN
and the Stickers are oftentimes fun
and kind of rude and in Persian
which not a lot of apps have.
And so it's really popular.
But these got censored in August.
And the ministry announced that
the censorship was occuring
because of cooperation with Telegram,
but Telegram was very quick to deny this.
Pavel Durov came up and said that they
had not entered in to any agreements.
On top of that there's a respected community
of security experts have really
critizised the cryptography and
the security behind Telegram.
And this is especially worrysome
when you hear things like
30% of Telegram data is now being
stored in Iran which was a
announcement by the ministry of ICT
in Iran. But then again
Telegram was very quick to deny this,
again, saying that this is 100% bullshit.
laughter
And so the Telegram story continues.
I think it was in late November,
Pavel Durov made a announcement
saying that the ministry of ICT
had come to him demanding spying and
censorship capabilities from Telegram
which is really weird because
beforehand they thought they were
working together. And there's all sorts of
conspiracy theories about
how Pavel Durov got on a plane and went
to Tehran to meet with the minister Vaezi.
Noone really knows what happened,
all speculations and rumours.
Anyways, he comes out with this
announcement and then a few weeks later
it's like: "Oh, that was a fake email",
which is really odd and concerning
and no other internet company has ever
had anything happen like this.
He said that he received the fake email,
the ministry didn't actually contact him.
He never released the email.
It's all very strange and it led to
several advocacy organizations asking
for more transparency from Telegram.
But Telegram continues to be one of the
most popular apps in Iran.
What's notable about Telegram is that that
sort of sets a precedent for other
internet companies inside of Iran
especially as we move towards the removal
of sanctions. And companies like Facebook
and Twitter will be able to do business
with Iran potentially. And so noting these
kinds of behaviours and sort of holding
them to account is really important.
One last application that sort of
gaining ground in Iran and that
highlights one of the sort
of habits of Iranians is
Bisphone. Bisphone is this local app and
Security Researcher Kevin Miston
who I don't know if he's here [in the
hall] or not, but he's somewhere here
in the venue, has done some really cool
work into looking what exactly Bisphone is
'cause it's sort of this rising app
that's gaining a lot of popularity.
It apparently has connections, the
developers are loosely connected to
the government. It turns out that the
actual data collection over the ISPs is
connected to Iran's Telecommunications
Company. Which is very concerning but
Smallmedia recently did a report asking
Iranians what they thought about the
security of the apps that they use and the
tendency is that they either don't know
or it doesn't really
factor in as a big issue.
So security is a very low
priority for Iranians even though
it should be higher on their list.
They generally tend to go for
usability and fun features.
This kind of brings me
to the take aways of this talk which is:
Internet control in Iran is
quite pervasive, but it's not as
sophisticated as they would like.
It's especially important now
'cause there's been more arrests
of various bloggers, various people
who work in the Tech industry in Iran.
This might be particularly
problematic as we move towards
the Parliamentary Elections.
If you do particular research,
if you do any collection of data
and circumvention tools I think this is a
very exciting time to be looking at Iran's
internet ecosystem. Thank you!
applause
Herald: Thank you, we have 5
minutes now for question/answers.
So if you have questions for Mahsa
please go to one of the 4 microphones.
And I would like to ask you to
please say your question slowly
into the microphone because
it's being recorded.
audience mumbles amused
Question: Shall I start?
H: Ok we'll start with, yes, that microphone.
Q: So one thing first as a statement
not a question. If you are in Iran, do not
ever use your banking, whatever banking...
Mahsa: whispering Who's talking?
Q: ...without VPN. And then... because
they're gonna block it. You're gonna
have to go back to your bank and reopen
it. But the question is: Do you know...
how much do you know about the
relationships with other governments like
foreign governments or foreign companies
on the filters, there were... and like
further developments. Because I know from
Rohde&Schwarz like a year ago,
when I was there, they were talking about
the relationship with the filters in
I-don't-know Syria, maybe. And that they're
not officially related but they were used?
Mahsa: Yeah, I'm not a particular expert
on Syria but I do know that they have
exchanged technology and knowledge with
the Syrian Government 'cause they are
very close with the Assad Regime.
Q: I meant more specifically like
companies in Europe and in the US.
M: Yeah, so because of sanctions
I know the US don't really...
I do know Europe... is...
does work, but I know
the country that they turn to most for
censorship technology would be China.
And I know that in the past that they
heavily relied on Chinese technology
for censorship and surveillance material
but recently they've been shifting towards
local vendors and using more
locally grown technology.
Although it's hard to say. I don't have
direct insight into what technology
and where it's coming from. Maybe you
have more insight and can tell me.
H: Thank you, next question, please.
Q: Thank you to bring us the awareness
that we have to fight for our freedom
in internet or also to fight
leaders which try to...
H: Could you get a little closer to
the microphone, please!
Q: My question was: When you go back to
Iran, do you have any repression or
problems?
M: Do I personally?
Q: Yes. personally.
M: I haven't gone back to Iran since 2010
because I do things like come and
talk here on a recorded video
audience amused
I generally don...
applause
Q: It was my question exactly, and you
should be aware that it's no democratic
there so if they catch you they do
whatever they want with you.
It's not, like, we control the police...
M: Yeah, I mean that's also another point
I wanna make: There's a lot of
awesome unknown people doing work
and doing research and activism on the
Iranian internet that remain anonymous
and use pseudonyms and can't do
things like come here and talk, so
that's a decision I've made. There's other
people doing really amazing work that you
probably will never see
on a platform like this.
applause
H: Okay, may I ask on the next
question, please. Thank you.
Q: Yeah, thanks for the great talk! I have
a question about the certificate authorities
there in the Iranian State. You said that
foreign certificate authorities are
blocked by the governmental filters.
With your demonstration of one site...
of this blogger. Are there any certificate
authorities in Iran not connected to
the government, or not... are forced to
giving the private key to the government,
so that maybe foreign sites could just
adjust their certificate to an Iranian
free or libre CA and so could do an
access for the people there?
M: That's a really good question. I don't
think I have the knowledge or expertise
to fully answer it. But I will point you
towards the Smallmedia report that
really delved into this. They did like
months of research. I think the person
you would probably wanna talk to
would be Amin Sabeti. I could only
sort of guess and I'm not sure if
it's broadly done on every website,
'cause there's obviously a lot of websites
using foreign SSL certificates that
are not blocked, but if it's sensitive
it's more likely to get blocked in Iran.
Q: Thank you very much.
H: Thank you, are there any questions
from the internet?
looking out for Signal Angel
Yes? Aah, ok. The internet, please!
Signal Angel: So, question.
Since there seems to be a lot
of trouble politically-wise,
is there a hacker scene in Iran? Like
there is in Europe or in the USA?
M: Yeah, yeah there is a hacker scene
and there's a, like an emerging
open source community doing a lot of
cool work. Yeah, totally the scene exists.
I'm sure a lot of them would
have loved to have been here.
H: And the internet, again!
S: A lot of people in Iran, I know,
use VPNs. Have you heard of VPN providers
cooperating with the government?
M: Yeah, that's another big security
concern that I didn't cover in this talk,
w hich is like using VPNs is ubiquitous,
basically, in Iran. Even
members of the government use it.
I think there was even a photo of...
someone in one of the ministries, they
had Psiphon on their desktop and
it was pictured on a famous photo that
went viral. But one of the concerns is
like, the government is actually providing
their own VPN so they can access data
and what people are connecting to
through their own backdoored VPNs.
H: We have one more question, and that's
here in the back, please. You, yeah.
Q: Hi, so I have... I was wondering
if you have concrete cases
about government monitoring data or
using that as evidence in court cases.
Because we have always been
speculating that these guys
will go through the messages that we send
and then they're gonna use it against us.
But we have never been able
to prove it. Do you have
any kind of cases study on that?
M: There is the one really famous one that
I'm sure you've heard of,
the Sony-Ericsson case
- I think I'm getting the company right -
back in 2009 where they tracked
through the cell phone company.
So that's the most concrete case.
But I suppose there aren't
that many known,
and that's one of the problems with
installing sort of a culture of digital
security in Iran. Because most people
are afraid of physical surveillance,
this thing that if they're arrested and
they take their computers physically
- that's the actual concern, not so much
using encrypted email or encrypted chat.
So that might be part of it.
I'm sure there are. I couldn't
name them to you right now but the most
famous would be from 2009 when they were
working with Ericsson.
Q: Thank you.
H: Ok, thank you!
applause
H: And with that one more warm applause
for Mahsa. Thank you so much for
coming today, Mahsa, thank you!
postroll music
created by c3subtitles.de in 2016