<i>preroll music</i>

Herald: Good evening, thank
you for joining us tonight,

here at the CCC in Hamburg.
And also thank you for everyone

tuning in around the
world via our livestream.

I'm very, very honored and excited
to introduce our new... next guest,

Mahsa Alimardani?
<i>laughs</i>

- it was my attempt to say the name Mahsa
Alimardani - she's an Iranian-Canadian

researcher and activist.

Mahsa is finishing her master's
degree and is a research assistant

at the Deja Active Lab, both at
the university of Amsterdam,

and her focus is on freedom of
expression and access to information

in Iran. She's also the editor
of the Global Voices Iran

and today she will be sharing some
of her research findings with us

about the censorship situation
in Iran on mobile platforms.

With that I would like to ask you to
help me welcome Mahsa Alimardani!

<i>applause</i>

Mahsa Alimardani: Thank you Sonia,
for the nice introduction,

and thank you all for
coming to this session,

I know there's a lot of awesome
computing sessions happening right now.

And, so, just to introduce you a little
bit to the Iranian internet ecosystem.

So, there are some realities,
you should know about it.

<i>decent laughter</i>

Yes, if you're thinking of traveling to
Iran I'd tell this to everyone: Do go!

It's awesome, it's amazing,
it's a beautiful country.

Although, take into consideration
the type of work that you do and

the type of public profile
you have when you do go.

If you do go do set up TOR relays
'cause that's really helpful to people

accessing the internet in Iran.

And one of the things you should
know that the Iranian internet,

it's often known as the Filter Net.

And Filter Net sort of has been the name
ascribed to the internet

because of the censorship
that happens in Iran.

I think out of the whole
world Iran would come

second after China in the terms
of the pervasiveness of censorship

and internet controls around the world.

Something that you might not know is
that it is also known as the "Kondnet"

and "kond" means "slow".

The fact that the internet
is often throttled in Iran,

and the speeds are very slow,

and the fact that it can be very
frustrating sometimes to upload a page

it also has the name of "Kondnet".

So, this talk will sort of describe this,
I'll talk on Mobile Censorship

and how they will focus on that.
I just wanna take a sort of broader view

and to look at more general
look at internet policy in Iran

and just before I sort of delve into it...

The reason why I really
wanted to get this talk at

a conference like the CCC is
because I know this is a community

full of lots of different
expertise in terms of

Digital Security,
in terms of Circumvention.

So, bringing awareness and sort
of knowledge in focus on Iran

I think is kind of exciting
in a community like this

'cause a lot of help and
a lot of aid can go towards

access to internet in Iran
from a group of people like you.

So: just a broad look at what the internet
infrastructure's like in Iran is.

The Ministry of Information,
Communication and Technology (ICT)

runs the Telecommunications
Company of Iran

and this company is also responsible

for the main ISP of Iran which is the
Data Communication Company of Iran.

So, in effect they control all
internet traffic that goes into Iran

and all ISP's both private and
government are controlled through

the Data Communication Company of Iran.

So this company in effect becomes
the point where filtering can occur

and the blocking of pages or
the blacklisting of keywords occurs.

Oftentimes the Telecommunications
Company uses proxy servers

for surveillance by logging all
unencrypted internet traffic that goes on

in Iran which is why it's really important
for pages that are being used

especially by Iranians if not
everywhere else in the world

to have https for all
Mobile Applications to be using

encryption technology
and things like that.

Now, all of these things
are really concerning as it is

the fact that the government has so
much access to data over the internet.

What's even more concerning
is looking at this chart here.

So this is the overall view
of the institutions responsible

for internet policy in Iran.
And you see at the very top

there is the Supreme Leader. Although
Iran does have no active president,

ultimately, the Supreme Leader
has the Veto Power

and is in effect really
the official Head Of State.

And so while the ministry of ICT is part
of the elected administration

the Supreme Leader has ultimate power.
And what is particularly

concerning here is while we have
the ministry of ICT here on the right

and then you have the Telecommunications
Company. And then you have

the ISP provider in Iran. You then
have the Revolutionary Guards

which are a para-military
organization in Iran

who are not accountable
to the elected government.

They're ultimately only accountable
to the Supreme Leader.

They own the largest share of the
Telecommunications Company of Iran.

This is particularly concerning because
a group like the Revolutionary Guards

are the ones who are oftentimes
responsible for

various surveillance programs,
for arrests of dissidents.

One of their offshoots, the Basij
were the ones on the streets,

arresting and beating up protesters
during the 2009 Green Movement.

So the fact that they have access to
this kind of data it's very concerning

in why things like digital security are of
the upmost importance in Iran.

Just a little brief overview of why

this sort of history started in Iran.
It's not always been like this.

This started during the Reformer's era
in Iran which were the late 90ies.

This was a period where
relative to the Iranian context

which is a Islamic theocracy there was
more progressive politics

and the hardline elements which aren't
often accountable to the electorate

in Iran kind of clashed with the
Reformer's Government that was in power

and so the surge in Reformer's
jounalists that were

in traditional print media meant
that they could start migrating online

in the early 2000's, late 90ies, when
blogging was becoming really popular

and the technology to use Persian unicode
was becoming more pervasive.

During this time the government
sort of realized that there's

this space that's not
being controlled at all.

And so filtering of pages
started early on in 2001

but there was no real systematic
procedure for this filtering.

So they came up with the
Cybercrimes Law in 2006.

But that sort of lay
floating around until 2009

when the internet became
a really big deal because,

I'm sure some of you have
heard of the Twitter Revolution

which sort of came out after 2009
Green Movement. And it was at that point

- when Iranians were coming out en masse
onto the streets protesting

what they claimed to be a fraudulent
election - that the Iranian Government

shut down the internet. And so
after this period they codified

the Cybercrimes Law to sort of ensure
a more systematic way of filtering

various pages including Twitter
and Facebook, that came out of it.

And then following this you
had the Revolutionary Guard's

establishment of Gerdab which is
a Cyber Command Center

which is now responsible for
the arrest of many different bloggers

and activists in Iran. And then in 2011

because there wasn't enough
control over the internet

they set up the FATA, a police force,
from the police forces.

While they do sort of take care
of things like cybercrime

in terms of banking, in identity theft,
they also are responsible

for the arrests of various bloggers.
There was one popular case in 2012

of Sattar Beheshti, who had public
dissident posts against the government.

And then finally in 2012
the Supreme Leader who has

quite a grand name of its own decided
to setup a very Sci-fi-esque body

- at least in the English language -
called the Supreme Council of Cyberspace.

<i>audience amused</i>

This body basically would be responsible
for all of the Internet Policy

in Iran. And this really marked
a turning point in Iran where

cyberspace and internet became
a key issue of National Security;

not only were there concerns
of cyber attacks from the United States

and Israel, there was also
big concerns of dissidents

and various movements that could
sort of emerge through Social Media

and the blogs. And so all the
decision making would occur through

the members that they decided to appoint
to this council. And it's a mixed bag

of different ministers as well as
unelected officials and experts.

Over the years they've had various
different programs to try to control

the internet and most recently
in last March they came up with

another grand sounding
program called Spider.

Spider was a project of the Revolutionary
Guards where they sort of

talked about doing blanket surveillance
over all Social Media activities,

activities of Iranians which technically

- if any of you know anything about
how Facebook or how Twitter works -

it's quite hard. If posts are private
it's hard to delve into them.

Anyways, so what is key to understanding
about the internet climate right now

is that there is a moderate president
Rohani who came into power

on a platform of many
different progressive policies

one of which was Internet Freedom.

And so they've had many
different progressive moments.

They shut down the hardline judiciary's
attempts to block Whatsapp e.g.

and they've promised not to really
shut down any other platform

or censor anything unless there is
a legitimate replacement for them

and this is a quote by
the minister of ICT.

But at the same time
they've been trying to cater to

some of the hardline elements
and try to sort of balance out

their Internet Freedom policies with
programs like intelligent filtering,

which would mean not blocking
entire platforms outright but

blocking individual pages.

This program... about 66 Mio. Dollars
has been spent on this program

from the ICT budget. And overall
it's been a bit of a failure.

I worked on a piece of research
with Frederic Jacobs that sort of

underlined how the intelligent filtering
on Instagram, which was

the most tangible,
resolved of this form of control.

was only occuring because
Instagram had failed to release

the https on the Mobile API.
So they were able to enable

intelligent filtering on the mobile
application but not on the browser.

Later on people found out that there was
still disruptions and images

weren't loading to Instagram even
after Instagram enabled https

over the Mobile API. And it turned out that
this was just collateral damage

from the fact that some of the
images on Instagram were also hosted

on Facebook which is
outright blocked in Iran.

So right now we're about to go
up to a election in Iran.

It's in February,
it's the Parliamentary Elections.

And typically during these
sensitive moments in Iran

they start playing around
with the internet and

this happened in 2013. There was

a significant throttling of the internet
leading up to the elections.

And right now there have been
some things spotted although

it's speculation whether or not
it's related to the elections at all.

Some websites with foreign
SSL certificates are being blocked.

There was one example of a
popular blogger based in Iran

named Jadi who has a
SSL certificate from Cloudflare

and his website was blocked.
And you'll notice that local certificates

won't be blocked because ultimately
they're controlled by the government.

This is a diagram formed by Smallmedia
that sort of explains how

the certificate authorities are ultimately
in the hands of the government

and data could potentially be shared.

There is also throttling of TLS in
November and the best example of this

was over TOR direct connections which,
you see, experienced a significant drop.

The shift towards mobile applications
and the fact that Iranians are

increasingly accessing the web through
their phones means that there's been

sort of a increased focus by
the government on mobile apps.

In order to sort of talk to this they've been
coming up with local alternatives

like WeChat has Dialog which sort of
you can see from the interface

that this local version is imitating that
application. Instagram had Lenzor.

But you kind of see that it's not
working as effectively because

if you look at the Cafe Bazaar Stats,
which is a platform where Iranians

download their apps, Lenzor
only has about 50000 users

while Instagram has
more than 9 Mio.

Viber had another imitation
out called Salam.

Salam was speculated to be
developed by the Basij.

So popular apps right now have...
there's Whatsapp and there's Viber

and Telegram in terms of
chats and communication.

Telegram is the most popular right now
and that's mainly because

Viber has been heavily
tampered with and

a lot of people don't trust Viber anymore
because the media has sort of

disparaged it in connection with Israel
and the Israeli Defense Forces (IDF).

And Whatsapp the second most
popular app has been experiencing

lots of network disruptions.
And so with this increasing shift

towards Telegram the media
has been focusing on also

highlighting that Telegram is
a place of moral corruption.

This is a picture from a semi-official
news source, FARS News,

sort of depicting how someone could be
dramming in Telegram.

So Telegram in Iran is really
controversial not only because

the government's really
concerned about it but

it had a really confusing
and weird relationship with Iran.

Starting in August, Bots and Stickers
started getting censored in Iran.

And the Bots and Stickers are one of the
reasons why Telegram is really popular

in Iran because the Bots allowed Iranians
to access content on the internet

without using a VPN
and the Stickers are oftentimes fun

and kind of rude and in Persian
which not a lot of apps have.

And so it's really popular.
But these got censored in August.

And the ministry announced that
the censorship was occuring

because of cooperation with Telegram,
but Telegram was very quick to deny this.

Pavel Durov came up and said that they
had not entered in to any agreements.

On top of that there's a respected community
of security experts have really

critizised the cryptography and
the security behind Telegram.

And this is especially worrysome
when you hear things like

30% of Telegram data is now being
stored in Iran which was a

announcement by the ministry of ICT
in Iran. But then again

Telegram was very quick to deny this,
again, saying that this is 100% bullshit.

<i>laughter</i>
And so the Telegram story continues.

I think it was in late November,

Pavel Durov made a announcement
saying that the ministry of ICT

had come to him demanding spying and
censorship capabilities from Telegram

which is really weird because
beforehand they thought they were

working together. And there's all sorts of
conspiracy theories about

how Pavel Durov got on a plane and went
to Tehran to meet with the minister Vaezi.

Noone really knows what happened,
all speculations and rumours.

Anyways, he comes out with this
announcement and then a few weeks later

it's like: "Oh, that was a fake email",
which is really odd and concerning

and no other internet company has ever
had anything happen like this.

He said that he received the fake email,
the ministry didn't actually contact him.

He never released the email.
It's all very strange and it led to

several advocacy organizations asking
for more transparency from Telegram.

But Telegram continues to be one of the
most popular apps in Iran.

What's notable about Telegram is that that
sort of sets a precedent for other

internet companies inside of Iran
especially as we move towards the removal

of sanctions. And companies like Facebook
and Twitter will be able to do business

with Iran potentially. And so noting these
kinds of behaviours and sort of holding

them to account is really important.

One last application that sort of
gaining ground in Iran and that

highlights one of the sort
of habits of Iranians is

Bisphone. Bisphone is this local app and
Security Researcher Kevin Miston

who I don't know if he's here [in the
hall] or not, but he's somewhere here

in the venue, has done some really cool
work into looking what exactly Bisphone is

'cause it's sort of this rising app
that's gaining a lot of popularity.

It apparently has connections, the
developers are loosely connected to

the government. It turns out that the
actual data collection over the ISPs is

connected to Iran's Telecommunications
Company. Which is very concerning but

Smallmedia recently did a report asking
Iranians what they thought about the

security of the apps that they use and the
tendency is that they either don't know

or it doesn't really
factor in as a big issue.

So security is a very low
priority for Iranians even though

it should be higher on their list.
They generally tend to go for

usability and fun features.
This kind of brings me

to the take aways of this talk which is:
Internet control in Iran is

quite pervasive, but it's not as
sophisticated as they would like.

It's especially important now
'cause there's been more arrests

of various bloggers, various people
who work in the Tech industry in Iran.

This might be particularly
problematic as we move towards

the Parliamentary Elections.

If you do particular research,
if you do any collection of data

and circumvention tools I think this is a
very exciting time to be looking at Iran's

internet ecosystem. Thank you!

<i>applause</i>

Herald: Thank you, we have 5
minutes now for question/answers.

So if you have questions for Mahsa
please go to one of the 4 microphones.

And I would like to ask you to
please say your question slowly

into the microphone because
it's being recorded.

<i>audience mumbles amused</i>

Question: Shall I start?
H: Ok we'll start with, yes, that microphone.

Q: So one thing first as a statement
not a question. If you are in Iran, do not

ever use your banking, whatever banking...
Mahsa: <i>whispering</i> Who's talking?

Q: ...without VPN. And then... because
they're gonna block it. You're gonna

have to go back to your bank and reopen
it. But the question is: Do you know...

how much do you know about the
relationships with other governments like

foreign governments or foreign companies
on the filters, there were... and like

further developments. Because I know from
Rohde&Schwarz like a year ago,

when I was there, they were talking about
the relationship with the filters in

I-don't-know Syria, maybe. And that they're
not officially related but they were used?

Mahsa: Yeah, I'm not a particular expert
on Syria but I do know that they have

exchanged technology and knowledge with
the Syrian Government 'cause they are

very close with the Assad Regime.

Q: I meant more specifically like
companies in Europe and in the US.

M: Yeah, so because of sanctions
I know the US don't really...

I do know Europe... is...
does work, but I know

the country that they turn to most for
censorship technology would be China.

And I know that in the past that they
heavily relied on Chinese technology

for censorship and surveillance material
but recently they've been shifting towards

local vendors and using more
locally grown technology.

Although it's hard to say. I don't have
direct insight into what technology

and where it's coming from. Maybe you
have more insight and can tell me.

H: Thank you, next question, please.

Q: Thank you to bring us the awareness
that we have to fight for our freedom

in internet or also to fight
leaders which try to...

H: Could you get a little closer to
the microphone, please!

Q: My question was: When you go back to
Iran, do you have any repression or

problems?
M: Do I personally?

Q: Yes. personally.
M: I haven't gone back to Iran since 2010

because I do things like come and
talk here on a recorded video

<i>audience amused</i>
I generally don...

<i>applause</i>

Q: It was my question exactly, and you
should be aware that it's no democratic

there so if they catch you they do
whatever they want with you.

It's not, like, we control the police...
M: Yeah, I mean that's also another point

I wanna make: There's a lot of
awesome unknown people doing work

and doing research and activism on the
Iranian internet that remain anonymous

and use pseudonyms and can't do
things like come here and talk, so

that's a decision I've made. There's other
people doing really amazing work that you

probably will never see
on a platform like this.

<i>applause</i>

H: Okay, may I ask on the next
question, please. Thank you.

Q: Yeah, thanks for the great talk! I have
a question about the certificate authorities

there in the Iranian State. You said that
foreign certificate authorities are

blocked by the governmental filters.
With your demonstration of one site...

of this blogger. Are there any certificate
authorities in Iran not connected to

the government, or not... are forced to
giving the private key to the government,

so that maybe foreign sites could just
adjust their certificate to an Iranian

free or libre CA and so could do an
access for the people there?

M: That's a really good question. I don't
think I have the knowledge or expertise

to fully answer it. But I will point you
towards the Smallmedia report that

really delved into this. They did like
months of research. I think the person

you would probably wanna talk to
would be Amin Sabeti. I could only

sort of guess and I'm not sure if
it's broadly done on every website,

'cause there's obviously a lot of websites
using foreign SSL certificates that

are not blocked, but if it's sensitive
it's more likely to get blocked in Iran.

Q: Thank you very much.
H: Thank you, are there any questions

from the internet?
<i>looking out for Signal Angel</i>

Yes? Aah, ok. The internet, please!
Signal Angel: So, question.

Since there seems to be a lot
of trouble politically-wise,

is there a hacker scene in Iran? Like
there is in Europe or in the USA?

M: Yeah, yeah there is a hacker scene
and there's a, like an emerging

open source community doing a lot of
cool work. Yeah, totally the scene exists.

I'm sure a lot of them would
have loved to have been here.

H: And the internet, again!
S: A lot of people in Iran, I know,

use VPNs. Have you heard of VPN providers
cooperating with the government?

M: Yeah, that's another big security
concern that I didn't cover in this talk,

w hich is like using VPNs is ubiquitous,
basically, in Iran. Even

members of the government use it.
I think there was even a photo of...

someone in one of the ministries, they
had Psiphon on their desktop and

it was pictured on a famous photo that
went viral. But one of the concerns is

like, the government is actually providing
their own VPN so they can access data

and what people are connecting to
through their own backdoored VPNs.

H: We have one more question, and that's
here in the back, please. You, yeah.

Q: Hi, so I have... I was wondering
if you have concrete cases

about government monitoring data or

using that as evidence in court cases.

Because we have always been
speculating that these guys

will go through the messages that we send
and then they're gonna use it against us.

But we have never been able
to prove it. Do you have

any kind of cases study on that?
M: There is the one really famous one that

I'm sure you've heard of,
the Sony-Ericsson case

- I think I'm getting the company right -
back in 2009 where they tracked

through the cell phone company.
So that's the most concrete case.

But I suppose there aren't
that many known,

and that's one of the problems with
installing sort of a culture of digital

security in Iran. Because most people
are afraid of physical surveillance,

this thing that if they're arrested and
they take their computers physically

- that's the actual concern, not so much
using encrypted email or encrypted chat.

So that might be part of it.
I'm sure there are. I couldn't

name them to you right now but the most
famous would be from 2009 when they were

working with Ericsson.
Q: Thank you.

H: Ok, thank you!
<i>applause</i>

H: And with that one more warm applause
for Mahsa. Thank you so much for

coming today, Mahsa, thank you!

<i>postroll music</i>

created by c3subtitles.de in 2016