Students at Amirkabir University of Technology in Tehran protest in September 2022. Image: Darafsh via Wikimedia Commons

Q&A: Amid growing censorship and malicious VPNs, protestors combat Iran’s ‘climate of fear’


Internet shutdowns, blocked platforms, malicious apps and a government set on stifling dissent — this is the current state of protest in Iran.

Since the death of 22-year-old Mahsa Amini in police custody last fall, Iranians have marched in the thousands against repressive hijab laws and to show displeasure with the regime of Iran’s supreme leader, Ayatollah Ali Khamenei. Having once taken over the streets of Tehran, the protests have now become more disparate, individualistic.

Building a snowman to depict a famous political prisoner. Publicly disavowing hijab rules. Dancing, hair down, in public.

Mani Mostofi has worked with some of those protestors. As director of the Miaan Group, a human rights organization focused on Iran, he and his team have been in touch with Iranians on the ground — documenting arrests; distributing VPNs, or virtual private networks; and working with protestors to secure social media accounts. In an interview with the Click Here podcast, Mostofi discusses the current state of Iran’s internet censorship, malicious VPNs, and how a combination of online and in-person repression has created a “climate of fear.”

This interview has been edited for length and clarity.

Click Here: When we spoke with a source in Iran this past fall, we had some pretty severe connection issues, in part because the government was slowing down the internet. What obstacles have you faced while working with protestors on the ground?

Mani Mostofi: We were doing a lot of network monitoring, so we were looking at connectivity during the protests. And what we were seeing was a range of ways of disrupting access to the internet. So there were internet shutdowns often targeting mobile data, and what an internet shutdown looks like in Iran is that you could use Iranian messaging apps, but you couldn't use WhatsApp or Telegram or internationally based Western apps. So we were in communication as much as possible under those circumstances with activists on the ground.

CH: And are you seeing differences between the fall and now in terms of digital connectivity or the way authorities are focused on what we think of as smaller protests?

MM: Yes, so Iran has been involved in different forms of censorship for a really long time. [The regime] can censor specific websites. It can censor specific applications. And then they do things which we could put under the category of internet shutdowns and disruptions. So these are ways of trying to fundamentally limit access — either in targeted ways or nationwide. What that means is nobody can access the internet of the world, but they could access the National Information Network, which is the main project of the Iranian government to facilitate all its controls.

The National Information Network is an internet that's inside the country, and it's designed around an infrastructure with entry points to the international internet that the government controls. And then it has all the services and conveniences the people expect from the internet mirrored domestically. So you could have your version of domestic Uber or Wikipedia or Google. Digital services are mirrored to some extent as part of this national information.

CH: So it’s a little bit like the great firewall of China.

MM: It's not a little bit — it's modeled on it. They see China as their role model when it comes to internet controls. And the major disruption periods like shutdowns or other sorts of disruptions are also partly calibrated to get people to give up on the international apps and move to the new ones.

CH: So the protests have died down and we're seeing these sort of individual protests happening, right? These small acts of civil disobedience that are going viral. Are you seeing a change in the tactics that are being used against the protestors?

MM: Yes. Iran is constantly evolving its tactics. Every time since 2019 when there's been a sizable protest movement, we've seen some sort of internet shutdown or disruption. What we saw with the most recent protests is much more diversification of the tools that they're using. So for example, they're doing internet shutdowns, but they're doing it on a curfew basis — so only during certain hours. They're also very focused on mobile data, and the reason for that focus — and the curfew focus — is they're trying to minimize disruption to the economy.

In 2019, the disruption was in the billions of dollars, and it was probably the same under the recent protests, even though we don't have solid projections yet. But businesses don't run as much on mobile data. The banks work on fixed internet [desktop computers on WiFi, not mobile phones]. So by being more surgical, which is really what we've seen, they're able to minimize disruption.

CH: What about VPNs? We often see people in countries like Iran use VPNs to access sites like WhatsApp or Telegram, which are blocked. How is the government dealing with that?

MM: The Iranian government has always disrupted VPNs, but now what we see is like a daily aggressive effort on their part to do it. Basically, they can find where a VPN is located and they can cut off that IP address. And we were seeing some major VPNs, like Google’s Outline, that were only functional for about two hours and then they would go down. And then someone would have to create a new IP address with Outline, and about two hours later that would be down.

The number one thing we heard from people inside of Iran was: "Do you have a VPN that works? None of my VPNs work." [Some] VPNs are working, but what's happening is that a user has to basically try four, five, six VPNs, so they find the one that allows them to use some application like WhatsApp or Signal or Telegram. Our fear is that they start using the domestic, government-approved VPNs, which are slowly being rolled out, because the chances of surveillance on those are pretty high.

CH: Surveillance within VPNs? Tell me a bit more about that.

MM: Yeah, I mean definitely. State-sponsored hackers have used the desire for people to get online against users and activists. So when Elon Musk announced that Starlink was going to be available inside Iran, circulating on social media sites were files that were being advertised as, "if you download this file onto your phone or your computer, you can get onto Starlink." And those files contained malware, and they were able to steal data off the user's device.

Then we saw a couple months later, the attack of a very popular VPN called Argo VPN, which was doing better than other VPNs and getting people online during all of this crisis. And all of a sudden fake versions of our Argo VPN were circulating, and those fake versions were forms of spyware. So that type of state-sponsored hacking and surveillance has definitely ramped up in this era, and it very strategically uses people's own desperation to get online against them to make the internet less secure for them.

CH: I guess what I'm wondering is how people in Iran are responding to this. Have they gotten creative in terms of VPNs?

MM: What I can say is there are VPNs being made inside and outside of Iran. And all these VPNs had to become more creative in how they deliver their services, how they structure their architecture. So for example, the internet privacy organization Tor — they're famous for their Tor Onion, which is a multi-layered, encryption-based search engine — they also have their own VPN. And what their VPN has that makes it relatively successful inside of Iran is the sheer number of IP addresses. It’s massive.

They have essentially a software that anyone — me or you — can just download and put on our computer. And the Tor VPN network can connect to our personal computers. So there's personal computers or small servers in the thousands and thousands and thousands that are on this Tor network — it's called the Snowflake Network — and because of that, it's just harder for the Iranian government to catch up.

CH: Would it be possible for the Iranian government to shut down those IP addresses, even if they do number in the thousands?

MM: Generally speaking, it's a cost-benefit analysis for them. They could eventually block that VPN. It's just, like, how much energy do they need to put into doing it successfully? And at a certain point, what the VPN providers or the security providers are trying to do is just outpace the Iranian government's resources.

What I would say is more important is the actual confiscation of devices. [The regime] arrested tens of thousands of people during these protests, and the first thing they did was confiscate their device. And then the second thing they would try to do was to get inside all of their social media channels — WhatsApp, Twitter, Instagram. Now we're hearing [that] a vast majority of arrests of protestors was at their home, which means they were identifying people who participated and then waited to get them later. But when they got to your home, they would essentially come and download your memory from your phone or your laptop almost immediately. So they wouldn't wait till they got to the interrogation location.

CH: I just wonder if, in a sense, when these protests are right in front of you, it’s easier [as the government] to just focus on the people on the street. But I’m wondering if the civil disobedience has them more on edge because you never know when it's going to pop up.

MM: Generally speaking, their attacks on the internet have slowed a little as mass protests have dissipated. That said, the overall repressive nature of the internet is notably and measurably worse than it was before these protests started. They're very good at creating a climate of fear.


Will Jarvis is a podcast producer for the Click Here podcast. Before joining Recorded Future News, he produced podcasts and worked on national news magazines at National Public Radio, including Weekend Edition, All Things Considered, The National Conversation and Pop Culture Happy Hour. His work has also been published in The Chronicle of Higher Education, Ad Age and ESPN.