Technology companies offering services to Iran must ensure that any contracts they secure do not enable human rights violations through state-directed espionage or oppression, Dr. Mohamad Nayyeri, a visiting lecturer in law at the London School of Economics and co-director of London-based NGO Justice for Iran, has said.
Iran’s government has been heavily criticized by the United Nations, world leaders and international human rights bodies for using internet blackouts to conceal violent police crackdowns on peaceful anti-government protests, which have left hundreds of people dead. Whistleblowers in Iran have also accused the government of creating software to spy on political activists and human rights lawyers in the country.
The warning follows a 2017 complaint — believed to be the first of its kind involving Iran — filed by Justice for Iran, REDRESS and the Paris-based International Federation of Human Rights (FIDH), against Italian telecommunications company Italtel.
The NGOs lodged the complaint in Italy with the Organization for Economic Cooperation and Development (OECD) after growing concerns about the terms of a deal between Italtel and the Telecommunications Company of Iran (TCI).
Speaking to Kayhan Life, Dr. Nayyeri said JFI, REDRESS and FIDH had been monitoring deals made in Iran following the implementation of the Joint Comprehensive Plan of Action in January 2016, which enabled companies around the world to trade with the country. The investigation identified several agreements that appeared to pose a risk of causing or contributing to human rights abuses in Iran.
“The Italtel-TCI agreement stood out for us, and we found it extremely concerning for two main reasons. First, TCI has a monopoly over fixed-line telecom infrastructure and is owned and controlled by a consortium led by the Islamic Revolutionary Guard Corps (IRGC). As Iran’s most powerful military and security entity operating under the direct command of Iran’s Supreme Leader, it has been responsible for crushing political dissent and civil liberties throughout the country and in cyberspace,” Nayyeri said.
“The second reason is in relation to what Italtel agreed to provide to TCI. The agreement included some high-risk services and technologies that would equip Iranian security authorities including the IRGC with sophisticated means of not only monitoring and controlling telecommunications and cyberspace, but also more easily restricting the flow of information during times of widespread protest and political unrest.”
The complaint against Italtel alleged that the company had breached OECD guidelines (which Italy, where Italtel is headquartered, has signed up to) by failing to carry out appropriate human rights due diligence investigations before entering into the agreement with TCI.
Although the complaint was not upheld, the action drew Italtel’s attention to the direct link between TCI’s board of directors and the IRGC, which led to Italtel altering its behavior.
“Following the complaint, and arguably as a result of that, Italtel decided that they had to conduct a reassessment of the risks. Italtel also withdrew some of the items it had previously offered to provide to Iran,” Nayyeri said. “The original agreement included internet backbone technology. But now in a U-turn, Italtel changed its mind and declared that it would not perform that activity, or deliver that system. This was an important outcome with regard to the potential abuse of Italtel’s technology by TCI.”
Internet backbones are infrastructures which provide high-speed data transmission lines. As the largest data connections online, they provide a country with access to the global internet. However, this access can also be restricted by governments, affecting Iranians’ internet access and impacting their human rights.
Anicée Van Engeland, an associate professor at Cranfield Defense and Security, a university based at the UK Ministry of Defense’s Defense Academy, also expressed concern about the close connection between Iran’s government, its military arm and technology providers operating in the country.
“When looking at cyber, the authorities use triangulation to track dissidents online, thereby impacting freedom of expression. This is worrying as the online space for protest has shrunk, unless one has access to virtual private networks (VPNs),” Ms. Van Engeland told Kayhan Life.
“The newly elected President Ebrahim Raisi has been clear about his wish to use the law and courts to control freedom of expression and other human rights. His overall aim is to bring back the country on the original path of the Islamic Republic of Iran, using the rule of law — as he understands it — to do so. In that regard, it is highly likely that tech companies and services provided to Iran will be used to track down those who do not match the expected citizen profile.”
Ongoing attempts by the Iranian government to collect and store data about its citizens have been documented by researchers. A regime-run hacking group called Charming Kitten was discovered in April 2020, which cyber experts concluded was an Iranian government spying operation. The unsecured server had stored information collected from 42 million Telegram accounts, nearly all located in Iran.
According to US cybercrime intelligence company Intel471, the Iranian government has also developed malware and software for domestic espionage purposes, stealing sensitive information from its citizens and tracking Iranians abroad. The IRGC has also been implicated in several data grabs, including gaining unauthorized access to services and websites to spy on Iran’s population.
While Iran has implemented several laws which have data protection provisions, experts say the measures are inadequate. Furthermore, the 2019 draft Personal Data Protection Act, which claims to protect individuals’ rights and personal data online, could enable more surveillance and censorship, according to London-based human rights organization Article 19, which promotes and defends freedom of expression and information. The organization has accused the Iranian government of creating legislation with vague clauses which could hand over greater online control to the state and endanger the lives of journalists and campaigners under surveillance.
“There are basic protections in [Iran’s] Constitution and in a variety of laws, but they are currently insufficient to protect access and usage. The 2019 protection bill is insufficient as data can still be collected for national security purposes. While this is also the case in France or the UK, the concept of national security is defined differently, and combined with Iran’s laws on political crimes, the bill — if it were to become law — would complete a legal architecture aimed at criminalizing political opposition,” Van Engeland said.
“This use of the law to protect the Islamic Republic of Iran has existed since the inception of the regime and a large part of the legitimacy of the authorities lies in their compliance with the law: they wish to appear respectful of the rule of law, but their understanding of the rule of law is rather descriptive, stripping it of its human rights content.”
As the final stage of the nuclear deal negotiations in Vienna between Iran, the US and EU powers gets underway, any implementation of the deal — which is likely to include the lifting of US sanctions on Iran — could reopen the country for business and entice technology companies to Iran. Without the right checks and balances in place, these companies may become part of state-sanctioned oppression in Iran.
“It is about time that states and supranational institutions such as the EU enacted mandatory due diligence legislation, so due diligence expectations are not left to voluntary mechanisms that do not legally require companies to respect human rights,” Nayyeri said.