Iran’s government gains access to the social media accounts of those it arrests. Tech companies seem ill-equipped to stop it
In between being blindfolded, locked in solitary confinement and interrogated in a wheelchair while on hunger strike after her arrest in late September, Negin says she had a realization: Iranian officials were using her private Telegram chats, phone logs and text messages to incriminate her.
“They told me ‘do you think you can get out of here alive? We want to execute you. Your sentence is the death penalty. We have evidence, we are aware of everything,'” said Negin, whose name CNN changed at her request, for her safety.
Negin, who says she has been accused by Iranian authorities of running an anti-regime activist group on Telegram (an allegation she denies), said she has “some friends” who were political prisoners. “They put in front of me transcribed transcripts of my phone conversations with these friends,” she said, and “asked me what my relationship with these people was.”
Negin believes Iranian agents hacked into her Telegram account on July 12, when she realized another IP address was accessing it. While Negin was in prison, she said, Iranian authorities reactivated her Telegram account to see who was trying to contact her and reveal the network of activists she was in contact with.
Negin was one of hundreds of protesters detained in Iran’s notoriously brutal Evin prison in northern Tehran during the first weeks of demonstrations following Mahsa Amini’s death in custody. Amini, a 22-year-old woman, had been detained by Iran’s morality police for apparently not wearing the hijab properly.
As protests spread across the country, much of the attention has focused on the Iranian government’s efforts to shut down the internet. But behind the scenes, some worry that the government is using technology in another way: accessing mobile applications to monitor and suppress dissent.
Human rights activists inside and outside Iran have warned for years about the Iranian regime’s ability to remotely access and manipulate protesters’ cellphones. And technology companies may not be well equipped to handle such incidents, experts say.
Amir Rashidi, director of digital rights and security at human rights organization Miaan Group, said the methods described by Negin fit the Iranian regime’s playbook.
“I have documented many of these cases myself,” he said. “They have access to everything beyond your imagination.”
CNN has reached out to the Iranian government for comment on Negin’s claims, but has not heard back.
The Iranian government may have used similar hacking tactics to monitor the Telegram and Instagram accounts of Nika Shahkarami, the 16-year-old protester who died after a demonstration in Tehran on September 20. Iranian authorities have always denied any involvement in her death, but an earlier CNN investigation found evidence suggesting she was arrested at the protests shortly before she went missing.
Iranian authorities have still not responded to CNN’s repeated inquiries about Nika’s death.
At least one technology company, Meta, has now opened an internal investigation into activity on Nika’s Instagram account after her disappearance, CNN has learned.
After Nika went missing, her aunt and other protesters told CNN that her popular Instagram and Telegram accounts had been disabled. A week later, the family learned that she had died. But the mystery of who had deactivated her social media accounts remained.
On October 12, two of Nika’s friends noticed her Telegram account briefly back online, they told CNN. Nika’s Instagram account was also briefly restored on October 28, more than a month after her disappearance and death, according to a screenshot obtained and verified by CNN.
As with Negin’s case, the reactivation of Nika’s accounts raises questions about whether Iranian authorities were responsible for accessing her social media profiles, allegedly to phish other protesters or compromise her after her death.
“Telegram is everything in Iran,” Rashidi explained. “It was more than just a messaging app before it was blocked, and yet they managed to maintain their presence in Iran by simply adding a proxy option to the app.”
“If users don’t have access to something due to censorship, they still have access to Telegram,” he continued. “As a result, there is a lot of user data in Telegram, which is why the Iranian government is interested in hacking Telegram.”
There are different ways authorities can gain access to a person’s accounts or contact network, according to experts. Negin said, for example, that authorities “kept creating Telegram accounts using my SIM card to see who I’m in contact with.” In other cases, authorities may try to opt for the two-factor authentication process, which is designed to provide greater security by sending text messages or emails with a login code.
“Usually what happens is they do the target phone number, then they send a login request to Telegram,” Rashidi told CNN. “If you don’t have 2-step verification, they will intercept your text message, read the login code and easily get into your account.”
That’s why some Iranian activists cheered when Google introduced Google Authenticator to the country in 2016. It’s a two-step verification process that adds a layer of security for cellphone users.
Crucially, however, the Iranian regime does not even need telecommunications companies to cooperate with them, according to Rashidi. “The Iranian government runs the entire telecommunications infrastructure in Iran,” he said.
After Nika’s disappearance, Meta launched an investigation into whether Nika herself had deactivated the account or whether someone else was responsible. The investigation lasted nine days, from Oct. 6 to Oct. 14, according to a Meta source who spoke to CNN on condition of anonymity.
The bottom line: “While we cannot share specific details about Nika Shahkarami’s account for privacy and security reasons, we can confirm that Meta did not initially disable it,” a Meta spokesperson told CNN.
Meta also confirmed to CNN that Nika’s account “was briefly reactivated and recalled for less than 24 hours” on October 27 “as a result of an internal processing error, which we resolved by re-deactivating the account.” Meta told CNN they found this error after CNN contacted them for this investigation.
Meta also said they received word from Nika’s family via one of the company’s trusted partners in Iran that they wanted Nika’s Instagram account to remain offline.
However, references in Iranian state media indicate that authorities gained access to Nika’s Instagram account and direct messages, saying they had permission from the judiciary to access them.
A relative of Nika, who spoke on condition of anonymity for fear of repercussions, told CNN that prosecutors in Tehran have kept Nika’s phone on hold since her death. “We went to the prosecutor’s office and found that Nika’s phone is with Mr Shahriari (name of the prosecutor); I saw with my own eyes that it was in their hands, the family member said.
Meta’s investigation highlights both the seriousness of the matter and the limitations US technology companies appear to have in addressing activists’ concerns about Iran’s handling of accounts.
Mahsa Alimardani, senior internet researcher at Article 19, a free speech organization, also raised concerns about Telegram. “Once we asked them to reverse some edits made to a person’s account after her death and they were no help. They didn’t get back to us. They did not try to fix the problem. No kind of support or help for that,” Alimardani said.
In response to CNN’s request for comment, Telegram spokesperson Remi Vaughn said: “We routinely process dozens of similar cases referred to us by activists from trusted organizations and disable access to compromised accounts. In every case we investigated, either the device had been confiscated or the user had unknowingly enabled such access – by not entering a 2-step verification password or using a malicious app pretending to be Telegram.”
“In countries with authoritarian rule, such as Iran, the government can potentially intercept all SMS messages,” Vaughn continued. “It is therefore important for users to enable two-step verification, which requires an additional user-created password to be entered each time they log in, in addition to the SMS login code. It is also important that such users use official Telegram apps from trusted sources.”
“To protect protesters, we have blocked thousands of posts that had attempted to de-anonymize protesters and could have reached hundreds of thousands if not for our intervention. We always proactively monitor parts of our platform to find such abuse, she concluded.
“Tech companies need to work with civil society,” Rashidi said. “There are so many issues that they can work with us on them to make sure that these platforms are safe, especially for those who are at risk.”