How Iran is accessing the social media accounts of protesters to incriminate them, experts say

Share
  • December 19, 2022



CNN
 — 

In between being blindfolded, locked in solitary confinement, and interrogated in a wheelchair while she was on a hunger strike following her late September arrest, Negin says she had a realization: Iranian officials were using her private Telegram chats, phone logs and text messages to incriminate her.

“They told me ‘Do you think you can get out of here alive? We will execute you. Your sentence is death penalty. We have evidence, we are aware of everything,’” said Negin, whose name CNN changed at her request, for her safety.

Negin, who says she has been accused by Iranian authorities of running an anti-regime activist group on Telegram (an allegation she denies), said she has “some friends” who were political prisoners. “They put in front of me transcribed printouts of my phone conversations with those friends,” she said, and “questioned me on what my relationship with those people were.”

Negin thinks Iranian agents hacked into her Telegram account on July 12, when she realized another IP address had accessed it. While Negin was in prison, she said, Iranian authorities reactivated her Telegram account to see who tried to contact her and reveal the network of activists with whom she was in touch.

Negin was one of hundreds of protesters detained at Iran’s notoriously brutal Evin prison in northern Tehran in the first few weeks of demonstrations following the death in custody of Mahsa Amini. Amini, a 22-year-old woman, had been apprehended by Iran’s morality police for apparently not wearing her hijab properly.

A view of the entrance of Evin prison in Tehran, Iran October 17, 2022.

As protests spread in the country, much of the attention has focused on the Iranian government’s efforts to shut down the internet. But behind the scenes, some worry the government is using technology in another way: accessing mobile applications to surveil and suppress dissent.

Human rights activists inside and outside of Iran have been warning for years about the Iranian regime’s ability to remotely access and manipulate protesters’ cell phones. And tech companies may not be well equipped to handle such incidents, experts say.

Amir Rashidi, Director of Digital Rights and Security at the human rights organization Miaan Group, said the methods described by Negin match the Iranian regime’s playbook.

“I myself documented many of these cases,” he said. “They have access to anything beyond your imagination.”

CNN has reached out to the Iranian government for comment about Negin’s allegations but has not heard back.

The Iranian government may have used similar hacking tactics to surveil the Telegram and Instagram accounts of Nika Shahkarami, the 16-year-old protester who died after a demonstration in Tehran on September 20. The Iranian authorities have always denied any involvement in her death, but a previous CNN investigation found evidence suggesting she was detained at the protests shortly before she went missing.

Iranian authorities still have not responded to CNN’s repeated inquiries about Nika’s death.

At least one tech company, Meta, has now opened an internal inquiry into activity on Nika’s Instagram account after her disappearance, CNN has learned.

Screenshot of the Instagram account of Nika Shakharami before it was disabled. CNN has obscured the user names and profile pictures of commenters to protect their privacy.

After Nika went missing, her aunt and other protesters told CNN that her popular Instagram and Telegram accounts had been disabled. A week later, her family learned that she was dead. But the mystery over who had deactivated her social media accounts remained.

On October 12, two of Nika’s friends noticed her Telegram account briefly back online, they told CNN. Nika’s Instagram account was also briefly restored on October 28, more than a month after her disappearance and death, according to a screengrab obtained and verified by CNN.

As with Negin’s case, the reactivation of Nika’s accounts raises questions about whether Iranian authorities were responsible for accessing her social media profiles, allegedly to phish other protesters or compromise her after her death.

“Telegram is everything in Iran,” explained Rashidi. “It was more than just a messaging app before being blocked and still they managed to maintain their presence in Iran by just simply adding a proxy option in the app.”

“If users don’t have access to anything because of censorship, they still have access to Telegram,” he continued. “As results there are a lot of users’ data in Telegram and that’s why the Iranian government is interested in hacking Telegram.”

There are different ways the government could gain access to a person’s accounts or their network of contacts, according to experts. Negin, for example, said authorities “kept creating Telegram accounts using my SIM card, in order to see who I am in contact with.” In other cases, authorities could attempt to co-opt the two-factor authentication process, which is designed to provide greater security by texting or emailing a login code.

“Usually what happens is, they do the target phone number, then they send a login request to Telegram,” Rashidi told CNN. “If you don’t have 2-step verification, then they will intercept your text message, read the login code and easily get into your account.”

That’s why some Iranian activists cheered when Google introduced Google Authenticator in the country in 2016. It’s a two-step verification process that adds a layer of security for mobile phone users.

Crucially, however, the Iranian regime doesn’t even need telecommunication companies to work with them, according to Rashidi. “The Iranian government is running the entire telecommunication infrastructure in Iran,” he said.

After Nika’s disappearance, Meta launched an investigation into whether Nika herself had disabled the account or whether someone else was responsible. The investigation lasted nine days, from October 6 to October 14, according to a source at Meta who spoke to CNN on condition of anonymity.

The conclusion: “While we can’t share specific details about Nika Shahkarami’s account for privacy and security reasons, we can confirm Meta didn’t originally disable it,” a Meta spokesperson told CNN.

Meta also confirmed to CNN that Nika’s account “was briefly reactivated and memorialized for less than 24 hours” on October 27 “as a result of an internal process error, which we addressed by re-disabling the account.” Meta told CNN it found this error after CNN reached out for this investigation.

Meta also said it received direction from Nika’s family via one of the company’s trusted partners in Iran that they wanted Nika’s Instagram account to stay offline.

However, references in Iranian state media indicate authorities did access Nika’s Instagram account and direct messages, stating they had permission from the judiciary to access them.

A relative of Nika, who wanted to remain anonymous for fear of repercussions, told CNN the Tehran prosecutor’s office has been holding Nika’s phone since her death. “We went to the prosecutor’s office and found out that Nika’s phone is with Mr Shahriari (name of the prosecutor); I saw with my own eyes that it was in their hands,” the family member said.

Meta’s investigation highlights both the seriousness of the case and the limitations that American tech companies appear to have in addressing activists’ concerns about Iran’s handling of accounts.

Mahsa Alimardani, senior internet researcher at Article 19, a freedom of expression organization, also raised concerns about Telegram. “One time we asked them to reverse some edits that were done on a person’s account after her death, and they were not helpful. They didn’t get back to us. They didn’t try to fix the issue. No kind of support or help into that,” Alimardani said.

In response to CNN’s request for comment, Telegram spokesperson Remi Vaughn said: “We routinely process dozens of similar cases referred to us by activists from trusted organizations and disable access to compromised accounts. In every case we’ve investigated, either the device had been confiscated or the user had unwittingly made such access possible — by not setting a 2-Step Verification password or using a malicious app impersonating Telegram.”

“In countries with authoritarian rule, such as Iran, authorities can potentially intercept any SMS message,” Vaughn continued. “It is therefore important for users to enable Two-Step Verification, which requires an additional user-created password to be entered whenever logging in, in addition to the SMS login code. It is also important that such users use official Telegram apps from trusted sources.”

“To protect protesters, we have blocked thousands of posts that had attempted to deanonymize protestors and could have reached hundreds of thousands if not for our intervention. We are always proactively monitoring public-facing parts of our platform to find such misuse,” she concluded.

“Tech companies must work with civil society,” Rashidi said. “There are so many issues that they can work with us on them to make sure these platforms are safe, especially for those who are at risk.”

#Iran #accessing #social #media #accounts #protesters #incriminate #experts