Report: Iran’s Government Accesses Social Media Accounts of Detainees
As protests spread in Iran, some worry the government is using technology to access mobile applications to surveil and suppress dissent.
“They told me ‘Do you think you can get out of here alive? We will execute you. Your sentence is death penalty. We have evidence, we are aware of everything,’” said Negin, whose name CNN changed at her request, for her safety.
Negin, who says she has been accused by Iranian authorities of running an anti-regime activist group on Telegram (an allegation she denies), said she has “some friends” who were political prisoners. “They put in front of me transcribed printouts of my phone conversations with those friends,” she said, and “questioned me on what my relationship with those people was.”
Negin thinks Iranian agents hacked into her Telegram account on July 12, when she realized another IP address had accessed it. While Negin was in prison, she said, Iranian authorities reactivated her Telegram account to see who tried to contact her and reveal the network of activists with whom she was in touch.
Negin was one of hundreds of protesters detained at Iran’s notoriously brutal Evin prison in northern Tehran in the first few weeks of demonstrations following the death in custody of Mahsa Amini.
Amini, a 22-year-old woman, had been apprehended by Iran’s morality police for apparently not wearing her hijab properly.
Human rights activists inside and outside of Iran have been warning for years about the Iranian regime’s ability to remotely access and manipulate protesters’ cell phones. And tech companies may not be well equipped to handle such incidents, experts say.
Amir Rashidi, Director of Digital Rights and Security at the human rights organization Miaan Group, said the methods described by Negin match the Iranian regime’s playbook.
“I myself documented many of these cases,” he said. “They have access to anything beyond your imagination.”
The Iranian government may have used similar hacking tactics to surveil the Telegram and Instagram accounts of Nika Shahkarami, the 16-year-old protester who died after a demonstration in Tehran on September 20. The Iranian authorities have always denied any involvement in her death, but a previous CNN investigation found evidence suggesting she was detained at the protests shortly before she went missing.
Iranian authorities still have not responded to CNN’s repeated inquiries about Nika’s death.
At least one tech company, Meta, has now opened an internal inquiry into activity on Nika’s Instagram account after her disappearance, CNN has learned.
After Nika went missing, her aunt and other protesters told CNN that her popular Instagram and Telegram accounts had been disabled. A week later, her family learned that she was dead. But the mystery over who had deactivated her social media accounts remained.
On October 12, two of Nika’s friends noticed her Telegram account briefly back online, they told CNN. Nika’s Instagram account was also briefly restored on October 28, more than a month after her disappearance and death, according to a screengrab obtained and verified by CNN.
As with Negin’s case, the reactivation of Nika’s accounts raises questions about whether Iranian authorities were responsible for accessing her social media profiles, allegedly to phish other protesters or compromise her after her death.
“Telegram is everything in Iran,” explained Rashidi. “It was more than just a messaging app before being blocked and still they managed to maintain their presence in Iran by just simply adding a proxy option in the app.”
“If users don’t have access to anything because of censorship, they still have access to Telegram,” he continued. “As a result, there is a lot of users’ data in Telegram and that’s why the Iranian government is interested in hacking Telegram.”
There are different ways the government could gain access to a person’s accounts or their network of contacts, according to experts. Negin, for example, said authorities “kept creating Telegram accounts using my SIM card, in order to see who I am in contact with.” In other cases, authorities could attempt to co-opt the two-factor authentication process, which is designed to provide greater security by texting or emailing a login code.
“Usually what happens is, they do the target phone number, then they send a login request to Telegram,” Rashidi told CNN. “If you don’t have 2-step verification, then they will intercept your text message, read the login code and easily get into your account.”
That’s why some Iranian activists cheered when Google introduced Google Authenticator in the country in 2016. It’s a two-step verification app that generates login codes on the phone itself rather than delivering them by text message, adding a layer of security for mobile phone users.
Crucially, however, the Iranian regime doesn’t even need telecommunication companies to work with them, according to Rashidi. “The Iranian government is running the entire telecommunication infrastructure in Iran,” he said.