July 11, 2019
Over the last six years Iran’s digital sector has established itself as a core pillar of the nation’s economy. This largely comes on the back of significant investments in internet infrastructure, which have resulted in near-universal access to mobile internet in urban centers and a dramatic improvement in internet speeds nationwide. At the same time, President Rouhani and the Information and Communications Technology (ICT) Minister Mohammad-Javad Jahromi have attempted (dubiously) to position themselves as champions of the start-up community.
Yet despite these positive developments, the growth of Iran’s tech sector is being limited by continued low levels of public trust in Iranian technology companies. This comes in part as a result of the Iranian government’s failure to introduce legal protections that can guarantee citizens’ privacy and security online. The public image of Iranian tech companies is further undermined by reports of state-aligned institutions providing support to technologists to develop domestic apps, thereby potentially co-opting them into the state’s surveillance apparatus.
The first issue came to the fore when Google removed two “forked” versions of the messaging app Telegram – Talagram and Hotgram – from its Play Store, citing privacy and security concerns. The apps used Telegram’s application programming interface (API) to provide users with continued access to the platform after its ban in April 2018, and were protected from filtering in return for blocking access to a number of channels, including foreign-based media organizations like BBC Persian. As a result, human rights groups (including Small Media and the Center for Human Rights in Iran) have consistently raised concerns over the surveillance threats posed to app users.
A second incident highlights another vulnerability among Iran’s digital business community – the failure to safeguard consumer data. In April, it came to light that a dataset containing the information of around 300,000 drivers for the ride-sharing company Tap30 had been made available online. Soon after the claims were made, Tap30 was forced to publicly admit the dataset had been stolen from its system. Although similar data leaks have happened in many countries around the world, what is worrying in this instance is the lack of clear judicial procedure for the state to investigate such incidents.
Jahromi the Start-Up Minister
Since being appointed ICT minister following Rouhani’s reelection in 2017, Jahromi has tried to make a name for himself as a young minister in step with Iran’s vibrant start-up community. But he hasn’t always been in entrepreneurs’ good books. As well as coming under fire for failing to prevent the filtering of Telegram, Jahromi has failed the digital community on two other fronts.
Firstly, Jahromi has failed to deliver a regulatory system that can help build trust in Iran’s digital businesses. The public’s lack of faith in domestic businesses to securely host their private information was evident during the initial push for the widespread adoption of domestic messaging apps — so much so that Iran’s Supreme Leader issued a fatwa in support of users’ online privacy in April 2018.
Jahromi reacted by announcing the fast-tracking of his Data Protection and Privacy bill through the Iranian Parliament. However, it has failed to receive approval from Rouhani and his cabinet, and thus has not yet been considered by members of parliament. Approval aside, even if the bill made it through parliament, it fails to counter the most intrusive elements of the 2010 Cyber Crimes Law, and will do little to limit the government’s powers to spy on citizens through domestic service providers.
Lastly, attempting to use Iran’s private sector to develop a surveillance infrastructure is bound to chip away at public trust in domestic tech companies. Indeed, public awareness has been drawn to the government’s financing of domestic tech companies involved in the creation of domestic messaging apps and forked versions of Telegram. In spite of these challenges, paths do exist toward the development of trust in Iran’s tech sector – but it will ultimately fall to key industry players to take the lead.
Where the Government has Failed, Start-ups Could Lead
The vast majority of Iranian tech start-ups are not implicated in Iran’s surveillance structure, nor are they set up to benefit from highly restrictive filtering regimes. With government plans to expand eGovernment services, it is inevitable that private companies will be asked to contribute. As a result, tech start-ups could play a leading role in defining and protecting digital rights in Iran.
The most obvious (and riskiest) route for start-ups is refusing to work with government projects linked to surveillance in the first place. Some tech companies have already done this – on April 14, Hamid Bazargar, the CEO of Tehran-based taxi company Maxim, denied Tehran City Council access to the company’s raw user data, stating that the privacy of its users is a red line it was unwilling to cross. Similarly, on May 26, the online retailer Zanbil.ir refused a request for information from Iran’s Cyber Police (or FATA).
Secondly, companies can go beyond poor legislative requirements by improving their own data protection policies. Basic moves such as providing proper and secure data storage and encrypting user data, as well as outlining and practicing comprehensive and transparent data processing procedures, will provide better protections for consumers and increase public faith in Iran’s domestic tech sector.
As long as tensions with the US do not catastrophically limit the growth of Iran’s digital sector, the digitalization of the economy will continue. Iranian officials are already discussing ambitious plans relating to smart cities and the Internet of Things. Such projects could deliver excellent value to Iranian citizens and the Iranian economy, or they could lead to unprecedented data gathering by the state in collaboration with new digital businesses (or a mixture of the two).
Although there are six pieces of legislation slated to come under parliamentary consideration in the near future, none of the proposed bills go as far as to roll back the intrusive Cyber Crime Law of 2010. If anything, should the bills pass without major amendments, they could end up further undermining citizens’ digital rights and stifling the country’s tech sector.
During Iran’s 2016 parliamentary elections, the pro-reform list of candidates tried to boost support among young voters by highlighting the government’s practice of filtering Telegram, knowing that most of these young voters were opposed to online censorship. The upcoming parliamentary election provides another such opportunity for tech entrepreneurs and the digital sector to raise their concerns about the inactivity and the counter-productive actions of policymakers when it comes to developing much-needed safeguards for privacy and cybersecurity in the digital economy. It is our hope that Iran’s elected representatives listen.