Coverage of the recent cyberattack on October 26 against gas stations across Iran has generated expected outcomes, with images of long lines of cars and endless speculation over the perpetrator. While journalists photograph shut off gas pumps, hardline policymakers in Iran are seizing this opportunity to justify their latest attempt at restricting internet freedom.
Specifically, the cyberattack is already being used as an excuse to push forward the repeatedly stalled Cyberspace Users Rights Protection and Regulation of Key Online Services—euphemistically referred to as the “Protection Bill”—which conservative politicians have been railroading through parliament since July.
The Protection Bill would disrupt access to international services such as photo-sharing app Instagram—the only social media that is not currently blocked in Iran—and messaging apps like WhatsApp. As a law designed to accelerate the National Information Network (NIN)—Iran’s domestic internet, which is separate from the international internet—it would also place control over Iran’s internet infrastructure in the hands of the armed forces and security agencies.
The bill, however, has faced hurdles to advancing—twice failing to come to a committee vote after Iranian activists and citizens loudly objected. Despite the legislation’s unpopularity, lawmakers are set on passing this bill and have jumped on cyber security threats as a convenient way to push back against critics. As Mehrdad Weiss Karami, Secretary of the Parliament’s Joint Commission to review the Protection Bill, said on October 27, a day after the cyberattack: “As soon as people see that the enemy can hit the country in a cyberattack, it shows that we must pay special attention to the areas related to cyber defense and the laws that guarantee it.” Hardline outlet, Kayhan News, which is closely tied to the country’s Supreme Leader Ayatollah Ali Khamenei, similarly called for a redoubling of efforts towards the NIN on October 27.
In reality, the bill’s goal is to increase state control over cyberspace by further localizing services and platforms that Iranian users rely on. It would allow the Iranian government to place bandwidth restrictions on any international services that do not comply with authorities’ demands (namely, to localize their data in Iran). By making it even harder for ordinary Iranians to use common international messaging apps, social media platforms, and other communication tools, lawmakers hope to drive users onto state-controlled Iranian alternatives like local cloud services and messaging apps, thus, making future shutdowns of communication even easier. The bill would also place full control of the internet gateway into the hands of the General Staff of the Armed Forces–Iran’s version of the Joint Chiefs of Staff—turning Iranian cyberspace into an extension of the police state.
The Protection Bill would increase the Islamic Republic’s internet censorship and surveillance capacity without disturbing the daily flow of business or the lives of most Iranian internet users. The only effect the bill would have on cyberattacks, according to internet freedom advocates, would be to make Iranians more vulnerable to them—as increased localization means Iran-based services would have a harder time keeping up with ever-changing international security protocols and updates.
In a country that already struggled with disconnection from the outside world, including seven internet shutdowns over the past five years—primarily during periods of mass street protest and organized dissent, such as the November 2019 protests in which security forces arrested and killed thousands—this proposed legislation is cause for alarm.
In international internet-governance circles, internet localization is seen as positive, fostering domestic technical capacity and economic growth, and are centrally valuable goals that don’t come at the expense of internet freedom. In Iran, unfortunately, every step towards more localization has meant more state capacity to control, monitor, and punish digital content and communication. Ignoring that trend could have ripple effects beyond Iran’s borders.
Repressive governments around the world—from Pakistan to Russia to China—are trying to restrict Internet freedoms, having learned from each other’s experiences. Most of these countries follow the same pattern of developing local internet intent on controlling the flow of information, enforcing data localization requirements for foreign-based firms, building local tools and services, and, finally, encouraging their citizens to use them at the cost of their privacy, security, and safety. Iran’s NIN has been one of the fullest adoptions of this model.
Nevertheless, so far, Iran has not fully succeeded, because as long as there is broad access to the outside world, Iranian users—with the help of circumvention tools—have managed to get around state controls. The Protection Bill represents one of the most aggressive legal attempts by any state to force a restrictive national internet on its population, and no one should be distracted by claims that it would enhance the cyber security of gas stations. If international internet governance and human rights bodies fail to condemn Iran’s Protection Bill and the trend towards restrictive forms of localization, it could see threats to internet freedom ratchet up around the world.
Source » atlanticcouncil