Iran: Cyberspace authorities ‘silently’ usher in draconian internet bill

ARTICLE 19 condemns the absolute lack of due process in the implementation of the draconian Internet User Protection Bill, which is being railroaded into partial implementation through the Supreme Council of Cyberspace (SCC) – despite the Iranian parliament’s lack of political will to ratify it. We call for the removal of the Internet User Protection Bill and an end to the SCC’s role in limiting freedom of expression and access to the internet in Iran. 

Iran’s SCC is technically helmed by the sitting President (currently Ebrahim Raisi), but is very much considered a mouthpiece and functionary of the office of the Supreme Leader. It is led by an unelected direct appointee of the Supreme Leader. On Tuesday, 6 September, Iranian news outlets reported that the SCC had ‘silently’ issued a directive the previous week, consolidating its control over online spaces by implementing 3 articles from the Protection Bill. 

“The SRC’s role in tightening the net in Iran is alarming,” said Saloua Ghazouani, ARTICLE 19’s Director for Middle East and North Africa. ARTICLE 19 has long been calling for a wholescale repeal of all elements of the Bill. However, this new attempt to silently usher in parts of the a Bill – proposals that do not even have enough support to pass through parliament – is an appalling act of circumventing the remaining due process left in the Islamic Republic of Iran. No parts of the Bill should be implemented, and especially not through an unaccountable body like the SRC.”

The 3 articles amongst the 22 of the Protection Bill set out the new role of a sub-group of the SCC, the Supreme Regulatory Commission (SRC). The first article sets out the definition of the SRC; the second its composition; and the third its duties and powers. 

As per the new directive’s Article 3, an executive arm of the SCC, the Supreme Regulatory Commission (SRC) will be repurposed to set bandwidth limits that would in practice determine what online content Iranians can access by ‘managing domestic and international traffic’ and ‘blocking’ platforms. The SRC’s role in regulating bandwidth is a core element of the Protection Bill that has yet to be ratified by the Iranian parliament. 

The SCC’s role in limiting access to global internet 

The SCC was created in 2012 by the Supreme Leader. It maintains the power to issue directives about internet policy that are not law but are binding as the SCC is born out of the Supreme Leader’s edict that says their directives “must be implemented”. 

ARTICLE 19 has reported about the steps the SCC has taken to limit bandwidth, especially since the heavy disruptions in fall of 2021. During October 2021, Iran experienced unprecedented disruptions. Local technology website ZoomIt released an investigative report that argued the disruptions were caused by ‘[international] bandwidth shortage’ in the country. Local internet servicepProviders (ISPs) had told ZoomIt that the ‘quality of service[1]  and  data rate’ of bandwidth provided by the government-run Telecommunication Infrastructure Company of Iran (TIC) , sole provider of bandwidth in Iran, had declined significantly.

Since Ebrahim Raisi took office as president in early August 2021, the SCC has not issued permits for purchase of bandwidth from international providers nor renewed expired permits. Many local media reports in Iran associated the significant problems accessing international internet services with this policy and its quiet but swift implementation. 

The Supreme Regulatory Commission becomes the chief censor

Central to the SRC’s enforcement role will be managing data localisation and internet services and companies complying with the Islamic Republic’s laws. These laws notoriously limit freedom of expression in accordance with the Islamic Republic’s laws on morality and national security, in contravention of international standards. The directive (Article 3) follows that the SRC will set the rules for acquiring permits for all the range of online activities that authorities have been known to monitor and endeavor to control: publication, content and access or sales of all elements of internet infrastructure. The SRC will then be responsible for enforcing and penalising these licensing regulations. 

The SRC will likely follow the mission of the Bill to enforce the Islamic Republic’s long-standing policy of requiring international tech companies to host Iranian users’ data inside the country, have legal representatives in Iran, comply with Iranian laws, and cooperate with the Iranian government in censorship and surveillance. The Protection Bill entailed similar requirements.

While the directive is vague about this, according to the recent draft of the Bill, refusal to comply will result in two censorship techniques implemented by the SRC: initially, throttling and, once the local alternative, the National Information Network (NIN) is developed, full blocking. In practice, however, international tech companies, especially firms with ties to the US, will legally be unable to accept these demands, due to the far-reaching US sanctions regime in place against the Islamic Republic of Iran.

The SRC will also set prices for “all online services” including, but not limited to, internet service providers (ISPs), for charging users for access to “online services”. Violating principles of net neutrality through pricing has long been a cornerstone of promoting the National Information Network (NIN) and incentivising or pushing users onto platforms and services that are controlled or monitored by the state.

Empowering the SRC means even less accountability and due process 

The SRC is known to be a body tightly affiliated and controlled by the allies of the Supreme Leader, Ali Khamenei. Criticisms by public those in Iran’s technology spaces have ridiculed this move that undermines the Islamic Republic’s constitution by delegating powers to one of its unelected and untransparent agencies that overlaps with the responsibilities of all three branches of power. The SRC will essentially be competing for responsibilities legally delegated to the Ministry of Information and Communications Technology (ICT), the Committee Charged with Determining Offensive Content (CCDOC or the ‘filtering committee’), the judiciary, and even the Supreme Council of Cyberspace itself. 

As per Article 2 of the directive, of the 12 voting members of the SRC, eight are direct or indirect appointees of the supreme leader and three are representatives of security agencies and armed forces.