Iran’s “Managing Social Messaging Apps” Bill Returns to Parliament

If passed, the “Managing Social Messaging Apps” bill could heavily diminish digital rights in Iran. We highlight the biggest challenges and some possible solutions.

After a year of slow moving progress, the “Managing Social Messaging Apps” bill returned to the Majles’ Parliamentary Cultural Committee in late 2019. It is the only one of the six ICT-related bills unveiled in 2018 to have made it this far — the other five (detailed in our special report Bills, Bills, Bills: Upcoming Policy Challenges in Iran, and How We Can Resist Them) remain on ice.

The bill’s primary objective is to provide support for the development and promotion of localised, domestically hosted messaging apps, and to restrict foreign messaging apps such as Telegram, WhatsApp and Signal. It also aims to formally define Iran’s “digital borders”, and to strengthen support for a localised, national internet.

With the bill’s prospects for passage through the Majles looking more likely in the wake of Principalist gains in February’s parliamentary elections, we’re taking the opportunity to review its implications, appraise its progress, and explain why the revisions proposed during the 2019 review process have done little to minimise the dangers it poses for digital rights in Iran.

Background // The Bill’s Origins

The first draft of the “Managing Social Messaging Apps” bill was handed to Majles’s Leadership Committee on 18 November 2018, with a total 95 supporting signatures from MPs. It was introduced as one of six major internet-related bills: eGovernance, Electronic Transaction, Electronic Identification, Intermediary Liability, Data Protection and Online Privacy and Managing Social Messaging Applications) unveiled in 2018.

The “Managing Social Messaging Apps” was the only bill out of the six not to be written by the ICT Ministry, but rather by a coalition of MPs belonging to the Majles’ “Cyber Faction”, with members largely (but not exclusively) drawn from the conservative Principlists Grand Coalition. Building on the momentum gained from the judiciary’s decision to filter Telegram in April 2018, the proposed legislation proposes to tightly regulate messaging apps, and create a supportive environment for the creation of domestic messaging services which can be more easily subjected to monitoring and control by state authorities.

Two years later, this is the only bill out of the six on the parliamentary agenda, following its return to the Majles late last year. The draft bill made a reappearance after criticism from some pro-reform MPs and members of Iran’s tech community. It was subsequently handed over for expert review by the Parliamentary Research Centre, as the next step of the legislative process.

The survival of this bill is undeniably important in context of Iran’s ICT policy-making landscape as well as the future of digital rights in the country. The delivery of a large Principalist majority in the 2020 parliamentary elections has reshaped the politics of the legislature. Given the conservative faction’s tough line in support of information controls, we cannot expect that the Majles will act to moderate elements of the draft bill that threaten digital rights.

If the bill is passed, it could also build momentum for further legislative efforts to limit digital rights in Iran. In light of this, it’s now more important than ever for activists, Iranian legislators and those involved in Iran’s tech industry to be alerted to the potential dangers posed by this proposed bill, and to exert their influence to prevent it from progressing further during the last few months of the current Majles session, set to end in May 2020.

The First Draft // Promoting Domestic Messaging, Demoting Digital Rights

The “Managing Social Messaging Apps” bill was brought forward in the name of promoting the use of domestic messaging apps by introducing significant levels of state oversight concerning the operation, use and management of messaging apps, both domestic and foreign. The majority of these tasks were proposed to be undertaken by a new Oversight Committee that deals exclusively with regulating messaging apps. This committee would include some existing members of the Supreme Council for Cyberspace (SCC), and the bill made clear that the committee must follow the SCC’s mandate (Article 4).

The bill also proposed to hand over control of key internet infrastructure — which is currently under the control of Rouhani’s government via the Telecommunication Infrastructure Company — to the military, and to pre-load chosen domestic messaging apps onto Iranian mobile devices.

Armed Forces Assigned Control Over Key Internet Infrastructure

The biggest cause for concern was contained in Article 12 of the original bill. According to this clause, the General Staff of the Armed Forces would take charge of protecting Iran’s “digital borders” and “cyber defence” by controlling the movement of data via international gateways to prevent “data exploitation”. This clause essentially removed the responsibility of the government (through the ICT Ministry and the Telecommunication Infrastructure Company) for matters relating to cybersecurity and defence, assigning this remit instead to an unelected body under the direct influence of the Supreme Leader.

Requirement for Pre-Loading Domestic Apps on Mobile Phones

Article 24 of the bill set out that import licenses and activation of mobile phones would become subject to pre-installation of domestic messaging apps. The decision on issuing import licences for mobile phones would be made by the new supervisory board, who would also decide on giving permission to foreign messaging apps to operate inside Iran. This proposed initiative would effectively result in all new devices being packaged with selected state-approved messaging apps, posing significant threats to users’ privacy.

Support for the Bill Wavers // The Bill is Sent for Expert Review

The proposed involvement of the armed forces in “digital security” signalled the creation of fresh, legally entrenched control and surveillance mechanisms, which would also allow for the monitoring of mobile phones and users of messaging apps led to concerns about the overall intentions of the bill.

This, alongside further concerns around the bill’s lacking practical considerations, such as the impracticality of the application of certain articles of the bill (for example introducing a licence requirement for “creating and administering group chats”) lead to criticism from MPs. With some publicly withdrawing their support, such as Zarabadi, it became apparent that the bill was unlikely to successfully make its way through the Majles in its current form.

Voices outside the Majles echoed similar concerns, with the founder and CEO of Gap Messenger Mahdi Anjidani publicly asking MPs not to support the bill. Following further criticisms, the bill was eventually sent for review by the Parliamentary Research Centre.

The Bill Returns to Majles // Some Important Changes Recommended

The Parliamentary Research Centre’s review was completed in late 2019, and the bill — along with a series of the body’s recommendations — was returned to the Parliamentary Cultural Committee during the final months of 2019 for approval.

Despite a number of suggested amendments, the overall essence of the bill remains the same, with the majority of its articles undergoing only minor changes. The most controversial articles which caused major debate when the bill was first introduced remain unchanged, including the requirement to pre-install domestic messaging apps on mobile devices prior to sale.

At the same time, a number of noteworthy amendments have been proposed to certain articles, which warrant further attention from digital rights advocates and the tech community. The remaining problematic segments of the bill are discussed below:

Supreme National Security Council to Decide on “Protecting Digital Borders”

The biggest alteration proposed by the review relates to the replacement of the General Staff of the Armed Forces from taking outright control of “digital border security” and management of “data movement”.

The recommendation from the Research Centre proposes instead that the Supreme National Security Council (SNSC) is placed in charge of deciding which body or bodies will be assigned these responsibilities, rather than assigning them to the General Staff of the Armed Forces outright. The SNSC is mandated to allocate these responsibilities within three months of the bill’s passage.

The notion of the existence of “digital borders” is misleading, given that the internet is a series of interconnected computers which naturally is not confined by sovereign borders, and its meaning in the context of this bill is not clearly defined. However, in this context, this article appears to relate to the allocation of control over key pieces of network infrastructure governing Iran’s connectivity with the global Internet (including international gateways and Internet Exchange Points). This approach assigns security authorities with responsibility for defending Iran’s imagined ‘digital borders’ in the same way as the country’s real borders. Such an approach advances the state’s objective to impose the ideology of state sovereignty onto digital space.

The amendment proposed in the recent review does not fundamentally alter the implications of the original article — the SNSC is still in charge of national security matters, so the involvement of security forces over ICT Ministry and other internet policy making bodies in this “digital border protection” still remains. The amendment instead is more pragmatic as it gives the SNSC flexibility to define and allocate responsibilities as it sees fit (however there is no guarantee of parliamentary oversight), and confirms the SNSC’s primacy on issues relating to national security — including, as a result of this bill — cyberspace.

Domestic Messaging Apps Can Only Be Established and Owned by Iranians

The law also forbids non-citizens and Iranians possessing dual nationalities from owning domestic messaging apps. The bill states that only “Iranian persons” can own domestic messaging apps, in order to guarantee national security and for “data protection”. This is in line with the SCC’s 2017 resolution on messaging apps. The expert parliamentary suggestion also drops the allowance of “up to 49% foreign investment in domestic messaging apps”, on the basis of security concerns. Instead all investment in messaging apps should be limited to Iranian citizens.

In addition, any foreign messaging apps operating inside Iran are required to appoint an Iranian company to represent them to ensure their compliance with Iranian law, and which would retain liability for their operations.

Groups and Channels with 5,000 Members or Over Must be Registered with a New Organisation

The expert opinion recommends an amendment to the requirement of a licence for creating channels or group chats in both domestic and foreign messaging apps. Instead it proposes that any groups or channels with 5,000 members or more be registered with a new organisation which will be created by the Organisation for Cultural and Islamic Guidance.

If this registration requirement is not met, the group or channel in question will be filtered. The recommendation does not make clear what, if any, requirements exist in order to be able to register with this organisation and who the members of this new organisation are.

This newly proposed amendment brings the bill in line with the SCC’s 2016 announcement ordering Telegram channels with Iranian admins with more than 5,000 to be registered with the Ministry of Culture and Islamic Guidance, failing which they would be faced with criminal prosecution.

It is very clear however that this new article seeks to give legal power to the government to regulate all popular channels and groups accounts, a popular source of news and group mobilisation for Iranian users which Iran’s leadership sees as a threat. These accounts can then be blocked in the name of security and its members and administrators are left without legal protection and defences.

The measures call to mind Iran’s previous attempt to require websites to register officially on its Samandehi platform, as Small Media reported in May 2015. Although the uptake of this was relatively slow, we found that the system did ultimately come to hold sensitive, personally identifiable data of the owners of a significant number of Iran’s most widely accessed websites.

Given the complications that arose with the registration scheme for Telegram channels, we would expect similar implementation challenges in the application of this clause to foreign apps. If deemed unmanageable, this could feasibly lead them to be restricted or filtered altogether in favour of domestic apps. At the same time it is very possible that domestically produced messaging apps could be constructed with these kinds of registration requirements in mind, driving up compliance.

Changes in Members of the Management and Oversight Committee

The recent proposed changes made to the bill extends the powers of the Oversight Committee in comparison to the first draft of the bill. The new recommendation gives the new committee power to give operating licences to messaging apps, manage the fund for supporting messaging apps, identifying breaches and setting financial or other forms of fines among and reporting to the Supreme Council for Cyberspace as to the operation of messaging apps among others.

The recommendation also removes Oversight Committee representation from the Islamic Seminary, the Parliamentary Cultural Committee, and (perhaps most importantly) the representative for domestic messaging apps. This leaves the body with zero industry representation. It instead adds a representative from the Ministry of Industry, Mine and Trade.

The removal of a representative for domestic messaging apps limits their ability to advocate for the rights and needs of their users. As mentioned, a number of industry figures working to produce domestic messaging apps were vocal critics of this bill — not only for reasons relating to handing over control of the internet to security forces but also due to the shortcomings of domestic messaging apps in comparison to their foreign counterparts.

Recent Events and the Future of the Bill // What Can be Done

As mentioned, the recommendations made by the Parliamentary Research Centre are currently being reviewed by the Parliamentary Cultural Committee who have reportedly made some progress having approved the initial articles of the bill.

It remains to be seen what the final draft of the bill will look like as further changes could still be made to the text. It will also need to pass through a vote in Majles before being handed over to the Guardian Council for their approval before it can become law. When the bill was first introduced, the SCC and ICT Ministry officials did not hide their dismay towards Majles seeking to legislate on issues that they believed the SCC holds the mandate to deal with. If the bill passes a parliamentary vote and is passed to the Guardian Council, it would be a real test regarding the legal status and powers of SCC.

What is certain is that the Iranian authorities recognise the importance and the vital role messaging apps in ordinary daily life as well as in social and political movements. Many hardliner and conservative representatives have made clear that they will ensure that at least one piece of legislation concerning messaging apps will pass through Majles to fill this legal gap. This will give the authorities legal instruments to rely on to force users to migrate to domestic apps which lack privacy controls and can more easily be monitored by the government and make it impossible for users to use online platforms freely and securely in the name of “security” and “user protection”.

Recent events such as the internet shutdown ordered by the National Security Council last November as well as the continued internet disruptions especially during times of political turbulence or crisis have revealed the extensive reliance of the Iranian government on restraining its citizens through the internet. This could draw in more support for the bill which seeks to achieve these objectives more quickly by giving legal legitimacy to such actions.

The recent parliamentary election gave a major boost to hardliner MPs. The 2020 parliamentary elections gave a major boost to Principalists in Majles, this faction which previously faced more balanced opposition from pro-reform and other factions of MPs during the previous parliamentary term, now holds a reported 75% of the seats in Majles following the first round of the recent parliamentary election. Among the newly elected MPs are a number of former Islamic Revolutionary Guard Corps (IRGC) commanders who typically support filtering of content and restricting the access of users to the global Internet in the name of “safety” and creating a “clean cyberspace”.

Other individuals voted in during this election also includes known enemies of digital rights and internet freedoms in Iran such as Reza Taghipour, former ICT Minister during Mahmoud Ahmadinejad’s presidency, and a current member of the SCC. Taghipour was a key figure in implementing internet disruptions and restrictions following the 2009 post-election protests, as well as playing a major role in proposing the localisation of the internet in Iran.

It is unlikely that the bill will pass through Majles before the new MPs take over this summer. If so this will give a greater chance to the bill to pass through without any objections when the new parliamentary cycle begins. Therefore, advocacy efforts to prevent this bill from progressing further are urgent and time-limited.

The private sector in Iran should continue to be vocal about their concerns on new legislation. The Iranian private sector still maintains some influence in shaping legislation relating to digital rights and internet freedoms in Iran, which can still influence the outcome of this bill.

International tech firms must be aware of the implications of stopping services for Iranians.

Global tech services must be aware of the digital and human rights implications of restricting access to Iraian users due to US sanctions. They should be more transparent about the details of the sanctions being complied with as well as giving advance notice to users before their services are affected. We have already written about how the lack of transparency by the tech companies in dealing with Iran and compliance with US imposed sanctions is undermining digital rights in Iran.

For more of Small Media’s work exploring the internet policy landscape in Iran, check out the rest of Filterwatch — either here on Medium, or on the Small Media website.