CNN
–
Between being blindfolded, locked in solitary confinement, and interrogated in a wheelchair while she went on hunger strike after her arrest in late September, Negin says she realized Iranian officials were using her private Telegram chats, phone records and text messages to incriminate her.
“They said to me, ‘Do you think you can get out of here alive? We will execute you. Your punishment is the death penalty. We have evidence, we know everything,’” said Negin, whose name was changed by CNN at her request, for her own safety.
Negin, who says Iranian authorities have accused her of running an anti-regime activist group on Telegram (an allegation she denies), said she had “some friends” who were political prisoners. “They put printouts of my phone conversations with these friends in front of me, and they asked me about my relationship with these people,” she said.
Negin believes her Telegram account was hacked by Iranian agents on July 12, when she realized another IP address had gained access to it. While she was in prison, she said, Iranian authorities reactivated her Telegram account to find out who had tried to contact her and to reveal the network of activists with whom she was in contact.
Negin was one of hundreds of protesters detained in the notoriously brutal Evin prison in northern Tehran in the first few weeks of demonstrations following the death in custody of Mahsa Amini. Amini, a 22-year-old woman, was arrested by Iran’s morality police for apparently not wearing her headscarf properly.
As protests spread across the country, much attention has been focused on the Iranian government’s efforts to shut down the internet. Behind the scenes, however, some worry the government is using technology in another way: accessing mobile apps to monitor and suppress dissent.
Human rights activists inside and outside Iran have been warning for years of the Iranian regime’s ability to remotely access and manipulate protesters’ mobile phones. Experts say that technology companies may not be well equipped to deal with such incidents.
Amir Rashidi, director of digital rights and security at the human rights organization Miaan Group, said the methods described by Negin match the Iranian regime’s playbook.
“I myself have documented many of these cases,” he said. “They have access to anything beyond your imagination.”
CNN has reached out to the Iranian government for comment on Negin’s allegations but has not heard back.
The Iranian government may have used similar hacking methods to monitor the Telegram and Instagram accounts of Nika Shahkarami, the 16-year-old protester who died after a demonstration in Tehran on September 20. A CNN investigation found evidence indicating that she had been detained at the protests shortly before her disappearance.
Iranian authorities have yet to respond to CNN’s repeated inquiries about Nika’s death.
CNN has learned that at least one tech company, Meta, has now opened an internal investigation into Nika’s Instagram account activity after her disappearance.
After Nika’s disappearance, her aunt and other protesters told CNN her popular Instagram and Telegram accounts were disabled. A week later, her family learned of her death. But the mystery of who disabled her social media accounts remained.
On Oct. 12, two of Nika’s friends noticed her Telegram account was briefly back online, they told CNN. Nika’s Instagram account was also briefly restored on Oct. 28, more than a month after her disappearance and death, according to a screenshot obtained and verified by CNN.
As with Negin’s case, the reactivation of Nika’s accounts raises questions about whether Iranian authorities were responsible for accessing her social media profiles, allegedly for phishing other protesters or compromising her after her death.
“Telegram is everything in Iran,” Rashidi explained. “It was more than just a messaging app before it was banned and they still managed to maintain a presence in Iran just by adding a proxy option in the app.”
“If users do not have access to anything due to censorship, they can still access Telegram,” he continued. “As a result, there is a lot of user data in Telegram and that is why the Iranian government is interested in hacking Telegram.”
There are different ways the government can gain access to a person’s accounts or their network of contacts, according to experts. Negin, for example, said that the authorities “continued to create Telegram accounts using my SIM card, to see who I was in contact with.” In other cases, authorities can try to co-opt the two-factor authentication process, designed to provide greater security, by sending or emailing a login code.
“Usually what happens is that they do the target phone number, and then they send a Telegram login request,” Rashidi told CNN. “If you don’t have 2-Step Verification, they will intercept your text message, read your login code, and easily get into your account.”
That’s why some Iranian activists cheered when Google introduced Google Authenticator in the country in 2016. It’s a two-step verification process that adds a layer of security for mobile phone users.
But crucially, the Iranian regime does not even need telecom companies to cooperate with it, according to Rashidi. “The Iranian government runs the entire telecommunications infrastructure in Iran,” he said.
After Nika’s disappearance, Meta launched an investigation into whether Nika herself deactivated the account or if someone else was responsible. The investigation lasted nine days, from October 6 to October 14, according to a source at Meta who spoke to CNN on condition of anonymity.
Conclusion: “While we cannot share specific details about Nika Shahkarami’s account for privacy and security reasons, we can confirm that Meta did not originally deactivate it,” a Meta spokesperson told CNN.
Meta also confirmed to CNN that Nika’s account was “briefly reactivated and held in memory for less than 24 hours” on October 27 “as a result of an internal process error, which we remedied by re-disabling the account.” Meta told CNN that it found the error after CNN reached out for this investigation.
Meta also said it had received directions from Nika’s family via a trusted company partner in Iran that they wanted Nika’s Instagram account to remain offline.
However, signs in Iranian state media indicate that authorities have accessed Nika’s Instagram account and direct messages, saying they have judicial permission to access them.
A relative of Nika, who wished to remain anonymous for fear of repercussions, told CNN that the Tehran prosecutor’s office has been holding Nika’s phone since her death. “We went to the prosecutor’s office and found out that Nika’s phone is with Shahryari (plaintiff’s name); I saw with my own eyes that it was in their hands,” said a family member.
The Meta investigation highlights the seriousness of the case and the limitations US tech companies appear to be experiencing in addressing activists’ concerns about Iran’s handling of the accounts.
Mahsa Alimardani, a senior internet researcher for ARTICLE 19, the free speech organization, also raised concerns about Telegram. “One time we asked them to reverse some edits that were made on someone’s account after they passed away, and they weren’t helpful. They didn’t get back to us. They didn’t try to fix the problem. There is no kind of support or help with that,” Alimardani said.
In response to CNN’s request for comment, Telegram spokesperson Remi Vaughn said: “We routinely process dozens of similar cases referred to us by activists from trusted organizations and disable access to hacked accounts. In every case we investigated, either the device was confiscated or the user unintentionally made this access possible – by not setting a password for 2-Step Verification or using a malicious app impersonating Telegram.”
“In countries with authoritarian rule, such as Iran, the authorities can potentially intercept any SMS,” Vaughn continued. “It is therefore important for users to enable 2-Step Verification, which requires entering an additional user-generated password when logging in, in addition to the SMS login code. It is also important that these users use official Telegram apps from trusted sources.”
“To protect the protesters, we have blocked thousands of posts that attempted to hide the identity of the protesters and would have reached hundreds of thousands without our intervention. We always proactively monitor the public-facing parts of our platform to find such misuse.”
“Technology companies should work with civil society,” Rashidi said. “There are many issues they can work with us on to make sure these platforms are secure, especially for those who are at risk.”