The Mechanisms of Digital Surveillance

Digital surveillance is not a single tool but a complex ecosystem of technologies, infrastructures, and legal frameworks designed to monitor, track, and identify individuals. For users in Iran, understanding these mechanisms is the first step toward building an effective defense. The surveillance landscape involves multiple layers, from the physical cables of the internet to the applications installed on your smartphone.

This guide breaks down the primary mechanisms of surveillance, explaining how they function technically and how they are specifically applied within the Iranian context (e.g., the National Information Network).

1. Network-Level Surveillance

Network surveillance occurs as data travels between your device and the internet. In Iran, this is heavily centralized, giving the state unique capabilities to monitor traffic at the infrastructure level.

Deep Packet Inspection (DPI)

DPI is a sophisticated method of examining the content of data packets as they pass through a checkpoint on the network. Unlike standard packet filtering, which only looks at the header (where the data is coming from and going to), DPI analyzes the actual "payload" (the content).

• How it works: As your data passes through Iran’s Telecommunication Infrastructure Company (TIC) gateways, DPI equipment inspects the traffic in real-time. It can identify the protocol being used (e.g., OpenVPN, WireGuard, TLS) and even search for specific keywords if the traffic is unencrypted.
• Iranian Context: The Islamic Republic uses DPI primarily for censorship (filtering) and to block censorship circumvention tools (VPNs). However, it is also a surveillance tool. By analyzing traffic patterns ("fingerprinting"), authorities can identify who is using specific encrypted protocols, potentially flagging them for further investigation.

The SIAM System and ISP Interception

Surveillance in Iran often bypasses the need for hacking because the state has direct access to mobile network operators (MNOs) like MCI (Hamrah-e Aval) and Irancell.

• The Mechanism: Systems like SIAM allow the Communications Regulatory Authority (CRA) to remotely manipulate user connections without the user's knowledge.
• Capabilities:
  • Throttling: reducing a user's internet speed to unusable levels to disrupt communication during protests.
  • 2G Downgrade: Forcing a target's phone from secure 4G/LTE networks down to insecure 2G networks. 2G encryption is weak and easily broken, allowing for the interception of SMS (including Two-Factor Authentication codes) and voice calls.
  • Metadata Harvesting: Collecting logs of who you call, when, and where you are located.

IMSI Catchers (Stingrays)

An IMSI Catcher (often called a "Stingray") is a fake cell tower used to intercept mobile traffic in a specific physical location.

• How it works: The device broadcasts a signal stronger than legitimate cell towers. Your phone, programmed to seek the strongest signal, automatically connects to the fake tower.
• Capabilities: Once connected, the device captures your IMSI (International Mobile Subscriber Identity)—a unique ID linked to your SIM card. It can also pinpoint your precise location and, in some cases, intercept unencrypted calls and texts.
• Iranian Context: These devices are frequently deployed during protests (e.g., in vans or on rooftops) to identify attendees. Later, this data is cross-referenced with the Shahkar (SIM registration) system to arrest or intimidate individuals who were present in a specific area.

2. Device and Application Surveillance

Even if the network is secure, your device itself can be compromised or used against you.

Malware and Spyware

State-sponsored actors use sophisticated malware to gain total control over a target's device.

• Zero-Click Exploits: Advanced spyware (like Pegasus) can infect a phone without the user clicking any link, often by exploiting vulnerabilities in apps like iMessage or WhatsApp. Once infected, the attacker can read encrypted messages, turn on the microphone, and view photos.
• Trojanized Apps: A more common threat in Iran involves fake apps. Users searching for "Anti-Filter" tools or VPNs on unofficial channels (like Telegram channels) often download apps infected with malware. These apps may function as a VPN but secretly exfiltrate contacts, files, and location data to the attacker.

Domestic Platforms ("Super-Apps")

The push toward the National Information Network (NIN) involves encouraging or forcing users onto domestic platforms (e.g., domestic messengers, ride-hailing apps, payment services).

• The Risk: Unlike international platforms where the regime must request data (and is often ignored), domestic apps host their servers inside Iran. Intelligence services have direct access to backend databases or can compel companies to hand over user data—chats, location history, and social graphs—without a judicial warrant.
• SDKs and Trackers: Many apps include Software Development Kits (SDKs) for analytics or advertising. These SDKs can harvest location data and unique device identifiers (Ad-IDs) and sell them to data brokers or share them with government contractors.

3. Physical-Digital Convergence

Digital surveillance is increasingly merged with physical monitoring to create a comprehensive profile of a target.

Visual Surveillance and Facial Recognition

Cameras are ubiquitous in urban centers, but their power lies in their integration with digital databases.

• Hybrid Surveillance: While fully automated "live" facial recognition is resource-intensive, Iran employs a "hybrid" approach. Traffic cameras and CCTV footage are analyzed to capture license plates or faces. These are then cross-referenced with the National ID (Kart-e Melli) database and the Shahkar system.
• Enforcement: This mechanism is currently used to enforce hijab laws. A camera identifies a violation, links the face or license plate to a digital identity, and automatically issues an SMS warning or fine.

Location Tracking (Geofencing)

Your physical location is one of the most revealing data points.

• Triangulation: Even without GPS, mobile towers can approximate your location based on signal strength.
• Geofencing: Authorities can draw a virtual perimeter (a "geofence") around a sensitive area (like a protest site or university). They can then query the mobile network to request a list of all IMSIs (SIM cards) that entered that zone during a specific time window.

4. The Role of Identity Systems

The backbone of modern surveillance is the ability to link digital activity to a real-world identity.

• The Shahkar System: In Iran, purchasing a SIM card requires biometric registration and a National ID. The Shahkar system acts as a central authentication hub, verifying that the person using a specific IP address or mobile number is a specific real-world individual. This eliminates anonymity at the ISP level.
• 2FA Interception: Because SIM cards are tied to identity, intercepting SMS-based Two-Factor Authentication (2FA) codes (via the SIAM system or social engineering) allows state actors to hijack accounts on platforms like Telegram or Instagram, bypassing password protections.

Summary of Risks

Understanding these mechanisms is not meant to induce fear, but to enable informed operational security. By knowing how you are watched, you can better choose the tools and behaviors that protect your digital life.