One of the central components of surveillance and interception of citizens in the Islamic Republic of Iran is the National Information Network (NIN), commonly referred to in public discourse as the National Internet. Internet filtering and censorship as violations of freedom of expression, along with the obstruction of the free flow of information through communication disruptions, platform blocking, and nationwide or localized internet shutdowns, constitute the most visible human rights violations associated with this network.
Less visible, but more structurally significant, is the development of surveillance and intelligence capabilities within the NIN across multiple technical layers, shaped by differing objectives and institutional mandates within the Islamic Republic’s governing apparatus. Some of these systems are designed for mass surveillance, while others enable targeted tracking, espionage, and interception.
Over the past two decades, internet policy in Iran has primarily focused on content blocking and restricting access. Recent experience, however, indicates that content control represents only one layer of this policy framework. What has increasingly gained importance is the ability to identify users, both online and in physical public spaces. This shift in emphasis has altered the logic of state intervention, moving from indiscriminate filtering toward identity-based control aimed at the continuous monitoring of citizens’ behavior and everyday life.
Given its physical reach, nationwide coverage, and scale of unique users, the NIN appears to constitute one of the largest and most effective surveillance and intelligence infrastructures operated by an authoritarian state. From a surveillance perspective, the ongoing development of the NIN reflects the emergence of a multilayered and integrated architecture that begins with digital identity authentication, extends through communication infrastructures, and ultimately reaches the identification of individuals in public space. Within this architecture, identity data, communication metadata, and behavioral information are interlocked, enabling tracking, behavioral regulation, and the exercise of social control.
In the Islamic Republic of Iran, surveillance and intelligence gathering should therefore be understood not as a byproduct of technological development, but as a strategic objective embedded in higher-level legislation, internet governance frameworks, and the design of communication infrastructures. Viewed through this lens, the National Information Network is not merely a project aimed at digital independence or resilience, but the backbone of a national-scale surveillance system.
Centralized Authentication and Data Aggregation: The Starting Point of the Chain
At the core of this architecture is an integrated framework of authentication and data aggregation. Authentication, in its basic form, is a standard technical mechanism for securing access. When it is defined as a universal and mandatory requirement for all digital interactions, however, it assumes a fundamentally different function. Once public services, banking systems, communication networks, and domestic platforms are all tied to a shared authentication logic, every digital activity becomes linked to a specific and identifiable individual.
Regulations issued by the Supreme Council of Cyberspace (SCC) concerning the Reliable Digital Identity Framework outline precisely such a structure. The scope of this framework is not limited to government services and in practice extends to economic, social, cultural, and administrative interactions at large. Requiring all interactions to pass through designated gateways and assigning a unique identifier to each individual enables the direct linkage of digital behavior to a real person. In the absence of independent data protection laws and accountable oversight bodies, this concentration of data poses serious risks to privacy.
For the state, selective enforcement depends on knowing who is behind each connection. Indiscriminate filtering can generate political costs, whereas identity-based control enables targeted pressure. Centralized authentication, combined with the aggregation of databases and the interconnection of systems, allows the state to repurpose access itself as an instrument of digital repression against users.
In practice, this framework relies on a set of interconnected systems. Platforms such as Shahkar, Hamta, Siam, Sana, Hoda, and Samava each complete a part of this puzzle. While these systems are formally presented as tools for service provision or market regulation, their integration with telecommunications infrastructure and identity registries transforms them into mechanisms of monitoring. The outcome of this integration is the production of identity and behavioral profiles that can serve as the basis for security decisions or the imposition of restrictions.
The Seventh Development Plan: Accelerating Data Aggregation
The Seventh Development Plan has accelerated this trajectory. Its emphasis on smart government, digital services, and data integration has, in practice, driven the expansion of data-driven systems across the state apparatus. A prominent example is the planned creation of the “Lifestyle Monitoring and Assessment System,” which requires executive bodies and holders of data repositories to provide real-time access to their datasets.
The significance of such systems lies not merely in their existence, but in the institutional logic underpinning them. When all data holders are required to share information, the traditional boundaries between different domains of life begin to dissolve. Mandating that “all holders of data repositories” transmit data in real time does not simply introduce a new system; it establishes a data thoroughfare that connects multiple spheres of social life. It is precisely this form of linkage that transforms the Reliable Digital Identity Framework from a technical project into an infrastructure of governance.
Under Articles 667 and 668 of the Iranian Criminal Procedure Code, traffic data and user information must be retained for a minimum period of six months. This includes information such as the origin, route, date, time, duration, volume of communications, and type of service used. In addition, any information related to access service users, including the type of service, technical capabilities employed and their duration, identity details, geographic or postal address, internet protocol information, telephone numbers, and other personal identifiers, is subject to retention. The Shamsa storage system is used as the underlying platform for maintaining this body of data within the framework of lawful interception.
Infrastructure-Level Surveillance and Man-in-the-Middle Techniques
Through the use of advanced surveillance techniques and the development of espionage systems, the Islamic Republic of Iran has transformed internet services into an environment for covert control and monitoring of citizens. A range of systems is employed to oversee and monitor online activity. Some are explicitly designed for intelligence collection and surveillance, while others appear to serve different functional purposes yet still incorporate mechanisms that enable varying degrees of access, logging, and control over all or part of a user’s behavior, at least on the device on which they are installed. These include man-in-the-middle techniques, governance-compliant client shells, and remote access trojans (RATs).
When implemented at scale and on a sustained basis, man-in-the-middle interception requires structural control over key layers of network traffic, including routing, domain name resolution, and transport layer security. By centralizing traffic flows, standardizing access points, and enabling coordinated intervention, the National Information Network makes such centralized visibility technically feasible.
Methods such as manipulation of the domain name system, interception during the TLS handshake, and the injection of security certificates allow traffic to be redirected to intermediary nodes without the user’s explicit awareness. TLS interception, in particular, enables the inspection or alteration of encrypted sessions, especially when combined with a trusted or coerced certificate authority and deep packet inspection. These techniques shift the point of interception to higher layers of the network stack, embedding surveillance within routine network operations rather than at the application level.
The National Information Network thus constitutes a prerequisite for the sustained deployment of man-in-the-middle (MITM) interception. By consolidating control over traffic exchange points and reducing reliance on external routes, it lowers the technical and operational costs of interception while expanding its scale and persistence. In this configuration, man-in-the-middle interception evolves from a situational tactic into a systematic and institutionalized capability.
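The passage above turns on one technical point: once an interception node's certificate authority has been injected into a client's trust store, ordinary TLS certificate validation no longer distinguishes the genuine server from the interposed one. The Go program below is an added example, written for this page and not code from the report or from any system it describes. It constructs, entirely in memory, a genuine root CA, a second CA standing in for one injected into the trust store, and a server certificate from each for the same hostname; it then shows that path validation accepts both, while a public-key (SPKI) pin recorded from the genuine server beforehand rejects the interposed certificate. The hostname, CA names and pin set are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// must aborts on an unexpected error; this demo has no recovery path.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCA builds a self-signed CA certificate; all key material is generated
// in memory for this constructed scenario.
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueLeaf issues a TLS server certificate for host, signed by ca.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)), the pin format used
// by HPKP and by common mobile pinning libraries.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainTrusted is the ordinary check: does the leaf chain to a root in the
// local trust store for this hostname?
func ChainTrusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// PinMatches is the extra check: is the leaf's public key one that was
// recorded out of band from the genuine server?
func PinMatches(leaf *x509.Certificate, pins map[string]bool) bool {
	return pins[SPKIPin(leaf)]
}

// Result holds both checks for the genuine and the interposed leaf.
type Result struct {
	GenuineTrusted, InterposedTrusted bool
	GenuinePinned, InterposedPinned   bool
}

// RunScenario models a client whose trust store contains an injected CA in
// addition to the genuine one, connecting to one constructed hostname.
func RunScenario() Result {
	host := "mail.example.test" // constructed hostname
	genuineCA, genuineKey := makeCA("Genuine Root CA (constructed)")
	injectedCA, injectedKey := makeCA("Injected Intercepting CA (constructed)")
	genuineLeaf := issueLeaf(host, genuineCA, genuineKey)
	interposedLeaf := issueLeaf(host, injectedCA, injectedKey)

	roots := x509.NewCertPool() // trust store with the injected CA installed
	roots.AddCert(genuineCA)
	roots.AddCert(injectedCA)

	pins := map[string]bool{SPKIPin(genuineLeaf): true} // recorded before interception

	return Result{
		GenuineTrusted:    ChainTrusted(genuineLeaf, roots, host),
		InterposedTrusted: ChainTrusted(interposedLeaf, roots, host),
		GenuinePinned:     PinMatches(genuineLeaf, pins),
		InterposedPinned:  PinMatches(interposedLeaf, pins),
	}
}

func main() {
	r := RunScenario()
	fmt.Printf("genuine leaf:    chain ok=%v pin ok=%v\n", r.GenuineTrusted, r.GenuinePinned)
	fmt.Printf("interposed leaf: chain ok=%v pin ok=%v\n", r.InterposedTrusted, r.InterposedPinned)
}
```

Pinning only helps when the pin set is captured before interception begins and distributed out of band (for example, baked into a client release), and it trades availability for integrity, so a pinned client must also plan for key rotation. A pin failure observed in the field is itself useful telemetry: it indicates that some path between client and server is presenting a substituted certificate.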
Instant Messengers, VPNs, and Pathways of Intrusion
The expansion of end-to-end encryption in instant messaging has closed off traditional avenues for content interception. The response of the Islamic Republic of Iran to this shift has combined infrastructure-level control with intrusion at the level of the user’s device. On the one hand, interception at intermediary points is used to extract metadata and regulate communication paths. On the other, malware and spyware are deployed to access data either before encryption or after decryption. When encrypted content cannot be read directly, two options remain: reliance on social engineering and malicious software, or the expansion of infrastructure control to capture data before encryption or at its margins. In practice, these two approaches have advanced simultaneously.
Citizens’ efforts to regain open access to the internet have, in turn, been systematically redirected into channels of monitoring and data extraction. During periods of disruption and internet shutdowns, seemingly benign tools such as VPNs and alternative access applications, including DCHSpy and instances of counterfeit clients claiming association with Starlink, have been circulated. Alongside promises of stable connectivity, these tools enable the collection of user data, the establishment of remote access, and the sustained monitoring of user activity. Taken together, these dynamics point to a troubling convergence of censorship, social engineering, and digital espionage.
Charming Kitten and Persistent Spyware
Within the domain of malware and spyware used for targeted surveillance, monitoring, and interception, operations attributed to Charming Kitten (also tracked as APT35), commonly associated with the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), have in recent years shifted toward structured and multilayered frameworks. A central example is Bella Ciao, identified as a modular Windows-based malware framework that functions as a loading and coordination platform, enabling persistence, covert access, and the deployment of additional surveillance payloads when required.
This approach allows agile tactics by actors aligned with the Islamic Republic of Iran, enabling them to avoid deploying heavy and high-risk surveillance malware at the initial stage of compromise. Instead, lightweight and flexible loaders are placed within the target system, establishing a foothold for long-term monitoring. One illustrative case is the modular remote access tool 2Ac2 RAT, reportedly developed within the IRGC-IO, for which details of its client-server architecture, operator panels, and supported command and module sets have been disclosed. Built around a relay-based infrastructure, the tool enables operators to manage multiple infected clients through a centralized control interface.
Such tools more closely resemble mature surveillance implants aligned with state objectives than opportunistic criminal malware. Their architecture and operational discipline are consistent with long-term espionage goals and reinforce the profile of APT35 as a persistent threat engaged in sustained monitoring of selected targets. These toolsets should therefore be understood not as isolated activities, but as components of a broader digital surveillance ecosystem within the Islamic Republic of Iran.
Street-Level Surveillance and the Integration of Data with Public Space
Identity control does not remain confined to the online sphere. The linkage of identity data with urban surveillance cameras, facial recognition projects, vehicle registration systems, and telecommunications information points to a shift toward a model in which public space and the online environment are fully interconnected. Even with existing technical and algorithmic limitations, this model carries serious implications for the future of civil liberties, as it enables identification, tracking, and the exercise of social control at scale.
Street-level surveillance does not necessarily depend on the full maturity of facial recognition technologies. Even when facial recognition algorithms are incomplete or error-prone, identification can be achieved through the linkage between systems such as Shahkar and Hamta. One illustrative example is the system used to send hijab-related warning text messages, which was implemented in 2025 in cities including Mashhad, Tehran, Shiraz, and Isfahan. In this system, identification was not conducted through facial recognition, but through the analysis of data points such as SIM card IMSI, handset IMEI, vehicle license plates, RFID-based records, and their correlation with the registered identity of the owner. This process enabled the extraction of contact information and, in some cases, cross-referencing with civil registry records to send warning messages to the individual or their family members.
Systems such as Shahkar, used to match national identification numbers with SIM cards, Hamta, used to track mobile devices, SIM cards registered through smart national ID cards, and urban surveillance cameras connected to traffic violation systems together provide an identity discovery infrastructure without reliance on advanced algorithms.
The “Nazer” Android application offers a further example. Developed by Iranian Police (FARAJA), it allows users to submit images, videos, or location data related to individuals deemed “improperly veiled” or “norm violating” directly to the police. These submissions are analyzed within law enforcement systems and can result in warning messages or financial penalties. From a public policy perspective, this dynamic conveys a clear message. Surveillance is not limited to cameras and officers. Once crowdsourced reporting is introduced, society itself becomes a mechanism for producing operational data, thereby reducing the social cost of enforcement.
This trajectory should be understood within a broader legal and policy context. In particular, when considered alongside the Law on Hijab and Chastity, it reflects the formalization of technological surveillance in public space. This legal framework consolidates the role of state institutions in identification and enforcement and assigns intelligence related responsibilities to bodies such as the Ministry of Intelligence and the IRGC-IO.
External Exchanges with Authoritarian States and the Diffusion of Surveillance and Repressive Technologies
This architecture is not confined to domestic borders. Engagements with China and Russia, both in the transfer of technology and in the adoption of internet governance models, increase the risk of diffusing state-centered control frameworks. Technical cooperation, information security agreements, and export facilitation mechanisms together create conditions in which practices of digital repression become transferable. Even where conclusive evidence of large-scale exports remains limited, the capacity and intent for such a trajectory are present.
Within these exchanges, two dimensions warrant close attention. The first is the potential diffusion and export of surveillance, censorship, and repression technologies. The second concerns the role of strategic alignment with China and Russia in reinforcing this trajectory and intensifying the fragmentation of the global internet. China has contributed to the expansion of censorship capabilities in Iran, and companies such as ZTE and Huawei have played roles in supplying surveillance systems for monitoring fixed-line, mobile, and internet communications, as well as in the development of communications infrastructure. In the case of Russia, the 2021 information security agreement and the 2025 comprehensive security governance agreement emphasize cooperation in information security, cybercrime control, and the exchange of expertise in the management of national internet infrastructures.
Alongside these alliances, state-sponsored mechanisms designed to facilitate technology exchange require sustained scrutiny. One such example involves knowledge-based companies supported by the Vice Presidency for Science and Technology of the Islamic Republic of Iran, including initiatives such as the Iran Innovation and Technology House. These structures facilitate networks capable of circumventing sanctions and exporting dual-use items, which can also be applied to repressive technologies. Lists compiled by the Technology Exchange and Export Development Fund include a significant number of contractors and developers involved in filtering, censorship, and internet repression systems that receive support for international exchanges under the label of knowledge-based exports.
Taken together, the actions of the Islamic Republic of Iran in expanding the National Information Network, challenging Starlink within international telecommunications forums, and aligning with China and Russia contribute to the acceleration of internet fragmentation and the promotion of state-controlled internet models. This pattern underscores the need for sustained international attention to the role of the Islamic Republic of Iran within the global market for surveillance and repressive technologies.
Conclusion: Mapping the Architecture of Surveillance and Intelligence Gathering in the Islamic Republic of Iran
Taken together, these developments reveal a coherent architecture in which authentication, data aggregation, infrastructure-level surveillance, cyber intrusion, and street-level control are tightly interconnected. The Islamic Republic of Iran is moving toward a model in which digital identity and urban identity are fused, and control is exercised not solely through censorship, but through the systematic identifiability of citizens. Within this framework, any analysis of internet policy in Iran that does not account for the architecture of authentication, data aggregation, and infrastructure-level interception remains incomplete.
Viewed through this lens, the Reliable Digital Identity Framework is not merely a regulatory instrument, the Seventh Development Plan is not simply a development document, man-in-the-middle interception is not only a technical method, APT35 is not just a hacking group, and Nazer is not merely a mobile application. Each constitutes a component of an integrated architecture that begins with data, extends through infrastructure, reaches into public space, and ultimately acquires the capacity for diffusion beyond national borders.
The full report, Policymaking and Institutional Mapping of Citizen Surveillance and Interception on Citizens in the Islamic Republic of Iran, documents these developments through detailed technical analysis, primary documents, and supporting evidence. Rather than merely cataloging tools and systems, the study demonstrates how policy, law, technology, and security operations intersect to form a coherent surveillance and intelligence architecture. For this reason, the report provides a foundation for future legal, technical, and sanctions-related research and contributes to a more precise understanding of the evolving trajectory of internet governance in Iran. The PDF download links to the full report appear below and serve as a key resource for researchers, journalists, and digital rights advocates seeking to understand this transformation.
**Download Part 1:** Surveillance Governance and Infrastructures for Interception and Data Access.pdf
**Download Part 2:** The Islamic Republic’s Covert Mechanisms of Surveillance and Interception.pdf
**Download Part 3:** Street Surveillance and Identity Discovery in the Islamic Republic.pdf
**Download Part 4:** Transnational Proliferation of Surveillance, Interception, and Control Tech.pdf
