Iran’s 'Smart' Instagram Censorship Isn’t That Smart

Iran’s censorship of Instagram focused on fashion, nudity, and Justin Bieber.

|
May 7 2015, 10:30am

Image: Nicolas Raymond/Flickr; Instagram

In October of last year, the Iranian government blocked a popular Instagram page called the Rich Kids of Tehran that featured scantily-clad young Iranian women and luxury cars. In a country where internet censorship is widespread and sophisticated—as well as heavily circumvented by tech savvy citizens—the block did not come as a surprise. But it was much more than routine.

When Iran blocked access to that page, it showed that it was capable of and willing to use a censorship technique that its government officials had been touting for years: smart filtering.

Iran's internet is often referred to as the "filternet" due to the government's heavy hand when it comes to blocking political dissent and online content deemed offensive to the country's conservative religious views. The entirety of Google, Facebook, Twitter, and YouTube have been inaccessible within the country for years.

But over the past two years, government officials have been talking about a technique called smart filtering, in which only certain parts of a social network or website are blocked, leaving the rest freely accessible. Instagram has long been the last Western internet service to remain untouched—and smart filtering might be the reason why.

"The lack of HTTPS on Instagram allowed Iran to not only filter content on the platform, but also find out who is browsing what."

However, it turns out smart filtering isn't actually that smart. Iran's ability to block only certain Instagram profiles, rather than having to block the entire social network, was mostly aided by Instagram's lack of encryption, according to a new report published on Thursday.

"The lack of HTTPS on Instagram allowed Iran to not only filter content on the platform, but also find out who is browsing what," Frederic Jacobs, an independent security researcher, told Motherboard.

The smart filtering of instagram, which was done through the use of Deep Packet Inspection (DPI)—a technology that can monitor which websites users are accessing on a network, and flag unencrypted traffic intended for specific pages or sites—was only possible because most of Instagram's API was not encrypted with HTTPS, according to Jacob's analysis.

The report also shows that Iranian censors were mostly worried about blocking pages of Western celebrities like Justin Bieber and Madonna, as well as profiles that contained provocative pictures of women. The latter included fashion brands such as Vogue and even VICE's own i-D magazine.

Bizarrely, there was very little censorship of political or reformist content, nor did the censors do a very thorough job, according to the two authors of the report, Mahsa Alimardani, an Iranian Internet researcher, and Jacobs. Sometimes, for example, the Instagram page of a fashion brand was blocked while its corresponding site wasn't and viceversa.

"It's really incoherent," Alimardani told Motherboard. "I'm not sure who or what does the filtering but it seems like it's some random guy sitting there and going 'OK, Justin Bieber, we don't like him we're going to filter him.'"

But sometime during the last two weeks, Jacobs noticed, Instagram expanded its use of encryption to include more parts of its API and app. Thanks to this change, Iranian censors cannot easily block only certain profiles anymore, since they are all loaded over HTTPS, Jacobs explained.

With the switch to HTTPS, Instagram effectively made Iran's smart filtering obsolete.

In fact, the pages that Jacobs and Alimardani found were blocked during their analysis in early April are now accessible, according to a test performed for Motherboard by Nariman Gharib, an Iranian researcher based in London.

With the switch to HTTPS, Instagram effectively made Iran's smart filtering obsolete.

"This is a brilliant example of why Internet services should deploy HTTPS," Jacobs said, adding that it's now an "all or nothing" situation for Iran: either the censors block the entire Instagram domain and app, like they do with Twitter or Facebook, or they'll have to resort to more sophisticated and costly techniques such as doing man-in-the-middle attacks using fake or bogus digital certificates.

There is, however, one more possibility: although Iran can no longer block entire pages, it can block specific photographs posted to a user's profile page. This is because photos are still loaded over an unencrypted connection, according to Jacobs.

In fact, this might already be happening. Users inside of Iran who visit the page of Iranian actress Golshifteh Farahani, for example, can only see some pictures, according to Gharib, who accessed the page through a proxy in Iran.

Instagram did not respond to Motherboard's request for comment, but the company has long said that it has been working to expand its implementation of HTTPS. It's unclear why it took so long, however, given that Facebook and Twitter have been fully encrypted for years.

"I definitely think that took way longer that it should have," Jacobs said, but added that he doesn't know enough about the challenges Instagram's engineers faced to blame them for the delay.

"The Iranian government is realizing that their censorship policy isn't working."

The Committee to Determine Instances of Criminal Content (CDICC), also known as the Filtering Committee, did not respond to questions sent via its website's contact form.

"The Iranian government is realizing that their censorship policy isn't working," Alimardani said. "They have no control over the system they're trying to control. By trying something like intelligent filtering they're trying to regain their foothold in censorship."

Yet, thanks to web encryption, this attempt might be already failing.