A photo obtained by The Associated Press from outside Iran depicts an October 1, 2022 protest in Tehran against the death of 22-year-old Mahsa Amini after she was detained by morality police. (AP Photo/Middle East Images, File)

Iran’s seizure of detained journalists’ devices raises fears of fresh arrests, convictions

Five months after the death of a young woman in morality police custody sparked widespread protests, Iranian authorities are charging journalists who covered the uprising with anti-state crimes. In many of these cases, authorities have powerful tools at their disposal to aid in convictions: journalists’ phones and laptops. CPJ counted at least 95 journalists arrested since the start of the protests. More than half — at least 48 — had their devices seized, according to news accounts and interviews with sources inside the country. 

CPJ senior researcher Yeganeh Rezaian knows firsthand what happens when Iranian officials gain access to personal devices. In 2014, Iranian authorities arrested Yeganeh and her husband, Washington Post reporter Jason Rezaian, and seized their iPhones and laptops. Forensic analysis conducted later showed that the Rezaians’ computer files were copied using Disk Drill, a kind of file recovery software for phones and computers developed in the U.S. and widely available online.  

Yeganeh was forced to sign hundreds of pages of printouts of her personal communications, a safeguard, she believes, in case she later claimed that evidence compiled against her was falsified or extracted under duress. She was detained for a total of 72 days and charged with assisting a spy, but never tried. Jason was sentenced to an unspecified prison term in 2015 on espionage charges, and released in 2016.  

“There was nothing problematic or legally forbidden among [my messages],” Yeganeh said. “My only worry was that I didn’t want any of my friends and family [to] get in trouble…I kept whispering to myself, ‘I wish I never saved any phone numbers.’”

Her experience is consistent with accounts from other Iranians who have been released from state custody, and concerning in light of the wave of detentions that propelled Iran to the position of the world’s worst jailer of journalists in CPJ’s 2022 prison census. If Iranian authorities accessed more than 48 devices – some of the detainees surrendered phones, some computers, and some both – they could amass a significant database of personal information about the journalists and their networks. Because security forces are known to deliberately intimidate witnesses to stop details of the detentions getting out, the number of device seizures is likely much higher. 

Under a legal system that has included journalists among those sentenced to corporal punishment or death — editor Roohollah Zam was executed in 2020 for reporting on Telegram — the stakes could not be higher. Elahe Mohammadi and Niloofar Hamedi, reporters who first covered Amini’s arrest for wearing her compulsory hijab too loosely and helped bring the story of her death to an international audience, were in Qarchak women’s prison in Tehran in February facing a possible death penalty for espionage. Both had their devices seized.

Iran is hardly the only country that seizes devices for prosecutorial purposes. Police around the world use forensic tools to extract private data from phones and computers during criminal investigations, a concern for journalists, as well as their sources, family, and colleagues. For authorities, devices are a shortcut to obtaining private emails, photos, and location data that would otherwise need to be collected piecemeal from different service providers and social media firms. When state agents have a journalist’s phone, sophisticated forensics can bypass passcodes, enabling authorities to read messages sent via encrypted apps like Signal and WhatsApp; Israeli company Cellebrite claims it can crack any iPhone. 

It’s not clear whether sanctions-hit Iran has been able to add phone-cracking tools to its extensive surveillance arsenal since the intelligence officials of the Islamic Revolutionary Guard Corps arrested the Rezaians more than eight years ago. But the use of Disk Drill to investigate the couple underscores that common consumer software can also be used against the press. 

In many cases, officials don’t need any kind of technology at all to get into a journalist’s phone.   

“You can give us your password the easy way, or the hard way,” one journalist remembers being told by security officials who had seized the individual’s phone and computer in 2019. The journalist spoke to CPJ from outside Iran, but asked not to be named to avoid future repercussions. 

“I didn’t try the hard way,” said the journalist. “They went through my Twitter, WhatsApp, Telegram, and Gmail.”

Like Yeganeh, the journalist recalled being shown pages of private correspondence during interrogation, including WhatsApp messages that agents had retrieved from a backup saved on a device.  

The journalist was ultimately prosecuted for spreading “propaganda,” punishable by one year in prison, and undermining national security, which carries up to five years – the same charges many of the journalists covering recent protests now face. 

“They asked me to sign [the printouts], to use them against me as evidence for my guilt,” the journalist told CPJ. Authorities kept the devices for a month.  

“Two weeks after I was released on bail, I received a call to go to a metro station in the city…Someone came up to me saying ‘Hey, here’s your phone and laptop.’” Fearful that the devices had been infected with spyware, the journalist got rid of them before seeking exile to escape a prison sentence. 

Yeganeh and Jason Rezaian speak about the arrests of Iranian journalists at the 2022 CPJ International Press Freedom Awards on November 17, 2022 in New York City. (Getty Images via AFP/Dimitrios Kambouris)

The Rezaians got their devices back two years after they were confiscated when the Swiss embassy in Iran, acting as an intermediary for United States interests, helped deliver them to the U.S. The forensic analysis showed Iranian authorities had accessed the devices on and off for more than a year. Caches of web browsing history, documents, and system configuration files were viewed intermittently from July 2014 to November 2015, said the analysis, which was conducted by cybersecurity firm Mandiant, a Google subsidiary based in Virginia. 

On July 26, 2014, a removable storage device was connected to Yeganeh’s computer and commands entered to copy files. At the same time, authorities deployed Disk Drill, a program developed under the CleverFiles brand by Virginia-based 508 Software LLC. The same application was run on Jason’s MacBook on July 24. “The file system was most likely copied” to the storage device, the forensic report says of this activity.

CPJ emailed a press contact at CleverFiles and the Iran mission to the United Nations for comment about the use of the technology and Iran’s seizure of journalist devices but received no response. A spokesperson from the U.S. Department of State said in an email that “we continue to take action, including through multilateral measures and UN mechanisms, to hold Iran accountable” for its crackdown on the press. The spokesperson referred questions about U.S. software to the Department of Commerce and the Department of the Treasury but emails to those press contacts were not returned before publication. 

Experts told CPJ it is not uncommon to see software originating in the U.S. in Iran, despite U.S. government sanctions intended to prevent it from getting there. Observers fear the restrictions have had more effect on citizens than the regime, and note there are other ways for Iranian authorities to obtain technology. 

“Some [surveillance technology is] developed inside the country, but some is coming from China and Russia, and it’s quite advanced,” Amir Rashidi, a U.S.-based expert in digital rights and security in Iran, told CPJ. 

Specialist intelligence teams within the IRGC are likely to have more resources at their disposal, Mahsa Alimardani, an Iran expert for international freedom of expression organization Article 19, told CPJ, so whether devices are seized and probed depends on the agency involved, as well as whether the detainee was arrested at home or on the street.

A memorial to Mahsa Amini, whose death in morality police custody sparked mass protests in Iran, as pictured in Los Angeles, California on September 29, 2022. (AFP/Ringo Chiu)

As outrage swelled after Amini’s death, Alimardani and others in the rights community tracked the arrest of thousands of protestors at the scenes of demonstrations. Some journalists were swept up, too; others were summoned for interrogation and never returned home. CPJ found more than half of the 95 detained since September — at least 50 — were arrested in their offices, in their homes, or in the homes of friends or families, places where multiple devices could be easily seized by authorities. 

As news outlets shied away from unvarnished protest coverage to avoid irking authorities, many journalists took their reporting to social media, said Yeganeh. CPJ counted more than 20 journalists arrested after posting on platforms like Twitter, Instagram, or Telegram. 

Rashidi told CPJ that authorities could also seize control of social media accounts from devices in their custody, or by remotely intercepting login codes that some services send via text message. “It’s easy for them to intercept those messages and hack into your account,” said Rashidi. 

Digital searches are only one type of surveillance capability available to Iranian authorities, according to Gary Miller, a mobile cybersecurity expert working with the University of Toronto research group Citizen Lab, which published a report on Iranian surveillance last month. 

Miller investigates methods like spyware and interception of messages via telecoms infrastructure – cases in which the targets may never know that their devices have been compromised. However, authorities’ behavior after they seize devices suggests they want to make it clear that they are watching. Alimardani said interrogators sometimes comb through emails in front of detainees and discuss what they found as an intimidation tactic.
 
She and Miller both recommended that journalists in Iran – and those communicating with them – activate the disappearing messages function on services that allow it. 

Some activists have learned that phones can geo-locate them at protests, and leave them at home, according to Rashidi. But authorities appear to be wise to this move, with some now seeing the lack of a phone as a marker of suspicious activity. 

“I saw an indictment where the first piece of evidence was, you didn’t have a phone,” he said, referencing the recent case of someone arrested at a protest. “How can [anyone] defend against that – it’s absurd!” 

Overall, Iranian journalists should be more aware of their digital security, he said. 

“People need to be aware that one tweet might lead to a chain of arrests and information discovery,” said Rashidi. “So much information can be pulled from a phone – it’s in your pocket, you do everything with it.” 

Additional reporting by Yeganeh Rezaian