Prism
March 24, 2026

Iran's Surveillance Architecture: From Morality Police to Total Digital Control

How a state builds a system that can read a citizen's phone at a checkpoint

What happens when a Basij officer at a Tehran checkpoint asks you to unlock your phone? He swipes through your apps, checks your photo gallery, opens your messaging history. The whole thing takes maybe ninety seconds. But those ninety seconds sit at the end of a technical pipeline that stretches back two decades, involves Chinese hardware, state-built networks, and mandatory software that has been quietly mapping your digital life for years.

The phone check is the last step. Everything before it is invisible.

The Checkpoint Is the Last Step

At checkpoints across Iranian cities, officers from the Basij militia and the morality police conduct what they call "phone inspections." The practice is not new. It intensified after the 2022 Mahsa Amini protests and has accelerated further since the war began in 2026. Officers look for a specific set of markers: banned applications like Telegram, Signal, and Instagram; VPN software; protest-related images or videos; photos showing women without hijab; and chat histories that contain keywords associated with dissent.

The process appears manual, almost crude. An officer scrolling through a phone with his thumb. But what makes this system effective is not the checkpoint itself. It is the infrastructure behind it. Every Iranian SIM card is registered to a national identity number. Every phone's IMEI is logged. Before the officer even raises his hand, the system may have already flagged the person approaching.

To understand how that works, you need to go deeper.

Building a National Intranet

Think of a country's internet as a highway system. Traffic flows in and out through international gateways, connecting domestic users to the global web. Most countries have dozens or hundreds of these gateways, operated by competing private companies. Iran decided to build something different.

The National Information Network, known in Farsi as the SHOMA network, has been under development since around 2005. The 2009 Green Movement protests, when millions used social media to organize, convinced the regime that controlling the internet was a matter of survival. The project accelerated.

The architecture works like this: Iran's Telecommunication Infrastructure Company, a state entity, holds a legal monopoly on all international bandwidth. No private ISP in Iran can purchase capacity directly from a foreign carrier. Everything flows through TIC. A second gateway operator, the Institute for Research in Fundamental Sciences, serves primarily academic traffic, but TIC dominates commercial connectivity for a country of over 90 million people. All traffic entering or leaving Iran passes through these state-controlled chokepoints. Domestic traffic, meanwhile, flows through a separate layer of infrastructure that the state controls entirely.

The incentive structure reinforces the design. Domestic websites and services hosted on the NIN are faster and cheaper to access. International services are slower and more expensive. This is not a bug. It is the architecture working as intended, pushing users toward domestic platforms where surveillance is easier.

If you think of the global internet as an open ocean, Iran has built a lake. The lake connects to the ocean through a few narrow canals, and every canal has a gatekeeper.

What Deep Packet Inspection Actually Does

The gatekeepers use a technology called deep packet inspection. To understand it, consider how internet traffic moves. Every piece of data you send online gets broken into packets. Each packet has a header, like the address on an envelope, and a payload, which is the actual content. A basic firewall reads the header. It knows where the packet is going but not what it contains.

Deep packet inspection reads the payload too. It opens the envelope.

DPI equipment installed at Iran's international gateways can analyze traffic in real time. When you try to visit a blocked website, the DPI system does not just check the destination address. It examines the traffic patterns, the protocols used, and the content itself. This is how Iran can block not just specific websites but entire categories of applications.

The system goes further. Even when traffic is encrypted, which most modern internet traffic is, the DPI equipment can identify what type of application is generating it. This technique, called protocol fingerprinting, works by analyzing the size, timing, and structure of encrypted packets. A VPN connection has a different traffic signature than a video call, which differs from a web browsing session. Iranian DPI systems have become increasingly sophisticated at recognizing and blocking VPN protocols, forcing users into an arms race where circumvention tools must constantly change their traffic patterns to avoid detection.
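The difference between reading the envelope and opening it can be shown on two constructed packets. This is an added illustration, not code from the article or from any deployed system; the function names, addresses and payloads are made up for the example. It covers only the simplest structural check (the first bytes of the payload); size and timing analysis are not shown.

```python
import socket
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")

def build_packet(src, dst, dport, payload):
    """Constructed sample: minimal IPv4 + TCP packet (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def header_view(packet):
    """What a header-only firewall reads: addresses, protocol and port."""
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    _sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]), "proto": packet[9], "dport": dport}

def payload_of(packet):
    """Skip the IPv4 and TCP headers and return the application bytes."""
    ihl = (packet[0] & 0x0F) * 4
    data_offset = (packet[ihl + 12] >> 4) * 4         # TCP header length in bytes
    return packet[ihl + data_offset:]

def dpi_view(packet):
    """What payload inspection adds on top of the header view."""
    view = header_view(packet)
    data = payload_of(packet)
    if data.startswith(HTTP_METHODS):
        view["app"] = "http"
        lines = data.split(b"\r\n")
        view["path"] = lines[0].split(b" ")[1].decode()
        for line in lines[1:]:
            if line.lower().startswith(b"host:"):
                view["host"] = line.split(b":", 1)[1].strip().decode()
    elif len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        view["app"] = "tls"       # TLS record framing: content is opaque, protocol is not
    else:
        view["app"] = "unknown"
    return view

# Constructed sample: an unencrypted web request
PLAIN = build_packet("10.0.0.5", "203.0.113.10", 80,
                     b"GET /news HTTP/1.1\r\nHost: example.org\r\n\r\n")
# Constructed sample: a TLS record header followed by filler bytes
ENCRYPTED = build_packet("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\x04abcd")

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("tls", ENCRYPTED)):
        print(name, header_view(pkt), dpi_view(pkt))
```

For the unencrypted request the payload view recovers the site name and page; for the TLS sample it recovers only the application type, which is the point the paragraph above makes about encrypted traffic.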

During the 2022 Mahsa Amini protests, this capability was deployed with surgical precision. For thirteen consecutive days in September and October 2022, authorities imposed what observers called a "digital curfew," shutting down mobile networks from 4:00 PM local time until midnight while keeping fixed-line internet operational. OONI documented roughly 100 hours of mobile blackout during that period alone. Specific platforms were blocked independently: WhatsApp, Instagram, app stores, and encrypted DNS services. This selective approach demonstrated a level of granular control that goes well beyond a simple on-off switch.

The Chinese Connection

Where does the equipment come from? After Western sanctions cut Iran off from European and American technology suppliers, Chinese companies stepped in to fill the gap. Huawei and ZTE, China's two largest telecommunications equipment manufacturers, have supplied networking hardware to Iranian carriers. In 2010, ZTE signed a contract with the Telecommunication Company of Iran to build a nationwide monitoring system capable of surveilling voice calls, SMS, email, and internet traffic through DPI technology. ZTE used a front company, Beijing 8 Star International, and an Iranian subsidiary to conceal its direct involvement, a deal that eventually led to a 2017 US fine for illegal technology exports to Iran. Huawei, meanwhile, pitched DPI-capable systems to the Iranian ISP MobinNet, with marketing materials emphasizing filtering capabilities and security agency access.

The relationship runs deeper than simple hardware sales. China's own internet censorship system, commonly known as the Great Firewall, is the most sophisticated in the world. It pioneered many of the DPI techniques that Iran now employs. The knowledge transfer may not be formal or documented in public contracts, but the technical lineage is visible in how Iran's system operates: the same combination of DNS filtering, IP blocking, protocol-level interference, and DPI that characterizes Chinese internet censorship appears in Iran's architecture.

This is not a conspiracy. It is a supply chain. When Western sanctions removed one set of suppliers, a Chinese set replaced them. And those suppliers brought with them the technical DNA of the world's most advanced censorship system.

Mandatory Apps and the Data They Collect

The surveillance architecture does not stop at the network level. It extends into every Iranian smartphone through the apps people use daily.

Since Google Play is effectively unavailable due to sanctions and Apple's App Store has limited functionality in Iran, most Iranians download apps through domestic app stores like Cafe Bazaar and Myket. These platforms serve as the primary distribution channel for software, and they operate under Iranian government regulation. Every app distributed through them is subject to approval.

The apps themselves generate continuous data streams tied to real identities. Banking apps, which are essential for daily life as Iran's economy runs increasingly on digital payments, require national ID verification. Ride-hailing services like Snapp, Iran's equivalent of Uber, collect precise location data linked to verified identities. Domestic messaging platforms, which the government has promoted as alternatives to Telegram and WhatsApp, route messages through servers under Iranian jurisdiction.

Each of these data points might seem innocuous on its own. A bank transfer here, a taxi ride there, a message to a friend. But aggregated, they form a detailed map of a person's movements, social connections, financial activity, and communication patterns. The infrastructure to aggregate these data streams exists. Whether and how comprehensively the regime exploits it remains partially opaque, but the technical capability is built into the architecture by design.

Consider what this means at the checkpoint. The officer checking your phone is not starting from zero. Your SIM is registered to your name. Your IMEI identifies your device. Your location history exists in ride-hailing databases. Your financial transactions are logged. Your app download history sits on a domestic server. The physical phone inspection adds one more layer to a profile that may already be extensive.

When the Internet Goes Dark

The NIN architecture enables something else: shutdowns. Because all international traffic passes through a handful of state-controlled gateways, cutting Iran off from the global internet is technically straightforward. Close the gates, and the ocean disappears. The lake remains.

Iran demonstrated this capability most dramatically in November 2019, when authorities shut down the internet almost completely for roughly a week during fuel price protests. The shutdown was one of the most comprehensive ever documented anywhere in the world. NetBlocks, which monitors global internet connectivity, recorded Iranian traffic dropping to near zero.

The system has grown more refined since then. During the 2022 protests, authorities did not simply pull the plug. They deployed targeted shutdowns: mobile data off in specific provinces while fixed-line connections stayed up; certain platforms throttled while others functioned normally; evening shutdowns when protests were expected, with partial restoration during work hours. This selective approach is only possible because the NIN architecture gives the state granular control over different types of traffic and different regions simultaneously.

The domestic layer of the NIN continues to function during international shutdowns. Government services, domestic banking, and approved local platforms remain accessible. This creates a two-tier internet: a controlled domestic space that keeps the economy minimally functional, and an international connection that can be severed at will.

OONI, the Open Observatory of Network Interference, has documented these patterns through a network of volunteer probes inside Iran. Their data shows a system that has moved from blunt shutdowns to precise, surgical interventions, cutting exactly the channels that enable protest coordination while preserving those the regime needs for governance.

Post-2022: The Surveillance Upgrade

The 2022 Mahsa Amini protests were a stress test for the surveillance system, and the system partially failed. Despite internet throttling, protesters used creative workarounds to coordinate. Bluetooth mesh networks, pre-downloaded content, and physical leaflets circumvented digital controls. Social media footage of police brutality spread globally even as domestic access was restricted.

The regime drew lessons. In April 2023, it launched the "Noor plan," deploying surveillance cameras on highways and in urban centers to detect women without hijab. By early 2024, Amirkabir University in Tehran had installed facial recognition cameras at its gates to track female students. A government app called Nazer allows citizens to report hijab violations by specifying location, time, and license plate numbers. A UN report from March 2025 documented the use of drones alongside cameras for enforcement. Traffic police reported sending over one million SMS warnings to women detected unveiled in their cars since the plan's launch. The technology extends the surveillance perimeter beyond the digital realm into physical space.

IMEI tracking has become more aggressive, aided by a system called SIAM. Leaked documents obtained by The Intercept in October 2022 revealed that SIAM, embedded in Iran's cellular networks, can pull a user's family name, nationality, location history, billing information, birth certificate number, employer, and a list of connected IP addresses and WiFi networks. Because every mobile device has a unique IMEI number that is transmitted whenever it connects to a cell network, SIAM can track a specific phone even if the owner swaps SIM cards. This closes a circumvention tactic that protesters used in 2022, switching SIMs to avoid association with flagged numbers.

The crackdown on VPN usage has intensified as well. In 2023, Iran's judiciary announced penalties for VPN sellers under Article 753 of the Islamic Penal Code. In February 2024, the Supreme Council of Cyberspace went further, criminalizing VPN use itself without a government-issued license. The annual market for VPN sales in Iran was estimated at roughly one billion dollars, a measure of how many Iranians rely on circumvention tools. The technical cat-and-mouse game continues. Researchers and circumvention tool developers report that Iran's filtering systems increasingly use advanced traffic analysis methods to identify new VPN protocols more quickly than older signature-based systems could.

Reports from digital rights organizations indicate that monitoring of encrypted messaging platforms has increased since 2022. While end-to-end encryption makes reading message content difficult, metadata, including who communicates with whom, when, and how often, remains accessible to network-level surveillance tools.

The Data a Checkpoint Officer Sees

Return to the checkpoint. The officer takes the phone. What does he see, and what does the system behind him see?

On the device itself, the officer checks the installed app list against a mental or physical blacklist. Telegram, Signal, Instagram, VPN applications: the presence of any of them triggers further scrutiny. He opens the photo gallery and scrolls for protest imagery or photos of women without hijab. He checks messaging apps for keywords or forwarded content that matches known dissident material.

But the officer is not working alone. Checkpoint operations can cross-reference individuals against centralized databases. A national ID number, entered into a system, may return flags from previous encounters, protest attendance records compiled from facial recognition cameras, or alerts generated by network-level monitoring. The phone check confirms what the system already suspects.

This is the architecture made visible. Not a single technology but layers of systems, each feeding the next. The NIN provides the network control. DPI provides the traffic analysis. Mandatory apps provide the data streams. IMEI tracking provides device identification. Facial recognition provides physical-world surveillance. And the checkpoint provides the human endpoint where the digital and physical systems converge on a single person holding an unlocked phone.

The woman at the checkpoint who deleted her Telegram history this morning was not being paranoid. She understood, perhaps without knowing the technical details, that the system watching her did not begin when the officer raised his hand. It began the moment she turned on her phone.

Sources:
  • OONI (Open Observatory of Network Interference), "Technical multi-stakeholder report on Internet shutdowns: The case of Iran amid autumn 2022 protests," ooni.org
  • OONI, "Iran blocks social media, app stores and encrypted DNS amid Mahsa Amini protests," September 2022
  • The Intercept, "Hacked Documents: How Iran Can Track and Control Protesters' Phones," October 2022
  • NetBlocks, internet shutdown documentation for Iran, 2019-2026
  • Freedom House, "Freedom on the Net: Iran," annual reports
  • NBC News, "Foreign tech companies pitched real-time surveillance gear to Iran"
  • Ryan Bagley, "Anatomy of Iran's Internet," rb.ax
  • Raaznet, "Inside Iran's National Information Network," raaznet.com
  • Article 19, "Tightening the Net" report series on internet censorship in Iran
  • Center for Human Rights in Iran, "10 Things You Should Know About Iran's National Internet Project," 2016
  • UN Special Rapporteur report on electronic surveillance for hijab enforcement, March 2025
  • FDD (Foundation for Defense of Democracies), "Iran Utilizing Surveillance Technology to Support Hijab Enforcement," March 2025
  • Reuters and Associated Press reporting on ZTE and Huawei equipment exports to Iran
  • Citizen Lab, University of Toronto, research on Iranian surveillance and internet filtering
  • Amnesty International, reports on digital rights and surveillance in Iran
  • Iran International, reporting on VPN criminalization and surveillance expansion
This article was AI-assisted and fact-checked for accuracy.