Iran's Internet Censorship: NIN, SIAM, and Mobile-Side Surveillance

Iran operates the most heterogeneous of the three major national censorship regimes. Where China's GFW and Russia's TSPU are relatively centralized technical systems, Iran's filtering is spread across a state-mandated domestic intranet (NIN), a regulatory blocklist authority (CCDOC), ISP-level DPI, and — thanks to the 2022 Ariantel leak — a mobile-side surveillance system called SIAM. This post summarizes the four moving parts and what the SIAM documents revealed.

The four actors

• National Information Network (NIN / SHOMA) — a state-controlled domestic intranet designed to remain operable when the global internet is throttled or cut. ArvanCloud is a key technical partner. NIN routes a growing fraction of domestic traffic on closed paths.
• ICRA / CRA (Communications Regulatory Authority) — operates filtering infrastructure at ISPs.
• CCDOC (Committee Charged with Determining Offensive Content) — the executive blocklist authority. Publishes the formal registry of banned domains that ICRA and ISPs enforce.
• SIAM — embedded in Iranian cellular networks. Enables mobile-side surveillance, per-user QoS and blocking, and per-SIM location tracking. Revealed by the 2022 Ariantel leak.

SIAM — what the 2022 leak revealed

SIAM is the most operationally invasive part of Iran's censorship stack because it operates on the mobile network rather than at the internet backbone. The Ariantel leak produced documentation and internal manuals that demonstrated:

• Per-SIM throttling and blocking.A specific mobile number can be reduced to 2G speeds or denied service entirely, at the operator's command, without requiring network-wide intervention.
• Location tracking. SIAM logs per-tower handoffs and exposes a query interface to state requests.
• Per-user content filtering. Specific user accounts can be subjected to harsher filtering rules than the network baseline — useful for targeting protest organizers.
• Remote SMS injection capabilities. The system supports injecting SMS messages into targeted conversations — a capability that would be devastating in protest coordination contexts.

The Intercept's original reporting on the SIAM leak remains the best English-language summary; the GFW Report team has translated and annotated portions of the technical manuals.

Filtering techniques at the backbone

At the ISP level, Iran employs most of the same primitives as other state censors: DNS poisoning, SNI-based TLS filtering, and IP-level blackholing for specific destinations. Two specifics worth calling out:

• Protocol tampering. During protests, ISPs have intermittently downgraded HTTPS to force plaintext HTTP, enabling more aggressive content filtering.
• Network shutdowns. Iran has demonstrated willingness to cut the global internet entirely during politically sensitive periods — November 2019 and September 2022 being the most documented cases. NIN is the infrastructure that allows domestic services to continue functioning during these cuts.

VPN usage and detection in Iran

VPN usage in Iran is extremely high by global standards — most estimates place it above 50% of all internet users. Detection from the destination side is complicated by several factors:

• Most VPN traffic originates from residential Iranian IPs routed through cloud-hosted exits (AWS Frankfurt, Hetzner Germany, OVH France are the top three). The destination server sees a European IP, not an Iranian one.
• Popular circumvention protocols in Iran include V2Ray, Trojan, Xray/REALITY, and AmneziaWG — all actively probed by IPLogs via the REALITY cert-switch and WireGuard handshake detection.
• NIN-routed traffic that never leaves Iran is not visible to foreign detection at all.

References

• The Intercept, "Leaked documents show how Iran's regime spies on Iranians' phones", 2022.
• OONI Iran country page — ongoing measurements.
• Small Media, annual reports on Iran's internet landscape.