Updates, commentary, training and advice on immigration and asylum law
Can the Iranian government see what dissidents post on Facebook?
THANKS FOR READING
Older content is locked
A great deal of time and effort goes into producing the information on Free Movement, become a member of Free Movement to get unlimited access to all articles, and much, much more
TAKE FREE MOVEMENT FURTHER
By becoming a member of Free Movement, you not only support the hard-work that goes into maintaining the website, but get access to premium features;
- Single login for personal use
- FREE downloads of Free Movement ebooks
- Access to all Free Movement blog content
- Access to all our online training materials
- Access to our busy forums
- Downloadable CPD certificates
The Upper Tribunal has put out a country guidance ruling on the Iranian government’s monitoring of dissidents on Facebook. Previous case law on the general human rights situation in Iran continues to hold good, but the new decision makes additional findings on a narrow but important issue: “risk on return arising from a person’s social media use (in particular, Facebook)”. The case is XX (PJAK – sur place activities – Facebook) Iran CG  UKUT 23 (IAC).
The judgment comes with a detailed headnote, reproduced below. We also include some helpful commentary from data privacy experts medConfidential.
No magic power to hack or scrape Facebook
Mr XX is an Iranian Kurd who says he is at risk of persecution if sent back to Iran because of his support for the Kurdistan Free Life Party. His activities in the UK included attending demonstrations and posting “material critical of the Iranian government” on Facebook. Refusing his asylum claim, a First-tier Tribunal found that these activities were “opportunistic” and that XX could and would delete his Facebook account if returned to Iran.
The Upper Tribunal wanted some technical questions resolved before deciding XX’s appeal. These included whether the Iranian authorities can see what people post to private Facebook accounts and retrieve records of such activity even after the account is shut down. The judges consulted Facebook itself — the friendly folks at the European headquarters in Dublin sniffed that they were not obliged to reply, but would cooperate “on a voluntary basis as a one-time goodwill gesture” — and a computer science expert at the University of Cambridge, Dr Richard Clayton.
Interested in refugee law? You might like Colin's book, imaginatively called "Refugee Law" and published by Bristol University Press.
Communicating important legal concepts in an approachable way, this is an essential guide for students, lawyers and non-specialists alike.
The tribunal’s conclusions are set out from paragraph 69 and summarised in the headnote. The gist, to condense further still, is that the Iranian state may talk big but does not have the capacity to conduct “mass surveillance” on the Facebook activities of its citizens abroad. Nor is it possible to simply hack into the account of someone who is of “significant interest”. Attempts at “targeted surveillance” rely on getting their password through a phishing attempt, for example, or simply adding them as a friend.
Someone whose account was not singled out for monitoring in this way can simply close it down before going back to Iran. On the other hand, if the account was being monitored and incriminating material retrieved, then closing it does no good:
The timely closure of an account neutralises the risk consequential on having had a “critical” Facebook account, provided that someone’s Facebook account was not specifically monitored prior to closure. [Emphasis added]
Disputes over risk in such cases will therefore turn on the “nuanced” factual question of whether the person seeking asylum is a big enough fish to be targeted in the first place. It will be no good to point the Iranian government’s claims to be an all-seeing eye.
The expert view
What can usefully be said in response to the Home Office saying that someone is this position can just delete their account? Privacy experts Sam Smith and Phil Booth of medConfidential have a longstanding interest in how data is used and abused in the immigration and asylum context. They make the following points:
We don’t know what we don’t know: Both the company itself and the expert Dr Clayton pointed out that Facebook cannot know or control what third parties do (see paragraphs 31-33).
Third party retention is possible: There are companies whose entire business model is retaining social media data for the US government. Interests aligned to the Russian government scan and retain all posts of interest across multiple social media platforms. A company embedded in the national security ecosystem of the US probably wouldn’t also sell data to Iran, but whether equivalent companies in other countries do is something we cannot assess.
Other copies may exist: Just because an asylum seeker has deleted their Facebook post, doesn’t mean that someone else deleted the copy they took as evidence.
Social media isn’t just Facebook: Beyond Facebook, there are a bunch of companies which scrape groups / hashtags, then offer the data for money.
The Home Office links data on people: The Home Office argues that it should have a “Common Data Platform”, linking together all the data it holds. Its “Data Services and Analytics unit” already holds information on 650 million people – of which only two of the 30-odd data sources are publicly known. Official claims that no-one else is doing the same as the Home Office itself are as unjustified as they are unreasonable.
Looking at Mr XX’s case, the Upper Tribunal agreed that his Facebook activity was “entirely contrived”, and his lawyer conceded that he would delete the account if return to Iran became a prospect. The panel nevertheless allowed his appeal:
Given his attendance at events; and the prominence of the person he has secured a photograph with [a prominent member of the PJAK], we conclude that there is a real risk that he has been the subject of targeted (as opposed to general) surveillance by the Iranian state already. There is no need for the Iranian authorities to have “hacked” his account or “scraped” his “DYI”. His carefully curated (albeit contrived) social graph is, in this particular case, just sufficient in our judgment to establish a risk that he has been subject to surveillance in the past that would have resulted in the downloading and storing of material held against his name.
In those circumstances, XX deleting his Facebook account would serve no purpose: “he is”, the tribunal concluded, “already at risk”.