Updates, commentary, training and advice on immigration and asylum law

Can the Iranian government see what dissidents post on Facebook?

THANKS FOR READING

Older content is locked

A great deal of time and effort goes into producing the information on Free Movement, become a member of Free Movement to get unlimited access to all articles, and much, much more

TAKE FREE MOVEMENT FURTHER

By becoming a member of Free Movement, you not only support the hard-work that goes into maintaining the website, but get access to premium features;

  • Single login for personal use
  • FREE downloads of Free Movement ebooks
  • Access to all Free Movement blog content
  • Access to all our online training materials
  • Access to our busy forums
  • Downloadable CPD certificates

The Upper Tribunal has put out a country guidance ruling on the Iranian government’s monitoring of dissidents on Facebook. Previous case law on the general human rights situation in Iran continues to hold good, but the new decision makes additional findings on a narrow but important issue: “risk on return arising from a person’s social media use (in particular, Facebook)”. The case is XX (PJAK – sur place activities – Facebook) Iran CG [2022] UKUT 23 (IAC).

The judgment comes with a detailed headnote, reproduced below. We also include some helpful commentary from data privacy experts medConfidential.

No magic power to hack or scrape Facebook

Mr XX is an Iranian Kurd who says he is at risk of persecution if sent back to Iran because of his support for the Kurdistan Free Life Party. His activities in the UK included attending demonstrations and posting “material critical of the Iranian government” on Facebook. Refusing his asylum claim, a First-tier Tribunal found that these activities were “opportunistic” and that XX could and would delete his Facebook account if returned to Iran.

The Upper Tribunal wanted some technical questions resolved before deciding XX’s appeal. These included whether the Iranian authorities can see what people post to private Facebook accounts and retrieve records of such activity even after the account is shut down. The judges consulted Facebook itself — the friendly folks at the European headquarters in Dublin sniffed that they were not obliged to reply, but would cooperate “on a voluntary basis as a one-time goodwill gesture” — and a computer science expert at the University of Cambridge, Dr Richard Clayton.

Interested in refugee law? You might like Colin's book, imaginatively called "Refugee Law" and published by Bristol University Press.

Communicating important legal concepts in an approachable way, this is an essential guide for students, lawyers and non-specialists alike.

The tribunal’s conclusions are set out from paragraph 69 and summarised in the headnote. The gist, to condense further still, is that the Iranian state may talk big but does not have the capacity to conduct “mass surveillance” on the Facebook activities of its citizens abroad. Nor is it possible to simply hack into the account of someone who is of “significant interest”. Attempts at “targeted surveillance” rely on getting their password through a phishing attempt, for example, or simply adding them as a friend.

Someone whose account was not singled out for monitoring in this way can simply close it down before going back to Iran. On the other hand, if the account was being monitored and incriminating material retrieved, then closing it does no good:

The timely closure of an account neutralises the risk consequential on having had a “critical” Facebook account, provided that someone’s Facebook account was not specifically monitored prior to closure. [Emphasis added]

Disputes over risk in such cases will therefore turn on the “nuanced” factual question of whether the person seeking asylum is a big enough fish to be targeted in the first place. It will be no good to point the Iranian government’s claims to be an all-seeing eye.

The expert view

What can usefully be said in response to the Home Office saying that someone is this position can just delete their account? Privacy experts Sam Smith and Phil Booth of medConfidential have a longstanding interest in how data is used and abused in the immigration and asylum context. They make the following points:

We don’t know what we don’t know: Both the company itself and the expert Dr Clayton pointed out that Facebook cannot know or control what third parties do (see paragraphs 31-33).

Third party retention is possible: There are companies whose entire business model is retaining social media data for the US government. Interests aligned to the Russian government scan and retain all posts of interest across multiple social media platforms. A company embedded in the national security ecosystem of the US probably wouldn’t also sell data to Iran, but whether equivalent companies in other countries do is something we cannot assess.

Other copies may exist: Just because an asylum seeker has deleted their Facebook post, doesn’t mean that someone else deleted the copy they took as evidence.

Social media isn’t just Facebook: Beyond Facebook, there are a bunch of companies which scrape groups / hashtags, then offer the data for money.

The Home Office links data on people: The Home Office argues that it should have a “Common Data Platform”, linking together all the data it holds. Its “Data Services and Analytics unit” already holds information on 650 million people – of which only two of the 30-odd data sources are publicly known. Official claims that no-one else is doing the same as the Home Office itself are as unjustified as they are unreasonable.

Looking at Mr XX’s case, the Upper Tribunal agreed that his Facebook activity was “entirely contrived”, and his lawyer conceded that he would delete the account if return to Iran became a prospect. The panel nevertheless allowed his appeal:

Given his attendance at events; and the prominence of the person he has secured a photograph with [a prominent member of the PJAK], we conclude that there is a real risk that he has been the subject of targeted (as opposed to general) surveillance by the Iranian state already. There is no need for the Iranian authorities to have “hacked” his account or “scraped” his “DYI”. His carefully curated (albeit contrived) social graph is, in this particular case, just sufficient in our judgment to establish a risk that he has been subject to surveillance in the past that would have resulted in the downloading and storing of material held against his name.

In those circumstances, XX deleting his Facebook account would serve no purpose: “he is”, the tribunal concluded, “already at risk”.

The official headnote

The cases of BA (Demonstrators in Britain – risk on return) Iran CG [2011] UKUT 36 (IAC); SSH and HR (illegal exit: failed asylum seeker) Iran CG [2016] UKUT 308 (IAC); and HB (Kurds) Iran CG [2018] UKUT 430 continue accurately to reflect the situation for returnees to Iran. That guidance is hereby supplemented on the issue of risk on return arising from a person’s social media use (in particular, Facebook) and surveillance of that person by the authorities in Iran.

Surveillance

1) There is a disparity between, on the one hand, the Iranian state’s claims as to what it has been, or is, able to do to control or access the electronic data of its citizens who are in Iran or outside it; and on the other, its actual capabilities and extent of its actions. There is a stark gap in the evidence, beyond assertions by the Iranian government that Facebook accounts have been hacked and are being monitored. The evidence fails to show it is reasonably likely that the Iranian authorities are able to monitor, on a large scale, Facebook accounts. More focussed, ad hoc searches will necessarily be more labour-intensive and are therefore confined to individuals who are of significant adverse interest.  The risk that an individual is targeted will be a nuanced one. Whose Facebook accounts will be targeted, before they are deleted, will depend on a person’s existing profile and where they fit onto a “social graph;” and the extent to which they or their social network may have their Facebook material accessed.

2) The likelihood of Facebook material being available to the Iranian authorities is affected by whether the person is or has been at any material time a person of significant interest, because if so, they are, in general, reasonably likely to have been the subject of targeted Facebook surveillance. In the case of such a person, this would mean that any additional risks that have arisen by creating a Facebook account containing material critical of, or otherwise inimical to, the Iranian authorities would not be mitigated by the closure of that account, as there is a real risk that the person would already have been the subject of targeted on-line surveillance, which is likely to have made the material known.

3) Where an Iranian national of any age returns to Iran, the fact of them not having a Facebook account, or having deleted an account, will not as such raise suspicions or concerns on the part of Iranian authorities.

4) A returnee from the UK to Iran who requires a laissez-passer or an emergency travel document (ETD) needs to complete an application form and submit it to the Iranian embassy in London. They are required to provide their address and telephone number, but not an email address or details of a social media account. While social media details are not asked for, the point of applying for an ETD is likely to be the first potential “pinch point, ” referred to in AB and Others (internet activity – state of evidence) Iran [2015] UKUT 257 (IAC). It is not realistic to assume that internet searches will not be carried out until a person’s arrival in Iran. Those applicants for ETDs provide an obvious pool of people, in respect of whom basic searches (such as open internet searches) are likely to be carried out.

Guidance on Facebook more generally

5) There are several barriers to monitoring, as opposed to ad hoc searches of someone’s Facebook material. There is  no evidence before us that the Facebook website itself has been “hacked,” whether by the Iranian or any other government. The effectiveness of website “crawler” software, such as Google, is limited, when interacting with Facebook. Someone’s name and some details may crop up on a Google search, if they still have a live Facebook account, or one that has only very recently been closed; and provided that their Facebook settings or those of their friends or groups with whom they have interactions, have public settings. Without the person’s password, those seeking to monitor Facebook accounts cannot “scrape” them in the same unautomated way as other websites allow automated data extraction. A person’s email account or computer may be compromised, but it does not necessarily follow that their Facebook password account has been accessed.

6) The timely closure of an account neutralises the risk consequential on having had a “critical” Facebook account, provided that someone’s Facebook account was not specifically monitored prior to closure.

Guidance on social media evidence generally

7) Social media evidence is often limited to production of printed photographs, without full disclosure in electronic format. Production of a small part of a Facebook or social media account, for example, photocopied photographs, may be of very limited evidential value in a protection claim, when such a wealth of wider information, including a person’s locations of access to Facebook and full timeline of social media activities, readily available on the “Download Your Information” function of Facebook in a matter of moments, has not been disclosed.

8) It is easy for an apparent printout or electronic excerpt of an internet page to be manipulated by changing the page source data. For the same reason, where a decision maker does not have access to an actual account, purported printouts from such an account may also have very limited evidential value.

9) In deciding the issue of risk on return involving a Facebook account, a decision maker may legitimately consider whether a person will close a Facebook account and not volunteer the fact of a previously closed Facebook account, prior to application for an ETD: HJ (Iran) v SSHD [2011] AC 596. Decision makers are allowed to consider first, what a person will do to mitigate a risk of persecution, and second, the reason for their actions. It is difficult to see circumstances in which the deletion of a Facebook account could equate to persecution, as there is no fundamental right protected by the Refugee Convention to have access to a particular social media platform, as opposed to the right to political neutrality. Whether such an inquiry is too speculative needs to be considered on a case-by-case basis.

Relevant articles chosen for you
CJ McKinney

CJ McKinney

CJ McKinney is a specialist on immigration law and policy. Formerly the editor of Free Movement, you will find a lot of articles by CJ here on this website! Twitter: @mckinneytweets.

Comments