Law Library Stacks

Back to Index of of Legal Reports
Back to Comparative Summary

Full Report (PDF, 2.78MB)
Map: COVID-19 Contact Tracing Apps (PDF, 550KB)

Jurisdictions Surveyed:
The Americas: Argentina | Brazil | Mexico
East Asia, South Asia and Pacific: Australia | China | India | Japan | South Korea | Taiwan
Europe and Central Asia: European Union | England | France | Iceland | Italy | Norway | Portugal | Russia | Spain | Turkey
Middle East and Africa: Iran | Israel | South Africa | United Arab Emirates

Iran

Given the emergency created by the outbreak of COVID-19 in Iran, the government had several options for managing the crisis, including by utilizing the constitutional powers of the Parliament to interpret and apply articles 68 and 79 of the Constitution to postpone the elections and implement temporary measures to impose social distancing and quarantines. Alternatively, it had available the article 176 constitutional authorities of the Supreme National Security Council to manage the crisis as a national security and defense matter under the leadership of the President, the ministers, and other key governmental and defense figures, within the limits provided by the Supreme Leader and through decisions authorized by him, and this is the management path it chose. 

The Supreme National Security Council established the National Headquarters to Combat Corona in February 2020, which is directing the country’s efforts against COVID-19 under the direct leadership of the Minister of Health and Medical Education, and has implemented various other measures including applications and websites for voluntary registration, self-assessments, prevention and statistical information, medical assistance, and infection risk notifications. Many of these measures have become contentious due to the arguable infringement of people’s rights to privacy and data protection under Iranian law, which is discussed in this report. The information provided is based on Iranian legislation, public measures, news sources, and other publicly available information.

I. Introduction

As of May 22, 2020, the Iranian government had announced a total of 131,652 confirmed COVID-19 cases and 7,300 deaths; 102,276 recoveries; and 2,659 patients currently in critical condition.[1] The World Health Organization’s May 22 report on Iran indicated 129,341 total confirmed cases and 7,249 deaths.[2]  

Iranian government officials, including the Ministry of Health and Medical Education, have repeatedly prompted people through text messaging and other methods to participate in providing information by registering with the approved self-assessment applications and websites or to call or respond to calls from dedicated phone numbers. In an attempt to encourage people’s trust to engage with providing their information, the Ministry of Health published its privacy policy, indicating that the Ministry is strictly protective of all individuals’ privacy and personal data, in compliance with the 2017 Decree of the Supreme Administrative Council Concerning the Charter on Citizens’ Rights in the Administrative Systems.[3] 

Iranian government officials have reportedly expressed satisfaction with people’s response to the combination of electronic self-assessments, telephone and in-person medical reviews, and the COVID-19 tests. On April 21, 2020, the Deputy Minister of Health and Medical Education indicated that this combination has provided the government with the COVID-19-related information of over 70 million people (the total Iranian population numbers approx. 84 million).[4] On May 3, 2020, the Iranian President made a general statement during an official meeting with the Supreme Leader and the National Headquarters for Combating Corona that roughly 83% of the Iranian population has followed government requests and guidelines for combating the spread of the coronavirus.[5]

II. Legal Framework

A. Privacy and Data Protection

Pursuant to the Iranian Constitution, statutes, and regulations, people’s dignity, life, property, rights, domicile, and occupation must not be violated, unless sanctioned by law. Although Iran has not passed comprehensive legislation dedicated entirely to privacy rights and data protection, the right to privacy and data protection has been emphasized in various pieces of legislation and in the Constitution. The law holds as private and protected every individual’s private assets, body, character, and places, whether tangible or virtual, where a person can have a reasonable expectation of privacy. This includes personal documents, mail, phones, computers, telephone conversations, and all other data transmitted in a private manner in cyberspace that could be traceable to that individual, such as all personally identifiable information (e.g., an individual’s name, home and work addresses, bank accounts) and sensitive personal data (e.g., information concerning family matters, criminal records, tribal or ethnic origins, moral and religious beliefs, ethical characteristics, sexual habits, genetics, health status, and physical or psychological status).[6] 

Hence, all forms of access and investigation of the aforementioned items or materials, whether for the purpose of searching, collecting, processing, analyzing, using, storing, or sharing it, are generally legally forbidden regardless of whether the intention is good or bad, unless access or inspection is allowed either by informed, express, and written consent of the individual, according to a subject-specific law or regulation, or by a legal order. For example, in ta’zir offenses of the fifth to eighth degrees, the court may, with the offender’s consent, put the offender under the supervision of an electronic system within a specific area.[7]

Any legal access or investigation based on an individual’s informed consent, other laws, or legal orders must be performed within a legally defined scope and is subject to certain requirements. Among others, those requirements include

  • consideration for the individual’s dignity,
  • an adequately secure information system,[8]
  • a clear statement of the purpose of access,
  • a scope limited to what is necessary for achieving the purported purpose,
  • transparency,
  • preserving the data’s integrity with subsequent updates, and
  • anonymization and aggregation to the extent required by law. 

Iranian courts generally enforce measures against cyber violations according to the statutorily defined remedies of the applicable laws or regulations, which may include punitive damages and/or imprisonment as defined under the Cyber Crime Act; sanctions on the violators’ bank accounts, applications, and websites; and other measures. Generally, crimes committed in cyberspace are within the jurisdiction of the Special Cyber Crime Court and the Iranian Cyber Police (a.k.a. FATA).[9]           

B. Data Retention and Location Tracking

The juxtaposition of the general privacy and data protection framework (as explained in Part II(A), above) and the laws and regulations that reserve the government’s right to access private data in situations involving a governmental or public purposes is shown in various statutes and regulations. 

Pursuant to article 150 of the Criminal Procedure Code 2015, controlling an individuals’ telecommunications is prohibited, except when it isnecessary for the national security of the countryor in investigation of certain enumerated crimes, and in the case of such exceptions it must be carried out within a specific scope and timeframe. Furthermore, the Supreme National Security Council (SNSC)[10] is the authority that would determine the conditions and requirements for such access or investigation.[11]

Article 15 of the Law on Release and Freedom of Information 2010 is directed at any governmental or nongovernmental entity that might receive a request for release of information that is entrusted with the respective entity, emphasizing that such entities must refrain from providing any data that might reveal private information of a natural person third party, except if the requester is a public entity and that according to the law the requested information is directly relevant to its responsibilities as a public entity, or when the third party has provided express written consent.[12]

Article 39 of the Charter on Citizens Rights 2017 reiterates that all entities and natural and legal persons must protect the privacy and security of the personal data entrusted to them; however, they must also provide the said data to “judicial institutions and eligible administrative institutions,” upon necessity and request.[13] 

Article 4 of the draft Bill on Protection of Data and Privacy in Cyberspace, which has remained in the legislative process since 2018,[14] would require the consent of individuals to access their private data if access was not due to public concerns and circumstances.[15] Article 6 of the same bill would authorize access to individuals’ private data concerning public issues and circumstances, if the individuals directly or indirectly exposed their data or failed to adjust their settings to prevent third-party access.   

Article 32 of the Cyber Crime Act 2009 requires providers of electronic, internet, or data services to keep all metadata and tracing data for any information that enters their cyberspace, including the data’s type, origin, direction, destination, duration, date, time, etc. This data must be retained for a minimum of six months from the date of creation of the data. The users’ information, such as IP address, personal identity information, geographic location data, phone numbers, etc., must be retained for a minimum of six months from the date of termination of services.[16]    

Generally, in Islamic jurisprudence violating an individual’s private zone, whether that involves a person’s body, private assets, or information, in a manner that is against the individual’s dignity is widely abhorred, and the protection of one’s own and others’ privacy is greatly encouraged; accordingly, a similar approach is visible in Iranian legislations that is substantially motivated by Sharia. However, in both Islamic jurisprudence and Iranian laws and judicial precedent there are principles that grant supreme importance to the benefit of the public and protection of the Islamic system of governance, which, depending on the circumstances, could outweigh the individuals’ privacy and data protection rights if those rights are incompatible with the stated benefits.

A partial oversight measure for this potential incompatibility is that if a governmental entity’s regulations, decisions, or measures or a public nongovernmental entity’s actions infringe a natural or legal person’s privacy and data protection rights, such person has legal standing to hold the governmental or public nongovernmental entities accountable, according to article 12 of the Law on the Organization and Procedure of the Court of Administrative Justice.[17] However, the same statute exempts regulations, decisions, or other measures of a number of indicated entities, which all act in political or judicial capacities, including the Supreme National Security Council. According to some of the available legal interpretations, the reason for this exception is that the regulations, decisions, or measures by the political or judicial entities are not subject to legal action, and the same principle would apply to their sub-entities.[18]   

III. Electronic Measures to Fight COVID-19 Spread

Iran has not adopted any laws, regulations or other public measures[19] that would allow the use of unauthorized or mandatory electronic means to assess general adherence to confinement measures to fight COVID-19 spread. However, it has created a few COVID-19-dedicated applications, websites, and phone services for self-assessments and tracking the spread of the coronavirus. The following apps and websites are operating based on the decisions, support, or authorization of the National Headquarters for Combating Corona;[20] the Ministry of Health and Medical Education, which leads the National Headquarters for Combating Corona; and the Ministry of Information and Communication Technology (ICT).

A. COVID-19 Dedicated Apps and Websites

1. The AC19 App

On or around March 3, 2020, the Iranian Ministry of Health and Medical Education reportedly sent a text message to all cell phones across the country, encouraging people to download the AC19 app (a.k.a. ”the Application for Combating Coronavirus“ or ”the Application Against Coronavirus”). The app allows users to access a COVID-19 self-assessment test, suggesting that it would be a reasonable measure for people with mild symptoms to stay in self-quarantine and to receive an assessment/medical assistance through the application, instead of heading to the hospitals. AC19 is an Android application[21] that is currently available in Café Bazaar, an Iranian website for downloading apps, movies, games, etc., as well as on the AC19 website.[22] The AC19 app was created by the Tehran Headquarters for Combating Corona, the Ministry of Health and Medical Education, and the ICT.[23] 

This app reportedly prompts users to provide permission to access their Android devises’ location, and requests personal information such as the users’ phone numbers, names, and addresses. It also asks questions regarding their COVID-19 medical symptoms and those of their family members and social contacts, as well as information concerning age, gender, weight, etc. The AC19 app has caused contention and mistrust for many users and reporters, for several reasons:

  • The prompt for accessing the user’s location data is from Android and not the Iranian application developers, hence, it is in English unless the users have changed their Android’s settings to Farsi.
  • Users of older Android phones do not receive any prompts at all.
  • According to information published by a London-based security researcher, who downloaded the application and evaluated its programming, it is collecting location data¾coarse location (WiFi and mobile-based), fine location (GPS-based), latitude, and longitude¾with a precision of less than three meters, as well as the live movements of the devices, such as with fitness apps.[24] 

The Islamic Republic News Agency (IRNA), published a response to the foregoing controversy, stating that AC19 is not a spyware/malware, based on the results of the ZDNet/ESET technical and security evaluations of the application, and indicating that such location data collections are a common practice for many widely used applications.[25]

2. The Salamat Website

Following the contentious reactions to the AC19 app, the Ministry of Health and Medical Education published a guideline for the general public and developers of COVID-19 apps and websites, indicating that all developers must comply with the guidelines of the National Headquarters for Combating Corona; must register with Ministry of Health and Medical Education prior to operating; and must not obtain any personally identifiable information from the users, such as the National Identification Codes or phone numbers, but must instead, direct the users whose assessments show a higher probability of  infection to the Salamat.gov.ir website[26] for a unified medical response and registration. 

In the same guideline, the Ministry of Health asked people to register with the Salamat.gov.ir website for self-assessment and medical measures, and stated that a list of authorized COVID-19 apps and websites will be shortly available for the public.[27] In order to do the self-assessment test on the Salamat website the users will have to enter their National Identity Codes and dates of birth, and answer questions regarding their COVID-19 medical symptoms and those of their family members and social contacts. If the assessment shows a high risk of infection, the user will be instructed regarding the closest hospitals and health centers, and a health provider will contact the user through a dedicated (4030) phone number.[28] 

3. The Mask App and Website

Mask is a movement-tracing app that was built for the Ministry of Health and Medical Education by a group of volunteer technical experts from Sharif, Amirkabir, and Shahid Beheshti Universities. It is available on the Mask.ir website[29] and through Café Bazaar. The app’s website educates users regarding the developers, goals, and scope of the app’s access to user data. It provides an infection-risk map that is based on aggregated data obtained from the Ministry of Health and Medical Education and a live contact/infection-risk notification service.  In order to view the map, users do not have to provide personal information. However, to use the self-assessment test, infection-risk notifications, etc., users must register by entering their phone number and authorizing access to their device’s location data. The website states that Mask is trying to obtain from the Ministry of Health and Medical Education a list of phone numbers of those individuals who have been in close contact with confirmed cases within the last two weeks in order to notify them. It adds that their live contact/infection-risk notification service is merely based on the information that users have provided voluntarily, using anonymization, location tracing, Bluetooth, GPS, QR Code, etc.[30] 

4. Website for Coronavirus Self-Assessment, Information, and Registration

The website for coronavirus self-assessment, information, and registration was created with the support of the Deputy of Research and Technology of the Ministry of Health and Medical Education. It contains COVID-19-related educational information, an infection-risk map, and several self-assessment tests, one of which requires the user’s phone number.[31] 

B. Oversight Measures 

Iran is reportedly in the process of considering reform bills that would implement oversight measures concerning cyberspace violations.[32] Meanwhile, currently,

  • if a natural or legal person believes that a government employee has violated his or her privacy or data protection rights, that person has standing to pursue legal action against the government employee, according to the Cyber Crime Act and other subject-matter-specific laws and regulations;[33] and
  • if the violator is a governmental entity or a nongovernmental public entity that is acting in an administrative or executive capacity, persons with standing may file legal actions against such entities, according to article 12 of the Law on the Organization and Procedure of the Court of Administrative Justice, which was enacted pursuant to article 173 of the Constitution.[34]

Aside from the aforementioned legal measures, the Maher Center[35] is responsible for receiving cyberspace complaints, confidentially informing the subject persons of their compromised private data, and notifying the highest authority of the violating governmental entity of the complaints about that entity.[36] Concurrently, the Afta Strategic Management Center of the Office of the President, acting under the Cyberspace Council of the Supreme National Security Council (an SNSC sub-council), was created to act in conjunction with the Maher Center to coordinate the efforts of the three branches of government, their divisions, and nongovernmental public entities in creating a unified response to cyberspace violations.[37]

Back to Top

Prepared by Shadi Karimi
Foreign Law Consultant
June 2020


[1] AC19 Official Coronavirus Daily Reports and Registration Page (website as viewed on May 22, 2020), https://ac19.ir/; 2,311 New COVID-19 Cases; National Death Toll Reaches 7,300, Ministry of Health and Medical Education (May 22, 2020), https://perma.cc/8U5N-736Y (all sources are in Farsi unless otherwise noted) . 

[2] Coronavirus Disease (COVID-19) Situation Report 123, World Health Organization(May 22, 2020), https://perma.cc/YN6N-GJ86 (in English).

[3] Privacy Policy Statement, Ministry of Health and Medical Education, https://perma.cc/F2EJ-P8K4; Decree of the Supreme Administrative Council Concerning the Charter on Citizens’ Rights in the Administrative Systems, Official Gazette of the Islamic Republic of Iran, Apr. 10, 2017, No. 20995, https://perma.cc/HYL4-ST89.

[4] Evaluating Latest Corona Situation with Attendance of Government Officials at Health Commission [Meeting], Parliament News Agency (Apr. 21, 2020), https://perma.cc/ZUM6-DEEL; Details of Ministry of Health Mandates for Corona, Islamic Republic News Agency (Mar. 3, 2020), https://perma.cc/HSP6-FSDW.

[5] 83% of People Have Complied with Health Regulations, Presidential News Center (May 3, 2020), https://perma.cc/J7Q2-5QQ8.

[6] Constitution of the Islamic Republic of Iran 1979, as amended, arts. 22, 25, https://perma.cc/JN9G-4QUV, English translation, https://perma.cc/3CGR-CNRF; Law on Respect for Legitimate Freedoms and Citizens Rights, May 5, 2004, § 8, https://perma.cc/HA44-RJSN; Electronic Commerce Law, Jan. 7, 2004, arts. 1–5, 11, 33–35, 38, 58–60, 71–72, 79, https://perma.cc/U72P-XFF9 (English translation); Cybercrime Act, Dec. 24, 2009, arts. 1, 2, 5, 25, 32, 34, 38, 39, 48, https://perma.cc/723P-9WNU; General Policies for “Security of Production Space and Information Exchange and Communication (Afta),” Feb. 18, 2011, § 1, https://perma.cc/NF7Z-DLDV; Law on the Release and Freedom of Information, Aug. 22, 2009, arts. 13–15, https://perma.cc/M7T4-3PKM; Criminal Procedure Code of Iran 1392 [2014], arts. 4, 40, 150, https://perma.cc/D83H-NQZ8; Law on “Protection of Individuals Who Are Promoting Islamic Ethics,” May 23, 2015, art. 5, Official Gazette of the Islamic Republic of Iran, May 23, 2015, No. 20464, https://perma.cc/4S9R-JB4R; Charter on Citizens Rights, Nov. 2016, arts. 36–40, https://perma.cc/VUW7-PD6Z; Draft of the Bill on the Protection of Data and Privacy in Cyberspace, June 2018, arts. 1–2, 4–8, 12, 14, 19, 26, 27, 67, 68, https://perma.cc/KA2Z-52AT.

[7] Islamic Penal Code of Iran 1392 [2013], art. 62, https://perma.cc/A4PS-C7L4.

[8] A “secure information system” is defined as an information system that is reasonably protected against misuse or penetration; possesses a reasonable level of proper accessibility and administration; is reasonably designed and organized in accordance with the significance of the task; and is in compliance with secure methods. A “secure method” is a method to authenticate the date, correctness, origin, and destination of data messages, as well as to detect errors and modifications in its communication, content, or storage “from a certain point.” A secure message is generated using algorithms or codes, identification words or numbers, encryption, acknowledgement call-back procedures, or similar secure techniques. Data Protection Laws of the World (Iran), DLA Piper(May 23, 2019), https://perma.cc/CGT8-BQRA (in English).

[9] Constitution of the Islamic Republic of Iran arts. 22, 25; Law on Respect for Legitimate Freedoms and Citizens Rights § 8; Electronic Commerce Law arts. 1–5, 11, 33–35, 38, 58–60, 71–72, 79; Cybercrime Act arts. 1–2, 5, 25, 32, 34, 38, 39, 48; General Policies for “Security of Production Space, Information Exchange and Communication (Afta)” § 1; Law on Release and Freedom of Information arts. 13–15; Criminal Procedure Code of Iran arts. 4, 40, 150; Law on “Protection of Individuals Who Are Promoting Islamic Ethics” art. 5; Charter on Citizens Rights arts. 36–40; Draft of the Bill on Protection of Data and Privacy in Cyberspace arts. 1–2, 4–8, 12, 14, 19, 26, 27, 67, 68.

[10] The Supreme National Security Council, led by the Iranian President, is the highest-ranking power after the Supreme Leader in matters of national security against domestic and global threats. The Council’s enumerated constitutional authorities for the main purpose of defending national security are explicitly within the limits provided by the Supreme Leader, and its decisions are enforceable as law after his approval. Among the constitutional authorities granted to the Supreme National Security Council is the power to entrust parts of its responsibilities to sub-councils, in which case those sub-councils remain under the control of the President of the country, or the President can delegate the control to another member of the Supreme National Security Council. The National Headquarters for Combating Corona, as a sub-entity of the Supreme National Security Council, could arguably be considered a political entity as well; hence, it is plausible that it could be immune from citizens’ lawsuits. Constitution of the Islamic Republic of Iran arts. 173, 176; Law on the Organization and Procedure of the Court of Administrative Justice, Mar. 18, 2017, art. 12, https://perma.cc/F9VW-CHVV; Analysis of the Plausibility of Judicial Oversight on the National Headquarters for Combating Corona, Allameh Tabataba’i News Agency (Apr. 9, 2020),https://perma.cc/LBG2-BHDL. According to Article 176 of the Constitution, the Supreme National Security Council consists of the heads of the three branches of the government (the President as the Chairman of the Council, the Speaker of the Parliament, and the Chief Justice), two representatives appointed by the Supreme Leader, the Chief of the General Staff of the Armed Forces, the Chief of the Army, the Chief of the Islamic Revolutionary Guard, the Minister of Foreign Affairs, the Minister of the Interior, the Minister of Intelligence, the Head of the Management and Planning Organization, and the minister of the ministry that is the subject of the Council’s agenda at the time. 

[11] Criminal Procedure Code of Iran arts. 4, 40, 150.

[12] Law on Release and Freedom of Information arts. 13–15.

[13] Charter on Citizens Rights of Nov. 2016, arts. 36–40.

[14] Necessity of Passing Draft Bill on Protection of Data and Privacy in Cyberspace, Islamic Republic News Agency (Feb. 12, 2020), https://perma.cc/9A9H-SDEV.

[15] Draft of the Bill on the Protection of Data and Privacy in Cyberspace arts. 1–2, 4–8, 12, 14, 19, 26, 27, 67, 68.

[16] Cybercrime Act arts. 1, 2, 5, 25, 32, 34, 38, 39, 48, https://perma.cc/723P-9WNU.

[17] Enacted pursuant to article 173 of the Constitution, https://perma.cc/JN9G-4QUV, https://perma.cc/3CGR-CNRF (English translation).

[18] Analysis of the Plausibility of Judicial Oversight of the National Headquarters for Combating Corona, supra note 10.

[19] It is notable that pursuant to the Decree of the Supreme Administrative Council Concerning the Charter on Citizens’ Rights in the Administrative Systems, the government must be fully transparent regarding decisions and measures that would impact people’s rights or benefits; however, again, this law is only applicable to administrative systems and is silent regarding governmental entities such as the Supreme National Security Council and its sub-councils that are acting in a political capacity. Decree of the Supreme Administrative Council Concerning the Charter on Citizens’ Rights in the Administrative Systems art. 1, § 4, Official Gazette of the Islamic Republic of Iran, Apr. 10, 2017, No. 20995, https://perma.cc/HYL4-ST89.   

[20] Reportedly, beginning on February 26, 2020, public sessions of the Parliament were indefinitely terminated (but resumed after 44 days) on the orders of the National Headquarters for Combating Corona, which had been established on February 22, 2020, by an act of the Supreme National Security Council, with the invested authority to create, coordinate, and enforce relevant national guidelines, and utilize national resources to stop the spread of COVID-19.  Because the National Headquarters for Combating Corona is a sub-entity of the Supreme National Security Council, its decisions are equivalent to those of its founding Council and, as such, are deemed valid laws. Depending on the circumstances, those decisions can supersede laws passed by the Parliament. The Head of the staff of the National Headquarters is the Minister of Health and Medical Education. Other members are the Deputy Minister of Health and Medical Education; Spokesperson of the Ministry of Health; Minister of the Interior; Minister of Roads and Urban Development; Minister of Education; Minister of Science, Research and Technology; Minister of Cultural Heritage, Tourism and Handicrafts; Minister of Culture and Islamic Guidance; Chief of the General Staff of the Armed Forces; Attorney General; Head of the Management and Planning Organization; Director General of the Islamic Republic of Iran Broadcasting (IRIB); Head of Iran’s Hajj and Pilgrimage Organization; government’s Spokesperson; and Iran’s Chief of Police.  Who Closed Parliament?, Hamshahri Online (Apr. 8, 2020), https://perma.cc/77EJ-JYWD; Resumption of Parliament’s Public Sessions Awaiting Permission from National Headquarters for Combating Corona, Tabnak World (Apr. 2, 2020), https://perma.cc/7L9W-3NZR; First Open Session of Parliament after Closure, Tasnim News (Apr. 7, 2020), https://perma.cc/SYP8-PXDE; How Did First Sessions of Parliament Go?, Islamic Republic News Agency (Apr. 9, 2020), https://perma.cc/P68E-DULS; Decisions of the National Headquarters for Combating Corona Are as Enforceable for All Governmental Agencies as Decisions of the Supreme National Security Council, Office of the Government Cabinet (Mar. 11, 2020), https://perma.cc/K5GY-3XG7; National Headquarters for Combating Corona Meeting Convened with Supreme Leader in Attendance, Islamic Republic News Agency (Sept. 3, 2020), https://perma.cc/WW5K-9EGJ; Mehdi Moghadasi & Ehsan Akbari, Legal Importance of the Decisions of the Supreme National Security Council: Abstract, 47(4) Pub. L. Stud. (Winter 2017), https://perma.cc/7D8W-AM5L.

[21] According to Statcounter Global Status, over 88% of the Iran’s cell phone subscribers are using Android.  Mobile Operating System Market Share (Iran),Statcounter Global Status (May 22, 2020), https://perma.cc/F5NB-GX3W (in English). 

[22] Application for Combating Corona,Café Bazaar (May 22, 2020), https://perma.cc/4GZ3-8VYH; AC19 Official Coronavirus Daily Reports and Registration Page (website), supra note 1.  

[23] Downloading AC19 Application for Corona, Iranian Labor News Agency (Mar. 16, 2020), https://perma.cc/6NX8-K46V; Application for Combating Corona Released, Peivast Monthly News (Mar. 4, 2020), https://perma.cc/2MQU-JPLK.

[24] David Gilbert, Iran Launched an App That Claimed to Diagnose Coronavirus. Instead, It Collected Location Data on Millions of People, Vice News (Mar. 14, 2020), https://perma.cc/X7WE-AFAC (in English); Zak Doffman, Coronavirus Spy Apps: Israel Joins Iran and China Tracking Citizens’ Smartphones to Fight COVID-19, Forbes (Mar. 14, 2020), https://perma.cc/P6L6-LMNZ (in English); Nariman Gharib, Ministries of Health and Information Communication Technology Spying on People, Telegraph (Mar. 6, 2020), https://perma.cc/4MJB-HQ2Q.

[25] Is the Application to Combat Corona Malware?, Islamic Republic News Agency (Mar. 4, 2020), https://perma.cc/Y597-S5X9; Catalin Cimpanu, Spying Concerns Raised Over Iran's Official COVID-19 Detection App, ZDNet (Mar. 9, 2020), https://perma.cc/Z6NV-FCC9 (in English).

[27] Draft Guidelines for Recognition and Introduction of [Legitimate] Websites, IRIB News (Mar. 10, 2020), https://perma.cc/XQZ4-KRHM.

[28] Necessity of People Joining Salamat Assessment Website to Combat Corona, Iranian Students News Agency (Apr. 11, 2020), https://perma.cc/FQ7K-ENJF.

[30] Questions and Answers, Mask.ir (May 22, 2020), https://perma.cc/JX36-SB4R.

[31] Coronavirus Information, Self-Assessment and Registration (website), https://perma.cc/6S79-E2VJ.

[32] Maher’s Statement Regarding Unauthorized Disclosure of Some Legal Persons in Cyberspace, Information Technology Organization (Apr. 26, 2020), https://ito.gov.ir/fa/news/104852/بیانیه-مرکز-ماهر-در-رابطه-با-روند-افشاء-داده‌های-سازمان‌ها-و-کسب‌وکارها-در-فضای-مجازی .  For more on the Maher Center, see footnote 35, infra.

[33] Cybercrime Act art. 5, https://perma.cc/723P-9WNU.

[34] Constitution of the Islamic Republic of Iran art. 173, https://perma.cc/JN9G-4QUV, https://perma.cc/3CGR-CNRF (English translation); Law on the Organization and Procedure of the Court of Administrative Justice art. 12, https://perma.cc/F9VW-CHVV

[35] The Maher Center is a part of the Information Technology Organization and, as such, a part of the Ministry of Information and Communication Technology. Maher has various subdivisions and governmental and private partners that collectively act as a national information technology Computer Emergency Response Team (CERT). History of the Organization – Information Technology Organization in One Look, Information Technology Organization (Sept. 18, 2019), https://perma.cc/L8TR-ENE5; Maher’s Statement Regarding Unauthorized Disclosure of Some Legal Persons in Cyberspace, supra note 32. 

[36] The National System for the Prevention and Defense against Cyberspace Incidents Was Approved, Presidential News Center (Nov. 6, 2017), https://perma.cc/8HLE-LVN4; Maher’s Statement Regarding Unauthorized Disclosure of Some Legal Persons in Cyberspace, Information Technology Organization (Apr. 26, 2020), https://ito.gov.ir/fa/news/104852/بیانیه-مرکز-ماهر-در-رابطه-با-روند-افشاء-داده‌های-سازمان‌ها-و-کسب‌وکارها-در-فضای-مجازی . See also Maher’s Statement Regarding Unauthorized Disclosure of Some Legal Persons in Cyberspace, note 32, supra. 

[37] About, Afta (website), https://perma.cc/VH4L-Z8MT.

Last Updated: 12/30/2020