UK case law

XX v The Secretary of State for the Home Department

[2022] UKUT IAC 23 · Upper Tribunal (Immigration and Asylum Chamber) · 2022

The verbatim text of this UK judgment. Sourced directly from The National Archives Find Case Law. Not an AI summary, not a paraphrase — every word below is the original ruling, under Crown copyright and the Open Government Licence v3.0.

Full judgment

1. This is the re-making of the decision in the appellant’s appeal against the respondent’s refusal of his protection and human rights claims. The representatives and the Tribunal panel attended the hearing in person, while the appellant attended via Teams. He gave evidence on the third day of the hearing, with the assistance of a Kurdish Sorani interpreter, who also attended via Teams. The parties did not object to the appellant attending and giving evidence via Teams and we were satisfied that he was able to participate effectively in the hearing.

2. We deal with the issues in the following order: (i) the background; (ii) the procedural history to the appeal; (iii) existing country guidance; (iv) the principal questions we have considered; (v) preliminary issues at the hearing; (vi) the evidence; (vii) our findings and conclusions; and (viii) the Country Guidance.

3. The representatives provided written skeleton arguments and made substantial oral submissions. Rather than recite these in detail, we address their substance, and refer to them as necessary, as we progress through the findings and our conclusions. Finally, the error of law decision which this re-making decision follows is set out in the Annex to these reasons.

Background

4. The appellant, an Iranian citizen of Kurdish ethnic origin, entered the UK unlawfully on 4th December 2017. He then claimed asylum, based on his fear of persecution because of his political beliefs, specifically his support for the Kurdistan Free Life Party (Partiya Jiyana Azad a Kurdistanê, (“PJAK”)). He based his claim on his activities in Iran, where he had been persecuted; and in the UK, where he had attended demonstrations and set up a Facebook account, which included material critical of the Iranian government.

5. The respondent refused the appellant’s claim in her decision of 14th February 2019. The appellant appealed that refusal, and the First-tier Tribunal (“FtT”) Judge rejected his appeal on 12th April 2019. The FtT Judge regarded the appellant’s narrative of events in Iran as entirely fabricated and found that the appellant had no genuine political adherence to the PJAK, which was manufactured to bolster his asylum claim. His attendance at demonstrations in the UK and his Facebook account were opportunistic. The FtT Judge concluded that the appellant’s activities in the UK would not result in a well-founded fear of persecution on his return to Iran. Faced with return, he would delete his Facebook account, which would have the effect of removing all “likes”, comments, and other contents that the appellant had shared. The FtT Judge reminded herself of the risk factors set out in the Country Guidance case of HB (Kurds) Iran CG [2018] UKUT 00430. While the appellant was likely to be questioned on his return, because of his Kurdish ethnicity, he would not be regarded as having played a leading or organising role in the UK demonstrations he had attended. It was not even clear when and where these demonstrations had occurred and there was no evidence that they had attracted any media attention. None of the other risk factors in HB applied to the appellant.

6. The appellant appealed against the FtT Judge’s decision and FtT Judge J K Swaney granted permission on 10th May 2019. Her permission to appeal was not limited in its scope.

Procedural history of the litigation

7. Three case management review hearings have taken place: on 22nd October 2019; 8th June 2020; and 17th December 2020, to identify and agree the list of factual questions to be put to Facebook about the storage and deletion of information on its website. The Vice President identified the following two issues at the case management hearing on 22nd October 2019: (i) the extent to which authorities anywhere can recover data which the user has used his best efforts to delete; and (ii) the extent to which Facebook will help the user to do so.

8. On 17th December 2019, this Tribunal made anonymity directions. By the same date, the parties had agreed, and the respondent had put to Facebook, a list of questions. Facebook did not respond and following the case management review hearing on 8th June 2020, this Tribunal issued an order to Facebook UK Limited on 3rd July 2020, requiring a response by 28th August 2020. Facebook Ireland responded initially on 14th August 2020. The parties then put further questions to Facebook Ireland on 18th December 2020, to which Facebook Ireland responded on 22nd January 2021. This Tribunal issued final directions, following the case management review hearing on 17th December 2020.

Existing country guidance

9. We remind ourselves of some of the principles set out in Country Guidance and reported cases below.

10. BA (Demonstrators in Britain – risk on return) Iran CG [2011] UKUT 36 (IAC). This case is authority for the finding that the Iranian government is unable to monitor all returnees involved in UK demonstrations. A decision maker must analyse the level of involvement of an individual, including the nature of sur place activities.

11. SSH and HR (illegal exit: failed asylum seeker) Iran CG [2016] UKUT 00308 (IAC) confirms that status as a failed asylum seeker, with no prior adverse interest, will not, of its own, result in a risk to a returnee to Iran.

12. HB sets out particular risk factors for those Iranians of Kurdish ethnic origin returning to Iran, even where political activity is “low level”.

13. The reported case (but not Country Guidance) of AB and Others (internet activity – state of evidence) Iran [2015] UKUT 00257 (IAC), conceived the notion of a “pinch point” of risk on return at Tehran Airport.

Principal questions

14. We consider the following questions and issues:

(i) Facebook and other social media (§§69 to 72).

(ii) Facebook accounts: their characteristics, publicity and permanence (§§73 to 84).

(iii) Iranian state surveillance generally, and of Facebook, in particular (§§85 to 89).

(iv) What Facebook material is visible to the Iranian authorities (a) on application for an emergency travel document (“ETD”) and (b) on arrival at an Iranian port of entry (typically Tehran airport)? Will the visibility of material be affected by whether the person was previously a person of interest to the Iranian authorities? (§§90 to 96).

(v) Will the fact of having no Facebook account on arrival in Iran cause the Iranian authorities to have suspicion or prompt further investigation? (§97).

(vi) To what extent can a person be expected on return to their country of origin not to volunteer the fact of having previously had a Facebook account? (§§98 to 102).

(vii) What difference does a Facebook account containing material critical of the Iranian authorities (whether deleted or not) make to the risk faced by someone returning to Iran? (§103).

(viii) Does the appellant have a well-founded fear of persecution? (§§104 to 119).

Preliminary issues at the hearing

15. Two issues arose at the start of the hearing, both relating to the scope of our fact-finding. First, the parties disputed the scope of the preserved findings, on which we would base our decision.

16. The findings which the parties agree are preserved are as follows. At §9 of her decision, the FtT Judge outlined the appellant’s circumstances, where she recorded the appellant as being an Iranian citizen of Kurdish ethnic origin. He had lived in Iran with his parents and sister. He did not go to school and could not read or write. He worked as a farmer and smuggled goods over the Iran/Iraq border. He left Iran clandestinely and entered the UK without permission. He then claimed asylum. He was aware of discrimination against the Kurds but did not realise there was anything he could do about it. The FtT Judge recorded the appellant’s claim of adverse attention in Iran because of distributing leaflets on behalf of the PJAK. The FtT Judge did not believe that account. She went on to find, in respect of UK activities, the following: “27. I find the Appellant’s activities as a supporter of PJAK in the UK are merely opportunistic. He told me that he enquired about PJAK in February or March 2018 when he was having his hair cut in Stockton and heard people talking about PJAK. He then told them that he was also a supporter and asked them to let him know about demonstrations and give him a lift to them. In my judgment if the Appellant was genuinely a supporter of PJAK and had risked his life to be involved in activities in Iran with the consequence that he had to flee the country, he would have made an effort to contact PJAK as soon as he arrived in the UK in December 2017. I place little weight on the photographs of demonstrations and printouts from Facebook submitted by the Appellant. All they show is that he was present at some demonstrations and has asked to have his photograph taken with prominent members at meetings. In relation to the demonstrations whilst I accept that he was present I do not find that any of the photographs clearly show that people inside the Iranian embassy have taken photographs of him.

28. Furthermore, I find it lacks credibility that somebody who is illiterate has set up a Facebook account on which he shares messages supportive of Kurdish rights. In addition, I find it inconsistent that the Appellant claims that he does not wish to contact his family in Iran in case it puts them in danger but has no qualms about setting up a public Facebook page publicising his support for PJAK. When asked to explain this, he said that he did not believe this would put them in danger because Etela’aat are only looking for him.”

17. In preserving these findings in his error of law decision, Upper Tribunal Judge Dawson stated, at §20: “20. … The decision is set aside solely in relation to the appellant’s sur place activities and any risks that he would face as a consequence. The judge’s findings as to the basis of the appellant’s support for the PJAK in the United Kingdom (recorded at [27] and [28]) are preserved and, for the avoidance of doubt the judge’s findings on the appellant’s pre-flight activities are also preserved. Directions for a further hearing for the remaking of the decision in the Upper Tribunal will be issued in due course.”

18. The parties disagree on whether it follows that the appellant would close and delete his Facebook account (which the FtT Judge had found at §32 of her decision, but which Judge Dawson did not specifically preserve). Mr Thomann submitted that we must, as a matter of common sense, make such a finding, while Mr Jaffey QC argued that even if the appellant’s sur place activities have been contrived, it does not follow that he would necessarily close or delete his Facebook account, or not volunteer the fact of such activities to the Iranian authorities, as to do so may place him at risk – instead, he may, with good reason, decide to make a “clean breast of it” on his return. We discuss this issue further, below.

19. The second preliminary issue related to Mr Jaffey’s suggestion that we only resolve general questions and remit the questions specific to the appellant’s fear of persecution, and any necessary fact-finding, to the FtT. He suggested this because on the first day of the hearing, the appellant had not adduced any additional evidence about his personal circumstances, that had not been before the FtT Judge.

20. Mr Jaffey accepted that this Tribunal had never given any indication that the appellant’s specific case would not be fully resolved. While this was a case where we are invited to make general findings, it has always been listed as a re-making of the appellant’s appeal.

21. We did not accept that Mr Jaffey’s proposed course was appropriate. On the morning of the first day of the hearing, we directed that the appellant must apply to adduce any additional evidence on which he sought to rely, by 4pm on the second day. He applied at the start of the second day. The respondent did not object and we granted the application. We have been able to make findings on the appellant’s specific circumstances.

Evidence

22. We were provided with a core bundle (‘CB’) running to 1,447 pages; a supplementary bundle (‘SB’), which included the appellant’s updated witness statement and excerpts from his Facebook account, on which he was cross-examined; and an authorities bundle. We heard oral evidence from two expert witnesses called by the appellant: Dr Richard Clayton; and Mr James Marchant, who also provided written reports. Given the extent of the written evidence, while we have considered it as a whole, we only refer to a small part of it where discussed by Dr Clayton and Mr Marchant, or where we regard it as necessary. We include excerpts of Facebook Ireland’s responses, which Dr Clayton discusses. We also refer to a report which Dr Clayton cites and which we found to be particularly helpful: ‘Iran and the Soft War for Internet Dominance,’ written by Claudio Guarnieri and Collin Anderson dated August 2016, a copy of which was at pages [576] to [632] CB (https://iranthreats.github.io/us-16-Guarnieri-Anderson-Iran-And-The-Soft-War-For-Internet-Dominance-paper.pdf)

23. Dr Clayton’s evidence relates to how material published on a Facebook account may be viewed by others; and generally, how people’s personal data (for example, their emails or other messages) may be accessed without their knowledge or consent.

24. Mr Marchant discusses in his evidence the Iranian government’s past record and likely current intentions in monitoring social media activity, including Facebook.

25. We express our gratitude to both witnesses for the candour and clarity of their written reports and oral evidence. They are witnesses who were willing to concede limits in their expertise and we are satisfied that they have attempted to assist this Tribunal as independent experts, to the best of their abilities.

Dr Clayton’s evidence

26. Dr Clayton does not profess to be an expert in relation to Iranian politics or state activities, beyond his general reading. His unchallenged expertise is in computer science. He is currently a principal research assistant at the computer laboratory of the University of Cambridge, of status equivalent to that of a Reader. He also acts as the director of the Cambridge Cybercrime Centre which collects, collates and distributes data relating to criminal activity on the internet. His longstanding expertise in industry, before becoming an academic, includes building a computer program business, producing software for Amstrad games machines and a word-processor which was sold to Demon Internet, then the largest UK internet services provider in the mid-1990s, for whom he then worked until 2000. After 2000, he has studied for, and gained, his PhD at Cambridge University, and works in various aspects of computer security. He has acted as specialist adviser to the House of Lords and Commons Select Committees in relation to internet security. He has written or co-authored over 50 peer-reviewed professional publications. We accept, without hesitation, his particular expertise in how personal data, stored in email and social media accounts and on computers, can be accessed and monitored.

27. One of the social media sites that Dr Clayton discusses in his evidence is Facebook. In his first report dated 9th November 2020, a copy of which was at pages [172] to [179] CB, Dr Clayton deals with the issue of the privacy of users on Facebook, at §§36 to 47: “36. Facebook exists to share information between people (and of course to show them advertisements and thereby make money) … and although there are some simple controls to limit sharing, the platform design is intended to make it easy to share data and hard to limit that sharing.

37. The privacy controls available on Facebook have varied over time and any description of current controls must be caveated by saying that the situation tomorrow may be different – and also that because of those changes, long time users of the platform may have expectations that their data can be seen by rather fewer people than is currently the case.

38. At present data such as lists of ‘friends’ and posts (both text and images) can either be shared with ‘friends’ or with the whole world. Additionally, information on which you can be searched: name, email address, phone number, can be restricted completely, or shared with ‘friends’, or with the whole world. There are more complex, fine-grained controls to add or remove people from sharing lists but they are complex to set up and will be used only exceptionally.

39. Where it gets rather complicated to understand is when people’s ‘friends’ have different settings. So, I might not share my own list of ‘friends’ but one of my ‘friends’ may share their list – and I will appear on that. Additionally, even when ‘friends’ lists are not shared, when you visit my page you will [be] told if we have any mutual ‘friends’.

40. Since, as explained above, a key aspect of monitoring a social network platform is to map the ‘social graph’ (who knows who) and thereby to find new people it might be worth collecting data about. Hence it’s clear that an individual who wanted to be invisible to strangers would not only have to carefully set all of their own sharing options but also cajole their ‘friends’ into checking their privacy settings as well.

41. Besides individual accounts Facebook also operates ‘groups’ where like-minded people can share posts. The posts made in these groups may or may not default to only being visible to group members – and membership of the group may or may not be restricted. It is of course possible to determine what the situation might be, but the likely audience of a particular post will not be immediately apparent at the time it is made – albeit it is possible to delete or restrict the visibility of old posts.

42. At present Facebook has a wide array of complex and sophisticated privacy controls – so complex and sophisticated that it is unlikely that most people select anything other than the most basic ‘share with the whole world’ or ‘share with the people in my list of friends’, although they may also pay some attention as to whether or not they want to be locatable by email address or phone number.

43. I have written ‘friend’ with quotation marks in my discussion above because on Facebook a ‘friend’ is someone who has asked to be added to your list of ‘friends’ and you have agreed to this. The decision to add may be based on actually knowing the person, or assuming that you do, or may just be based on them having an attractive photograph.

44. LinkedIn, the professional networking site is regularly reported to be overrun with fake profiles operated, it is said, by intelligence agencies – with the aim of establishing initial relationships which may then later be manipulated to the advantage of a foreign state.

45. The Associated Press wrote an article about the LinkedIn issue in June 2019 – it was only ‘news’ because it was claimed that the photo of the attractive female purporting to have the LinkedIn account was believed to have been computer generated: https://apnews.com/article/be2fl9097a4c4fffaa00de67708a60d.

46. I have received invitations from fake Facebook accounts myself – probably because they wanted to send me spam rather than because I am of any interest to an intelligence agency – and it [is] known that this is an issue that it is borderline impossible for Facebook to monitor and block without doing themselves significant commercial damage by making account creation too hard.

47. Thus, although I make some mention below about the possibility of informants infiltrating themselves into groups and asking to become your ‘friend’ it is also possible for people to be socially engineered into forming a ‘friend’ relationship with a completely non-existent person.”

28. Dr Clayton also considers the issue of the identification of Facebook users, through looking at their photographs, at §32 of his first report: “32. Facebook will ‘tag’ photographs of people with their identity – using an automated system for spotting facial similarities (with considerable assistance being given to the automation of Facebook being aware of all of the friends lists held on their system). This system may also provide hints of new people whose data may be of interest.”

29. Dr Clayton clarified in his oral evidence that the tagging of photographs has developed over time. He provided a supplementary letter, following his oral evidence to us, dated 10th June 2021, which was inserted into page [1465] CB, in which he states: “In my evidence I explained that my understanding was that facial recognition was automatically switched on, but I said that I had not checked this or conducted any tests. In response to a request passed on to me from Mr Thomann, I have now checked the position. In 2019 Facebook retired an old “privacy” setting (this is far from unusual) and offered users a new setting (which my earlier investigation showed is “on” for XX’s account). Facebook’s website contains useful information, and a video, about what this new setting does (and how they were drawing the attention of some of their users to the change): https://about.fb.com/news/2019/09/update-face-recognition/ and there is a more detailed list of what it does at https://www.facebook.com/help/122175507864081 The upshot is that at present it will be suggested to “friends” of XX that they tag him if he is recognised (viz: if the facial recognition technology flags a hit) in a picture that they post and XX will be told if he is recognised in any picture posted to a feed that he would be able (given relevant privacy settings) to view. I also think I mis-spoke in my evidence when I said that German regulators were concerned about the use of facial recognition by Facebook. The German regulators were very concerned about what Facebook was doing back in 2012, but in more recent times they do not seem to have expressed an opinion, albeit there are at present considerable concerns being expressed by NGOs and civil society groups in Germany about the use of facial recognition in a wide range of contexts.”

30. At this juncture we pause and turn to deal with the evidence from Facebook, on which Dr Clayton comments.

31. We do not recite the correspondence from Facebook Ireland dated 19th August 2020 and 22nd January 2021 at pages [1450] and [1454] CB respectively in full, as several of the answers simply refer to generic policies or refer to earlier answers. The format is to answer, in brief terms, the questions that were posed by the parties to this litigation, because of this Tribunal’s orders. Facebook Ireland, which is the corporate entity with legal accountability for providing Facebook services in the UK and the rest of Europe, does not regard itself as being bound by the Tribunal’s order, but has provided the answers to questions, “on a voluntary basis as a one-time goodwill gesture.” The parties’ questions and Facebook Ireland’s answers to them are set out below.

Facebook Ireland’s evidence

“(a) What is the process whereby a Facebook user’s personal account (hereafter “account”) is “deleted”?

Answer: A Facebook user can deactivate their account temporarily and choose to come back whenever they want. Or they can choose to permanently delete their account by taking the following steps:

1. Select “Settings & Privacy” and then “Settings” at the top right of their screen;

2. Click “Your Facebook Information” in the left column;

3. Click “Deactivation and Deletion”;

4. Choose “Permanently Delete Account”, then click “Continue to Account Deletion”; and

5. Click “Delete Account”, enter their password and then click “Continue”.

(b) What is the effect of such a deletion upon the storage of posts by the user a. on his own account and b. on the accounts of others who have reacted to (i.e. “liked”) and/or c. “shared” posts by the former account holder on their own personal accounts?

Answer: The effect of permanent deletion of a Facebook user account is as follows:

1. The user cannot reactivate their account.

2. Their profile, photos, posts, videos, and everything else the user added will be permanently deleted. The user will not be able to retrieve anything they have added.

3. The user will no longer be able to use Facebook Messenger.

4. The user will not be able to use Facebook Login for other apps they may have signed up for with their Facebook account, like Spotify or Pinterest. The user may need to contact the apps and websites to recover those accounts.

5. Some information, like messages the user sent to friends, may still be visible to those friends after the user deletes their account. Copies of messages the user has sent are stored in their friends’ inboxes. In addition, when a user chooses to delete something they shared on Facebook, we remove it from the site.

(c) Is such deletion permanent and/or “complete”?

Answer: Where a Facebook user chooses to delete their account, if it has been less than 30 days since the user initiated the deletion, they can cancel the account deletion. After 30 days, the user’s account and all their information will be permanently deleted, and they will not be able to retrieve their information. It may take up to 90 days from the beginning of the deletion process to delete all the things the user has posted. While Facebook is deleting this information, it is not accessible to other people using Facebook. Copies of the user’s information may remain after the 90 days in backup storage that Facebook uses to recover in the event of a disaster, software error, or other data loss event. Facebook may also keep user information for things like legal issues, terms violations, or harm prevention efforts. Some information, such as messaging history, isn't stored in the user’s account. This means their friends may still have access to messages the user sent after their account has been deleted. For more information, please see Facebook’s Data Policy (available at: https://www.facebook.com/policy.php).

(d) If not, what, if any, “digital footprint” is left by a personal account following deletion?

Answer: Please see the answers to questions (b) and (c) above.

(f) Is there any distinction in this respect between the posts of an individual which were made available to the public generally and/or those only shared with specific individuals?

Answer: The meaning of this question is unclear. However, the Facebook user information which is always included on their public profile, to the extent provided by the user, includes age range, language, country, name, gender, username and user ID (account number), profile picture, cover photo and networks.

(l) Are you aware whether the Iranian authorities have the capacity or ability to access a Facebook account/content once it has been closed down/deleted?

Answer: This question relates to the capabilities of a third party (the “Iranian authorities”) and therefore Facebook Ireland Limited is not in a position to answer.

(m) Are you aware whether the Iranian authorities hold copies of Facebook data e.g. by screen prints/captures or otherwise?

Answer: This question relates to the actions of a third party (the “Iranian authorities”) and therefore Facebook Ireland Limited is not in a position to answer.

(n) Which third parties other than Facebook, if any, store personal account data following the deletion of an account?

Answer: This question relates to the actions of third parties and therefore Facebook Ireland Limited is not in a position to answer.

(o) Does Facebook receive requests from the Iranian authorities for data concerning individual users (1) prior to and/or (2) after the deletion of their accounts?

Answer: Facebook has received requests from Iranian authorities for Facebook user data. There were a total of four such requests between July and December 2019.

(p) If so, how does Facebook respond to those?

Answer: Facebook responds to government requests for data in accordance with applicable law and our Terms of Service. For further information see Facebook’s Transparency Report in respect of Iran: https://transparency.facebook.com/government-data-requests/country/IR”

32. In their letter of 22nd January 2021, Facebook Ireland states:

“In response to questions 5(b) and (c), you state that a user’s information, once deleted, may remain after 90 days in backup storage that Facebook uses to recover in the event of disaster, software error, or other data loss event. (a) Can you confirm whether such backup storage is made available to state authorities upon request, and if so what conditions attach to such provision?

Facebook Ireland will search for and disclose data that is specified with particularity in an appropriate form of legal process and which we are reasonably able to locate and retrieve. However, Facebook Ireland does not retain data for law enforcement purposes unless we receive a valid preservation request before a user has deleted that content from our service. Formal preservation requests can be submitted by law enforcement through Facebook’s Law Enforcement Online Request System, or via post (Facebook Law Enforcement Guidelines). As for “conditions” attaching to provision of data to law enforcement authorities, please see the answer to question (g) below. Please also see the answer to question (e) below regarding emergency requests from law enforcement authorities.

In response to question 5(e), it is accepted that the information as to Facebook’s awareness of historic “screen shots” being stored and/or distributed by companies linked to Facebook and/or others relates to third parties. (b) Can you nonetheless confirm whether Facebook Ireland Limited is aware of such storage and distribution by companies linked to it, and/or others?

Facebook Ireland reiterates that this question relates to the actions of third parties. Facebook Ireland has no control over this process and is therefore unable to answer this question.

In response to question 5(i), it is accepted that the information as to Facebook’s awareness of the Iranian authorities’ capacity or ability to access a Facebook account/content once it has been closed down/deleted relates to the capabilities of third parties. (c) Can you nonetheless confirm whether Facebook Ireland Limited is aware of such a capability?

Facebook Ireland is not aware of the Iranian authorities being able to access a Facebook account on the Facebook service once the account has been permanently deleted. Facebook Ireland reiterates that it does not provide governments with direct access or “back doors” to people’s information (see Our Continuing Commitment to Transparency).

(d) Can you confirm whether Facebook Ireland Limited is aware of any third parties storing personal account data following the deletion of an account?

This question is broad and vague, and Facebook Ireland is unable to speak to the actions of unnamed third parties. However, before permanent deletion of a Facebook account, users can avail themselves of the “Download Your Information” tool to obtain a copy of their Facebook information. A user can download all of the available categories of information at once, or can select specific categories and date ranges.

In response to questions (o) and (p), it is noted that Facebook has received requests from the Iranian authorities for Facebook user data, and that there were a total of four such requests between July and December 2019. (e) Can you confirm what the category “Legal Process Request” encompasses?

“Legal Process Requests” include requests for user data that are accompanied by formal compulsory legal process, like a search warrant, subpoena, production order and similar instruments (see Facebook’s Transparency Reports). “Legal Process Requests” do not include “Emergency Requests”. In emergencies, law enforcement may submit requests without legal process. Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good faith reason to believe that the matter involves imminent risk of serious physical injury or death. Since 2013 Facebook publishes biannual Transparency Reports concerning government authorities’ requests for user data. These Reports set out, for both Legal Process Requests and Emergency Requests, the number of requests received, the number of user/accounts requested, and the percentage of requests where Facebook produced some data.

(f) Can you confirm whether the information provided by Facebook Ireland Limited on request includes material in respect of accounts which the user has deleted?

Facebook will search for and disclose data that is specified with particularity in an appropriate form of legal process and which we are reasonably able to locate and retrieve. However, Facebook does not retain data for law enforcement purposes unless we receive a valid preservation request before a user has deleted that content from our service. Formal preservation requests can be submitted by law enforcement through Facebook’s Law Enforcement Online Request System, or via post (Facebook Law Enforcement Guidelines). Facebook discloses account records solely in accordance with our terms of service and applicable law. A Mutual Legal Assistance Treaty request or letter rogatory may be required to compel the disclosure of the contents of an account.

I note the following statement: When something on Facebook or Instagram is reported to us as violating local law, but doesn’t go against our Community Standards, we may restrict the content’s availability in the country where it is alleged to be illegal. (g) Can you confirm the types of proceedings with respect to which Facebook Ireland Limited has responded favourably to requests for data and/or any criteria applied?

As mentioned in Facebook’s Data Policy, we comply with government requests for user information only where we have a good-faith belief that the law requires us to do so. In addition, we assess whether a request is consistent with internationally recognized standards on human rights, including due process, privacy, free expression and the rule of law. We scrutinize every government request we receive to make sure it is legally valid, no matter which government makes the request. When we do comply, we produce only information that is narrowly tailored to respond to that request. If we determine that a government request is deficient, we push back and engage governments to address any apparent deficiencies. Where appropriate, we will legally challenge deficient requests. A Mutual Legal Assistance Treaty request or letter rogatory may be required to compel the disclosure of the contents of an account (see Our Continuing Commitment to Transparency). As noted in the answer to question (e) above, since 2013 Facebook publishes biannual Transparency Reports concerning government authorities’ requests for user data.

(h) Can you confirm what, if any, criteria are applied by Facebook to determine whether local laws alleged to be violated comply with its Community Standards?

Facebook has developed a set of Community Standards that outline what is and is not allowed on Facebook. The criteria used to assess content on Facebook’s platform against the Community Standards are described at length in Facebook’s Community Standards and Community Standards Enforcement Report. Please also see Facebook’s news room post at: https://about.fb.com/news/2018/04/comprehensive-community-standards/. When governments believe that something on the internet violates their laws, they may contact companies like Facebook and ask us to restrict access to that content.
Similarly, we may receive orders to restrict content from courts in the countries where we provide service, or requests from non-government entities, such as members of the Facebook community, NGOs and charities. If, after careful legal review, we determine that the content is illegal under local law, then we make it unavailable in the relevant country or territory. To learn more about the information Facebook restricts due to local laws, please review ou r Transparency Report – in particular under the heading “ Content Restrictions Based on Local Law ”

33. Dr Clayton agrees with the accuracy of Facebook Ireland’s comments, to which he has added his own, at §§49 to 51 of his first report (pages [176] to [177] CB).

“Deletion of Facebook accounts

49. Facebook are of course unable to cause data which has already been collected by a third party to be removed from such third party systems.

50. In particular, such engines are permitted to fetch information from many Facebook pages (there is a fairly obscure privacy setting for determining whether this is allowed for your own pages) and these search engines generally keep a ‘cached’ copy of the page for a period of time.

51. Thus although Facebook removes a deleted account immediately it may be possible to find some of the information about the account in a search engine cache. It is then relevant to note Facebook’s explanation about images being stored on content delivery networks for some time after the deletion of the account. Essentially it is too expensive for Facebook to proactively remove this material so they leave it to age out and be discarded. Hence, the cached material at the search engine may display with the original images.”

34. Facebook users can set up a variety of “privacy” settings, but these are typically complex in nature. As a result, people tend either to have their account privacy setting as entirely “public,” or to have posts shared with their “friends”, because these are default settings set by Facebook and do not require adjustment by the user. However, Dr Clayton’s view is that it is to misunderstand Facebook to think that merely because there is a privacy setting limited to friends, that only those friends can view the material posted by an individual user. Access also depends on the privacy settings of those friends.

35. Dr Clayton adds that even after a Facebook account is deleted, which can be an irrevocable step, there is a delay, during which data which has been “cached” on internet search engines (like Google), which use “crawler software,” may still be accessible for a period. Dr Clayton could not give a confirmed view as to how long any Facebook data was likely to be on a cache on a search engine as he had never done an experiment, but it was generally held for at least a few days after deletion, but it could be for a longer period.

36. He also points out that a person’s closure of their Facebook account will not affect data that has already been accessed and saved locally by a third party. In his experience, data monitoring, as opposed to ad hoc browsing, is not a “real-time” activity. Monitoring involves collection of data at scale, which is obtained and stored “just in case” and analysed later (§24 of his first report at page [174] CB). Dr Clayton continues, at pages [178] to [179] CB: “

64. I have been provided with the decisions from various immigration hearings and appeals which are relevant to the topics I have been asked to provide an expert opinion on. These decisions, and to a certain extent the questions I have been asked to address, show a rather old-fashioned view of social network monitoring.

65. The imagined scenario seems to be that someone arrives at the Iranian border, they reveal that they have a Facebook account and the immigration officer looks at the account and concludes that they have a dangerous subversive in front of them, marches them off to jail and throws away the key.

66. To counter this, it is suggested, the Facebook account should be deleted before the repatriation flight takes off – or more subtly, since duress might cause it to be resurrected, it should be deleted many weeks earlier in anticipation of travel.

67. The modern approach to monitoring, by any regime which sees value in collecting information about its opponents, would be to proactively scoop up any and all information from social networks that it can. There is of course a limit to quite how much data can be collected – monitoring a billion people would be unrealistic, but several tens of millions entirely plausible.

68. The first issue then, when someone arrives at the border, is the effectiveness of the search function – can social media posts be rapidly located and triaged sufficiently well by automated systems to ensure that human interrogators do not waste their valuable time on irrelevancies. In my view, an effective system is well within the capabilities of a country such as Iran.

69. The second issue is the extent to which the material that has been posted by the traveller, and the relationships that they have with people that the regime considers relevant, has been kept sufficiently private that it was never available to be scooped up by the monitoring systems.

70. As I indicated in the section discussing privacy controls, it is possible to set some very fine-grained controls – but most people will go for a broad-brush approach, perhaps choosing to share only with friends. However, since ‘friend’ is in practice ‘random person who once made a request to me’ it would only be the most paranoid of people whose friends consistently [sic] solely of highly trusted confidantes.

71. To summarise the conclusion, social networks are built so that people will share information about themselves. It is unrealistic, this decade, to suppose that anyone who has shared information has managed to keep that information out of the hands of regimes who view them as enemies.”

37. As Dr Clayton reflects, it is not realistic to suppose that closure and deletion of a Facebook account by the time someone arrives at Tehran airport will mitigate any risk to the account user if they have been the target of focussed monitoring. In that case, it is likely to have happened substantially before their return.

38. Dr Clayton explains how information on a person’s Facebook account could be monitored. Crucially, both he and Mr Marchant agree that there is no evidence that Facebook’s website and storage facilities themselves have been accessed illicitly or “hacked,” or that Facebook data can generally be accessed on a bulk, automated basis through “crawler” searches.

39. Instead, access to someone’s Facebook data can be obtained, to varying degrees, by one of three means, all of which are on a targeted basis. First, if a Facebook account has been set as fully public, any Facebook user can search their posts, friends, and some biographical data (as opposed to all their Facebook activity), although their data cannot be “scraped” in the same way as using the “Download Your Information” or “DYI” tool, which must be done by the account holder.

40. Second, if a person’s Facebook account has various privacy settings, preventing a search of their posts, a person wanting to know more about them could send them a “friend” request, using fake details. If accepted, the third party may look through their posts and contacts in the same way as in the first scenario.

41. Third, if a person carrying out surveillance can find out a target’s account name and password, they can download a very wide range of the target’s Facebook data, in a matter of minutes, on to a separate file, using the DYI tool.

42. Dr Clayton goes on to explain how someone’s personal data, including their Facebook password, can be accessed without their consent – how they (as opposed to Facebook) can be “hacked.”

43. A common way is by “phishing,” whereby a target is sent an email encouraging them either to reveal personal information (such as date of birth, often connected with passwords), or even worse, to open a computer program which then allows the information on their computer to be accessed, including their passwords. Software might, for example, take the form of a “keystroke logger,” which logs what is being typed. It then transmits that information, which may include passwords, to the person carrying out the surveillance. The success or otherwise of phishing attempts depends on how targeted they are. Recent research by PayPal indicates that in a clumsy attempt, as few as 10% are successful. In more targeted attempts, called “spear phishing,” the success rate can be as high as 90%. For example, if the recipient of a phishing email sees that the standard of written English is noticeably poor, they are more likely to be alerted to the attack, and not to respond to it. In contrast, if a phishing attack is successful, it is not uncommon for the attackers to send out emails from the victim’s email address to their friends or associates in their list of email contacts.

44. Dr Clayton also discusses how large amounts of data can be extracted swiftly by means of automated software – so-called “scraping.” Some websites allow scraping through “web crawler” software, which may download large amounts of data on an automated basis, often for indexing purposes (internet search engines such as Google use crawler software). Facebook does not allow crawler access to the full range of users’ data. At §§53 to 56, Dr Clayton deals with the situation of the Cambridge Analytica scandal, involving Facebook, where there was an attempt at automated data extraction (page [177] CB):

“53. The Cambridge Analytica scandal involved an app, which was installed by several hundred thousand willing participants from 2013 onwards, who answered survey questions to build psychological profiles. Behind the scenes, without permission, the app used a standard Facebook mechanism to collect the personal data of the friends of the people who had installed the app. This data was subsequently used for political advertising.

54. When this came to light in early 2018 Facebook removed the mechanism and gave the impression that this type of sharing was now a thing of the past, not least because they had to pay substantial fines imposed by various regulators.

55. However, an investigation by the New York Times in December 2018 found that Facebook had been sharing personal data, under various arrangements over various timeframes up to around 2017, with over 150 companies – namely for those companies to personalise the information (and adverts) which they served up to their customers. https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html

56. There has been no public statement that I can locate that says that Cambridge Analytica app was the only (ab)user of the Facebook data retrieval mechanism, and although many of the 150+ companies with which Facebook shared data were well-known US corporations, one was Yandex, the Russian Internet services company. So, although it seems unlikely that large amounts of personal data were made available to the Iranian regime by means of the mechanisms I have just described, it cannot be entirely ruled out.”

45. Because Facebook does not generally allow crawler software to “scrape” data, Cambridge Analytica had to extract the data by other means.

46. While Dr Clayton has posited the possibility that other commercial organisations may have access to Facebook data on a bulk basis, he does not suggest that Facebook has provided such data to the Iranian authorities. Indeed, Facebook’s response, already referred to, at Answer 5(o) above, indicates their replies to four specific information requests from the Iranian government in a six-month period in 2019. Facebook also deploys considerable resources to trying to stop crawler access.

47. How then could data extraction from Facebook be automated? Dr Clayton identifies DYI as one possible way, but that needs to be on a user-by-user basis. Automated attacks are likely to face two difficulties, even assuming someone’s Facebook account name and password have been obtained.

48. The first difficulty is that Facebook tries to monitor and stop unusual “scraping” activity, such as large numbers of connected users using the DYI tool, from the same IP address or networked computer. Dr Clayton is not able to comment on the level of activity that would prompt intervention. It is likely to be something of a “cat and mouse” game between Facebook and those attempting to “scrape” data. One way of trying to avoid detection is to use multiple IP addresses either from single or multiple computers, to spread the requests over several different locations and carry out “scraping” over a period, for example, over weeks. Dr Clayton personally has experience of using multiple IP addresses, which is inexpensive and easy for a government or computer laboratory such as his. Although the DYI process or “scraping” can be carried out in moments, in reality, Facebook’s interventions stop or slow down any attempts at “scraping”.

49. The second difficulty, assuming that Facebook passwords have been obtained en masse, is knowing whom to target and what to look for. Given the number of Facebook users, unless parameters are put on an attempt at “scraping”, by reason of the nature of social connections, those monitoring could rapidly end up trying to “scrape” the data of all Facebook users, namely over two billion people, which would clearly be impractical even for a government with dedicated surveillance resources, such as the Iranian authorities.

50. Dr Clayton’s opinion is that human input is needed to consider where to look for the proverbial needle in the haystack. Using his experience of hacking (lawfully) and observing criminal gangs on other social networks, any necessary focus is dependent on what is termed the “social graph,” or how networks of people may be related, and their relative importance. Dr Clayton gives the example of a group of friends who are in regular contact, with one person more on the periphery, with fewer interactions. They may attract less risk of being monitored. Human intervention is more costly than purely automated computer programs, but even with relatively limited resources, Dr Clayton’s team at Cambridge has “scraped” the data of around 10 million messages from a criminal gang who were using a supposedly encrypted chat channel called “Telegram.”

51. Separately, Dr Clayton describes ways of covertly monitoring people’s internet use at §§57 to 63 of his report, (pages [177] to [178] CB), although these comments do not directly relate to the ability of the Iranian government to obtain a person’s Facebook password. He refers to “deep packet inspection” and “man in the middle” attacks:

“57. I have been asked to comment on the use of Deep Packet Inspection (DPI) for Internet monitoring.

58. The Internet is a packet-based system and the header of every packet gives the IP address of the destination for the packet, the IP address to which responses should be returned and an indication of the protocol that is in use. This information, which is relatively trivial to collect, can be used to identify the systems, and services being contacted by any user whose traffic is being monitored.

59. A DPI device considers the contents of the packets with a view to determining more detailed information about the communication. Thus, it is possible to pick out which particular web page is being visited, not just which website, or it is possible to scan traffic to see if there are any mentions, for example, of the name of an exiled opposition leader.

60. DPI is ineffective when communications are encrypted but there are still a great many websites on the Internet which do not use encryption. Additionally, it is possible to use a man-in-the-middle attack to view encrypted traffic. Essentially, each end of the communication has an encrypted link to the intervening node, which decrypts the traffic and then re-encrypts it for the second part of the journey – having had the opportunity to inspect it ‘in the clear’ as it passed by.

61. The technical defence against man-in-the-middle attacks is to use security certificates issued by trusted third parties. However, if the third party can be compromised and issues fake certificates then man-in-the-middle attacks can be made to work.

62. The classical example of this type of compromise was in August 2012 when the Dutch certificate issuing company DigiNotar was compromised and a number of fake certificates for email services and for google.com were issued. Investigations found that the main target of the attack was 300,000 Iranian gmail users and it is widely believed that the Iranian government was complicit in the compromise of DigiNotar.

63. Returning to DPI specifically – in the current context, this is a technology which is suitable for identifying traffic on a particular network which is worth further investigation. Deploying it on the Iranian Internet would therefore allow the authorities to identify users to add to a watch list, or websites elsewhere in the world which might be blocked, or a list made of those who visited them. As such this is a technology which is more relevant to building watch lists than in day-to-day monitoring social network use.”

52. In his supplemental letter of 14th April 2021, page [180] CB, Dr Clayton refers to two reports. The first is a report, “Computer Crime in Iran: Risky Online Behaviour” published by a campaigning group called “Article 19” in 2015, where at internal page [23], the report describes the claim of a person interrogated on his return to Iran, who was confronted with material he had posted on Facebook. The report suggests that there might be several reasons (not specified) why information is more publicly available than a Facebook user might intend or be aware. Dr Clayton refers to this as evidence of the likely interest of the Iranian authorities in scraping data.

53. Second, he refers to Guarnieri and Anderson’s report, “Iran and the Soft War for Internet Dominance” to which we now turn. The report gives specific detail of successful phishing attacks. It outlines that, in response to technology attacks upon itself, the Iranian state has actively attacked other companies, organisations and individuals. The authors are careful to qualify the state’s capabilities, (page [576] CB): “While Iran maintains strong technical universities and an extraordinarily active defacement community, the country has not invested in its capacity for internet-based espionage to the same degree as its traditional geopolitical rivals and is less able to seek capabilities abroad from companies … due to its pariah status.”

54. Nevertheless, the report goes on to detail Iranian “intrusion” efforts over a three-year observation period from 2014 to 2016 (page [578] CB). The authors go into a great level of detail about some of the attacks they discuss, and they explain that this detail is needed to attribute the attack to the Iranian state, because of the use of proxies and the opaque nature of the activities. When an attack is discovered and/or publicised, attacks may be paused, or operations swiftly closed down. As a result, it may be difficult to construct a cogent narrative of specific state actors. However, by focussing on specific attacks, a pattern can be discerned. Attacks in some cases can be attributed, based on Iranian working patterns. For example, various attacks have paused during Iranian public holidays, when Iranian civil servants are not working, such as Nowruz, the Iranian new year.

55. The authors discuss four attacks, in the period from 2010 to 2016, the first called “Infy” (page [579] CB), which targeted BBC Persian and other journalists with PowerPoint presentations. The presentations contained software which recorded keystrokes and transmitted them to the attacker’s account, to steal credentials for social media and email accounts (page [588] CB).

56. The second attack used software called “Ghambar,” used by a group called “Cleaver” until at least June 2016 and included religious minorities as targets. The software included a keystroke logger and allowed the hacker to take control of infected computers; take screen shots; disable keyboards; and lock out users.

57. The third attack was named “Rocket Kitten,” beginning in April 2014, which made phishing attacks on Israeli academic institutions, and used the compromised website of a British quilting society. It also compromised the accounts of Telegram users and collated the telephone numbers of some 15 million Iranian Telegram users within Iran. The same Iranian proxy group was said to have used a method whereby they successfully obtained a person’s Facebook password, by unknown means, and on an unspecified scale; downloaded their Facebook “DYI;” changed the email address linked to the Facebook account; impersonated the victim and then approached their contacts.

58. Finally, the authors describe a proxy attack called “Sima,” in February 2016, which lasted for a relatively brief period until March 2016, when publicity resulted in it being shut down, where entire personas were generated, with false biographical details and their own websites, using “bait” documents relevant to their victims, such as a real report published by Human Rights Watch. The authors conclude that at least 21 people were compromised in that attack.

Mr Marchant’s evidence

59. Mr Marchant does not claim to be a computer expert. His expertise is as the director of research of a campaigning and advocacy organisation for the rights of those wishing to publish social media material, without hindrance, in Iran and the wider Middle East. Consequently, he has practical experience of reviewing, over many years, publicly available material and reports about the Iranian authorities’ attempts to control and limit such freedoms, and the social media trends in Iran and the Iranian diaspora. He has been able to synthesise a large range of public reports in relation to the motives of the Iranian regime, on which he comments in his report. His organisation, Small Media, has also conducted some interviews with individual Iranians, notably members of the LGBTQI+ community, albeit on a limited scale. Mr Marchant is clear that he does not have any access to classified information, nor does he hold any security clearance.

60. In his two reports, the first of which is undated but can be no earlier than 2020, because of its references, at pages [147] to [168] CB; and a supplementary report dated 12th April 2021 at pages [169] to [171] CB, he deals with evidence of the Iranian authorities’ motivation in seeking to control social media.

61. In his view, the Iranian state perceives all “on-line” activity as a threat to the Iranian state, prompting it to devote significant resources, over an extended period, to develop its own internet or “National Information Network” (“NIN”). Mr Marchant accepts in oral evidence that in its early stages, particularly around 2009, NIN was regarded as something of a joke; and that Iranian government announcements as to when NIN will be complete have shifted from one year to the next. Despite this, he refers to reports of the Iranian state’s capabilities as being extensive, with global reach. He reflects on reports in 2003, that the Iranian state had already filtered 10,000 websites, to prevent them from being accessed by those in Iran, although the BBC report cited for that proposition does not identify its sources. We accept, nevertheless, his analysis that the Iranian state either attempts to block entirely or produce what are called “forked” versions of social media channels (independently built versions of those channels, using their computer code, but modified, which can allow any activity on those channels to be monitored).

62. The Iranian state’s technological attempts are in tandem with its restrictive domestic legislation, notably a 2011 computer crimes law, which has since been criticised as a restriction on freedom of expression by the UN Special Rapporteur.

63. Mr Marchant refers in his initial report, at page [153] CB, to a “military” exercise launched by the Iranian Revolutionary Guard Corps (“IRGC”), named “Eghtedare Sarallah” in 2015, in which the Iranian state claimed to have monitored the accounts of 8 million Iranian Facebook users, but without any other verification of that claim. Nevertheless, there is a consistency in at least the scale of the claims, with the establishment of an Iranian “Cyber Police” called “FATA,” who boasted of recruiting 42,000 volunteers between 2014 and December 2018. Mr Marchant was careful to note that the veracity of the figures could not be confirmed (page [154] CB) and he is unable to comment on the recruitment criteria or process for such volunteers.

64. Mr Marchant is, however, able to comment with direct experience on the model of control of high risk and politically sensitive groups, specifically a survey by Small Media in 2018 of 26 LGBTQI+ Iranian interviewees, one in five of whom reported attempts to entrap them by state agencies.

65. Mr Marchant also refers in his report, at page [154] CB, to the IRGC announcing in May 2016 that they had arrested 170 people who had posted material on Instagram relating to fashion and design; and in 2018, FATA contacting high profile female Instagram bloggers, requiring them to remove content in which they did not wear the legally mandated hijab. Whilst Mr Marchant refers to the Iranian state buying telecommunications network equipment from a Chinese company, ZTE in 2012 (page [155] CB), which is capable of monitoring communications on the network, according to a former project manager of ZTE, Mr Marchant also accepts that there is no clear evidence that Iran has implemented facial recognition technology, to monitor citizens. He is not able to comment in detail on how ZTE surveillance equipment might work.

66. Mr Marchant also refers to a report by the “Centre for Human Rights in Iran” of May 2019, when software was said to be used to target minority groups both within and outside Iran, to gather private information. The minority groups were identified as including Gonabadi Dervishes; Azeri dissidents; women’s rights activists; and student activists.

67. Mr Marchant refers at page [157] CB to a report by “Comparitech” in March 2020 that the use of a “forked” version of Telegram was said to have resulted in data from 42 million Iranian Telegram users being leaked online. He also refers to BBC Persian journalists being targeted (page [158] CB), with 157 individuals having their assets in Iran frozen; and a Canadian Iranian technologist who returned to Iran in January 2020 having his telephone, laptop and other information confiscated and being forced by the IRGC to hand over his passwords for his email and social media accounts. This is said to be one of the few occasions of an individual victim speaking openly of being intimidated into spying on the diaspora community, although the method of spying, and whether such spying activity had taken place, were not specified. Mr Marchant fairly accepts in oral evidence that other than the Comparitech report, no other claimed mass leaks of diaspora data have been reported, and even that leak cannot be verified.

68. Mr Marchant agrees that while the proportion of Facebook users in Iran may be declining, it remains important to the Iranian diaspora community. He also accepts, as a fair characterisation, the Iranian state’s twin approach of targeting individuals; and intimidating the wider diaspora with boasts of activities. The dual approach is necessary as actual, targeted attacks are labour intensive, but he adds that no one to whom he has spoken is blasé about the increasing sophistication of attacks and the nearing to fruition of the NIN project. In the latter case, he gives the specific example, in 2019, of the Iranian state having shut down access to large parts of the internet, in response to public demonstrations, but the Iranian banking system still functioned. He also accepts that Facebook attempts to stop mass DYI downloads and data-scraping; and that state access to Facebook data can only be obtained by open requests (the “Legal Process Request procedure”, referred to by Facebook in their answers), or by user consent, whether extorted or otherwise.
