Iran Recording Laws: Privacy Rules and Penalties (2026)

How Iran Approaches Recording and Surveillance

Iran does not have a recording consent framework in the way that Western legal systems define one. There is no statute that spells out whether one party or all parties must agree before a conversation can be recorded. Instead, Iranian law addresses recording through a patchwork of constitutional provisions, penal code articles, and a 2009 cybercrime statute that together create a general prohibition on unauthorized interception.

The practical reality in Iran is dominated by a stark contradiction. On paper, the constitution forbids surveillance and protects the privacy of communications. In practice, the state operates a sophisticated and well-documented surveillance apparatus that monitors phone calls, internet traffic, and mobile device activity on a massive scale, often without judicial oversight.

For ordinary citizens, the legal landscape means that recording someone without their knowledge carries criminal risk. For those concerned about being recorded, the far greater threat comes not from private individuals but from state agencies with broad and largely unchecked monitoring powers.

Constitutional Protections: Article 25

The Constitution of the Islamic Republic of Iran contains a privacy provision that, read on its own, sounds like one of the strongest communications protections in the Middle East.

Article 25 states that the examination, non-delivery, recording, and disclosure of telephone conversations, telegraphic and telex communications, censorship, and "any kind of investigation" are all forbidden unless ordered by law. The language covers virtually every form of communication that existed when the constitution was drafted in 1979.

Article 22 adds that the "dignity, life, property, rights, residence, and occupation of the individual are inviolate, except in cases sanctioned by law." Together, Articles 22 and 25 establish that Iranians have a constitutional right to private communications and that the government cannot lawfully intrude without specific legal authorization.

The critical qualifier is the phrase "except as provided by law." Iranian courts and security agencies have interpreted this exception broadly, treating national security and public order concerns as sufficient legal basis for surveillance activities that would otherwise violate Article 25.

Islamic Penal Code Article 582: Officials Who Record Illegally

What Article 582 Prohibits

Article 582 of the Islamic Penal Code specifically targets government employees and state officials who intercept private communications outside the bounds of what the law permits. The article states:

If any state official or civil servant, in cases other than those permitted by law, opens, seizes, destroys, inspects, records, or intercepts the letter, telegraph, or telephone communications of people, or discloses their contents without their owners' permission, that official shall be sentenced to one to three years' imprisonment or a fine of six to eighteen million rials.

The article covers a wide range of acts: opening physical mail, seizing correspondence, destroying letters, recording phone calls, and disclosing the contents of any intercepted communication. It applies exclusively to people acting in an official government capacity.

Penalties Under Article 582

A state official convicted under Article 582 faces:

• One to three years in prison, or
• A fine of six to eighteen million rials (roughly USD $14 to $43 at current unofficial exchange rates)

The court chooses between imprisonment and a fine. There is no provision for imposing both penalties simultaneously.

The Enforcement Problem

Article 582 was designed to prevent government overreach. In practice, enforcement is rare. Iranian security agencies, including the Ministry of Intelligence and the Islamic Revolutionary Guard Corps (IRGC), conduct surveillance operations that would clearly fall within the scope of Article 582, but prosecutions of officials for illegal wiretapping are virtually nonexistent.

The provision serves more as a theoretical check on power than as an active restraint on state behavior. When the government characterizes surveillance as necessary for national security or public order, the "cases permitted by law" exception in Article 582 effectively swallows the rule.

Computer Crimes Law of 2009: Digital and Telecom Interception

Overview of the Law

Iran's Computer Crimes Law (Law No. 71063), approved by parliament in January 2009 and effective that June, is the primary statute governing electronic surveillance and digital privacy. The law contains 55 sections organized across five parts and has been incorporated into the broader Islamic Penal Code.

Chapter 1 of the law addresses crimes against the confidentiality of data and computer and telecommunications systems. It establishes three categories of offense: unauthorized access, unauthorized interception, and computer espionage.

Article 2: Unauthorized Interception

The unauthorized interception provision criminalizes eavesdropping on the content of non-public communications transmitted through computer systems, telecommunication systems, electromagnetic waves, or optical waves. The law does not require that the interceptor be a government official. Private citizens who illegally intercept electronic or telecommunications content face the same penalties.

The penalty for unauthorized interception is six months to two years in prison or a fine. Some Iranian legal sources cite the fine range as five to twenty million rials, though the exact amount depends on judicial interpretation and periodic legislative adjustments.

Article 21: ISP Data Retention Mandates

Article 21 takes a different approach from the interception prohibition. Rather than restricting surveillance, it requires it. The article mandates that internet service providers retain records of internet traffic data and the personal information of their users. ISPs must store this data and make it available to authorities upon request.

The retention requirement has no specified time limit in the original statute. In practice, Iranian ISPs retain data for extended periods to remain in compliance with CRA directives.

Article 48: VoIP Recording Requirements

Article 48 goes further than the data retention mandate. It requires ISPs to record data from telephone conversations conducted over the internet, meaning Voice over Internet Protocol (VoIP) calls. This provision effectively mandates the capture of content, not just metadata, from internet-based phone calls.

The combination of Articles 21 and 48 creates a legal obligation for private telecommunications companies to function as extensions of the state surveillance system. ISPs that fail to comply face penalties and risk losing their operating licenses.

Other Relevant Provisions

Article 12 addresses computer data theft, carrying penalties of one to twenty million rials in fines if the data owner retains a copy, or 92 days to one year in prison if the data is removed.

The Cyber Crime Act also penalizes unauthorized disclosure of personal information. Publishing another person's images, sounds, or personal secrets without consent carries imprisonment of 61 days to six months or a fine of one to ten million rials.

The SIAM Platform: State Surveillance Infrastructure

What SIAM Is

In 2022, leaked internal documents from Iranian telecom carrier Ariantel revealed the existence of a surveillance platform called SIAM (Subscriber Identity and Activity Monitoring). Researchers at the Citizen Lab at the University of Toronto subsequently published a detailed analysis of the system in January 2023.

SIAM is a web-based program operated by the Communications Regulatory Authority (CRA) that provides direct access to the cellular networks of Iranian mobile operators. The system has approximately 40 distinct surveillance and control functions.

What SIAM Can Do

The platform gives the CRA the ability to:

• Track locations of individual phones or groups of phones by identifying which cell towers they connect to
• Pull call detail records (CDRs) showing who called whom, when, for how long, and from where
• Access internet session logs revealing websites visited and applications used
• Read SMS message content and metadata
• Force network downgrades that push phones from 4G or 3G down to 2G, which makes data connections nearly unusable and exposes voice calls to easier interception because 2G encryption is weak
• Block or redirect calls and manipulate call forwarding settings
• Throttle or block specific applications such as WhatsApp, Telegram, or social media platforms
• Suspend service entirely for targeted phone numbers

No Warrant Required

The leaked documents and subsequent analysis found no mention of judicial warrants, court orders, or oversight mechanisms governing the use of SIAM. The CRA's access is direct and does not appear to require authorization from any judicial body.

All Iranian telecom operators are required to provide the CRA with direct access to their systems for querying customer information and modifying services through web service APIs. This requirement operates outside the framework of lawful intercept standards developed by international bodies like 3GPP and ETSI, which typically mandate judicial oversight.

Additional Surveillance Components

SIAM is part of a broader surveillance ecosystem that includes:

• SHAHKAR: A national database of all mobile subscriber information that prevents unregistered SIM card use
• SHAMSA: A bulk collection system for call detail records and IP detail records
• LI (Legal Intercept) System: A real-time API integration with mobile providers for conducting surveillance

Phone Call Recording: Legal Risks for Individuals

No Formal Consent Framework

Iran does not have a statute that establishes a one-party or all-party consent rule for phone call recording. The legality of recording a phone call depends on how courts apply the general prohibition on interception found in the Computer Crimes Law and the constitutional privacy protections of Article 25.

In the absence of a specific consent framework, the safest legal interpretation is that recording a phone call without the knowledge and agreement of the other party is unlawful. Article 25 of the Constitution prohibits the recording and disclosure of telephone conversations as a general rule, and the Computer Crimes Law criminalizes interception of telecommunications content.

Penalties for Unauthorized Phone Recording

A private citizen who records a phone call without authorization could face:

• Six months to two years in prison under the Computer Crimes Law's unauthorized interception provision
• 61 days to six months in prison or a fine of one to ten million rials under the disclosure provisions if the recording is shared

A government official who records phone calls outside legal authorization faces:

• One to three years in prison or a fine of six to eighteen million rials under Islamic Penal Code Article 582

Evidence Admissibility

Iranian law does not have a clearly codified exclusionary rule comparable to the Fourth Amendment framework in the United States. Courts have discretion in evaluating the admissibility of evidence, and the legal system operates under Islamic jurisprudence principles that give judges significant latitude.

Recordings obtained through unauthorized means may be challenged on the basis that they violate Article 25 of the Constitution. However, Iranian courts have not developed a consistent body of case law establishing firm rules on whether illegally obtained recordings are automatically excluded from proceedings.

In-Person Recording

General Prohibition

The same legal principles that govern phone recording apply to in-person conversations, though with less statutory specificity. Article 25 of the Constitution references telephone, telegraphic, and telex communications but does not explicitly mention face-to-face recording. The Computer Crimes Law focuses on electronic and telecommunications interception.

In-person recording falls into a legal gray area. The constitutional privacy protections of Articles 22 and 25 provide a basis for arguing that secret recording of any private conversation is unlawful. The Cyber Crime Act's provisions on unauthorized disclosure of personal sounds and images would apply if an in-person recording were distributed.

Private vs. Public Settings

Iranian law does not draw a clear statutory line between recording in private and public spaces, unlike many Western legal systems. The general principle under Article 22 of the Constitution is that personal dignity and rights are inviolable, which courts could apply to recording in either setting.

The absence of specific public-space recording legislation means that police and prosecutors have wide discretion in deciding whether to pursue charges related to in-person recording. Context matters: recording a private meeting without consent carries more legal risk than filming a public street scene.

Workplace Recording and Monitoring

No Specific Workplace Privacy Statute

Iran's Labor Code (1990, as amended) does not contain provisions specifically addressing workplace surveillance, employee monitoring, or employer recording of communications. The code focuses on employment terms, safety requirements, and dispute resolution.

In the absence of specific workplace privacy legislation, the general constitutional protections of Articles 22 and 25 technically apply in the workplace. An employer who records employee phone calls or monitors electronic communications without disclosure could face liability under the Computer Crimes Law or the constitutional privacy framework.

Practical Reality

In practice, workplace privacy enforcement is minimal. Iranian employers, particularly state-owned enterprises and companies operating in sensitive sectors, commonly monitor employee communications. The government itself mandates certain forms of workplace surveillance, particularly in industries related to telecommunications, media, and technology.

The 2024 mandate requiring all businesses to install police-approved surveillance cameras and link them to centralized police networks has further expanded the state's ability to monitor workplace activity. Under regulations from the Chamber of Guilds, businesses ranging from supermarkets to restaurants must register their camera systems on a government portal called Saptam, and a police technician connects the system to the police's cloud storage network.

Public Space Surveillance

Expanding Camera Networks

Iran has been rapidly expanding its network of surveillance cameras in public spaces. In 2023, authorities announced that footage from cameras in public places, including subway stations, would be used in combination with facial recognition technology to identify and penalize women who do not comply with mandatory hijab requirements.

The Ministry of Roads and Urban Development has incorporated surveillance equipment into national building standards. Residential complexes and commercial buildings with four or more units must install cameras at entrances, parking lots, corridors, and common spaces. Non-compliance creates obstacles in obtaining building permits.

Legal Basis

There is no single statute that authorizes or regulates public space surveillance in Iran. The expansion of camera networks has been carried out through administrative regulations, ministerial directives, and executive orders rather than through legislation debated and passed by parliament. This approach has allowed the government to rapidly scale its surveillance infrastructure without the constraints of a formal legislative process.

The Cyber Police: FATA

Role and Operations

The Iranian Cyber Police, known by its Farsi acronym FATA, was established in 2011. FATA operates stations in dozens of cities across all 31 provinces and is responsible for investigating cybercrimes, including privacy violations, online fraud, and what the government defines as propaganda against the state.

FATA's mandate extends well beyond traditional cybercrime enforcement. The agency monitors social media activity, tracks online activists, and investigates violations of content restrictions. During periods of political unrest, FATA's monitoring operations intensify significantly.

Civilian Volunteer Network

Since March 2014, FATA has recruited approximately 42,000 civilian volunteers with digital skills to assist in its monitoring operations. The agency has described this program as "society-based policing," with the stated goal of creating a culture where "every citizen is a police officer."

This volunteer network effectively extends the state's surveillance capacity beyond the resources of formal law enforcement. Volunteers report online content and activities that they believe violate Iranian law, creating a distributed monitoring system that supplements FATA's institutional capabilities.

Recent Legislative Developments

The 2025 "Untrue Content" Bill

In 2025, Iran's Ministry of Justice submitted a bill titled the "Bill on Combating the Spread of False News Content in Cyberspace" with "double urgency" status, requiring parliament to vote within 30 days and bypassing normal legislative debate.

The bill would grant service providers and social media platforms the authority to independently block or restrict content they consider "false" without a court order or judicial oversight. Platforms would be required to respond to complaints within 12 hours.

Human rights organizations, including Article 19 and the Center for Human Rights in Iran, have warned that the bill's vague definitions of "false" content would give authorities broad discretion to suppress speech and expand surveillance powers.

The Internet Protection Bill

A separate, longer-standing piece of legislation known as the Internet Protection Bill would require international technology companies to maintain a legal representative in Iran and cooperate with the government in surveilling users and censoring online content. The bill has been under parliamentary consideration since 2022 and has drawn criticism from UN human rights experts.

Data Protection: Gaps in the Law

No Comprehensive Framework

Iran does not have a comprehensive data protection law. The country remains one of the most populous nations in the world without dedicated personal data legislation, alongside the United States, Pakistan, and Bangladesh.

Privacy protections are scattered across multiple laws:

• Constitution Articles 22 and 25: General privacy and communications protections
• Electronic Commerce Law of 2004: Articles 58 and 59 address sensitive data and establish consent requirements for personal data processing
• Computer Crimes Law of 2009: Criminalizes unauthorized access and interception
• Charter of Citizens' Rights (2016): A non-binding document issued by President Rouhani containing 120 articles, including provisions on privacy and data protection that the government has not implemented

Electronic Commerce Law: Articles 58 and 59

Article 58 of the Electronic Commerce Law prohibits storing, processing, or distributing electronic data that reveals ethnic origins, religious beliefs, ethical characteristics, or information about a person's physical, psychological, or sexual condition without explicit consent.

Article 59 permits processing of personal electronic data only with the subject's consent, requires that the purpose of collection be clearly specified and limited to necessity, and grants individuals the right to request complete deletion of their personal data files.

These provisions represent Iran's closest approximation to data protection standards found in frameworks like the European Union's GDPR. However, enforcement is minimal, and no dedicated data protection authority exists to oversee compliance.

Draft Personal Data Protection Act

In 2019, a draft Personal Data Protection and Safeguarding Act was circulated, representing the first attempt at comprehensive data protection legislation. As of 2026, the draft has not been enacted into law.

Penalties Summary

Offense	Law	Penalty
Government official intercepts communications illegally	Islamic Penal Code Art. 582	1 to 3 years prison or 6-18 million rial fine
Eavesdropping on electronic/telecom content	Computer Crimes Law Art. 2	6 months to 2 years prison or fine
Unauthorized access to protected data	Islamic Penal Code Art. 729	91 days to 1 year prison and/or fines
Disclosing personal images, sounds, or secrets	Cyber Crime Act	61 days to 6 months prison or 1-10 million rial fine
Computer data theft (owner retains copy)	Computer Crimes Law Art. 12	1-20 million rial fine
Computer data theft (data removed)	Computer Crimes Law Art. 12	92 days to 1 year prison or 5-20 million rial fine

Business and Compliance Considerations

For Foreign Companies

Foreign businesses operating in Iran face a challenging compliance environment. The absence of a comprehensive data protection law means there are no clear rules governing how companies must handle personal data. At the same time, the Computer Crimes Law imposes criminal penalties for unauthorized access and interception, and ISPs must comply with extensive data retention and VoIP recording mandates.

Companies with employees or operations in Iran should assume that electronic communications conducted through Iranian telecommunications infrastructure are subject to government monitoring. The SIAM platform and associated surveillance tools give the CRA direct access to mobile communications, and ISPs are legally required to retain and hand over user data.

For Individuals

Anyone visiting or living in Iran should be aware that:

• Recording conversations without the other party's knowledge carries criminal penalties
• Mobile phone communications are subject to state interception without warrant requirements
• VPN use without a license is illegal, and authorities actively block unauthorized VPN services
• Internet shutdowns occur frequently, with 34 documented shutdowns in 2023 alone
• The government has the technical capability to downgrade mobile connections, intercept SMS messages, and track physical locations through cell tower data