Architecture of Control — Chronology, Routing Logic, and Enforcement Mechanics in Iran’s 2025–2026 Internet Blackouts
This chapter isolates the infrastructural and operational architecture of the Iranian shutdown regime rather than revisiting the humanitarian or diplomatic implications already established. The core technical finding is that Iran did not rely on a single blackout method across 2025–2026. It employed at least two distinct shutdown models: a more visible hard-disconnect sequence during the January 2026 protest crisis, and a more selective gateway-filtering / whitelisting sequence during the June 2025 war and the renewed wartime blackout that began on 28 February 2026. That distinction matters because a routing-withdrawal blackout and a gateway-filtered blackout produce different signatures, different survivability patterns, and different implications for who remains connected. The public record now supports reading the Iranian system not as an improvised on/off switch, but as a layered communications-governance stack built around choke-point control, route management, selective exception handling, and punitive legal enforcement A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026 What we know about Iran’s Internet shutdown – Cloudflare – January 2026 From Stealth Blackout to Whitelisting: Inside the Iranian Shutdown – Kentik – January 2026
A useful starting point is topology. According to Kentik’s January network analysis, Iran’s international internet has for years been funneled primarily through two external gateways: the Telecommunication Infrastructure Company (TIC) and the Institute for Research in Fundamental Sciences (IPM). TIC now carries the overwhelming share of international traffic, while IPM retains a technically distinct research and university-oriented connection. During shutdown conditions, this dual-gateway structure creates a strategic asymmetry: the state does not need to physically dismantle the whole national network to suppress international access. It can instead pressure or manipulate the dominant gateway, preserve small islands of exception traffic, and use the secondary path for controlled institutional restoration. In practical terms, the architecture reduces the problem of nationwide digital coercion to the management of a very small number of upstream chokepoints From Stealth Blackout to Whitelisting: Inside the Iranian Shutdown – Kentik – January 2026
The January 2026 shutdown demonstrates how that architecture was activated. The U.N. Fact-Finding Mission states that on the evening of 8 January 2026 the Iranian government imposed a total internet, mobile, and landline communications shutdown, cutting people off from the outside world and leaving them unable to contact loved ones inside or outside the country Iran: UN Fact-Finding Mission calls for immediate restoration of internet access and adherence to international human rights law – OHCHR – January 2026 A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. Cloudflare’s telemetry places the collapse in a tighter technical sequence: at 11:50 UTC the announced IPv6 address space of Iranian networks dropped by 98.5%; between 16:30 and 17:00 UTC total traffic fell by nearly 90% across major providers including MCCI, IranCell, and TCI; and by around 18:45 UTC internet traffic from Iran had dropped to “effectively zero” What we know about Iran’s Internet shutdown – Cloudflare – January 2026
That sequence is revealing because it shows the shutdown was not a single instantaneous event. It unfolded in stages. First came the IPv6 withdrawal signal; then traffic degradation across the largest access networks; then the full collapse of observable external traffic. Kentik independently observed the same basic rhythm, recording that TIC (AS49666) began withdrawing IPv6 BGP routes at 11:42 UTC, after which traffic began to plummet at 16:30 UTC and had “all but ceased” by 18:45 UTC. It also observed TIC disconnecting from a subset of transit providers, including Rostelecom and Gulf Bridge International, later in the evening Iran Goes Dark as Government Cuts Itself Off from Internet – Kentik Network Analysis Center – January 2026 From Stealth Blackout to Whitelisting: Inside the Iranian Shutdown – Kentik – January 2026
Yet the most important mechanical insight from January 2026 is not merely that traffic disappeared; it is that reachability and routing did not disappear in the same way. Kentik reports that despite the loss of numerous BGP adjacencies and the collapse of observable traffic, the vast majority of Iranian IPv4 routes continued to be propagated globally. In its rendering of IODA data, active probing fell to zero while routed IPv4 space in BGP remained almost entirely intact at 98.14%. That is a different signature from the classic 2019 model, where route withdrawals themselves signaled the blackout. In January 2026, the network still appeared largely present in global routing terms even while ordinary users were functionally cut off. This is the clearest evidence that the blackout had migrated from a crude route-withdrawal model to an edge-control model in which the state preserves external route visibility while blocking actual user traffic at or near the national gateway From Stealth Blackout to Whitelisting: Inside the Iranian Shutdown – Kentik – January 2026 Iran’s January 2026 Internet Shutdown: Public Data, Censorship Methods, and Circumvention Techniques – arXiv – March 2026
That same Kentik analysis gives the next piece of the architecture: whitelisting. Because IPv4 routes remained visible, authorities retained the ability to grant access selectively rather than universally. Kentik explicitly interprets this as Iran’s move toward an internet “whitelisting” regime in which approved users or services keep access while the broader population is denied it. The analysis also recorded a tiny amount of residual traffic continuing to move in and out of the country, along with a multi-hour restoration to certain universities via AS6736 (IPM) on 9 January, and a later diurnal traffic pattern on AS49666 that Kentik assessed was likely proxied traffic for whitelisted individuals or services. This means the blackout was not “nationally total” in the literal sense of zero packets for zero users; it was nationally total in the sense of a population-scale denial regime with exception channels From Stealth Blackout to Whitelisting: Inside the Iranian Shutdown – Kentik – January 2026
A second important layer is the role of the National Information Network (NIN). Kentik notes that domestic communication services also experienced extended disruption during the January blackout, including Iran’s National Information Network. It further points back to earlier technical mapping showing that the NIN was implemented through routing RFC1918 private address space (10.x.x.x) between Iranian autonomous systems, allowing domestic devices to remain reachable internally while being non-routable from the public internet. That arrangement matters because it allows the state to preserve a bounded national digital space even when foreign-facing connectivity is suppressed. In other words, the blackout mechanism does not simply sever the country from the world; it can re-tier the network into external denial plus internal survivability From Stealth Blackout to Whitelisting: Inside the Iranian Shutdown – Kentik – January 2026
The chronology after 8 January shows that restoration itself became a control instrument. Cloudflare recorded brief windows of minimal connectivity on 9 January, including a spike in access to 1.1.1.1 and short-lived restoration for several Iranian university networks such as the University of Tehran Informatics Center, Sharif University of Technology, Tehran University of Medical Science, and Tarbiat Modares University, before those flows again disappeared What we know about Iran’s Internet shutdown – Cloudflare – January 2026. The emerging pattern was not normal recovery from accidental outage. It was interruptible, testable, reversible, and segmented. An academic synthesis posted on arXiv later summarized public data from IODA, Cloudflare, and Kentik as showing early restoration signs between 18 and 26 January, but those signs were unstable and repeatedly fell back toward near-zero levels Iran’s January 2026 Internet Shutdown: Public Data, Censorship Methods, and Circumvention Techniques – arXiv – March 2026. That kind of jagged, selective “restoration” is analytically different from repair after physical damage; it is more consistent with iterative policy tuning inside a controlled filtering regime.
The June 2025 war is the bridge between the January protest blackout and the wartime blackout that began on 28 February 2026. The best current synthesis of the June 2025 event is the multi-stakeholder report by Miaan Group with contributors including Cloudflare, Kentik, OONI, Psiphon, and Tor. That report characterizes the June episode as a “stealth blackout” that differed sharply from 2019. Instead of severing BGP routes across the board, authorities used a more centralized border-control system that combined DNS poisoning, protocol whitelisting, and Deep Packet Inspection (DPI). The report’s wording is important: the objective was to sever the population’s connection to the global internet while maintaining the illusion of normal connectivity for outside observers. Traffic to the global internet fell by about 90%, but domestic services remained selectively alive Report on Iran’s Blackout of the Global Internet – Miaan Group – October 2025 Iran’s January 2026 Internet Shutdown: Public Data, Censorship Methods, and Circumvention Techniques – arXiv – March 2026
That is the operational template that appears to have re-emerged on 28 February 2026. The Tor Project’s February operations update states that on 28 February and 1 March its Snowflake graphs showed the effects of “yet another shutdown in Iran,” this time associated with military attacks by the United States and Israel Snowflake Daily Operations February 2026 update – Tor Project Forum – March 2026. Kentik’s March analysis is even more specific: it describes the current blackout as a continuation of the newer style first seen in the Twelve-Day War of 2025, emphasizes that IPv4 routes remain globally propagated, and records only a trickle of residual traffic moving through Iran’s new blocking system. That residual traffic, Kentik argues, is best explained by whitelisted people and organizations rather than by ordinary national restoration Internet and Airstrikes: Tracking Iran’s Extended Communication Blackout – Kentik – March 2026 Snowflake Daily Operations February 2026 update – Tor Project Forum – March 2026
The wartime blackout therefore appears to be structurally narrower but politically more sophisticated than the old full-route cut model. Instead of making the entire country obviously vanish from the internet, the state can keep the national network advertised, preserve selected domestic services, retain a trickle of authorized external connectivity, and still deny practical access to the overwhelming majority of users. Kentik notes that even inside this residual trickle there were further drops on 2 March, 5 March, and 15 March; one of those later dips reportedly coincided with a crackdown on whitelisted users or organizations sharing access. It also observed that Pars Oil & Gas Company (AS51554) was offline from 28 February to 8 March, and that since 11 January this network had been withdrawing routes nightly around 17:00 local time until 08:00 local time the next day. Those details matter because they show the shutdown regime was not merely national in scale; it was also granular, able to impose differentiated exposure across sectors, organizations, and time windows Internet and Airstrikes: Tracking Iran’s Extended Communication Blackout – Kentik – March 2026
The legal architecture behind these shutdowns is at least as important as the routing architecture. The U.N. Fact-Finding Mission reports that on 15 October 2025 Iran’s Parliament enacted the “Law on Intensifying the Punishment for Espionage and Collaboration with the Zionist Regime and Hostile States Against National Security and Interests.” The Mission states that this law automatically classifies espionage and “cooperation with [a] hostile government” as “corruption on earth,” a capital offense. Crucially for communications control, the report states that the law also criminalizes the sharing of images or videos with foreign media and the use or possession of unlicensed satellite internet tools such as Starlink; if the alleged offender is found to be an “enemy agent,” the offense may lead to the death penalty A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. This is not a marginal provision. It converts communications work, evidence transmission, and satellite circumvention from mere regulatory violations into potential national-security crimes.
The Special Rapporteur’s March report adds another layer: the domestic legal framework already required prior authorization for demonstrations, broadly criminalized group activity deemed to disrupt national security, and under the 2025 Espionage Law made participation in unauthorized wartime marches punishable by 5–10 years’ imprisonment A/HRC/61/59 Advance Unedited Version – OHCHR – March 2026. In operational terms, that means connectivity denial and assembly denial are not separate systems. They are joined. The legal code narrows the space for collective physical action; the digital code narrows the space for collective informational action; and the espionage framing allows both to be folded into the same national-security narrative.
The punitive dimension does not end with shutdown authority. The Fact-Finding Mission also documents that during and after the June 2025 hostilities, authorities combined a total internet shutdown with the continued blocking of social-media platforms and the deactivation of the SIM cards of journalists and human-rights defenders. Interviewees reported that to have their SIM cards restored they were forced to delete social-media posts, publish content supporting the government, take down their profiles, or both A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. This matters analytically because it shows that the blackout architecture is not just about packet filtering. It is also about identity-layer coercion. The state can remove service from the line, the device, the subscriber, the platform account, or the cross-border data path, and can then restore it conditionally on behavioral compliance.
The observed mechanics can be summarized compactly:
| Phase | Dominant technical signature | What stayed visible | What users experienced | Best-supported sources |
|---|---|---|---|---|
| 8 January 2026 protest blackout | IPv6 withdrawal, rapid traffic collapse, selective transit disconnections | Most IPv4 routes still globally visible | Near-total loss of public connectivity, with tiny institutional exceptions | Cloudflare – January 2026; Kentik – January 2026 |
| 18–26 January 2026 controlled thaw | Jagged partial restoration, intermittent reachability spikes | Some university / gateway activity | Patchy, reversible, non-universal re-access | arXiv – March 2026; Cloudflare – January 2026 |
| From 28 February 2026 wartime blackout | Stealth blackout / gateway filtering with residual whitelisted flows | IPv4 propagation and trace residual traffic | Persistent mass denial with narrow exception channels | Kentik – March 2026; Tor Project – March 2026 |
On state rationale versus observed operational outcome, the cleanest way to frame the evidence is through a limited Analysis of Competing Hypotheses. The wartime justification visible in the technical literature is that restrictions were intended to deter or absorb Israeli cyberattacks and reduce adversary advantage. The arXiv synthesis states that the government justified the restrictions as a means of deterring cyberattacks from Israel Iran’s January 2026 Internet Shutdown: Public Data, Censorship Methods, and Circumvention Techniques – arXiv – March 2026. But the observed network outcome documented across Cloudflare, Kentik, Tor, and the U.N. record is more specific than that rationale. What the system consistently produced was: (1) population-scale denial of global connectivity, (2) selective exception traffic for institutions or approved users, (3) preservation of enough routing visibility to allow differentiated restoration, and (4) legal exposure for alternative communications paths such as satellite internet and foreign-media transmission A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026 From Stealth Blackout to Whitelisting: Inside the Iranian Shutdown – Kentik – January 2026 Internet and Airstrikes: Tracking Iran’s Extended Communication Blackout – Kentik – March 2026
The highest-confidence reading of Chapter I, then, is technical rather than rhetorical. Iran’s blackout system in 2025–2026 operated as a graduated control architecture. Its components were gateway concentration, route manipulation, edge filtering, protocol control, selective whitelisting, domestic-network survivability, subscriber-level punishment, and security-law deterrence. The system did not simply turn the internet off. It sorted connectivity into categories: unavailable for most, revocable for some, and persistent for a narrow set of approved pathways. That is the core architectural pattern established by the live source record as of 10 April 2026.
Index
Chapter I — Architecture of Control: Chronology and Mechanics of Iran’s Internet Blackouts (2025–2026)
• Verified timeline of shutdowns across protest and wartime phases
• Technical and legal instruments of connectivity suppression
• State rationale vs. observed operational outcomes
Chapter II — Competing Strategic Explanations: Security Doctrine vs. Population Control
• Five-hypothesis framework (wartime defense, repression, narrative monopoly, systemic incapacity, hybrid model)
• Bayesian weighting and evidentiary comparison
• Civilian impact and regional comparison with warning-system infrastructures
Chapter III — Geopolitical Implications and Policy Leverage
• Internet access as a domain of modern warfare and governance
• Diplomatic omissions in ceasefire frameworks
• Strategic policy options: sanctions, conditionality, and digital rights enforcement
Architecture of Control — Chronology, Routing Logic, and Enforcement Mechanics in Iran’s 2025–2026 Internet Blackouts
This chapter isolates the infrastructural and operational architecture of the Iranian shutdown regime rather than revisiting the humanitarian or diplomatic implications already established. The core technical finding is that Iran did not rely on a single blackout method across 2025–2026. It employed at least two distinct shutdown models: a more visible hard-disconnect sequence during the January 2026 protest crisis, and a more selective gateway-filtering / whitelisting sequence during the June 2025 war and the renewed wartime blackout that began on 28 February 2026. That distinction matters because a routing-withdrawal blackout and a gateway-filtered blackout produce different signatures, different survivability patterns, and different implications for who remains connected. The public record now supports reading the Iranian system not as an improvised on/off switch, but as a layered communications-governance stack built around choke-point control, route management, selective exception handling, and punitive legal enforcement A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026 What we know about Iran’s Internet shutdown – Cloudflare – January 2026 From Stealth Blackout to Whitelisting: Inside the Iranian Shutdown – Kentik – January 2026
A useful starting point is topology. According to Kentik’s January network analysis, Iran’s international internet has for years been funneled primarily through two external gateways: the Telecommunication Infrastructure Company (TIC) and the Institute for Research in Fundamental Sciences (IPM). TIC now carries the overwhelming share of international traffic, while IPM retains a technically distinct research and university-oriented connection. During shutdown conditions, this dual-gateway structure creates a strategic asymmetry: the state does not need to physically dismantle the whole national network to suppress international access. It can instead pressure or manipulate the dominant gateway, preserve small islands of exception traffic, and use the secondary path for controlled institutional restoration. In practical terms, the architecture reduces the problem of nationwide digital coercion to the management of a very small number of upstream chokepoints From Stealth Blackout to Whitelisting: Inside the Iranian Shutdown – Kentik – January 2026
The January 2026 shutdown demonstrates how that architecture was activated. The U.N. Fact-Finding Mission states that on the evening of 8 January 2026 the Iranian government imposed a total internet, mobile, and landline communications shutdown, cutting people off from the outside world and leaving them unable to contact loved ones inside or outside the country Iran: UN Fact-Finding Mission calls for immediate restoration of internet access and adherence to international human rights law – OHCHR – January 2026 A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. Cloudflare’s telemetry places the collapse in a tighter technical sequence: at 11:50 UTC the announced IPv6 address space of Iranian networks dropped by 98.5%; between 16:30 and 17:00 UTC total traffic fell by nearly 90% across major providers including MCCI, IranCell, and TCI; and by around 18:45 UTC internet traffic from Iran had dropped to “effectively zero” What we know about Iran’s Internet shutdown – Cloudflare – January 2026
That sequence is revealing because it shows the shutdown was not a single instantaneous event. It unfolded in stages. First came the IPv6 withdrawal signal; then traffic degradation across the largest access networks; then the full collapse of observable external traffic. Kentik independently observed the same basic rhythm, recording that TIC (AS49666) began withdrawing IPv6 BGP routes at 11:42 UTC, after which traffic began to plummet at 16:30 UTC and had “all but ceased” by 18:45 UTC. It also observed TIC disconnecting from a subset of transit providers, including Rostelecom and Gulf Bridge International, later in the evening Iran Goes Dark as Government Cuts Itself Off from Internet – Kentik Network Analysis Center – January 2026 From Stealth Blackout to Whitelisting: Inside the Iranian Shutdown – Kentik – January 2026
Yet the most important mechanical insight from January 2026 is not merely that traffic disappeared; it is that reachability and routing did not disappear in the same way. Kentik reports that despite the loss of numerous BGP adjacencies and the collapse of observable traffic, the vast majority of Iranian IPv4 routes continued to be propagated globally. In its rendering of IODA data, active probing fell to zero while routed IPv4 space in BGP remained almost entirely intact at 98.14%. That is a different signature from the classic 2019 model, where route withdrawals themselves signaled the blackout. In January 2026, the network still appeared largely present in global routing terms even while ordinary users were functionally cut off. This is the clearest evidence that the blackout had migrated from a crude route-withdrawal model to an edge-control model in which the state preserves external route visibility while blocking actual user traffic at or near the national gateway From Stealth Blackout to Whitelisting: Inside the Iranian Shutdown – Kentik – January 2026 Iran’s January 2026 Internet Shutdown: Public Data, Censorship Methods, and Circumvention Techniques – arXiv – March 2026
That same Kentik analysis gives the next piece of the architecture: whitelisting. Because IPv4 routes remained visible, authorities retained the ability to grant access selectively rather than universally. Kentik explicitly interprets this as Iran’s move toward an internet “whitelisting” regime in which approved users or services keep access while the broader population is denied it. The analysis also recorded a tiny amount of residual traffic continuing to move in and out of the country, along with a multi-hour restoration to certain universities via AS6736 (IPM) on 9 January, and a later diurnal traffic pattern on AS49666 that Kentik assessed was likely proxied traffic for whitelisted individuals or services. This means the blackout was not “nationally total” in the literal sense of zero packets for zero users; it was nationally total in the sense of a population-scale denial regime with exception channels From Stealth Blackout to Whitelisting: Inside the Iranian Shutdown – Kentik – January 2026
A second important layer is the role of the National Information Network (NIN). Kentik notes that domestic communication services also experienced extended disruption during the January blackout, including Iran’s National Information Network. It further points back to earlier technical mapping showing that the NIN was implemented through routing RFC1918 private address space (10.x.x.x) between Iranian autonomous systems, allowing domestic devices to remain reachable internally while being non-routable from the public internet. That arrangement matters because it allows the state to preserve a bounded national digital space even when foreign-facing connectivity is suppressed. In other words, the blackout mechanism does not simply sever the country from the world; it can re-tier the network into external denial plus internal survivability From Stealth Blackout to Whitelisting: Inside the Iranian Shutdown – Kentik – January 2026
The chronology after 8 January shows that restoration itself became a control instrument. Cloudflare recorded brief windows of minimal connectivity on 9 January, including a spike in access to 1.1.1.1 and short-lived restoration for several Iranian university networks such as the University of Tehran Informatics Center, Sharif University of Technology, Tehran University of Medical Science, and Tarbiat Modares University, before those flows again disappeared What we know about Iran’s Internet shutdown – Cloudflare – January 2026. The emerging pattern was not normal recovery from accidental outage. It was interruptible, testable, reversible, and segmented. An academic synthesis posted on arXiv later summarized public data from IODA, Cloudflare, and Kentik as showing early restoration signs between 18 and 26 January, but those signs were unstable and repeatedly fell back toward near-zero levels Iran’s January 2026 Internet Shutdown: Public Data, Censorship Methods, and Circumvention Techniques – arXiv – March 2026. That kind of jagged, selective “restoration” is analytically different from repair after physical damage; it is more consistent with iterative policy tuning inside a controlled filtering regime.
The June 2025 war is the bridge between the January protest blackout and the wartime blackout that began on 28 February 2026. The best current synthesis of the June 2025 event is the multi-stakeholder report by Miaan Group with contributors including Cloudflare, Kentik, OONI, Psiphon, and Tor. That report characterizes the June episode as a “stealth blackout” that differed sharply from 2019. Instead of severing BGP routes across the board, authorities used a more centralized border-control system that combined DNS poisoning, protocol whitelisting, and Deep Packet Inspection (DPI). The report’s wording is important: the objective was to sever the population’s connection to the global internet while maintaining the illusion of normal connectivity for outside observers. Traffic to the global internet fell by about 90%, but domestic services remained selectively alive Report on Iran’s Blackout of the Global Internet – Miaan Group – October 2025 Iran’s January 2026 Internet Shutdown: Public Data, Censorship Methods, and Circumvention Techniques – arXiv – March 2026
That is the operational template that appears to have re-emerged on 28 February 2026. The Tor Project’s February operations update states that on 28 February and 1 March its Snowflake graphs showed the effects of “yet another shutdown in Iran,” this time associated with military attacks by the United States and Israel Snowflake Daily Operations February 2026 update – Tor Project Forum – March 2026. Kentik’s March analysis is even more specific: it describes the current blackout as a continuation of the newer style first seen in the Twelve-Day War of 2025, emphasizes that IPv4 routes remain globally propagated, and records only a trickle of residual traffic moving through Iran’s new blocking system. That residual traffic, Kentik argues, is best explained by whitelisted people and organizations rather than by ordinary national restoration Internet and Airstrikes: Tracking Iran’s Extended Communication Blackout – Kentik – March 2026 Snowflake Daily Operations February 2026 update – Tor Project Forum – March 2026
The wartime blackout therefore appears to be structurally narrower but politically more sophisticated than the old full-route cut model. Instead of making the entire country obviously vanish from the internet, the state can keep the national network advertised, preserve selected domestic services, retain a trickle of authorized external connectivity, and still deny practical access to the overwhelming majority of users. Kentik notes that even inside this residual trickle there were further drops on 2 March, 5 March, and 15 March; one of those later dips reportedly coincided with a crackdown on whitelisted users or organizations sharing access. It also observed that Pars Oil & Gas Company (AS51554) was offline from 28 February to 8 March, and that since 11 January this network had been withdrawing routes nightly around 17:00 local time until 08:00 local time the next day. Those details matter because they show the shutdown regime was not merely national in scale; it was also granular, able to impose differentiated exposure across sectors, organizations, and time windows Internet and Airstrikes: Tracking Iran’s Extended Communication Blackout – Kentik – March 2026
The legal architecture behind these shutdowns is at least as important as the routing architecture. The U.N. Fact-Finding Mission reports that on 15 October 2025 Iran’s Parliament enacted the “Law on Intensifying the Punishment for Espionage and Collaboration with the Zionist Regime and Hostile States Against National Security and Interests.” The Mission states that this law automatically classifies espionage and “cooperation with [a] hostile government” as “corruption on earth,” a capital offense. Crucially for communications control, the report states that the law also criminalizes the sharing of images or videos with foreign media and the use or possession of unlicensed satellite internet tools such as Starlink; if the alleged offender is found to be an “enemy agent,” the offense may lead to the death penalty A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. This is not a marginal provision. It converts communications work, evidence transmission, and satellite circumvention from mere regulatory violations into potential national-security crimes.
The Special Rapporteur’s March report adds another layer: the domestic legal framework already required prior authorization for demonstrations, broadly criminalized group activity deemed to disrupt national security, and under the 2025 Espionage Law made participation in unauthorized wartime marches punishable by 5–10 years’ imprisonment A/HRC/61/59 Advance Unedited Version – OHCHR – March 2026. In operational terms, that means connectivity denial and assembly denial are not separate systems. They are joined. The legal code narrows the space for collective physical action; the digital code narrows the space for collective informational action; and the espionage framing allows both to be folded into the same national-security narrative.
The punitive dimension does not end with shutdown authority. The Fact-Finding Mission also documents that during and after the June 2025 hostilities, authorities combined a total internet shutdown with the continued blocking of social-media platforms and the deactivation of the SIM cards of journalists and human-rights defenders. Interviewees reported that to have their SIM cards restored they were forced to delete social-media posts, publish content supporting the government, take down their profiles, or both A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. This matters analytically because it shows that the blackout architecture is not just about packet filtering. It is also about identity-layer coercion. The state can remove service from the line, the device, the subscriber, the platform account, or the cross-border data path, and can then restore it conditionally on behavioral compliance.
The observed mechanics can be summarized compactly:
| Phase | Dominant technical signature | What stayed visible | What users experienced | Best-supported sources |
|---|---|---|---|---|
| 8 January 2026 protest blackout | IPv6 withdrawal, rapid traffic collapse, selective transit disconnections | Most IPv4 routes still globally visible | Near-total loss of public connectivity, with tiny institutional exceptions | Cloudflare – January 2026; Kentik – January 2026 |
| 18–26 January 2026 controlled thaw | Jagged partial restoration, intermittent reachability spikes | Some university / gateway activity | Patchy, reversible, non-universal re-access | arXiv – March 2026; Cloudflare – January 2026 |
| From 28 February 2026 wartime blackout | Stealth blackout / gateway filtering with residual whitelisted flows | IPv4 propagation and trace residual traffic | Persistent mass denial with narrow exception channels | Kentik – March 2026; Tor Project – March 2026 |
On state rationale versus observed operational outcome, the cleanest way to frame the evidence is through a limited Analysis of Competing Hypotheses. The wartime justification visible in the technical literature is that restrictions were intended to deter or absorb Israeli cyberattacks and reduce adversary advantage. The arXiv synthesis states that the government justified the restrictions as a means of deterring cyberattacks from Israel Iran’s January 2026 Internet Shutdown: Public Data, Censorship Methods, and Circumvention Techniques – arXiv – March 2026. But the observed network outcome documented across Cloudflare, Kentik, Tor, and the U.N. record is more specific than that rationale. What the system consistently produced was: (1) population-scale denial of global connectivity, (2) selective exception traffic for institutions or approved users, (3) preservation of enough routing visibility to allow differentiated restoration, and (4) legal exposure for alternative communications paths such as satellite internet and foreign-media transmission A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026 From Stealth Blackout to Whitelisting: Inside the Iranian Shutdown – Kentik – January 2026 Internet and Airstrikes: Tracking Iran’s Extended Communication Blackout – Kentik – March 2026
The highest-confidence reading of Chapter I, then, is technical rather than rhetorical. Iran’s blackout system in 2025–2026 operated as a graduated control architecture. Its components were gateway concentration, route manipulation, edge filtering, protocol control, selective whitelisting, domestic-network survivability, subscriber-level punishment, and security-law deterrence. The system did not simply turn the internet off. It sorted connectivity into categories: unavailable for most, revocable for some, and persistent for a narrow set of approved pathways. That is the core architectural pattern established by the live source record as of 10 April 2026.
Architecture of Control
Iran’s 2025–2026 Layered Communication Blackout Regime: Technical Chronology & Enforcement Mechanics
UPDATED: 10 April 2026
| Concept / Sequence | Theme | Mechanics | Key Data | Relationships | Iteration Stage | Analytical Insight | Status |
|---|---|---|---|---|---|---|---|
| Phase 1: Tactical Hard Disconnect (January 2026) | |||||||
| BGP/IPv6 Withdrawal | Routing Layer | Immediate BGP signal drop | 98.5% IPv6 drop | Causal → Traffic |
|
First signal of the shutdown; preceded actual traffic collapse by hours. | Resolved |
| Mass Traffic Collapse | Access Layer | Provider-side disconnection | <10% Traffic | Hierarchical |
|
Population-scale denial used to prevent image/video transmission during protests. | Resolved |
| Phase 2: The Whitelisting Regime (June 2025 – 2026) | |||||||
| Stealth Blackout | Gateway Layer | Gateway DPI + Filtering | 98.14% IPv4 active | Synergistic |
|
Preserves global routing visibility to hide the blackout from automated monitors. | Active |
| Conditional Access | Identity Layer | Protocol Whitelisting | Jagged recovery | Causal |
|
Access granted only to universities/state agencies via AS6736 (IPM). | Monitoring |
| Phase 3: Legal & Enforcement Architecture | |||||||
| Espionage Law 2025 | Legal Layer | Capital punishment for data | 15 Oct 2025 Act | Causal → Risk |
|
Criminalizes Starlink and sharing footage as “Corruption on Earth.” | Escalated |
Analysis compiled April 2026. Zero external dependencies.
Competing Strategic Explanations — Security Doctrine, Population Control, and the Strategic Logic of Iran’s Blackout Regime
The analytical problem in this chapter is not whether the blackouts happened; that is already established by the live record. The narrower question is why the Islamic Republic of Iran used them in the particular form observed across 2025–2026, and which explanation best fits the full evidentiary pattern. The official and technical record now available supports five mutually exclusive but partially overlapping hypotheses: wartime defense, repression, narrative monopoly, systemic incapacity, and a hybrid regime-security model. The U.N. Fact-Finding Mission explicitly situates the 28 December 2025 protests and the hostilities that began on 28 February 2026 inside a common investigative frame of “recent and ongoing serious human rights violations,” while also recording that the Government of Iran briefed the Mission on both the domestic protest events and the later armed conflict with Israel and the United States A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. That single-source continuity matters because it permits an explanation test across two very different crises rather than treating each shutdown as an isolated episode.
My weighting method here is a structured inferential exercise rather than a claim of mathematical certainty. I begin with roughly even priors across the five hypotheses, then update them against three classes of evidence: first, whether the explanation fits both the protest and wartime episodes; second, whether it explains the persistence of selective or unequal connectivity noted in the public record; and third, whether it predicts the observed asymmetry between denying citizens connectivity and preserving limited official, institutional, or whitelisted pathways. On that basis, my current posterior estimate is: Hybrid regime-security model 0.34, repression 0.24, narrative monopoly 0.19, wartime defense 0.14, and systemic incapacity 0.09. These are analytic judgments, not official numbers, but each is grounded in the source record discussed below.
Hypothesis 1: Wartime Defense
Under the wartime defense hypothesis, the blackout was primarily a military-security instrument designed to reduce adversary targeting, constrain open-source exploitation, complicate foreign cyber operations, and shrink the attack surface during periods of active hostilities. This explanation has some real evidentiary support. The public technical literature describing the January 2026 shutdown states that the government justified the restrictions as a means of deterring cyberattacks from Israel, and the U.N. Fact-Finding Mission confirms that the later armed conflict with Israel and the United States began on 28 February 2026, creating a setting in which defensive cyber and communications restrictions were at least plausibly available to decision-makers as a national-security tool Iran’s January 2026 Internet Shutdown: Public Data, Censorship Methods, and Circumvention Techniques – arXiv – March 2026 A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. The hypothesis also gains limited strength from the fact that neighboring states maintain official early-warning and alerting mechanisms precisely because missile and air threats impose real demands on fast, centralized civilian messaging. Saudi Arabia’s National Early Warning Platform states that it uses Cell Broadcast Technology to send warning messages, with a distinctive alert tone, to mobile phones on regulated networks National Early Warning Platform – Saudi Civil Defense – January 2026.
The problem for the wartime-defense hypothesis is not that it is impossible, but that it is incomplete. It explains why a state under attack might tighten or compartmentalize networks, yet it does not by itself explain why the same blackout instrument was also deployed in response to the protests that began on 28 December 2025 A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. Nor does it explain why the U.N. Fact-Finding Mission linked the wartime repression of June 2025 to a total internet shutdown, continued blocking of social-media platforms, and SIM-card deactivations of journalists and human-rights defenders, with reported restoration conditioned on deletion of posts or publication of pro-government content A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. A pure defense model predicts broad, temporally bounded security restrictions; it does not naturally predict behavior-conditioned reconnection. For that reason, I assign this hypothesis only a moderate-to-low posterior probability despite its obvious prima facie plausibility during active hostilities.
Hypothesis 2: Repression
Under the repression hypothesis, the blackouts were primarily designed to suppress mobilization, fragment protest coordination, isolate victims, obstruct evidence flows, and reduce the visibility of state violence. This explanation fits the January 2026 episode strongly because the U.N. Human Rights Council convened a special session on 23 January 2026 specifically to address the deteriorating human-rights situation in Iran, and the Fact-Finding Mission was then tasked to conduct an urgent investigation into alleged violations and crimes connected to the protests that began on 28 December 2025 A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. The same report records that on the evening of 8 January 2026 the government imposed a total internet, mobile, and landline communications shutdown, and an OHCHR press release states that people were cut off from the outside world and unable to contact loved ones inside or outside Iran Iran: UN Fact-Finding Mission calls for immediate restoration of internet access and adherence to international human rights law – OHCHR – January 2026. These are classic repression-compatible effects because they atomize the population at the exact moment collective action, witness reporting, and cross-border contact matter most.
This hypothesis also fits the legal environment unusually well. The Fact-Finding Mission reports that Iran’s Parliament adopted the Law on Intensifying the Punishment for Espionage and Collaboration with the Zionist Regime and Hostile States Against National Security and Interests on 15 October 2025, and that the law criminalizes the sharing of images or videos with foreign media as well as the use or possession of unlicensed satellite internet tools such as Starlink A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. When a state both severs the normal internet and criminalizes alternative evidence-transmission channels, the combined design strongly favors a repression interpretation. Even so, repression alone still leaves one explanatory gap: it captures the silencing function but not fully the selectivity of who stays connected and why. That gap leads directly to the next hypothesis.
Hypothesis 3: Narrative Monopoly
Under the narrative-monopoly hypothesis, the blackout was less about stopping all communications than about restructuring who may speak, what information may circulate, and which nodes remain audible in the public sphere. This hypothesis gains force from two pieces of evidence in the live record. First, the U.N. Fact-Finding Mission states that during and after the June 2025 hostilities the authorities combined shutdowns with the continued blocking of social-media platforms and SIM-card deactivation for journalists and human-rights defenders A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. Second, the same record indicates that reconnection or restoration could be tied to deletion of content or publication of pro-government messaging A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. That is analytically different from simple repression. Repression tries to mute; narrative monopoly tries to replace, filter, and hierarchize speech.
This explanation also better matches the technical evidence that blackouts in Iran increasingly preserve limited or selective connectivity rather than extinguishing all routing visibility. The public technical analyses from Kentik and related synthesis work indicate that recent Iranian shutdowns have not always taken the form of full route withdrawal; instead they have left parts of the network visible while limiting who can actually use international connectivity From Stealth Blackout to Whitelisting: Inside the Iranian Shutdown – Kentik – January 2026 Internet and Airstrikes: Tracking Iran’s Extended Communication Blackout – Kentik – March 2026. A system that leaves selected institutional or privileged pathways open is not just blocking information; it is curating it. The weakness of this hypothesis is that it still does not entirely explain why so much effort would be invested in blackout architecture during kinetic conflict unless regime security and state security were being treated as partially identical objectives. That is why I rank it below the hybrid model but above pure wartime defense.
Hypothesis 4: Systemic Incapacity
The systemic-incapacity hypothesis argues that the blackouts reflected bureaucratic fragility, poor crisis management, weak civilian-protection doctrine, and institutional inability to operate a modern emergency-warning system without defaulting to blunt communications suppression. This hypothesis should not be dismissed too quickly because the comparative record shows that functional warning systems require not just political will but integrated institutional design. Israel’s Home Front Command officially offers a location-based app providing alerts for “rocket and missile attacks,” “infiltration of a hostile aerial vehicle,” “earthquakes,” and “tsunamis,” while the National Emergency Portal says alerts are delivered through multiple channels including the app and the website Download the Home Front Command App – Israel National Emergency Portal – November 2023 National Emergency Portal | Means of Alerts – Israel National Emergency Portal – March 2026. Saudi Arabia has an official Cell Broadcast warning platform National Early Warning Platform – Saudi Civil Defense – January 2026, Kuwait’s General Civil Defence Department publishes a warning-siren guide with three distinct alarm tones and associated protective actions Safety Guide for Emergency – Ministry of Interior, Kuwait – undated PDF live as of April 2026, Qatar’s National Command Center states that it receives warnings through an early warning system and responds through multilingual emergency services National Command Center (NCC) – Ministry of Interior, Qatar – 2024 PDF live as of April 2026, and Bahrain’s national portal says the MyGov app provides real-time alerts and siren notifications during emergencies Emergencies – Bahrain National Portal – July 2025.
By contrast, I did not find an equivalent official Iranian public-warning architecture in the live source set reviewed for this chapter. That absence leaves room for an incapacity explanation: perhaps the state lacks a civilian-warning model robust enough to preserve public safety under attack while keeping national-security controls intact. But this hypothesis weakens sharply when placed beside the coercive legal and behavioral evidence. A state suffering mere incapacity does not normally criminalize alternative satellite access, deactivate SIM cards of sensitive users, or condition restoration on deletion of content A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. Incapacity may exist as a contributing condition, especially in civilian protection, but the live record does not support it as the primary driver.
Hypothesis 5: Hybrid Regime-Security Model
The hybrid regime-security model holds that the blackouts were designed to serve both external defense and internal control simultaneously, with state security and regime security treated as operationally inseparable. This is the hypothesis that best fits the total pattern. It explains why shutdowns appear in both protest and wartime conditions A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. It explains why the system suppresses the general public but preserves narrow channels of connectivity for approved actors, because a hybrid model seeks continuity of command, propaganda, surveillance, and elite coordination while denying those same capacities to the wider population From Stealth Blackout to Whitelisting: Inside the Iranian Shutdown – Kentik – January 2026 Internet and Airstrikes: Tracking Iran’s Extended Communication Blackout – Kentik – March 2026. It also explains why the legal regime merges communications, evidence-sharing, foreign contact, and satellite access into a national-security category A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026.
The hybrid model is stronger than a vague “both/and” compromise because it makes a sharper structural claim: under this doctrine, the population itself becomes part of the battlespace. Connectivity is not merely infrastructure; it is a governable variable whose distribution can be tightened, segmented, and selectively restored in pursuit of military, political, and informational ends at once. That claim is strongly supported by the fact that the same U.N. machinery investigating protest repression is also documenting repression “during and after the June 2025 hostilities” A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. In other words, the record does not show two separate doctrines accidentally using the same tool. It shows one integrated coercive architecture migrating across two theaters of crisis. That is why I assign this hypothesis the highest posterior weight.
Bayesian Weighting Table
| Hypothesis | Posterior estimate | Main supporting evidence | Main weakness |
|---|---|---|---|
| Hybrid regime-security model | 0.34 | Fits protest + wartime episodes; explains selective connectivity; explains legal coercion around foreign contact and satellite tools | Hard to distinguish fully from repression plus defense without internal documents |
| Repression | 0.24 | Strong fit for protest phase, total communications shutdown, evidence obstruction effects | Less complete on selective survival of privileged connectivity |
| Narrative monopoly | 0.19 | Explains blocking, SIM deactivation, behavior-conditioned restoration, selective speech hierarchy | Needs security overlay to explain wartime timing |
| Wartime defense | 0.14 | Plausible under live hostilities and cyber-risk claims | Poor fit for protest episode and content-conditioned reconnection |
| Systemic incapacity | 0.09 | Helps explain lack of visible civilian-warning architecture | Too weak to explain punitive and selective enforcement |
The table should be read as a structured analytic device, not a substitute for newly released internal records. But it shows why the policy debate should not remain trapped in a false binary between “national security” and “human rights abuse.” The current evidence points toward a model in which national-security language functions as the legitimating vocabulary for a broader regime-security project.
Civilian Impact Through Regional Comparison
The regional comparison sharpens the explanatory result because it reveals what a state oriented toward civilian warning normally builds. Israel’s official portal says the Home Front Command app delivers location-based alerts, and its “Means of Alerts” page states that alerts are distributed through multiple channels Download the Home Front Command App – Israel National Emergency Portal – November 2023 National Emergency Portal | Means of Alerts – Israel National Emergency Portal – March 2026. Saudi Arabia says its platform broadcasts emergency messages through Cell Broadcast Service to phones on mobile networks National Early Warning Platform – Saudi Civil Defense – January 2026, and its warning-sirens page says residents are to use shelters or homes and follow civil-defense instructions through multiple information channels Warning Sirens – Saudi Civil Defense – January 2026. Kuwait describes three warning tones with corresponding protective responses and directs people toward shelters and official instructions Safety Guide for Emergency – Ministry of Interior, Kuwait – undated PDF live as of April 2026. Qatar’s National Command Center says it receives warnings through the early warning system and responds around the clock in numerous languages, including Persian National Command Center (NCC) – Ministry of Interior, Qatar – 2024 PDF live as of April 2026. Bahrain says its MyGov app provides real-time alerts and siren notifications in emergencies Emergencies – Bahrain National Portal – July 2025. The UAE’s NCEMA stated on 3 March 2026 that early warning systems had been activated and urged the public to rely on official sources The UAE Government reviews the latest developments and current conditions during a media briefing – NCEMA – March 2026.
The relevance of that comparison is not moral grandstanding; it is diagnostic. When neighboring states face missile, drone, or severe-weather threats, the official pattern is to expand warning flows to the population. The Iranian pattern documented in the live source set is to constrict them for the general public while retaining selective control over who may communicate Iran: UN Fact-Finding Mission calls for immediate restoration of internet access and adherence to international human rights law – OHCHR – January 2026 A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. That divergence does not prove intent in a criminal-law sense, but it is strong comparative evidence against the idea that the blackout was merely an unfortunate side effect of crisis administration. A state that prioritizes civilian protection normally multiplies alert pathways; a state that prioritizes control can instead collapse them into a permissioned system.
Red-Team Counterposition
A serious red-team objection would argue that Iran simply confronted a uniquely dangerous environment: hostile cyber pressure, platform exploitation, foreign intelligence harvesting, and domestic unrest occurring in sequence or overlap. On that reading, selective controls, platform blocks, and tighter legal penalties could be interpreted as emergency-state measures rather than proof of population-control intent. That objection deserves weight because states do sometimes fuse cyber defense, counterintelligence, and public-order control during crisis. But the objection weakens in proportion to the evidence that authorities did not merely restrict traffic; they also reportedly punished journalists and defenders through SIM deactivation and linked restoration to pro-government behavior A/HRC/61/60 Advance Unedited Version – OHCHR – March 2026. Those latter features look less like emergency hardening and more like coercive governance.
The strongest current conclusion, therefore, is not that security played no role. It is that security doctrine alone is insufficient. The live evidence better supports a model in which Iranian blackout policy is strategically multifunctional: it can be justified upward as national defense, used inward as protest suppression, and operationalized sideways as a narrative-allocation system that determines which institutions, subscribers, and messages remain reachable. That is why the hybrid regime-security hypothesis receives the highest posterior estimate in this chapter, and why the regional warning-system comparison matters: it shows that governments facing real threats can build systems that warn civilians rather than digitally immobilize them.
Geopolitical Policy Matrix
Digital Sovereignty Leverage, Ceasefire Architecture, and Strategic Enforcement Protocols
Strategic Synthesis
Internet access has evolved from a human rights norm into a kinetic battlespace variable. Current diplomatic frameworks, including the April 2026 ceasefire, risk institutionalizing informational vulnerability by omitting communications restoration from formal de-escalation terms.
| Core Concept | Theme | Leverage Mechanics | Data / Magnitude | Relationships | Implementation Stage | Analytical Insight | Status |
|---|---|---|---|---|---|---|---|
| Access as Battlespace | Doctrine | State control of informational terrain during hostilities | 1% Connectivity Floor | Causal: Repression |
|
Collapses boundaries between protest management and wartime security. | Operational |
| Ceasefire Omission | Diplomacy | Exclusion of connectivity terms from official agreements | 0 Mentions (Public Record) | Risk: Vulnerability |
|
Vulnerability persists beneath the threshold of headline kinetic de-escalation. | Critical |
| Sanctions Toolbox | Enforcement | Treasury/State visa and asset designations | 31 C.F.R. § 560.540 | Synergy: Policy |
|
Moves from episodic designations to presumptive, trigger-based review. | Active |
Civilian Protection Comparison: Early Warning Architectures
POLICY NOTE 2026-A:
Digital rights enforcement must prioritize civilian protection mechanisms (medical access, warning flows) over abstract ideological framing to bypass sovereign security objections and secure verifiable de-escalation.Geopolitical Implications and Policy Leverage — Internet Access as Battlespace, Ceasefire Omission, and the Policy Architecture of Digital Rights Enforcement
The central geopolitical implication of the Iran case is that internet access now functions simultaneously as civilian infrastructure, information terrain, and a coercive instrument of statecraft. This is no longer merely a civil-liberties issue in the narrow domestic sense. The Office of the United Nations High Commissioner for Human Rights has already framed shutdowns as a recurring global practice with broad legal and human-rights consequences, and the Human Rights Council has affirmed that the same rights people possess offline must also be protected online. In doctrinal terms, that means a state-imposed blackout during crisis is not just an administrative communications measure; it is a state intervention in the operational environment through which civilians receive warnings, verify facts, seek medical help, maintain family contact, and document abuses. When those channels are degraded or selectively distributed, the internet becomes part of the battlespace of modern governance itself.
The Iranian case sharpens that conclusion because the blackout pattern spans both protest repression and interstate hostilities. The Special Rapporteur on the situation of human rights in the Islamic Republic of Iran reported in March 2026 that Iranian authorities had imposed a telecommunications shutdown during the wartime crisis, with connectivity reportedly collapsing to approximately one per cent of normal levels, while the Fact-Finding Mission documented that the authorities had also imposed a total communications shutdown during the protest crisis and had linked wartime repression to continued platform blocking, SIM-card disruption, and punishment for alternative forms of information transmission. The implication is strategic: the same network-control tool can be used across domestic unrest and armed conflict, allowing the state to collapse the categories of protest management, counterintelligence, narrative control, and wartime security into a single operational mechanism.
From a geopolitical perspective, this makes connectivity control comparable to control over transport corridors, fuel distribution, or airspace access. A government that can decide who remains connected, which services survive, and whether external visibility persists holds a form of sovereignty leverage that extends beyond censorship in the conventional sense. It can shape domestic perception, reduce external scrutiny, complicate humanitarian signaling, and selectively privilege official or regime-adjacent channels without having to maintain an openly total blackout at all times. The policy consequence is that internet access must be treated by external actors as a core variable in crisis diplomacy, not as an afterthought to missile inventories, nuclear sites, naval deployments, or proxy activity. That proposition aligns with the OHCHR thematic report on shutdowns, which explicitly analyzes their causes, legal implications, and impacts and includes recommended measures for ending shutdowns and minimizing their harm.
The second major implication concerns ceasefire design. The public 8 April 2026 ceasefire record, as currently visible in official sources, centers military de-escalation rather than communications restoration. The U.N. Secretary-General publicly welcomed the announcement of a two-week ceasefire by the United States and Iran, while the contemporaneous White House release stated that Iran had agreed to a ceasefire and the reopening of the Strait of Hormuz as the administration pursued a broader peace agreement. Neither of those publicly visible formulations appears to identify restoration of full internet access, equal access to communications, or reversal of digital discrimination as an announced ceasefire term. That is not proof that the issue was absent from all confidential diplomacy, but it is strong evidence that it was not foregrounded in the official public framework.
That omission matters because what enters the formal ceasefire frame usually determines what is monitored, negotiated, and enforced. When the visible framework names missiles, shipping lanes, or force posture, those become legible objects of implementation. When it omits communications restoration, shutdowns remain politically deniable and administratively elastic. In practical terms, a blackout can then persist beneath the threshold of headline diplomacy even while military violence subsides. The result is a distorted form of de-escalation in which cross-border hostilities may be paused but civilians remain trapped inside a constrained information environment. This is precisely why the internet must be understood as part of contemporary war governance: if it is excluded from ceasefire language, civilian informational vulnerability can survive the formal end of the acute kinetic phase.
The regional comparison underscores the point. Official public-warning systems in nearby states are built around the expansion of alerting, not the contraction of public connectivity. Israel’s Home Front Command operates an official location-based application and public portal for alerts; Saudi Arabia’s National Early Warning Platform uses Cell Broadcast Service to deliver emergency warnings; Kuwait’s General Civil Defence Department publishes differentiated siren guidance for emergency conditions; Qatar’s National Command Center states that it receives warnings through an early warning system and responds in multiple languages; Bahrain’s national portal says its MyGov application provides real-time alerts and siren notifications; and the UAE’s NCEMA said on 3 March 2026 that its early warning systems had been activated and instructed the public to rely on official sources. The relevant contrast is therefore not between “states that care” and “states that do not,” but between two governance models under threat: one disseminates warning information outward to civilians; the other restricts or stratifies access to information under crisis conditions.
That comparative picture produces a straightforward strategic inference: digital rights enforcement in the Iran file should be framed not only as a human-rights demand but also as a civilian-protection measure. This matters for diplomacy because states are often more willing to negotiate over concrete protective mechanisms than over abstract normative language. A demand for “internet freedom” can be rhetorically dismissed as ideological pressure; a demand for restoration of communications sufficient for medical access, family reunification, civilian warning, and emergency information flows is easier to attach to established crisis-management logic. The OHCHR internet-shutdown framework supports this reframing because it situates shutdowns as measures with broad impacts across multiple rights domains, not only expression in the narrow sense.
The third issue is leverage. Existing U.S. authorities already demonstrate that digital repression can be incorporated into sanctions and visa policy. In October 2022, the U.S. Department of the Treasury sanctioned Iranian officials and entities for protests repression and internet censorship, including actors involved in efforts to disrupt digital freedom. In June 2023, Treasury sanctioned Arvan Cloud and expressly cited Executive Order 13846, which authorizes sanctions on persons who engage in censorship or related activities with respect to Iran. In January 2026, OFAC designated senior Iranian officials connected to violent repression and what Treasury described as a communications blackout. In February 2026, the U.S. Department of State announced additional visa restrictions for individuals involved in inhibiting Iranians’ rights to freedom of expression. These measures show that a sanctions-and-visa toolbox for digital repression already exists; the challenge is not invention, but escalation, refinement, and consistent application.
That existing sanctions architecture suggests three concrete policy tracks. First, states can move from episodic designation to shutdown-triggered sanctions, meaning that documented nationwide or near-nationwide blackouts imposed outside a narrowly tailored and lawful emergency framework would generate presumptive sanctions review against responsible ministries, telecom regulators, gateway operators, and senior command officials. Second, states can attach communications-restoration conditionality to diplomatic engagement, including ceasefire monitoring, confidence-building measures, and phased economic talks. Third, governments can combine coercive measures with enabling ones by widening lawful support for communications tools used by ordinary civilians. The U.S. already has a regulatory pathway for this: 31 C.F.R. § 560.540, which superseded General License D-2, is expressly designed to support the provision of communication tools to ordinary Iranians and assist their efforts to resist repressive internet censorship and surveillance. That means the policy toolkit can simultaneously punish blackout architects and widen access to lawful communications services.
The enabling side of the policy ledger is especially important because sanctions without access support can harden isolation rather than relieve it. Treasury stated in September 2022 that General License D-2 was issued to increase support for internet freedom in Iran by updating sanctions guidance to reflect modern technology, and later OFAC guidance clarified that the amended rule authorizes a wide range of internet-based communications tools, including messaging, social networking, collaboration platforms, video conferencing, web maps, user authentication, and certain cloud-based services. In geopolitical terms, this gives outside governments a lawful means of shaping the digital environment without directly breaching their own sanctions architecture. The leverage model, then, is not only punitive. It is punitive plus connective: sanction blackout enforcers while maximizing lawful channels for ordinary users.
There is also a multilateral pathway. Because the Human Rights Council has already condemned violations committed against persons exercising rights on the internet and because OHCHR has already produced a dedicated report on shutdowns and recommended measures for ending them, states do not need to construct a new normative basis from scratch. They can instead treat restoration of public connectivity, cessation of discriminatory shutdown practices, and protection of emergency communications as enforceable benchmarks inside existing U.N. human-rights diplomacy. This would not magically compel compliance, but it would shift the issue from advocacy rhetoric into a monitored framework with established reporting channels, which is often the first step toward more serious accountability.
The red-team objection to this chapter is predictable: attaching internet restoration to ceasefires, sanctions, or diplomatic conditionality might be criticized as unrealistic, hard to verify, or intrusive into sovereign network management during wartime. That objection deserves attention because governments do possess genuine security concerns and because partial restoration can be masked through whitelisting or selective reachability. But that is precisely why policy must move beyond simple “on/off” demands. Verification can focus on observable indicators such as broad restoration of international reachability, non-discriminatory access across major networks, cessation of platform blocking used for political suppression, and the absence of retaliation against users of lawful communications tools. The technical literature already shows that selective survivability and whitelisting leave signatures distinct from normal restoration, so compliance does not need to rely entirely on trust.
The most defensible conclusion is therefore threefold. First, internet access in the Iran file has become a domain of modern warfare and governance because it mediates civilian survival, external scrutiny, and state control at once. Second, the public ceasefire framing visible on 8 April 2026 appears to have omitted communications restoration as a central term, leaving a major civilian vulnerability outside the main diplomatic spotlight. Third, existing policy instruments already permit a more serious response: targeted sanctions for censorship and shutdown enforcement, visa restrictions for responsible officials, communications-support authorizations under existing U.S. sanctions law, and explicit digital-rights conditionality in future negotiations. The infrastructure to treat blackout policy as a geopolitical problem already exists. What remains uncertain is not the availability of tools, but the willingness of states to use them with the same seriousness they apply to missiles, naval lanes, and nuclear files.
Iran’s Blackout Regime
Competing Strategic Explanations
2025–2026 Protest & Wartime Blackouts • U.N. Fact-Finding Mission (A/HRC/61/60) • Hybrid Model Leads at 34%
The live record shows blackouts deployed identically across protests (Dec 2025) and armed conflict (Feb 2026). Selective connectivity, behavior-conditioned restoration, and legal criminalization of alternative channels best fit a hybrid regime-security model that treats civilian connectivity as a governable variable for simultaneous defense and internal control.
| Hypothesis | Core Mechanism | Protest Fit | War Fit | Relationships | Posterior | Insight | Status |
|---|
| Hypothesis | Posterior Estimate | Main Supporting Evidence | Main Weakness |
|---|
