Tech

Three Alternets and a Closed Door: Decree 1667, Shaanxi Telecom and Iran's 48th Day Offline

Within a single week in April 2026, three parallel primary documents crossed the transom: a Shaanxi Telecom notice killing VPN 'airports,' a NetBlocks log ticking Iran past 1,128 hours offline, and the live consequences of Russia's Decree 1667. Read together, they are the clearest available picture of what 'digital sovereignty' has become — a legitimate concept in principle, an infrastructure of surveillance in practice, and a template being exported along the Belt and Road.

By Moemedi Michael PoncanaGlobal10-minute read18 Apr 2026☆ Save ↗ Share ⎙ Print

On Wednesday 16 April 2026, NetBlocks logged Iran's nationwide internet shutdown at its 48th consecutive day — 1,128 hours — making it the longest nationwide disruption ever recorded in any country, at a running cost Afshin Kolahi has estimated at USD 70–80 million a day once indirect losses are counted (Al Jazeera, 5 April 2026; IranWire citing NetBlocks, April 2026). The same afternoon, in a meeting room at 11 Chegongzhuang Avenue in Beijing's Xicheng District, the Cyberspace Administration of China convened a symposium on "General Secretary Xi Jinping's key thoughts on national cyber power" (CAC, calendar notice, 16 April 2026). Eight days earlier, on 8 April, Shaanxi Telecom had circulated an internal notice — subsequently obtained and translated by China Digital Times — instructing its infrastructure customers to terminate, on pain of immediate IP shutdown, "any form of circumvention business," euphemistically known in mainland China as "airports." And six weeks before that, on 1 March, Russian Government Decree No. 1667 — signed by Prime Minister Mikhail Mishustin on 27 October 2025 and in force until 1 March 2032 — formalised Roskomnadzor's authority, alongside the FSB and the Ministry of Digital Development, to reroute traffic in real time and switch the Russian segment into isolation mode on its own signature (Realnoe Vremya, April 2026; TAdviser, April 2026).

The immediate story is three national infrastructures converging. The structural story is that "digital sovereignty" — a concept with a legitimate Westphalian pedigree and real Global-South purchase — has, in the hands of Moscow, Beijing and Tehran, been operationalised as a surveillance architecture whose components are traceable to named decrees, named CAs, named TSPU boxes, and named Chinese vendors. The analytical framework built to understand private-media systems applies here with different legitimations but similar structural outcomes: ownership concentration, sourcing control, the cost of dissent, and ideological framing now operate on both sides of the digital Iron Curtain. The end users are losing in both systems.

What happened this month

In Moscow the enforcement tempo is industrial. Since early 2026, according to a Mediazona investigation summarised in zona.media on 7 April, magistrates' courts in Moscow and St Petersburg have been convicting internet service providers whose traffic bypassed the TSPU ("Technical Means of Countering Threats") deep-packet-inspection boxes that Roskomnadzor has installed at every ISP since the 2019 Sovereign Internet Law. Every case recorded a guilty verdict and a fine. Mass mobile-internet shutdowns — justified as a counter-drone measure — have become a daily feature across the federation. Nearly one million websites are currently subject to pre-trial blocking at the request of Roskomnadzor, the Prosecutor-General's Office and affiliated agencies (Human Rights Watch, "Disrupted, Throttled, and Blocked," July 2025; zona.media, 7 April 2026). The state messenger Max launched in 2025 as the intended domestic replacement for Telegram and WhatsApp; Signal has been blocked since summer 2024; YouTube has been throttled since the same period (Freedom House, Freedom on the Net 2025).

In Beijing the tempo is selective and surgical. The 8 April Shaanxi Telecom notice, dissected by China Digital Times on 9 April and corroborated by Vision Times on 11 April, goes after the supply chain rather than the end user: the commodity IaaS resellers — Qihang CDN the named example — whose bare-metal servers host the OpenVPN, Trojan-Go and Shadowsocks endpoints of the "airport" grey market (advertised at RMB 15–188 a month). Detection by upstream DPI triggers "immediate IP block and server shutdown." The move is consistent with the trajectory Foreign Policy's Matt Sheehan mapped in February: a draft cyber-security-law amendment that raises penalties for circumvention tools and broadens extra-territorial enforcement, effective 1 January 2026 (Foreign Policy, 24 February 2026; Latham & Watkins client advisory, January 2026). Freedom House's 2025 report notes that some Chinese provincial governments now block "ten times more websites than the national-level Great Firewall." The Firewall, in 2026, is federated.

In Tehran the tempo is absolute. Iran's National Information Network (NIN), first conceptualised in 2005 and accelerated after the 2009 Green Movement, is in April 2026 operating as what the Filterwatch research collective has called an "absolute digital isolation" architecture: NIN whitelisting, DPI, Starlink jamming, and a tiered "white SIM" regime granting elites — security-cleared officials, state media, selected influencers — unrestricted access while the rest of the country is funnelled through domestic mirrors of Google, WhatsApp and ChatGPT (Foreign Policy, 24 February 2026; Rest of World, April 2026). Access Now and the #KeepItOn coalition have demanded immediate restoration (Access Now, Rising Repression Meets Global Resistance: Internet Shutdowns in 2025, 31 March 2026). On 6 March Human Rights Watch warned that the shutdown was masking "escalating risks to civilians." The Islamic Revolutionary Guard Corps says it will not lift the blackout until "calm is restored" — PressTV's phrasing, 12 January 2026 — a formulation whose elasticity is the point.

What the primary documents actually say

Three documents are load-bearing. Russia's Decree No. 1667 (27 October 2025, in force 1 March 2026) replaces the 2019 sovereign-internet framework's ad-hoc exercises with a permanent, signed "centralised management of the public communications network." Its operative clauses empower Roskomnadzor to unilaterally reroute traffic, cut off peering with foreign networks, and enforce TSPU compliance on pain of ISP criminal liability. The decree is in force until 1 March 2032 — a seven-year horizon that is itself a legislative declaration: the temporary measure is now permanent furniture. On the trust layer, Russia's Ministry of Digital Development has maintained its own TLS certificate authority (the Russian Trusted Root CA, launched March 2022 after sanctions cut Russian entities off from DigiCert and Sectigo renewals), and Russian browsers Yandex and Atom are shipped with it pre-trusted; Chrome and Firefox are not (EFF, "You Should Not Trust Russia's New Trusted Root CA," 2022; Feisty Duck newsletter 87, 2022). A user inside Russia who resolves Sberbank's domain today does so through a certificate chain the Electronic Frontier Foundation warned four years ago would give the state "the technical ability to intercept HTTPS traffic." Decree 1667 is the routing half of that architecture. The CA is the interception half.

China's primary document for the week is the Shaanxi Telecom notice dated 8 April 2026, first published in redacted form by China Digital Times. It reads as a compliance escalation under the amended Cyber-security Law that took effect on 1 January (Latham & Watkins, "China's Cybersecurity Law Amendments Increase Penalties, Broaden Extraterritorial Enforcement"). What it does is shift enforcement from the end user — historically the weakest point, because individual arrests make international headlines — to the infrastructure layer, where a provincial telecom can liquidate a thousand airport operators before any of their users notices. That is a regulatory design choice. It is also a surveillance-capitalism choice: the same DPI stack that blocks Shadowsocks logs who tried.

Iran's primary documents are two. Article 19's 13 February 2026 report, Tightening the Net: China's Infrastructure of Oppression in Iran, documents that Iran's Supreme Council of Cyberspace — chaired by Ali Khamenei — structurally mirrors China's Cyberspace Administration under Xi Jinping; that ZTE, Huawei, Tiandy and Hikvision continue operations inside Iran through front companies despite sanctions; and that NIN is "closely aligned" with the Great Firewall in design and doctrine. Separately, the Citizen Lab's leaked-document analysis of Russian firm PROTEI's contract with Iranian mobile operator Ariantel, corroborated by Washington Post reporting on 6 March 2026, establishes that Russia is the third vendor in the stack — supplying lawful-intercept software to the same network Chinese vendors built.

The structural frame: sovereignty as ideology filter

The legitimate core of "digital sovereignty" is not hard to state. Milton Mueller's Networks and States (MIT, 2010) and Laura DeNardis's The Global War for Internet Governance (Yale, 2014) both observed that the internet's early architecture embedded a specific political economy — US-incorporated root-zone administration, English-centric naming, private-sector governance through ICANN — which a multipolar world would inevitably contest. Mueller's follow-up, Will the Internet Fragment? (Polity, 2017), defended the legitimacy of Brazilian, Indian and African demands for jurisdictional leverage over the platforms that dominate their publics. The principle that a state has a right to regulate infrastructure on its territory is not a Russian or Chinese invention; it is what Rwanda invokes to require local data residency, what Nigeria invokes to tax Meta, what the EU invokes for its DSA. The ideological move works by riding legitimate concepts across the line into control. "Anti-communism" did this in 1988; "sovereignty" does it in 2026.

Where sovereignty-as-principle ends and sovereignty-as-surveillance begins is a question of primary documents, not rhetoric. Decree 1667's text, Shaanxi Telecom's notice, the Supreme Council of Cyberspace's whitelist architecture: each moves past jurisdictional regulation into what Jonathan Zittrain's The Future of the Internet — And How to Stop It (Yale, 2008) called "tethered appliance-isation" of whole national networks — systems engineered so that permission to speak flows downward from a single regulator. Christopher Yoo's work on network non-neutrality (George Washington Law Review, 2013) predicted the inverse: once intermediate layers of the stack can discriminate among content, the state will eventually discover those layers. Russia, China and Iran have discovered them and legislated against them leaving the jurisdiction.

The multipolar test — and this is the test the Monexus mandate insists on — is whether the Global South should build comparable infrastructure. The answer encoded in the primary record is: the infrastructure is not sovereignty. NIN did not keep the Israeli-US strikes of February 2026 from connecting; it kept Iranian citizens from co-ordinating health services during them. Decree 1667 does not defend the Russian segment from NATO cyber operations; Atlantic Council's Reassessing RuNet brief (2025) notes RuNet remains routable through hundreds of foreign peering points. The Great Firewall does not stop Chinese capital moving abroad; it stops Chinese journalism moving home. Sovereignty means the right to regulate. Surveillance means the capacity to coerce. The three alternets have optimised for the second at the expense of the first.

Historical precedent: from RuNet 2019 to NIN 2026

The arc begins with Russia's 2019 Sovereign Internet Law, passed two years after the Telegram-blocking fiasco of 2017–2018 in which Roskomnadzor's IP-range blocks took down whole chunks of the commercial internet without touching Telegram itself. The lesson the FSB drew was infrastructural: blacklists are brittle; deep-packet inspection, paid for by the state and bolted onto every ISP, is not. The 2019 law authorised TSPU; the 2022 invasion accelerated it; the 2025 decree made it permanent. China's analogous arc is longer — Golden Shield from 1998, the Great Firewall by 2003, the 2017 Cybersecurity Law, the 2021 Data Security Law, the 2026 amendments — but the direction is identical: from user-level enforcement (arresting a blogger) to infrastructure-level enforcement (delisting an ASN). Iran's arc tracks Beijing's at roughly a five-year lag, with Chinese vendors supplying the lift; Article 19's February report is the documentary proof.

What is new in 2026 is not any of the three alternets individually. It is the traceability: every claim above can be linked to a dated decree, a known vendor, a named CA root, a NetBlocks time-series. The opacity has broken down, and with it the plausible deniability that allowed these systems to be described, in diplomatic venues, as ordinary regulation.

What it means for information control going forward

Three implications. First, the vendor layer is where accountability is possible and fragile. Article 19's 13 February recommendation — targeted sanctions on non-Iranian companies supplying the Iranian stack, calibrated to avoid cutting off civil society's own tools — is the operative policy. Chinese vendors are the weakest link because they are the most exposed to secondary-sanctions leverage; Russian vendors like PROTEI are the hardest because Russia is already comprehensively sanctioned. The 2026 hybrid stacks mean targeting one vendor affects all three alternets, which is either a feature or a bug depending on where in the Global South the policy is read.

Second, Article 19's data makes a harder argument about directionality: the "sovereignty" discourse that Global-South governments have legitimately used to push back on US-centric internet governance is being colonised by authoritarian infrastructure vendors who offer a turnkey version. A ministry in Accra or Jakarta that wants local data residency and tax authority over Meta does not structurally need the Shaanxi Telecom architecture. But the Shaanxi Telecom architecture is the version for which training, financing and maintenance contracts are available. That is the export market that should concern the Non-Aligned Movement's 2026 successors more than the UN cyber-norms process does.

Third, and most important for readers outside NATO capitals: the point of the multipolar lens is not to choose a side between Western platform capitalism and authoritarian state capture. It is to name what both arrangements share — the capacity of a small number of unaccountable actors, private or public, to decide what the user sees. Decree 1667 and the Anthropic supply-chain-risk designation are not mirror images; the moral asymmetry is real. But the structural logic is the same: the user is the object, not the subject, of the system. The coercion dynamics are planetary, and "sovereignty" is now the rhetorical envelope into which they are posted.

On 16 April NetBlocks logged Iran at 1,128 hours. On 16 April the CAC held its Xi-Jinping-thought-on-cyber-power symposium. On 16 April Russian ISPs continued paying fines for traffic that escaped a TSPU box. Three states, three legitimations, one architectural pattern. The door is closing and it is closing on the same side.

That is the story.