CONCEPT Cited by 2 sources

Whitelist Internet access

Whitelist Internet access is a censorship architecture in which connectivity is granted by explicit allowance, not denial: only a curated list of approved domains / services is reachable, and only a curated list of users (via approved SIM cards, accounts, or device IDs) is permitted to connect at all. Everything not on the whitelist is silently dropped.

It is the most extreme point on the filtering-based shutdown spectrum — tighter than Great-Firewall-style blacklisting, which permits by default and denies known-bad. Whitelisting flips the default and denies by default, permitting only known-approved.

The canonical form (Iran, 2026)

The February 28, 2026 Iran shutdown was implemented with the whitelist architecture: "'whitelists' and 'white SIM cards' restricting access to only approved Internet sites by selected users." From Cloudflare Radar's vantage point:

  • Traffic from Iran fell to well under 1% of previous levels.
  • Only "small amounts of Web and DNS traffic" egressed the country.
  • IPv4 announcements stayed consistent and IPv6 announcements remained in a "consistently volatile" state. Neither pattern matches a BGP-driven shutdown; both are consistent with edge filtering plus allowlisting.

Why whitelisting over blacklisting

Blacklist-based censorship must enumerate and filter new adversarial surfaces as they appear (new domains, new VPN providers, new protocols). Whitelisting inverts the cost:

  • Filter scope shrinks to a curated permit list — everything else is dropped implicitly, so the censor's operational cost stops growing with the adversary's creativity.
  • Residual traffic is predictable — the population of reachable endpoints is bounded, making load planning and surveillance tractable.
  • Collateral economic damage is dampened — government, military, banking, and critical-service endpoints can stay on the whitelist, preserving state operations while the general population is offline.
  • Politically sustainable for longer — the combination of low collateral damage and tight adversary containment lets the state hold the shutdown for weeks or months, not hours or days.

The trade-off: whitelisting is operationally expensive to stand up initially. Every approved SIM card, every approved domain, every approved service endpoint is a manual (or semi-manual) allowance. Once the list exists, maintaining it is cheap; building it from scratch in an emergency is not. Evidence of a functioning whitelist is therefore also evidence of pre-existing censorship infrastructure.

"White SIM cards"

The white-SIM mechanism binds the allowlist to a physical subscriber identity rather than a dynamic network address. Approved users — government employees, military personnel, key businesses, selected journalists — are issued SIM cards whose IMSI / subscriber profile the operator flags as unrestricted. Everyone else's SIMs are dropped at the carrier edge.

This is a structural barrier to circumvention because the line between "can access the Internet" and "cannot" is drawn at the carrier before any IP-layer shenanigans become possible. VPNs and obfuscation don't help if the SIM itself is rate-limited or null-routed at the carrier.

Detection signature from external observatories

Whitelisting produces a distinctive signal:

  • BGP routes stay announced — the country is still on the global routing table.
  • Traffic collapses to a stable, nonzero floor — usually <1% of baseline — rather than dropping cleanly to zero.
  • The floor is composed of familiar endpoints — disproportionately banks, government portals, payment systems, essential logistics — with the rest conspicuously absent.
  • The duration extends for weeks — whitelisting is operationally sustainable for long durations in a way that cruder mechanisms are not.
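The signature above can be turned into a small classifier over daily measurements. This is an added example, not code from the page's sources or from Cloudflare Radar; the input format, the label names and the three thresholds are assumptions (the page itself only gives "<1% of baseline" and "weeks").

```python
from statistics import median

# Thresholds are assumptions for illustration; the page itself only states
# "<1% of baseline" for the floor and "weeks" for the duration.
FLOOR_MAX = 0.01   # traffic below this share of baseline counts as collapsed
ROUTES_UP = 0.80   # prefix count above this share of baseline counts as announced
MIN_DAYS = 14      # minimum run length treated as "weeks"

def longest_collapse(days):
    """Return the longest consecutive run of days with collapsed traffic."""
    best, run = [], []
    for day in days:
        run = run + [day] if day["traffic"] < FLOOR_MAX else []
        if len(run) > len(best):
            best = run
    return best

def classify(days):
    """days: list of {"traffic": r, "prefixes": r}, both as ratios to baseline."""
    run = longest_collapse(days)
    if not run:
        return "no-collapse"
    if median(d["prefixes"] for d in run) < ROUTES_UP:
        return "route-withdrawal"      # country left the global routing table
    if median(d["traffic"] for d in run) == 0:
        return "filtering-no-floor"    # routes up, but nothing egresses
    if len(run) < MIN_DAYS:
        return "filtering-short"       # floor present, too brief to call
    return "allowlist-consistent"      # routes up, stable nonzero floor, weeks long

# Constructed daily series (not measurement data).
NORMAL = [{"traffic": 1.0, "prefixes": 1.0}] * 7
ALLOWLIST = NORMAL + [{"traffic": 0.006, "prefixes": 0.97}] * 20
WITHDRAWAL = NORMAL + [{"traffic": 0.0, "prefixes": 0.05}] * 3
BRIEF_FILTER = NORMAL + [{"traffic": 0.004, "prefixes": 0.99}] * 2

if __name__ == "__main__":
    for name, series in [("allowlist", ALLOWLIST), ("withdrawal", WITHDRAWAL),
                         ("brief", BRIEF_FILTER), ("normal", NORMAL)]:
        print(name, "->", classify(series))
```

The third bullet (which endpoints make up the floor) is not modelled here; it needs per-destination data rather than aggregate ratios.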

Walk-back is selective by design

Just as the whitelist's selectivity is what makes the shutdown sustainable, that same selectivity is what makes the eventual relaxation diagnostic. When the state lifts a whitelist-based shutdown, it can choose to:

  • Loosen by region — relax the filter at carrier edges in the capital first, leaving rural networks restricted. Iran's May 26 2026 partial restoration was this shape: 91.6% of recovered HTTP requests originated from Tehran. See concepts/capital-localized-internet-restoration.
  • Widen the SIM-cohort allowlist — admit additional subscriber cohorts to white-SIM status. Externally invisible from packet observatories.
  • Expand the approved-domain list — let a bigger set of services through. Visible as new domains appearing in the recovered traffic mix.
  • Lower the rate limit on existing approved cohorts — raises throughput per approved user without admitting new users. Visible as the same source ASNs producing more traffic.

The first option (per-region) is the most externally observable of the four; combined with Cloudflare Radar's per-region breakdown, it produces the capital-localised restoration signature. The whitelist architecture is what makes that selectivity possible — a route-withdrawal shutdown has no equivalent walk-back primitive.
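The three externally visible walk-back shapes can be read off a before/after comparison of request logs. The sketch below is an added example, not code from the page's sources; the row format, the `share_min` and `growth_min` thresholds, and all sample rows (documentation ASNs, `.example` domains) are assumptions constructed for illustration.

```python
from collections import Counter

def totals(snapshot, key):
    """Sum requests per value of `key` over rows of a snapshot."""
    counts = Counter()
    for row in snapshot:
        counts[row[key]] += row["requests"]
    return counts

def walkback_signals(before, after, capital, share_min=0.8, growth_min=2.0):
    """Compare two snapshots and report which walk-back shapes are visible."""
    # Counter subtraction keeps only positive deltas, i.e. recovered traffic.
    gained = totals(after, "region") - totals(before, "region")
    recovered = sum(gained.values())
    share = gained[capital] / recovered if recovered else 0.0
    # Domains present after but not before: approved-domain list expanded.
    new_domains = sorted(set(totals(after, "domain")) - set(totals(before, "domain")))
    # Same source ASNs producing more traffic: consistent with a raised rate limit.
    asn_b, asn_a = totals(before, "asn"), totals(after, "asn")
    grown = sorted(a for a in asn_b if asn_a[a] >= growth_min * asn_b[a])
    return {"capital_share": round(share, 3),
            "regional": share >= share_min,   # loosened by region
            "new_domains": new_domains,
            "grown_asns": grown}

# Constructed snapshots (not measurement data).
BEFORE = [
    {"region": "Tehran", "asn": "AS64500", "domain": "bank.example", "requests": 100},
    {"region": "other-province", "asn": "AS64501", "domain": "gov.example", "requests": 50},
]
AFTER = [
    {"region": "Tehran", "asn": "AS64500", "domain": "bank.example", "requests": 100},
    {"region": "Tehran", "asn": "AS64500", "domain": "news.example", "requests": 900},
    {"region": "other-province", "asn": "AS64501", "domain": "gov.example", "requests": 60},
    {"region": "other-province", "asn": "AS64501", "domain": "news.example", "requests": 20},
]

if __name__ == "__main__":
    print(walkback_signals(BEFORE, AFTER, capital="Tehran"))
```

A widened SIM cohort produces none of these signals on its own, which matches the page's point that it is externally invisible.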

Seen in

  • sources/2026-04-28-cloudflare-q1-2026-internet-disruption-summary — canonical wiki instance; Iran's February 28 2026 nationwide shutdown used "'whitelists' and 'white SIM cards' restricting access to only approved Internet sites by selected users." Traffic fell to <1% of previous levels; the shutdown remained largely in place through late April (two months and counting), making it "one of the longest sustained Internet disruptions observed in recent years." The white-SIM + whitelist pair is the observed mechanism behind that sustainability.
  • sources/2026-05-27-cloudflare-irans-internet-is-partially-restored-cloudflare-radar-data-shows — duration update + first walk-back snapshot. Iran's whitelist-based shutdown reached 87 days before its first partial restoration on May 26 2026. The walk-back was geographically selective (91.6% Tehran-localised, per concepts/capital-localized-internet-restoration) — externally visible evidence that the whitelist architecture supports per-region relaxation as a recovery mode. Whether the loosening involved widening the SIM cohort, expanding approved domains, raising the rate limit, or simply turning off the filter inside Tehran was not externally characterised.