Dictators Used Sandvine Tech to Censor the Internet. The US Finally Did Something About It

When the Egyptian government shut down the internet in 2011 to give itself cover to crush a popular protest movement, it was Nora Younis who got the word out. Younis, then a journalist with daily newspaper Al-Masry Al-Youm, found a working internet connection at the InterContinental Cairo Semiramis Hotel that overlooked Tahrir Square, the heart of the protests. From the balcony, she filmed as protesters were shot and run down with armored vehicles, posting the footage to the newspaper’s website, where it was picked up by global media.

In 2016, with Egypt having slid back into the authoritarianism that prompted the uprising, Younis launched her own media platform, Al-Manassa, which combined citizen journalism with investigative reporting. The following year, Almanassa.com suddenly disappeared from the Egyptian internet, along with a handful of other independent publications. It was still available overseas, but domestic users couldn’t see it. Younis’ team moved their site to a new domain. That, too, was rapidly blocked, so they moved again and were blocked again. After three years and more than a dozen migrations to new domains and subdomains, they asked for help from the Swedish digital forensics nonprofit Qurium, which figured out how the blocks were being implemented—using a network management tool provided by a Canadian tech company called Sandvine.

Sandvine is well known in digital rights circles, but unlike leading villains of the spyware world such as NSO Group or Candiru, it’s often floated below the eyeline of lawmakers and regulators. The company, owned by the private equity group Francisco Partners, mainly sells above-board technology to internet service providers and telecom companies to help them run their networks. But it has often sold that technology to regimes that have abused it, using it to censor, shut down, and surveil activists, journalists, and political opponents.

On Monday, after years of lobbying from digital rights activists, the US Department of Commerce added Sandvine to its Entity List, effectively blacklisting it from doing business with American partners. The department said that the company’s technology was “used in mass-web monitoring and censorship” in Egypt, “contrary to the national security and foreign policy interests of the United States.” Digital rights activists say it’s a major victory because it shows that companies can’t avoid responsibility when they sell potentially dangerous products to clients who are likely to abuse them.

“Better late than never,” Tord Lundström, Qurium’s technical director, says. “Sandvine is a shameless example of how technology is not neutral when seeking profit at all costs.”

”We are aware of the action announced by the US Commerce Department, and we’re working closely with government officials to understand, address, and resolve their concerns,” says Sandvine spokesperson Susana Schwartz. “Sandvine solutions help provide a reliable and safe internet, and we take allegations of misuse very seriously.”

Sandvine’s flagship product is deep packet inspection, or DPI, a common tool used by ISPs and telecom companies to monitor traffic and prioritize certain types of content. DPI lets network administrators see what’s in a packet of data flowing on the network in real time, so it can intercept or divert it. It can be used, for example, to give priority to traffic from streaming services over static web pages or downloads, so that users don’t see glitches in their streams. It has been used in some countries to filter out child sexual abuse images.

But the technology can also be used to divert traffic away from sites or social media platforms and into dead ends, effectively censoring them. It’s the main technology used by Roskomnadzor, the Russian state censor, to shut off or throttle sites the government has banned.

“On paper, it’s technology that has legitimate aims, but it can be abused on a mass scale if it’s given to the wrong hands,” says Marwa Fatafta, Middle East and North Africa policy and advocacy director at digital rights group Access Now, which has been lobbying the US government to take action against Sandvine. “If you’re selling your technology to repressive governments that you know have a dismal record of human rights, you know that your technology will end up being abused.”

This dual use has made authoritarian governments enthusiastic adopters of DPI. In 2017, according to Bloomberg and Qurium, Sandvine was among the tools used by the government in Azerbaijan to black out livestreaming services and social media sites during anti-corruption protests, and to later block access to a major opposition newspaper.

In 2018, the Canadian cybersecurity research center Citizen Lab found that Sandvine’s tools had been used to deploy “nation-state spyware” onto users’ devices in Syria and Turkey.

In 2020, Sandvine’s DPI tool was used to shut down the internet during anti-government protests in Belarus. The outcry that followed led to the company canceling its contract with the government in Minsk. However, Sandvine apparently continued to seek contracts in places that routinely censor the internet. In 2022, a Bloomberg investigation found that the company had been pursuing business in Russia, where the government has been rolling out a massive system of decentralized censorship, often using DPI. Sandvine has reportedly now largely pulled out of the Russian market after sanctions were imposed on the country following the full-scale invasion of Ukraine.

In Egypt, Sandvine has provided a key tool in the government’s attempt to strangle independent voices, allegedly helping to block hundreds of sites, including Al-Manassa. The impact has been devastating for independent sites, Younis says. The constant disruption has cut them off from audiences and revenue streams, making it hard to sustain themselves financially. Many independent media outlets have shut down.

“This, of course, has definitely had a lot of impact on people’s awareness in access to information and their ability to hold officials accountable,” Younis says. “There are parliamentary elections, presidential elections—many times where maybe things would have been different if there was free access to information.”

The technical censorship is only part of the Egyptian government’s far broader crackdown on independent media and political opponents, which includes physical and legal intimidation. But Younis, like others, thought that the involvement of a Western tech company meant that she might have an avenue to seek redress. Two years ago, she started speaking with rights groups in Canada and the US to try to figure out whether she could sue Sandvine, which has never responded to any of her requests to speak. She was advised against it, on the grounds that she could open herself up to expensive counter-litigation. She lobbied Canadian diplomats, who were sympathetic but said they couldn’t help. “Their heart’s in the right place, but they say that the laws in Canada don’t work like that,” she says.

This speaks to the difficulty in regulating so-called dual-use technologies—tools whose danger depends on the context in which they’re deployed. In the US and European Union, lawmakers have begun to expand older restrictions covering dual-use technologies that could be used as, or to build, weapons to cover surveillance and censorship. But the process has been slow. NSO Group, whose Pegasus spyware has been implicated in the surveillance of hundreds of human rights activists, journalists, and politicians all over the world, was added to the Entity List only in late 2021, years after the scandal broke.

Victims of the censorship tools, including Younis, had little hope that Sandvine would be sanctioned, and Monday’s announcement took them by surprise. (Qurium’s Lundström’s first response via Signal on Tuesday morning was simply: “Oh fucking yeah.”)

Being added to the Entity List means that any American company that wants to work with Sandvine will need to seek a special license. “It is essentially a ban,” says Natalia Krapiva, tech legal counsel at Access Now. “There is a presumption that [licenses] will not be approved.”

That means Sandvine could struggle to access US technology services and infrastructure.

“It’s a big deal for companies to be going and asking for a license to do business with a company that the US government says represents a risk to our national security interests and foreign policy,” Krapiva says.

The Department of Commerce’s decision is, she adds, “hugely significant. It is a huge victory for all of us: civil society, victims of this technology, and the regimes that they were supplying into. … [Sandvine] could have stuck with sort of normal, civilian purposes. Instead, they chose to sell to dictators and facilitate censorship and repression. And so finally, they paid some price.”