Sandvine Pulls Back From Russia as US, EU Tighten Control on Technology It Sells

(Bloomberg) — In 2017, the Canadian technology firm Sandvine merged with a Silicon Valley rival, Procera Networks. Both companies sold a powerful internet monitoring tool called deep packet inspection technology that can manage network traffic, block malware and spam and — more controversially — be used by national governments to censor the web. Following the merger, Sandvine relocated its headquarters to the US and started marketing itself in a country that it had tried and failed to crack during its 20-year history: Russia.

During meetings and product demonstrations in Moscow in 2018, Sandvine representatives promoted the advantages of deep packet inspection. They told prospective clients that it could be used to block or slow access to specific websites, discover the location of particular people and support local law enforcement, according to company documents reviewed by Bloomberg News and three people familiar with the matter.

The company ultimately struck deals to sell its equipment to two telecommunications providers: Megafon, Russia’s second-largest mobile operator, and Tele2 Russia, a company controlled by the Russian government, according to internal records. Since Russia’s invasion of Ukraine, Sandvine has pulled back on its Russia work, stopping all sales in the country, a spokesperson said. In addition, the spokesperson said the company’s equipment was used in Russia for billing and “quality of service” and not to censor the internet.

Sandvine’s experience in Russia comes amid a broader reckoning on the use of deep packet inspection equipment. The technology has many legitimate uses, but it has also been deployed in other countries, including Belarus, Egypt and Jordan, for internet censorship, Bloomberg News has reported.

Before the company pulled out of Russia and even since then, some Sandvine employees have expressed concerns during internal meetings that the company’s technology could be used in the country to enable censorship, according to three people familiar with the discussions. And at least three articles detailing some of Sandvine’s business ties to Russia were removed from the company’s website, according to the people.

More generally, the US Commerce Department recently finalized a rule that would control the export of deep packet inspection systems that could enable “large-scale government surveillance,” according to a department spokesperson. Such controls are needed from many allied countries, the spokesperson said, “in order to keep sensitive technologies out of dangerous hands.”

Last year, the EU introduced export controls on deep packet inspection equipment and other technologies, though the new rules apply primarily to governments and their proxies and not to commercial uses.

It’s not clear how the new export rules would impact Sandvine, which has deferred to customers on what websites should be blocked, not wanting to play “world police,” according to records reviewed by Bloomberg.

A company spokesperson declined to comment on the new government edicts, or on the articles that were allegedly removed from the company’s website.

The goal of the company’s equipment, the spokesperson said, is “to make the internet work more smoothly.” Local authorities often seek to remove illegal or objectionable content, such as child pornography, the spokesperson said. “National views on other types of content (content for mature audiences, gambling) may vary and Sandvine recognizes the rights of nations to implement their own social norms.” 

Sandvine never agreed to provide censorship tools in Russia, the spokesperson said. If a company tried to reconfigure the technology for that purpose, Sandvine would have considered it a misuse and terminated the contract, the spokesperson said.

Natalia Krapiva, legal counsel for the digital rights group Access Now, said it’s difficult to monitor how Russian-controlled businesses use technologies such as Sandvine’s. “Sandvine put its trust in a Russian state-controlled company not to abuse the equipment,” she said.

“This repression has been going on for years,” she added. “It wasn’t a secret for anyone.”

Sandvine’s business in Russia highlighted a need for tougher controls on exports of US technologies, said Michael McFaul, former US ambassador to Russia and director of Stanford’s Freeman Spogli Institute for International Studies. Failure to do so, he said, would undermine the Biden administration’s reported efforts to counter advances in Chinese technology and stop the spread of its authoritarian governance model.

“If the Biden administration wants to have credibility in trying to block the sale of Chinese surveillance technologies to autocracies, Washington must do more to stop the sale of American technologies to dictators,” McFaul said. “It’s that simple.”

A representative for Russia’s Foreign Ministry didn’t respond to a request for comment.

In August 2020, Bloomberg reported that the government of Belarus used Sandvine’s equipment to restrict access to outside news and social-media websites during the country’s disputed presidential election. Afterward, Sandvine cut ties with the country, saying that it abhors the “use of technology to suppress the free flow of information resulting in human-rights violations.”

A subsequent Bloomberg investigation, in October 2020, found that Sandvine’s equipment was used to block an LGBTQ website in Jordan and independent news sites in Egypt, in addition to being deployed for a social media blackout in Azerbaijan.

Markéta Gregorová, a member of the European parliament, said deep packet inspection equipment was mentioned in the EU’s regulation because of the abuse of Sandvine’s equipment in Belarus. 

Sandvine, founded in 2001 in Waterloo, Canada, tried for years to sell to leading telecommunications providers in Russia but backed off after it became clear it would have to follow government censorship requirements, said Don Bowman, a co-founder of Sandvine who is no longer with the company.

“They had some sort of global blacklist,” said Bowman, referring to the Russian government. He added that Canadian export controls may have prevented such deals. Prospective Russian clients were also asking for the ability to track emails and messages sent using the social media app Telegram, “and we didn’t have that technical capability,” Bowman said.

In 2017, Sandvine was acquired by Francisco Partners, which merged Sandvine with another company, Procera Networks, that sold deep packet inspection technology. Procera, for its part, had established a foothold in Russia in 2012, deploying its equipment in telecommunications networks across the country in what it described at the time as the first installation of its kind.

Following the Francisco Partners takeover, Sandvine began pursuing deals in Russia again, using Procera’s network of contacts as a way into the market, according to four people familiar with the company’s business in the country.

A representative for Francisco Partners said Sandvine “has never had a big presence in Russia” and added that Francisco had “directed its portfolio companies to cease all business in Russia and exit the market” following the Ukraine invasion.

Alexey Telkov, Tele2 Russia’s chief technology officer, said his company began integrating Sandvine equipment about four years ago; a second phase of the project was completed in 2020, according to the documents. He said in a recent interview that the company originally intended to use Sandvine’s gear partly to enforce government internet censorship blacklists. The telecom had problems installing Sandvine’s equipment, he said, adding that it ended up being used to manage network traffic and ensure customers pay correct fees for internet use. A MegaFon representative didn’t respond to requests for comment.

While Sandvine says it has monitored its technology to ensure it wasn’t misused, the spokesperson acknowledged it was worried about that possibility. In 2021, as Russia tightened its grip on internet freedoms, Sandvine’s senior executives held meetings with Tele2 and Megafon and “received assurances” that Sandvine’s technology “was not and would not be misused in order to aid Russia’s internet censorship,” according to the Sandvine spokesperson. The meetings had been arranged after “it became known that the Russian government was using internet blocking technology to suppress free speech,” the spokesperson added.

In addition, Sandvine has a business ethics committee to ensure oversight of sales, according to the spokesperson.

However, an internal document presented during an ethics committee meeting in 2020, which was reviewed by Bloomberg, shows that censorship isn’t the purview of that committee. “Every sovereign country dictates its own policy in what to allow or not allow,” the document says.  

About the time Sandvine’s deals in Russia were being rolled out, its chief technical officer, Alexander Haväng, told the ethics committee that it wouldn’t be able to control customers’ use of the technology to block access to websites. “We want to control our products to the furthest extent that we can to protect against legal, ethical and reputational risk. The problem is, we don’t want to play world police,” Haväng said, according to a recording reviewed by Bloomberg.

Last June, Haväng praised Russia’s internet regulator on LinkedIn after it fined Facebook and Telegram for failing to remove content banned by Russia’s government.

“In the ‘my-country-my-rules-and-I-will-keep-my-country-safe-first’ corner today we find Russia,” according to the post, which was later deleted. “All governments have the safety and security of their citizens and the sovereignty of their nation as priority #1, not profits.”

The Sandvine spokesperson said Haväng’s post didn’t represent Sandvine’s view.

While Sandvine’s work has received recent scrutiny, there are many other manufacturers of deep packet inspection equipment. In 2012, Wired reported that California-based Cisco Systems Inc., Israel’s Allot and China’s Huawei Technologies Co. sold deep packet inspection equipment to Russia. In response to questions for this article, Amy Lucas, a Cisco spokesperson, declined to comment on specific sales in Russia, but said the company “is stopping all business operations, including sales and services, in Russia and Belarus for the foreseeable future.” Allot and Huawei declined to comment.

Researchers at Censored Planet, a group at the University of Michigan that monitors internet censorship, reported in 2019 that internet providers in Russia were building a “national censorship apparatus” using commercially available deep packet inspection equipment. The researchers said they had identified more than 130,000 websites that Russia has blacklisted, which included some news and politics websites. Russia has only stepped up those restrictions since invading Ukraine. In late February, the country began blocking platforms such as Facebook and Twitter, later expanding that effort to cover several Western news websites, according to Alp Toker, director of London-based internet monitoring firm NetBlocks.

Such restrictions in Russia and elsewhere are what prompted governments on both sides of the Atlantic to try to control the technology that may be facilitating the repression. Gregorová, the European parliament member, led the effort in the EU to reform export regulations for so-called dual-use technology, which can be used for civilian and military purposes. Even so, she said the EU rules leave too much gray area because in some cases the onus remains on the customer not to abuse the equipment.

“How do you differentiate commercial use from evil use?” she asked. “In the end, it’s in the hands of the customer.” 

©2022 Bloomberg L.P.
