Cybersecurity News & Analysis · github defconxt · © 2026 · blacktemple.net

Sandvine

Also known as: Sandvine Incorporated · Procera Networks

HQ Country: Canada
Category: surveillance tech
Threat Score: 73/100
Incidents: 9
Known Clients: Egyptian government, Turkish government, Belarusian government, UAE Etisalat, major ISPs worldwide, various Middle Eastern governments
Deployment Countries: CA, US, EG, TR, BY, AE, SA, PK, JO, AL, AZ
References: Citizen Lab: Sandvine Internet Censorship; U.S. Commerce Department Entity List (2024); Bloomberg: Sandvine Egypt Surveillance

Threat Score Factor Analysis

Overall Threat Score: 73/100

Overview

Sandvine Incorporated is a Canadian network equipment company specializing in deep packet inspection (DPI) technology and network policy enforcement. Founded in 2001 and headquartered in Waterloo, Ontario, the company was originally focused on legitimate network management, traffic shaping, bandwidth optimization, and quality of service for ISPs.

The company's trajectory changed significantly in 2017 when private equity firm Francisco Partners acquired Sandvine and merged it with Procera Networks, another DPI vendor. Francisco Partners is the same firm that owned a controlling stake in NSO Group from 2014 to 2019, creating a private equity portfolio that simultaneously included two of the most controversial surveillance technology companies in the world.

Sandvine's PacketLogic platform provides ISPs and governments with the ability to inspect, classify, and manipulate internet traffic in real time at line speed. While marketed primarily as network management and optimization tools, enabling traffic shaping, bandwidth management, and quality of service, the same deep packet inspection capabilities have been documented enabling internet censorship, population-scale surveillance, and the active deployment of government spyware in countries with authoritarian governments.

The dual-use nature of DPI technology means that tools sold for "network management" can be configured for mass surveillance, content censorship, and even offensive cyber operations with minimal modification. The technical capabilities are identical; only the policy configuration determines whether the equipment optimizes Netflix streaming or blocks independent journalism.

In February 2024, the U.S. Commerce Department placed Sandvine on the Entity List for enabling human rights abuses, specifically citing the company's role in internet censorship in Egypt. This was a landmark action: the first time a network equipment company was designated for enabling internet censorship rather than offensive hacking capabilities. The Entity List designation effectively cuts Sandvine off from U.S. technology supply chains, prohibiting American companies from selling components or technology to Sandvine without a special license.

Data Collection Practices

Sandvine's deep packet inspection technology provides comprehensive visibility into internet traffic at a scale that dwarfs endpoint surveillance tools:

Deep packet inspection analyzes the content and metadata of every data packet traversing a network, identifying the application, protocol, content type, and often the specific content of internet communications. DPI can inspect traffic from:

  • Web browsing (HTTP and HTTPS metadata)
  • Social media platforms
  • Messaging applications
  • Email in transit
  • Video and audio streaming services
  • VoIP and video calling
  • File sharing and cloud storage
  • VPN and circumvention tool usage

When deployed at ISP or national gateway level, Sandvine's DPI technology can monitor the internet activity of an entire country's population simultaneously.

Traffic classification categorizes all internet activity by application, protocol, and content type. This creates a comprehensive view of what every user on a network is doing online, which websites they visit, which apps they use, what content they consume, who they communicate with, and when they are active.

The classification engine identifies thousands of applications and protocols, enabling granular control over internet traffic. This capability is what makes Sandvine equipment equally useful for ISP quality-of-service management and government censorship: the same classification that prioritizes video streaming traffic can also identify and block access to opposition news websites.

Network-level surveillance through PacketLogic provides the ability to monitor internet activity of entire populations when deployed at ISP or national gateway level. In Egypt, Sandvine equipment was deployed at major ISP connection points operated by Telecom Egypt, providing visibility into the internet activity of tens of millions of users.

Unlike endpoint surveillance (which requires compromising individual devices), network-level DPI provides passive surveillance of all traffic without any interaction with or modification of target devices. Users have no way to detect that their traffic is being inspected.

Content manipulation capabilities go beyond passive monitoring. PacketLogic can actively modify internet traffic in transit:

  • Inject content into unencrypted HTTP sessions
  • Redirect users to different websites (used for spyware delivery)
  • Modify web pages in transit (used for cryptocurrency mining injection)
  • Block access to specific URLs, domains, or IP addresses
  • Throttle or degrade specific services (used during protests to disable social media)
  • Insert tracking identifiers into web requests

This active manipulation capability transforms Sandvine from a monitoring tool into an offensive weapon capable of delivering malware, stealing credentials, and controlling information access for entire populations.
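As an added illustration of the HTTP content-injection capability listed above (example code written for this page, not Sandvine's or the site's own; the sample pages and the host `injector.example` are constructed placeholders): one way a defender or measurement researcher detects in-transit script injection is to fetch the same URL over a trusted path and diff the active elements of the two copies.

```python
from html.parser import HTMLParser


class _ActiveContent(HTMLParser):
    """Collect script/iframe elements, the tags an in-path injector typically adds."""

    def __init__(self):
        super().__init__()
        self.elements = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.elements.append((tag, tuple(sorted(attrs))))
        self._in_script = tag == "script"

    def handle_data(self, data):
        if self._in_script and data.strip():          # inline script body
            self.elements.append(("script-inline", data.strip()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def active_elements(html):
    parser = _ActiveContent()
    parser.feed(html)
    parser.close()
    return parser.elements


def injected_elements(reference_html, observed_html):
    """Return elements present in the page as observed over plain HTTP but absent from
    a reference copy of the same URL fetched over a trusted path (e.g. HTTPS or a VPN)."""
    expected = set(active_elements(reference_html))
    return [e for e in active_elements(observed_html) if e not in expected]


# Constructed sample pages, not captured traffic. The observed copy carries one extra
# script tag pointing at a placeholder host: the shape of a mining-script injection.
REFERENCE = ('<html><head><script src="/static/app.js"></script></head>'
             '<body><p>news</p></body></html>')
OBSERVED = ('<html><head><script src="/static/app.js"></script></head>'
            '<body><p>news</p><script src="http://injector.example/miner.js"></script>'
            '</body></html>')

if __name__ == "__main__":
    for element in injected_elements(REFERENCE, OBSERVED):
        print("injected:", element)
```

The same diff works for iframes and inline scripts, which is how affiliate-redirect and miner injections usually surface; an empty result for an HTTP/HTTPS pair is the expected healthy case.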

Encrypted traffic analysis through metadata analysis, traffic pattern recognition, and Server Name Indication (SNI) inspection allows Sandvine equipment to identify and classify encrypted traffic. Even when content encryption (HTTPS/TLS) prevents reading the actual data, Sandvine can determine:

  • Which websites and services users access (via SNI and DNS metadata)
  • When they access them and for how long
  • How much data is transferred
  • Traffic patterns that identify specific applications
  • VPN and circumvention tool usage (enabling selective blocking)

Known Clients & Government Contracts

Sandvine's clients include ISPs and governments worldwide, with a documented pattern of deployment in countries with authoritarian governance:

Egypt represents the most thoroughly documented case of Sandvine equipment being used for surveillance and censorship. Citizen Lab's 2018 "Bad Traffic" investigation revealed that Sandvine PacketLogic devices were deployed in Egypt's telecommunications infrastructure to:

  • Block access to over 500 websites including Al Jazeera, HuffPost Arabic, Mada Masr (independent Egyptian journalism), and Human Rights Watch
  • Redirect users to pages containing affiliate advertising, generating revenue from manipulated traffic
  • Inject cryptocurrency mining scripts into users' web browsing sessions, hijacking their computing resources
  • Block VPN services and circumvention tools

The censorship infrastructure affects tens of millions of Egyptian internet users and has been in continuous operation since at least 2018.

Turkey used Sandvine/Procera Networks equipment for some of the most aggressive documented uses of DPI technology. Citizen Lab documented that PacketLogic devices in Turkey performed network injection attacks to distribute FinFisher spyware to targeted users, redirecting targets' legitimate download requests to deliver malware instead of the intended software.

This technique, known as "network injection", is particularly insidious because the target believes they are downloading legitimate software from a trusted source. The redirection occurs invisibly at the ISP level.

Turkey also used the equipment to censor opposition media, block Wikipedia (2017-2020), throttle Twitter and social media during political crises, and monitor journalists and political opposition.

Belarus deployed Sandvine technology for internet throttling and service disruption during the mass pro-democracy protests following the disputed August 2020 presidential election.

The equipment was used to restrict access to:

  • Independent media outlets reporting on election irregularities
  • Social platforms, particularly Telegram (used for protest coordination)
  • VPN services that would allow circumvention of censorship
  • Messaging applications used for civilian communication

The internet restrictions during the Belarus protests directly impaired the ability of citizens to document police violence, coordinate peaceful assembly, and communicate with the outside world.

UAE and Saudi Arabia have deployed Sandvine equipment for network management and content filtering. In both countries, content filtering extends well beyond traditional ISP management to include:

  • Censorship of political speech and government criticism
  • Blocking of LGBTQ+ content and advocacy
  • Suppression of independent journalism
  • Monitoring of human rights defenders and activists

Pakistan has used DPI technology compatible with Sandvine's products for internet throttling and content censorship, particularly targeting social media platforms and messaging services during politically sensitive periods.

Major ISPs worldwide use Sandvine for legitimate network management purposes including traffic optimization, bandwidth allocation, and quality of service management.

The commercial ISP market represents the majority of Sandvine's revenue and provides the commercial justification for the company's existence. The surveillance and censorship deployments represent a smaller but far more consequential portion of the business, both in terms of human rights impact and, ultimately, in the regulatory consequences that led to the Entity List designation.

Privacy Incidents & Litigation

Citizen Lab "Bad Traffic" Investigation (March 2018): Citizen Lab researchers at the University of Toronto published their landmark investigation documenting that Sandvine PacketLogic devices were being used in Turkey to redirect targets to government spyware (FinFisher), and in Egypt to inject cryptocurrency mining and affiliate advertising scripts into users' web traffic.

This was the first public documentation of Sandvine equipment being used for offensive purposes. The research was conducted through network measurement techniques that identified the specific hardware and software involved, providing irrefutable technical evidence.

Sandvine initially disputed the findings, issuing a statement claiming the report was "misleading" and denying that its technology was used for the purposes documented by Citizen Lab.

This denial was contradicted by the technical evidence (Citizen Lab's researchers identified specific PacketLogic device signatures in the network traffic) and was later independently confirmed by additional researchers, by Bloomberg's own investigation, and ultimately by the U.S. government's Entity List designation.

Egypt Internet Censorship (2018-present): Sandvine equipment in Egypt has been used to block access to over 500 websites, including:

  • News organizations: Al Jazeera, HuffPost Arabic, Mada Masr, Daily News Egypt
  • Human rights organizations: Human Rights Watch, Reporters Without Borders
  • VPN providers and circumvention tools: Tor Project, multiple commercial VPNs
  • Political opposition and civil society websites

The censorship infrastructure affects tens of millions of Egyptian internet users and operates without judicial oversight or transparency.

U.S. Commerce Department Entity List (February 2024): The Commerce Department's Bureau of Industry and Security placed Sandvine on the Entity List, finding that the company's technology was used to "enable mass web monitoring and censorship to the detriment of human rights."

This designation was historic: the first time a network equipment company was blacklisted specifically for enabling internet censorship. The Entity List placement effectively cuts Sandvine off from American technology supply chains, preventing U.S. companies from selling components, software, or technology to Sandvine without a special license.

Belarus Internet Shutdown (August 2020): During mass protests against the Lukashenko regime following a disputed election, Sandvine equipment was used to implement internet throttling and selective service disruption targeting social media and messaging platforms. Telegram, which protesters used for coordination, was specifically targeted.

The internet restrictions during the protests contributed to an information blackout that impaired documentation of police violence and complicated international observation of the crisis.

Spyware Deployment Infrastructure: Sandvine's network injection capabilities have been documented as the delivery mechanism for government spyware in multiple countries. By redirecting download requests at the network level, Sandvine equipment can serve malware to targeted users without any interaction with or modification of their devices.

This makes Sandvine equipment a critical upstream component of state-sponsored malware campaigns: without the network injection capability, delivering spyware like FinFisher requires more complex and more detectable methods.

Francisco Partners Ownership Controversy: Sandvine's parent company, Francisco Partners, also invested in NSO Group (2014-2019), creating a private equity portfolio that included multiple surveillance technology companies used for human rights abuses.

Bloomberg's 2020 investigation documented that Francisco Partners faced pressure from investors and civil society organizations to divest its surveillance technology holdings, but the firm's response was slow and focused on reputation management rather than substantive change.

Qurium/Media Foundation Reports: The Swedish digital rights organization Qurium (Media Foundation) has published multiple technical reports documenting Sandvine equipment's role in internet censorship and surveillance across multiple countries, providing independent corroboration of Citizen Lab's findings and documenting additional deployments.

Access Now Internet Shutdown Documentation: The digital rights organization Access Now has documented Sandvine equipment's role in internet shutdowns and throttling events across multiple countries, adding to the body of evidence about the company's technology being used to suppress information access during politically sensitive periods.

Threat Score Analysis

Sandvine receives a composite threat score of 73/100, reflecting its role in enabling network-level surveillance and internet censorship at population scale:

  • Data Collection (80/100): Deep packet inspection provides complete visibility into internet traffic, enabling the monitoring of all online activity for entire national populations when deployed at ISP or gateway level. The technology's ability to inspect encrypted traffic metadata extends its surveillance capabilities even as encryption adoption grows. No endpoint compromise is needed: the surveillance is entirely passive and undetectable by targets.

  • Third-Party Sharing (72/100): Sandvine sells DPI technology to governments with documented records of internet censorship and surveillance, including Egypt, Turkey, and Belarus. The technology effectively shares private internet activity data with government surveillance programs on a population-wide basis.

  • Breach History (45/100): Sandvine's own systems have not suffered major documented breaches. However, the network-level deployment of its technology creates a systemic vulnerability: compromise of PacketLogic infrastructure at an ISP could expose the internet activity of millions of users. The active content manipulation capability means that a compromised Sandvine deployment could be weaponized to inject malware into the traffic of an entire ISP's customer base.

  • Government Contracts (80/100): Sandvine's technology is deployed by governments for censorship and surveillance purposes, serving as critical infrastructure for internet control in authoritarian states. The U.S. Entity List designation confirms the severity of its government surveillance enablement: the U.S. government itself has determined that Sandvine's technology enables human rights abuses.

  • Transparency (25/100): Sandvine provides minimal transparency about its government clients or the human rights impact of its technology. The company initially denied Citizen Lab's findings before they were independently confirmed. Post-Entity-List restructuring efforts have focused on corporate governance changes, but the effectiveness of these reforms remains to be demonstrated.

Weighted calculation: (80 * 0.25) + (72 * 0.25) + (45 * 0.20) + (80 * 0.15) + (25 * 0.15) = 20 + 18 + 9 + 12 + 3.75 = 62.75, adjusted to 73 due to the population-scale surveillance impact, documented role in enabling internet censorship and spyware deployment, and the U.S. government's own determination that the technology enables human rights abuses.

Transparency & Accountability

Sandvine's transparency record is poor, characterized by denial, delay, and minimal disclosure.

The company initially denied Citizen Lab's 2018 findings about its technology being used for surveillance and censorship, issuing a statement calling the report "misleading." This denial was contradicted by irrefutable technical evidence and later confirmed by independent researchers, Bloomberg's investigation, and ultimately the U.S. government's Entity List designation.

Following the U.S. Entity List designation in February 2024, Sandvine's management announced corporate governance changes and hired a new compliance team. However, the effectiveness of these reforms remains to be demonstrated, and the designation itself suggests that years of self-regulation and voluntary measures were insufficient.

The dual-use nature of DPI technology presents a fundamental accountability challenge. The same equipment that manages legitimate network traffic can monitor, censor, and manipulate communications for entire populations.

Sandvine has argued that it cannot control how customers use its products, but this defense has been explicitly rejected by the U.S. Commerce Department, which found that the company knew or should have known about the abusive deployments.

The Francisco Partners ownership connection illustrates a broader problem in the surveillance technology ecosystem: private equity firms can acquire multiple surveillance companies, extract profit from sales to authoritarian governments, and face minimal accountability for the human rights consequences. The Entity List designation represents one of the first meaningful consequences for a network equipment company enabling censorship, but it came six years after the abuses were publicly documented by Citizen Lab.

The Sandvine case demonstrates that the surveillance technology industry's preferred framework of self-regulation, voluntary human rights commitments, and export control reliance is insufficient to prevent the most severe abuses. Meaningful accountability required a U.S. government enforcement action that directly threatened the company's commercial viability, not internal ethics processes, not industry self-regulation, and not voluntary transparency initiatives.
