The International Spy Network ‘Sandvine’: Why Cutting Ties with the el-Sisi Regime?

Sandvine, a company that sells surveillance spyware enabling authoritarian regimes to hack into, and spy on their citizens, has announced that it will cease its dealings with 56 “non-democratic” countries, including Egypt, as part of a “comprehensive reform process.”

The company, accused of profiting from the torture and oppression of citizens in several repressive countries, claimed that its plans to stop dealing with non-democratic countries aim to prevent the misuse of its technology, claiming that it will now focus on working exclusively with democratic nations.

In a bid to demonstrate its positive change, Sandvine announced the resignation of its CEO, Lyndon Cantor, who will be replaced by a “human rights-focused director.” The company also pledged to donate 1% of its future profits to organizations dedicated to protecting internet freedom and addressing human rights violations.

However, in reality, Sandvine faced an economic crisis and a decline in its business following the sanctions imposed by the U.S. Department of Commerce in February 2024. These sanctions were a consequence of the company’s role in providing internet surveillance equipment and blocking websites for the Egyptian regime.

The company’s involvement in the repression carried out by the Egyptian regime under President Abdel Fattah el-Sisi was exposed by newspapers and human rights organizations, tarnishing its reputation. It is believed that Sandvine altered its policy for economic pressures rather than humanitarian or human rights concerns.

Why Egypt?

The company, which was founded in Canada, published a statement on September 19, 2024, claiming that it now wants to be a “leader in technology solutions for democracies.”

As part of this new strategy, the company stated, ”We have already exited 32 countries and are in the process of exiting an additional 24 countries, with an end-of-service date of March 31, 2025.”

Sandvine did not disclose the 56 countries it has exited or plans to stop working with, but strangely, it specifically mentioned “Egypt.” The company pledged to terminate its dealing with Egypt and leave it by the end of March 2025, without clarifying the fate of the surveillance and spying devices it had previously sold to the Egyptian regime.

Egypt was previously classified among 12 countries that used the Canadian company’s technologies to impose censorship on content published on the Internet.

This came after the announcement that the company was linked to an attempt to hack the phone of the former parliamentarian, currently imprisoned, Ahmed Eltantawy, during the recent presidential election race, according to Bloomberg on September 26, 2023.

It was found that one of the two Egyptian telecommunications companies, Vodafone or Telecom Egypt, was involved in the crime of eavesdropping on Eltantawy’s mobile phone as one of their clients.

This hacking was carried out by installing a device manufactured by Sandvine, which injects malware that the Egyptian government purchased from the Israeli company "NSO" to hack Eltantawy’s phone.

The Citizen Lab at the University of Toronto conducted an extensive investigation into Egyptian security agencies spying on Eltantawy’s iPhone on September 14, 2023, through a series of attacks using the ‘Predator spyware.’

The Predator software can take screenshots and monitor the mobile user's inputs in addition to operating the microphone and camera.

This software enables mobile attackers to monitor all activities on and around the device, such as room conversations, and it can record messages as they are being sent and received, even through encrypted or disappearing messaging applications such as WhatsApp and Telegram, as well as encrypted Internet and phone calls.

In 2020, it was revealed that the Egyptian authorities were using technology produced by the same Canadian company Sandvine to block websites.

On September 26, 2023, Bloomberg reported that Sandvine had achieved sales worth more than $30 million in Egypt, from selling its blocking and monitoring technologies to various entities, including the National Telecommunications Regulatory Authority, Vodafone Egypt, and the Ministry of Defense.

The report explained that one of the company's largest sales ever was a deal worth more than $10 million that it concluded in 2020 with the government-owned Telecom Egypt, according to the documents.

In addition to supplying Vodafone Egypt with Deep Packet Inspection (DPI), a technology used to analyze data transmitted over a network, the company also trained Egyptian telecom employees on how to use the technology between 2020 and 2021, according to internal company documents. Researchers from Curium Media, a digital rights organization, confirmed in September 2020 that Sandvine’s technology had been used to help the Egyptian government block more than 600 websites, including 100 news and media sites.

Underlying reasons?

Sandvine said that it based its decision to withdraw from dozens of countries on a review of its operations based on the Economist Intelligence Unit’s (independent) “Democracy Index” issued in February 2023, which ranks countries based on “regime type.”

In its statement about ceasing dealings with authoritarian regimes, Sandvine said that it made this decision “in consultation with the U.S. Department of Commerce, the U.S. Department of State, and other key members of the U.S. government.”

This means that it succumbed to US pressure to lift US sanctions on it and resume its economic activity after it was hindered by these sanctions, coinciding with its announcement of these reforms in its field of work.

On February 26, 2024, the United States included Sandvine on the trade restrictions list due to its assistance to the Egyptian regime in targeting human rights activists and politicians, according to Reuters.

The U.S. Department of Commerce accused Sandvine of selling its products for “mass web-monitoring and censorship to block news as well as in targeting political actors and human rights activists,” and placed it on the “Sanctioned Entities” list.

John Scott-Railton, a senior researcher at the Canadian Citizen Lab, which monitors internet censorship, confirmed to TechCrunch on September 20, 2024, that this significant decline witnessed by Sandvine is directly related to U.S. sanctions.

The U.S. decision to sanction the Canadian company sparked joy among human rights activists. However, they questioned why Washington singled out the Canadian company while overlooking other European companies, including those from Italy, France, and the UK, that also provide Egypt with surveillance, espionage, tracking, and internet blocking systems.

An Egyptian technology expert previously confirmed to Al-Estiklal that the reason for America not objecting to European countries selling surveillance and blocking technologies for social media sites and its selective objection to a Canadian company may not align with Washington’s stated aim of protecting freedoms.

He explained that European technologies sometimes include American components in their manufacture, such as Canadian technologies, so part of the matter may seem purely commercial (business).

Moreover, America stands to gain from the publicity surrounding the punishment of the Canadian company for alleged freedom violations. This move enhances its public relations image, making it appear committed to opposing government surveillance and website censorship. 

In 2021, the U.S. Department of Commerce placed the Israeli NSO Group on the "banned list", preventing American companies from dealing with the company that makes the Israeli spyware “Pegasus.”

In 2023, the U.S. government also placed the company "Intellexa" on the banned list for selling the spyware “Predator.”

Company Crimes

Sandvine is often referred to as an ‘Octopus’ of surveillance and blocking, offering a technology known as ‘deep packet inspection (DPI),’ which can be utilized to monitor and spy on the vast flows of internet traffic passing between networks.

This technology can “block spam and viruses,” which the company publicly says is its goal, “but it can also block millions of websites and messaging apps and perform covert surveillance of internet activity,” according to Bloomberg.

This change in the company’s direction comes after years of investigations conducted by Bloomberg on October 8, 2020, which confirmed that Sandvine sells internet monitoring products to authoritarian regimes, most notably Egypt, the UAE, Belarus, Eritrea, and Uzbekistan.

A technical investigation conducted by the Egyptian website “al-Manassa” with the Qurium Media Foundation on September 21, 2020, revealed that internet service providers in Egypt have developed strategies to block hundreds of websites, with this Canadian company.

This is done by blocking alternative domain names, subdomains, that websites use to reach their audience, using a wildcard to prevent access to domains indiscriminately.

The investigation confirmed that this is done by "monitoring" the communication ports with email servers, through a proxy, as well as internal internet addresses that are also monitored.

On March 11, 2018, Mada Masr quoted technical expert Amr Gharbeia, who stated that while the technology employed by the Canadian company (deep packet inspection) may have ‘legitimate’ applications, it also poses potential harmful uses. It depends on how the system is configured, which could cause "serious risks related to human rights, such as monitoring access to content, or worse, quietly infecting users with malware, or large-scale financial fraud."

Amr Gharbeia highlighted the lack of a clear legislative framework in countries exporting such technologies, which is necessary to prevent their misuse in human rights violations. While some countries have implemented "individual measures" to regulate this through export licenses, a comprehensive framework is still missing.  

In March 2016, the Italian government suspended the company's export license "Hacking Team" to prevent the sale of spyware outside the European Union, following its dealings with several human rights-violating countries, including Egypt.

As stated on its website, the Canadian company Sandvine provides a service to provide an operations engineer based at its clients' locations. However, identifying these individuals remains challenging. 

According to a report by the Canadian Citizen Lab entitled "Bad Internet Traffic" on February 9, 2024, the presence of this enigmatic company engineer in any country raises questions about "the extent of the company's knowledge of or involvement in activities that significantly impact human rights in these countries, including Egypt."

Citizen Lab, a technical research lab affiliated with the University of Toronto in Canada, focuses on studying digital attacks on journalists, politicians, and human rights activists worldwide.

In 2017, The American company Francisco Partners acquired Sandvine, the Canadian-founded firm, and merged it with Procera Networks, in a $444 million deal, forming a single entity under the Sandvine name.

According to an analysis by the Canadian Citizen Lab, which monitors surveillance and blocking programs, Francisco Partners holds numerous investments in technology companies, including the Israeli firm NSO Group, which develops and sells mobile spyware.

This mobile spyware has been used to target journalists, lawyers, and human rights defenders and spy on their phones in nearly 45 countries worldwide, most notably the UAE, Saudi Arabia, Bahrain, Jordan, Morocco, Egypt, and Algeria.

This implies that Sandvine holds shares in the Israeli company NSO, which is engaged by numerous Arab governments, including Egypt, to acquire spyware used to target journalists, politicians, and activists.