U.S. blocklists Sandvine for enabling digital repression in Egypt

Sandvine must make good on its commitments and stop harming human rights

To,
Chief Executive Officer Mr. Lyndon Cantor
Chief Technology Officer Mr. Alexander Haväng
Sandvine Inc.

Re: Sandvine Corporation’s recent announcement of reforms and subsequent removal from the U.S. Department of Commerce’s Entity List

We, the undersigned human rights organizations and experts, are writing to inquire about Sandvine’s recent reforms resulting in its removal from the U.S. Department of Commerce’s Entity List, and request evidence of the adequacy and effectiveness of the announced measures.

In February 2024, the Bureau of Industry and Security (BIS) added Sandvine to its Entity List, which subjects companies and individuals to license requirements and enhanced scrutiny for the export or transfer of designated goods or services. This sanction was imposed as the company’s activities were deemed “contrary to the national security and foreign policy interests of the United States,” in response to media and civil society documentation of its sales of deep packet inspection technology to authoritarian governments, including Egypt, Belarus, and Russia. According to the investigations by the Citizen Lab at the Munk School of Global Affairs & Public Policy at the University of Toronto (Citizen Lab), Masaar, and Bloomberg, Sandvine has facilitated internet shutdowns, mass web monitoring, and mass censorship in countries around the world and enabled the targeting of at least one Egyptian politician and election candidate with spyware. These investigations also report that Sandvine’s technology has been used to attack civic space and fundamental freedoms by abusive regimes in at least 12 countries.  

Eight months later, we welcome Sandvine’s acknowledgement of “past misuse of Sandvine’s products, as well as the fact that the company’s response to past reports of misuse was insufficient.” We equally recognize the steps it announced toward rights-respecting business practices — resulting in its removal from the Entity List on October 21. Sandvine’s reforms, including its exit from 32 countries and commitment to “no longer operate in non-democracies or countries where the threat to digital rights is too high,” demonstrate the impact of civil society advocacy, shareholder influence, and targeted sanctions in shaping corporate behavior in line with human rights best practices.

However, given Sandvine’s well-documented record of facilitating human rights violations and its failure to address them, the authenticity and effectiveness of those recent reforms should be strictly scrutinized. Particularly, we call into question Sandvine’s (i) ongoing failure to provide meaningful remedies to people affected by its past wrongful business, (ii) previous failure to meaningfully respond to queries from civil society, and (iii) lack of transparency and evidence regarding the effectiveness and adequacy of its newly announced human rights due diligence program.

First, despite Sandvine’s acknowledgement of its past wrongful conduct, public information does not indicate that the company has provided a meaningful remedy to those affected by the abuses of its technologies in Egypt, Belarus, Azerbaijan, Russia, or other countries. Given the centrality of the right to remedy in human rights law and principles, as well as the corporate responsibility to provide remediation as stated in the United Nations Guiding Principles on Business and Human Rights (UNGPs), Sandvine’s attempt to start a rights-respecting “new chapter” without adequately addressing past misconduct undermines the credibility of its commitment to human rights. The company needs to acknowledge the damage caused in specific countries and take steps informed by the affected communities to repair it. In conversation with several civil society representatives who were affected by the company’s technology, it was highlighted that Sandvine “caused considerable and irreparable damage” to their communities. While Sandvine’s commitment to dedicate 1% of its profits to digital rights and human rights groups is commendable, there are questions about how this fund would be administered and distributed and whether it can be used to help reverse the effects of digital repression Sandvine helped facilitate in the past.

Second, Sandvine has expressed a commitment to “better relationships and consultations with civil society and affected stakeholders” to understand how it can support digital rights, and to “engage more with human rights groups and other stakeholders prior to expanding business operations to new jurisdictions.” Given the previous failures to meaningfully respond to civil society inquiries about its operations, we are seriously concerned about Sandvine’s ability to follow through with this commitment. Sandvine should have risen to the opportunity to provide a meaningful response to questions raised by civil society in the past and address the fact that they have threatened researchers like those at the Citizen Lab with legal action for exposing the abuses of Sandvine’s technology. Without addressing these prior failures in meaningful engagement, Sandvine will continue to struggle to build a trusted relationship with the civil society organizations that represent and support at-risk communities, even as it attempts to rebrand itself. 

Third, while we welcome Sandvine’s announcement of its new human rights due diligence program, the Business Ethics Committee (BEC) review process, and its board-level Human Rights Subcommittee, Sandvine’s CEO Lyndon Cantor claimed in February 2018 that the company already had a “comprehensive” Ethics Policy and BEC, as well as having implemented “numerous other corporate and social responsibility policies” since at least 2016. Similar to Sandvine’s recent announcement of using “a variety of government and external references” to drive corporate responsibility, the 2018 letter also stated, “The BEC uses best practices based on a variety of factors, including, for example, global indices related to human rights…” Mr. Cantor referenced these measures as evidence of “robust practices, procedures, and contractual requirements concerning responsibility, human rights, and privacy rights.” Given the evidence of failure of such existing programs and policies to prevent the misuse of Sandvine’s technologies over the past eight years, and lack of transparency about how the new processes and oversight entities will operate, civil society and the affected communities are understandably skeptical about the ability of these new programs and policies to produce meaningful change in the company’s practices. This is especially so, given that other companies that the US government added to the Entity List similarly claim to have human rights policies while continuing to facilitate human rights abuses.

Given the concerns stated above, and referencing the UNGPs detailing companies’ responsibility to respect human rights and address human rights harms in their business operations, we’re asking Sandvine to publicly commit to uphold the UNGPs and to address the following questions in line with those principles: 

  1. Will Sandvine publish a human rights policy, approved by the most senior-level officers at the company? Who in the leadership team, including on the Board of Directors, would be responsible for the management and implementation of such a policy? 
  2. What human rights due diligence (HRDD) program and relevant policies are currently in place at Sandvine?
    1. Has Sandvine published a detailed list of its current client base? If so, where can that list be found? When was the most recent update to the list, and how regular are these updates?
      1. What are the 32 countries that Sandvine has already exited as mentioned in the press release? What are the other 24?
    2. What criteria are used to determine whether a country or regime is eligible to use your technology, and how are these criteria applied to each client? How often do you reassess if eligible countries are still eligible? What mechanisms are in place to respond to changes in country contexts, such as new government leadership?
    3. How is the HRDD program designed to effectively identify, prevent, mitigate and account for clients’ misuse of your products, for example, towards censorship, surveillance, or internet shutdowns?
      1. How does the company identify and mitigate the emerging risks? 
      2. Does the company have periodic independent third-party audits of the human rights due diligence program to verify its effectiveness? 
      3. How does the company ensure that third-party resellers or other business relationships across the value chain comply with its human rights due diligence program? 
  3. What mechanisms, including, but not limited to, legal and technical ones, are in place to ensure prevention of abuse and effective implementation of the compliance program?
    1. How are the relevant policies integrated into operation?
    2. Is the company including clawback or shut-off clauses in the standard sales or export contracts?
    3. Does Sandvine have the ability to disable the internet censorship and shutdowns deployed by authorities using Sandvine-supplied items?
    4. Will Sandvine commit to independent third-party audits of its operations and technology usage to ensure that its tools are not used for censorship, surveillance, or internet shutdowns? 
  4. Is the human rights due diligence program adequately resourced for its effective implementation?
    1. What level of authority do the consulted digital rights experts, the Business Ethics Committee (BEC), and Human Rights Subcommittee have in the company’s decision making?
      1. What backgrounds, expertise, and credentials do consulted digital rights experts, BEC members, and Human Rights Subcommittee members have?
    2. What sort of incentive/discipline mechanism is put in place to ensure management and employees’ good-faith implementation of human rights due diligence programs?
    3. How will Sandvine ensure meaningful engagement with civil society in its human rights due diligence process? 
    4. What resources will be provided to the Senior Advisor reporting to the Board’s Human Rights Subcommittee? 
  5. As stated in your press release, “In the interim period before exiting [24] jurisdictions, Sandvine will maintain contractual authority to act on violations of the end-user license agreement.” What exact actions will the company take if violations took place in those jurisdictions?
    1. When and how will Sandvine publicly report on the abuses?
    2. What mechanisms are in place to ensure that the infrastructure will not be abused even after Sandvine withdraws from a particular country?
  6. Does the company have an employee whistleblowing system? And, if so, what does it consist of? How are whistleblowers protected from reprisals?
  7. What protocols does the company have to investigate potential misuse of its products flagged either internally or externally by civil society organizations?
  8. How and when will Sandvine provide for or cooperate in the remediation for victims of shutdowns and mass surveillance who have already been impacted by the documented abuse of its technology?
    1. How will the promised 1% of all the company’s profits be donated and administered? Will this fund have limitations? Would this fund support civil society and other relevant communities impacted by the abuses of Sandvine’s technologies? How would such organizations be identified?
    2. Which stakeholders will the company consult in designing and implementing a process for remediation?
    3. Will the company create a grievance mechanism to monitor ongoing adverse impacts on communities and individuals?

The harms caused to people by mass surveillance, shutdowns, and targeted repression using Sandvine’s technologies cannot be undone and remain unremedied. It is imperative that remedial measures to past misconduct and robust as well as verifiably effective human rights due diligence programs with strong oversight and transparency lead the company’s new chapter to prevent future misuse of Sandvine’s technologies. We remain concerned about how Sandvine plans to prevent future misuses of its tools and believe this is an opportunity for Sandvine to demonstrate to the public and other stakeholders that it will take its stated commitments seriously.

We look forward to hearing from you and request a response by November 21, 2024. 

Signatories

Organizations:

  • Access Now
  • Amnesty International
  • Bloggers Association of Kenya (BAKE)
  • Collaboration on International ICT Policy for East and Southern Africa (CIPESA)
  • Committee to Protect Journalists (CPJ)
  • Common Cause Zambia
  • Egyptian Initiative for Personal Rights (EIPR)
  • Eurasian Digital Foundation
  • Gulf Centre for Human Rights (GCHR)
  • Human Constanta
  • INSM for Digital Rights
  • Internet Protection Society
  • Masaar – Technology and Law Community
  • Paradigm Initiative
  • RKS Global
  • SMEX
  • The International Justice Clinic at UC Irvine
  • The Tahrir Institute for Middle East Policy (TIMEP)

Experts:

  • Arzu Geybulla, Azerbaijan Internet Watch
  • Hinako Sugiyama, Digital Rights Fellow and Senior Counsel, International Justice Clinic at the University of California, Irvine School of Law
  • Ilya Livkin, analytic & digital security specialist, Stay connected foundation
  • John Scott-Railton, Senior Researcher, the Citizen Lab, University of Toronto’s Munk School of Global Affairs & Public Policy
  • Klimarev Mikhail, CEO VPN Generator
  • Nima Fatemi, Founding director of Kandoo
  • Ron Deibert, Professor and Director of the Citizen Lab, University of Toronto’s Munk School of Global Affairs & Public Policy