Pakistan has acquired the services of a controversial Canada-based company to help build a nationwide “web monitoring system,” Coda Story can reveal.

Sandvine is expected to provide equipment for monitoring and analyzing all incoming and outgoing internet traffic from Pakistan.

The agreement raises serious concerns about privacy and civil liberties in Pakistan, where government critics have sometimes seen digital retribution from officials and other powerful groups.

According to the agreement — a copy of which was exclusively shared with Coda — the contract is worth $18.5 million and dated December 12, 2018. The “web monitoring system” will use Deep Packet Inspection (DPI) to monitor communications, measure and record traffic and call data on behalf of the country’s national telecommunications regulator, Pakistan Telecom Authority (PTA).

The contract was signed by a number of parties, including Pakistan firm Inbox Business Technologies Ltd, which is acting as a local partner for Sandvine and Pakistan Telecommunication Company for “procurement of hardware, software and provision of related services for web monitoring system.”

The new system is the result of a controversial 2010 law that mandates the monitoring and blocking of any traffic to and from Pakistan.

Deep Packet Inspection is often used by authoritarian governments to surveil its citizens and censor content that is deemed unlawful. According to WIRED, DPI is “a type of data processing that looks in detail at the contents of the data being sent and re-routes it accordingly.” To simplify, it’s the “equivalent of opening up letters in a postal depot and reading the contents.”

Asad Baig, who co-founded Media Matters For Democracy, said he feared the ‘web monitoring system’ “will give full autonomy to [the Pakistan Telecom Authority]  to do what they please with digital content without due process, and as is evident from their history of content regulation, that will not bode well for anyone.”

“With a web monitoring system, the state will have the ability to surveil citizens’ digital activity almost constantly,” said Baig. “Simply knowing that a monitoring system is in place can have a chilling effect on journalists, activists and political dissidents who are increasingly paranoid of state surveillance for speaking up online.”  

A source working at Inbox Business Technologies, which appears to have been licensed to install Sandvine’s equipment, said the system was not yet operational.

When asked if PTA had contracted the services of Sandvine or Inbox Business Technologies, the regulator said that the authority was not in “any agreement or contract with Inbox or Sandvine at present or in the past.”

However, the regulator pointed out that these companies “may have been” providing technology to the country’s telecom industry.

Sandvine has come under criticism in the past for selling technology to authoritarian regimes. The company came under fire last year after an investigation by the Canada-based Citizen Lab revealed Sandvine DPI was being used in Turkey, Egypt and Syria to redirect users to download legitimate programs “bundled with spyware.” 

Citizen Lab also found out that the Sandvine DPI equipment was being used to “block political, journalistic, and human rights content.”

Sandvine did not respond to several requests for comment for this story.

Lack of transparency

Despite PTA’s denials, there is more evidence that the government intended to acquire Sandvine’s services. In May this year, reports surfaced that PTA had directed the telecom industry to deploy a suitable technical solution for monitoring, analyzing and curbing “grey traffic” — which includes Voice over Internet Protocol and Virtual Private Networks. 

Pakistan’s Minister for Parliamentary Affairs, Azam Khan Swati, told the country’s Senate that the PTA had asked Inbox Business Technologies and Sandvine Inc, to provide equipment for monitoring grey traffic. At the same time, he maintained that PTA was not involved with either of the companies and no public funds had been spent on the project.

However, a March 2018 tender available on PTA’s website invited bids for the web monitoring system “at national level, for identifying and blocking access to any on-line content classified as unlawful under Prevention of Electronic Crimes Act 2016.”

The content listed as unlawful in the tender included material that might be considered “blasphemous,” “indecent” or “immoral” and ”anti-state.”

Just over a third of Pakistan’s population, around 72 million people, are online. Around 70 million use 3G or 4G data plans for their internet access. As digital penetration has grown, the government has tightened its grip on digital spaces. Pakistan has a history of arbitrarily blocking websites over content that is deemed “anti-state” — a well-known euphemism for material that is critical of Pakistan’s powerful military. 

The control of the internet in Pakistan comes at a crucial time for digital access in the region. In nearby Indian-administered Kashmir, the Delhi government imposed a mobile phone and internet blackout in August as part of a security clampdown to enforce its annulment of Kashmir’s constitutionally guaranteed autonomy. Authorities restored some phone connections earlier this month. 

In Pakistan, more than 925,000 websites have been blocked in Pakistan, according to PTA. Around 33,339 websites reportedly contained content deemed “anti-state, anti- judiciary, defamation, disinformation, sectarian, hate-speech.” The regulator has also blocked over 10,000 proxies from access to internet users in Pakistan. 

In 2018, Pakistan blocked Voice of America after critical coverage of a Pashtun rights movement, and the government has used internet shutdowns to deal with ethnic tensions. Pakistan has also banned YouTube several times in the past, until it was restored in 2016 after a localized version was launched. In 2018, Pakistan blocked the website of the Awami Workers Party, a democratic socialist group.

The digital crackdown has also been extended to journalists. Last week, Pakistan blacklisted and expelled the Asia coordinator of global press freedom group the Committee to Protect Journalists. Steven Butler was refused entry after landing at an airport in Lahore. He was returned to the U.S. after being told he was on “a stop list of the Interior Ministry.” Butler had been due to attend a human rights conference.

Citizen Lab reported in 2013 that Pakistan was using technology supplied by a Canadian company called Netsweeper to filter and block websites on a national scale.

In a report earlier this year, the independent democracy watchdog Freedom House expressed concerns over PTA’s “unchecked powers to censor material on the internet.” It added that there was evidence for “widespread state surveillance of social media and internet activity.” Freedom House downgraded Pakistan’s internet rating from 71 out of 100 in 2017 to 73 in 2018. 

Human rights groups have also expressed concerns over Pakistan’s deteriorating overall freedoms. According to Reporters Without Borders, Pakistan’s 2019 press freedom ranking was down three points to 142. Amnesty International said in a statement earlier this year that there has been a “noticeable increase in attacks on the right to freedom of expression in Pakistan.”

A recent Pakistan plan to launch special media courts also came under fire from the free speech groups. The Committee to Protect Journalists, in a statement, expressed concerns, saying “Pakistan needs to strengthen the nation’s democracy by freeing newspapers and broadcasters from the intense official pressures they already face.”

In addition to the forthcoming launch of Sandvine’s monitoring system, PTA has ordered network operators to pay the government security deposits to install the system. 

Digital rights groups in Pakistan have highlighted the lack of publicly available information on the so-called web monitoring system. Usama Khilji, who works for Bolo Bhi, an internet advocacy firm, said his organization was planning on submitting a Right to Information (RTI) request in an effort to find out more about the system. 

Although PTA maintains the system would be used to only curb grey traffic, Khilji fears it could be open to authoritarian abuse. “Grey traffic is just an excuse,” he said. “We fear the system could be used for large scale surveillance.”

“This includes crackdown on political and human rights activists, especially those who challenge official security-centered narratives that often trample on rights,” Khilji said. 

Sandvine’s role in web monitoring in Pakistan has received attention in previous years. In 2012, when Pakistan’s government first called for proposals for the building of an internet filtering system, Sandvine was among the companies that responded to human rights concerns and said it would not bid for the project. At the time, Pakistani rights groups thanked Sandvine, Verizon and Cisco for not working with the government to filter the internet access.

However, according to two sources at Inbox Business Technologies, Sandvine was already providing solutions to Pakistan Telecommunication Company Limited (PTCL) — the main company responsible for distributing internet bandwidth in Pakistan.

According to one former employee who worked as a team lead for one of the Sandvine projects, the company was already providing solutions back in 2014 — only two years after publicly committing it did not intend to work with the government of Pakistan. A tender notice available on the website of PTCL also confirmed that Sandvine was indeed providing its services in Pakistan going back at least 2016. 

When asked for confirmation regarding the current and previous projects involving Sandvine, a PTCL spokesperson refused to comment on the matter and directed Coda to speak to PTA instead.

Unchecked access to data

The Inbox contract mentions the company will take steps to ensure that any customer data it acquires through web monitoring must not infringe upon citizens’ rights protected under various laws and the constitution of Pakistan.

However, telecom operators in Pakistan remain skeptical. “How will they find out if there is a breach when the data is completely at Inbox’s disposal?” asked Luqman Kamil, an advisor to telecom operators. “The investment is ours, but the contract gives overt control to Sandvine,” he said.

Meanwhile, Usama Khilji fears the unchecked access to the customers’ data could prove catastrophic for human rights and privacy. “We fear that through Sandvine equipment, the government would be able to access, and even spy on the secure means of communication,” he said.