July 5, 2020

PTA enters contract with Sandvine, no security audit conducted

June 5, 2020 – Documents obtained by Digital Rights Monitor  (DRM) show that the Pakistan Telecommunication Authority (PTA)  has obtained the technology from the international company Sandvine, to monitor internet traffic in the country. The report of the Standing Committee of the Cabinet, acquired by DRM, also shows  that  they have made no attempts to carry out a proper security audit before outsourcing the technology. The audit is important considering reports that the Sandvine is a controversial company and its tech has been used previously to censor free speech.

The committee considered the matter on March 5, 2020, according to the document. The question was initially asked by Senator Mushtaq Ahmed Khan, who also expressed his concerns over such widespread monitoring in the absence of any laws for data protection. The Senator also raised concerns about the technology being previously used for privacy, and if there had been adequate research on these issues before it was bought by the Pakistani government.

To this, the PTA Chairman responded that  a contract with the company had already been signed following “proper procedure”, and a security audit could only take place once the system is installed. He also said that they could only check for loopholes within the tech once it is up and running on the servers, to ensure that it was being used for the purpose stated and not anything else. 

After previous reports that the government had sought the services of Sandvine to monitor internet traffic, PTA officials initially denied the claim. However these documents clearly state that the PTA has already signed a contact, and are waiting for the tech to be installed. 

Sandvine,  a Canada-based company, offers the ability to conduct deep packet investigation of internet traffic through sophisticated technology. This essentially gives the government the ability to look into all information being exchanged through the country’s deep sea cables, that are responsible for providing the internet. The company has previously been accused of sharing technology with authoritarian regimes. 

An investigation by Citizen Labs shows that the company’s services had been used in Egypt, Syria and Turkey, where it redirected users to download software that appeared legitimate but included malware. The same investigation found that Sandvine’s equipment had been used to block journalistic and human rights content. 

Digital rights and privacy advocates have expressed similar concerns about the use of the technology in Pakistan. “We have consistently seen that this government has tried to increase its control over the internet through various laws and policies, and their web monitoring system is another major step in that direction,” said Sadaf Khan, Co-founder and Director Programs at Media Matters for Democracy. She added, “We have seen censorship of the press already increase under the government, and technology like this increases the threat to freedom of expression.”

According to a Forbes report from March 2018, Sandvine is a portfolio company for Francisco Partners, a private equity firm that essentially buys out other companies. This firm also bought two companies founded by Israeli businessmen. The companies are called NSO and Circles, where NSO is also famous for producing Pegasus, a malware used to spy on cell phones by the authoritarian governments. This raises concerns about the main companies ties and interests given their previous ties with authoritarian regimes. 

Written by

Amel Ghani is a Program Manager at Media Matters for Democracy and leads special initiatives on media development, digital rights, privacy online and Media and Information Literacy (MIL).

No comments

leave a comment