For the second time in two months a University of Toronto human rights and Internet research group has criticized a Canadian-based company for allowing its technology to be used by countries for questionable practices against their people, including censorship.
In a report issued Wednesday, Citizen Lab said 10 countries are using the content filtering products of Waterloo, Ont.-based Netsweeper Inc. to block access to a wide range of digital content protected by international legal frameworks, including religious content in Bahrain, political campaigns in the United Arab Emirates, and media websites in Yemen.
“The international deployment of this Canadian-made filtering technology raises a number of human rights, corporate social responsibility, and public policy concerns and questions,” the report says. “These questions include whether and to what degree Netsweeper undertakes due diligence with respect to sales of its technology to jurisdictions with problematic rights records, and whether the Canadian government should be assisting Netsweeper, financially or otherwise, when its systems are used in a manner that negatively impacts internationally-recognized human rights.”
In response to queries from Citizen Lab, Netsweeper issued a press release saying the organization’s research lacks a “sound technical understanding on how Internet providers operate, how information technology companies support online operations, and how online programs function.
“Netsweeper cannot prevent an end-user from manually overriding its software. This is a dilemma shared by every major developer of IT solutions including globally renowned corporations that make the Internet work. Our firm’s technology and its applications are fully disclosed in the public realm. Even the most elementary review of our posted material shows that Netsweeper’s design does not include any organic functionality to limit the online content [Citizen Lab’s director Ron Deibert] highlights. The ultimate effect of what Mr. Deibert and his interests propose would be the full-scale shut down of the internet in multiple jurisdictions worldwide. This would prevent vital e-commerce and other transactions critical to the livelihood of millions in the developing world.”
Netsweeper was asked for comment. A spokesperson didn’t return a call by press time.
This report follows one issued March 9 which alleged a telco in Turkey is using technology from Waterloo’s Sandvine Corp. to redirect hundreds of users in that country and Syria to nation-state spyware when users attempted to download certain legitimate Windows applications. Citizen Lab also alleged a telco in Egypt uses the equipment to hijack Egyptian Internet users’ unencrypted web connections en masse, redirecting the users to revenue-generating content such as affiliate ads and browser cryptocurrency mining scripts.
Sandvine is part of Procera Networks, which is owned by San Francisco private equity firm Francisco Partners.
The reports raise questions of so-called dual-use technology, where a product is intended to be used one way — for example, to screen content for illegal or violent content — but can also be used for another — for example, to eliminate criticism of governments.
Citizen Lab has written reports on Netsweeper before. “Netsweeper is of particular research interest given that it is a Canadian company, encouraged by the Canadian government and society to ‘reflect Canadian values’ in its operations,” the report says. Companies like Netsweeper “have responsibilities under international human rights law to respect human rights,” it argues. “Such responsibilities involve ensuring due diligence measures are used to identify, prevent, and mitigate any impacts their operations have on human rights; public transparency about those measures; and ensuring remedial action if negative impacts are identified.”
For its latest research the institute used a combination of publicly available IP scanning, network measurement data, and other technical tests to identify Netsweeper installations designed to filter Internet content operational on networks in 30 countries. It then used other data points associated with these installations, including in-country measurements, to narrow its list to those installations that appear to be filtering content for national-level, consumer-facing ISPs in Afghanistan, Bahrain, India, Kuwait, Pakistan, Qatar, Somalia, Sudan, the UAE, and Yemen.
“We identified a pattern of mischaracterization and/or over blocking involving the use of Netsweeper’s systems that may have serious human rights implications, including blocking Google searches for keywords related to LGBTQ identities and blocking non-pornographic websites in various countries on the basis of an apparent miscategorization of these sites as ‘Pornography’,” the report says.
“We raise issues with the nature of the categories delimited by Netsweeper for the purpose of filtering, including the existence of an ‘Alternative Lifestyles’ category, which appears to have as one of its principal purposes the blocking of non-pornographic LGBTQ content, including that offered by civil rights and advocacy organizations, HIV/AIDS prevention organizations, and LGBTQ media and cultural groups. We also note that Netsweeper can be configured to block access to websites from entire specified countries.”
Public and regulatory pressure on network operators to filter content has given rise to a large and lucrative market, Citizen Lab says. It quotes one industry report that estimates the value of the web content filtering market at US$3.8 billion by 2022. Content filters come with a service or software, or network operators can set up custom filters. Netsweeper offers a cloud-based categorization engine, giving censors an automated mechanism to bulk-filter entire content categories (such as Abortion, Alcohol, Hate Speech and Pornography), as well as the opportunity to add their own categories and URLs.
A case studies section gave detailed examples of activity. For example, an Afghan carrier blocked categories “matrimonial” and “match-making.” In Kuwait pages with the categories “abortions,” “sex education,” “nudity,” and “pornography” were among those blocked.
Some countries blocked websites categorized as ‘Alternative Lifestyles,’ which includes non-pornographic LGBT (lesbian, gay, bisexual and transsexual) sites.
Citizen Lab says it is not alleging definitive violations of Canadian or international law, but setting out “responsibilities and obligations both Netsweeper and Canada have under international human rights law, how they may be falling short, and how they may do better … Netsweeper has responsibilities under international law to respect human rights such as the right to freedom of opinion and expression, a right that is clearly implicated by the filtering practices.”
The Sandvine report was less definitive. In it Citizen Lab said it matched network deep packet inspection characteristics to Sandvine PacketLogic devices, and concluded there was “apparent use of Sandvine devices to surreptitiously inject malicious and dubious redirects for users in Turkey, Syria, and Egypt.” It was “likely” done by nation-states or ISPs for “malicious or dubious ends.”
“Targeted users in Turkey and Syria who downloaded Windows applications from official vendor websites including Avast Antivirus, CCleaner, Opera, and 7-Zip were silently redirected to malicious versions by way of injected HTTP redirects,” Citizen Lab alleged. In Egypt a carrier used middleboxes to redirect users across dozens of ISPs to affiliate ads and browser cryptocurrency mining scripts. “In Egypt and Turkey, we also found that devices matching our Sandvine PacketLogic fingerprint were being used to block political, journalistic, and human rights content.”
In response to a letter with questions about the findings sent before the report was published, Francisco Partners told Citizen Lab that it spends “considerable time and effort regarding the thoughtful development and implementation of proper governance and social responsibility policies and processes for Francisco Partners and for the companies in which we invest.”
For its part Sandvine complained to the University of Toronto that release of the report “will contain false, inaccurate and misleading information that has the potential to do significant harm to the company, its shareholders and its customers.” Sandvine demanded the report not be released publicly “at this time.”
“Sandvine appears to have technical means in place to prevent misuse of its technology,” says Citizen Lab, noting the company says that it “implements stringent software license controls that limit access to specific product capabilities outside of an intended use case.” However, Citizen Lab says the alleged malicious and dubious activities “that appear to have been conducted through the use of [Sandvine] PacketLogic devices” suggest that Sandvine’s safeguards “have come up short.”
“We recommend that Sandvine engage in regular consultation with civil society regarding its human rights due diligence and business ethics program, and enhance transparency surrounding its sales review process and post-sale technical controls. We also recommend that Sandvine establish an operational-level grievance mechanism, in line with the UN Guiding Principles on Business and Human Rights, to address incidents of misuse of its products, and clearly communicate to the public how to report concerns, the timeframe in which one can expect to receive a response, and remedial action taken.”