In March 2018, the Citizen Lab at the University of Toronto’s Munk School
published research documenting that Egyptian internet service providers were using
Sandvine/Procera Networks PacketLogic deep packet inspection (DPI) equipment to
hijack subscriber internet traffic at the ISP infrastructure level. The DPI
middleboxes intercepted unencrypted HTTP connections and redirected users to pages
serving affiliate advertisements and cryptocurrency mining scripts, effectively
monetizing the internet activity of millions of Telecom Egypt subscribers without
their knowledge or consent.

The operation was conducted at the national telecommunications infrastructure
level, meaning individual subscribers could not opt out or protect themselves
through conventional means. The DPI equipment was positioned between subscribers
and the internet, giving it complete visibility into and control over unencrypted
traffic flowing through the network. Citizen Lab identified the specific Sandvine
PacketLogic hardware through network fingerprinting techniques, and confirmed
that the same equipment was also being used for internet censorship, blocking
access to human rights organizations, independent media, and political content.

## Key Facts

- **What:** Sandvine DPI equipment hijacked Telecom Egypt subscriber traffic.
- **Who:** Millions of Telecom Egypt internet subscribers nationwide.
- **Data Exposed:** HTTP browsing activity, search queries, and unencrypted web traffic.
- **Outcome:** Citizen Lab exposed the operation; Sandvine faced international scrutiny.

## What Was Exposed

- Complete HTTP browsing activity of Telecom Egypt subscribers, visible to the DPI middleboxes in plaintext, including URLs visited, search queries, form submissions, and page content
- Subscriber browsing sessions hijacked through HTTP 307 redirects to inject affiliate advertising scripts and Coinhive cryptocurrency mining JavaScript into web pages the subscriber was attempting to visit
- Subscriber IP addresses and connection metadata, enabling identification and profiling of individual internet users based on their browsing patterns
- The DPI infrastructure simultaneously enabled blocking of websites belonging to human rights organizations (Human Rights Watch, Reporters Without Borders), news outlets (Al Jazeera, Mada Masr), and circumvention tools (Tor, VPN providers)
- Download hijacking capability observed, where the DPI equipment intercepted software download requests and substituted different payloads, potentially enabling malware distribution at the ISP level
- Email and messaging content transmitted over unencrypted protocols, visible to the DPI infrastructure in transit

This incident is fundamentally different from a conventional data breach.
There was no external attacker, no vulnerability exploited, and no system
compromised. Instead, the infrastructure that subscribers trusted to
deliver their internet traffic was itself weaponized against them. The
DPI middleboxes operated as sanctioned man-in-the-middle devices,
intercepting, inspecting, and modifying subscriber traffic as it passed
through the ISP’s network. This represents the ultimate
infrastructure-level betrayal: the tool you depend on for connectivity
is simultaneously the tool being used to exploit you.

The cryptocurrency mining injection is particularly revealing. By
redirecting subscriber HTTP requests through pages containing Coinhive
JavaScript mining scripts, the operators converted subscriber CPU
cycles and electricity into cryptocurrency revenue without the
subscribers’ knowledge. Every affected subscriber experienced
degraded device performance, increased power consumption, and reduced
battery life on mobile devices - real economic costs imposed
on millions of individuals to generate revenue for the entity
controlling the DPI infrastructure. This is not surveillance; it is
resource theft at a national scale, conducted through the very
infrastructure subscribers pay to use.

The affiliate advertising injection operated similarly. When subscribers
attempted to visit legitimate websites over HTTP, the DPI middleboxes
inserted redirect scripts that routed the connection through affiliate
advertising networks before delivering the requested page. Each
redirect generated advertising revenue for the entity controlling the
DPI system, monetizing subscriber internet activity without consent
and without any benefit to the subscriber. The economic model is
parasitic: subscribers pay for internet connectivity, and the
infrastructure provider extracts additional revenue by manipulating
the traffic they are paid to deliver faithfully.

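The redirect and script-injection patterns described above can be detected by comparing the response seen inside the affected network with a reference copy of the same page fetched from elsewhere. The following Python is an added example, not code from Citizen Lab or from this page; the URL, host names and responses are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Added example: flag middlebox tampering by diffing an in-network HTTP
# response against a reference response for the same URL. All hosts and
# bodies below are constructed samples (.invalid is a reserved TLD).
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
REDIRECTS = (301, 302, 303, 307, 308)

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def script_hosts(body):
    """Hosts of every absolute <script src=...> reference in an HTML body."""
    return {_host(src) for src in SCRIPT_SRC.findall(body) if "://" in src}

def analyze(url, observed, reference):
    """Return findings for one URL. Each response is a dict with 'status',
    'headers' (lower-case names) and 'body'."""
    findings = []
    site = _host(url)
    # 1. The reference served the page, but the in-network copy redirects
    #    somewhere else entirely (the HTTP 307 hijack pattern).
    if observed["status"] in REDIRECTS and reference["status"] == 200:
        target = _host(observed["headers"].get("location", ""))
        if target and target != site:
            findings.append(f"unexpected {observed['status']} redirect to {target}")
    # 2. The page arrived, but with third-party scripts the origin never
    #    referenced (the mining / affiliate script injection pattern).
    extra = script_hosts(observed["body"]) - script_hosts(reference["body"])
    for host in sorted(extra - {site}):
        findings.append(f"third-party script injected from {host}")
    return findings

# Constructed samples: a clean reference, a hijacked redirect, an injected page.
URL = "http://news.example/article"
REFERENCE = {"status": 200, "headers": {"content-type": "text/html"},
             "body": '<html><script src="https://news.example/app.js"></script>'
                     '<p>story</p></html>'}
HIJACKED = {"status": 307, "body": "",
            "headers": {"location": "http://affiliate.invalid/r?u=news.example"}}
INJECTED = {"status": 200, "headers": {"content-type": "text/html"},
            "body": REFERENCE["body"].replace(
                "</html>", '<script src="http://miner.invalid/m.js"></script></html>')}

if __name__ == "__main__":
    for name, resp in (("reference", REFERENCE), ("hijacked", HIJACKED),
                       ("injected", INJECTED)):
        print(name, analyze(URL, resp, REFERENCE) or ["clean"])
```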
Citizen Lab’s identification of Sandvine PacketLogic equipment
through network fingerprinting raised critical questions about the
role of technology vendors in enabling state surveillance and
subscriber exploitation. Sandvine (which had merged with Procera
Networks) marketed its PacketLogic platform for legitimate network
management purposes including traffic optimization, quality of
service management, and regulatory compliance. However, the same
deep packet inspection capabilities that enable network management
also enable surveillance, censorship, and traffic manipulation. The
dual-use nature of DPI technology means that the vendor’s
decision to sell to a particular customer is a decision about how
the technology will be used, whether the vendor acknowledges that
responsibility or not.

The censorship dimension of the DPI deployment compounds the privacy
violation with a freedom of expression violation. The same
infrastructure that injected ads and mining scripts also blocked
access to Human Rights Watch, Reporters Without Borders, the Tor
anonymity network, and independent Egyptian news outlets like Mada
Masr. The coexistence of commercial exploitation and political
censorship on the same DPI platform reveals a disturbing synergy:
the infrastructure for censorship pays for itself through traffic
monetization, creating a self-funding surveillance and control
apparatus embedded in the nation’s telecommunications
backbone.

The powerlessness of individual subscribers is the defining
characteristic of infrastructure-level attacks. When a website is
breached, users can change passwords and move to a different
service. When an application is compromised, users can uninstall
it. But when the ISP itself is the threat actor, there is no
user-level mitigation short of encrypting all traffic (via VPN
or exclusively using HTTPS) or switching to a different ISP,
options that are neither practically available nor
technically understood by most subscribers. In a market where
Telecom Egypt is the dominant infrastructure provider and
other ISPs lease capacity from its backbone, even switching
providers may not escape the DPI infrastructure.

## Regulatory Analysis

The regulatory analysis of state-sponsored infrastructure-level
traffic manipulation presents a unique challenge: the entity
responsible for the violation is either the state itself or a
state-controlled enterprise, and the regulatory frameworks
designed to protect citizens are administered by the same state.
This fundamental tension between the state as protector and
the state as violator defines the governance challenge of
infrastructure-level surveillance.

The Egyptian Constitution of 2014, Article 57, establishes the
right to privacy of correspondence, including electronic
communications. The article states that communications are
inviolable and may only be monitored or intercepted by judicial
order for a limited period. The mass interception and
manipulation of Telecom Egypt subscriber traffic through DPI
middleboxes, conducted without individual judicial orders and
applied indiscriminately to all subscribers, appears to
contravene this constitutional protection on its face. However,
constitutional rights in practice depend on judicial willingness
to enforce them against state security apparatus, which varies
significantly across jurisdictions and political contexts.

Law No. 151 of 2020 on the Protection of Personal Data, while
enacted after the Citizen Lab revelations, provides a framework
for analyzing the data processing involved. The DPI system
processed the personal data of millions of subscribers -
their browsing activity, connection metadata, and communication
content - without consent, transparency, or data
minimization. Under the law’s principles, such processing
would require a clear legal basis, notification to data
subjects, and limitation to a specific, legitimate purpose.
The monetization of subscriber traffic through ad injection
and cryptocurrency mining serves no public interest that
could justify mass traffic interception.

The Telecommunications Regulation Law (Law No. 10 of 2003)
governs the telecommunications sector and establishes the
National Telecommunications Regulatory Authority (NTRA).
Article 64 of this law prohibits the interception of
telecommunications without authorization, and Article 73
establishes criminal penalties for violations. However,
the law also includes broad national security exceptions
that have been interpreted to authorize various forms of
telecommunications monitoring. The challenge is that the
Sandvine DPI deployment served dual purposes -
ostensibly legitimate network management alongside
commercial exploitation and political censorship -
making it difficult to cleanly categorize under any single
legal provision.

The international dimension involves export control
regulations and corporate responsibility frameworks that
govern the sale of surveillance technology. The European
Union’s Dual-Use Regulation (Regulation 2021/821)
establishes export controls for technologies that can be
used for surveillance, including deep packet inspection
systems. Sandvine, as a Canadian company (later acquired
by Francisco Partners, a US private equity firm), was
subject to Canadian export controls and potentially US
regulations after the acquisition. Citizen Lab’s
research directly influenced subsequent export control
discussions and contributed to increased scrutiny of DPI
technology sales to countries with poor human rights
records.

The pending operationalization of Egypt’s Data
Protection Center does not meaningfully change the
regulatory picture for state-level infrastructure
surveillance. Even a fully operational DPC would face
insurmountable institutional challenges in investigating
and sanctioning telecommunications surveillance conducted
with state authorization. The EGP 5 million maximum fine
is trivial relative to the revenues generated by the
traffic monetization operation, and enforcement against
a state-controlled telecommunications provider requires
political will that transcends regulatory mandate.

## What Should Have Been Done

The fundamental problem with infrastructure-level traffic
manipulation is that the solution lies primarily outside
the individual subscriber’s control. Nevertheless,
there are structural, technical, and policy measures that
should have been in place to prevent or detect this type
of abuse.

The single most effective technical countermeasure is
universal HTTPS encryption. The DPI system was effective
because it intercepted HTTP (unencrypted) connections,
which allowed the middleboxes to read, modify, and
redirect traffic content. HTTPS connections, which are
encrypted end-to-end between the user’s browser
and the destination server, cannot be modified by DPI
equipment without terminating the TLS session with a
certificate the browser does not trust, which produces
certificate errors visible to the user. The global push
toward HTTPS, accelerated by initiatives like Let’s
Encrypt and browser default-HTTPS policies, has
significantly reduced the attack surface for traffic
injection attacks since 2018. Website operators globally
should ensure all pages are served over HTTPS, and
browser vendors should continue strengthening protections
against HTTP downgrade attacks.

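One way a site operator can check that they have closed the plaintext-HTTP window the middleboxes relied on is to audit the two controls that keep a browser off http://: a permanent redirect and an HSTS policy (RFC 6797). This is an added example, not code from the page; the responses it inspects are constructed dicts rather than live fetches, and the one-year threshold is an assumption taken from the usual preload-list minimum.

```python
# Added example: audit the responses of a site's http:// and https:// front
# doors for the redirect and the HSTS header. Inputs are constructed
# (status, headers) pairs with lower-case header names.
MIN_MAX_AGE = 31536000  # one year; assumed threshold, matches the preload minimum

def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains; preload' into a dict."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"') if val else True
    return directives

def audit(http_resp, https_resp):
    """Return a list of problems; an empty list means both controls hold."""
    problems = []
    status, http_headers = http_resp
    location = http_headers.get("location", "")
    # Control 1: the plaintext door must send the browser straight to https://.
    if status not in (301, 308) or not location.lower().startswith("https://"):
        problems.append("http:// does not redirect permanently to https://")
    # Control 2: HSTS, which browsers only honour when received over TLS.
    hsts = https_resp[1].get("strict-transport-security")
    if hsts is None:
        problems.append("no HSTS header on the https:// response")
        if "strict-transport-security" in http_headers:
            problems.append("HSTS sent only over http://, which browsers ignore")
    else:
        d = parse_hsts(hsts)
        age = int(d["max-age"]) if str(d.get("max-age", "")).isdigit() else 0
        if age < MIN_MAX_AGE:
            problems.append(f"HSTS max-age {age} is below {MIN_MAX_AGE}")
        if "includesubdomains" not in d:
            problems.append("HSTS lacks includeSubDomains")
    return problems

# Constructed samples: a hardened site and a weak one.
GOOD = ((301, {"location": "https://site.example/"}),
        (200, {"strict-transport-security":
               "max-age=63072000; includeSubDomains; preload"}))
WEAK = ((200, {"strict-transport-security": "max-age=31536000"}),  # ignored over HTTP
        (200, {"strict-transport-security": "max-age=600"}))

if __name__ == "__main__":
    print("good:", audit(*GOOD) or "ok")
    print("weak:", audit(*WEAK))
```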
DNS over HTTPS (DoH) and DNS over TLS (DoT) provide
additional protection against infrastructure-level
surveillance by encrypting DNS queries that would
otherwise reveal every website a subscriber visits.
Traditional DNS queries are sent in plaintext and are
easily intercepted by DPI systems, providing a complete
browsing profile even when the actual page content is
encrypted via HTTPS. By encrypting DNS queries to
trusted resolvers (such as Cloudflare 1.1.1.1 or Google
8.8.8.8), subscribers can prevent their ISP from
monitoring their DNS activity. Modern browsers now
support DoH by default, though ISP-level DNS redirection
can still complicate this protection.

Telecommunications regulatory frameworks should
explicitly prohibit ISP-level traffic manipulation for
commercial purposes. While DPI technology has legitimate
network management applications (traffic optimization,
quality of service, lawful interception under judicial
order), its use for injecting advertising, cryptocurrency
mining scripts, or any other commercial payload into
subscriber traffic should be prohibited by law with
meaningful penalties. The NTRA should establish clear
regulations that distinguish between permissible network
management and prohibited traffic manipulation, with
independent audit mechanisms to verify compliance.

Independent telecommunications auditing should be
established to verify that ISP infrastructure is not
being misused for surveillance or traffic manipulation.
This auditing function should be insulated from
political pressure and empowered to conduct technical
inspections of ISP infrastructure, including DPI
deployments. International models such as the German
Federal Network Agency (BNetzA) or the UK’s
Investigatory Powers Commissioner provide frameworks
for independent oversight of telecommunications
surveillance that Egypt could adapt to its own
institutional context.

Export controls on DPI and surveillance technology should
be strengthened to prevent the sale of dual-use equipment
to countries that use it for mass surveillance or traffic
manipulation. The Wassenaar Arrangement on Export Controls
for Conventional Arms and Dual-Use Goods and Technologies
includes intrusion software and IP network communications
surveillance systems, but enforcement remains inconsistent.
Sandvine’s sale to Egypt despite the evident risk of
misuse highlights the need for more rigorous due diligence
requirements and end-use monitoring conditions in export
licenses for surveillance-capable technologies.

Internet service providers should implement transparency
reporting that discloses the nature and extent of traffic
management practices, including any DPI deployments and
their configured purposes. Subscribers have a right to
know how their traffic is being processed by the
infrastructure they pay to use. Transparency reports,
similar to those published by major technology companies
regarding government data requests, would provide
subscribers with the information needed to make informed
choices about their connectivity and to advocate for
changes to practices they find unacceptable.

Civil society organizations and security researchers play
a critical role in detecting and documenting
infrastructure-level surveillance that affected
individuals cannot detect themselves. The Citizen Lab’s
research was the only reason this operation became public
knowledge. Governments that respect privacy rights should
create legal safe harbors for security research that
identifies surveillance infrastructure, ensuring that
researchers who document these practices are protected
rather than prosecuted. Without independent research
capacity, infrastructure-level surveillance operates in
complete opacity, accountable to no one.

For individual users in environments where ISP-level
traffic manipulation is a risk, the primary
recommendation is the use of a reputable VPN service
that encrypts all traffic between the user’s
device and the VPN server, preventing the DPI
equipment from inspecting or modifying any traffic
content. However, VPN use has limitations: it requires
technical knowledge, often degrades connection speeds,
and in some jurisdictions may itself attract scrutiny
from authorities. The burden of protecting citizens
from infrastructure-level surveillance should not fall
on individual users - it should fall on the
legal, regulatory, and institutional frameworks that
govern telecommunications infrastructure.

When the infrastructure meant to connect people becomes
the infrastructure used to exploit them, no individual
security measure can compensate for the structural
betrayal. The Sandvine/Telecom Egypt DPI operation
demonstrates that the most dangerous data breaches are
not always the ones that steal data - sometimes
they are the ones that hijack the data pipe itself.
Protecting citizens from their own infrastructure
requires independent oversight, transparent regulation,
and international accountability for the companies
that supply surveillance technology to authoritarian
operators.