On Monday, 21 October 2024, the U.S. government announced the removal of Sandvine from the Entity List in response to the recent changes the company has made to its corporate governance and business practices. While Sandvine’s reforms are welcome – and demonstrate the impact of civil society advocacy and targeted sanctions for shaping corporate behavior towards human rights – it is yet to be seen if their commitments will translate to sustained improvements to its business practices. To ensure this does not set a precedent for delisting companies prematurely, Access Now urges the U.S. government to ensure continued scrutiny of Sandvine’s practices in close consultation with civil society, and urges Sandvine to publicly demonstrate its commitment to human rights.
Sandvine was added to the Entity List in February 2024 for supplying deep packet inspection technology to governments – including Egypt, Belarus, and Russia – that facilitated mass web monitoring, censorship, and the targeting of human rights activists and politicians. Over the years, Access Now, with other civil society organizations, provided evidence of Sandvine’s abuses to U.S. policymakers and encouraged the imposition of targeted sanctions and other restrictive measures on the company. Investors in turn spearheaded the change in Sandvine’s ownership and board.
Its removal comes just eight months after its original listing, and roughly one month after the announcement of proposed company changes via a press release.
Sandvine’s recent commitments are welcome, but changes to the Entity List should not be based on promises made in a press release. As evidenced by Sandvine’s announcements, the U.S. government has used the Entity List as a powerful policy mechanism to motivate companies not to facilitate human rights violations. But the U.S. must maintain a close eye on Sandvine to ensure its commitments are not merely pen on paper.Michael De Dora, U.S. Policy and Advocacy Manager at Access Now
Commitments made by Sandvine notably include leaving 32 countries, with 24 more countries in the process by the end of 2025, as well as committing to “no longer operate in non-democracies or countries where the threat to digital rights is too high.” The company also claims it will overhaul ownership and leadership and donate one percent of its profits to digital rights organizations.
Technology can be misused anywhere. Companies must not be doing business with countries with a poor human rights record, but must also equally ensure their tools are not misused by democracies. What effective mechanisms have been put in place to ensure that Sandvine’s customers are not abusing its technology? That is a question that both Sandvine and U.S. policymakers need to answer. Sandvine must know it is now on probation, and civil society will continue to watch closely. Any commitments must not be a check-box exercise, and must translate into meaningful and sustainable change.Rand Hammoud, Surveillance Campaign Lead at Access Now.
Recommendations for Sandvine:
- Commit publicly to upholding the U.N. Guiding Principles on Business and Human Rights (UNGPs) and instituting a human rights policy;
- Ensure the new human rights due diligence program (HRDD) and business ethics committee (BEC) translate to meaningful scrutiny in line with the UNGPs and embed these structures into the highest levels of decision-making;
- Put in place policies and practices that identify, assess, and mitigate the potential adverse human rights impacts resulting from the business, including appropriate consideration for business partners and customers, as well as high-risk individuals and communities who may be impacted by the company’s products or operations, and the potential impact of technology misuse, and monitor progress through regular participation in a multistakeholder dialogue such as the Global Network Initiative;
- Regularly publish said due diligence reports including the BEC’s assessment of countries and territories with a history of blocking or censoring websites or social media platforms or using spyware, data analytics, and other forms of internet restrictions or surveillance to commit human rights abuses and infringe upon the rule of law as stated in their public commitments;
- Consult with stakeholders to put in place a grievance mechanism to ensure access to remedy by potentially affected stakeholders;
- Make public the list of the governments that the company has ended contracts with;
- Make public its list of government customers going forward;
- Make public any licensing agreements of its technology to other companies;
- Disclose changes to the contract that ensure customers are terminated if misuse is detected;
- Implement the appropriate measures to disable internet censorship, shut down, and surveillance capabilities of the equipment remaining in use after the license agreement has been violated and contract severed;
- Fully participate in accountability mechanisms, including judicial inquiries or civil society-led processes, to investigate and redress abuses the company has caused or contributed to;
- Abstain from legal or other retaliatory measures against victims, whistleblowers, researchers, journalists, and civil society organizations investigating or reporting on human rights violations that the company or its technologies might have been implicated in; and
- Publicly confirm completion of end-of-service agreements for Egyptian customers by March 31, 2025, the date listed in their press release, and clarify the current status of their technology in the 24 territories where termination has not been completed yet.
Recommendations for the U.S government:
- Publish transparent, clear processes and criteria for delisting entities based on demonstrable change, informed by regular consultations with civil society;
- Establish a probation period in which regular public and transparent reporting on activities by companies delisted must be made available to the U.S. and civil society, with failure to comply resulting in relisting; and
- Continue to closely monitor Sandvine’s activities in consultation with civil society with a possibility of relisting and imposing further sanctions on the company in case it fails to meaningfully change its behavior and practices.
Access Now and civil society will work to ensure both Sandvine and the U.S. government are transparent about this process and that Sandvine’s deep-packet inspection is not misused in the facilitation of human rights violations around the world.