Don Bowman, co-founder of Sandvine Inc., was always aware of the risks his company’s products posed. Sandvine makes what’s called deep packet inspection equipment, tools useful for spam filtering and internet network management that can also be used for surveillance and censorship. During Bowman’s two-decade tenure, Sandvine periodically turned down potential clients, including a telecommunications company partially owned by the Turkish government that wanted Sandvine to help it spy on email correspondence. “What that could lead to—we’re talking about journalists vanishing, whistleblowers put in jail,” says Bowman, who has since founded a security company called Agilicus in Kitchener, Ont. “We didn’t want to be part of that.”
Such concerns didn’t appear to take priority after Francisco Partners Management LLC, a private equity firm in San Francisco that primarily invests in technology companies, bought Sandvine in 2017. Francisco Partners replaced Sandvine’s entire executive team, including Bowman, and Sandvine then began selling to governments with troubling records on human rights, according to interviews with more than a dozen people familiar with the matter and documents reviewed by Bloomberg News. Sandvine had previously dealt exclusively with the private sector, and its pursuit of government contracts, Bowman says, represented “a fundamental shift for the company.”
Sandvine doesn’t make its client list public and declined to comment for this story. But according to documents reviewed by Bloomberg, from 2018 to 2020 the company agreed to deals worth more than $100 million with governments in countries including Algeria, Belarus, Djibouti, Egypt, Eritrea, Iraq, Kenya, Kuwait, Pakistan, the Philippines, Qatar, Singapore, Turkey, the United Arab Emirates, and Uzbekistan. In its rankings of political freedom, the human-rights group Freedom House classified all these countries as either partially free or not free. Eritrea rated 206th out of 210 countries the group examined, worse even than North Korea.
Sandvine faced criticism after Bloomberg News disclosed how Belarusian President Alexander Lukashenko’s regime had used its technology last summer to partially shut down the internet during nationwide protests over a disputed election. Sandvine canceled the deal after it became public, but advocacy groups have pressured federal and state officials to investigate Francisco Partners and Sandvine for due diligence and disclosure failures, and U.S. Senator Richard Durbin (D-Ill.) has raised questions about whether it violated U.S. sanctions against Belarus. Activists held demonstrations in front of offices for both companies. No public investigations or charges have been brought to date.
Other companies affiliated with Francisco Partners have faced controversy over deals they’ve pursued with authoritarian regimes. These include internet-monitoring companies Blue Coat Systems and Procera Networks as well as NSO Group Technologies, which makes software to hack into phones and computers, according to reports from human-rights groups such as Amnesty International, Access Now, and the University of Toronto’s Citizen Lab, which tracks illegal hacking and surveillance.
A Francisco Partners spokesperson says Sandvine “allows the world’s major communications providers to offer a safe and efficient internet with security protocols to prevent websites promoting child pornography, malware, and other criminal activity,” adding that the firm was “deeply committed to ethical business practices, and we evaluate all of our investments through that lens.” The firm says business ethics committees at its portfolio companies have blocked more than $100 million in sales that would have been legally permissible. It denies that it violated sanctions.
The market for government surveillance technology is about $12 billion annually, according to Moody’s, and the estimates for the deep packet inspection market peg it at about one-quarter that size. Executives at Francisco Partners have kept their work largely out of the public eye and include no mention of this aspect of its operations in marketing materials. This account, based on interviews with current and former employees at the company and the businesses it’s financed, as well as internal documents and financial filings, provides new details about how Francisco Partners conducts business with some of the world’s most repressive governments.
In many cases the governments interested in monitoring and silencing their citizenry are U.S. allies, and there are few rules governing the technologies they use to do so. Michael McFaul, former U.S. ambassador to Russia and director of Stanford’s Freeman Spogli Institute for International Studies, says the Biden administration should create new export controls and other regulations.
Until that happens, there’s a market opportunity, says Jonathon Penney, a research fellow at Citizen Lab. “A lot of the abuses we’ve seen involving these technologies would not have been possible without the support of capital-rich and resource-rich private equity firms like Francisco Partners,” he says. “There’s a real gap in legal accountability, and there’s so much money in the sector that the incentives are just not there for companies to change the way they’re doing business.”
---
In 2019, Francisco Partners said its business strategy was to identify and overhaul poorly managed companies that had created good technology so it could “buy confusion at discount and sell clarity at premium.” Since its founding in 1999, the company has raised about $24 billion and invested in more than 275 technology companies, according to its website.
The company has a long-term relationship with prominent Silicon Valley venture capital fund Sequoia Capital and has also worked with Paul Singer’s hedge fund, Elliott Management Corp. In 2018, Francisco Partners announced that Blackstone Group Inc. and Goldman Sachs Group Inc. acquired a minority stake in the company.
A Sequoia spokesperson describes Sequoia as a passive investor in some Francisco Partners deals and finds the company to be “ethical in their practices and policies.” Elliott Management says it had no involvement in the acquisitions of NSO Group, Procera, and Sandvine. Blackstone says it has a less than 5% stake in Francisco Partners and is not involved in investment decisions. Goldman Sachs declined to comment.
Francisco Partners’ involvement in controversial government work dates to 2006, when it made the first of a series of investments in California technology company Blue Coat Systems and put Keith Geeslin, a partner at Francisco Partners, on the company’s board of directors.
Blue Coat’s revenue more than doubled, to $496 million, in April 2010, from $177.7 million in April 2007, according to company records. But it also began drawing negative attention. Human-rights activists disclosed that Syrian President Bashar al-Assad’s regime was using the company’s technology to block access to the internet and surveil dissidents during a brutal crackdown in 2011. Researchers at Citizen Lab later found that Blue Coat’s technology had been used in Iran and Sudan, countries subject to U.S. sanctions.
Blue Coat said at the time that its equipment had been “unlawfully diverted to embargoed countries without our knowledge,” and Francisco Partners says it held only a small stake in Blue Coat and had no ability to control its operations.
“They could have done more to rein back the worst impulses of customers”
In March 2014, Francisco Partners acquired a majority stake in the Israeli surveillance company NSO Group. Citizen Lab and Amnesty International have linked the company’s equipment to phone hacks of dissidents, journalists, and human-rights activists in Saudi Arabia, the UAE, and Mexico since at least 2016.
Within weeks of acquiring NSO Group, Francisco Partners began closely controlling every aspect of the business, and representatives from the company were involved in approving every deal it signed, a senior NSO Group employee says. Under Francisco Partners’ direction, the number of NSO Group employees grew sixfold, to 600, boosting its global presence and sales revenue in the process, the senior NSO employee says.
Francisco Partners often learned about allegations of NSO Group’s role in human-rights abuses through media reports, a former NSO Group employee says, and made efforts to investigate them.
At times, Francisco Partners representatives who worked with NSO Group agreed to temporarily shut down customers who were suspected of wrongdoing, but they were reluctant to take permanent action. “They could have done more to rein back the worst impulses of customers,” says the former employee, who requested anonymity because of a nondisclosure agreement.
The controversies at NSO Group bothered some employees at Francisco Partners, even as the company’s leadership internally played them down. “We were told that, if some people are using the technology incorrectly, that was a minority of the revenue,” says a former employee, who requested anonymity because they were not authorized to speak publicly.
The Francisco Partners spokesperson defended its record with NSO Group, saying the company had saved lives and proved useful to governments pursuing criminals.
Francisco Partners sold its stake in NSO Group in February 2019, receiving about $1 billion for it, according to Reuters. That amounts to a return of more than 700% after adjusting for inflation.
Demonstrators with signs and Belarusian flags protest outside Francisco Partners’ headquarters in San Francisco on Sept. 18, 2020.PHOTOGRAPHER: MICHAEL SHORT/BLOOMBERG In 2015, soon after buying into NSO Group, Francisco Partners acquired Procera Networks, a company that sold technology to monitor and manage digital networks. Procera’s direction quickly changed, according to three former Procera employees who requested anonymity because they had signed nondisclosure agreements.
Under its new ownership, Procera became more willing to sell its equipment to just about anyone, one of the employees says. Procera employees raised concerns about deals with the governments of Egypt, Turkey, and other countries with poor records on human rights. Several resigned. Johan Jönsson, who left Procera at about the same time Francisco Partners took over, says he initially believed Francisco Partners did business with Turkey because it was “utterly unprepared for doing business with the kind of equipment” Procera manufactured. But after a further series of questionable sales, Jönsson says, he came to the conclusion that the company was “very prepared to take those risks and prioritize the financial gain over ethics.”
Francisco Partners acquired Sandvine in 2017 and merged it with Procera. Operating under Sandvine’s name, the combined company became a powerhouse global provider of deep packet inspection equipment.
Sandvine devised ways of detecting particular types of data, even if it was encrypted, so its technology could tell whether people were sending WhatsApp messages or viewing Facebook and YouTube videos, even if it couldn’t monitor the content. In an internal newsletter he sent to employees in August, Sandvine Chief Technical Officer Alexander Haväng cited the technology as a way to appeal to governments whose surveillance efforts were complicated by encryption. Sandvine’s equipment could “show who’s talking to who, for how long, and we can try to discover online anonymous identities who’ve uploaded incriminating content online,” he wrote.
In 2020, Sandvine agreed to a deal with the Algerian government on a project to log data about the internet activities of as many as 10 million people and pursued a similar contract with authorities in Jordan, according to documents reviewed by Bloomberg. Francisco Partners denies that Sandvine has a contract with the Jordanian government.
Sandvine created a business ethics committee to review sales to countries with poor human-rights records, but it rarely vetoed any sales, say two current and four former employees familiar with the process. In early 2018, Sandvine executives decided to exclude questions of internet censorship—or “traffic blocking,” as the company calls it—from ethics review, meaning that it wouldn’t consider whether a government customer might use the equipment to disrupt people’s internet access.
Then Belarus used Sandvine’s equipment to help shut down news websites, social media platforms, and messaging apps amid nationwide protests. Haväng initially told concerned employees that Sandvine didn’t want to play “world police,” before eventually reversing course.
Sandvine has said it requested that Belarus return the equipment it had purchased. But that country’s government has declined, and Sandvine can’t force it to do so, according to Francisco Partners. The gear has remained in use at two data centers in Minsk, where it’s filtering a large portion of the internet traffic that goes in and out of Belarus, according to documents reviewed by Bloomberg News. Activists in the country have reported that dozens of news and political websites remain blocked and say that during protests as recently as October, there were signs that the government used Sandvine’s equipment to disrupt usage of the encrypted chat app Telegram.
“We were satisfied when we heard the news that Sandvine had stopped cooperation with the government,” says Alexey Kozliuk, a co-founder of Human Constanta, a human-rights organization in Belarus. “But the damage has already been done.”
This story was first published in Bloomberg Businessweek.