Netsweeper, a company in Ontario, Canada, has touted its internet filtering software as a way for institutions like schools and hospitals to block pornographic, exploitative, or illicit websites, or help governments collect taxes on e-commerce sales. It says that its artificial intelligence software can filter the web in real time while receiving requests for “approximately 22 million new URLs each and every day” from over 500 million end users.
Increasingly, many of those users are living in countries where authoritarian and otherwise troubled political regimes are using Netsweeper and similar tools to block a range of “controversial” content, including political campaigns, media websites, and even search terms like “LGBTQ,” “gay,” and “lesbian.”
An April report by researchers at the Munk School of Global Affairs at the University of Toronto identified 10 countries where the company’s tools “appear to be filtering content for national-level, consumer-facing ISPs” amid acute human rights or security concerns: Afghanistan, Bahrain, India, Kuwait, Pakistan, Qatar, Somalia, Sudan, UAE, and Yemen. Except for India and Pakistan, all of the countries are ranked “authoritarian” by the Economist Democracy Index.
“It does appear that Netsweeper has no aversion to selling to clients in authoritarian regime contexts, within which there is a growing appetite to censor the internet,” says Ron Deibert, the director of Citizen Lab, the internet watchdog group behind the report, “Planet Netsweeper.”
Filtering the web like this “appears inconsistent with core corporate responsibilities to respect human rights such as freedom of opinion and expression and non-discrimination,” the researchers wrote.
Increasingly, observers warn, software like this is helping governments build their own walled versions of the internet, and in ways that are discriminatory and abusive. Netsweeper contends that it abides by local laws and cannot bear responsibility for the way its technology is ultimately used. Its software isn’t about censorship but helping companies and governments achieve what it calls “compliance.”
Since 2009, the company has also received at least $300,000 in Canadian government grants, partly aimed at boosting its foreign sales. In early June, Canada’s Senate Committee on Human Rights released a report that found that Canada’s export laws have made it easy for the federal government to essentially compromise human rights in favor of foreign policy goals and economic interests.
CEO Perry Roach explained the company’s overseas work at a London cable industry conference in May. “What do we do? Essentially we sit in the gateways, and we push these legal and illegal sites that the government wants to manage according to their values, their laws, and we take the burden away from them,” Roach said. “So our platform is beneficial from a government, compliance, and legislative [sic].” He said that the firm’s single largest client included over 160 million users.
Netsweeper has also worked with Western governments to police their networks. It is a “direct partner” of the UK’s Counter Terrorism Internet Referral Unit, which is responsible for “removing unlawful terrorist material content from the internet or content that incites or glorifies terrorist acts.” Using predetermined or custom filters targeted at content like “Hate Speech”, “Extreme”, “Criminal Skills”, or “Weapons,” according to Netsweeper, CTIRU has “had over 200,000 URL’s removed from service providers to ensure that they are not accessible by UK citizens or organizations.”
“This one president of this country we’re working with is trying to overcome two suicide bombers a day,” Roach explained at the conference. “If somebody’s got some interesting activity going on with ‘how to build a bomb,’ and actually looking at radicalization, we can alert the authorities, because safety is more important today.”
An off-the-shelf Great Firewall
Netsweeper is far from the only company that sells internet-filtering technology to governments. As with systems sold by companies like Blue Coat Systems, SmartFilter, and Sandvine—which also has its headquarters in Ontario—Netsweeper’s products are marketed at a wide range of clients, like libraries, schools, hospitals, and businesses, meant to keep users “safe” from malware and objectionable content, like pornography or violent imagery. In recent years the firm has also marketed its filtering technology as a way to help governments collect taxes on cross-border e-commerce sales. “Netsweeper is here to enforce the internet laws of your country,” the firm said in a 2016 promotional video.
But the same tools are also used by governments and ISPs to monitor and filter political, social, and LGBTQ content across whole countries.
In Qatar, where sodomy is punishable by one to three years in prison, social content related to the LGBTQ community is regularly blocked, while in Afghanistan LGBTQ content is blocked, apparently on the grounds that it is categorized as “matchmaking.” (One filtering category, “alternative lifestyle,” is meant to encompass what the company calls “the full range of non-traditional sexual practices, interests, and orientations.”)
In Kuwait, attempts to access the World Health Organization’s HIV/AIDS site was blocked on the grounds that it was pornographic. In the UAE, the entire World Health Organization website is considered pornography by Netsweeper’s filters. Websites for The Christian Science Monitor, the World Union for Progress Judaism, the Center for Health and Gender Equity, and Change Illinois are also labeled as porn.
Unlike China’s Great Firewall, a still-mysterious set of technical controls that restricts internet access there, Netsweeper is off the shelf software, available to virtually anyone operating a network. According to a 2017 pricing sheet, the company charged government clients about $11 a month per user for under 2,000 users. In 2016, the company charged Bahrain, with a population of 1.5 million, a fee of $1.2 million for a “national website filtering solution.”
In promotional materials, Netsweeper says that its software is operational in 63 countries; Citizen Lab’s analysis found the technology being used to filter content across entire networks in 30 countries. Among the ten countries Citizen Lab studied between August 2017 and April 2018, the highest number of Netsweeper installations was in India, where the group found 42 installations by 12 ISPs. Pakistan, with 20 installations, came in second.
A history of dismissals and “bullshit”
Netsweeper did not respond to specific questions from Fast Company but sent a statement that dismissed or ignored Citizen Lab’s findings. In April, CBC News reported that Roach, Netsweeper’s chief executive, has called Citizen Lab’s previous reports on his company “bullshit.”
In an email to Fast Company, Deibert says that not only are the findings peer-reviewed, “but the methods, data, and findings are transparent and reproducible.”
“[Roach’s] flippant statement is not only insulting to our group, and to the enormous effort and care we put into the research and writing of this report; it is also insulting to all Canadians and Canadian values,” says Deibert.
“In a single phrase, it speaks volumes about his company’s apparent dismissal of any obligation to public accountability and corporate social responsibility,” he says. “I suppose that is what happens when there are few repercussions for engaging in business practices that violate human rights.”
Deibert’s encounters—and tussles with—Netsweeper date back nearly a decade. Citizen Lab has been tracking the software’s fingerprints since 2011, when Middle Eastern governments were blocking objectionable web content during the Arab Spring. Ahmed Mansoor, a human rights advocate in the UAE, said that his persecution by the government began that year, when the government used software like Netsweeper to censor the online discussion forum he ran. Mansoor, who was also famously the target of a sophisticated spyware attack that Citizen Lab also examined, was imprisoned in 2017 for publishing “false information that harm national unity and damage the country’s reputation.”
Along with researchers from OpenNet Initiative, Deibert first noticed the company’s software back in 2010 in the Gulf region, several years after they published a report on Websense, a cybersecurity company that also sells firewall technology. The report found that Yemen was using the software to institute political filters, which led the Austin, Texas-based company to pull its services from the Middle Eastern country.
Subsequent Citizen Lab tests demonstrated that Yemen did not give up on political filtering, as YemenNet ultimately began deploying Netsweeper instead.
In the wake of Citizen Lab’s reporting on Yemen, Netsweeper sued the university and Deibert in 2015 for defamation, with damages estimated at more than $3 million. The company discontinued the lawsuit the following year.
“One point bears underscoring,” Deibert wrote after the suit was canceled. “It is an indisputable fact that Citizen Lab tried to obtain and report Netsweeper’s side of the story. Indeed, we have always welcomed company engagement with us and the public at large in frank dialogue about issues of business and human rights.” But Netsweeper never replied, he said.
When asked for comment via email, Netsweeper CEO Perry Roach directed questions to the company counsel, Christos Vitsentzatos, author of an April 13th press release that states most of the company’s clients are governments and government institutions seeking “to protect children from the dissemination of child exploitation.”
Vitsentzatos contended that Deibert and Citizen Lab demonstrate “a fundamental misapprehension” of how internet service providers and companies like Netsweeper function. He did not, however, directly address Citizen Lab’s findings on authoritarian regimes, though he appeared to suggest those governments were to blame.
“Netsweeper cannot prevent an end-user from manually overriding its software,” Vitsentzatos wrote in the statement. “This a dilemma shared by every major developer of IT solutions including globally renowned corporations that make the internet work. Our firm’s technology and its applications are fully disclosed in the public realm. Even the most elementary review of our posted material shows that Netsweeper’s design does not include any organic functionality to limit the online content Mr. Deibert highlights.”
How to map a censorship machine
To paint a portrait of Netsweeper’s activity, Citizen Lab used network measurement methods to map every one of the internet’s billions of IP (Internet Protocol) addresses to search for a signature associated with Netsweeper installations. The group collected data using tools that continuously perform various searches, collecting data on these installations worldwide; all of which is archived, periodically analyzed, and updated about every week.
Citizen Lab has used similar methods to map the activity of Sandvine, which sells a more sophisticated method for intercepting web traffic called deep packet inspection. A former Sandvine engineer told the Wall Street Journal this month that the company rolled out a platform for network insights in Egypt in 2016, allowing an ISP, for instance, to crack down on pirated video streams or to surveil and censor citizens’ web activity. The country’s online blacklist includes a variety of news sites and advocacy groups including Reporters Without Borders, a press-freedom group, and Avaaz, an activism site.
Sandvine says it holds its business “to the highest standards” and has safeguards to ensure it adheres to “principles of social responsibility, human rights, and privacy rights.” It also said some of Citizen Lab’s findings were “technically inaccurate and intentionally misleading.”
Deibert says the group’s new report was driven in part by a motivation to clearly demonstrate methods that a growing community of researchers can use to collect their own data about the use of Netsweeper and similar technologies. The report also more thoroughly maps the extent of Netsweeper’s installations, beyond the single-country reports that Citizen Lab had previously compiled.
“We wanted to make a point about the worldwide proliferation of Netsweeper technology to numerous countries, highlighting the lack of safeguards and controls to prevent sales to problematic country contexts, or abuse and misuse of the technology,” says Deibert.
Still, Deibert says that he is unaware of any efforts by the Canadian government to establish legislative or judicial oversight of Netsweeper’s more unsavory overseas work. He wonders if this has something to do with the Canadian federal and provincial government’s funding of Netsweeper over the last decade.
In a 2009 grant, Canada’s National Research Council awarded Netsweeper $280,615 for support “with a research and development project,” and in 2012, the company received an additional $46,430 for a different project. The government of Ontario has also funded Netsweeper through its Export Market Access program, designed to assist small and medium-size companies “to access and expand their growth in foreign markets.” In July 2016, Export Development Canada (EDC) provided support to Netsweeper through a guarantee to the Royal Bank of Canada. The bank then provided financing to support the company’s business activity in Bahrain.
Deibert hopes that someone in the Canadian government will eventually take notice. In June, Senate investigators examining Canada’s export laws cited Netsweeper when it found that the government had effectively permitted violations of human rights. In a statement to parliament, Christopher Pullen, an export official, said customers are vetted prior to transactions for possible human rights violations. He said that the guarantee to the Royal Bank of Canada in relation to Netsweeper’s business in Bahrain is no longer in place, and that the company is no longer a customer of EDC.
Still, the Senate found the government had no statutory obligation to acknowledge human rights concerns in its financial decisions. In the case of Netsweeper’s sale to Bahrain, the Senate found that the EDC offered its guarantee “despite the widespread availability of credible reports indicating that the Government of Bahrain was committing large-scale violations of the right to freedom of expression of its own citizens, as well as various other serious human rights violations.”
To Deibert, it’s not only Netsweeper’s sales but its bristling, rude reaction to his group’s criticism that merits reflection.
“If I were working for the Canadian government,” he said, “I would think long and hard about what it signifies to have a CEO of a Canadian company, whose technology is used to censor access to women’s health and information, react to a serious report in such a dismissive and offensive manner.”