In March 2018, the Citizen Lab at the University of Toronto’s Munk School published research (the “Bad Traffic” report) documenting that Egyptian internet service providers were using Sandvine/Procera Networks PacketLogic deep packet inspection (DPI) equipment to hijack subscriber internet traffic at the ISP infrastructure level. The DPI middleboxes intercepted unencrypted HTTP connections and redirected users to pages serving affiliate advertisements and browser-based cryptocurrency mining scripts, effectively monetizing the internet activity of millions of Telecom Egypt subscribers without their knowledge or consent.
Key Facts
- What: Sandvine PacketLogic DPI equipment hijacked Telecom Egypt subscriber traffic.
- Who: Millions of Telecom Egypt internet subscribers nationwide.
- Data Exposed: HTTP browsing activity, search queries, and other unencrypted web traffic.
- Outcome: Citizen Lab exposed the operation; Sandvine faced international scrutiny.
What Was Exposed
- Complete HTTP browsing activity of Telecom Egypt subscribers, visible to the DPI middleboxes in plaintext including URLs visited, search queries, form submissions, and page content
- Subscriber browsing sessions hijacked through HTTP 307 redirects to inject affiliate advertising scripts and Coinhive cryptocurrency mining JavaScript into web pages the subscriber was attempting to visit
- Subscriber IP addresses and connection metadata, enabling identification and profiling of individual internet users based on their browsing patterns
- The DPI infrastructure simultaneously enabled blocking of websites belonging to human rights organizations (Human Rights Watch, Reporters Without Borders), news outlets (Al Jazeera, Mada Masr), and circumvention tools (Tor, VPN providers)
- Download hijacking capability, which the same report documented for the same PacketLogic device family on a Turkish network (Türk Telekom), where software download requests were intercepted and spyware-laden installers substituted for the requested files; the Egyptian devices were documented redirecting traffic rather than substituting downloads, but the capability shows that ISP-level malware distribution is within reach of this equipment
- Email and messaging content transmitted over unencrypted protocols, visible to the DPI infrastructure in transit
This incident is fundamentally different from a conventional data breach.
There was no external attacker, no vulnerability exploited, and no system compromised. Instead, the infrastructure that subscribers trusted to deliver their internet traffic was itself weaponized against them. The DPI middleboxes operated as sanctioned man-in-the-middle devices, intercepting, inspecting, and modifying subscriber traffic as it passed through the ISP’s network. This represents the ultimate infrastructure-level betrayal: the tool you depend on for connectivity is simultaneously the tool being used to exploit you.
The cryptocurrency mining injection is particularly revealing. By redirecting subscriber HTTP requests through pages containing Coinhive JavaScript mining scripts, the operators converted subscriber CPU cycles and electricity into cryptocurrency revenue without the subscribers’ knowledge. Every affected subscriber experienced degraded device performance, increased power consumption, and reduced battery life on mobile devices - real economic costs imposed on millions of individuals to generate revenue for the entity controlling the DPI infrastructure.
This is not surveillance; it is resource theft at a national scale, conducted through the very infrastructure subscribers pay to use.
The affiliate advertising injection operated similarly. When subscribers attempted to visit legitimate websites over HTTP, the DPI middleboxes inserted redirect scripts that routed the connection through affiliate advertising networks before delivering the requested page. Each redirect generated advertising revenue for the entity controlling the DPI system, monetizing subscriber internet activity without consent and without any benefit to the subscriber.
The economic model is parasitic: subscribers pay for internet connectivity, and the infrastructure provider extracts additional revenue by manipulating the traffic they are paid to deliver faithfully.
Citizen Lab’s identification of Sandvine PacketLogic equipment through network fingerprinting raised critical questions about the role of technology vendors in enabling state surveillance and subscriber exploitation. Sandvine (which had merged with Procera Networks) marketed its PacketLogic platform for legitimate network management purposes including traffic optimization, quality of service management, and regulatory compliance. However, the same deep packet inspection capabilities that enable network management also enable surveillance, censorship, and traffic manipulation.
The dual-use nature of DPI technology means that the vendor’s decision to sell to a particular customer is a decision about how the technology will be used, whether the vendor acknowledges that responsibility or not.
The censorship dimension of the DPI deployment compounds the privacy violation with a freedom of expression violation. The same infrastructure that injected ads and mining scripts also blocked access to Human Rights Watch, Reporters Without Borders, the Tor anonymity network, and independent Egyptian news outlets like Mada Masr. The coexistence of commercial exploitation and political censorship on the same DPI platform reveals a disturbing synergy: the infrastructure for censorship pays for itself through traffic monetization, creating a self-funding surveillance and control apparatus embedded in the nation’s telecommunications backbone.
The powerlessness of individual subscribers is the defining characteristic of infrastructure-level attacks. When a website is breached, users can change passwords and move to a different service. When an application is compromised, users can uninstall it. But when the ISP itself is the threat actor, there is no user-level mitigation short of encrypting all traffic (via a VPN, or by using HTTPS exclusively) or switching to a different ISP, options that are neither practically available to nor technically understood by most subscribers. In a market where Telecom Egypt is the dominant infrastructure provider and other ISPs lease capacity from its backbone, even switching providers may not escape the DPI infrastructure.
Regulatory Analysis
The regulatory analysis of state-sponsored infrastructure-level traffic manipulation presents a unique challenge: the entity responsible for the violation is either the state itself or a state-controlled enterprise, and the regulatory frameworks designed to protect citizens are administered by the same state.
This fundamental tension between the state as protector and the state as violator defines the governance challenge of infrastructure-level surveillance.
The Egyptian Constitution of 2014, Article 57, establishes the right to privacy of correspondence, including electronic communications. The article states that communications are inviolable and may only be monitored or intercepted by judicial order for a limited period. The mass interception and manipulation of Telecom Egypt subscriber traffic through DPI middleboxes, conducted without individual judicial orders and applied indiscriminately to all subscribers, appears to contravene this constitutional protection on its face.
However, constitutional rights in practice depend on judicial willingness to enforce them against state security apparatus, which varies significantly across jurisdictions and political contexts.
Law No. 151 of 2020 on the Protection of Personal Data, while enacted after the Citizen Lab revelations, provides a framework for analyzing the data processing involved. The DPI system processed the personal data of millions of subscribers - their browsing activity, connection metadata, and communication content - without consent, transparency, or data minimization. Under the law’s principles, such processing would require a clear legal basis, notification to data subjects, and limitation to a specific, legitimate purpose.
The monetization of subscriber traffic through ad injection and cryptocurrency mining serves no public interest that could justify mass traffic interception.
The Telecommunications Regulation Law (Law No. 10 of 2003) governs the telecommunications sector and establishes the National Telecommunications Regulatory Authority (NTRA).
Article 64 of this law prohibits the interception of telecommunications without authorization, and Article 73 establishes criminal penalties for violations. However, the law also includes broad national security exceptions that have been interpreted to authorize various forms of telecommunications monitoring. The challenge is that the Sandvine DPI deployment served dual purposes - ostensibly legitimate network management alongside commercial exploitation and political censorship - making it difficult to cleanly categorize under any single legal provision.
The international dimension involves export control regulations and corporate responsibility frameworks that govern the sale of surveillance technology. The European Union’s Dual-Use Regulation (Regulation 2021/821, the 2021 recast of Regulation 428/2009, enacted after these events) establishes export controls for cyber-surveillance items, including IP network communications surveillance systems such as DPI platforms. Sandvine itself is a Canadian company; Francisco Partners, a US private equity firm, had acquired it in 2017 and merged it with Procera Networks before the Citizen Lab report, so the equipment was subject to Canadian export controls and potentially to US regulations through its owner.
Citizen Lab’s research directly influenced subsequent export control discussions and contributed to increased scrutiny of DPI technology sales to countries with poor human rights records.
The pending operationalization of Egypt’s Data Protection Center does not meaningfully change the regulatory picture for state-level infrastructure surveillance. Even a fully operational DPC would face insurmountable institutional challenges in investigating and sanctioning telecommunications surveillance conducted with state authorization. The EGP 5 million maximum fine is trivial relative to the revenues generated by the traffic monetization operation, and enforcement against a state-controlled telecommunications provider requires political will that transcends regulatory mandate.
What Should Have Been Done
The fundamental problem with infrastructure-level traffic manipulation is that the solution lies primarily outside the individual subscriber’s control. Nevertheless, there are structural, technical, and policy measures that should have been in place to prevent or detect this type of abuse.
The single most effective technical countermeasure is universal HTTPS. The DPI system worked because it intercepted plaintext HTTP connections, which let the middleboxes read, modify, and redirect traffic content. An HTTPS connection is encrypted between the user’s browser and the destination server; a middlebox cannot alter its contents without breaking the TLS session, which surfaces as a certificate error in the browser. Two caveats matter in practice. A user who types a bare hostname still sends the first request over plain HTTP unless the site sets HTTP Strict Transport Security (HSTS) or is on the browser preload list, so that one request remains injectable. And encryption hides content, not destination: the server name in the TLS ClientHello (SNI) and the destination IP address remain visible, which is all the blocking described above requires.
The global push toward HTTPS, accelerated by Let’s Encrypt and by browsers’ HTTPS-first defaults, has significantly reduced the attack surface for traffic injection since 2018. Website operators should serve every page over HTTPS and send a strong HSTS policy, and browser vendors should continue strengthening protections against HTTP downgrade attacks.
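The following is an added example, not code from the Citizen Lab report, from Sandvine, or from Telecom Egypt. It ties together the two mechanisms discussed above: it flags the signs of middlebox tampering a subscriber-side probe would look for in a raw HTTP response (an off-origin 3xx redirect like the 307s described in “What Was Exposed”, or a script tag loading from a browser-mining host), and it grades the HSTS header that tells browsers to stop sending the plaintext requests such injection depends on. The sample responses are constructed for this example; the miner host list, the one-year threshold, and the example.com/example.net hostnames are assumptions.

```python
"""
Added example: detect ISP-level HTTP tampering indicators in a raw response
and check the server's HSTS policy. Sample responses are constructed.
"""
import re
from urllib.parse import urlparse

# Assumption: coinhive.com is the only browser-miner host we look for.
MINER_HOSTS = ("coinhive.com",)
REDIRECT_CODES = {301, 302, 303, 307, 308}
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']([^\"']+)", re.I)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def _same_site(host: str, origin: str) -> bool:
    return host == origin or host.endswith("." + origin)


def injection_indicators(requested_url: str, raw: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    status, headers, body = parse_response(raw)
    origin = urlparse(requested_url).hostname or ""
    findings = []
    if status in REDIRECT_CODES:
        # A redirect away from the site we asked for is the AdHose-style signature.
        target = urlparse(headers.get("location", "")).hostname
        if target and not _same_site(target, origin):
            findings.append(f"off-origin {status} redirect to {target}")
    for src in SCRIPT_SRC.findall(body):
        host = urlparse(src).hostname or ""
        if any(_same_site(host, m) for m in MINER_HOSTS):
            findings.append(f"script loaded from miner host {host}")
    return findings


def hsts_policy(raw: bytes) -> dict:
    """Parse Strict-Transport-Security; max_age 0 means HSTS is absent."""
    _, headers, _ = parse_response(raw)
    value = headers.get("strict-transport-security", "")
    policy = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().lower().partition("=")
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    # Assumption: one year plus includeSubDomains is the usual bar for a strong policy.
    policy["strong"] = policy["max_age"] >= 31536000 and policy["include_subdomains"]
    return policy


# Constructed sample: a middlebox answering instead of the page that was requested.
HIJACKED = (
    b"HTTP/1.1 307 Temporary Redirect\r\n"
    b"Location: http://ads.example.net/go?aff=1&u=http://news.example.com/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Constructed sample: the requested page with a mining script appended.
MINED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>article</body>"
    b"<script src=\"https://coinhive.com/lib/coinhive.min.js\"></script></html>"
)
# Constructed sample: a clean response carrying a strong HSTS policy.
CLEAN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>article</body></html>"
)

if __name__ == "__main__":
    for name, raw in (("hijacked", HIJACKED), ("mined", MINED), ("clean", CLEAN)):
        print(name, injection_indicators("http://news.example.com/", raw) or "no indicators")
    print("hsts:", hsts_policy(CLEAN))
```

Run against live traffic, the same functions would be fed the bytes of a plain-HTTP fetch of a page whose genuine response is known (a site you control is best), so that any redirect or script not present in the original is attributable to the path rather than to the server. Note that the HSTS check only matters on an HTTPS response: browsers ignore the header when it arrives over plain HTTP, precisely because a middlebox could have written it.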
DNS over HTTPS (DoH) and DNS over TLS (DoT) add protection against infrastructure-level surveillance by encrypting DNS queries that would otherwise reveal every hostname a subscriber resolves.
Traditional DNS queries travel in plaintext over UDP port 53 and are trivially read by DPI systems, yielding a complete browsing profile even when page content is protected by HTTPS. By sending queries to a trusted resolver over an encrypted channel (Cloudflare’s 1.1.1.1 and Google Public DNS both offer DoH and DoT), subscribers deny the ISP its view of their DNS activity. Modern browsers support DoH, and some enable it by default, though an ISP can still redirect or block the plaintext bootstrap lookup of the resolver’s own hostname, and the destination hostname still appears in the TLS SNI field unless the site supports Encrypted Client Hello.
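To make the difference concrete, here is an added example (not code from the Citizen Lab report or from any resolver operator) that builds a plaintext DNS query, shows exactly what a middlebox recovers from it, and then shows the same query wrapped for DoH (RFC 8484 GET form) and for DoT (RFC 7858 framing). With either wrapper the only thing on the wire is a TLS session to the resolver. The resolver URL is an assumption (Cloudflare’s public DoH endpoint); the query name is the RFC’s own example.

```python
"""
Added example: plaintext DNS vs. DoH/DoT encodings of the same query.
"""
import base64
import struct

DOH_RESOLVER = "https://cloudflare-dns.com/dns-query"  # assumption


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal wire-format DNS query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def dpi_extract_qname(udp_payload: bytes) -> str:
    """What a middlebox recovers from a plaintext port-53 query: the full name."""
    pos, labels = 12, []  # question section starts right after the 12-byte header
    while True:
        length = udp_payload[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not occur in a query's question
            raise ValueError("unexpected compression pointer")
        pos += 1
        labels.append(udp_payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(query: bytes, resolver: str = DOH_RESOLVER) -> str:
    """RFC 8484 GET form: base64url without padding in the dns= parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


def dot_frame(query: bytes) -> bytes:
    """RFC 7858 framing: each message on the TLS stream carries a 2-byte length prefix."""
    return struct.pack("!H", len(query)) + query


if __name__ == "__main__":
    q = build_dns_query("www.example.com")
    print("plaintext DNS leaks:", dpi_extract_qname(q))
    print("DoH GET:", doh_get_url(q))
    print("DoT frame:", dot_frame(q).hex())
```

For www.example.com with transaction ID 0 the dns= value is AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB, the encoding given in RFC 8484 itself, so the URL can be handed straight to curl with an `accept: application/dns-message` header to confirm the resolver answers. What the ISP observes in that case is a TLS connection to the resolver’s address; the query name inside is not recoverable.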
Telecommunications regulatory frameworks should explicitly prohibit ISP-level traffic manipulation for commercial purposes. While DPI technology has legitimate network management applications (traffic optimization, quality of service, lawful interception under judicial order), its use for injecting advertising, cryptocurrency mining scripts, or any other commercial payload into subscriber traffic should be prohibited by law with meaningful penalties.
The NTRA should establish clear regulations that distinguish between permissible network management and prohibited traffic manipulation, with independent audit mechanisms to verify compliance.
Independent telecommunications auditing should be established to verify that ISP infrastructure is not being misused for surveillance or traffic manipulation.
This auditing function should be insulated from political pressure and empowered to conduct technical inspections of ISP infrastructure, including DPI deployments. International models such as the German Federal Network Agency (Bundesnetzagentur, BNetzA) or the UK’s Investigatory Powers Commissioner provide frameworks for independent oversight of telecommunications surveillance that Egypt could adapt to its own institutional context.
Export controls on DPI and surveillance technology should be strengthened to prevent the sale of dual-use equipment to countries that use it for mass surveillance or traffic manipulation. The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies includes intrusion software and IP network communications surveillance systems, but enforcement remains inconsistent.
Sandvine’s sale to Egypt despite the evident risk of misuse highlights the need for more rigorous due diligence requirements and end-use monitoring conditions in export licenses for surveillance-capable technologies.
Internet service providers should implement transparency reporting that discloses the nature and extent of traffic management practices, including any DPI deployments and their configured purposes. Subscribers have a right to know how their traffic is being processed by the infrastructure they pay to use. Transparency reports, similar to those published by major technology companies regarding government data requests, would provide subscribers with the information needed to make informed choices about their connectivity and to advocate for changes to practices they find unacceptable.
Civil society organizations and security researchers play a critical role in detecting and documenting infrastructure-level surveillance that affected individuals cannot detect themselves. The Citizen Lab’s research was the only reason this operation became public knowledge. Governments that respect privacy rights should create legal safe harbors for security research that identifies surveillance infrastructure, ensuring that researchers who document these practices are protected rather than prosecuted.
Without independent research capacity, infrastructure-level surveillance operates in complete opacity, accountable to no one.
For individual users in environments where ISP-level traffic manipulation is a risk, the primary recommendation is a reputable VPN service that encrypts all traffic between the user’s device and the VPN server, preventing the DPI equipment from inspecting or modifying any traffic content. VPN use has limitations, however: it requires technical knowledge, often degrades connection speeds, merely relocates trust from the ISP to the VPN operator (who now sees the same traffic), and in some jurisdictions may itself attract scrutiny from authorities or be blocked by the same DPI equipment.
The burden of protecting citizens from infrastructure-level surveillance should not fall on individual users - it should fall on the legal, regulatory, and institutional frameworks that govern telecommunications infrastructure.
When the infrastructure meant to connect people becomes the infrastructure used to exploit them, no individual security measure can compensate for the structural betrayal. The Sandvine/Telecom Egypt DPI operation demonstrates that the most dangerous data breaches are not always the ones that steal data - sometimes they are the ones that hijack the data pipe itself.
Protecting citizens from their own infrastructure requires independent oversight, transparent regulation, and international accountability for the companies that supply surveillance technology to authoritarian operators.