How Surveillance Became a Service
When Canadian company Sandvine (since rebranded as AppLogic Networks) withdrew from the Pakistani market under U.S. sanctions in 2023, it left behind a trove of deep-packet inspection hardware embedded in the country’s telecom infrastructure. Rather than dismantling the surveillance capability, Chinese company Geedge Networks apparently stepped in, retrofitted the existing Sandvine equipment, and built a new, more comprehensive state surveillance and censorship model.
This handoff was one of many operations documented in over 100,000 leaked files from Geedge Networks, a company that has been secretly selling what amounts to commercialized versions of China's Great Firewall to governments worldwide. The leaked documents, studied by a consortium including Amnesty International and other human rights organizations, reveal a vast number of internal communications, technical specifications, and operational logs showing how Geedge has deployed its surveillance systems across at least five countries while testing experimental features, including internet access "reputation scores."
What the files show isn’t just a single company’s work but evidence of how digital control itself has evolved. In the past, large-scale surveillance systems were either developed directly by governments (like China’s original Great Firewall) or required extensive custom integration by foreign vendors. Geedge has taken a different approach: it has created standardized products, like the Tiangou Secure Gateway hardware and Cyber Narrator software interface, that can be deployed across different countries with minimal customization or that, at least compared to earlier bespoke systems, seem very much plug-and-play.
Modern surveillance infrastructure, in contrast to those earlier systems, has become modular and infrastructure-agnostic, meaning it can be grafted onto almost any telecom backbone. In practice, the same core system that is monitoring 81 million connections in Myanmar also operates in Kazakhstan (K18 and K24), Pakistan (P19), and Ethiopia (E21). And once embedded, it’s hard to remove, showing how repression has become standardized, transferable, and essentially permanent once installed.
For example, by October 2024, the Pakistan Telecommunication Authority had renewed Geedge's license for the same monitoring capabilities, including email interception. Leaked support tickets show intercepted emails with full content and metadata flowing through infrastructure that Sandvine originally built. It doesn’t matter who manages the infrastructure; it may have been Sandvine in the past, it may be Geedge Networks now, and another company could inherit operations with minimal disruption.
On another note, modern surveillance systems create a form of dependency between nations. Geedge’s equipment sits in 26 data centers across 13 internet service providers in Myanmar alone. This isn’t software that can be easily uninstalled; it’s hardware that sits at the core of how internet traffic operates in a country. In fact, Geedge personnel are to access client systems remotely or travel on-site for repairs. The company even has "senior overseas operations and maintenance engineers" job postings on third-party sites requiring three to six months abroad in client countries like Pakistan, Malaysia, Bahrain, Algeria, and India.
Geedge equipment also required extensive modifications to existing telecom infrastructure: changes to traffic routing, data processing workflows, and network architecture. Removing it would likely be highly disruptive to core telecom infrastructure. When your country's internet monitoring depends on foreign technicians who understand proprietary hardware and software, switching vendors becomes enormously complicated.
This all creates a form of digital lock-in. Once installed, these systems become integral to how a country's internet functions, making the cost of switching prohibitively high and the risks of service disruption substantial.
Another pattern that emerged is that tools first deployed in places like Myanmar and Ethiopia later appear in pilot projects inside China. In Xinjiang, Geedge’s systems were adapted with new features such as geofencing and ‘reputation scores.’ While the documents don’t spell out an explicit strategy, they reveal a feedback loop in practice: foreign deployments are shaping the evolution of China’s own censorship model.
For instance, the Ethiopian deployment shows Geedge's system switching from monitoring to active interference 18 separate times, with the most significant shift occurring just days before the February 2023 internet shutdown. Each transition generated performance data, error logs, and technical adjustments that could inform system improvements.
In Myanmar, the deployment catalogued 281 popular VPN tools, recording their technical specifications, subscription costs, and circumvention effectiveness. Blocking mechanisms were then tested against this database, refining detection algorithms through continuous engagement with actual user attempts to bypass censorship. This created a detailed repository of circumvention tools that Geedge engineers could draw upon in future deployments.
Finally, in 2024, after years of overseas operations, Geedge launched its Xinjiang pilot project, designated J24 in internal communications. Documents show collaboration with the Chinese Academy of Sciences, specifically their Massive and Effective Stream Analysis laboratory. Photographs reveal academy students visiting Geedge's Xinjiang server facilities, directly absorbing lessons learned from international deployments. The Xinjiang implementation incorporates features that weren't present in earlier overseas deployments, like user geofencing, relationship mapping between individuals, and a reputation scoring system. Taken together, the records suggest these advanced capabilities emerged only after years of overseas operations.
What makes this entire operation possible is how Geedge packages these capabilities. The company markets itself as providing "comprehensive visibility and minimizing security risks" for clients, positioning its services within the framework of cybersecurity and network monitoring. This language deliberately mirrors how legitimate lawful interception systems are described: tools that allow governments to monitor specific communications under judicial oversight or established legal frameworks.
Yet the company's actual capabilities extend far beyond standard lawful interception. Geedge's Tiangou Secure Gateway processes all internet traffic flowing through a country, scanning every packet for content, metadata, and behavioral patterns. The malware injection practice represents perhaps the starkest departure from lawful interception norms. The system has the ability not only to inject malicious code into users' internet traffic but also to monitor and manipulate digital communications.
Another example is a prototype ‘reputation score’ system… It’s not clear whether this feature was ever deployed at scale, but its inclusion in internal testing shows how far Geedge is willing to push beyond lawful interception. Each internet user receives a baseline score of 550, which must reach 600 through submission of personal information, including national identification, facial recognition data, and employment details. Users below this threshold cannot access the internet at all. No established lawful interception framework includes conditional internet access based on compliance scoring.
Perhaps the most sobering realization from this leak is how easily comprehensive surveillance can get packaged as something else. Twenty years ago, building a surveillance apparatus like China's Great Firewall was a massive undertaking that required state resources, and, controversies aside, everyone knew about it. Now, governments, vendors, and civil society all face a choice: accept these systems as neutral infrastructure, or confront the ethical and political consequences of deploying surveillance that far exceeds traditional lawful interception.