Chinese technology capable of mass surveillance 'installed' by Myanmar internet company funded by UK
An internet service provider backed by European state development funds in military-run Myanmar appears to have installed highly sophisticated Chinese technology that information gathered by reporters indicates is being used for online surveillance.
An investigation by Finance Uncovered (FU) and Myanmar Now (MN) has collected evidence from multiple sources indicating that Frontiir has installed equipment capable of tracking people online, blocking websites and preventing people from using virtual private networks (VPNs) which allow users to side-step censorship controls.
The equipment was developed by Geedge Networks, a controversial Chinese cybersecurity company founded by the so-called father of China’s Great Firewall, Fang Binxing.
Our findings bring into focus decisions made by the governments of the UK, Norway and Denmark to inject $40 million into Frontiir through their international development funds in return for shares in the company.
Digital crackdown
Information obtained by FU and MN shows that Geedge equipment is seemingly housed inside one of Frontiir’s data centres in Yangon, Myanmar’s biggest city. It appears to be the same technology that featured in a separate investigation by activist group Justice For Myanmar (JFM) in June 2024.
In that investigation, documents leaked to JFM revealed that Myanmar’s junta had obtained Geedge’s equipment, which could be used to intercept and decrypt messages, block certain websites and prevent people from using VPNs.
Around the time the Geedge technology was reportedly activated by the junta in late May, activists claim that there was a dramatic reduction in internet freedom in Myanmar.
Myanmar’s military has waged an unrelenting crackdown on digital freedom since it seized power more than four years ago, sparking a brutal civil war that has seen thousands of people killed and millions displaced.
Since the February 2021 coup, human rights observers say nearly 2,000 people have been arrested for criticising the junta online, or posting support for anti-regime groups.
In September 2021, Norwegian telecommunication provider Telenor announced it was withdrawing from Myanmar because of the junta’s demands that it activate a “lawful interception” system. Telenor said cooperating in such a way would violate Norwegian and international sanctions.
A former Telenor employee told reporters they believed it would be “impossible” for an ISP to operate in Myanmar today and not allow authorities access to information on its users.
The junta has also imposed internet blackouts in areas where troops are battling ethnic armed resistance groups and civilian defence forces. These continued even after a devastating 7.7 magnitude earthquake struck Myanmar in late March, hindering rescue efforts.
Myanmar's March earthquake (Magdalena Chodownik/Anadolu, Getty Images)
‘Bad for the people’
FU and MN’s findings are likely to present a quandary for the governments of the UK, Norway and Denmark, all of which own shares in Frontiir. Their funding has been crucial in driving its rapid growth to become one of the largest ISPs in Myanmar, providing internet services to millions of people through its Myanmar Net brand.
A spokesperson for Frontiir denied that it had ever “built, planned, or designed anything related to surveillance” on its network in a statement sent to FU, saying any such claims were “completely false.”
It has also told its European investors that “its network has never been used by the Myanmar government to intercept or decrypt communication”.
The UK's development fund, British International Investment (BII), has invested $26 million into Frontiir’s Singapore parent company. Norfund also invested 26.9 million Norwegian kroner ($3 million) and Denmark’s IFU spent 70.1 million Danish kroner ($10.5 million) on Frontiir shares.
It is believed that the funds’ equity stakes are now worth less than the sums invested. This means that were they to divest, they would make a loss.
All of the investments have been made since 2019 — after the UK, Norway and the European Union imposed sanctions barring their companies from providing internet surveillance or equipment to Myanmar authorities.
Pressed about FU and MN’s findings, BII, Norfund and IFU said they had received assurances from Frontiir that its network has never been used by Myanmar authorities to intercept or decrypt communications. All of them emphasized that Frontiir was a key provider of low-cost internet services, saying they had no plans to sell their shares.
“Divesting our stake in Frontiir would be bad for the company and bad for the people in Myanmar,” said a spokesman for BII.
Geedge Networks founded by Fang Binxing (above)
‘Security and intelligence’
From its Beijing research and development centre, Geedge boasts it is a “global provider of network security and intelligence equipment and solutions”.
Co-founded by Fang Binxing, the man credited with building China’s Great Firewall, one of the world’s most notorious internet censorship systems, Geedge claims it offers “encrypted traffic visibility” to broadband service providers and telecommunication companies around the world.
Last year, a JFM investigation obtained leaks which suggested that Geedge’s Tiangou secure gateway (TSG) sits at the heart of the Myanmar junta’s newly upgraded surveillance system.
Described by Geedge as a “one-stop solution for network perimeter security,” TSG is equipped with “deep packet inspection” capabilities, meaning it can capture, decode and analyse packets of data, such as the content of emails and the details of a user’s internet traffic. This technology can be used to neutralise sophisticated cyber attacks — but also to monitor and eavesdrop on people’s communications.
New information provided to FU by well-placed sources suggests that Frontiir hosts the same TSG technology in its own data centre in east Yangon. This has the potential to allow the junta’s cybersurveillance team to remotely monitor web traffic and “intercept most things,” according to one source.
Geedge did not respond to repeated requests for comment.
Digital rights activists claim that the junta has rolled out technology allowing its cyber security team to remotely monitor web traffic not just at Frontiir’s Myanmar Net, but all telecommunications companies and ISPs in Myanmar.
“The military now has the ability to look into network activities live. They don’t even need to be there physically, they have their own monitoring office,” said Wai Phyo Myint, Asia Pacific Policy Analyst from respected digital rights campaign group, Access Now.
She called on investors to take a closer look at ISPs like Frontiir, if they have “fully complied with military directives,” including “compliance with data requests, and the interception of communication lines and blocking thousands of websites and apps”.
“We strongly urge investors and international governments to scrutinise these investments and consider imposing sanctions on companies whose operations directly or indirectly benefit the military and to stop technology transfer to those companies,” she said.
UK foreign office minister Stephen Doughty voiced concerns in 2020 about BII and Frontiir
‘Urgent investigation’
Concerns about Frontiir’s compliance with the Myanmar government’s demands to censor the internet were voiced in 2020, when FU and MN reported that it was blocking access to thousands of websites on the Myanmar government’s orders.
The UK’s development fund, then known as CDC Group, pledged an urgent investigation after questions were raised in the UK parliament about Frontiir’s censorship of the internet in June of that year.
But rather than divest its $20 million stake, CDC invested a further $3 million the following month.
Founded by three US citizens and led by Myanmar-born MIT doctorate Godfrey Tan, Frontiir’s business grew swiftly after a previous military regime ceded power to a quasi-civilian administration that was succeeded in 2015 by the first elected civilian government in a generation.
But concerns were already growing that Myanmar’s military was spying on the country’s rapidly expanding pool of internet users.
In 2018, the UK and European Union imposed sanctions barring their companies from helping Myanmar authorities to surveil the internet, fearing the military was using this information to carry out atrocities against Rohingya Muslims.
These sanctions did not stop Norway, Denmark or the UK from investing in Frontiir the following year — or from increasing their stakes even as the company devised a proposal to build a system to listen in on its users online.
Lawful interception
In November 2020 — just a few months after the BII increased its investment in Frontiir — Myanmar Net drafted a “proposal” for a so-called “lawful interception” system that would allow law enforcement agencies to track its users’ locations, read their messages and emails, and the content of any audio or visual files they exchanged (see the full document under this article).
At the request of authorities, the network proposed creating “a dedicated line connection to transfer intercept related information and content of communication,” according to a copy of the plan leaked to reporters.
As long as they had a warrant, Myanmar Net said it would provide law enforcement with intercepted data for up to two weeks at a time.
“This document specifies the details and protocols of the three types of Handover Interfaces … which Myanmar Net … humbly proposes to use to cooperate with the Law Enforcement Agencies in conducting Lawful Intercept operations,” said the document.
After initially denying involvement in any interception system, Frontiir acknowledged to FU and MN that it had submitted the proposal to authorities, which at that time were run by the democratically elected government of Aung San Suu Kyi.
But a spokesperson said the document “merely contains ideas about [lawful interception] based on publicly available information”.
Such systems are used by law enforcement agencies to catch criminals all over the world, but under international rules they are only meant to be deployed after a legal vetting process to prevent abuse. In the proposal, Myanmar Net highlighted the sensitivity of interception requests, saying each required a valid warrant or the company could face “legal ramifications”.
“Lawful Intercept is a powerful tool and Myanmar Net is committed to comply with the international standards,” said the document, dated November 15, 2020.
The network must “exercise the highest degree of care and observe extraordinary diligence to ensure controls are in place to curtail abuses and to protect the privacy rights of individual citizens,” it added.
But just a few weeks after Myanmar Net submitted its proposal, Telenor – one of the largest telecommunications companies operating in the country at the time – warned that authorities intended to scrap such legal controls. In a December 2020 update, the Norwegian telecoms operator said the government wanted to access ISPs’ systems directly, without needing case-by-case legal approval to intercept people’s data.
“Without sufficient legal safeguards, this creates an opportunity for misuse and breach of customers’ human rights,” Telenor said.
After the February 2021 military coup, any attempts to bring in legal safeguards to protect Myanmar’s citizens online were scrapped and the proposed lawful interception system was never built. Instead, the junta dramatically expanded its control over the internet, blocking websites, enforcing rolling blackouts and spying on users.
Frontiir shut off the internet in the commercial hubs of Yangon, Mandalay and the capital Naypyidaw on the military’s orders on the day of the coup. Since then, it has periodically blocked social media platforms, including Facebook, Twitter (now X) and Instagram, as well as independent media and civil society sites.
A protestor issues a pro-democracy salute (Moe Oo/Myanmar Now)
Surging profits
The political upheaval appears to have made little difference to Frontiir’s profits.
In an unprecedented insight into a leading Myanmar technology company, leaked financial statements obtained by reporters show the company’s profits after tax hit $7.1 million in the year ended September 2021, some $270,000 lower than the previous year.
In the following six months, profits surged to $4.8 million after tax as the company rapidly added new subscribers, according to its accounts. The leaked accounts show that no dividends were paid out in the period covered, consistent with statements issued by Frontiir’s European state investors, BII, Norfund and IFU.
As business boomed in the midst of what has developed into a vicious civil war, Frontiir even provided infrastructure for the department responsible for Myanmar’s state internet surveillance.
In a cover letter (also see the full document under this article) attached to the lawful interception proposal, a senior Frontiir manager wrote that the company had installed fibre-optic cables for the building that houses the Information Technology and Cyber Security Department (ITCSD).
“As an operational update, Frontiir's fibre connection has reached the NayPyiDaw S12 Exchange and work is proceeding,” said the November 2020 letter, which was addressed to the director general of the Directorate of Communications.
FU understands the ITCSD continued to use Frontiir’s cables after the February 2021 military coup.
Frontiir’s spokesperson did not respond to repeated questions about the fibre optic cables. Norfund, the IFU and BII said the company told them that Frontiir was required to lay the cables as part of its licence, but they were never used.
The former head of the Post and Telecommunications Department and the current head of Myanmar’s cybersecurity team both denied any knowledge of Frontiir’s involvement.
Myanmar Net connecting internet users - but at what cost?
Sanctions loophole
UK, Norwegian and EU sanctions explicitly forbid companies from those countries from providing Myanmar authorities with internet surveillance equipment or services, such as monitoring communications.
But lawyers said loopholes in the sanctions regime mean these restrictions don’t extend to investors in companies from other parts of the world. So the UK’s $26 million equity stake in Frontiir, and the millions more invested by Norway and Denmark, don’t appear to violate the governments’ own sanctions.
Pressed by reporters, spokespeople for the UK, Norwegian and Danish development funds all said Frontiir had assured them it was not enabling surveillance by Myanmar’s junta or handing over data on its users to authorities.
“To date, we have seen no evidence that the Myanmar government has accessed the Frontiir network to intercept or decrypt communications,” said a spokesperson for the BII, adding the company had assured them it has “never been subject to interception”.
He defended the BII’s decision to invest in Frontiir, even after questions were raised about its network blocking websites on government orders in 2020.
“The rationale for investing $3 million in 2020 was the same as for making the earlier investment – to accelerate the rollout of vital internet services to millions of people,” he said.
Norfund said it had been monitoring its stake via its investment partner, which said Frontiir had assured them it does not host a surveillance system that can decrypt web traffic or correlate web traffic to users’ private data.
“We are aware of the challenging situation Frontiir is in, and we are monitoring the situation, but we have to this date not seen any evidence that gives us reason to doubt what the company is telling us,” said a Norfund spokesperson.
The IFU echoed the other funds in its responses, saying Frontiir had assured the fund that it had never provided user information to authorities or installed any system that “can monitor and decrypt any encrypted data”.
As a result, a spokesperson said, “we have not identified compelling arguments to suggest that relinquishing our equity stake in the company would contribute positively to the situation in Myanmar.”
Joseph Wilde-Ramsing, an expert on the human rights obligations of international companies from SOMO in the Netherlands, described the investors’ responses as weak. He said he believes the UK, Norway and Denmark are failing to enforce the OECD’s guidelines on responsible business in their dealings with Frontiir.
Under those rules, which are legally binding for all three OECD members, he said investors have a responsibility to use whatever leverage they have to prevent companies violating human rights.
“In Myanmar, we’re talking about people getting killed, arrested and kidnapped, so the burden for how quickly companies need to act, transparency and the robustness they must show, is high,” Wilde-Ramsing said.
In written statements sent to reporters, BII, Norfund and IFU said they followed OECD guidelines.
Main image: Frontiir's headquarters in Yangon (Kan Kaung/Myanmar Now)
Edited by Nick Mathiason and Ted Jeory
The "proposal" for a so-called "lawful interception" system drafted by Myanmar Net in November 2020. The document outlines a system that would allow law enforcement agencies to track users’ locations, read their messages and emails, and the content of any audio or visual files they exchanged
The cover letter sent by Frontiir to Myanmar authorities explaining that the company had installed fibre-optic cables for the building that houses the Information Technology and Cyber Security Department (ITCSD)