This is no longer the case. Francisco partners bought Sandvine in 2017 and while there is still a development team in Waterloo, the execs are largely based out of Dallas, Texas.

Agree on the company turning evil. Sandvine 1.0 was a joy to work at. Sandvine 2.0 is a disaster.

You still see the packets on the wire. Every flow has a 5-tuple associated with it that uniquely identifies the flow. Sandvine also can correlate other orthogonal pieces of information such as subscriber, location, time-of-day, destination, etc.

So by itself, an SSL-encrypted packet means the device cannot decrypt the payload. That's not the point. I know already from the network that the packet came from some IMSI, which was connected to some eNB at a specific location, during some time of day where there was a demonstration, and it the destination was a specific AS community that hosts something I want to prevent.

Those metadata are enough to make me suspicious, or fit a criteria such that I can block that traffic based on the above conditions.

Source: Me: Ex-Sandviner worked in Tunisia and Egypt during the arab spring in 2012 to overcome government regulations.