Bulgaria has granted a Sofia-based surveillance firm permission to export phone tracking, interception, and monitoring systems to intelligence agencies in countries with a documented history of suppressing dissent. The licenses, leaked and published by Human Rights Watch on March 26, expose a technology supply chain that, under the veil of government authorizations, fuels pervasive control over already oppressed populations.

This is not an isolated diplomatic incident: the documents list government buyers in Azerbaijan, Serbia, Malaysia, Mexico, the United Arab Emirates, and at least other unspecified contexts. Circles BG, the company at the center of the case, is known among analysts for its lawful interception and location tracking solutions—tools that exploit mobile network vulnerabilities to geolocate targets and intercept communications.

The technology behind the scenes

These tools—often based on IMSI catchers, SS7 interception systems, or monitoring gateways—typically operate in an on-premise mode. That means they are installed directly in the buyer's infrastructure, far from external scrutiny. This choice is deliberate: it gives the purchasing government full control over collected data, avoids dependence on third-party clouds, and makes any independent audit nearly impossible. For authoritarian regimes, local deployment is a prerequisite: every bit of information stays within national borders, sealed under the label of “national security.”

The costs of such infrastructure are generally opaque, but they are known to require significant upfront investment—in hardware, software, and training—followed by multi-year maintenance contracts. The Total Cost of Ownership for a nationwide surveillance system can easily reach tens of millions of euros, but for a repressive government, price is secondary compared to the control it gains.

The paradox of sovereignty

The Bulgarian case is an extreme example of how technological sovereignty can be used for oppressive ends. The very principle—keeping data and infrastructure within one's own borders, without relying on external providers—is at the heart of the debate on Large Language Models and on-premise AI. European companies that evaluate deploying local LLMs to comply with GDPR or to protect trade secrets do so with protective motives. But when the same approach is adopted by authoritarian regimes, sovereignty becomes a shield to violate human rights.

It is no coincidence that modern surveillance tools are almost always self-hosted. In intelligence circles, the cloud is seen as a risk because it introduces an intermediary. Self-hosting is the norm, and Circles BG's solutions are no exception. Yet transparency is zero: these implementations escape international oversight precisely because they are closed and proprietary.

Implications for those evaluating on-premise deployment

For those in the tech sector, the Bulgarian case offers a bitter lesson: the choice of on-premise architectures is never purely technical, but deeply political. When an organization decides to keep its AI inference on its own servers, it does so for control, long-term TCO reduction, compliance, and data sovereignty. However, the same motivations can be twisted to build walls that conceal abuses. The difference lies in regulatory frameworks and transparency of audit processes.

AI-RADAR closely follows these dynamics, not only for Large Language Models but for the entire local infrastructure ecosystem. The key question is not whether on-premise is the right choice, but whom it serves and under what controls. The Bulgarian licenses demonstrate that without accountability, technology becomes a tool of repression.