On Wed, Dec 10, 2008 at 2:17 PM, Stanislav Sinyagin <ssinyagin@yahoo.com> wrote:
What if a whitebox is hacked, and the intruder can inject new IP addresses and
get hold of traffic content? There are a lot of things one could do with that...

Like economic/business "intelligence" (or lack of intelligence).

That's a bit the same problem as having that kind of development done in a private firm.

The private firm needs money. It may agree to build some backdoor way to inject some IPs in the BGP mesh for a short duration to "tcp reassembly"/parse it etc. in the layer7 box (which is a Linux box).

Worse, in every software shop I've been in, adding a backdoor to a new development has always had a "cool" (even if childish in reality) effect. Getting money in the pocket, too. (Solving the rest of this equation is left as an exercise to the reader :-)

So if the government wants to push such filtering, they will need to propose a completely open implementation for peer review, compiled, packaged and signed by a team of 5 - 10 people taken out of the community of network operators and end users.

cheers