BT: no transparency report in the foreseeable future

Speaking at the Annual General Meeting (AGM) of BT (formerly known as British Telecom) today in London, Access Senior Policy Counsel Peter Micek questioned the company on transparency reports, surveillance, and sweeping data retention legislation making its way rapidly through the UK Parliament.

In response to Micek’s questions, asked on behalf of hundreds of members of Access’ global community and ShareAction (a responsible investing charity which Access is a member of), the company confirmed that it would not be releasing a transparency report in the near future. It’s reasoning: There’s already “significant” transparency currently available from the UK Interception of Communications Commissioners (ICC) disclosures. 

In reality, the ICC report BT referenced is far from “significant”: The information it provides is vague, lacking in scrutiny, and circumscribed in its scope. For instance, GCHQ conducts most of its surveillance via satellites and fibre-optic undersea cables, which do not fall under the Commissioner’s purview, and which are thus missing from the report. Even if the UK’s Commissioner were to achieve high standards of transparency, the UK is only 1 of 170 countries where BT provides services. We need to know more about BT’s involvement in facilitating surveillance worldwide.

BT also disregarded pleas from privacy advocates to divulge links between GCHQ and other government surveillance agencies and militaries. Chairman Sir Michael Rake dismissed the comparison drawn between BT and other companies that have released transparency reports, such as Vodafone, calling BT an “entirely different company.” This description is simply untrue. Though Vodafone provides wireless service while BT does not, both are UK-based telecommunications companies that have responsibilities to respect the privacy and other rights of users, even when legal restrictions in the UK and elsewhere at times make it difficult to do so.

Last month, Vodafone released a groundbreaking transparency report that not only reported statistics of user data protection in 14 countries, but also revealed the numerous incidents in which governments directly accessed Vodafone networks. By way of comparison, BT’s conspicuous silence leaves us and the company’s users to wonder how it is assisting and facilitating government surveillance.

In 2013, human rights charity Reprieve issued a complaint to the UK National Contact Point of the Organization for Economic Cooperation and Development (OECD) regarding BT’s participation in U.S. government-led lethal drone strikes. Reprieve claimed that BT provided links between U.S. military bases in Yemen and the U.K. According to Reprieve, rather than simply providing its normal, commercial broadband links, BT specifically tailored the fiber-optic connections for military purposes.

In response, BT was quick to note that the Organization for Economic Cooperation and Development (OECD) dismissed this claim issued by Reprieve. This result seems to stem more from lack of information provided from BT, which would not release any due diligence it carried out on the contracts with the U.S. military, than on definitive findings of innocence.

When asked about BT’s participation in government surveillance programs, Chairman Rake assured the public that BT complies with law. But despite the company’s assurances, the law is not so black-and-white. According to a new report from the UN Office of the High Commissioner of Human Rights, private companies have many “pushback” options at their disposal, including “interpreting government demands as narrowly as possible, seeking clarification from a Government with regard to the scope and legal foundation for the demand, requiring a court order before meeting government requests for data, and communicating transparently with users about risks and compliance with government demands.” BT did not address any such “pushback” strategies.

Remarkably, Chairman Rake did take the opportunity to tout BT’s human rights commitments — even though BT hasn’t published a strong human rights policy (although one is apparently in the works). Access maintains that human rights commitments mean little without due diligence, and for now BT has little to stand on.

Support for data retention

This announcement comes at a vital time, as the U.K. Parliament is currently trying to push through emergency legislation mandating the retention of user data, the Data Retention and Investigatory Powers Act (DRIP).

Why now? A Court of Justice of the European Union (CJEU) ruling in April struck at the heart of data retention, finding the practice itself to violate the E.U. Charter of Fundamental Rights for its unnecessary and disproportionate interference with user rights. DRIP purports to replace legislation passed under the now-invalidated directive, but DRIP does not account for the recent CJEU determination. DRIP is moving rapidly through the UK Parliament and may be passed into law as soon as this week. This unpopular bill will require telecommunications companies to keep possession of customer data for up to a year, exposing mass amounts of information to government surveillance. The government claims that it is merely attempting to “clarify” existing law and to ensure that internet service providers and telcos continue to comply with U.K. law enforcement, even as the bill’s text grants sweeping new surveillance powers.

When asked to comment, Chairman Rake said data retention was considered a “political” question, not meant for private sector lobbying. He maintained that BT complies with U.K. law by retaining user data for one year, and that data are handed to the government based on valid warrants. However, calling the protection of user information a “political question” completely neglects the company’s responsibilities under the U.N. Guiding Principles on Business and Human Rights. A company cannot prevent or remedy its adverse human rights impacts if it doesn’t first assess what those impacts are! Further, there is no way to examine the accuracy of the Rake’s statement, as the Regulation of Investigatory Powers Act (RIPA) imposes secrecy on all warrants issued.

Chairman Rake explicitly signalled support for the emergency DRIP legislation currently in Parliament. “Quite frankly,” he replied to a question about the expanded data retention measures, “we think that was an appropriate step to take” given the recent ruling at the CJEU against data retention. To be equally frank, Access does not believe a telco can honestly commit to uphold human rights on the one hand, and support data retention laws on the other. BT’s stance distances the company from its peers, including Verizon, who testified before U.S. Congress to the unnecessary and disproportionate costs the telco would incur to retain user data beyond what’s needed for business purposes.

In essence, Chairman Rake has declared that BT will continue business as usual without a comprehensive disclosure to its customers or to the international community regarding its use of data and how it shares that information with governments around the world.

These actions cannot go unchecked and without repercussions. Users worldwide must show that this hidden sharing of information with governments will not be tolerated. Transparency reports should be a vital, required piece of documentation released by all companies that hold user data. Such information is critical to understanding the scope and scale of government surveillance.

Investors and users should demand greater disclosures from BT on its compliance with government surveillance demands, and vocally oppose increased data retention requirements. As the company develops its human rights framework, user privacy and freedom of expression should rank at the top of the list for BT, a global company that must comply with human rights obligations, not just local law.