Five lessons from the new Vodafone transparency report


After breaking ground with its first transparency report last year, Vodafone has continued digging to produce its second annual report. We welcome its development, despite the fact that in some cases progress has been slower than hoped regarding the company’s impact — and government obstacles to — respecting user privacy and free expression.

The 2015 report includes updated country-by-country information on the number of wiretapping or user data requests submitted between April 2014 to March 2015 (or more accurately, those requests that the company is allowed to publish). Changes in Italian law and increased use of surveillance authorities, as well as difficulties engaging with Netherlands officials, merit review. Vodafone also uses the report to introduce policy positions, including freedom of expression principles, acknowledges the growing use of encryption, and addresses the quickly closing divide between content providers and telcos.

Below, we take a close look at the new report, identifying five lessons for Vodafone — as well as for Access and users around the world  — as we work toward a rights-respecting telecom sector.

1.) We know more about surveillance laws in each country, but much remains secret

Vodafone’s inaugural transparency report last year included a legal annex with detailed information on the laws and regulations related to lawful intercept, as well as government access to protected information, in the 28 countries where the company directly operates.

This legal annex introduced a model for telecom transparency, as Telenor recently followed suit [PDF], publishing information about the surveillance laws in countries where it operates. Recently, the Telecommunications Industry Dialogue compiled the two reports to provide an overarching resource on national legal frameworks. 

In February 2015, Vodafone updated its legal annex to include information on the censorship-related legal powers that government authorities enjoy. The resource now includes an overview of the laws in each country that grant government agencies authority to shut down networks or communication services, block access to URLs and IP addresses, or even take control of a telecommunication network.

Reading through this updated legal annex can be disheartening, as it provides details on the expansive legal powers in each country through which our right to secure communications could be infringed, demonstrating that there are unequal mechanisms lacking necessity, proportionality, clarity, or oversight. However, we applaud Vodafone’s efforts in preparing this resource, as the detailed study of the legal realities in 28 countries shows the company’s strong commitment to ensuring that the authorities’ requests are coming through legal channels. A further step would be to publish any licensing agreements, administrative orders, and directives from the licensor that the company is subject to. If the company is specifically restricted by applicable law from disclosing these agreements, it should publish general terms and urge governments to drop any bars to disclosure.

2.) Numbers are good to get (when we can get them), but they don’t always show the full picture

Vodafone’s 2015 report updates the country-by-country list on the number of warrants that the company receives from various government agencies, for wiretapping and for users’ communications data. However, it is worth noting that the company provides the number of wiretapping requests for only 2 out of 28 countries of operation (the Czech Republic and Spain). For the remaining 26 countries, the company:

  • is banned from reporting (nine countries);
  • was advised not to report by authorities (Ireland);
  • refuses to publish data when the government does (eight countries); or
  • states there has been “no technical implementation” (eight countries).

What does this mean? Can we even make meaningful inferences by interpreting the numbers? One way to do that is to compare the numbers for different time periods, to identify trends such as large increases in warrants. For example, in Italy, there was a one-year increase of 260,000 in the number of warrants requesting communications data  an alarming 43 percent increase in such warrants. On top of that notable increase, which was reported by only one of the eight telecoms offering mobile services in the country, the legal annex mentions the Prime Minister Decree of January 24, 2013, which “has established guidelines to ensure cyber security and national security and confirms the crucial role played by ‘ad hoc agreements’ with communication service providers.”

More specifically, the decree introduced the requirement that communication service providers such as Vodafone, “can be required, among other things, to allow intelligence agencies and the National Security Department to access their databases on the basis of specific agreements setting out the modalities of such access.” This signals that on top of the 866,578 requests by Italian authorities for user data, there might have been instances when the authorities had direct access to company databases. This revelation is not likely to be limited to Italy.

The upshot is that we cannot easily make inferences from the data in transparency reports, as surveillance powers in each country can be expanded or used more intensively for a variety of reasons, ranging from changes in the political climate, to legal reforms, to ad-hoc agreements. Yet transparency reports can be a vehicle to spotlight these powers.

On top of all of this, there’s another limitation to analysis: the number of warrants does not necessarily show how many users were affected. In the transparency report, Vodafone explains this caveat with a hypothetical example, demonstrating that a single warrant can lead to “more than 100 separate instances of authority access to individual devices used by individual subscribers, not to mention those with whom individuals targeted may have communicated.” This is quite worrisome, and we hope that such lawful requests are indeed necessary and proportionate, and abide by international human rights frameworks, while also pushing for more uniform reporting standards to lessen confusion.

3.) Free expression reporting has a long way to go


Vodafone has introduced a set of principles on freedom of expression based on international laws and principles. The company also rolled out recommendations for governments, calling for statistics on content blocking, and more creatively, “permitting telecommunications operators and service providers to supply an online ‘splash page’ instead of a simple ‘404 page not found’ error message” following a ban.

Vodafone does not release any numbers on its freedom of expression impacts. Indeed, many tech and telecom companies appear to have difficulty revealing their own content takedowns, terms of service and identity policy enforcement, hate speech policing, and other actions that directly impact users’ freedom of expression.

For our part, Access has begun to track network shutdowns or blocking for non-technical reasons, such as to thwart demonstrations during elections, or even to prevent students from cheating on exams. We encourage all companies to preserve evidence of shutdown requests, to work with civil society to map such events, and to take other steps identified in our Telco Action Planand Telco Remedy Plan to address this growing problem. But more experimentation is needed with regard to reporting on free expression in order to realize its potential for mapping progress in the free flow of information online.

In terms of its operations, we hope that Vodafone will find ways to demonstrate real commitment to these principles via effective measures such as lobbying governments to reform and revise laws to “minimise or mitigate the impact on freedom of expression arising from the implementation of a lawful demand.”

4.) Even with industry prodding, governments fight to retain secret surveillance powers

Since the beginning of 2014 when Vodafone publicly committed to greater transparency regarding government surveillance, the company has continued to improve its reporting mechanisms. However, Vodafone has not made much progress fighting against governments who demand direct, secret access to its networks and block the company from revealing data handovers. There’s no indication that governments who enjoyed direct access last year have lost their secret entrances to Vodafone’s data and networks.

In its transparency report, Vodafone lays out reasons why it is the government’s duty to publish statistics on data handovers. Access, too, supports oversight and transparency from national governments. However, dual accountability is necessary for meaningful transparency, since single-sided reporting  from governments or companies alone  can be troublesome and insufficient. We hope that Vodafone and other telcos will start publishing statistics on countries where there is government reporting, and where laws about reporting are unclear.

For example, in the Netherlands, opacity, not transparency, is the status quo. Vodafone states that it has engaged in lobbying efforts with the Netherlands government only to make “little progress on the need for change to the current reporting methodology.” More information on such lobbying, as well as on the involvement of other stakeholders, including civil society, is needed for more meaningful transparency, and for results that we and our local partners would call “an epic win.” It is positive, nevertheless, to see that transparency reporting can encourage public dialogue on these rather shady and unclear laws, especially as there are active policy reforms on data privacy around the world.

5.) More telcos need to follow Vodafone’s lead


Vodafone sets the bar for telecom companies looking to respect rights through transparency on challenges to privacy and free expression. Whole continents, such as Latin America and Asia, remain dark, as neither telecoms nor governments reveal their handover of user data. Will Telefonica issue a transparency report and legal annex of surveillance powers? Does SingTel wish to communicate risks and “know and show” its human rights expertise across Southeast Asia? Will Turkcell, who offers services in diverse jurisdictions such as Turkey, Ukraine, and Belarus, create a human rights policy showing commitment to protecting privacy and freedom of expression? Where possible, Vodafone should join forces with these and other companies to push reform on a country-by-country basis.

In sum, Access welcomes this report, despite disagreeing on some particulars, and we urge telcos and governments across the sector to help implement its recommendations.

For more company reports, see the Transparency Reporting Index.