
More telcos join the transparency push to expose government surveillance


Multinational telcos take different approaches in different countries, and sometimes give governments direct access to operators’ networks and/or customers’ communications data

With governments from Germany to Australia increasing data retention mandates for telecommunications companies, requiring data localization, and accessing more user data held by telcos, transparency reports have become increasingly important. They are one of the only ways that the general public can assess the scope and scale of government surveillance, as well as monitor radical requests by governments, such as requests for internet shutdowns.

There are now two more reports by multinational telcos, one from Telenor [PDF] and one from Orange [PDF]. That makes a total of 15 telcos that are now publishing these reports, in a trend towards transparency that is growing internationally.

What do these multinational telco transparency reports show? They typically include the number of requests for real-time interception of, or access to, stored user data for each country where the company operates. But they can reveal much more than that.

For example, the Orange report for 2014 shows that in Spain, there were 48,305 interceptions, which refers to government requests for the content of communications. This means that on average, there was one wiretap order for every 240 Orange users. In Belgium, meanwhile, there were 35,527 requests for various types of customer data, including “details of calls, identities, addresses, locations of mobiles, and invoicing details.” These are large numbers. But remember: Orange is not the only, or even the largest, operator in some countries. In Spain, for instance, Telefonica is the dominant player and does not publish a transparency report. So these figures show only a portion of the surveillance actually taking place.

Below, we take a close look at what else the two new transparency reports reveal, exploring the current topography of privacy and the free flow of information online. Then we give our recommendations for improving transparency reporting, including providing guidance for telcos on how to achieve “dual accountability” and make their reports more accessible and useful to the public.

Beyond the numbers: telcos sometimes give authorities direct access to operator networks

Telenor, following the industry norm, provided actual numbers of requests for user data except in instances where it is prevented by law from doing so. In addition, Telenor gave an overview of the relevant laws in the 13 countries where it has major operations. This is something that we hope to see Orange do in the extended version of its transparency report, especially given that Orange is one of the founding members of the Telecom Industry Dialogue. We also hope that Orange goes beyond that by including information about possible “major events” that the company may have faced in the past year that have implications for users’ access to the internet, freedom of expression, or privacy.

In addition to providing the standard numbers, Telenor admitted that in a few markets, “authorities have direct access to operators’ networks and/or communication data.” That means that Telenor would not even know how often these authorities are accessing user data. This kind of practice violates rule of law principles and disregards international human rights frameworks that safeguard privacy.

There are many channels besides these unlawful backdoors for government agencies to put our rights at risk. Governments exercising “emergency powers” can allow police to take control of an operator’s network. Some governments exercise the authority to request a complete shutdown of internet services during times of unrest, a practice that has recently been declared in contradiction of our fundamental rights.

Fundamental rights are treated differently in different countries

Telenor has illustrated the challenges to respecting users’ rights, both in its transparency report and in a public sustainability seminar in mid-May.

For example, in Myanmar, laws to govern telecom operations were passed only in 2013, and these laws lack necessary legal and regulatory frameworks, such as rules to govern the interception of communications.

While Telenor previously maintained that it would not cooperate with the government and hand over user data until the new “lawful intercept” law was passed, it has begun to hand over data based on case-by-case assessments. To date, Telenor has complied with 3 of 15 requests [PDF] for data in Myanmar, the site of government persecution campaigns that target oppressed religious minorities like the Rohingya, and also the site of communications surveillance of human rights defenders [DOC].

Access urges Telenor to exercise extreme caution in handling any government request for data or interception, and to follow strictly the guidance in the Access Telco Action Plan [PDF], as well as the Industry Dialogue Guiding Principles. We also urge Telenor to consult outside stakeholders such as the new UN Special Rapporteur on the right to privacy, as necessary. Any new laws related to communications surveillance passed in Myanmar must protect users’ rights and ensure the privacy protections required by international human rights frameworks. At minimum, these frameworks require that court orders be issued for any type of government access to protected information, give clear responsibilities to providers, and authorize user notification. We expect international partners like the World Bank to prevent, mitigate, and remedy any misuse of funds or violations of telecom user rights in Myanmar.

In Bulgaria, the legal and privacy risks are different. They stem from political instability and corruption, and rights infringements take place even though the Bulgarian legal frameworks are “fully harmonized” with the EU, and thus more predictable.

In Thailand, the coup d’etat in 2014 brought about an order “empowering officials to gather, acquire and examine any data.” [PDF]

As we have shown, there are stark differences in the legal and political environments where multinational telcos operate. That makes it even more important for these companies to abide by their human rights commitments, grounded in the UN Guiding Principles on Business and Human Rights. This would ensure that their services do not infringe, but rather facilitate and advance, people’s fundamental rights.

Our recommendations: we need “dual accountability” for telcos and governments

Even though there is a growing trend toward corporate transparency, telcos share the opinion that it is not the private sector but governments that have primary responsibility for transparency about requests for user data. In fact, when governments themselves publish statistics, companies like Orange and Vodafone refrain from reporting the numbers themselves. This is a problem because government reporting is usually delayed and aggregated across companies and different types of requests. Governments may also have more motivation than do telcos to shield or hide the true extent of surveillance being conducted.

Instead, we need “dual accountability,” meaning separate government and company reporting, so that the numbers can be objectively compared, and to build a norm that transparency on surveillance is expected of companies, whether they are multinational or domestic.

We welcome the new reports released by Telenor and Orange, and we look forward to reading the expanded version of Orange’s report. We encourage — and expect — more telcos to open up about their involvement in government surveillance, by publishing regular transparency reports that include information about local laws and regulations that govern requests for interception and access to user data.

In addition, we hope that more companies recognize the human rights implications of the way they operate around the world, and open up to independent, third-party assessment of how they are fulfilling their corporate commitments and responsibilities. This review should include assessment of the outcomes of their decision-making should a “major event” happen in any of the countries in which they operate.

Reminder: For telecom companies that are committed to protecting human rights, Access has developed the Telco Action Plan (TAP) [PDF]. It gives companies guidance for preventing and mitigating human rights infringement, such as by allowing independent, third-party assessments of “major events,” in the model of the Global Network Initiative’s auditing process.

If you are part of a company that is seeking guidance and assessment, Access and our partners are ready and willing to assist you. Please feel free to contact us.