Telcos find backbone, deny Guinea’s request for users’ data

In contrast to U.S. telcos, African operators push back on rights-violating demands

Three telecommunications companies in the west African nation of Guinea Conakry (formerly French Guinea) just said “no” to demands that they hand over all subscriber and call data.

On January 6th, Guinea’s post and telecommunications regulator, the Autorité de Régulation des Postes et Télécommunications (ARPT), told the companies that it intends to set up a central control center for all voice and data traffic, in order to quantify the volume of calls, tax the telcos, and certify their revenue. The demand, signed by the Director General, says that to create this center, the ARPT needs the telcos to hand over all call detail records and subscriber data for the month of December.

Call detail records show the date, time, duration, sender and receiver, and even location, among other data points, of phone calls and SMS. You may recall that the U.S. government collected millions of call detail records from telcos in its now-shuttered program of mass surveillance under Section 215 of the USA PATRIOT Act. For its part, the U.K. is considering surveillance laws that could have the same impact that the U.S. program did, requiring bulk data retention of all personal data and enabling bulk interception.

Unlike U.S. telcos under PATRIOT, three of Guinea’s biggest operators — Orange Guinee, MTN Guinee, and Cellcom Guinee — jointly pushed back on the request. In a letter on January 19th, they told the government that its request suffered from a “total absence of legal basis,” and violates privacy protections in the Guinean Constitution and the Universal Declaration of Human Rights. Creating the control center would exceed the scope of the Guinean telecoms law, the telcos said.

The request also infringes the African Union Convention on Cyber Security and Personal Data Protection, including Article 13, which mandates that data collection be “not excessive in relation to the purposes for which they are collected and further processed.” It is not necessary for authorities to have access to all call data in order to calculate tax records.

The regulator invited the companies to a meeting on January 21st, which according to our sources did not go well. Representatives of the ARPT stated that they intend to set up the control center with or without the telcos’ assistance. This unilateral demand runs contrary to the approach the government has committed to in many processes, such as its multi-stakeholder approach to internet governance, including the 2005 African Information and Communication Technologies (ICT) Ministers Common Position on Internet Governance.

Additionally, the government has threatened to fine the companies about $640. It’s not clear whether the fine is per day of non-compliance, or per user, in which case the final sum would be much higher. Since MTN Nigeria is currently in court fighting a fine of nearly $4 billion USD, we’re concerned that conservative telecom regulators are learning from one another, levying fines in an effort to restrict expression and control the explosive popularity of mobile communications.

Pushback – a corporate duty across the globe

The right to privacy, established under international and domestic law, prevents unnecessary and disproportionate invasions of privacy. The right also protects vulnerable groups from the chilling effects and possible retaliation that they may face for voicing unpopular opinions, or associating with oppressed or dissident groups. We are glad to see telcos standing up to the Guinean government’s request, which would violate human rights by arbitrarily and unlawfully infringing the privacy of all Guinean mobile phone users.

Under the U.N. Guiding Principles on Business & Human Rights, corporations have a duty to avoid contributing to potential adverse human rights impacts in their operations. Courts increasingly recognize that this duty obligates companies to stand up for their customers’ rights, a norm that is becoming customary international law.

When asked to help governments violate human rights, telcos — and other tech and telecom companies — have many “pushback” tools at their disposal. The Access Now Telco Action Plan has guidance for preventing and mitigating involvement in human rights abuses. We are happy to say that in this case, the telcos in Guinea followed many of our recommendations:

  • insisting government requests are consistent with international human rights law and standards, and rejecting those that fall short;
  • transparently reaching out to civil society and other external stakeholders to raise alerts about possible rights restrictions;
  • contacting peer companies in the region to engage in dialogue and advocacy as needed; and
  • documenting and publishing responses to government requests.

We support these telcos as they continue to push back and stand up for user privacy, and request that they transparently use all legal, diplomatic, and business tools at their disposal.

We also call on the Guinean government to withdraw its request for user data, and to strictly scrutinize its plan to create a central control center, for consistency with domestic and international law and norms, including the African Declaration on Internet Rights and Freedoms.

Centralized databases or choke points for telecommunications data increase the risks of breach and misuse of sensitive user data, and put all users at risk of unlawful surveillance, especially when governments obtain direct access to telco networks and data. Whether or not the central control center is legal under Guinean law, we guarantee it will not encourage innovation or the free flow of information in the country.

Whether in Guinea, the U.S., or the U.K., governments do not have the right to demand blanket handover of user data, and it’s in everyone’s interest — from telcos to human rights defenders — to push back the way Orange, MTN, and Cellcom have done.