In the U.S., where Verizon has more than 100 million customers, the company continues to receive tens of thousands of government requests for user data every month, according to its latest transparency report.
Yet even in foreign jurisdictions, Verizon gets asked for the data it holds. Verizon’s latest transparency report reinforces revelations that governments worldwide make hundreds of requests for user data each month from foreign telecoms, even in countries where those companies do not offer retail customer services.
Like Vodafone, the U.K.-based telecom giant that released a detailed report last month on law enforcement requests and access, Verizon reports that it is barred from reporting the different types of requests it receives from various jurisdictions. But unlike Vodafone, Verizon does not reveal any information on whether governments enjoy direct access to its networks.
Access welcomes Verizon’s continued reporting on government requests, and we reiterate our call for all telcos to release regular data on the scope and scale of surveillance on their networks.
Restrictions on reporting
Owing to the settlement that internet firms Facebook, Microsoft, Apple, Google, LinkedIn, and Yahoo made with the Department of Justice earlier this year, Verizon cannot report the number of orders it received from the Foreign Intelligence Surveillance Court over the past six months, or how many customer selectors — pieces of information, such as telephone numbers or IP addresses, that can identify customers — those orders sought information on.
Verizon was one of the first companies named in Edward Snowden’s disclosures last year, when The Guardian revealed a request from the NSA for all the company’s telephone metadata in the U.S. These orders are still under wraps, Verizon says, “as any orders we may have received related to the bulk collection of non-content information, remains prohibited.”
Like Vodafone, Verizon reports that Australia prohibits reporting on the number of warrants from law enforcement for interceptions or stored communications. Also like Vodafone, Verizon states it is not allowed to disclose any requests it receives from India. India additionally prohibits Verizon from revealing “the specific number of websites that we were asked to block by the Government of India.” Verizon should be allowed to communicate to all users the extent of government intrusion into privacy and free expression online by releasing unrestricted statistics and information on laws and its policies through its regular transparency reports.
The French and German governments lead the way in requesting subscriber and transactional data. France requested subscriber data on 745 customer selectors in the last 6 months. Germany requested transactional data on 669 customer selectors, and also asked for nearly 1000 lawful intercepts, or real-time tapping of customer communications, during that period.
Germany is the only European country that requested intercepts from Verizon (though other countries may enjoy direct access to Verizon networks, and don’t need to request intercepts). Verizon lost its contract with the German government recently over concerns of NSA surveillance, though these relatively high numbers show German authorities rely on the company for intelligence services.
Helpfully, Verizon provides details about a Dutch database it is forced to supply with user data. “In the Netherlands the Central Information Point for Telecommunications (CIOT in Dutch) program run by the Ministry of Justice requires telecom providers to store all subscriber data (name, address, service provided, name of provider, telephone numbers, IP-addresses, and email-addresses) in a central database that is accessible to Dutch law enforcement.” Verizon does not report how often this database is accessed by the Dutch government.
Access opposes any data retention mandates under law. Forced retention turns all citizens into suspects, creating chilling effects on expression, and circumvents due process standards. The massive databases are at risk of breach and unlawful transfer of data. Mandatory retention also forces companies to contribute to mass surveillance in violation of international human rights norms. When governments enjoy direct access to the databases, users lose the opportunity for third-party transparency (like Verizon’s report) to reveal how often that data is accessed.
These numbers are not trivial; in Colombia, Verizon blocked access to 1,324 websites in the first six months of 2014 alone. The company previously blamed this high rate on requests to block child pornography websites. Instead of blocking access to websites, Access believes the government should focus on punishing the creators and viewers of the unlawful material, and help to form a strong international coalition and improve national legal infrastructure to actually remove these unlawful sites.
Verizon breaks “metadata” into two categories: “subscriber information (typically requiring that we provide the name and address of a customer assigned a given phone number or IP address) and transactional information (billing data or numbers called).” This innovative reporting method should be adopted by other telcos, and further shows why governments should extend greater legal protection to non-content data, which provides an array of sensitive information about users.
Verizon also made good on its promise to report compliance rates in the U.S., which did not make it into previous reports. Verizon rejects about three percent of subpoenas received, and about 4.5 percent of orders and warrants, a fairly high percentage.
Access welcomes Verizon’s continued reporting on government requests. We would like to see future reports accompanied by a clear statement regarding whether Verizon has also engaged in any voluntary agreements to provide authorities with data or access to its networks, beyond the legal requests. In addition, linking to Verizon’s policies on user notification may contribute to greater awareness of whose data is being requested and how the company provides access to remedy.
Finally, we reiterate our call for all telcos to release regular data on the scope and scale of surveillance on their networks.