Vodafone reports on law enforcement access to user data, worldwide

Vodafone, the largest international mobile provider in the world, released today the most detailed transparency report ever, identifying the surveillance laws and policies that apply in the 29 countries in which it operates as well as statistics on the number of requests is receives. In addition to pulling back the curtain on the context in which telcos operate, the company also called for an end to unfettered government access to its networks, which it is required to provide in several countries.

Access has long called on Vodafone to address its human rights impacts, appearing multiple times at its annual shareholder meetings. In 2012, the Access community petitioned Vodafone to release a “transparency report,” a petition which shareholder Louise Rouse of ShareAction delivered directly to the company’s board (Access is a member of ShareAction). Vodafone has responded with a more than 40,000-word “Law Enforcement Disclosure Report,” deeply considering its role in the surveillance practices of a diverse set of governments. The first annual look at the state of surveillance on its networks, it reflects Vodafone’s commitment to transparency and accountability for its human rights impacts. While some gaps in reporting remain, due to legal barriers as well as corporate choices, today’s report adds to the picture of how user privacy is (and is not) respected online — and outlines the path to greater protections on the ground.

Unfettered access

Many governments require, by law and in telecom licenses, the ability to tap directly into networks to intercept communications. As the Guardian reported, currently “in about six of the countries in which Vodafone operates, the law either obliges telecoms operators to install direct access pipes, or allows governments to do so.”

Hinting at this capability, the company notes that in Albania, Qatar, the UK, Ireland, and Hungary, the government could possibly access its networks without the operator’s control or oversight.

Many countries are shown to have complicated and opaque laws on surveillance. India requires telcos “to take all steps and provide all facilities to enable the government to carry out interception of communications,” but “there is no judicial oversight over the interception process.”

In the UK, at least two different provisions could possibly provide direct access. Section 5 of the Intelligence Services Act gives power “broad enough to permit government direct access to Vodafone’s network.” Meanwhile, Section 11 of the Regulation of Investigatory Powers Act (RIPA) allows for law enforcement or intelligence officials to enforce a warrant “without the provision of any assistance,” or even notification to the service providers. Vodafone’s report did not mention the Tempora mass surveillance program, in which Vodafone, BT, and other providers have been named as participants, aiding the UK’s GCHQ intelligence agency to vacuum data off their fiber-optic cables. Indeed, the report does not appear to detail any national security-related requests.

Access asserts that unfettered access to telecom networks facilitates indiscriminate, unnecessary, and disproportionate violations of privacy, and also offends the rule of law and due process. This kind of surveillance is inherently disproportionate and unnecessary, and operates without oversight or accountability. Yet, telecoms are some of the world’s largest corporations and there is strength and safety in numbers; together, the telcos of the world should rally around Vodafone’s call to end this practice.

New policies and positions

Vodafone also used the first section of the report to expand on its own policies and positions, articulating several strong policies respecting human rights. Specifically, the company: takes a firm stand against blocking social networks and messaging platforms; shows why communications metadata needs more protection under law; establishes strong principles for government transparency reports; explains often opaque ‘lawful intercept’ standards and processes, from ETSI to the local level; and links to all Vodafone policies on assisting governments.

Helpful information, despite barriers

In our advocacy with Vodafone, one of the key things we’ve asked for is that, where corporate disclosure is prohibited, the company identify the underlying law or policy that poses the barrier to transparency. In its report, Vodafone identified at least 13 countries where there are legal limits to disclosure: Albania, Egypt, Germany, Ghana, Hungary, Kenya, India, the Netherlands, Qatar, Romania, South Africa, Turkey, and the United Kingdom.

The company also gives statistics on government requests in 14 countries — many never before reported on — for the period from Apr. 1, 2013 through March 31, 2014. For instance, Vodafone tallied requests for stored communications data in Albania (5,778), Tanzania (98,765), Malta (3,773), and Hungary (75,938).

Comparing raw statistics from different countries can be frustrating, though, because countries have:

• differing legal systems and forms of legal process;

• variations in populations and Vodafone subscriber bases; and

• alternative methods of capturing user data, like direct police access to networks, which would not be counted.

Vodafone and its legal team at Hogan Lovells reached out to many governments to determine whether it could legally disclose the data. Irish authorities simply barred the company from disclosing its requests for stored data, even though Ireland lacks any laws prohibiting disclosure. In several countries, including Mozambique, Kenya, and Egypt, the company thought it would put staff at too great a risk to even ask whether disclosures are legal.

Personnel with conflicting roles

Remarkably, Vodafone revealed that some employees may not even be able to follow the company’s Code of Conduct, due to their conflicting responsibilities. Certain Vodafone personnel with State security clearances carry out surveillance behind locked doors, activities that they are not legally allowed to share with other employees. This leaves the company in the dark as to how its own networks could be abused, preventing the company from meeting its human rights responsibilities and opening it to all types of legal, reputational, and other risks.

Areas to improve transparency reports

Vodafone chose not to release data where governments already disclose it. Access believes that governments should release their own transparency reports, but this does not and should not supplant the corporate responsibility to be transparent. Corporate and government reporting would provide two-way accountability, and a ‘check and balance’ on the data. Additionally, government reports should break down the data by provider, giving users a chance to compare them.

Future reports should show compliance rates on requests, and reasons for denial. They also should include numbers on requests for content removal, blocking, and filtering. The reports could further help explain laws and policies restricting/permitting notification of users of government requests for their data.

More reports, better numbers

Vodafone maintains that it will work with other operators “to develop a consistent cross-industry recording and reporting methodology.” This local collaboration, involving stakeholders from civil society as well as government, is crucial to transforming today’s disclosures into greater protections and transparency for users worldwide.

Indeed, as the current Chair of the Telecommunications Industry Dialogue — a group of nine major telcos that have come together to jointly address freedom of expression and privacy risks — Vodafone has a golden opportunity to convince its peer companies to issue their own reports, ideally using a similar methodology. Already, Deutsche Telekom, a competitor of Vodafone’s in Germany, has signalled its intent to “publish something similar to Vodafone.”

While we are concerned about the threats to human rights that the company has revealed, Access applauds Vodafone on its progress today, and stands ready to work alongside the company to achieve the goal of sector-wide transparency, accountability, and respect for human rights.