Telcos handle more data about our private lives each day. To connect with our families, friends, and professional contacts, we have little choice but to trust that our data, including our contacts, text messages, location information, and more, is safe in the hands of telcos.
So when we read horror stories like the revelation that an employee of Vodafone Hutchison Australia breached a customer’s text messages and other data — and that the customer happened to be a journalist who had just written a story critical of Vodafone security — we recoil. Not surprisingly, the breach victim, journalist Natalie O’Brien, was devastated by the “creepy” incident.
The facts are largely undisputed: Vodafone employees accessed journalist O’Brien’s call and text records in 2011 after she authored news reports about the company’s Siebel security system. According to a leaked email, Vodafone managers asked employees to use “any means available” to uncover the source of O’Brien’s information, who was presumably a whistleblowing employee within the company. Vodafone executives knew about the breach as early as June 2012, and saw the “huge risk” to the company’s reputation if the story leaked. Vodafone commissioned an investigation by a top accounting firm, the results of which it refuses to release, while denying any “improper behavior.” However, after public pressure on the company intensified this week, Vodafone reversed course and has asked federal police to investigate.
Journalists are under threat. Censored, harassed, and jailed, journalists often stand alongside human rights defenders on the receiving end of digital and physical attacks in retaliation for their work. While countries with poor human rights records like Sudan and Turkey are often the first to come to mind when we think about attacks on the media, this incident shows that countries like Australia can also fail to protect the rights of the press. Intimidation like this not only restricts the journalist’s rights, it also infringes on the public’s right to access information, part of the freedom of expression.
Telcos help us connect with one another, but they can also facilitate government surveillance and censorship. This incident, along with the mobile tracking that Access exposed in our recent report, shows that regulators, advocates, and the public must continue pressing for the sector to meet its responsibilities to respect human rights and remedy abuses it causes or contributes to.
After speaking with our civil society partners in Australia, Access now believes that the 2011 breach should be fully reviewed by the Australian Communications and Media Authority (ACMA) and the Privacy Commissioner (OAIC). These two regulators have a memorandum of understanding and are meant to liaise on these issues. Vodafone’s actions constitute a breach of the Privacy Act and Part 13 of the Telco Act.
Legislators, too, must consider how easy it is for data retained by telcos to be accessed by their employees. Australia’s new data retention regime requires that companies retain two years of data. Data retention is not only antithetical to human rights but also harmful to good data security practices. Companies should not be forced to keep sensitive personal information any longer than is necessary in the course of business. To require otherwise is to create additional attack surfaces for criminals and other bad actors to exploit.
For its part, Vodafone must fully cooperate with investigators, release the independent report it commissioned, publicly explain what actions the company took after it became aware of the breach, and promise non-repetition. The company should strive to implement encryption, including end-to-end encryption, which would prevent employees from being able to access user data like this in the future.
Vodafone is a leader in transparency, and has made human rights commitments far beyond what most telcos promise. Its response to this incident to date fails to uphold these commitments, and it must urgently act to remedy the abuse.