Vodafone privacy report reveals state access to its networks

The world’s second largest mobile phone group, Vodafone, has revealed the existence of secret permanent access to its networks from government agencies in at least six of the 29 countries in which it operates. Vodafone did not name the countries, citing fear that governments could revoke licenses to operate and in some cases pursue legal action against Vodafone employees.

The “Law Enforcement Disclosure report” has an 88-page appendix detailing law enforcement measures in each of the 29 countries. It says that five—Albania, Egypt, Hungary, Ireland and Qatar—have provisions that allow authorities to demand unfettered access. Other countries, such as the United Kingdom, while not publishing provisions regarding unfettered access, have provisions to prevent such measures from ever becoming known.

The report on the UK states: “Section 19 of the Regulation of Investigatory Powers Act 2000 prohibits disclosing the existence of any lawful interception warrant and the existence of any requirement to provide assistance in relation to a warrant. This duty of secrecy extends to all matters relating to warranted lawful interception. Data relating to lawful interception warrants cannot be published. Accordingly, to publish aggregate statistics would be to disclose the existence of one or more lawful interception warrants.”

A number of countries, including Malta, Romania and Turkey, have similar provisions. In India and South Africa it is unlawful to publish aggregate statistics, and in Ireland permission to publish was refused. The report states, “While local laws do not expressly prohibit disclosure” in Ireland, “we asked the authorities for guidance and have been informed that we cannot disclose the information.”

Given the secrecy surrounding these programs, any published figures are inherently unreliable. In cases where Vodafone is prohibited by law from publishing the number of requests for access, the report cites government published figures. For the UK the published figures are 514,608 requests for national metadata and 2,760 requests for content.

The Vodafone document is yet another confirmation of the massive global spy network and data mining operation revealed one year ago by NSA whistleblower Edward Snowden. Since the Snowden revelations, telecommunications companies have been increasingly criticized for their collaboration with security forces. The Snowden leaks revealed that AT&T and others were turning over call records to the NSA for use in its mass surveillance programs. Even before the Snowden revelations in 2006, it was revealed that AT&T was forwarding global Internet traffic directly to the US government. Retired AT&T technician Mark Klein leaked knowledge of the company’s collaboration with the NSA in installing network hardware to monitor, capture and process American telecommunications.

The disclosure from Vodafone is the most extensive made by a global communications provider and the first to provide a breakdown of legal powers on a country-by-country basis. Vodafone is second only to China Mobile, with more than 400 million customers in countries from Australia to the UK. Vodafone exited the US market this year after selling its stake in Verizon Wireless to Verizon Communications Inc. for $130 billion. Verizon and AT&T in the US have themselves published transparency reports in the wake of revelations by Snowden. Verizon listed 320,000 requests in the US in 2013 and several thousand collectively in 11 other countries. AT&T listed 300,000 requests.

The report states that in every country in which Vodafone operates there are laws “which require us to disclose information about our customers to law enforcement agencies or other government authorities, or to block or restrict access to certain services.” The company states, “Refusal to comply with these laws is not an option.” Citing technical difficulties in gathering the metrics, Vodafone states, “We have not included statistical data on the number of orders received to block or restrict access to content or services.”

Stating that, “All governments have incorporated national security exceptions into national legislation to give legal powers to agencies and authorities,” the authors comment that while some have contained those powers, “others have created much wider-ranging powers with substantially greater human rights impacts.” The report says that, “agencies and authorities have the scope to apply advanced analytics techniques to every aspect of an individual’s communications, movement, interests and associations— to the extent that such activity is lawful—yielding a depth of real-time insights into private lives unimaginable two decades ago.”

Referring to “tensions” between an individual’s right to privacy and the “duty of the state to ensure public safety,” the report notes, “Those tensions have been heightened as a consequence of the allegations made by the former US National Security Agency (NSA) contractor Edward Snowden.”

The report concludes that media reports of widespread government surveillance and data harvesting by the intelligence agencies have “triggered a significant public debate about the transparency, proportionality and legitimacy—and even lawfulness—of the alleged activities of a number of high-profile agencies,” adding that, “Questions have also been asked about the role of communications operators such as Vodafone in support of those activities.”