On 6 June 2014 Vodafone released its first Transparency Report on the requests it receives from governments and law enforcement for user data. While other telecommunications companies have started to release domestic transparency data, this is the first time a global player is releasing a global data set, with transparency data from 29 countries where Vodafone has extensive operations and customer base.
What may be the most alarming piece of the report is that in as many as six countries, authorities have direct access to Vodafone's network, which allows governments to monitor communications directly without having to go to the company for the data of their customers. This type of unfettered access permits uncontrolled mass surveillance of Vodafone's customers and anyone in contact with them.
In 2013 Privacy International submitted a complaint to the OECD to investigate this exact type of mass surveillance, and the role that telecommunication companies play in the practices revealed today in Vodafone's report. Given the information contained within the report released today, the OECD UK National Contact Point must accept our complaint and encourage other telecommunications companies to engage with the process to push back against mass surveillance.
The importance of transparency
This time last year Edward Snowden took the incredibly brave step to make surveillance transparent. Transparency is essential for us to have an open debate about our privacy, and the boundaries and safeguards that define us as humans. It is critical to know how states, domestic and foreign, govern their incredible powers to interfere with our private lives.
Other companies, particularly internet companies, have released datasets before on government requests. Vodafone's Transparency Report is remarkable in its depth, releasing 140 pages of information. Unlike other transparency reports, Vodafone performs a public service by outlining the legal landscape, to the best of their understanding, in each of their markets, under a creative commons licence.
While it does the more traditional 'transparency reporting', Vodafone also correctly notes that the mere release of numbers is insufficient. Each government permits different levels of reporting on the monitoring of communications, and some not at all.
But in some cases, Vodafone wouldn't even know when authorities were accessing customer data. The report makes clear that there are demands upon companies to provide direct access to the local government. Vodafone reports that they cannot discuss the nature of these demands, saying 'it is unlawful even to reveal that such systems and processes exist at all'.
In at least six countries, though, this level of access to Vodafone's centres is on-going.
"However, in a small number of countries the law dictates that specific agencies and authorities must have direct access to an operator's network, bypassing any form of operational control over lawful interception on the part of the operator. In those countries, Vodafone will not receive any form of demand for lawful interception access as the relevant agencies and authorities already have permanent access to customer communications via their own direct link."
This is mass surveillance at its most severe, where government places demands against telcos for broad access to the data flowing through their wires, operating in secrecy, under unclear legal bases, without any accountability.
Companies must fight back
As recently reported by The Register, such a situation is precisely what exists in the UK - GCHQ pays telecommunications companies, including Vodafone, tens of millions of pounds to install and maintain the optical fibre taps that directly feed data into the UK's mass surveillance system, TEMPORA. Vodafone now shows us that this type of access occurs elsewhere too, and other telcos are quietly abiding by these laws and practices.
Companies must be held to account and their secret agreements with governments regarding the monitoring of communications data must be made public. We urge the OECD National Contact Point to immediately investigate what steps, if any, companies are taking to defend the human rights of their customers.
The lack of transparency when it comes to surveillance is unacceptable in a democratic society -- whether it's governments refusing to comment on their activities, parliamentary committees with privileged access and limited powers to open debate, secret courts interpreting the law, or companies being gagged from talking about demands to their customer's data.
In the past month, however, there have been some interesting recent attempts to bring more light to this darkness.
- Last month Microsoft challenged a National Security Letter it had received from the FBI ordering the disclosure of data regarding an enterprise customer. And they won.
- Last month we won a case at the UK Administrative Court - the Court declared that Her Majesty’s Revenue and Customs (HMRC) acted unlawfully and "irrationally" in issuing blanket refusals into the status of any investigation into the potentially illegal export of the spyware FinFisher to repressive regimes by UK-based Gamma International. This ruling marks a significant turning point in our long-running campaign to bring more transparency and accountability to the surveillance industry.
- Earlier this week Google added a component to its Transparency Report, Safer Email. This identifies the firms that support encryption in transit, i.e. other servers that interact with Google's mail servers using transport layer security.
- And this week two service providers in Canada released Transparency Reports, at long last breaking Canadian industry's silence regarding surveillance.
Companies have to do more. Transparency reports that disclose numbers of requests are helpful. Reports that clarify the broad types of access and their legal bases are an improvement. Building more secure platforms and infrastructure helps. Taking legal action to push back against surveillance requests is promising.
But we want companies to demand a clear legal basis that abides by international human rights principles. And as Trevor Timm put it so well, if companies really demanded it (and used their vast political capabilities), the chances of surveillance law reform would increase dramatically.
The usefulness of transparency reports hinges on governments abiding by the rule of law. We now know that these reports only provide a limited picture of what is going on. It is ridiculous that a year after the first Snowden leaks, governments continue to impoverish our much-needed democratic debate. It is also incredible that governments think that they may craft laws to provide for mass surveillance. And it is insulting that not a single law has changed after a yearlong global debate about surveillance.
We have learned from Mr. Snowden that governments see us not as people, but as objects to be monitored, tracked, and profiled. There is so much more to do.