Vodafone Publishes Highly Detailed Report Into State Surveillance Requests

Carrier Vodafone has published a report detailing the surveillance demands that were made on its users by government agencies and authorities in 29 of the different countries around the world in which it operates. The report covers the period 1 April 2013 and 31 March 2014.

The first of what will likely be an annual report hereafter, called the Law Enforcement Disclosure Report, was published this morning. In it Vodafone publishes a per-country breakdown of lawful intercept requests, and comms data requests.

In this breakdown it either lists whether, in the case of the UK for example, it cannot legally disclose “lawful interception or access to communications data”; or whether it does not yet have a technical capability to “enable lawful interception” (as is the case in Tanzania, apparently).

Or else the carrier discloses the volume of intercept and data access requests it received over the period — as in the case of Spain where it apparently had 24,212 lawful intercept demands and 48,679 comms data demands.

The latter category refers largely to comms metadata, according to Vodafone, but can also include “demands for other types of customer data such as name, physical address and services subscribed”.

While “lawful interception” refers to what in previous tech times was known as wiretapping — i.e. when the technology involved required agents to connect recording equipment to a suspect’s telephone line. The advance of technology means wiretaps have become intercepts which require carriers to — in Vodafone’s words —

…implement capabilities in their networks to ensure they can deliver, in real time, the actual content of the communications (for example, what is being said in a phone call, or the text and attachments within an email) plus any associated data to the monitoring centre operated by an agency or authority.

So, basically, to provide agencies with the ability to eavesdrop on any call on their network, as well as access SMS or other data on request.

The report adds:

Lawful interception is one of the most intrusive forms of law enforcement assistance, and in a number of countries agencies and authorities must obtain a specific lawful interception warrant in order to demand assistance from an operator. In some countries and under specific circumstances, agencies and authorities may also invoke broader powers when seeking to intercept communications received from or sent to a destination outside the country in question. A number of governments have legal powers to order an operator to enable lawful interception of communications that leave or enter a country without targeting a specific individual or set of premises.

Vodafone claims it is the first carrier to compile and publish such a detailed overview of surveillance requests — albeit, it does not use the loaded term ‘surveillance’, but rather describes these as “demands for assistance from law enforcement and intelligence agencies”.

It’s certainly an interesting move, and one which looks aimed at piling more pressure on governments around the world to be more transparent about their data harvesting practices.

One reason why Vodafone is willing to invest the time and effort to pull together a report as extensively detailed as this, is that its acquisition of Cable & Wireless, back in 2012, means it owns some 425,000km of undersea communications cables. In its 2014 annual report it describes itself as “one of the world’s largest investors in submarine cables that reach more than 100 countries”.

That submarine cable network gives Vodafone more of a stake in the ongoing debate around overreaching state surveillance on digital communications — given that what might be termed ‘unlawful intercepts’ may well be achieved by agencies tapping directly into undersea cables, i.e. rather than going the lawful route and obtaining a warrant to request an intercept.

Vodafone’s report does not make direct reference to its undersea cable network but does call for, among other things, that governments should —

  • enhance accountability by informing those served with demands of the identity of the relevant official who authorised a demand and by providing a rapid and effective legal mechanism for operators and other companies to challenge an unlawful or disproportionate demand;
    • amend legislation which enables agencies and authorities to access an operator’s communications infrastructure without the knowledge and direct control of the operator, and take steps to discourage agencies and authorities from seeking direct access to an operator’s communications infrastructure without a lawful mandate;

Vodafone is clearly advocating for greater transparency on how states collect data from telcos, and the processes involved in the data harvesting — noting the difficulties it has in obtaining  a full picture of agency data demands, let alone understanding those requests in context.

“In our view, it is governments – not communications operators – who hold the primary duty to provide greater transparency on the number of agency and authority demands issued to operators,” Vodafone writes in the report.

“No individual operator can provide a full picture of the extent of agency and authority demands across the country as a whole, nor will an operator understand the context of the investigations generating those demands. It is important to capture and disclose demands issued to all operators.”

Speaking to The Guardian, Vodafone’s group privacy officer, Stephen Deadman, also made explicit reference to a “direct access” intercept model by which states are gaining warrantless access to telco’s data.

“These pipes exist, the direct access model exists,” he said. “We are making a call to end direct access as a means of government agencies obtaining people’s communication data. Without an official warrant, there is no external visibility.

“If we receive a demand we can push back against the agency. The fact that a government has to issue a piece of paper is an important constraint on how powers are used.”

The report goes on to reveal that local Vodafone employees are required to have security clearance to deal with government agency intercept and requests — which Vodafone notes limits its ability to understand the extent of these requests, and ensure they comply with its privacy commitments to users.

The report notes:

…only local Vodafone employees with a high level of government security clearance will ever be made aware of specific lawful demands issued by agencies and authorities, and even then they will not typically be made aware of the context of any demand.

Elsewhere, it also points out that “several countries” have empowered their agencies to “require the disclosure of the encryption ‘keys’ needed to decrypt data” — adding that: “Non-compliance is a criminal offence”, to flag up the ‘rock and hard place’ telcos are being squeezed into by state surveillance demands.

It will be interesting to see whether other carriers follow Vodafone’s lead and compile their own intercept and comms data disclosure reports. However those that don’t own submarine cable infrastructure may see less of a reason to expend so much effort lobbying for greater government transparency about surveillance agency processes.

It should be noted that some governments do publish details on the volume of comms data they are collecting themselves. In the UK, for instance, the Interception Commissioner publishes an annual report.

However the Vodafone report still stands out for the level of detail it goes into, because it’s a compilation of all the requests one carrier is receiving across its operational footprint, and because in making a big public fanfare of disclosing the data Vodafone is lobbying for change.

[Image by Chris Waits via Flickr]