Vodafone publishes law enforcement report for 29 countries, but can release numbers for only 2
© Flickr/cc-licence/Alex Barth
Vodafone Group today published its first Law Enforcement Disclosure report, which it claims is the first of its kind published anywhere in the world. It provides a highly detailed insight into the legal frameworks, governance principles and operating procedures associated with responding to demands for assistance from law enforcement and intelligence agencies across 29 countries.
The report covers all 29 operating businesses directly controlled by Vodafone (including its joint ventures in Australia, Kenya and Fiji), in which it has received a lawful demand for “assistance” from a law enforcement agency or government authority. It hasn’t included operational countries where no such demands were received, nor has it included countries where Vodafone does not own or control a licensed telco (such as where it only has a minority stake).
So, have we finally got details of lawful intercept requests for Egypt, India, South Africa, Turkey and (gasp) even the UK? No. Because any disclosure by Vodafone of details from these countries (and seven others) would be deemed unlawful. Yes, even from the UK.
And therein lies the real point of this report. It’s not that it purports to give full disclosure from its operations around the globe, it’s that it highlights the problems and inconsistencies in trying to do so.
In fact, if you take the 12 countries where it is unlawful for Vodafone to disclose information, then add the 6 countries where national governments publish the data instead (and often telcos are still prohibited from doing so themselves), plus the nine countries where no technical implementation has been put in place to enable intercepts, the you are left with just two – Spain and the Czech Republic (24,212 and 7,677 requests respectively).
The situation is a little better when it comes to the second category reported, that of ‘communications data’, or metadata. For example, call routing information, duration, etc. Unlike the ‘lawful interception’ category, this doesn’t involve the actual contents of calls and messages.
However, it is still possible to learn a great deal about an individual’s movements, interests and relationships from an analysis of metadata and other associated data. As Vodafone notes, “In many countries, agencies and authorities therefore have legal powers to order operators to disclose large volumes of this kind of communications data.”
Looking at the report, data is available for 13 of the 29 countries. These range from Belgium with just two requests, to Italy with a staggering 605,601 requests in the past twelve months to 31 March 2014.
Vodafone said it tried to create a single disclosure report covering 29 countries on a coherent basis, but it soon become clear that there is very little coherence and consistency in law and authority practice, even between neighbouring EU Member States. It warns of attempts to draw any meaningful conclusions from a comparison of one country’s statistical information with that disclosed for another.
Despite the scarcity of hard data – through no fault of Vodafone, indeed, it should be commended for producing this report (and making it available under a Creative Commons licence) – there’s plenty to read. The telco provides a detailed overview of the legal, governance and operational factors underpinning law enforcement and intelligence agency access to customers' private data; as well as a legal annexe summarising the most relevant legislation governing agency and authority access to customer data, which has not previously been published by any operator.
“Our customers have a right to privacy which is enshrined in international human rights law and standards and enacted through national laws,” Vodafone says in its report. “Respecting that right is one of our highest priorities: it is integral to the Vodafone Code of Conduct which everyone who works for us has to follow at all times.”
However, it has to abide by the laws of those countries in which it operates, and if a government prevents disclosure of information then there is not much it can do about it. Except, of course, to raise the issue publically.
In Vodafone’s opinion, “it is governments – not communications operators – who hold the primary duty to provide greater transparency on the number of agency and authority demands issued to operators.” Therefore, it’s not the duty of telcos to publish this data, it should be a requirement of governments.
No individual operator can provide a full picture of the extent of agency and authority demands across the country as a whole, nor will an operator understand the context of the investigations generating those demands. Also, different operators are likely to have widely differing approaches to recording and reporting the same statistical information.
The full report is available from Vodafone.