Vodafone and the number game

Telecom operators have followed suit. After a number of internet service providers have set a standard of reporting on the frequency of government requests for communication data and intercepts-assistance, operators are now joining the trend. The most recent and to date most extensive report published by operator Vodafone on 6 June 2014 stands out. It illustrates how number games are far removed from real transparency about snoopy government agencies.

In its “Inaugural Law Enforcement Disclosure report,” Vodafone not only lists aggregate numbers of demands from law enforcement between 1 April 2013 and 31 March 2014 for 29 serviced countries. The report provides very useful insight in legal provisions in the different countries and how the operator deals with them. It also includes a wealthy annex detailing the different national laws the requests were based on. For reports from other operators see AT&T and Deutsche Telekom.

The highest single number of requests reported by Vodafone in the report are more than 600.000 requests for communication data by the Italian authorities. Links to the statistics of the German Regulatory Authority reveal a number of 42 million requests for customer related information (numbers, names) by law enforcement and security agencies. On the other hand from France, Vodafone reports that the company had not “implemented the technical requirements necessary to enable lawful interception and therefore had not receive any agency or authority demands for lawful intercept assistance”.

Not that France does not have surveillance statistics, see the reporting by the Commission Nationale de Contrôle des Interceptions de Sécurité, not cited by Vodafone's report.

Lack of standards for reporting

The variance among countries, Vodafone points out, is due to little coherence and consistency in law and agency and authority practices, even between neighbouring European Union member states. But what might be even more biased, is what goes into tapping statistics at all.

One problem is a lack of standard in reporting. It was for example clear, Vodafone wrote after comparing official statistics with transparency reports from other operators, namely Deutsche Telekom in Germany and an Australian Telecom company, and its own figures, that “certain categories of agency and authority demand have been omitted from local operators' publication either to comply with legal restrictions (for Australia) or for reasons not disclosed to us (in Germany)”.

Many countries do forbid the publication of statistics by operators, even in aggregate form, and only 9 out of 29 publish statistics of their own. What is more, where operators are requested to allow automatic access to their system and are obliged to grant direct access, agencies and authorities will have permanent access to customers and their communications.

Even where law enforcement legislation was seeking to balance individuals' privacy and public interest, those considerations had much less weight when national security was invoked for strategic intelligence. For the report Vodafone only listed lawful wiretap warrants and requests for communication data (so-called metadata). It warned about drawing conclusions for the comparisons of numbers of different countries listed. The potential for selective withholding of certain categories and agencies would act, Vodafone reasons, as a significant barrier to the kind of meaningful disclosure sought by the public.

Lack of external oversight

To get better transparency, not only reporting standards would have to be brushed up. In many cases legislation is unclear and vague with regard to obligations by providers and limitations for agencies or authorities.

The lack of effective oversight over the limitations of fundamental rights in a EU member state like the UK is striking. “The judiciary plays no role in the authorisation of interception warrants under RIPA (the UK Regulation of Investigatory Powers Act).” Oversight is left to the executive branch, who issues the warrants in the first place.

The “Investigatory Powers Tribunal, established under RIPA Section 65”, the only body that will hear complaints about misconduct of intelligence agencies MI5, MI6 and GCHQ is “not subject to appeal or questioning by any court in the UK”. The complaints Privacy International and other NGOs have filed with the Tribunal need to be brought to the European Courts when they want to appeal the decision.

How lack of oversight might result in creative interpretation of already far reaching laws by the executive branch was just illustrated by the Tribunal's hearing in the week of 16 June 2014. David Farr, Director General of the Office for Security and Counter-Terrorism, explained that Facebook, Google or Twitter communications of British citizens are considered as “external communication”.

Contrary to that Vodafone, in its transparency report, underlines that “(the regional internet registry) RIPE defined the term 'external communication' as a communication sent or received outside the British Islands (Section 20 of RIPA). The Interception of Communications Code of Practice (IOC COP) states that an external communication does not include communications both sent and received in the British Islands, even if they pass outside the British Islands (Paragraph 22 of the IOC COP).” The first of the announced updates to the report seems to be necessary here.

More transparency reports?

Other members of the Telecommunications Industry Dialogue on Freedom of Expression and Privacy did not make commitments so far with regard to transparency reports. A spokesperson by French operator Orange pointed to the reporting by CNCIS (Commission Nationale de Contrôle des Interceptions de Sécurité) and underlined the group would only reply to requests that have been first approved by that Commission. Industry Dialogue member Telefonica did not get back until press time.