Vodafone discloses national privacy variations

As part of its bid to increase transparency about the terms under which it operates in different countries, Vodafone has published the overarching processes and policies in place regarding lawful interception of communications data required by domestic authorities on a country by country basis.

It describes the nature of the local legal regime governing law enforcement assistance, an indication of the volume of each country's agency and authority demands, wherever that information is available and whether publication is prohibited or not using data gathered by the local licensed telecommunications operator (Vodafone subsidiary) - see samples at foot of page and summaries here.

Vodafone reports that it has proven very difficult to persuade governments, agencies and operators to pursue a more consistent and meaningful approach to statistical recording and public disclosure to improve overall transparency. Only local Vodafone employees with a high level of government security clearance are ever be made aware of specific lawful demands issued by agencies and authorities and even then will not typically be made aware of the context of any demand.

The statistics for communications data demands are overwhelmingly related to communications metadata, but also include demands for other types of customer data such as name, physical address and services subscribed, and in some countries a single demand can cover several different types of data.

New information in the latest report covers network blocking and censorship, including the:

·         shut down of network or communication services;

·         blocking of access to URLs and domains; and

·         powers enabling agencies and authorities to take control of a telecommunications network.

Some governments responded to requests for guidance and their views are summarised in the relevant country section of the report. In countries experiencing political tension, even innocuous questions related to national security and criminal investigation matters were seen as putting Vodafone employees at risk of harassment or criminal sanction and so not pursued.

Given the very wide variations between legal frameworks, recording methodologies and reporting regimes, comparison of statistics provided by the countries themselves does not enable meaningful comparisons.  In addition, Vodafone's own statistical information is not published where:

The law prohibits disclosure of the aggregate demand information held by Vodafone .

In some countries, there is no legal provision or technical implementation.

The law on disclosure is unclear and no guidance available.

Local laws do not expressly prohibit disclosure, but the authorities have told Vodaphone directly that it cannot disclose this information.

Government/other public body publishes statistical information for certain types of demand issued to all operators in that country.

Looking at some sample countries, the report summaries below note how say Albania does not allow any disclosure of lawful interception, Australia publishes its own statistics, while Ghana has no technical implementation and it has not proven possible to get guidance.  

Albania

Type of demand

 

Lawful Interception

Communications Data

Statistics

Vodafone disclosure unlawful (1)

5,695 (2)

Key note (1)

It is unlawful to disclose any aspect of how lawful interception is conducted.

Key note (2)

Prior to the 2014 report, the legal position was unclear regarding whether or not it would be lawful for Vodafone to disclose statistics related to agency and authority communications data demands. We asked the authorities for guidance and were informed that we could disclose this information in the 2014 report. There has been no change to the guidance since that report: we have therefore updated this statistic with the latest information we hold for our own local operating business.

For a summary of the most important legal powers relating to law enforcement demands on a country-by-country basis, see our Law enforcement legal powers country-by-country annexe (pdf, 2.59 MB).

Australia

Type of demand

 

Lawful Interception

Communications Data

Statistics

Government/other public body publishes (1)
Further action to follow (2)

Government/other public body publishes (1)
Further action to follow (2)

Key note (1)

The Australian Communications and Media Authority and the Australian Attorney General's Department publish statistical information related to lawful interception and communications data demands issued by agencies and authorities.

Key note (2)

The Australian government has legislated for a communications data storage regime to be implemented from October 2015. Telecommunications operators will be required to retain the proscribed information for two years. The period of time stipulated for the storage of communications data is at the upper bounds of the requirements implemented or proposed in other jurisdictions. However, the legislation establishes a range of assurance measures – including oversight by the Commonwealth Ombudsman – and there will be a reduction in the number of agencies permitted to issue demands for access to that information.

During the consultation phase of the communications data storage legislative process, we engaged with the Attorney General and made submissions to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) regarding the reporting regime for the recording and disclosure of statistics related to law enforcement demands.

The Australian government has now accepted the PJCIS recommendation that the Telecommunications (Interception and Access) Amendment (Data Retention) Act should require the Attorney General to provide a public report on an annual basis stating the number of law enforcement demands for access to communications data together with the age of the data sought.

We believe this would represent an important enhancement to transparency and welcome the government's decision to adopt the PJCIS recommendation. Discussions regarding further refinements to the reporting regime – including a common approach to industry disclosure – are ongoing. We are urging the government to finalise those arrangements as part of the implementation of new legislation regarding the storage of communications data.

Meanwhile, another operator in Australia has published information related to some of the statistical data it holds for its own operations. As we explain earlier in the report, while transparency is important, we do not believe that individual operator disclosures of this kind are an effective route to achieve the level of transparency sought by the public as a whole. We will therefore continue to engage with government and industry to ensure that the new policy framework contains statistical data reporting provisions which are as consistent and robust as possible.

For a summary of the most important legal powers relating to law enforcement demands on a country-by-country basis, see our Law enforcement legal powers country-by-country annexe (pdf, 2.59 MB).

Ghana

Type of demand

 

Lawful Interception

Communications Data

Statistics

No technical implementation (1)

Unable to obtain guidance (2)

Key note (1)

We have not implemented the technical requirements necessary to enable lawful interception and therefore have not received any agency or authority demands for lawful interception assistance.

Key note (2)

The legal position remains unclear regarding whether or not it would be lawful for Vodafone to disclose statistics related to agency and authority communications data demands.

Under the Electronic Communications Act, 2008 (“ECA”), certain classes of information which are deemed to be of importance to the protection of national security may be declared to be critical electronic records and subject to restrictions in respect of access, transfer and disclosure. Under section 56 of the ECA, the Minister for Communications may by notice in the Gazette (the official government publication) declare certain classes of information which are deemed to be of importance to the protection of national security to be critical electronic records. Section 59 of the ECA therefore provides for the setting of minimum standards in respect of access to, transfer and control of a critical database.

Additionally, section 60 of the ECA imposes restrictions on the disclosure of information in a critical database to persons other than the employees of the National Information Technology Agency, a law enforcement agency, a ministry, department or other government agency. As a result, if the aggregate data in respect of the above agency and authority demands are designated as critical electronic records, the government will be able to prevent Vodafone from publishing them.

Prior to the publication of the 2014 report, we approached the authorities to ask for clarity and guidance as to whether Vodafone was lawfully permitted to disclose aggregate statistics related to communications data demands received from government agencies and authorities. We did not receive a response in time for publication of last year's report.

During 2014–15, we have again attempted to engage with the authorities to seek guidance but have again been unable to obtain clarity on the legal position. Given the uncertain legal position and the extent of potential risk to our employees associated with publication, we are therefore not in a position to disclose aggregate statistics related to communication data demands.

For a summary of the most important legal powers relating to law enforcement demands on a country-by-country basis, see our Law enforcement legal powers country-by-country annexe (pdf, 2.59 MB).