Vodafone, the world’s second largest telecommunications company, today published its first transparency report, its Law Enforcement Disclosure Report, in which it revealed that a small number of countries by law have direct access to the provider’s network.
The report does not identify the countries, but this was a point of contention in an interview last July with former NSA contractor Edward Snowden. Snowden said the National Security Agency had direct access to servers belonging to large technology companies in order to collect user data and traffic. Most of those providers have denied direct access exists and say they comply and turn data over only when ordered to do so by a court.
“In a small number of countries the law dictates that specific agencies and authorities must have direct access to an operator’s network, bypassing any form of operational control over lawful interception on the part of the operator,” the report said. “In those countries, Vodafone will not receive any form of demand for lawful interception access as the relevant agencies and authorities already have permanent access to customer communications via their own direct link.”
Others have varying levels of warrant and data-retention requirements. Noting that these laws “are designed to protect national security and public safety or to prevent or investigate crime and terrorism,” the company ultimately reasons that “Refusal to comply with a country’s laws is not an option.”
And comply they did, with an unknown number of requests for an unknown amount of data in 29 countries, nearly all of which have laws making it illegal for Vodafone to disclose that it handed user data over or aided governments in the interception of that data. On that note, the company only discloses two categories of information: lawful interception and access to communications data. The former describes how many times the company aided law enforcement in intercepting data. The latter describes exactly how many customer records were obtained by the company for law enforcement. In just one case, Spain, does Vodafone provide data under both categories.
However, in the pages and pages of procedural bloviation leading up to the actual details of the report, the company notes that it did not include any countries in which the government has not requested user data. Thus, Vodafone was the recipient of a “lawful demand for assistance from a law enforcement agency or government authority between 1 April 2013 and 31 March 2014” from every country included in the report, regardless of their specific laws about publishing that information.
Furthermore, Vodafone has omitted information in any case where the government making these requests publishes their own transparency report involving investigative requests for user data. For example, Australia publishes its own national transparency reports. Instead of including that information in their report, Vodafone merely provides links to the Australian national report.
Specifically, Vodafone granted or performed the following for the government in question:
- 5,778 communications data records to Albania;
- two communications data records to Belgium;
- 436 communications data records to Democratic Republic of Congo;
- 760 communications data records to Fiji;
- three communications data records to France;
- 7,677 lawful intercept procedures in Czech Republic;
- 75,938 communications data records to Hungary;
- 4,124 communications data records to Ireland;
- 605,601 communications data records to Italy;
- 488 communications data records to Lesotho;
- 3,773 communications data records to Malta;
- 28,145 communications data records to Portugal;
- 24,212 lawful intercept procedures and 48,679 communications data records to Spain;
- 98,765 communications data records to Tanzania ;
Despite listing them, the report fails to provide any substantive information regarding lawful intercept or communications data records from any of the following countries: Australia, Egypt, Germany, Ghana, Greece, India, Kenya, Mozambique, Netherlands, New Zealand, Romania, South Africa, Turkey, and United Kingdom. Among these, information about such requests in Australia, Germany, Greece, Netherlands, New Zealand, and United Kingdom were omitted because the government publishes its own reports. Among this second group, only in the Netherlands and U.K. is it illegal for Vodafone to publish such records. All the other countries were omitted either because it would be unlawful for Vodafone to disclose such information or because Vodafone is “awaiting guidance” on whether it would be legal to disclose such information.
To reiterate, Vodafone is most definitely receiving data requests of one kind or another from these countries, otherwise they would not be listed in the report. The report includes no data regarding U.S. citizens because Vodafone does not operate in the U.S.