Friday, 6 June 2014

I am sure they had a good time listening to the Quinn Family Calls.

Law Enforcement Disclosure Report

Our customers have a right to privacy which is enshrined in international human rights law and standards and enacted through national laws. Respecting that right is one of our highest priorities: it is integral to the Vodafone Code of Conduct which everyone who works for us has to follow at all times.
However, in every country in which we operate, we have to abide by the laws of those countries which require us to disclose information about our customers to law enforcement agencies or other government authorities, or to block or restrict access to certain services. Those laws are designed to protect national security and public safety or to prevent or investigate crime and terrorism, and the agencies and authorities that invoke those laws insist that the information demanded from communications operators such as Vodafone is essential to their work.
Refusal to comply with a country’s laws is not an option. If we do not comply with a lawful demand for assistance, governments can remove our licence to operate, preventing us from providing services to our customers. Our employees who live and work in the country concerned may also be at risk of criminal sanctions, including imprisonment. We therefore have to balance our responsibility to respect our customers’ right to privacy against our legal obligation to respond to the authorities’ lawful demands as well as our duty of care to our employees, recognising throughout our broader responsibilities as a corporate citizen to protect the public and prevent harm.

Complex, controversial – and constantly changing

Communications technologies have evolved rapidly over the last 20 years. Almost three billion people now communicate and share information over electronic communications networks on a regular basis, and vast volumes of data are created and exchanged every second. However, many of the legal powers relied upon by law enforcement agencies, intelligence agencies and other government authorities were first drafted in a much simpler era, when a household shared a single telephone landline, mobile phones were relatively rare and the internet as we understand it today did not exist. Our views on the legislative challenge in many countries are set out later in this report.
The use of those legal powers in the context of today’s far more complex electronic communications has proven to be highly controversial. All governments have incorporated national security exceptions into national legislation to give legal powers to agencies and authorities. Some governments have constrained those powers to limit the human rights impact; others have created much wider-ranging powers with substantially greater human rights impacts. Meanwhile, agencies and authorities have the scope to apply advanced analytics techniques to every aspect of an individual’s communications, movements, interests and associations – to the extent that such activity is lawful – yielding a depth of real-time insights into private lives unimaginable two decades ago.
In a number of countries, these changes have created tensions between the protection of the citizen’s right to privacy and the duty of the state to ensure public safety and security. Those tensions have been heightened as a consequence of the allegations made by the former US National Security Agency (NSA) contractor Edward Snowden. Media reports of widespread government surveillance and data ‘harvesting’ by intelligence agencies have triggered a significant public debate about the transparency, proportionality and legitimacy – even lawfulness – of the alleged activities of a number of high-profile agencies.
Questions have also been asked about the role of communications operators such as Vodafone in support of those activities. We hope that this report will provide some of the most important answers, although there will undoubtedly be some questions that we cannot answer for reasons that we explain later in this report.

What we are publishing, and why

This is our inaugural Law Enforcement Disclosure Report. We are also one of the first communications operators in the world to provide a country-by-country analysis of law enforcement demands received based on data gathered from local licensed communications operators. We will update the information disclosed in this report annually. We also expect the contents and focus to evolve over time and would welcome stakeholders’ suggestions as to how they should do so.
The report encompasses all 29 operating businesses directly controlled by Vodafone (including our joint ventures in Australia, Kenya and Fiji), in which we have received a lawful demand for assistance from a law enforcement agency or government authority between 1 April 2013 and 31 March 2014. We have not included countries in which we operate where no such demands were received, nor have we included countries where there may be some form of Vodafone brand presence (for example, through a partner market relationship) but where Vodafone does not own or control a licensed communications operator.
We have focused on the two categories of law enforcement demands which account for the overwhelming majority of all such activity: lawful interception; and, access to communications data. Both of these terms are explained later in this report. We have not included statistical data on the number of orders received to block or restrict access to content or services (further details of which are addressed below). We are exploring options to include this information in future reports, although it is important to note that there are complexities involved in collating the information required (content filters can be applied at various points within a country’s various networks, some of which may not be visible to Vodafone) and a number of countries are likely to prohibit publication of this information.
The report is intended to:
  • explain the principles, policies and processes we follow when responding to demands from agencies and authorities that we are required to assist with their law enforcement and intelligence-gathering activities;
  • explain the nature of some of the most important legal powers invoked by agencies and authorities in our countries of operation;
  • disclose the aggregate number of demands we received over the last year in each of our countries of operation unless prohibited from doing so or unless a government or other public body already discloses such information (an approach we explain later in this report); and
  • cite the relevant legislation which prevents us from publishing this information in certain countries.
Compiling this report has been a very complex and challenging endeavour. Given the sensitivity of any discussion of agency or authority activity in certain countries, it has also not been without risk. We set out to create a single disclosure report covering 29 countries on a coherent basis. However, after months of detailed analysis, it has become clear that there is, in fact, very little coherence and consistency in law and agency and authority practice, even between neighbouring EU Member States. There are also highly divergent views between governments on the most appropriate response to public demands for greater transparency, and public attitudes in response to government surveillance allegations can also vary greatly from one country to another.

The transparency challenge

Law enforcement and national security legislation often includes stringent restrictions preventing operators from disclosing any information relating to agency and authority demands received, including disclosure of aggregate statistics. In many countries, operators are also prohibited from providing the public with any insight into the means by which those demands are implemented. These restrictions can make it very difficult for operators to respond to public demand for greater transparency. We provide further insight into the nature of those prohibitions later in this report.
We respect the law in each of the countries in which we operate. We go to significant lengths to understand those laws and to ensure that we interpret them correctly, including those that may be unpopular or out of step with prevailing public opinion but which nevertheless remain in force. In this report, we have therefore set out the laws and practices, on a country-by-country basis, that limit or prohibit disclosure. We believe this form of transparency is as important as the publication of aggregate demand statistics themselves in terms of ensuring greater public understanding in this area.
In a number of countries, the law governing disclosure is unclear. Under those circumstances, we have approached the authorities to seek clarity, wherever feasible. Some have given their assent to disclosure of aggregate statistical information about demands received. However, others have told us that we cannot publish this information. If we were to defy the responses received from the latter, we believe it is likely that our local businesses would face some form of sanction and that in some countries, individual Vodafone employees would be put at risk. Therefore, in our report this year we make no disclosure wherever the authorities have told us that we cannot do so. Similarly, where the authorities have not responded to our request for guidance or where the security situation means that any form of engagement with the authorities carries an unacceptable level of risk, we have not disclosed aggregate demand information out of concern for the safety of our employees. However, wherever possible, we will re-engage with the relevant authorities to seek updated guidance ahead of the publication of this report in future years. It is therefore possible that the level of disclosure permitted within the countries concerned may change over time as a result of that process.

Who should publish: governments or operators?

In our view, it is governments – not communications operators – who hold the primary duty to provide greater transparency on the number of agency and authority demands issued to operators. We believe this for two reasons.
First, no individual operator can provide a full picture of the extent of agency and authority demands across the country as a whole, nor will an operator understand the context of the investigations generating those demands. It is important to capture and disclose demands issued to all operators: however, based on our experience in compiling this report, we believe it is likely that a number of other local operators in some of our countries of operation would be unwilling or unable to commit to the kind of disclosures made by Vodafone in this report.
Second, different operators are likely to have widely differing approaches to recording and reporting the same statistical information. Some operators may report the number of individual demands received, whereas others may report the cumulative number of targeted accounts, communications services, devices or subscribers (or a varying mixture of all four) for their own operations. Our views on the scope for considerable inconsistency in this area are explained later in this report. Similarly, multiple different legal powers may be invoked to gain access to a single customer’s communications data: this could legitimately be recorded and disclosed as either multiple separate demands, or one.
To add to the potential for confusion, an agency or authority might issue the same demand to five different operators; each operator would record and disclose the demand it received in its own way (with all of the variations in interpretation explained below); and the cumulative number of all operators’ disclosures would bear little resemblance to the fact of a single demand from one agency. Moreover, in countries where the law on disclosure is unclear, some operators may choose not to publish certain categories of demand information on the basis of that operator’s appetite for legal risk, whereas another operator may take a different approach, leading to two very different data sets in the public domain.
Shortly before this report was published, other local operators in two of the countries in which we operate – Germany and Australia – began to publish their own law enforcement disclosure reports. Those reports included statistical information about some (but not all) types of agency and authority demands for assistance received by the operator in question. In both countries, the authorities also publish statistical information spanning all operators.
We have compared the statistical information we hold for our own operations in the two countries in question with the information recently published by other local operators in those countries. For some categories of agency and authority demand, the volumes involved seem closely comparable between Vodafone and other local operators, although as explained above, there is a significant risk of under or over-counting overlapping demands issued to multiple operators. Furthermore, it is also clear that certain categories of agency and authority demand have been omitted from local operators’ publications, either to comply with legal restrictions (in the case of Australia) or (in Germany) for reasons not disclosed to us.
In our view, inconsistent publication of statistical information by individual operators amounts to an inadequate and unsustainable foundation for true transparency and public insight. There is a substantial risk that the combination of widely varying methodologies between operators (leading to effectively irreconcilable raw numbers) and the potential for selective withholding of certain categories of agency and authority demand (for reasons which may not themselves be fully transparent) would act as a significant barrier to the kind of meaningful disclosure sought by the public in an increasing number of countries.
We believe that regulators, parliaments or governments will always have a far more accurate view of the activities of agencies and authorities than any one operator. However, our belief is not without qualification. In order for publication of this statistical information by the authorities to be meaningful and reliable, in our view it must:
  • be independently scrutinised, challenged and verified prior to publication;
  • clearly explain the methodology used in recording and auditing the aggregate demand volumes disclosed;
  • encompass all categories of demand, or, where this is not the case, clearly explain those categories which are excluded together with an explanation of the rationale supporting their exclusion; and
  • encompass demands issued to all operators within the jurisdiction in question.
We believe governments should be encouraged and supported in seeking to adopt this approach consistently across our countries of operation. We have therefore provided links to all aggregate statistics currently published by governments in place of our own locally held information (where disclosure is legally permissible at all) and are already engaged in discussions with the authorities in a number of countries to enhance the level of transparency through government disclosure in future.
Separately, where the authorities currently do not publish aggregate statistical information but where we believe we can lawfully publish in our own right, we have disclosed the information we hold for our own local operations. In at least 10 of the 29 countries covered, the disclosures we make in this report represent the first time that this kind of information has been placed into the public domain by a locally licensed operator. However, our concerns about the inadequacy of this kind of disclosure remain. Wherever possible, we will therefore seek to work with other local operators to develop a consistent cross-industry recording and reporting methodology and will engage with governments to make the case for a central, independent and verified source of statistical information spanning all operators. We look forward to updating this report with the outcomes from those discussions.
Finally, we would emphasise that it is not possible to draw any meaningful conclusions from a comparison of one country’s statistical information with that disclosed for another. Similar types and volumes of agency and authority demands will be disclosed (where public reporting is permitted at all) in radically different ways from one country to the next, depending on the methodology used. Similarly, changes in law, technology or agency or authority practice over time may make year-on-year trend data comparisons difficult in future reports.

What statistics should be reported: warrants or targets?

In our country-by-country disclosures, we have focused on the number of warrants (or broadly equivalent legal mechanism) issued to our local businesses as we believe this is the most reliable and consistent measure of agency and authority activity currently available. The relatively small number of governments (9 out of the 29 countries covered in this report) that publish aggregate statistics also collate and disclose this information on the basis of warrants issued.
Each warrant can target any number of different subscribers. It can also target any number of different communications services used by each of those subscribers and – in a modern and complex all-IP environment – it can also target multiple devices used by each subscriber to access each communications service. Additionally, the same individual can be covered by multiple warrants: for example, more than one agency or authority may be investigating a particular individual. Furthermore, the legal framework in some countries requires agencies and authorities to obtain a new warrant for each target service or device, even if those services or devices are all used by the same individual of interest. Note that in the majority of countries, warrants have a time-limited lifespan beyond which they must either be renewed or allowed to lapse.
As people’s digital lives grow more complex and the number of communications devices and services used at home and work on a daily basis continues to increase, the ratio of target devices and services accessed to warrants issued will continue to increase. To illustrate this with a hypothetical example:
  • a single warrant targets 5 individuals;
  • each individual subscribes to an average of eight different communications services provided by up to eight different companies: a landline phone line, a mobile phone, two email accounts, two social networking accounts and two ‘cloud’ storage accounts; and
  • each individual owns, on average, two communications devices fitted with a SIM card (a smartphone and a tablet) in addition to a landline phone and a laptop.
In the hypothetical example above, that one warrant could therefore be recorded as more than 100 separate instances of agency and authority access to individual services on individual devices used by individual subscribers. The scope for miscounting is immense.
In our view, the most robust metric available is the number of times an agency or authority demand for assistance is instigated – in effect, a formal record of each occasion that the state has decided it is necessary to intrude into the private affairs of its citizens – not the extent to which those warranted activities then range across an ever-expanding multiplicity of devices, accounts and apps, access to each of which could be recorded and reported differently by each company (and indeed each agency or authority) involved.
We therefore believe that disclosure of the number of individual warrants served in a year is currently the least ambiguous and most meaningful statistic when seeking to ensure public transparency. However, over time it is possible that an alternative means of providing accurate and reliable aggregate statistical data will emerge as a result of our engagement with other operators and with governments in those countries where publication of this information is permitted.
