International mobile phone network operator Vodafone has revealed the scale of government surveillance of its customers across the world.
The company has published a report covering the 29 countries where it does business, detailing the requests made by various governments for access to data about customer communications.
That law enforcement and intelligence agencies request this data is hardly new. But Vodafone said the evolution of communications technology — and the desire of governments to tap into it — has created a tension between citizens' right to privacy and the state's need to ensure safety and security. Concerns about widespread surveillance and habitual data harvesting by intelligence agencies have triggered a debate about the scale and legitimacy of such monitoring.
While in most places Vodafone retains control over the systems used for lawful interception of communications, it revealed that in a small number of countries where it operates (which it did not name), the authorities have direct access to an operator's network, bypassing the telco completely.
As a result, in those countries, government authorities have complete and permanent access to all customer communications via their own direct link — without needing a warrant for the interception.
The report focuses on the two categories of law enforcement demands that account for the overwhelming majority of all such activity: lawful interception and access to communications data.
The company said that it does refuse to comply with demands that are fall into the other category of demands: the unlawful ones. It said the majority of rejections it issues tend to be for defects in the legal process or documentation, or in response to demands issued under inappropriate legal powers.
But is also noted handling such demands can be difficult for the operator: "the powers in question are often used in the context of highly sensitive and contentious developments — for example, during major civil unrest or an election period — which means that Vodafone colleagues dealing with the authorities in the country in question can be put at risk for rejecting a demand on the basis that it is not fully compliant with the law."
The company said that while it wanted to publish the data for all of the countries on a coherent basis, "after months of detailed analysis, it has become clear that there is, in fact, very little coherence and consistency in law and agency and authority practice, even between neighbouring EU member states". Governments should do a better job of disclosing their surveillance activities themselves, it added.
The company said in the case of at least 10 of the 29 countries covered, it was the first time that this kind of information has been placed into the public domain by a mobile operator.
In its country-by-country list it details the number of warrants issued to its local businesses as the most reliable measure of activity currently available. But the company warned it is hard to reach conclusions about the levels of survelliance from those figures, as each warrant can target any number of different subscribers, different communications services, and devices.
The also company pointed out that there trying to shine a light on the murky area of government surveillance can have consequences. "Our decision to make the disclosures set out in this report is therefore not without risk. In some countries, providing what to many observers would seem to be relatively anodyne information about the legal powers and processes used by agencies and authorities could lead to criminal sanctions against Vodafone employees."
The full list of countries and details of intercept requests can be found in Vodafone's Law Enforcement Disclosure Report.