Vodafone Reveals Government Agencies Have Direct Access To Its Network Around The World, No Warrants Required
from the even-worse-than-we-thought dept
One of the important results of Snowden's leaks over the last year is that the companies involved are not only becoming more open about how their services have been used by the NSA and GCHQ to spy on people, but they are even starting to push for less intrusion and more transparency. The latest to provide important information about what has been going on is Vodafone, with some fairly shocking news, as reported by the Guardian:
Vodafone, one of the world's largest mobile phone groups, has revealed the existence of secret wires that allow government agencies to listen to all conversations on its networks, saying they are widely used in some of the 29 countries in which it operates in Europe and beyond.
The Guardian story has lots of new information, and is well-worth reading. It includes a table that shows the number of warrants issued last year for legal interception of content, on a country-by-country basis. There are some surprises here -- for example, the fact that the Australian government issued 685,757 warrants for metadata, which is even more than the UK's 514,608 warrants, despite the fact that Australia has well under half the population of the UK.
There are other fascinating details in the Vodafone Law Enforcement Disclosure Report itself. For example, it contains this explanation about what exactly a warrant might encompass these days:
The company has broken its silence on government surveillance in order to push back against the increasingly widespread use of phone and broadband networks to spy on citizens, and will publish its first Law Enforcement Disclosure Report on Friday. At 40,000 words, it is the most comprehensive survey yet of how governments monitor the conversations and whereabouts of their people.
The company said wires had been connected directly to its network and those of other telecoms groups, allowing agencies to listen to or record live conversations and, in certain cases, track the whereabouts of a customer. Privacy campaigners said the revelations were a "nightmare scenario" that confirmed their worst fears on the extent of snooping.
Each warrant can target any number of different subscribers. It can also target any number of different communications services used by each of those subscribers and -- in a modern and complex all-IP environment -- it can also target multiple devices used by each subscriber to access each communications service. Additionally, the same individual can be covered by multiple warrants: for example, more than one agency or authority may be investigating a particular individual. Furthermore, the legal framework in some countries requires agencies and authorities to obtain a new warrant for each target service or device, even if those services or devices are all used by the same individual of interest. Note that in the majority of countries, warrants have a time-limited lifespan beyond which they must either be renewed or allowed to lapse.
That means that the number of warrants listed in the Vodafone report, and collected in the Guardian table mentioned above, is likely to be a significant underestimate of the total number of acts of surveillance being conducted. Alongside the main report, there is also an 88-page Legal Annexe (pdf):
As people's digital lives grow more complex and the number of communications devices and services used at home and work on a daily basis continues to increase, the ratio of target devices and services accessed to warrants issued will continue to increase. To illustrate this with a hypothetical example:
a single warrant targets 5 individuals;
each individual subscribes to an average of eight different communications services provided by up to eight different companies: a landline phone line, a mobile phone, two email accounts, two social networking accounts and two "cloud"; storage accounts; and
each individual owns, on average, two communications devices fitted with a SIM card (a smartphone and a tablet) in addition to a landline phone and a laptop.
In the hypothetical example above, that one warrant could therefore be recorded as more than 100 separate instances of agency and authority access to individual services on individual devices used by individual subscribers.
This annexe to Vodafone's Law Enforcement Disclosure report seeks to highlight some of the most important legal powers available to government agencies and authorities seeking to access customer communications across the 29 countries of operation covered in this report.
As that notes, very few people are aware of the powers that exist around the world, which makes this Annexe an extremely valuable contribution to charting the surveillance landscape, not least because it is being released freely. As well as for this research, Vodafone deserves credit for making the following call, as reported by the Guardian:
Whilst the legal powers summarised here form part of local legislation in each of those countries and can therefore be accessed by the public, in practice very few people are aware of these powers or understand the extent to which they enable agencies and authorities to compel operators to provide assistance of this nature.
Vodafone's group privacy officer, Stephen Deadman, said: "These pipes exist, the direct access model exists.
That's a hugely important point. Direct access, as revealed by Vodafone, not only allows governments real-time access to enormous quantities of private communications data, but does so in a way that hides the fact that the interception is taking place at all, even to the companies involved. As Vodafone notes, introducing the requirement for a warrant for all such interception would make it much easier for companies to resist, alert the public to the sheer scale of the surveillance being carried upon them, and probably act as a natural brake on governments. Direct access to the network represents a huge exacerbation of the dangers of government surveillance: it is simply too easy to "collect it all." Vodafone's disclosure report is an important step towards changing that; the "other telecoms groups" mentioned above should now follow suit by issuing their own.
"We are making a call to end direct access as a means of government agencies obtaining people's communication data. Without an official warrant, there is no external visibility. If we receive a demand we can push back against the agency. The fact that a government has to issue a piece of paper is an important constraint on how powers are used."