Vodafone’s Transparency Report: Breaking New Ground in the ICT Sector
Commentary, 13 June 2014
By Lucy Purdon, Policy Officer, Privacy International; Research Fellow, IHRB
Last week, UK-based telecom operator Vodafone released its first transparency report as part of the company’s wider 2013-2014 Sustainability Report. It is the latest example of a growing trend among telecommunications companies to explain publicly how they have complied with government or law enforcement requests to supply user data, block content, or intercept communication.
Companies are taking these steps in response to rising disquiet among consumers and human rights groups about a lack of transparency in such decisions. Several telcos have released their transparency reports this year, including CREDO and Verizon (USA), Telstra (Australia), Rogers Communications Inc. and TekSavvy Solutions Inc. (Canada). Other companies in the broader ICT sector which regularly publish transparency reports include Google, Microsoft, Facebook, Yahoo!, Apple, Linkedin and Dropbox.
Vodafone’s report focuses on 29 countries where it directly controls operations (including joint ventures in Australia, Kenya and Fiji), and in which the company received a lawful demand for assistance from a law enforcement agency or government authority between 1 April 2013 and 31 March 2014. The report does not include countries where no such demands were received or countries where Vodafone does not own or control a licensed communications operator.
While transparency reports are an important step in building trust with customers and other stakeholders, we have raised questions in the past as to how the data in transparency reports can actually be used to address risks to human rights and highlighted the challenge of giving meaning and context to what is essentially a list of numbers. Transparency reports should provide more answers than raise new questions.
Vodafone’s first transparency report moves in this direction and breaks new ground. While other company reports to date have chosen to publish only a list of numbers with little or no context, Vodafone has also stated clearly what it is not permitted to disclose in certain countries, rather than disregarding this information altogether and leaving readers with the impression they are not getting the complete picture. This includes detailing the legal constraints the company is under in even disclosing the number of requests it receives and the pressure this can put on the staff in country. As the report explains,
“Law enforcement and national security legislation often includes stringent restrictions preventing operators from disclosing any information relating to agency and authority demands received, including disclosure of aggregate statistics. In many countries, operators are also prohibited from providing the public with any insight into the means by which those demands are implemented.”
In the country-by-country analysis, the report presents 6 circumstances in which Vodafone has not published statistics. These include:
1. Situations where disclosure is unlawful under the laws of that country;
2. Where there is no lawful provision and/or such technology has not been implemented, and therefore Vodafone does not receive requests. It appears requests could however be made through one of its partners e.g. SFR in France;
3. Where the law on disclosure is unclear and Vodafone is awaiting guidance;
4. Where the law on disclosure is unclear and Vodafone has been unable to obtain further guidance;
5. Where authorities have directly told Vodafone they cannot disclose information, even when the law does not expressly prohibit this. This was the case in Ireland and Qatar;
6. Where it does not need to publish because the government, parliament or a credible independent body such as a regulator already publishes statistical information for certain types of demands issued to all operators in that country.
The Vodafone report therefore is less about numbers and more about the responsibilities of the government. States clearly have obligations to protect human rights, but all companies have a responsibility to respect human rights as set out in the UN Guiding Principles on Business and Human Rights. Companies need to assess actual and potential human rights impacts and report their activities so that it becomes clearer where accountability lies. Vodafone’s report is useful by providing granular information of where it acts because it is required to do so by law or a legal order, and where the legal situation is not entirely clear. It is necessary for human rights groups and other stakeholders to have such information in order to seek legislative changes and mount legal changes accordingly. For that, it is important for governments and companies to be more transparent about their conduct.
Vodafone makes clear its view that ideally governments should be disclosing such information and not the companies so that consumers and other relevant bodies get an accurate picture of the extent of demands.
The most crucial and revealing aspect in the report is the confirmation that in some countries, the laws on interception that do exist have little or no legal oversight and allow law enforcement authorities to bypass the operator and have direct access to the network. The report states,
“…in a small number of countries the law dictates that specific agencies and authorities must have direct access to an operator’s network, bypassing any form of operational control over lawful interception on the part of the operator. In those countries, Vodafone will not receive any form of demand for lawful interception access as the relevant agencies and authorities already have permanent access to customer communications via their own direct link.”
Vodafone did not detail the countries in question due to reported concerns regarding the risk of possible retaliation against staff, but a Guardian report states that there are “about six” countries where the law obliges operators to install “direct access pipes” or allow governments to do so.
Vodafone was the first telco to break the corporate silence in the wake of documents leaked by Edward Snowden and published in The Guardian and The Washington Post last year detailing the surveillance and data gathering practices of the US National Security Agency (NSA), in particular the ‘Dishfire’ programme. This system reportedly collected 200 million text messages per day and was accessed by UK intelligence agency GCHQ, which prompted Vodafone to speak out. At that time, a Vodafone representative told Channel 4 News:
“What you’re describing sounds concerning to us because the regime that we are required to comply with is very clear and we will only disclose information to governments where we are legally compelled to do so, [we] won’t go beyond the law and comply with due process. But what you’re describing is something that sounds as if that’s been circumvented…From our perspective, the law is there to protect our customers and it doesn’t sound as if that is what is necessarily happening.”
This reaction and level of transparency is a stark contrast from Vodafone’s initial reaction to criticisms over the telecommunications network being shut down during the Egyptian revolution in 2011. IHRB wrote extensively at the time about steps Vodafone could have taken and IHRB Executive Director John Morrison and Vodafone Egypt’s CEO Hattem Dowidar exchanged letters in The Financial Times.
Like many other companies, Vodafone is evolving in its positions on such matters and now believes it is not enough to say that it has no other choice but to accede to government demands, or that the company is merely abiding by the national law and not take the responsibility for the possible consequences. Vodafone has shown with its new transparency report that more can be done by increasing levels of disclosure and explaining publicly what processes are in place to deal with state requests.
The report is a welcome addition to the increasing number of corporate transparency and disclosure reports. Vodafone has raised the bar – it is time for other companies to take up the challenge.