The disclosure by Vodafone Group Plc (VOD), provider of mobile-phone service to more than 400 million customers worldwide, that some governments tap directly into its network without company consent spurred a new round of protests by privacy advocates about the scope of surveillance.
In its first law-enforcement disclosure report, Vodafone said 29 governments from Albania to the U.K. have requested access to the company’s network or user data, to wiretap and intercept calls or obtain Web-browser records. The June 6 report covered the year ended March 31.
While other global carriers such as AT&T Inc. (T:US) and Deutsche Telekom AG (DTE) have published similar reports, Vodafone is among the first to reveal that some governments have direct links to its communications systems, without going through the company or a legal review process. Vodafone’s disclosure may heighten the public backlash that resulted after National Security Agency contractor Edward Snowden exposed wide-ranging surveillance of private communications.
“One year after the Snowden revelations, this shows again the scale of collection by governments,” European Union Justice Commissioner Viviane Reding told reporters in Luxembourg on June 6. “There should not be unregulated, direct and automatic mass access by law enforcement authorities to data of citizens held by private companies -- only where there is a clear suspicion.”
While in most countries Vodafone maintains full operational control over the infrastructure used to enable lawful interception, in “a small number of countries” the law dictates that authorities have direct access to an operator’s network. That means agencies can access networks via their own direct link, without asking for the carrier’s permission or help, Vodafone said.
Matt Morgan, a Vodafone spokesman, said six nations have direct access to Vodafone’s network. He declined to identify them because of potential repercussions for employees.
“This type of unfettered access permits uncontrolled mass surveillance of Vodafone’s customers and anyone in contact with them,” Privacy International, a London-based organization campaigning for privacy and transparency, said in a statement. “This is mass surveillance at its most severe.”
Several nations covered by the report, including Egypt, India and Turkey, forbid disclosing what type and how many requests carriers receive from authorities, Vodafone said. Vodafone also said it doesn’t comply with demands that are unlawful.
As the second largest mobile-phone company, Vodafone has customers in countries stretching from the U.K. to South Africa, India to Australia. The only carrier with more users is China Mobile Ltd. Vodafone this year exited the U.S. after selling its stake in Verizon Wireless to Verizon Communications Inc. (VZ:US) for $130 billion.
In Germany, Deutsche Telekom last month published numbers on data handed over to authorities. The country’s top prosecutor is set to start a formal investigation into whether U.S. intelligence agents tapped Chancellor Angela Merkel’s mobile phone, potentially heightening tensions between the two countries over spying.
Deutsche Telekom said it’s evaluating whether it will publish information about regulatory requests in markets outside of Germany, spokeswoman Alexia Sailer said by phone.
“In our view, it is governments –- not communications operators –- who hold the primary duty to provide greater transparency on the number of agency and authority demands issued to operators,” Newbury, England-based Vodafone said in the report, which it plans to update annually.
In the U.S., both of Congress’s chambers are working on legislation to limit government surveillance of communications by Americans. The House of Representatives last month voted to end a domestic spy program in which the NSA collects and stores as much as five years of phone records on Americans, while the Senate Intelligence Committee is moving on a bill to curb the NSA’s collection of bulk telephone records and other electronic data.
U.S. President Barack Obama in March said that the U.S. can stop collecting and storing bulk telephone, e-mail and Internet usage records without compromising national security. Both he and Congress have been under pressure to restrain U.S. spying since Snowden, who faces espionage charges and is living in Russia, leaked documents exposing the surveillance programs to the U.K. Guardian and Washington Post newspapers.
Of the 29 countries covered by Vodafone’s report, a dozen forbid carriers from disclosing “lawful interception” attempts. Some governments, such as Germany and the U.K., report such numbers themselves. In nine of the countries, Vodafone doesn’t have the capability to intercept communications, for example because local legislation prohibits such technology.
Vodafone’s home country defended its interception practices yesterday. Jean-Christophe Gray, spokesman for U.K. Prime Minister David Cameron, said the country’s security services are “operating under clear legal frameworks as well as oversight and scrutiny by independent commissioners and independent parliamentary committee.”
The U.K. forbids Vodafone from disclosing lawful interception attempts. The government’s commission for the interception of communications publishes its own annual survey. Last year, 2,760 communications interception warrants were authorized, according to the report.
Vodafone reported the number of interception requests for two of the countries, with its Spanish unit receiving 24,212 demands and the Czech Republic 7,677.
The company also reported government requests for communications data, including the locations where phones were used, length of calls and other so-called meta-data related to use of Vodafone’s network.
“It’s unacceptable governments carry out surveillance work so massive, widespread and indiscriminate as that revealed by Vodafone’s report,” Antonello Soro, chairman of Italy’s Data Protection Authority, said in a statement. “Just as it is not acceptable that governments have access directly to the phone calls of citizens outside the safeguards prescribed by law and without a measure of the judiciary.”
Vodafone’s Italian unit received 605,601 such requests. The Tanzanian business was asked for such data 98,765 times and Hungary reported 75,938 requests, though the number for that country excludes inquiries related to national security.
AT&T, the largest U.S. phone company, received 301,816 demands for information from U.S. federal, state and local courts, including subpoenas, court orders and search warrants, in 2013. It had 22 requests from governments outside the U.S.
Verizon Communications, AT&T’s biggest rival, reported 321,545 subpoenas, orders and warrants from law enforcement in 2013, in addition to more than 1,000 national security letters, it said in January. Verizon said that outside the U.S., the country with the most inquiries was Germany. It made almost 3,000 requests last year, followed by France’s 1,347 and Belgium’s 473.
Ed McFadden, a Verizon spokesman, said the carrier plans to update its transparency report for the first half of 2014 “in the July timeframe.” AT&T spokesman Mark Siegel said the company releases its reports semi-annually.
To contact the reporters on this story: Amy Thomson in London at firstname.lastname@example.org; Daniele Lepido in Milan at email@example.com
To contact the editors responsible for this story: Kenneth Wong at firstname.lastname@example.org Don Frederick, Bernard Kohn