Britain’s Vodafone revealed Friday that several governments are collecting surveillance data directly from its networks without any legal review and publicly urged more safeguards against such unfettered access to the private communications of its customers.
The declarations, made by the world’s second-largest cellular carrier, show that the type of access to telecommunications networks enjoyed by the U.S. National Security Agency also occurs in other countries where legal protections almost certainly are lower. Vodafone’s networks span much of Europe and parts of Africa and Asia.
The company said that voice, Internet and other data could be collected without any court review in “a small number” of nations. Although the company does not name them, news reports suggested that one is Britain, whose GCHQ intelligence agency is a close partner of the NSA in filtering the world’s Internet traffic.
“It is a healthy reminder that no amount of legal reform in the United States will solve the problem if there isn’t an international solution,” said Peter Eckersley, director of technology projects for the Electronic Frontier Foundation, a civil liberties group that is based in San Francisco.
Vodafone’s statements, coming in the company’s first report on data demands made by authorities in the countries where it operates, were unusually pointed, detailed and sober by the standards of the “transparency reports” issued by a growing number of companies since the revelations by former NSA contractor Edward Snowden.
The Vodafone report includes an 88-page annex detailing laws and experiences in 29 nations where, collectively, government agencies have made millions of data requests of the company.
In several of those countries — South Africa, Turkey, Egypt and others — publishing even such rudimentary totals of requests are prohibited by law. The report merely summarizes the legal standards there rather than quantifying the extent of government data collection.
“Refusal to comply with a country’s laws is not an option,” the company said in its report. “If we do not comply with a lawful demand for assistance, governments can remove our licence to operate, preventing us from providing services to our customers. Our employees who live and work in the country concerned may also be at risk of criminal sanctions, including imprisonment.”
Privacy advocates praised Vodafone for issuing such a thorough report but expressed dismay about the revelations of “direct access” that allowed governments to intercept any communication without seeking a court order or making a formal request to the company. Governments could use such access to collect increasingly massive troves of personal information — voice calls, e-mails, video chats, search histories and online address books — without any form of oversight.
“This is the kind of practice that needs to end,” said Eric King of Privacy International, an activist group based in London.
Governments have been gaining increasingly intrusive access to communications for at least two decades, when the United States and other nations began passing laws requiring that powerful surveillance capabilities be built directly into emerging technologies, such as cellular networks and Internet-based telephone systems.
Those demands became even more forceful in the aftermath of the Sept. 11, 2001, attacks, when intelligence agencies scrambled to prevent a similar tragedy. A burgeoning surveillance industry, with regular conferences around the world, grew to meet the well-funded appetite for gathering information on criminals and possible terrorist threats.
Such systems can collect and analyze almost any information, including the content of most phone calls, that flows over the Internet when it’s not encrypted. As a result, governments can learn virtually anything people in their nations say or do online and frequently can learn where they are using location tracking, which is built into most cellular networks.
The Vodafone report distinguishes between content — words or other information conveyed over its networks — and metadata, which reveals who is contacting whom and what kinds of communications systems they are using.
Metadata tends to be more useful in establishing relationships among surveillance targets and, even in countries with rigorous frameworks for protecting personal information, can be gathered more readily by governments with a lower legal standard.
In the Czech Republic, for example, the government compelled Vodafone to turn over the content of conversations 7,677 times during the 12-month reporting period, from April 2013 to March 2014. Hungary collected metadata 75,938 times. Italy, with its government investigations into organized crime, led the Vodafone list with 605,601 demands for metadata.
Britain’s Guardian newspaper, relying on documents provided by Snowden, reported last year on GCHQ’s Tempora Program, in which the British intelligence agency taps into the fiber-optic cables that carry much of the world’s Internet traffic — the kind of “direct access” that Vodafone’s report argues should be curbed.
American technology and telecommunications companies have been scrambling to protect their reputations in the year since Snowden’s revelations began appearing in news reports by The Washington Post and the Guardian.
U.S.-based technology companies such as Google, Microsoft, Yahoo and Facebook have adopted new encryption measures, demanded more latitude to report on government data requests and lobbied Washington for legal curbs on surveillance.
Big telecommunications providers, such as Verizon and AT&T, have been less assertive in their responses, although both companies over the past year have issued their own “transparency reports,” for the first time tallying up government data requests.
Verizon listed 320,000 requests in the United States in 2013 and several thousand collectively in 11 other nations. AT&T listed more than 300,000 requests. (Vodafone was a partner of Verizon in the largest U.S. cellular network, Verizon Wireless, before selling its share to Verizon this year.)
The close relationship between the NSA, the FBI and major telecommunications companies long has been a sore point with privacy advocates.
Marc Rotenberg, executive director of the Electronic Privacy Information Center, based in Washington, said the Vodafone report “underscores the much closer relationship between communications providers, both in the United States and outside the United States, with national intelligence agencies. . . . It’s time to rebuild the wall separating church and state in surveillance.”
Eckersley said that most global telecommunications companies are “handmaidens of their governments’ surveillance apparatuses,” and he expressed little hope for a global treaty. Only new technical solutions capable of thwarting even the most aggressive intelligence agencies could significantly curb the spying of the Internet, he said.
Follow The Post’s tech blog, The Switch, where technology and policy connect.