Vodafone put out a highly informative report on the intercept practices of the countries where it does business. The greatest news interest was spurred by its statement that some countries tap directly into the provider’s infrastructure and take what they want without notice to the provider:
In a “small number” of countries, Vodafone said in the report, the company “will not receive any form of demand for communications data access as the relevant agencies and authorities already have permanent access to customer communications via their own direct link.”
Vodafone refused to name the countries. But I can’t help thinking that the report provides some pretty clear clues about two of them. I suspect we’ll soon discover that they are France and Belgium.
The reason is buried in the footnotes to the report. The report gives reasons when it does not disclose the number of lawful intercept warrants the company received in a particular country. Sometimes reporting on wiretaps is prohibited by law.
But in eight cases, the report doesn’t cite legal restrictions on disclosure. Instead, it says that it has no intercept numbers because there is “no technical implementation” of lawful intercept capabilities in those countries. In one country, Kenya, there’s no implementation because Kenyan law prohibits operators from deploying wiretap capabilities. In the other seven, though, the reason the company gives is murkier: “We have not implemented the technical requirements necessary to enable lawful interception and therefore have not received any agency or authority demands for lawful interception assistance.”
You might think those are countries that have simply decided not to do lawful intercepts, perhaps because intercept equipment is expensive or technically demanding. For five of the seven, that’s plausible. They are Mozambique, Ghana, Lesotho, Tanzania, and Fiji.
But the other two on the list are France and Belgium. Does anyone think that these two countries lack the resources, the technical skills, or the will to conduct lawful intercepts? Hardly. France is second to none in its enthusiasm for state intelligence collection, and especially for wiretaps. And Francophone Belgium is often heavily influenced by the governing style of French institutions.
It is inconceivable that these two countries lack a robust wiretapping capability. It is also inconceivable that they would fail to tap mobile phone systems, including Vodafone’s. Yet Vodafone says that it has not received any demands for lawful interception from these countries and has not implemented the technical requirements to enable lawful interception.
The answer may be in how the Vodafone report seems to define lawful interception — as requiring that the operator carry out the wiretap:
“In most countries, governments have powers to order communications operators to allow the interception of customers’ communications. This is known as ‘lawful interception’…. . Lawful interception requires operators to implement capabilities in their networks to ensure they can deliver, in real time, the actual content of the communications (for example, what is being said in a phone call, or the text and atachments within an email) plus any associated data to the monitoring centre operated by an agency or authority.”
So if Vodafone had been ordered simply to give the governments of France and Belgium direct access to Vodafone switches, I’m guessing that Vodafone’s report would say that it had not implemented lawful interception in those countries. Which is what it does say.
Maybe I’m wrong about this, but my money is on Belgium and France as two of the countries with “direct access” to telecom switches.
I’m sure the European Commission will investigate, as soon as they finish their proposals for reforming NSA, FBI, DHS, Treasury, CIA, and the Bureau of Land Management.
UPDATE: Corrected Vodaphone to Vodafone. Thanks, Bart (Amon_RA)