Monday, June 09, 2014

On Moving From Theory to Practice of the Corporate Responsibility to Respect Human Rights When National Law and International Norms Conflict--Vodafone's "Law Enforcement Disclosure Report"

I have been considering current efforts to implement the U.N. Guiding Principles on Business and Human Rights  (GPs), a set of principles endorsed by the U.N. Human Rights Council in 2011.  My recent focus has been on issues relating to the operationalization of the corporate responsibility to respect human rights (e.g., On Moving From Theory to Practice of Corporate Responsibility to Respect Human Rights--Thoughts on the Human Rights Reporting and Assurance Frameworks Initiative (RAFI) Project), and on the state duty to protect human rights (e.g., On the Problem of the State in the State Duty to Protect Human Rights--Fostering National Action Plans as a Means of Refocusing the State Duty on the Business of the State Itself).

(Pix (c) Larry Catá Backer)

I have argued elsewhere that the GPs recognize the essentially polycentric nature of governance of enterprise governance at the national, international and transnational levels (Backer, Larry Catá, From Institutional Misalignment to Socially Sustainable Governance: The Guiding Principles for the Implementation of the United Nation’s 'Protect, Respect and Remedy' and the Construction of Inter-Systemic Global Governance, Pacific McGeorge Global Business & Development Law Journal, 2011).  When the substantive provisions of the three systems are consistent, operation within each of these autonomous systems is relatively seamless.  But when one of more conflict, or are in tension, then the enterprise faces difficult choices.  The Guiding Principles offers some guidance to enterprises in cases where their social norm governance systems and their obligations derived from international law and norm principles may be in tension with the law (or enforcement practices) of states in which enterprises operate.  GP 23. Some enterprises have begun to operationalize this most difficult of the Guiding Principles.  

This post looks at one of the more interesting efforts to reconcile an enterprise's international and transnational obligations to protect the privacy of its customers, with the increasingly comprehensive regimes of monitoring imposed through the domestic legal orders of states principles of the GPs.  Vodafone, Law Enforcement Disclosure Report (2014). The Report may serve as a model of the way enterprises honor their responsibilities under GP 23 while complying with the law of the states in which they operate.

In many cases, the governance regimes of the state (expressed through law), international organizations (expressed through law directed at states and norms directed at individuals and organizations), and non-state actors (expressed through governance systems sometimes evidenced through contract or other binding arrangements) either are relatively coherent and may be reasonably cobbled together. In other cases, one or another of these autonomous governance frameworks serve as a baseline above which the other systems may build (for example national minimum wages do not prevent multinational corporations from insisting on the payment of higher wages down the supply chain through their own governance mechanisms). But in some cases the systems are out of alignment. In those cases, especially where national security may be involved, or where there are differences in the approach to fundamental constitutional arrangements, multinational corporations retain both their responsibility to obey local law and their responsibility to respect human rights, the later responsibility existing autonomously of local and national obligation in places where enterprises may have operations. GP 11.

Where such misalignment exists, the GPs seek to provide a mechanism for enterprises to mediate the incoherence to the extent possible.  Guiding Principle 23 provides:
In all contexts, business enterprises should:
(a) Comply with all applicable laws and respect internationally recognized human rights, wherever they operate;
(b) Seek ways to honour the principles of internationally recognized human rights when faced with conflicting requirements;
(c) Treat the risk of causing or contributing to gross human rights abuses as a legal compliance issue wherever they operate.
The Commentary to GP 23 makes clear that within the territory of any state the enterprise is usually required to apply a crude hierarchy of law to determine the way in which it will meet its responsibility to respect human rights Within this hierarchy, the law of the place of operation usually is treated as superior to other law or governance norms, but in which enterprises ought to seek to interpret national law in ways that harmonize their application to the objectives of international and transnational standards of human rights consensus (where such exists). 
Although particular country and local contexts may affect the human rights risks of an enterprise’s activities and business relationships, all business  enterprises have the same responsibility to respect human rights wherever they operate. Where the domestic context renders it impossible to meet this responsibility fully, business enterprises are expected to respect the principles of internationally recognized human rights to the greatest extent possible in the circumstances, and to be able to demonstrate their efforts in this regard. (Guiding Principle 23 Commentary).
GP 23 might have been specifically targeted to conflict zones or to state with weak governance.  But it is with some irony that GP 23's tensions are being realized with greater consequence in the most developed states, not just states with reputations for authoritarian governance, but also within states that have prided themselves in their advanced degree of democratic openness and respect for human rights.
Some operating environments, such as conflict-affected areas, may increase the risks of enterprises being complicit in gross human rights abuses committed by other actors (security forces, for example). Business enterprises should treat this risk as a legal compliance issue, given the expanding web of potential corporate legal liability arising from extraterritorial civil claims, and from the incorporation of the provisions of the Rome Statute of the International Criminal Court in jurisdictions that provide for corporatecriminal responsibility. In addition, corporate directors, officers and employees may be subject to individual liability for acts that amount togross human rights abuses.
In complex contexts such as these, business enterprises should ensure that they do not exacerbate the situation. In assessing how best to respond, they will often be well advised to draw on not only expertise and cross-functional consultation within the enterprise, but also to consult externally with credible, independent experts, including from Governments, civil society, national human rights institutions and relevant multi-stakeholder initiatives. (Guiding Principle 23 Commentary).
The approach of GP 23 is essentially one of balancing risk, harm and the probability of success of mediating tactics (lobbying for change or interpretive flexibility).  There may well be instances, however, where the extent of the human rights wrongs involved in compliance with local law may be severe enough  to warrant the decision to avoid the jurisdiction entirely.  In international relations among public institutions, the effect is one of embargo.  In the private sector, it is one of refusal to deal.  But even this decision has human rights consequences--abandoning a human rights non compliant state make make it easier for those states to continue their detrimental activities.

Beyond the balancing, in these cases enterprises face a human rights related risk.  The first is direct--the consequences of compliance with national requirements that may produce detrimental human rights effects.  The second is indirect, and focuses on the risk to the enterprise's employees, operations, and customers, where the enterprise seeks to change or interpret  its way around human rights detrimental domestic legal regimens in ways that may produce conflict with national authorities.

These are the issues that faced Vodafone in recent yesrs. Vodafone published tits Law Enforcement Disclosure Report to explain "the nature and extent of government powers to order our assistance, together with information about agency and authority demands in countries where statistical data can lawfully be disclosed."  The Report suggests both the complexities and costs to enterprises of human rights polycentricity where  issues of national security are involved.  This complexity is deepened where the operationalization of human rights (in this case of privacy) are also fluid and impact areas of civil and political rights, the basis of which are still subject to great controversy among states.

But the Report also suggests the importance of disclosure as a means of engaging with states where the rules of domestic legal orders are inconsistent with or threaten internationally recognized norms of human rights behaviors and behavioral expectations of states.  Iit is sometimes difficult for enterprises to undertake direct negotiation with states over contentious local rules, and where it might not be possible to invoke the local judicial system to attain a sounder interpretation of an ambiguous local law with potentially human rights detrimental impacts.  However,  it is sometimes possible to use disclosure as a means of provoking global discussion of issues and to induce states to reconsider the value of their internal positions, just as the process works for disciplining corporate behaviors  (Larry Catá Backer, From Moral Obligation to International Law: Disclosure Systems, Markets and the Regulation of Multinational Corporations, 39 Georgetown Journal of International Law 591-653 (2008)).  This can be done in a way that furthers the intent and gives effect to GP 23 without violating local law.

These insights are well in evidence with the Vodafone disclosure decision. "By publishing its report, and highlighting its efforts to seek explanations form governments, Vodafone is entering the international debate about balancing the rights of privacy against security.  Rather than being stuck with responsibility and backlash when citizens realize their data has been scooped up without their permission, Vodafone is pushing for a debate." (Peter Svensson, Vodafone Report Sparks Surveillance Debate, AP June 9, 2014).  Indeed some analysts are already using the language of the GP to structure the terms of the debate: "Cynthia Wong, a senior researcher at Human Rights Watch, said Vodafone experienced "a hard lesson" in Egypt. "Even if the government is the ultimate problem, they realized they needed to take steps to mitigate harm to their users," she said." (Id).

The Report follows:

Law Enforcement Disclosure Report

Our customers have a right to privacy which is enshrined in international human rights law and standards and enacted through national laws. Respecting that right is one of our highest priorities: it is integral to the Vodafone Code of Conduct which everyone who works for us has to follow at all times.
However, in every country in which we operate, we have to abide by the laws of those countries which require us to disclose information about our customers to law enforcement agencies or other government authorities, or to block or restrict access to certain services. Those laws are designed to protect national security and public safety or to prevent or investigate crime and terrorism, and the agencies and authorities that invoke those laws insist that the information demanded from communications operators such as Vodafone is essential to their work.
Refusal to comply with a country’s laws is not an option. If we do not comply with a lawful demand for assistance, governments can remove our licence to operate, preventing us from providing services to our customers. Our employees who live and work in the country concerned may also be at risk of criminal sanctions, including imprisonment. We therefore have to balance our responsibility to respect our customers’ right to privacy against our legal obligation to respond to the authorities’ lawful demands as well as our duty of care to our employees, recognising throughout our broader responsibilities as a corporate citizen to protect the public and prevent harm.

Complex, controversial – and constantly changing

Communications technologies have evolved rapidly over the last 20 years. Almost three billion people1 now communicate and share information over electronic communications networks on a regular basis, and vast volumes of data are created and exchanged every second. However, many of the legal powers relied upon by law enforcement agencies, intelligence agencies and other government authorities were first drafted in a much simpler era, when a household shared a single telephone landline, mobile phones were relatively rare and the internet as we understand it today did not exist. Our views on the legislative challenge in many countries are set out later in this report.
The use of those legal powers in the context of today’s far more complex electronic communications has proven to be highly controversial. All governments have incorporated national security exceptions into national legislation to give legal powers to agencies and authorities. Some governments have constrained those powers to limit the human rights impact; others have created much wider-ranging powers with substantially greater human rights impacts. Meanwhile, agencies and authorities have the scope to apply advanced analytics techniques to every aspect of an individual’s communications, movements, interests and associations – to the extent that such activity is lawful – yielding a depth of real-time insights into private lives unimaginable two decades ago.
In a number of countries, these changes have created tensions between the protection of the citizen’s right to privacy and the duty of the state to ensure public safety and security. Those tensions have been heightened as a consequence of the allegations made by the former US National Security Agency (NSA) contractor Edward Snowden. Media reports of widespread government surveillance and data ‘harvesting’ by intelligence agencies have triggered a significant public debate about the transparency, proportionality and legitimacy – even lawfulness – of the alleged activities of a number of high-profile agencies.
Questions have also been asked about the role of communications operators such as Vodafone in support of those activities. We hope that this report will provide some of the most important answers, although there will undoubtedly be some questions that we cannot answer for reasons that we explain later in this report.

What we are publishing, and why

This is our inaugural Law Enforcement Disclosure Report. We are also one of the first communications operators in the world to provide a country-by-country analysis of law enforcement demands received based on data gathered from local licensed communications operators. We will update the information disclosed in this report annually. We also expect the contents and focus to evolve over time and would welcome stakeholders’ suggestions as to how they should do so.
The report encompasses all 29 operating businesses directly controlled by Vodafone (including our joint ventures in Australia, Kenya and Fiji), in which we have received a lawful demand for assistance from a law enforcement agency or government authority between 1 April 2013 and 31 March 2014. We have not included countries in which we operate where no such demands were received, nor have we included countries where there may be some form of Vodafone brand presence (for example, through a partner market relationship) but where Vodafone does not own or control a licensed communications operator.
We have focused on the two categories of law enforcement demands which account for the overwhelming majority of all such activity: lawful interception; and, access to communications data. Both of these terms are explained later in this report. We have not included statistical data on the number of orders received to block or restrict access to content or services (further details of which are addressed below. We are exploring options to include this information in future reports, although it is important to note that there are complexities involved in collating the information required (content filters can be applied at various points within a country’s various networks, some of which may not be visible to Vodafone) and a number of countries are likely to prohibit publication of this information.
The report is intended to:
  • explain the principles, policies and processes we follow when responding to demands from agencies and authorities that we are required to assist with their law enforcement and intelligence-gathering activities;
  • explain the nature of some of the most important legal powers invoked by agencies and authorities in our countries of operation;
  • disclose the aggregate number of demands we received over the last year in each of our countries of operation unless prohibited from doing so or unless a government or other public body already discloses such information (an approach we explain later in this report); and
  • cite the relevant legislation which prevents us from publishing this information in certain countries.
Compiling this report has been a very complex and challenging endeavour. Given the sensitivity of any discussion of agency or authority activity in certain countries, it has also not been without risk. We set out to create a single disclosure report covering 29 countries on a coherent basis. However, after months of detailed analysis, it has become clear that there is, in fact, very little coherence and consistency in law and agency and authority practice, even between neighbouring EU Member States. There are also highly divergent views between governments on the most appropriate response to public demands for greater transparency, and public attitudes in response to government surveillance allegations can also vary greatly from one country to another.

The transparency challenge

Law enforcement and national security legislation often includes stringent restrictions preventing operators from disclosing any information relating to agency and authority demands received, including disclosure of aggregate statistics. In many countries, operators are also prohibited from providing the public with any insight into the means by which those demands are implemented. These restrictions can make it very difficult for operators to respond to public demand for greater transparency. We provide further insight into the nature of those prohibitions later in this report.
We respect the law in each of the countries in which we operate. We go to significant lengths to understand those laws and to ensure that we interpret them correctly, including those that may be unpopular or out of step with prevailing public opinion but which nevertheless remain in force. In this report, we have therefore set out the laws and practices, on a country-by-country (pdf, 1.76 MB) basis, that limit or prohibit disclosure. We believe this form of transparency is as important as the publication of aggregate demand statistics themselves in terms of ensuring greater public understanding in this area.
In a number of countries, the law governing disclosure is unclear. Under those circumstances, we have approached the authorities to seek clarity, wherever feasible. Some have given their assent to disclosure of aggregate statistical information about demands received. However, others have told us that we cannot publish this information. If we were to defy the responses received from the latter, we believe it is likely that our local businesses would face some form of sanction and that in some countries, individual Vodafone employees would be put at risk. Therefore, in our report this year we make no disclosure wherever the authorities have told us that we cannot do so. Similarly, where the authorities have not responded to our request for guidance or where the security situation means that any form of engagement with the authorities carries an unacceptable level of risk, we have not disclosed aggregate demand information out of concern for the safety of our employees. However, wherever possible, we will re-engage with the relevant authorities to seek updated guidance ahead of the publication of this report in future years. It is therefore possible that the level of disclosure permitted within the countries concerned may change over time as a result of that process.

Who should publish: governments or operators?

In our view, it is governments – not communications operators – who hold the primary duty to provide greater transparency on the number of agency and authority demands issued to operators. We believe this for two reasons.
First, no individual operator can provide a full picture of the extent of agency and authority demands across the country as a whole, nor will an operator understand the context of the investigations generating those demands. It is important to capture and disclose demands issued to all operators: however, based on our experience in compiling this report, we believe it is likely that a number of other local operators in some of our countries of operation would be unwilling or unable to commit to the kind of disclosures made by Vodafone in this report.
Second, different operators are likely to have widely differing approaches to recording and reporting the same statistical information. Some operators may report the number of individual demands received, whereas others may report the cumulative number of targeted accounts, communications services, devices or subscribers (or a varying mixture of all four) for their own operations. Our views on the scope for considerable inconsistency in this area are explained later in this report. Similarly, multiple different legal powers may be invoked to gain access to a single customer’s communications data: this could legitimately be recorded and disclosed as either multiple separate demands, or one.
To add to the potential for confusion, an agency or authority might issue the same demand to five different operators; each operator would record and disclose the demand it received in its own way (with all of the variations in interpretation explained below); and the cumulative number of all operators’ disclosures would bear little resemblance to the fact of a single demand from one agency. Moreover, in countries where the law on disclosure is unclear, some operators may choose not to publish certain categories of demand information on the basis of that operator’s appetite for legal risk, whereas another operator may take a different approach, leading to two very different data sets in the public domain.
Shortly before this report was published, other local operators in two of the countries in which we operate – Germany and Australia – began to publish their own law enforcement disclosure reports. Those reports included statistical information about some (but not all) types of agency and authority demands for assistance received by the operator in question. In both countries, the authorities also publish statistical information spanning all operators.
We have compared the statistical information we hold for our own operations in the two countries in question with the information recently published by other local operators in those countries. For some categories of agency and authority demand, the volumes involved seem closely comparable between Vodafone and other local operators, although as explained above, there is a significant risk of under or over-counting overlapping demands issued to multiple operators. Furthermore, it is also clear that certain categories of agency and authority demand have been omitted from local operators’ publications, either to comply with legal restrictions (in the case of Australia) or (in Germany) for reasons not disclosed to us.
In our view, inconsistent publication of statistical information by individual operators amounts to an inadequate and unsustainable foundation for true transparency and public insight. There is a substantial risk that the combination of widely varying methodologies between operators (leading to effectively irreconcilable raw numbers) and the potential for selective withholding of certain categories of agency and authority demand (for reasons which may not themselves be fully transparent) would act as a significant barrier to the kind of meaningful disclosure sought by the public in an increasing number of countries.
We believe that regulators, parliaments or governments will always have a far more accurate view of the activities of agencies and authorities than any one operator. However, our belief is not without qualification. In order for publication of this statistical information by the authorities to be meaningful and reliable, in our view it must:
  • be independently scrutinised, challenged and verified prior to publication;
  • clearly explain the methodology used in recording and auditing the aggregate demand volumes disclosed;
  • encompass all categories of demand, or, where this is not the case, clearly explain those categories which are excluded together with an explanation of the rationale supporting their exclusion; and
  • encompass demands issued to all operators within the jurisdiction in question.
We believe governments should be encouraged and supported in seeking to adopt this approach consistently across our countries of operation. We have therefore provided links to all aggregate statistics currently published by governments in place of our own locally held information (where disclosure is legally permissible at all) and are already engaged in discussions with the authorities in a number of countries to enhance the level of transparency through government disclosure in future.
Separately, where the authorities currently do not publish aggregate statistical information but where we believe we can lawfully publish in our own right, we have disclosed the information we hold for our own local operations. In at least 10 of the 29 countries covered, the disclosures we make in this report represent the first time that this kind of information has been placed into the public domain by a locally licensed operator. However, our concerns about the inadequacy of this kind of disclosure remain. Wherever possible, we will therefore seek to work with other local operators to develop a consistent cross-industry recording and reporting methodology and will engage with governments to make the case for a central, independent and verified source of statistical information spanning all operators. We look forward to updating this report with the outcomes from those discussions.
Finally, we would emphasise that it is not possible to draw any meaningful conclusions from a comparison of one country’s statistical information with that disclosed for another. Similar types and volumes of agency and authority demands will be disclosed (where public reporting is permitted at all) in radically different ways from one country to the next, depending on the methodology used. Similarly, changes in law, technology or agency or authority practice over time may make year-on-year trend data comparisons difficult in future reports.

What statistics should be reported: warrants or targets?

In our country-by-country disclosures, we have focused on the number of warrants (or broadly equivalent legal mechanism) issued to our local businesses as we believe this is the most reliable and consistent measure of agency and authority activity currently available. The relatively small number of governments (9 out of the 29 countries covered in this report) that publish aggregate statistics also collate and disclose this information on the basis of warrants issued.
Each warrant can target any number of different subscribers. It can also target any number of different communications services used by each of those subscribers and – in a modern and complex all-IP environment – it can also target multiple devices used by each subscriber to access each communications service. Additionally, the same individual can be covered by multiple warrants: for example, more than one agency or authority may be investigating a particular individual. Furthermore, the legal framework in some countries requires agencies and authorities to obtain a new warrant for each target service or device, even if those services or devices are all used by the same individual of interest. Note that in the majority of countries, warrants have a time-limited lifespan beyond which they must either be renewed or allowed to lapse.
As people’s digital lives grow more complex and the number of communications devices and services used at home and work on a daily basis continues to increase, the ratio of target devices and services accessed to warrants issued will continue to increase. To illustrate this with a hypothetical example:
  • a single warrant targets 5 individuals;
  • each individual subscribes to an average of eight different communications services provided by up to eight different companies: a landline phone line, a mobile phone, two email accounts, two social networking accounts and two ‘cloud’ storage accounts; and
  • each individual owns, on average, two communications devices fitted with a SIM card (a smartphone and a tablet) in addition to a landline phone and a laptop.
In the hypothetical example above, that one warrant could therefore be recorded as more than 100 separate instances of agency and authority access to individual services on individual devices used by individual subscribers. The scope for miscounting is immense.
In our view, the most robust metric available is the number of times an agency or authority demand for assistance is instigated – in effect, a formal record of each occasion that the state has decided it is necessary to intrude into the private affairs of its citizens – not the extent to which those warranted activities then range across an ever-expanding multiplicity of devices, accounts and apps, access to each of which could be recorded and reported differently by each company (and indeed each agency or authority) involved.
We therefore believe that disclosure of the number of individual warrants served in a year is currently the least ambiguous and most meaningful statistic when seeking to ensure public transparency. However, over time it is possible that an alternative means of providing accurate and reliable aggregate statistical data will emerge as a result of our engagement with other operators and with governments in those countries where publication of this information is permitted.

Security and secrecy: The limits on what local licensed operators can disclose

Beyond a small group of specialists, very few people understand the laws invoked by agencies and authorities when requiring a local licensed communications operator such as Vodafone to provide assistance. In part, that lack of understanding arises because those laws also impose strict secrecy obligations on those involved in the processes: the more you know, the less you are allowed to say.
Our decision to make the disclosures set out in this report is therefore not without risk. In some countries, providing what to many observers would seem to be relatively anodyne information about the legal powers and processes used by agencies and authorities could lead to criminal sanctions against Vodafone employees. The main restrictions on disclosure are set out below.

Obligations on individual employees managing agency and authority demands

In each of our operating companies around the world, a small number of employees are tasked with liaising with agencies and authorities in order to process demands received. Those employees are usually security-cleared to a high level and are bound by law to absolute secrecy. They are not permitted to discuss any aspect of a demand received with their line management or any other colleagues, nor can they reveal that a demand has been received at all, as doing so could potentially compromise an active criminal investigation or undermine measures to protect national security. Additionally, in some countries, they cannot even reveal that specific law enforcement assistance technical capabilities have been established within their companies.
Furthermore, even the limited number of employees aware of a demand will have little or no knowledge of the background to, or intended purpose of, that demand. Similarly, the individual employees involved will not be aware of all aspects of the internal government approval process involved, nor will they know whether or not an agency or authority is co-operating with – or working on behalf of – an agency or authority from another jurisdiction when issuing a demand using Mutual Legal Assistance Treaty (MLAT) arrangements concluded between governments.
All such demands are processed ‘blind’ with no information whatsoever about the context. Whilst we can – and do – challenge demands that are not compliant with legal due process or seem disproportionate, it is therefore not possible for Vodafone to ascertain the intended purpose of any demand received. Equally, we cannot assess whether or not the information gathered as a result of a demand will be used in a manner which is lawful, nor, in most cases, can we make any judgement about the potential consequences of complying (or failing to comply) with an individual demand.
It is also important to note that in seeking to establish whether or not an individual has been involved in unlawful activity, agency and authority demands may encompass access to information regarding many other individuals who are not suspected of any crime. The confidentiality obligations imposed on operators are therefore also intended to prevent inadvertent disclosure of private information related to individuals who are not suspects but whose data may help further an investigation or prove that they are a victim.

Restrictions on disclosing technical and operational systems and processes

Many countries require communications operators such as Vodafone to comply with specific technical and operating requirements designed to enable access to customer data by agencies and authorities. There are wide-ranging legal restrictions prohibiting disclosure of any aspect of the technical and operating systems and processes used when complying with agency and authority demands. In some countries, it is unlawful even to reveal that such systems and processes exist at all.
The small number of Vodafone employees familiar with the systems and processes involved are prohibited from discussing details of these with line management or other colleagues, and the circulation within the company of general information related to those systems and processes is heavily restricted or classified.

Restrictions on disclosing details of the aggregate number of demands received

In some of our countries of operation, we are prohibited in law from disclosing aggregate statistics relating to the total number of demands received over a 12 month period. In others, the law may expressly prohibit the disclosure that law enforcement demands are issued at all. In a number of countries where the law on aggregate disclosure is unclear, the relevant authorities have told us that we must not publish any form of aggregate demand information. We believe that defying those instructions could lead to some form of sanction against our local business and – in some countries – would also present an unacceptable level of risk for individual employees, to whom Vodafone owes a duty of care.
Whilst we have included factors relevant to national security powers in compiling this report, it is important to note that many countries prohibit the publication of any form of statistical information relating to national security demands.
Further details can be found in the country-by-country law enforcement disclosure section.

How we work with law enforcement agencies and government authorities

At Vodafone, our customers’ privacy is paramount. We have strict governance controls in place across all of our businesses worldwide to ensure the protection of our customers’ data and communications. We are committed to following the UN Guiding Principles on Business and Human Rights (pdf, 147 KB). We are also a founding member of the Telecommunications Industry Dialogue on Freedom of Expression and Privacy (the ‘Industry Dialogue’). The Industry Dialogue is a group of global communications operators who work together and in collaboration with the Global Network Initiative to address a range of human rights and privacy challenges. We are a signatory to the Industry Dialogue’s Guiding Principles on Freedom of Expression and Privacy, which defines a common approach to be taken by operators when dealing with demands from governments, agencies or authorities that may affect our customers’ privacy and freedom of expression. Further details of Vodafone’s policies and principles in these areas can be found in the Privacy and security section of the sustainability report.
As we explain in our Privacy and law enforcement principles below, Vodafone is committed to meeting its obligations to respond to agencies’ and authorities’ lawful demands but will not go beyond what is mandated in law (other than under specific and limited circumstances, again outlined below).
Abiding by those principles can be challenging in certain countries at certain times. In practice, laws governing agencies’ and authorities’ access to customer data are often both broad and opaque, and – as explained below – frequently lag the development and use of communications technology. Furthermore, the powers in question are often used in the context of highly sensitive and contentious developments – for example, during major civil unrest or an election period – which means that Vodafone colleagues dealing with the authorities in the country in question can be put at risk for rejecting a demand on the basis that it is not fully compliant with the law.
We can – and do – refuse to comply with demands that are unlawful. The majority of rejections tend to be for defects in the legal process or documentation or in response to demands which appear to be issued under an inappropriate legal power. We do not yet have sufficiently robust reporting mechanisms to record all such refusals, so these are not listed in this report. We will consider how best to address this shortcoming where possible, in future reports.
Demands for assistance made by agencies or authorities acting beyond their jurisdiction will always be refused, in line with our principles. It is important to note that we have not, in fact, received any such cross-border demands. Were we ever to receive such a demand, in providing our refusal in response, we would inform the agency or authority that they should consider any MLAT processes to seek the co-operation of the relevant domestic agency or authority with the necessary lawful mandate.
As a general principle, our dealings with agencies and authorities fall into one of the three categories below. If we receive a demand for assistance which falls outside these three categories, we will challenge it and refuse to comply.

Mandatory compliance with lawful demands

We will provide assistance in response to a demand issued by an agency or authority with the appropriate lawful mandate and where the form and scope of the demand is compliant with the law. Each of our local operating businesses is advised by senior legal counsel with the appropriate experience to ensure compliance with both the law and with our own principles.

Emergency and non-routine assistance

Our policy allows for the provision of immediate emergency assistance to agencies and authorities on a voluntary basis where it is clear that it is overwhelmingly in the public interest for us to do so. These are very specific circumstances where there is an imminent threat to life or public safety but where existing legal processes do not enable agencies and authorities to react quickly enough. Common examples include a police request for assistance whilst a kidnapping is in progress or to locate a missing child.
Under these circumstances, we will respond immediately to a request for assistance so long as we are satisfied that the agency making the request has the legal authority to do so. We will then require the formal lawful demand to follow soon thereafter with retrospective effect. We are clear in our policy that discretionary assistance is granted on an exceptional basis and cannot be used by agencies and authorities as a routine alternative to compliance with legal due process. All such instances are scrutinised carefully under our governance rules.

Protecting our customers and our networks

We work with law enforcement agencies on a voluntary basis to seek to prevent or investigate criminal and hacker attacks against our networks and to prevent or investigate attempts to defraud our customers or steal from Vodafone. We also co-operate on a voluntary basis on broader matters of national infrastructure resilience and national security. We have similar arrangements with banks and our peers under which we share intelligence on how best to protect our customers and our businesses from illegal acts. We believe that this form of co-operation – which does not involve providing agencies with any access to customer data – is strongly in the interests of our customers and the public as a whole. It is important to note that this form of co-operation does not involve providing agencies and authorities with any access to customer data: moreover, we believe it is strongly in the interests of our customers and the public as a whole.

The Vodafone privacy and law enforcement principles

We do not:
  • allow any form of access to any customer data by any agency or authority unless we are legally obliged to do so;
  • go beyond what is required under the law when responding to demands from any agency or authority for access to customer data; or
  • accept any instruction from any agency or authority acting beyond its jurisdiction or legal mandate.
We do:
  • insist that all agencies and authorities comply with legal due process;
  • scrutinise and, where appropriate, challenge the legal powers used by agencies and authorities in order to minimise the impact of those powers on our customers’ right to privacy and freedom of expression;
  • honour international human rights standards to the fullest extent possible whenever domestic laws conflict with those standards;
  • communicate publicly any threats or risks to our employees arising as a consequence of our commitment to these principles, except where doing so would increase those risks; and
  • seek to explain publicly the scope and intent of the legal powers available to agencies and authorities in all countries where it is lawful to do so.
Our policy provides everyone who works for Vodafone with a global governance framework and a set of criteria which must be applied to all interactions with agencies and authorities. In defining our policy (which we update regularly as laws and technologies evolve), we have three objective to:

Ensure a robust assessment of the scope of the law

We seek to have as clear an understanding as possible of the scope of – and limits on – the legal powers granted to each country’s agencies and authorities in order to ensure we do not exceed what is lawfully required when responding to a demand for assistance.

Ensure appropriate internal oversight and accountability

Vodafone’s overall approach to engagement with agencies and authorities is overseen at the most senior level of executive management to ensure effective governance and accountability. However, it is important to note that individual directors’ knowledge of specific demands, systems and processes will be limited as a consequence of the restrictions on internal disclosure outlined above.

Address the complexities of law enforcement across multiple countries

Laws designed to protect national security and prevent or investigate crime vary greatly between countries, even within the EU. As a global business operating under local laws in multiple countries and cultures, Vodafone faces a constant tension in seeking to enforce a set of global principles and policies which may be at odds with the attitudes, expectations and working practices of governments, agencies and authorities in some countries. Our global governance framework is designed to manage that tension in a manner which protects our customers and reduces the risks to our employees without compromising our principles.

Communications technology and governments

It is inevitable that legislation lags behind technological innovation in the fast-moving and complex era of internet protocol-based networks, cloud technologies and the proliferation of connected devices in an ‘internet of things’. We recognise that agencies and authorities can face significant challenges in trying to protect the public from criminals and terrorists within a legislative framework that pre-dates many of the technologies that are now central to people’s daily lives.
We think many governments could do more to ensure that the legal powers relied upon by agencies and authorities are fit for the internet age. In our view, legislative frameworks must be:
  • tightly targeted to achieve specific public protection aims, with powers limited to those agencies and authorities for whom lawful access to customer data is essential rather than desirable;
  • proportionate in scope and defined by what is necessary to protect the public, not by what is technically possible; and
  • operationally robust and effective, reflecting the fact that households access the internet via multiple devices – from games consoles and TVs to laptops, tablets and smartphones – and each individual can have multiple online accounts and identities.
We also believe that governments should:
  • balance national security and law enforcement objectives against the state’s obligation to protect the human rights of all individuals;
  • require all relevant agencies and authorities to submit to regular scrutiny by an independent authority empowered to make public – and remedy – any concerns identified;
  • enhance accountability by informing those served with demands of the identity of the relevant official who authorised a demand and by providing a rapid and effective legal mechanism for operators and other companies to challenge an unlawful or disproportionate demand;
  • amend legislation which enables agencies and authorities to access an operator’s communications infrastructure without the knowledge and direct control of the operator, and take steps to discourage agencies and authorities from seeking direct access to an operator’s communications infrastructure without a lawful mandate;
  • seek to increase their citizens’ understanding of the public protection activities undertaken on their behalf by communicating the scope and intent of the legal powers enabling agencies and authorities to access customer data; and
  • publish regular updates of the aggregate number of law enforcement demands issued each year – meeting the proposed criteria we specify earlier in this report – or at the least allow operators to publish this information without risk of sanction and – as we also explain earlier – on the basis of an agreed cross-industry methodology.
Separately, it is important to note that there can be considerable capital costs associated with technical compliance with law enforcement demands, which an operator is usually unable to recover. There are also considerable operating costs, which an operator may be able to recover from the government in a minority of cases, but most of which cannot be recovered. Vodafone therefore does not – and cannot – seek to make a profit from law enforcement assistance.

Agency and authority powers: The legal context

Vodafone is headquartered in the UK; however, in legal terms, our business consists largely of separate subsidiary companies, each of which operates under the terms of a licence or authorisation issued by the government of the country in which that subsidiary is located. Whilst there are some laws which apply across some or all of our businesses (for example, our European operating companies are subject to EU law as well as local laws, and laws such as the UK Bribery Act apply to all our operations), it is important to note that each subsidiary is established in, and operated from, the local market it serves and is subject to the same domestic laws as any other local operator in that country.
All countries have a wide range of domestic laws which govern how electronic communications networks must operate and which determine the extent to which law enforcement agencies and government authorities can intrude into or curtail privacy or freedom of expression
In some countries those powers are contained within specialist statutes. In others, they may be set out in the terms of a communications company’s operating licence. They may also be distributed across a wide range of legislative orders, directives and other measures governing how agencies and authorities carry out their functions.
However enacted, these powers are often complex, opaque and convoluted. A comprehensive catalogue of all applicable laws across all of our countries of operation would be so vast as to be inaccessible to all but the most determined of legal academics: for that reason, in our country-by-country law enforcement disclosure section we have focused on the most salient legislation only. Even with a focus on the most relevant legislative elements alone, the laws can be difficult for anyone other than a specialist lawyer to understand – and sometimes even the specialists can struggle. A summary of the relevant legislation, country by country, can be found in the Annexe (pdf, 1.76 MB).
Despite this complexity, there are a number of areas which are common to many of the legislative frameworks in our countries of operation, the most significant of which we summarise below.

Provision of lawful interception assistance

In most countries, governments have powers to order communications operators to allow the interception of customers’ communications. This is known as ‘lawful interception’ and was previously known as ‘wiretapping’ from a past era when agents would connect their recording equipment to a suspect’s telephone line. Lawful interception requires operators to implement capabilities in their networks to ensure they can deliver, in real time, the actual content of the communications (for example, what is being said in a phone call, or the text and attachments within an email) plus any associated data to the monitoring centre operated by an agency or authority.
Lawful interception is one of the most intrusive forms of law enforcement assistance, and in a number of countries agencies and authorities must obtain a specific lawful interception warrant in order to demand assistance from an operator. In some countries and under specific circumstances, agencies and authorities may also invoke broader powers when seeking to intercept communications received from or sent to a destination outside the country in question. A number of governments have legal powers to order an operator to enable lawful interception of communications that leave or enter a country without targeting a specific individual or set of premises.

Technical implementation of lawful interception capabilities

In many countries, it is a condition of an operator’s licence that they implement a number of technical and operational measures to enable lawful interception access to their network and services quickly and effectively on receipt of a lawful demand from an agency or authority with the appropriate legal mandate.
Wherever legally permitted to do so, we follow the lawful interception technical standards set down by the European Telecommunications Standards Institute (ETSI), which define the separation required between the agency or authority monitoring centre and the operator’s network. The ETSI standards are globally applicable across fixed-line, mobile, broadcast and internet technologies, and include a formal handover interface to ensure that agencies and authorities do not have direct or uncontrolled access to the operators’ networks as a whole. We continuously encourage agencies and authorities in our countries of operation to allow operators to conform to ETSI technical standards when mandating the implementation of lawful interception functionality within operators’ networks.
In most countries, Vodafone maintains full operational control over the technical infrastructure used to enable lawful interception upon receipt of an agency or authority demand. However, in a small number of countries the law dictates that specific agencies and authorities must have direct access to an operator’s network, bypassing any form of operational control over lawful interception on the part of the operator. In those countries, Vodafone will not receive any form of demand for lawful interception access as the relevant agencies and authorities already have permanent access to customer communications via their own direct link. We describe above our views on those arrangements and explain the restrictions imposed on internal discussion of the technical and operational requirements here.
Vodafone’s networks are designed and configured to ensure that agencies and authorities can only access customer communications within the boundaries of the country in question. They cannot access customer communications on other Vodafone networks in other countries.

Disclosure of communications-related data (‘metadata’)

Whenever a device accesses a communications network, small packets of data related to that device’s activities are logged on the systems of the operator responsible for the network. This ‘metadata’ is necessary for the network to function effectively; for example, in order to route a call to a mobile phone, the network needs to know the mobile network cell site that the device is connected to. Operators also need to store metadata – such as information about call duration, location and destination – to ensure customers are billed correctly. This metadata can be thought of as the address on the outside of an envelope; the communications content (which can be accessed via a lawful interception demand, as explained above) can be thought of as the letter inside the envelope.
It is possible to learn a great deal about an individual’s movements, interests and relationships from an analysis of metadata and other data associated with their use of a communications network, which we refer to in this report generally as ‘communications data’ – and without ever accessing the actual content of any communications. In many countries, agencies and authorities therefore have legal powers to order operators to disclose large volumes of this kind of communications data.
Lawful demands for access to communications data can take many forms. For example, police investigating a murder could require the disclosure of all subscriber details for mobile phone numbers logged as having connected to a particular mobile network cell site over a particular time period, or an intelligence agency could demand details of all users visiting a particular website. Similarly, police dealing with a life-at-risk scenario, such as rescue missions or attempts to prevent suicide, require the ability to demand access to this real-time location information.
In a small number of countries, agencies and authorities have direct access to communications data stored within an operator’s network. In those countries, Vodafone will not receive any form of demand for communications data access as the relevant agencies and authorities already have permanent access to customer communications via their own direct link.

Retention of communications data

Communications operators need to retain certain communications data for operational reasons, as described above. Subject to any applicable privacy or data protection laws, operators may also use communications data for marketing and other business purposes, for example, to promote certain products or services likely to appeal to a particular customer based on their previous activity. Vodafone has developed strict rules governing the use of communications data for marketing purposes which we explain in detail in the Privacy and security section of our sustainability report.
In some countries, operators are required by law to retain communications data for a specific period of time solely in order to fulfil the lawful demands of agencies and authorities who require access to this data for investigation purposes. For example, since 2006, EU legislation (the Data Retention Directive 2006/24/EC) has required Member States to implement laws that mandate the retention of certain communications data. However, a recent European Court of Justice ruling has found that the Data Retention Directive is incompatible with the Charter of Fundamental Rights of the European Union. The full implications of this ruling for Member States with data retention laws derived from the Directive are still being considered by governments at the time of the publication of this report.
In addition, in many countries mobile operators are obliged to collect information to verify customers’ identities. This is primarily to counter the use of anonymous pre-paid mobile phone services where no identity information is otherwise needed to bill for the service.

Decryption of protected data

Electronic communications may be encrypted in some form. This can prevent agencies and authorities from reading the data disclosed to them under applicable legal powers. Encryption can be applied by the operator of the communications network, or it can be applied by the many devices, services and applications used by customers to encrypt data that is transmitted and stored. Several countries empower agencies and authorities to require the disclosure of the encryption ‘keys’ needed to decrypt data. Non-compliance is a criminal offence. It is important to note that an operator typically does not hold the key for data that has been encrypted by devices, services and applications which the operator does not control: furthermore there is no legal basis under which the operator could seek to gain access to those keys.

Search and seizure powers

In most countries, the courts have the power to issue a variety of search and seizure orders in the context of legal proceedings or investigations. Those orders can extend to various forms of customer data, including a company’s business records. The relevant legal powers may be available to members of the public in the course of civil or criminal legal proceedings as well as to a wide range of agencies and authorities.

National security orders

The protection of national security is a priority for all governments. This is reflected in legislative frameworks which grant additional powers to agencies and authorities engaged in national security matters which typically exceed those powers available for domestic law enforcement activities.
For example, in many countries, domestic law enforcement legislation seeks to achieve some form of balance between the individual’s right to privacy and society’s need to prevent and investigate crime. Those considerations have much less weight in the context of threats to the state as a whole, particularly when those threats are linked to foreign nationals in foreign jurisdictions.

Powers to block or restrict access to communications

IP/URL content blocking and filtering
Some forms of internet content may infringe a country’s laws or social norms. Consequently, many countries have laws which enable agencies and authorities to mandate a block on access to content on certain sites (identified by their IP address ranges or URLs), typically by ordering communications providers to apply a filter on their networks. Child abuse content is widely blocked – including on a voluntary basis under the system administered by the Internet Watch Foundation – but other content may be filtered according to a ‘block list’ maintained by the relevant agencies or authorities.
Take-down of particular services
Many countries empower agencies and authorities to order the take-down of specific electronic communications services for reasons such as a government’s desire to restrict access to information it considers harmful to social order. Messaging services and social networks are familiar targets for these take-down actions, although short of a complete network shutdown (addressed below) these measures rarely prove effective over the long-term given the ease with which internet traffic can be re-routed dynamically.
A number of countries also retain legal powers requiring mobile operators to prioritise communications from designated SIMs in mobile phones used by the emergency services at the scene of a major incident where networks can become congested. Whilst such powers are relatively commonplace, in reality they are rarely used and are only effective if the emergency services have supplied operators with an up-to-date list of the SIMs to be prioritised.

Emergency or crisis powers

Many countries have special legal powers that can be invoked at a time of national crisis or emergency, such as a major natural disaster or outbreak of violent civil unrest. The use of those powers typically requires formal approval from the country’s parliament (or legislative equivalent). Once invoked, agencies and authorities are empowered to take direct control of a wide range of activities in order to respond to the crisis or emergency.
Whilst emergency or crisis powers are intended to be used for a limited period of time, their effects can be significant. These laws can be used to restrict or block all forms of electronic communication, either in a specific location or across the country as a whole. In January 2011, the Egyptian government ordered all operators – including Vodafone – to shut down their networks entirely. An overview of these events and Vodafone’s response can be found here.
Further details about the legal powers available to agencies and authorities in each of our countries of operation are set out in our country-by-country law enforcement disclosure section, together with statistical information about the number of demands received.

No comments: