Vodafone is coming clean on how it deals with the data of its customers around the world. The carrier published a global report this evening giving detailed information about how it responds to law-enforcement requests. In some instances, the carrier admits, some law enforcement agencies have warrantless, instant access to customer metadata. Hoooo boy.
In a bid to further contribute to the debate on metadata collection and its use in law-enforcement, Vodafone published an detailed document related to its cooperation with law enforcement around the world.
Our customers have a right to privacy which is enshrined in international human rights law and standards and enacted through national laws. Respecting that right is one of our highest priorities: it is integral to the Vodafone Code of Conduct which everyone who works for us has to follow at all times.
However, in every country in which we operate, we have to abide by the laws of those countries which require us to disclose information about our customers to law enforcement agencies or other government authorities, or to block or restrict access to certain services.
The carrier added in no uncertain terms that non-compliance with law-enforcement requests in the countries in which it operates is not an option.
But Vodafone around the world goes one step further than simple compliance. In some instances, the carrier offers real-time metadata collection of its customers (emphasis added):
It is possible to learn a great deal about an individual’s movements, interests and relationships from an analysis of metadata and other data associated with their use of a communications network, which we refer to in this report generally as ‘communications data’ – and without ever accessing the actual content of any communications. In many countries, agencies and authorities therefore have legal powers to order operators to disclose large volumes of this kind of communications data.
Lawful demands for access to communications data can take many forms. For example, police investigating a murder could require the disclosure of all subscriber details for mobile phone numbers logged as having connected to a particular mobile network cell site over a particular time period, or an intelligence agency could demand details of all users visiting a particular website. Similarly, police dealing with a life-at-risk scenario, such as rescue missions or attempts to prevent suicide, require the ability to demand access to this real-time location information.
In a small number of countries, agencies and authorities have direct access to communications data stored within an operator’s network. In those countries, Vodafone will not receive any form of demand for communications data access as the relevant agencies and authorities already have permanent access to customer communications via their own direct link.
Their own direct link?! That means that some law enforcement agencies around the world are permanently camped inside Vodafone’s network siphoning metadata from customers as they please.
It doesn’t look like Australian law enforcement agencies are part of Vodafone’s admission that law enforcement agencies have direct access to the carrier’s network. It does specify that, under the Telecommunications Act (emphasis added):
the interception of live communications may occur (without a warrant being issued) by the police in specified urgent situations, for example, where there is risk to loss of life or the infliction of serious personal injury or where threats to kill or seriously injure another person have been made. The police are able to request a carrier to intercept individual communications in these circumstances (Part 2-3 of Chapter 2 of the TIA).
Interception of live communications may also be authorised (without a warrant) under section 31A of the TIA by the Attorney-General to enable security authorities for the purpose of developing and testing interception capabilities
Read the full report here (PDF).
We’ve reached out to Vodafone Australia for comment. We’ll update you further if and when we hear back.