Vodafone has become the first telecoms company to voluntarily reveal the scope of government snooping on mobile phone networks. It comes at a time when spy agencies face greater scrutiny for their surveillance practices.
One of the world's largest cellphone companies, Vodafone, has painted the clearest picture to date of the lengths governments go to snoop on the mobile phone communications of their citizens, saying authorities in some countries have direct wiretaps into its networks.
In the company's "Disclosure Report," released on Friday, Vodafone outlined the scope of government surveillance in 29 European, African and Asian countries.
Most explicit was the disclosure that a "small number of countries" demand unfettered access to an operator's network without securing a warrant.
"It is a reminder that as chilling as the NSA's capabilities are, there are many countries around the world that are less restrained in the surveillance they conduct," said Julian Sanchez, a senior fellow and privacy expert at the Cato Institute in Washington D.C.
"In those countries, Vodafone will not receive any form of demand for lawful interception access as the relevant agencies and authorities already have permanent access to customer communications via their own direct link," the report said.
Vodafone, which has 400 million customers worldwide, did not list the countries by name for legal reasons. But it did say it was prohibited by law to disclose any information about wiretapping in Albania, Egypt, Hungary, India, Malta, Qatar, Romania, South Africa and Turkey.
The revelations came at a time when governments in major democracies are coming under greater scrutiny for their surveillance practices following the revelations of Edward Snowden one year ago.
Legal checks not a given
Many countries have laws requiring warrants or legal notice of government intrusion into phone networks, but such protective laws do not exist everywhere. When taken in a global context, judicial review of intelligence interception is more an exception than the rule.
According to the report, Vodafone was in some cases obliged to provide the technical means necessary to eavesdrop on customers' phone calls or read their text messages.
"Lawful interception requires operators to implement capabilities in their networks to ensure they can deliver, in real time, the actual content of the communications," the company said.
That content could include what is said in a phone call or the text and attachments within an email.
The report did not go into more detail about the obligation except to say legal restrictions prohibited the company from saying more.
But the Guardian newspaper cited industry sources as saying agencies sometimes installed their own equipment at Vodafone's data centers or rerouted traffic through government servers.
"Refusal to comply with a country's laws is not an option," the company said, noting that Vodafone employees could be arrested or face criminal sanctions if it chose to ignore national laws.
Between a rock and a hard place
Governments that called for access to Vodafone's network often did not reveal the identity or the number of customers targeted. Vodafone noted that non-disclosure laws made it extremely difficult for operators to be more forthcoming about what data governments actually accessed.
Telecommunication firms are often at pains to balance the interests of their customers with laws were designed to protect national security and facilitate criminal investigations.
While a company may have the legal prerogative to challenge a court order, it is often not privy to the information that would justify it.
"A phone company gets told, 'put a tap on this line,'" the Cato Institute's Sanchez said. "Is it someone who's trafficking nuclear secrets or a political dissident? The phone company has no way to know."
According to the Vodafone report, which also cited data released by national governments, Italy made 605,601 requests for communication metadata, the most in the countries surveyed.
Germany, which was up in arms when it became public that the United States had tapped Chancellor Angela Merkel's cell phone, also made requests. These included 23,687 requests to eavesdrop on phone conversations and 18,026 requests to collect metadata. Metadata reflects where a call was made and to whom.
Push for more transparency
In the last year it has largely been IT and sofware companies that have been the most outspoken against sweeping government surveillance. With this report, Vodafone becomes one of the first telecommunications operators to join that push.
Vodafone also said it wanted to work with other operators to provide a complete picture of the kind of surveillance going on in countries vis a vis telephone companies.
"What you need is a kind of belt-and-suspenders approach where you have transparency from both sides," Sanchez said.