Vodafone puts out wide-ranging transparency report, hinting at secret surveillance programs

The British carrier group Vodafone(s vod) has issued its first Law Enforcement Disclosure Report, which it will update on an annual basis. This is the most comprehensive transparency report yet, covering 29 countries where a Vodafone-controlled operator received a demand for assistance from law enforcement agencies or government authorities during the last year.

In at least 10 of those countries, Vodafone said, it is the first locally licensed operator to publish such information. A good deal of data is missing from the report, though, notably anything specific relating to countries where the authorities have secret direct connections to the network. Vodafone said breaking such secrecy laws could endanger its employees, not to mention its license to operate. Many countries also won’t allow the publication of request statistics.

Forget comparisons

The breakdown shows that, of the 13 countries that permit the sharing of communications data, Italy led the pack with 605,601 requests. Tanzania was next with 98,765 requests, then Hungary with 75,938 requests. All of two countries allowed the publication of Vodafone-specific wiretapping requests: Spain made 24,212 during the year, and the Czech Republic 7,677. Of the countries that publish their own aggregate lawful interception stats, Italy was again in the lead with 140,577 — much of this is probably mafia stuff.

However, Vodafone warned against reading too much into comparisons of one country’s statistical data with that of another, noting that “similar types and volumes of agency and authority demands will be disclosed (where public reporting is permitted at all) in radically different ways from one country to the next, depending on the methodology used.”

As the carrier put it:

“We set out to create a single disclosure report covering 29 countries on a coherent basis. However, after months of detailed analysis, it has become clear that there is, in fact, very little coherence and consistency in law and agency and authority practice, even between neighbouring EU Member States. There are also highly divergent views between governments on the most appropriate response to public demands for greater transparency, and public attitudes in response to government surveillance allegations can also vary greatly from one country to another.”

Vodafone said it believes governments rather than operators should be doing the disclosing here, because lone operators have a limited view of the big picture, and because of the inconsistency in how carriers record and report information. Also, “in countries where the law on disclosure is unclear, some operators may choose not to publish certain categories of demand information on the basis of that operator’s appetite for legal risk, whereas another operator may take a different approach, leading to two very different data sets in the public domain.”

Limited view

There are significant limitations to this report, even if you don’t count certain countries’ ban on reporting aggregate data. In each of its operating companies, Vodafone explained, a small number of employees have high security clearance in order to liaise with agencies and authorities – these people can’t even inform their line managers about the requests they receive, and “in some countries, they cannot even reveal that specific law enforcement assistance technical capabilities have been established within their companies.”

Then there’s the fact that, in “a small number of countries,” agencies and authorities really can plug straight into the network, meaning there are no requests to Vodafone for the carrier to count. Handily, the telco has also provided a detailed write-up (PDF) of the laws in various countries that limit or prohibit disclosure, though it said it was only focusing on “the most relevant legislative elements” to keep things understandable.

Reports from August 2013, based on Edward Snowden’s leaked NSA and GCHQ information, showed that the British intelligence agency taps directly into undersea fiberoptic cables run by a variety of telcos including Vodafone, which apparently went by the codename “Gerontic.” There is, unsurprisingly, nothing in the company’s report that refers to this arrangement, though Vodafone did include this nugget:

“Vodafone’s networks are designed and configured to ensure that agencies and authorities can only access customer communications within the boundaries of the country in question. They cannot access customer communications on other Vodafone networks in other countries.”

In the U.S., similar reports have been issued in recent months by Verizon(s vz) and AT&T(s t), though neither carrier has anything approaching the breadth of Vodafone’s operating business portfolio. U.S. tech firms like Apple(s aapl) and Google(s goog) are also ramping up their disclosure efforts as they wrestle with the American government over surveillance.