This was co-written by Bridget Andere, Africa Policy Fellow at Access Now.
In response to mounting pressure from civil society, MTN has published an inaugural transparency report. For the first time in the company’s 25 years, it is publicly outlining how it processes the information of 250 million people in Africa and the Middle East. Although this report is a welcome development, and Access Now encourages MTN to make this a yearly publication, the content leaves us with more questions than answers.
Transparency reporting is one of the strongest ways for companies to disclose threats to their users’ privacy and freedom of expression. Access Now’s Transparency Reporting Index tracks over 70 companies worldwide that have released these reports, with MTN’s marking a milestone as only the second major Africa-based company to release one.
MTN’s initial report details the legal frameworks that govern its interactions with authorities, especially those that affect its customers’ freedoms of expression, data privacy, and information security. Covering the period 1 January 2019 to 31 December 2019, MTN provides a country-by-country breakdown of external information requests from both governmental and non-governmental entities. The report is commendable for listing specific legal frameworks and authorities that have the power to make requests for each country, a practice which other companies should follow. Yet the company misses the mark in many other areas, and Access Now recommends the following improvements to ensure MTN’s reporting truly achieve its purpose:
Provide specific information regarding internet shutdowns and other suspension or blocking of services
Governments in almost half of the countries where MTN operates have shut down the internet, blocked social media, filtered or censored apps and websites, or disrupted some service at least once in the past three years. Given the prevalence of these practices in MTN’s market, MTN should be transparent about shutdown orders it receives and make this information easily accessible. MTN’s report aggregates data requests regarding SIM cards, service restriction orders, internet shutdowns, and more. Transparency requires accessibility, and reporting these different incidents as just one number provides only limited insight into practices that affect millions of individuals. In future reports, MTN should disaggregate this data and separate internet shutdown requests from other requests that affect service.
For example, most countries in which MTN operates — such as Nigeria — have introduced mandatory SIM card and ID registrations, and in some contexts, unregistered SIM cards have been de-registered in mass. Around the world, mandatory SIM card registrations continue to deny many people who cannot produce a valid ID access to communication platforms. MTN could advance transparency around this issue by reporting on SIM cards as a separate issue from internet shutdowns.
Clarify and rectify the legal frameworks that govern lawful interception
MTN’s report provides information about the countries, jurisdictions, and legal frameworks concerning “digital human rights” within which it operates. Presumably, MTN uses the legal frameworks it references to evaluate the validity of government requests and the authority of agencies or individuals making such requests, and to determine whether requests should be granted.
We are alarmed to see in MTN’s report profound misrepresentations of the legal landscape in the countries in which it operates — including both omission of key laws applicable to processing of government requests and inclusion of draft bills and proposals that have not yet been adopted as law. Although we list examples from Nigeria, Ghana, Rwanda, and Uganda, this issue also appears to be prevalent in other markets.
For Nigeria, MTN identifies three separate bills to guide processing of interception requests that have not yet been adopted into law. The Data Protection Bill 2019, the Digital Rights and Freedoms Bill 2019, and the Protection from Internet Falsehood and Manipulations Bill 2019 are all still pending legislation — not binding on MTN or any other entity, and not providing authority to the Nigerian government to make interception requests. If MTN indeed consulted these texts instead of existing laws while processing the more than 4,500 requests it received from the government of Nigeria, it has failed to protect millions of Nigerians’ human rights.
For a guiding framework in Ghana, MTN references Article 20(1) of the country’s constitution — an article on property rights with no clear connection to telecommunications or data requests from the government. The report also points to a so-called “Law for Intervention of Communication of 2010” as governing legal interception requests in Ghana, but there is no public record that any such law actually exists. Other legal frameworks that govern lawful interception in Ghana, such as the Anti-Terrorism Act of 2008, and others that deal with disclosure of communication data or network shutdowns and services, like the Electronic Communications Act 2008, are missing from the report.
Similarly, MTN mentions the Draft Regulation Governing the Use of Personal Data in Rwanda, which is not yet law and is currently under consideration and consultation, as well as Uganda’s National Payment Bill which was enacted in 2020 and could not have bound MTN for its reporting in 2019.
These widespread deficiencies in MTN’s documentation of the laws governing the processing of interception requests raise serious red flags regarding the company’s evaluation of such requests. Correction of this analysis, as well as clarification about MTN’s processes for evaluating the legality of government requests, will be essential next steps.
Clarify which authorities have the mandate to request data or information from MTN
Authorities that request user information from MTN must have the mandate and power to do so. However, it seems that in some countries MTN is extending that authority beyond what is sanctioned by law. For instance, MTN lists all statutory bodies in Ghana as having powers to make various requests. While some statutory bodies might have a mandate to request information from MTN, others do not. In Eswatini, MTN lists both the police and the Anti-Corruption Commission, but fails to include the courts.
What’s missing?
In future iterations, MTN should expand its reporting to disclose critical information regarding data retention requests, communication data, metadata and information around the installation of interception technology, and steps MTN takes to push back against improper requests, including detailed information regarding how it handles internet shutdown orders. Furthermore, information about IP and website blocking, social media blocking, and around requests to take control of MTN networks and their legality are essential to truly make this report transparent and reflective of the reality on the ground.
Although MTN has a lot more work to do, this first transparency report is a step in the right direction. Access Now calls on all other telecommunications companies in the region to follow suit, and lift the curtain on an opaque industry that holds the rights of millions in their hands.