This post is co-authored by Peter Micek and Alyse Rankin, with contributions from Javier Pallero.
Six years in, transparency reporting has grown up, and it’s about to get schooled. About half of the world’s largest telecoms companies now report on government requests that impact our privacy and free expression, and the practice is steadily growing. Civil society and academia, meanwhile, are developing better ways to make the reports useful for understanding and responding to attacks on our fundamental rights. Let’s take a walk across the playground to see what’s new — including the first-ever report by Telefonica, the second report from AT&T, and a new transparency reporting toolkit.
Telefonica comes around
Telefonica, one of the world’s largest telcos, has released a transparency report that reveals for the first time details about requests from law enforcement authorities to hand over stored and real-time user data, to block or filter internet content, and to shut down network services.
The report is a positive move forward for Telefonica and a good foundation to build upon for future reports. The company has surpassed our expectations, boldly revealing country-by-country data in Latin America — the first time a telecom has done so. We ask Telefonica to continue to issue regular transparency reports, and we call on other telcos in the region, including América Movil, to follow its lead. Below are some insights from the Telefonica data and suggestions for improving future reporting.
What we’ve learned from Telefonica, and the questions its report raises
The report covers 17 countries — everywhere Telefonica has customers except the People’s Republic of China, where it has an investment agreement with Unicom. (It is not clear whether Telefonica collects or shares user data with authorities in China.) The report’s statistics cover the years 2013 through 2015.
Telefonica reveals that government requests for what’s called “historical user data” have increased significantly. The company defines historical user data as “the name and address of the registered user (subscriber information); the data to identify the source and destination of a specific communication (e.g. telephone numbers, internet service user names, etc.); the date, time and duration of the communication; the type of communication; the identity of the communication equipment (including IMSI or IMEI); the location of the user or device.”
Put in plain English, these are requests that would enable a government to get details such as your subscriber name and address; how you’re communicating (including the devices, services, and equipment you’re using); whom you’re calling or connecting with for a specific communication; what time you communicated and for how long; and where you/your device is located.
In 2015, these requests increased from the year before in Germany (172,033 requests), Brazil (1,291,629 requests), Costa Rica (14,208), and Venezuela (32,646). The total number may be even higher in Brazil for 2015 since Telefonica’s figure does not include requests made to GVT, a company Telefonica Brazil purchased that year. We also note that in Venezuela, legally mandated communication interceptions — or real-time wiretaps — doubled compared to 2014, to a total of 339,646 orders.
The report covers the United Kingdom as well, but it doesn’t include statistics on disclosure of historical and real-time user data. There are some legal restrictions on disclosure in the U.K., but we believe Telefonica could potentially share more data on government requests there, and we hope it will in future reports.
The report provides similarly limited information on Colombia, only covering the interception of fixed lines. Local competent authorities have the ability to directly intervene with mobile communications, without specific notice to companies. This leaves everyone depending on the goodwill of local law enforcement to reveal the extent of their interference with private communications. We — and some of the world’s largest telcos — oppose any mechanism or law that gives authorities this kind of direct access to mass communications networks or data.
Also notable is the increase in Venezuela of government orders to restrict content — blocking or filtering. These orders almost tripled in 2015 from the year before, to 960, a worrisome trend that we will watch closely.
Overall, Telefonica’s country-by-country breakdown is useful for understanding how governments respect and protect the rights to privacy and free expression, and it deepens our understanding of law enforcement access to user data in Latin America. Before the Telefonica report, Millicom had published aggregate regional — but not country level — data on requests for interception, metadata, mobile financial services data, and “major events” like shutdown and blocking requests (see page 14 here). Millicom revealed that there were eight shutdown requests across its markets in Africa and Latin America in 2015. This is a very important indicator for understanding what’s going in these regions with respect to free expression, and we unfortunately anticipate seeing more shutdown requests reflected in this year’s report, which we expect to see in April.
What happens from here: Telefonica policies
A look at Telefonica’s policies reveals more about how it’s handling government requests, and ways to take action regarding the information it has revealed. Government requests for user data are handled in accordance with Telefonica’s Privacy Policy. The policy shows that Telefonica has a “Privacy Officer in each country for the local implementation of the Privacy Policy.” However, the company doesn’t provide contact information for these privacy officers, so it’s not clear how users or civil society can contact them to ask questions or make complaints.
Telefonica’s “Global procedure for requirements from competent authorities” is a policy to guide the company’s national-level subsidiaries on how to process government requests that impact users’ privacy and free expression rights. The report states that Telefonica’s procedure for responding to requests from competent authorities “guarantees…the protection of the rights of the affected parties,” and that it is based on the guiding principles of confidentiality, completeness, rationale, diligent response, and security. However, Telefonica doesn’t make the policy itself publicly available, so we can’t determine whether it complies with human rights frameworks or guides such as the International Principles on the Application of Human Rights to Communications Surveillance, the Telecommunications Industry Dialogue Guiding Principles on Freedom of Expression and Privacy (IDGPs), the Ranking Digital Rights Corporate Accountability Index, or the Access Now Telco Action Plan.
Telefonica also states that during 2013-2015, it did not receive any requests from law enforcement authorities that the company deems to be politically motivated, legally unfounded, or aimed at limiting freedom of expression. However, since Telefonica has not publicly disclosed its policy for processing government requests, we don’t know how Telefonica makes this determination. We call on Telefonica to disclose how it assesses and reviews government requests, and the number of requests that it challenges or rejects. This would assure its customers that Telefonica has adequate procedures in place for protecting their privacy and free expression.
AT&T’s second transparency report: What’s up with Hemisphere?
Also new in the world of transparency reports is AT&T’s second report on the implementation of the IDGPs. We commend AT&T for issuing the report, which provides links to AT&T’s publicly available Privacy Policy, Human Rights Policy, Principles of Conduct for Suppliers and Code of Business Conduct. AT&T also provides an email address where customers can submit questions or complaints regarding AT&T privacy matters.
According to the company, all government requests for user data or the blocking or restriction of AT&T services are reviewed for compliance with applicable legal requirements, and, where appropriate, AT&T objects to requests or seeks to have them clarified or modified.
However, we note that AT&T goes beyond legal requirements in handing over user data, by proactively retaining and marketing user data to local and federal law enforcement through its Hemisphere program, which our community has spoken out about, and shareholders raise as a problem. Through Principle 8 of the IDGPs, AT&T commits to “Report externally on an annual basis, and whenever circumstances make it relevant, on their progress in implementing the principles, and on major events occurring in this regard.” We consider the revelations regarding Hemisphere to be just such a “major event,” and we join shareholders in asking for more transparency regarding this program and consideration with respect to how it advances the human rights of AT&T customers.
Lastly, we call on AT&T to respond to our previous requests. We analyzed AT&T’s January 2016 transparency report here, and called on the company to provide details about its compliance with the Mexican government’s requests for user data, and to explain whether and how it processes Mexican requests differently than it does U.S. law enforcement demands. We’re pleased to see AT&T include statistical compliance with requests from both U.S. and Mexican law enforcement demands, and we also welcome AT&T’s plan to conduct a comprehensive human rights impact assessment of its Mexican operations. But we reiterate our call for AT&T to explain its procedure for processing Mexican government requests for user data.
Transparency Reporting Toolkit: Reporting Guide & Template
Civil society has also been active in figuring out how to “do” transparency right. The Berkman Klein Center for Internet & Society at Harvard University in collaboration with the Open Technology Institute have recently published the Transparency Reporting Toolkit: Reporting Guide & Template. This guide offers a practical standard for companies reporting on U.S. government requests for personal data, and contains best practices as well as tools to make transparency reports more consistent and comprehensible. The guide provides guidance on the types of legal process requests to include in a transparency report; how the requests should be counted and recorded; how to record compliance with requests; and how to describe company procedures and policies for processing government requests.
In short, it’s a crucial bid and plan for consistency in transparency reports, which more than 60 companies now issue worldwide. According to the authors, “If there is one practice, however, that we strongly urge every company to adopt, it is this: no matter what you do, be clear about what you are reporting on. More than anything else, the current generation of transparency reports suffer from a lack of clarity about how they are arriving at the numbers they are reporting.” We second this call. It’s another reason we support projects like Ranking Digital Rights, which has standards for privacy and free expression commitments and disclosures to promote best practices in the field, worldwide.
The Berkman Klein/OTI toolkit is limited to reporting of U.S. government requests for user data, so it does not address requests that impact content, such as orders to shut down networks and block or filter applications, services, and protocols. It’s just as important that companies report on restrictions of content as it is to report on interferences with privacy. However, as a start, we recommend that any company that is subject to U.S. jurisdiction comb through this new guidance to ensure that their transparency reports meet its rights-respecting standard for disclosures that impact user privacy.
We’re pleased to see the progress companies are making on transparency, and we look forward to seeing even more engagement with civil society to improve processes and procedures to respect human rights.