Swedish-Finnish telco TeliaSonera issued its first transparency report on Friday, Aug. 22. The company disclosed surveillance requests from its two home jurisdictions, along with promises of more comprehensive reports to be released every six months.
This report marks an overdue, though welcome, step toward consistent disclosures of major risks to TeliaSonera users. Statistics in this report only cover surveillance requests in Sweden and Finland, though the company will expand reporting to 5 more countries — Denmark, Estonia, Nepal, Norway and Spain — in its January 2015 report.
The former state-owned telco also operates in emerging markets in Eurasia, including Uzbekistan, and Azerbaijan, and has minority ownership of Turkcell in Turkey, and Megafon in Russia. These governments routinely violate human rights using direct and indirect access to telecom networks, and any companies operating there must clearly state their human rights principles and disclose steps and obstacles to implementing them, including through transparency reporting. As one example, see the statement by on privacy and free expression by TeliaSonera’s CEO here, along with their recent sustainability report.
Transparency reporting on surveillance requests
Reporting of third-party requests impacting user data and connectivity is fast becoming a basic requirement of conducting business around the world. Since January 2014, transparency reports from Australia’s Telstra, Vodafone, Deutsche Telekom, along with CREDO Mobile, AT&T and Verizon in the U.S., have revealed how telco data fuels government surveillance. While many non-U.S. firms are only releasing data in their annual reports, TeliaSonera has adopted the standard twice-yearly reporting calendar, which is necessary to track this fast-moving space.
TeliaSonera reports getting 4,091 requests last year in Finland for “historical data,” a category including location data and cell phone tower dumps, which show all users whose phones pinged a certain tower over a certain period of time — an enormous amount of info that reveals the location thousands of users not related to the subscriber under investigation. Less than half that number of requests, or 1,996, came from Sweden in 2013. Given that TeliaSonera has greater market share in Sweden, which has a larger population than Finland, you’d expect the company to receive more requests from Sweden. The opposite is true, however. Finland also issues roughly one-and-a-half to two times more real-time surveillance and wiretap requests than Sweden to TeliaSonera, suggesting that Finland’s intelligence and security forces are more willing and able to access — or perhaps dependent on — user data than Sweden’s government.
Freedom of expression and remedy
TeliaSonera takes an innovative step to show the risks to freedom of expression as well privacy, by categorizing government requests and demands for network shutdowns, blocking of services (like SMS) and content (like Facebook), and other disruptions as “major events.” From January to June 2014, TeliaSonera “logged some ten major requests or demands from governments across our operations that have a potentially serious impacts on freedom of expression in telecommunications.”
Unfortunately, while the company gives the context of its response to the requests, it offers very little information about the disruptions themselves (though some events are mentioned directly on their website. TeliaSonera says governments often prohibit disclosure of this type of information, so TeliaSonera will release “aggregated information” on major events with its upcoming January and July transparency reports.
Access encourages more quantitative reporting by companies on their free expression impacts. We suggest telcos disclose several indicators:
- Government requests for disruptions, broken down by type, and by the country and agency requesting it;
- Whether the company complied;
- Duration of service outages;
- Number of subscribers affected;
- Reasons given for the government’s initial request, and for the lifting of the suspension; and
- The substance of user complaints related to the disruptions.
Additionally, companies should disclose any commercial deals that result in the promotion or degradation of certain applications and services. As noted in Access’ Telco Remedy Plan, preserving and disclosing evidence of government-ordered disruptions is an important step toward providing affected users with access to remedy and redress.
Over the past two years, TeliaSonera has had a high-profile struggle over corruption and its intimate involvement in the human rights abuses of state security forces in several countries. Access weighed in when TeliaSonera’s CEO stepped down in early 2013 over due diligence failures, we called for transparency reporting more than a year ago, and we even hosted a session on surveillance disclosures at RightsCon, where TeliaSonera participated.
While this is a welcome step forward, more granularity will be needed about “major events” impacting free expression, in line with the above indicators. At minimum TeliaSonera should break down the disruptions by type of blocking. The company also must proceed as quickly as possible to report surveillance requests from all countries in which it operates. If any governments bar reporting, the telco should follow Vodafone’s lead by naming any laws or other obstacles to disclosure, as well as its plan to work with all stakeholders — including Access — to tear down those barriers. In addition, publishing rates of data retention will help inform users about laws and practices affecting their privacy across different countries.
This report marks the first step toward consistent disclosures of the facts that users need to gauge their security and privacy on TeliaSonera networks.
Updates: This post has been updated to reflect that TeliaSonera does not operate in Turkey and Russia, but has minority ownership in telcos there; to link to the CEO’s statement on human rights; and to note the company’s sustainability report and its comments on major events affecting freedom of expression.