Vodafone reveals existence of secret wires that allow state surveillance
Juliette Garside, The Guardian
Thursday 5 June 2014
The company said wires had been connected directly to its network and those of other telecoms groups, allowing agencies to listen to or record live conversations and, in certain cases, track the whereabouts of a customer. Privacy campaigners said the revelations were a “nightmare scenario” that confirmed their worst fears on the extent of snooping.
Direct-access systems do not require warrants, and companies have no information about the identity or the number of customers targeted. Mass surveillance can happen on any telecoms network without agencies having to justify their intrusion to the companies involved.
Industry sources say that in some cases, the direct-access wire, or pipe, is essentially equipment in a locked room in a network’s central data centre or in one of its local exchanges or “switches”.
Vodafone is calling for all direct-access pipes to be disconnected, and for the laws that make them legal to be amended. It says governments should “discourage agencies and authorities from seeking direct access to an operator’s communications infrastructure without a lawful mandate”.
All states should publish annual data on the number of warrants issued, the company argues. There are two types – those for the content of calls and messages, and those for the metadata, which can cover the location of a target’s device, the times and dates of communications, and the people with whom they communicated.
For brevity, the Guardian has also used the term metadata to cover warrants for customer information such as name and address. The information published in our table covers 2013 or the most recent year available. A single warrant can target hundreds of individuals and devices, and several warrants can target just one individual. Governments count warrants in different ways and New Zealand, for example, excludes those concerning national security. While software companies like Apple and Microsoft have jumped to publish the number of warrants they receive since the activities of America’s NSA and Britain’s GCHQ came to light, telecoms companies, which need government licences to operate, have been slower to respond.
Vodafone Reveals Government Agencies Have Direct Access To Its Network Around The World, No Warrants Required
by Glyn Moody, TechDirt
Fri, Jun 6th 2014
The Guardian story has lots of new information, and is well-worth reading. It includes a table that shows the number of warrants issued last year for legal interception of content, on a country-by-country basis. There are some surprises here — for example, the fact that the Australian government issued 685,757 warrants for metadata, which is even more than the UK’s 514,608 warrants, despite the fact that Australia has well under half the population of the UK. There are other fascinating details in the Vodafone Law Enforcement Disclosure Report itself. For example, it contains this explanation about what exactly a warrant might encompass these days:
Each warrant can target any number of different subscribers. It can also target any number of different communications services used by each of those subscribers and — in a modern and complex all-IP environment — it can also target multiple devices used by each subscriber to access each communications service. Additionally, the same individual can be covered by multiple warrants: for example, more than one agency or authority may be investigating a particular individual. Furthermore, the legal framework in some countries requires agencies and authorities to obtain a new warrant for each target service or device, even if those services or devices are all used by the same individual of interest. Note that in the majority of countries, warrants have a time-limited lifespan beyond which they must either be renewed or allowed to lapse.
As people’s digital lives grow more complex and the number of communications devices and services used at home and work on a daily basis continues to increase, the ratio of target devices and services accessed to warrants issued will continue to increase. To illustrate this with a hypothetical example:
a single warrant targets 5 individuals;
each individual subscribes to an average of eight different communications services provided by up to eight different companies: a landline phone line, a mobile phone, two email accounts, two social networking accounts and two “cloud”; storage accounts; and
each individual owns, on average, two communications devices fitted with a SIM card (a smartphone and a tablet) in addition to a landline phone and a laptop.
In the hypothetical example above, that one warrant could therefore be recorded as more than 100 separate instances of agency and authority access to individual services on individual devices used by individual subscribers.
That means that the number of warrants listed in the Vodafone report, and collected in the Guardian table mentioned above, is likely to be a significant underestimate of the total number of acts of surveillance being conducted.
Direct access, as revealed by Vodafone, not only allows governments real-time access to enormous quantities of private communications data, but does so in a way that hides the fact that the interception is taking place at all, even to the companies involved. As Vodafone notes, introducing the requirement for a warrant for all such interception would make it much easier for companies to resist, alert the public to the sheer scale of the surveillance being carried upon them, and probably act as a natural brake on governments. Direct access to the network represents a huge exacerbation of the dangers of government surveillance: it is simply too easy to “collect it all.” Vodafone’s disclosure report is an important step towards changing that; the “other telecoms groups” mentioned above should now follow suit by issuing their own.
In The Guardian piece referenced above there’s also this information-
In Albania, Egypt, Hungary, India, Malta, Qatar, Romania, South Africa and Turkey, it is unlawful to disclose any information related to wiretapping or interception of the content of phone calls and messages including whether such capabilities exist.
Which I think serves as an introduction to this from Marcy Wheeler-
Those Cable Landings Chelsea Manning Didn’t Leak
Published June 4, 2014
While the BT/Vodaphone details are worth clicking through to read, I’m particularly interested in the focus on the base in Oman. (See an interactive map of the cable landings here.)
The Brits would have you believe – and I have no reason to doubt them – that this cable landing in Oman is one of the key points in their surveillance infrastructure.
I raise this because of a cable listing the globe’s critical infrastructure – and fearmongering surrounding it – that Chelsea Manning leaked to Wikileaks. As I noted at the time, while the cable lists a slew of cable landings as critical infrastructure sites – including the Hibernia Atlantic undersea cable landing in Dublin, which gets mentioned in the Register story – it does not list a single cable landing site in the Middle East.
Note, Bahamas’ telecom, which recent reporting has also noted is critical to NSA’s spying, also gets no mention.
That’s not surprising in the least. The cable (and the list) is classified Secret. NSA and GCHQ’s prime collection points are (as the Register notes) classified several levels above Top Secret.
And while the list provided some indication of what sites were significant by their absence, it’s likely that the sites that were listed were the relatively unimportant sites.
At trial, Manning’s lawyers repeatedly point out that she had chosen not to leak stuff from JWICS, which would be classified at a higher level. The stuff she leaked, which she got on SIPRNET, was by definition less sensitive stuff.
I don’t mean to suggest this reflects on the relative value of what either Edward Snowden or Chelsea Manning leaked. I think it is a good indication, though, of how unfounded a lot of the fear mongering surrounding this particular leaked cable was.