Freedom of expression and surveillance privacy

image description

Ambitions:

  • Enable, respect and support freedom of expression and ­surveillance privacy
  • Telia Company is trusted as an ICT industry leader in ­human rights
2017 progress
  • Eighth Law Enforcement Disclosure Report covering eight countries published
  • Four countries covered with regard to information on local surveillance legislation
  • Information on local legislation on direct access covering all our main markets
  • More than half of closed unconventional requests challenged in some way, often by transparency
  • Contributed to the Industry Dialogue and the Global Network Initiative joining forces in March
2018 goals
  • All major markets covered in law enforcement disclosure reports with regard to number of conventional requests and information on local legislation on direct access
  • Promote freedom of expression and surveillance privacy in all closed unconventional requests, if and to the extent possible
  • Contribute actively to the work of the Global Network Initiative (GNI)
2018 planned activities
  • Continue contributing to shared learning and standardization of reporting within the GNI
  • Improve governance and training to make internal process of assessments and escalations swifter, especially regarding requests and demands for direct access
  • Put freedom of expression and surveillance privacy into a clearer context of our human rights commitments
  • Review and implement recommendations in the area of freedom of expression and surveillance privacy from BSR’s human rights impact assessments

 

Our approach

This focus area is governed by the Group policy – Freedom of expression and surveillance privacy.

The right to customer privacy is widely understood as fundamental for the right to freedom of expression, meaning we have commitments both as to surveillance privacy (when authorities mandate access to user data), and customer privacy (processing customer data for our own needs). Read more about our customer privacy work in “Customer privacy.”

Telecommunications enable access to information and the exchange of ideas in a way that supports openness and transparency. Issues related to freedom of expression and surveillance privacy pose a high risk to users of telecom services globally. We see growing debate, and diverging external pressure, as policy-makers seek additional surveillance measures to fight crime, terrorism, hate speech and more.

We aim to fulfill our responsibility and commitment to respect freedom of expression and surveillance privacy as laid out in the UN Guiding Principles for Business and Human Rights. Our objective is to limit potential harm to individuals by seeking active measures to support the rights of individuals where we believe that these are at risk. Our work is also guided by the Global Network Initiative (GNI) Principles on freedom of expression and surveillance privacy.”

Assessment and escalation

Our group instruction sets out practical steps regarding assessments and escalation that are to be carried out whenever a local company receives a request or demand that may have potentially serious impacts on the freedom of expression and surveillance privacy of individuals (“unconventional request”). Guidance is provided in a form for assessments and escalation, a tool that we have shared publicly and that is included in the GSMA’s Policy Handbook.

Unconventional requests are to be assessed by the local company and escalated within Telia Company for informed decision-making. This includes considerations from outside the often complex and stressed specific local context on if, and if so, how to perform a “point of challenge.” This means adhering to local legislation while at the same time seeking to carry out measures to respect and support the rights of individuals. Most often, what we can do is seek to publicly share as much information as possible about the request. Through legislation and decisions from authorities, states define the scope of surveillance of communications and limitations to the free flow of information, so while the process is intended to identify and mitigate potential violations to individuals’ freedom of expression and surveillance privacy, the actual outcome depends heavily on local laws, as well as the safety and capabilities of local employees.

Work during the year

ID members merged with GNI

The Telecommunications Industry Dialogue (ID), which was launched in 2013, was a group of eight international telecommunication operators and vendors that jointly addressed freedom of expression and surveillance privacy in the telecommunications industry within the context of the UN Guiding Principles on Business and Human Rights. The final annual report of the ID covers its work from January 2016 to March 2017, including stakeholder engagement.

In March, seven of the former ID companies officially transitioned to full membership of the GNI. The multi-stakeholder GNI brings together ICT companies, human rights and press freedom groups, academics, and investors to protect and advance global free expression and privacy in the ICT industry.

The societal value of upholding freedom of expression

To highlight the societal value of upholding freedom of expression and surveillance privacy, we actively contributed to a GNI document available in ten languages. The tool points to the societal value of open networks and free flow of information as arguments against network shutdowns and service restrictions. By pushing back on network shutdowns and blocking of sites, we also seek to reduce societal costs while maintaining our core business.

Law enforcement disclosure reporting

We believe that transparency on surveillance activities contributes to freedom of expression and surveillance privacy being more strongly enforced. This is why we publish law enforcement disclosure reports (LEDR) twice a year.

The most recent report, released alongside this Annual and Sustainability Report, includes statistics covering conventional (“day-to-day”) requests from the police and other authorities in eight countries. The statistics show the number of authority requests based on a court order or other legal demand by the police or another authority. The statistics are subject to limited assurance by Deloitte.

Authority requests1 2017

Country

Lawful 
interception

Historical
data

Subscription
data

Challenged or
rejected requests

Denmark

8,130

2,057

12,225

0

Estonia

4,5962

1,327

386,6063

54,1684

Finland

3,640

2,474

7,436

20

Georgia

Direct access
- no statistics

847

49

30

Lithuania

2,7335

No permission
to publish

No permission
to publish

No permission
to publish

Moldova

Direct access
- no statistics

9,464

5,002

175

Norway

1,569

6,315

9,201

686

Sweden

3,822

3,255

1,521

200

1) As explained below, direct access is not included in the statistics.

2) In Estonia, a direct access system is used. Telia in Estonia has full visibility into the number of requests.

3) Includes all requests for Subscription data. For other countries the corresponding figure covers only requests that are handled by authorized personnel, and automated requests that refer to a criminal case.

4) This figure includes all requests to which we were not able to answer, most often because the requested information was about a customer of another operator.

5) Telia in Lithuania has been granted permission to publish Lithuanian authority statistics for Lawful interception requests. Telia in Lithuania has added a few requests. According to the authority and Telia in Lithuania statistics, there were 2,733 requests during the year.

6) Invalid requests due to administrative form errors.

Telia Company has not been able to establish reporting of statistics on conventional requests in our operations in Azerbaijan, Kazakhstan and Uzbekistan.

 

Several factors make it difficult to compare the statistics between countries. Telia Company has different market shares in different countries, which is probably reflected in the figures. Furthermore, Telia Company does not have knowledge of the authorities’ working methods and priorities in different countries, but the methods are likely to differ. Also, within the group, there are different internal methods of collecting data in different countries causing issues related to completeness and accuracy of reported data. We aim to streamline these working methods and define best practice to further improve data quality. Also note that the figures show the number of requests from authorities, not the number of individuals that have been targeted. Not even we as the operator and provider of the information have this knowledge. Most likely, in the category of lawful interception, the number of requests is larger than the number of individuals that have been targeted.

Pertaining to requests for cell tower dumps (i.e. requests that oblige the local operator to disclose data about the identity, activity and location of any device that connects to targeted cell towers over a set span of time) the number of affected individuals will naturally become larger than the number of requests. Depending on the scope of the request, Telia Company is required to hand out varying amounts of customer data. This depends on the timeframe of the request as well as where the cells within the scope of the request are situated. In urban areas, the amount of disclosed data is naturally higher.

Additionally, the LEDR includes links to national laws that provide governments with direct access to information about our customers and their communication without having to request information from Telia Company. Regarding governments’ direct access, i.e. signals intelligence (intelligence gathering through analysis and processing of communication signals) and real-time access without requests (technical systems for more extensive monitoring of telecommunications), Telia Company has no insight into the extent of such surveillance (when, who and what) and cannot provide any statistics beyond those provided within this report.

Our reporting on country local laws on freedom of expression and surveillance privacy in telecommunications is performed through contributions to the ID/GNI database on country legal frameworks.

Unconventional requests

In addition to reporting statistics on conventional requests, we seek to publish information on unconventional requests or demands from governments (“major events”). During 2017, we closed nearly 30 such unconventional requests or demands from governments across our operations. To ensure consistency, group level experts facilitated local assessments and escalations. Points of challenge, where possible to establish and most often by being transparent, were defined jointly by local and group management.

There are challenges related to transparency on un-conventional requests. Local laws that sometimes lack full clarity determine what can be published. There may be confidentiality provisions and/or constraints based on our duty to protect the safety of our employees. Issues regarding direct access are closely related to national security and are therefore complex and challenging to communicate. Counting the number of unconventional requests is difficult and subjective as they range from a demand to block one or several websites or shutting down a network locally to requests regarding direct access.

We have an exciting couple of years ahead of us, with new technologies like 5G and the internet of things bringing huge opportunities. These tools also bring new risks as ICT technologies grow more pervasive in our everyday lives, and the issue of government surveillance deserves more attention than ever. Together in the GNI, we can push for freedom of expression and privacy on the ground as part of the ongoing transition into the digital age, setting a standard for not just telecommunications and vendor companies, but for the entire ICT sector.

- Industry Dialogue annual report