Vodafone Concerns Over Surveillance in USA

Vodafone’s privacy boss has taken the unusual step of garnering public support – via mainstream news media – as part of his company’s strategy to protect customers from surveillance. Stephen Deadman is Vodafone’s Group Privacy Officer, with responsibility across the 25 countries where Vodafone operates. Last week, he gave an interview to Britain’s Channel 4 News. He emphatically stated that Vodafone will ‘challenge’ the UK’s government, and other governments, about the legality of spying activity like the NSA’s DISHFIRE program. His motivation was obvious; government snooping is bad for Vodafone’s business. Here is the video of that interview, so you can judge for yourself:

talkRA has argued that wholesale gathering of data about private communications causes commercial harm. People communicate in the belief that their actions are not being scrutinized by unknown third parties. If that trust is lost, then they will find other ways to communicate with each other. The importance of trust is clearly at the forefront of Deadman’s mind, and this is consistent with how he has approached his job in the past. The following was written by Deadman and his Vodafone colleague Amanda Chandler, for a book on privacy impact assessments:

Trust – For a communications company, user trust is an essential ingredient for providing a trusted network and environment for customers and users as they spend more of their lives connected to Vodafone’s networks, platforms and services. Respect for privacy is an essential element in building trust.

In that piece, Deadman and Chandler go on to describe the relevant governance and accountability for implementing Vodafone’s privacy policy, how they embed privacy management within business practices, how their risk-based approach draws on lessons learned from Business Continuity Management, and the use of privacy impact assessments to identify, communicate and prioritize risks and the responses to them. I recommend it as a good read for anyone interested in how telcos should integrate privacy with the management of information risks – and I believe anyone trusted to work with large volumes of customer data should be taking an appropriate interest in safeguarding privacy. However, I draw three further lessons from this paper, and from Deadman’s appearance on news media:

  1. Some risks are driven by factors outside of the company, and are not completely within the company’s control. In such cases, the risk manager still has to come up with a response, even if it means challenging government or going public to assure customers that their service provider is on their side.
  2. Problems like this do not go away by ignoring them. There will be many telcos who note ‘privacy’ in a token list of risks, then address it in a similarly token fashion, by taking inward-looking steps like training the company’s junior staff or issuing a policy that nobody reads. When government action undermines customer privacy, the company will not prosper by ignoring valid customer concerns.
  3. There are important people in this world who need to be appeased. Some of them are in government. But the most important people to a business are its customers. Without them, there is no business. So the business must prioritize their needs above all others.

It is a relief to see that some telcos have the backbone to stand up for their customers. After all, this is a situation where the interests of telcos and customers are the same, and where customers will reward telcos that are on their side, and punish the telcos that side against them. However, the telecoms sector is inherently subject to a lot of government interference and regulation, so it might be tempting for telcos to bend to the will of government. In the end, all businesses will abide by the law in their country. However, Vodafone’s action shows how telcos can address customer concerns when they fear the law is being used against the interests of their customers. It also demonstrates how the rule of law is strengthened by public engagement rather than quiet backroom chats between big government and big business – which may only encourage extra-legal activity.

When the rule of law is given healthy respect, even governments are bound by it. And governments can break the law too, as is part of the argument about the NSA’s spying program. President Barack Obama gave a speech about curtailing spying that employed soaring oratory, taking listeners on a vivid journey from the American Revolution, via the Nixon scandals and the Cold War, to the 9/11 terrorist attack and the future of technology. However, on matters of real substance, he said bugger all. So it is apparent that the USA will continue to spy on all non-Americans, save for a few allied national leaders of the highest rank, like Angela Merkel. This will cause problems for global telecoms businesses like Vodafone. And when it comes to protecting the rights of American citizens, the limit of US law will be tested in the courts, with Senator Rand Paul leading that charge. This is how Paul summed up his argument that the current spying program is against the US constitution:

He mentioned Paul Revere, but Paul Revere was warning us of the British coming. He wasn’t warning us the Americans are coming. The thing is, the lesson from the American Revolution that the President I think misunderstands is that we were upset about British soldiers writing their own general warrants — like national security letters — that allowed them to go into the colonials’ house and look at their papers. We didn’t like that so we wrote the Fourth Amendment to say the warrants have to be individualized… we didn’t want a dragnet.

It is atypical for opinions about business practices in the telecoms sector to be discussed alongside politics, like I have. However, I feel this is justified because this topic is political. In that respect, I believe most of the trade press is letting us down. We do not just work for telcos, we are also customers of telecom services. We are people, and privacy matters to people. This subject may be uncomfortable for some working in the sector. They might prefer to treat all business as apolitical. But this risk, like all risks, will not go away just because we ignore it. And the political dimension of this public debate is ramping up, not declining, despite the minor tweaks that Obama announced to US spying programs. In fact, Obama pointed the finger at our sector during his speech, by saying the following:

…the challenges to our privacy do not come from government alone. Corporations, of all shapes and sizes, track what you buy, store and analyze our data, and use it for commercial purposes. That’s how those targeted ads pop up on your computer and your smartphone periodically.

Other politicians, across the world, are also talking about the hurt done to business as a consequence of spying. David Davis is a senior British politician, and a former front-runner for the leadership of his party. Davis argued in last week’s Times that state snooping could prompt an exodus of technology companies from the UK; you can read his op-ed here. Nick Pickles, head of the UK’s Big Brother Watch campaign organization, also wrote that US government spying will hurt UK business; see here. The reasons for telcos to participate in this public debate was underlined when Pickles cited Vodafone’s example. And Pickles called for more telcos to transparently report on how much customer data they hand to government. When the use of telco data is being discussed publicly like this, telcos cannot afford to play deaf.

Technologists are not immune from the topics that occupy the minds of lawyers and politicians. They are also interested in them, as human beings. They handle the data that lies at the heart of this debate. And recent events have ably demonstrated how technological back doors can be implemented to achieve results that lawyers and politicians may be ignorant of. Everyone working with data in telcos has a stake in this debate. We need to find our voice. One way or another, we are going to be listened to. For our own interests, and for our customers’ interests, we need to speak clearly, so everyone can hear us.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.