Three European telecommunications companies are handing over private customer communications “like a cash machine” according to a report on Friday by The Guardian. EE, Vodafone and Three have automated systems to process requests made by law enforcement personnel. O2 still requires staff to review all requests from police.
“If companies are providing communications data to law enforcement on automatic pilot, it’s as good as giving police direct access [to individual phone bills],” said Eric King, deputy director of Privacy International, a transparency watchdog to the Guardian.
Earlier this year in April, the European Court of Justice struck down the Data Retention Directive which was a law requiring telecoms to keep metadata for two years. The UK quickly followed with emergency data retention laws that went into effect in July in the UK. In August both Australia and Mexico joined the UK in requiring telcos to retain customer metadata.
Privacy is a hot topic in the EU as of late. In April, the European Court of Justice also ruled that citizens have the right to request inaccurate or outdated information be removed from search engines in the well known right to be forgotten case.
With the EU exploring data retention and privacy laws in the wake of these recent court decisions it will be interesting to see what effect new policies have on service providers of all types. A recent interview with industry analyst Rory Duncan identified legislation as key to the future of cloud, hosting and internet providers.
By UK law telcos must store a year of call data records. Law enforcement agencies can access these records without a warrant under the new Regulation of Investigatory Powers Act 2014 (RIPA, originally enacted in 2000). This same act was recently used to identify journalist sources. In 2013, over half a million requests were made by law enforcement agencies under this law.
According to the Guardian investigation, “Documents from software providers and conversations with mobile companies staff reveal how automatic this system has become, with the ‘vast majority’ of records demanded by police delivered through automated systems, without the involvement of any phone company staff.”
Spokespeople from all three telcos confirmed that most RIPA requests were handled by an automated system. “The overwhelming majority of the Ripa notices we receive are processed automatically in accordance with the strict framework set out by Ripa and underpinned by the code of practice,” a spokesperson for Vodafone told The Guardian. “Even with a manual process, we cannot look behind the demand to determine whether it is properly authorised.”