Monday, September 25, 2017

When is mobile data not your own?

Telcos can find out who users talk to, as well as where and when – and right now, in certain situations, a Posts and Telecommunications Department (PTD) request could lead operators to share that information with police.

A woman listens to a phone call yesterday. According to the law, in very specific circumstances the government can listen in as well. Photo: Zarni Phyo / The Myanmar Times

Despite a new telecoms law that empowers the Union government to pursue confidential user information under certain circumstances, a framework around its implementation has yet to be hammered out. Industry players have established stopgap measures that balance consumer rights and compliance.

Section 75 of Myanmar’s 2013 telecoms law says the Union government may direct organisations to help it obtain information or telecommunications damaging to national security and the prevalence of law, so long as doing so does not impact fundamental rights of citizens.

And section 77 says the Ministry of Communications and Information Technology (MCIT) has the right in emergency situations to direct a licensee to intercept or not to operate particular forms of communication, and to obtain necessary information and communications.

At a sustainability briefing last month for Telenor Myanmar, the firm’s CEO Petter Furberg called the telecoms law “balanced” and said his company acknowledged that, around the world, governments have the right to access confidential information to assist in their efforts to prevent and prosecute serious crimes.

While Myanmar’s government claims a similar prerogative over its own telcos, the legal framework is not yet fully in place and questions remain – especially around what body would authorise requests for information.

For example, Mr Furberg said his firm sees the legislation as necessitating a court order for information to be released, but that the law lacks clarity as to which court. Posts and Telecommunications Department director U Than Htun Aung said that by default the competent authority is the Supreme Court – but that a mechanism hasn’t been established.

Ambiguity in the legislation has driven telcos and the government to use interim protocols around requests for information addressing the law’s dual directives of compliance and customer protection.

For now, Telenor – as well as its competitors, Ooredoo and MPT – requires involvement from the PTD to give out information, and has supplemented that with an internal review process.

“As an interim arrangement, we are requesting that the police – to the extent they want access to the historical customer information – are sending a request to the PTD for their consent to release the information and for their consent to release Telenor from our obligations under the law,” Mr Furberg said last month. “At the same time we are requesting the right to, on an individual basis, review all cases before we release this customer information.”

U Than Htun Aung said that information is sought from operators in the event of criminal investigations.

“Today, when this framework is missing, we discuss with operators when the police can prove they are [conducting] criminal investigations – in the case of murder or narcotics,” he said, adding major issues also include terrorist activity like bomb threats and human trafficking.

Myanmar’s telecom companies say they have begun receiving requests from authorities.

Telenor Myanmar has received 15 official requests for information on its customers, and in three cases has provided the police with “historical” data around missing persons and drug investigations, Mr Furberg said at the briefing.

Meanwhile, Ooredoo Myanmar senior manager of community and public relations Ma Thiri Kyar Nyo said just a few requests – two to three – have been made of the telco, and in all cases information has been provided.

“As and when there are [cases of] human trafficking, drugs and homicide, they will come and contact us through the PTD,” she said. The company also has an internal authorisation process.

MPT declined to provide details on how many requests have been made of the telco for information, but said the firm has been sticking to rules laid out by the PTD and the MCIT. “The request has to come to MPT from PTD,” wrote deputy general manager of legal and corporate affairs Daw San San Lwin in an email. “Only with a PTD request will MPT process further. MPT’s managing director and general manager of HR and corporate affairs and legal are the only people who can authorise [the telco] to proceed further with the request.”

Ma Thiri Kyar Nyo said requests have been around caller and receiver location and call records. Telenor has affirmed appeals have been for “historical” information.

“If the police have a number and they want to understand who has this number, that is the subscriber information, that is one thing,” the ministry’s U Than Htun Aung said. “And then sometimes the location of that number, and number three, call records ... who that person is making calls to.”

So far, requests have stuck to communications data – although U Than Htun Aung said the telecoms law, which he describes as broad, covers content as well.

However, he said that only extreme circumstances would lead to authorities requesting this particular information.

“We will be very reluctant to authorise operators to release the content unless it is very serious ... [and] very important to help the criminal investigation,” he said.

Telenor stated in its London sustainability briefing last month that it had the system set up for lawful intercept but that so far it has not been used. Ma Thiri Kyar Nyo confirmed that in extreme cases, such as terror threats or national crises, Ooredoo would cooperate on requests for content.

These interim processes help protect the telcos, as Mr Furberg notes that giving out confidential user information could earn him one year in jail.

“I try to avoid that,” he said drily.

Meanwhile, the Myanmar administration has begun work to forge a framework around external access to customer information, seeking international input in the process. Mr Furberg said the Council of Europe through the EU has begun working with MCIT.

“The assistance appears to be focussed on helping Myanmar understand the Council of Europe’s Budapest Convention on Cybercrime,” said Myanmar Centre for Responsible Business (MCRB) director Vicky Bowman.

The Budapest Convention, also called the Convention on Cybercrime, has informed cybercrime laws in more than 45 states and has been ratified or acceded to in 46.

“We definitely would want to have a [wider] framework on lawful interception,” said MCRB sector-wide impact assessment manager Ma Thi Thi Thein. “We would like to see something that’s wider in terms of policy than just specifically on cybercrime.”

Myanmar’s policy on lawful intercept could come as part of an overarching cybercrime law or as a standalone policy, according to an industry insider.

MPT’s Daw San San Lwin noted the development process on a framework around cyber crime – led by the PTD and supported by the EU – was ongoing and that a Cyber Crime forum and workshop had been held in Nay Pyi Taw in May. Though an industry insider said the administration had previously set July as its target date for a public consultation, Daw San San Lwin said it is early days for the framework and the organisation could not pinpoint when it would come out. An assessment report and suggestions for the framework are due to the MCIT later this month. There has also been discussion of a public consultation process, with the government earlier pledging a public airing.

Ms Bowman said, “The Ministry has a good track record of running online consultations on draft legislation, and it is established practice for both the EU and Council of Europe, consistent with their commitment to democracy and human rights.”

The Department of Home Affairs, which sent representatives to a recent fact-finding mission, was identified as the point ministry to draft legislation on cybercrime in the past, an industry insider said.

“For these new regulatory issues, one thing that’s a little bit concerning is just the low level of visibility I think in the ICT community or in the stakeholder community,” said MCRB information and communication technologies research leader Kamran Emad. “I think CSOs want to participate and want to have a seat at the table, but if they don’t know there’s a table and they’re not invited, that’s tricky.”

The MCRB, Myanmar ICT for Development Organisation (MIDO) and downtown innovation lab Phandeeyar will host a workshop featuring ICT project manager for the Institute for Human Rights and Business (IHRB) Lucy Purdon later this month to educate the public on lawful intercept. Ms Purdon will also address the question “When can the government access my data?” in a talk at the tech hub.

Ms Purdon said that prerequisites for rules that respected human rights in Myanmar included targeted – rather than mass – surveillance, an authorisation process, oversight, transparency and periodic reviews. “It would be great if individuals could be notified [afterward] so that the possibility for them to seek a remedy is open – and also a remedy if people have been under surveillance that they believe to be illegal,” she said.

“It would be a step back if Myanmar took advantage of the developments in telecommunications in Myanmar to implement a repressive surveillance regime similar to before the reforms,” she wrote in an email.

A 2013 report from Human Rights Watch on reforming Myanmar’s telecoms industry said that the country’s previous military government had enacted “draconian measures” such as restricted access to technology, severe punishments for internet expression and even an online blackout in 2007.

“Fear of surveillance, online and offline, has historically been pervasive in Burmese society,” the report said.

The report also said that Myanmar’s 2004 Electronic Transactions Law had previously been wielded as a weapon against journalists and activists. However, U Than Htun Aung from the ministry told The Myanmar Times the legislation would only affect electronic commerce in the future.

Yet memories from a previous era of surveillance still linger.

In Myanmar, where scrutiny under the military government has ended, it remains unclear how adept the government’s surveillance capabilities might be.

“When the internet arrived in Myanmar around 2000, 2001, it seems the Government was very quick to take advantage of surveillance capabilities,” Ms Purdon said.

“[We don’t know] what technology was borrowed or bought and it’s really hard to tell if they still have those capabilities.”