Issue link: https://maltatoday.uberflip.com/i/326223
maltatoday, SUNDAY, 8 JUNE 2014 11 MATTHEW VELLA VODAFONE'S difficult balancing act on Friday, in which it published an extensive, 40,000-word report on government monitoring, has revealed the extent to which private telephone and internet transfers of data can be accessed by national security agencies and police forces. Vodafone, the world's second largest carrier, said that government agen- cies were using secret wires to tap its network in many of the 29 countries where it offers wireless service. According to the telephone pro- vider, government agencies are using direct wires to record conversations taking place over the carrier's pipeline, in many cases without asking for a court order. In 2013, there were 3,773 warrants filed by Maltese government agen- cies for metadata – information that includes clients' names, addressed, device locations and times of calls and messages. The Maltese government has claimed that "in the absolute majority of the cases", the requests were made by the Police for criminal investiga- tions and missing persons' reports. But while the home affairs minis- try said that very few of the requests were interceptions or information re- quested by the Security Services, the Vodafone report also reinforces the absence of proper judicial oversight on the Maltese Security Services: the MSS can access all the metadata it requires and intercept electronic communica- tion with warrants issued by the home affairs minister himself, or even by permanent secretary or the Cabinet secretary. Vodafone Malta said the demands related to crimes such as theft of phones which mostly anonymous calls, homicides and other criminal investigations. In the large majority of cases demands received by law en- forcement agencies are in response to reports initiated by the public, Voda- fone Malta said. But the company said that legal in- terception, which is not done by Vo- dafone or by any operator, is not fac- tored in the aggregate figure of 3,773, because this only reflects the total amount of requests Vodafone had re- ceived from law enforcement agencies throughout the past year. Vodafone, GO plc and Melita and other internet providers had to fi- nance a €2.5 million legal interception system that gives the Malta Security Service access to any metadata it re- quires, on a simple warrant issued by the government minister responsible – and not by a court judge. But in March 2012, the three com- panies told the MCA they would not contribute any longer to the financing of the legal interception. The Maltese government intervened to finance the system itself. Politically, opposition parties joined in an overall criticism of the unfet- tered access that Maltese law enforce- ment agencies enjoy for the intercep- tion of data. Nationalist MP Kristy Debono said that by the simple "flick of a switch" the Maltese authorities enjoy access to the citizens' calls and texts without requiring a warrant. Debono argued that Malta's rate of phone tapping was 37% more than the UK: "This casts serious doubts on Malta's phone tap- ping trend." Green party Alternattiva Demokra- tika's spokesperson for digital soci- ety Henrik Piski said governments had once again breached the right for privacy. "The right of privacy is a fundamental right which cannot be breached," he said. AD chairman Ar- nold Cassola said that while the state was justified in guaranteeing the se- curity of its people, orders for "such eavesdropping" should not be author- ised by the minister. Who can access your internet and telephone data? Security Service Act The Security Service of Malta can obtain authorization for interception or interference with communications by means of a warrant issued by the minister responsible for the Security Service. The Security Service is tasked with the protection of national security, in particular, against threats from organ- ised crime, espionage, terrorism and sabotage, and activities of agents of foreign powers. "Interception" requires a warrant that allows the MSS to disrupt, seize, eavesdrop and listen in to communi- cations. Following a request made by the Se- curity Service, the minister may issue a warrant authorising the taking of such action, or in an urgent case where the minister has expressly authorised its issue and a statement of that fact has been endorsed by a Permanent Secre- tary or the Cabinet Secretary. Ministers' warrants are generally valid for six months and can be ex- tended. Electronic Communications rules All undertakings like Vodafone and GO plc, and other electronic commu- nication firms are obliged to comply with requirements to allow legal inter- ception and data retention. Telecommunication companies are required to assist law enforcement agencies, most notably the Security Service, in implementing the intercep- tion capabilities on their networks. While the Malta Communications Authority, as the regulator, defines the technical and operational require- ments to enable legal interception of all electronic communications, the companies have to finance the provi- sion of the legal interception technol- ogy. Although no direct legal provision exists relating to the obligation of au- thorised undertakings to implement interception capabilities on their net- works, companies have a legal obliga- tion to fund the infrastructure used for interception. Processing of personal data Disclosure of metadata is governed by the Processing of Personal Data (Electronic Communications Sector) regulations. Disclosure of metadata – the infor- mation that identifies users of elec- tronic communications such as email, internet, SMS, and telephonic com- munication – has to be made available in an intelligible form to the police or the Security Service. This includes: data necessary to trace and identify the source of a communi- cation, such as the calling telephone number; the name and address of the subscriber or registered user; and the user IDs, names and addresses of an Internet Protocol address. Other information that has to be provided are telephone numbers di- alled, call transfers, telephone sub- scribers' names, recipients of internet telephone calls, the date and time of the start and end of telephone and in- ternet communications, the date and time of the log-in and log-off of the In- ternet access service, IP addresses, and what equipment was used to make any electronic communication. Other crucial information police and the MSS have access to is the data necessary to identify the location of mobile communication equipment, which includes the cell ID at the start of the communication, and the data identifying the geographic location of cells – such as mobile phones – for the time during which data is retained. In this case, the information can be made available for the investigation of a "serious crime", defined as any crime which is punishable by a term of im- prisonment of not less than one year. A request for data is to be made in writing and shall be "clear and specif- ic", but if that data is urgently required, the request may even be made orally. A written version of the request must however be made at the earliest op- portunity. There is no legal obligation on pro- viders of publicly available electronic communications services or of a pub- lic communications network to retain data revealing the content of any com- munication. Emergency Powers Act Under the provisions of the Emer- gency Powers Act, following a declara- tion by the President of Malta of a state of public emergency, the President acting in accordance with the advice of the Prime Minister, may make any necessary regulations to "secure the public safety and defence of Malta". Such regulations can include taking control of any property or even a tel- ecommunications company to apply any law with or without modification. Such regulations shall expire and cease to have effect after two months unless approved by a resolution of the House of Representatives. Oversight of the use of powers The Security Service Act does not provide for judicial oversight. Howev- er, it establishes the post of a Commis- sioner who shall keep under review, among other things, the exercise by the minister responsible for the Se- curity Service of his powers to issue warrants. The Information and Data Protec- tion Commissioner is responsible for the compliance and enforcement of the processing of personal data and data retention rules. Aggrieved per- sons can request his or her interven- tion. Any decision by the Information and Data Protection Commissioner may be contested in front of the Data Protection Appeals Tribunal. News Big Brother enjoys wide access to your metadata