Vodafone, one of the world's largest mobile phone groups, has revealed the existence of secret wires that allow government agencies to listen to all conversations on its networks, saying they are widely used in some of the 29 countries in which it operates in Europe and beyond.
The company has broken its silence on government surveillance in order to push back against the increasingly widespread use of phone and broadband networks to spy on citizens, and will publish its first Law Enforcement Disclosure Report on Friday. At 40,000 words, it is the most comprehensive survey yet of how governments monitor the conversations and whereabouts of their people.
The company said wires had been connected directly to its network and those of other telecoms groups, allowing agencies to listen to or record live conversations and, in certain cases, track the whereabouts of a customer. Privacy campaigners said the revelations were a "nightmare scenario" that confirmed their worst fears on the extent of snooping.
In Albania, Egypt, Hungary, India, Malta, Qatar, Romania, South Africa and Turkey, it is unlawful to disclose any information related to wiretapping or interception of the content of phone calls and messages including whether such capabilities exist.
"For governments to access phone calls at the flick of a switch is unprecedented and terrifying," said the Liberty director, Shami Chakrabarti. "[Edward] Snowden revealed the internet was already treated as fair game. Bluster that all is well is wearing pretty thin – our analogue laws need a digital overhaul."
In about six of the countries in which Vodafone operates, the law either obliges telecoms operators to install direct access pipes, or allows governments to do so. The company, which owns mobile and fixed broadband networks, including the former Cable & Wireless business, has not named the countries involved because certain regimes could retaliate by imprisoning its staff.
Direct-access systems do not require warrants, and companies have no information about the identity or the number of customers targeted. Mass surveillance can happen on any telecoms network without agencies having to justify their intrusion to the companies involved.
Industry sources say that in some cases, the direct-access wire, or pipe, is essentially equipment in a locked room in a network's central data centre or in one of its local exchanges or "switches".
The staff working in that room can be employed by the telecoms firm, but have state security clearance and are usually unable to discuss any aspect of their work with the rest of the company. Vodafone says it requires all employees to follow its code of conduct, but secrecy means that it cannot always verify that they do so.
Government agencies can also intercept traffic on its way into a data centre, combing through conversations before routing them on to the operator.
"These are the nightmare scenarios that we were imagining," said Gus Hosein, executive director of Privacy International, which has brought legal action against the British government over mass surveillance.
"I never thought the telcos [telecommunications companies] would be so complicit. It's a brave step by Vodafone and hopefully the other telcos will become more brave with disclosure, but what we need is for them to be braver about fighting back against the illegal requests and the laws themselves."
Vodafone's group privacy officer, Stephen Deadman, said: "These pipes exist, the direct access model exists.
"We are making a call to end direct access as a means of government agencies obtaining people's communication data. Without an official warrant, there is no external visibility. If we receive a demand we can push back against the agency. The fact that a government has to issue a piece of paper is an important constraint on how powers are used."
Vodafone is calling for all direct-access pipes to be disconnected, and for the laws that make them legal to be amended. It says governments should "discourage agencies and authorities from seeking direct access to an operator's communications infrastructure without a lawful mandate".
All states should publish annual data on the number of warrants issued, the company argues. There are two types – those for the content of calls and messages, and those for the metadata, which can cover the location of a target's device, the times and dates of communications, and the people with whom they communicated.
For brevity, the Guardian has also used the term metadata to cover warrants for customer information such as name and address. The information published in our table covers 2013 or the most recent year available. A single warrant can target hundreds of individuals and devices, and several warrants can target just one individual. Governments count warrants in different ways and New Zealand, for example, excludes those concerning national security. While software companies like Apple and Microsoft have jumped to publish the number of warrants they receive since the activities of America's NSA and Britain's GCHQ came to light, telecoms companies, which need government licences to operate, have been slower to respond.
In America, Verizon and AT&T have published data, but only on their domestic operations. Deutsche Telekom in Germany and Telstra in Australia have also broken ground at home. Vodafone is the first to produce a global survey.
It shows that Malta is one of the most spied on nations in Europe. The former British protectorate has a tiny population of 420,000, but last year Vodafone alone processed 3,773 requests for metadata.
In Italy, where the mafia's presence requires a high level of police intrusion, Vodafone received 606,000 metadata requests, more than any other country in which it runs networks. The number of warrants across all operators is potentially many times that number, but the government does not publish a national figure for metadata.
Italy's parliament does disclose content warrants, however, and it issued 141,000 in 2012, compared with just 2,760 in the United Kingdom. In contrast to the UK, terrorism concerns mean Ireland does not allow any information on the number of content warrants to be made public.
Spain, which has suffered terrorist strikes from Islamists and Basque separatists, allowed Vodafone to disclose that it had received over 24,000 content warrants. Agencies in the Czech Republic made nearly 8,000 content requests from the network. After Italy, the Czech Republic is the biggest user of metadata, issuing 196,000 warrants nationally in the most recent year for which information has been published. Tanzania, one of several African countries in which Vodafone operates, made 99,000 metadata requests from the company.
Peter Micek, policy counsel at the campaign group Access, said: "In a sector that has historically been quiet about how it facilitates government access to user data, Vodafone has for the first time shone a bright light on the challenges of a global telecom giant, giving users a greater understanding of the demands governments make of telcos. Vodafone's report also highlights how few governments issue any transparency reports, with little to no information about the number of wiretaps, cell site tower dumps, and other invasive surveillance practices."
On the question of whether the UK uses direct-access pipes, Vodafone's Deadman said such a system would be illegal because Britain did not permit agencies to obtain information without a warrant. The law does, however, allow indiscriminate collection of information on an unidentified number of targets. "We need to debate how we are balancing the needs of law enforcement with the fundamental rights and freedoms of the citizens. The ideal is we get a much more informed debate going, and we do all of that without putting our colleagues in danger."
Snowden, the National Security Agency whistleblower, joined Google, Reddit, Mozilla and other tech firms and privacy groups on Thursday to call for a strengthening of privacy rights online in a "Reset the net" campaign.
Twelve months after revelations about the scale of the US government's surveillance programs were first published in the Guardian and the Washington Post, Snowden said: "One year ago, we learned that the internet is under surveillance, and our activities are being monitored to create permanent records of our private lives – no matter how innocent or ordinary those lives might be. Today, we can begin the work of effectively shutting down the collection of our online communications, even if the US Congress fails to do the same."