Since 2014, Deutsche Telekom has published annually how many surveillance measures it had to take, along with the type and scope of information provided to security authorities.
Telecommunications companies are legally obliged to assist security authorities. On the one hand, this involves surveillance measures by which telecommunications connections can be traced or recorded. On the other hand, it involves information, for example concerning line owners or traffic data.
Deutsche Telekom was the first company to publish a transparency report for Germany in 2014. After extensive analysis of the legal framework conditions applying in the other countries of Deutsche Telekom’s footprint, the first international report was published in 2016 for the years 2014 and 2015. The report is now available for 2019.
Deutsche Telekom abides strictly by the legal framework
The legal framework conditions sometimes vary widely. In certain countries, we are not permitted to provide information on security measures. In others, for example, the authorities carry out surveillance activities directly, without the involvement of the telecommunications company. You can find more information on the local situations in the various country reports.
Deutsche Telekom strictly complies with the legal framework when assisting security authorities. The security authorities only receive our assistance if the legal prerequisites have been fulfilled. Here, Deutsche Telekom focuses on protecting the rights of the individual, in particular the secrecy of telecommunications.
The internal regulations and procedures are subject to constant checks and are optimized continuously, both now and in the future. Despite the different statutory provisions, this produces a high level of international security and data privacy when processing inquiries from the authorities:
- The group of employees involved is specifically minimized in accordance with the need-to-know principle. This group of employees is trained regularly to secure maximum legal certainty for our employees and our company. Moreover, they are contractually obliged to maintain strict confidentiality, irrespective of the statutory provisions.
- Special technical precautions also need to be taken on account of internal guidelines. For instance, the IT systems required for processing purposes need to be protected and checked separately by using state-of-the-art security technology.
- Likewise, physical access to the critical infrastructure is substantially restricted and reserved exclusively for internal staff.
We continue to work together with legislators to find solutions that promote transparency for those countries where statutory provisions prevent us from publishing statistics.
Interpreting the figures
The data published on the individual countries complies with the different legal requirements that apply in each country. It is therefore not always possible to make a straight comparison of the country data. In some countries, only the number of inquiries from the authorities is counted, not the number of surveillance measures actually carried out or of reports provided. On the one hand, the authorities may inquire about stored traffic data (when did a communication take place? Between which lines? How long did it last?). On the other hand, they can ask about customer data (such as name, address, and date of birth). Information must sometimes also be provided on the owners of IP addresses (customer data for a particular IP address).
Such an inquiry may refer to multiple lines or data records. It must also be taken into account that a data record can contain a large amount of information (such as multiple identification features like the mobile equipment identification number (IMEI) and the telephone number). If the request relates to only one particular customer, that customer may have both a mobile and a fixed-network number. So at least two data records have to be taken into account.
If a mobile handset is to be localized at a particular time, this may entail multiple mobile cells and thus also multiple data records, because the location has changed from one cell to another. Information volume increases dramatically if all the mobile devices registered in a cell need to be analyzed over a particular period. This may generate tens if not hundreds of thousands of data records, especially in large cities.