Dangerous data: Telenor’s irresponsible exit from Myanmar may put customers’ lives at risk
When Norwegian telecoms firm Telenor Group announced the sale of its Myanmar operations to Lebanese investment firm M1 Group in July, the people of Myanmar were five months into nationwide protests and strikes opposing the February 1 coup, which threatened to plunge the country back to the dark days of military rule.
Data relating to Telenor Myanmar’s 18 million customers forms part of that sale. And in the wrong hands, that data could mean life or death for the company’s former clients.
Telenor entered the Myanmar market in 2013, one of four telecoms companies after the country opened up to foreign investment. Telenor quickly became the ‘network of choice’ for activists due to the company’s strong stance on human rights.
But the coup presented dilemma after dilemma as the human rights situation deteriorated. The junta arbitrarily arrested more than 10,000 people, murdered more than 1,300 women, men, and children, and ramped up invasive surveillance of civilians while demanding telecoms companies activate call-intercept equipment on their networks. In Telenor’s case this would violate 2018 EU sanctions.
In May 2021 Telenor Group wrote a whopping US$700 million off the value of Telenor Myanmar, selling it for US$105 million without meaningful consultation with customers or civil society organisations inside the country. On its website the Group says that the “deterioration of the situation and recent developments in Myanmar form the basis for the decision to divest the company. In the present situation it has not been possible for Telenor to conduct an ordinary sales process”.
The cut-price sale to M1 Group – which has cooperated with authoritarian regimes in Syria and Sudan, according to a complaint filed with the Organisation for Economic Co-operation and Development (OECD) – has undermined Telenor’s progressive agenda and evaporated goodwill. One activist we spoke to said news of Telenor’s exit left them “feeling devastated and demoralised”.
Metadata – ‘easy to connect the dots’
The call-data records, or “metadata”, forming part of the sale reveal whom Telenor customers privately contacted, the time and duration of calls, and the location of the tower or base station from which the call was transmitted. As Myanmar has mandatory SIM card registration, phone numbers are also linked to people via their national ID, which contains a photo and other personal details.
Fortify Rights, Privacy International and others have raised concerns with Telenor that this data could end up in the junta’s hands, but they are yet to share with us how they plan to mitigate the risks posed. Instead, the company has directed public attention to the issue of activating call-intercept technology on their network. Although a valid concern, focusing solely on the issues around this technology fails to tell the whole story.
Human rights groups have been fighting the government-constructed “content versus metadata” myth globally for decades. Listening into calls and reading messages in real time using call-intercept technology is time-consuming and requires significant manpower. It is much easier for governments to connect the dots in metadata.
A well-used example to illustrate the powerful possibilities associated with metadata is this: call records reveal someone calls a suicide prevention hotline from the Golden Gate Bridge. Is it necessary to listen to that call to work out what is happening?
The fact that our metadata can be so revealing is why intelligence agencies around the world are hungry for it, and why the European Court of Human Rights has recognised that it is as sensitive as content data. In the context of Myanmar, it is likely to expose networks of activists, their contacts, their activities, their locations, and their relationships going back years. And this puts people at risk of arbitrary detention, enforced disappearance, torture, and murder.
‘Profits and conscience’
It is shocking to see a major European telecommunications company playing down these risks by replicating a defunct and dangerous logic used by governments attempting to expand their surveillance powers. Why would Telenor not delete the metadata before exiting Myanmar, or at least conduct a proper human rights impact assessment regarding the sale? In short: profits and conscience.
The metadata is seen simply as a set of assets when it is time for mergers and acquisitions, and a proper human rights impact assessment would lay bare the problems the company is attempting to downplay.
This all raises questions about the quality of Telenor’s human rights due diligence, a process expected by OECD guidelines and the UN’s Guiding Principles on Business and Human Rights, and a process to which Telenor has consistently expressed its commitment over the years.
Recent reports suggesting that the Myanmar junta is demanding that a local, and inevitably military-linked, company be involved in the sale makes the case for proper due diligence even more compelling.
Not just Telenor.....but......
However, we cannot lay all of this at Telenor’s doorstep. That is because the mobile-operator industry has been trying to exploit this data for decades.
Privacy laws, where they exist, tend to restrain this sector from mining the data for profit and governments from using it for power.
But the industry knows its value. Mobile operators jealously watch the likes of Google and Facebook exploit internet-level metadata for massive profits. They acquiesce to government mandates to retain this data on all users and submit it to authorities upon request.
This industry knows very well it is sitting on a data ‘gold mine’ of our friends, families, locations, and habits. Once the data is created, deletion is the only true protection, while strong safeguards and the rule of law can help to prevent abuse.
This leaves the telecoms sector facing a unique problem with divestment, especially from extremely challenging markets such as Myanmar. Other sectors could, for example, close down factories, stores and supply chains, and walk away. Jobs would be lost and the impact felt economically. But no other sector places those left behind in this kind of peril, whereby handing over detailed and revealing data – in this case information relating to 18 million people – could lead to devastating consequences.
Ultimately, Telenor is leaving Myanmar and the firm’s bosses want to do it with their heads held high and pats on the back, principles and values publicly intact. Who can blame them. But to dismiss the risks associated with the metadata they leave behind is reckless.