Update: Orange has provided Access with an official statement on their position. Please see below.

Last Friday, the French newspaper Le Monde revealed a previously undisclosed relationship between French telco Orange and the French intelligence services, the Direction Générale de la Sécurité Extérieure (DGSE).

According to an internal document from Britain’s Government Communications Headquarters (GCHQ) leaked by Edward Snowden, DGSE has an almost unlimited ability to spy on French citizens and international users by accessing a major, unnamed French telco’s networks. The Le Monde article reports the telco in question as the French global telco giant Orange.

The document details DGSE’s close cooperation with the unnamed telco: together, they have worked to improve the French intelligence services’ capabilities for interception on communication networks; develop encryption technologies; and break the encryption of data flowing through the network.

All signs are Orange

Based on the profile of the company described in the documents, and an independent investigation conducted by Le Monde, the newspaper came “to the conclusion” that the telco in question is Orange, a French multinational telecommunications corporation headquartered in Paris with more than 250 million customers around the world.

The AFP reported that Orange responded to their own inquiry into the allegations by maintaining that its relations with state agencies “strictly comply with the laws” and are similar to other companies’ responsibilities.

But according to the leaked document and Le Monde’s investigation, the DGSE has “free and total” access to Orange’s networks and data passing through “without any oversight,” and has shared this data with allied foreign intelligence services such as the GCHQ. It is not clear whether this unfettered access is only for Orange’s operations in France, or includes its 30 networks and partner networks in Europe, the Middle East, Africa, and the Caribbean.

In addition to nearly total access, the document alleges that the telco in question cooperates with the French government in order to break unspecified encryption protocols for data flowing over its networks. From large companies to journalists, many institutions and users employ encryption to protect the confidentiality of all types of data, including emails, documents, and phone calls. In the aftermath of 2013’s mass surveillance revelations, many organizations, companies, and individuals, including Access, have been promoting encryption as a way to deter unauthorized access to data, and move state actors toward using proper, legal channels to obtain personal information.

Orange and human rights

Although the telco in the leaked documents is unnamed, Orange has been subject to allegations that it contributes to human rights violations before. In 2011, the company’s Egyptian subsidiary MobiNil complied with the Mubarak regime’s order to shut down access to the nation’s internet and mobile networks. Last summer, police assaulted protesters in Jordan who were demonstrating in front of the company’s offices for complying with a government’s decree to block some 300 news websites who failed to register under the country’s new online licensing law.

If Le Monde’s allegations are correct, this latest news is particularly disturbing as it is directly at odds with the recent strong signals from Orange in support of user rights. In December, the company announced its intention to sue the NSA for tapping underseas cables partly used by Orange, and repeated that announcement at Access’ RightsCon global conference series in San Francisco, California earlier this month.

Orange also helped create and currently serves as Chair of the Telecommunications Industry Dialogue, a group of operators and vendors “who jointly address freedom of expression and privacy rights in the telecommunications sector in the context of the UN Guiding Principles on Business and Human Rights.”

Unrestricted access and pushback by companies

This is not the first time an intelligence agency has reportedly gained full access to public communications networks with operator consent or knowledge. India requires its agencies be able to access to telecommunications networks in telecom and ISP licenses. And in 2006, whistleblower Mark Klein revealed the NSA received a copy of all data flowing over AT&T’s networks, even traffic from other providers, via a secret room in the company’s San Francisco switching center.

Currently, the U.K. government faces a lawsuit, filed by our friends Big Brother Watch in London, alleging that the GCHQ’s Tempora program violates user privacy by tapping underseas cables carrying internet and telephone data. The case has been fast-tracked by the European Court of Human Rights. Documents released by Edward Snowden show a number of U.S. and UK telecoms and fiber-optic cable operators were involved in setting up the program, which taps more than 200 cables landing on UK shores.

In other instances, countries and operators may have partial knowledge of the compromise, or none at all. Last year, Access released a paper, Commonwealth of Surveillance States, detailing the varied uses of Russian-made surveillance technology in former Soviet countries. Just last week, the Washington Post reported that the U.S. National Security Agency (NSA) has also been shown to record all phone calls in certain foreign countries.

In one sense, unrestricted access is a legacy of traditional, public-switched telephone networks, where the main telecom operator was often a government entity. Before deregulation and its renaming in 2013, Orange was better known as France Télécom, a division of the French government. Until as recently as 2004, the government was the majority shareholder (its ownership stake is now down to “only” 27%). These recent revelations, which describe a relationship lasting “at least 30 years,” are evidence of how France still regards the telecom as a national security asset.

Demands for accountability and transparency

To protect human rights the transfer of data to a government from a telco must be an arm’s length transaction that complies with the rule of law and due process.

Access calls on the unnamed telco, allegedly Orange, to:

Terminate all agreements, written or otherwise, providing the French government unrestricted access to its networks;

Cease weakening or breaking encryption on its networks;

Publicly report on the extent of its collaboration on encryption standards, and the nature of any technical access provided to the DGSE; and

Show precisely how this access has been exploited by the French government and its allies to surveil users.

If any of these actions or disclosures are prohibited by French law, we call on the company to publicly disclose the relevant laws and the company’s interpretation of them. Likewise, Orange should identify and explain any French laws mandating cooperation on surveillance and encryption.

For its part, Orange lists several commitments and vision statements on data protection, privacy, and freedom of expression on its website. However, a thorough review by Access did not reveal a policy on law enforcement access to networks and user data. Access recommends that Orange develop such a policy, or if one exists, make it publicly accessible in multiple languages via its Group website.

Remedy must be part of the solution

Beyond the Orange case, Access strongly believes no government should ever be granted unrestricted access to public communications networks. Unrestricted access to networks facilitates mass government surveillance, a practice in violation of international law on privacy and freedom of expression. This kind of pervasive surveillance violates the privacy rights of all of the company’s users, creates a chilling effect on free expression, and is highly susceptible to abuse by any government agency that can get its hands on the data flowing through the network.

Mobile network operators can play a critical role in buffering government access to user data by deploying legal and technical safeguards. Legally, operators can insist that governments follow proper legal process by vetting any orders they receive, and meeting other procedural safeguards found in the Access Telco Action Plan. Technically, operators can encrypt communications and maintain physical separation between their networks and police and intelligence services.

Recently, Swedish telco Tele2 rejected a Swedish government proposal for direct, automatic access to its networks, citing the importance of the ‘human element’ and have trained personnel to provide checks and balances on government requests. We hope to see more telcos follow this example, and support user rights over unlawful government requests, as the debate on government surveillance continues.

Access reached out to Orange regarding the Le Monde allegations. As of March 26, here is their official position:

General position:

Orange, as all the telecom operators, has relations with the French Government services in charge of the national security of the country and the people. These relations are built in the strict respect of the laws, under the responsibility of the State and under judicial control.

In addition:

Telecoms operators are subjected to interceptions processes that are issued from a legal frame precisely defined:

The general legal scheme for interceptions comes from requisitions taken within the framework of an investigation initiated under the control of a magistrate. It is understood as a judicial requisition and in this frame, Article (6. II) of the law for the trust in the digital economy (LCEN), enables access of police services or other specialized services, on technical data (after interception).

Another regime presented as exceptional, issued from application of the “law of January 23rd 2006 related to the fight against terrorism” including several provisions one security and border controls extended by the laws of December 1st, 2008 and December 21st, 2012, is effective until December 31st, 2015.

This regime answers the administrative requests of interceptions in prevention of terrorist acts. They are subjected after the event to the control of the CNCIS (national control commission of the security interceptions) made up in particular of members of Parliament. Employees, individually mandated and duly authorized, of police services, have access to the technical data of these interceptions.

The law of military programing (promulgated December 19th, 2013) does not modify the general legal scheme of this regime of exception, but proceeds to numerous adjustments of provisions regarding terrorism. It widens in particular the list of people who can obtain the access to the data on the basis of the exception scheme beyond the scope of the singles cases of terrorism.