UPDATED: May 2017 | SOURCE: Vodafone Group with support from Hogan Lovells
Provision of Real-time Lawful Interception Assistance
Article 35 of the Regulation of the licensing and register for the providing of telecommunications services of public usage and establishing and usage of the public network of telecommunications (Decree No. 33/2001 of 6 November) states that licensed providers are obliged to cooperate with the legal competent authorities regarding the legal interception of communications.
Under the Regulation, such interception will be made through the Regulatory Authority’s duly credentialed members. It does not appear to provide a clear outline of the process; nor is there a law or decree that establishes one.
There appear to be no specific laws that grant law enforcement agencies the legal powers to allow direct access into a communications service provider’s network without the operational or technical control of the communications service provider.
Disclosure of Communications Data
THE TELECOMMUNICATIONS LAW
Article 68 of the Telecommunications Law (Law No. 8/2004 of 21 July – the Telecommunications Law) states that the secrecy of the communications is guaranteed except in cases of criminal law and in the interests of national safety and the prevention of terrorism, criminality and organised delinquency.
National Security and Emergency Powers
Except as already outlined above, the government agencies do not have any authority to invoke special powers to access a communications service provider’s customer data and/or network on the grounds of national security.
Article 10 of the Telecommunications Law states that the government is responsible for the adequate coordination of the telecommunications services in emergency situations. In such situations, the government may issue a notice with mandatory instructions to the telecommunications operators. The Telecommunications Law does not provide a clear outline of the process; nor is there a law or decree that establishes the procedures.
Oversight of the Use of Powers
There does not appear to be any judicial oversight of the powers contained within this report, other than in cases of criminal law, which are overseen by judges sitting in the criminal courts of Mozambique.
SHUT-DOWN OF NETWORK AND SERVICES
Decree N.º33/2001 of 6 November
Articles 10 and 37 of the Regulation of the licensing and register for the providing of telecommunications services of public usage and establishing and usage of the public network of telecommunications (Decree No. 33/2001 of 6 November) state that when a state of siege or emergency is declared, the Regulatory Authority has the power to cancel Vodafone’s licence to provide its network and services in order to protect national security.
Separately, the Regulatory Authority may at any time suspend or revoke Vodafone’s licence to provide its network and services if Vodafone breaches certain conditions set out in its licence. These conditions include Vodafone’s requirement to cooperate with legally competent authorities in their interception requests.
BLOCKING OF URLS & IP ADDRESSES
The government does not have legal authority to require Vodafone to block URLs or IP addresses.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
See ‘Shut-down of network and services’ above; the Regulatory Authority’s power when a state of siege or emergency is declared could extend to taking control of Vodafone’s network.
Oversight of the Use of Powers (Censorship-related)
There is no judicial oversight of the Regulatory Authority’s execution of its powers.
Encryption and Law Enforcement Assistance
Please note that since this legal analysis was undertaken, a new Telecommunications Law came into force on 3 August 2016.
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
Yes. The statutory law in Mozambique does not expressly refer to encryption. The existing statutory obligations on a telecommunications operator are to:
- provide real-time lawful interception assistance under Decree No. 33/2001 (see ‘Provision of real-time lawful interception assistance’ above); and
- disclose communications data to competent government agencies under Article 68 of Law No. 8/2004 (see ‘Disclosure of communications data’ above).
In Vodafone’s view, these are wide enough that, in each case, they could be interpreted as requiring a telecommunications operator to decrypt communications data, where that operator has applied the encryption. This is because the operator must cooperate with the competent authorities to achieve these outcomes.
Another reason for this interpretation is that the general obligation of secrecy of communications contained in Article 68 of Law No. 8/2004 contains an exception in cases provided by law in criminal prosecutions matters or of interest to the national security and the prevention of terrorism, criminality and organised delinquency. Therefore, the fact that the concept of secrecy of communications is not absolute implies that decryption would be acceptable in one of the excepted circumstances.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
No. The scenario is not addressed under Mozambican Law.
Vodafone’s understanding of the existing law is that a telecommunications operator must cooperate with the competent authorities to provide real-time lawful interception assistance and disclose communications data (see Question 1 above). It is unclear how far such cooperation can go if the operator lacks the technological ability to decrypt a third party’s encryption.
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?
No. The law currently in force doesn’t regulate this matter and therefore does not expressly prohibit a telecommunications operator from offering end-to-end encryption on its communication services.
Nonetheless, Vodafone thinks that offering end-to-end encryption may be interpreted as incompatible with a telecommunication operator’s obligation to cooperate with the competent authorities with regard to the legal interception and disclosure of communications data (see Question 1). Vodafone cannot be certain of this, as the law does not establish procedures for this cooperation, nor make clear the nature and extent of cooperation required from a telecommunications operator.
4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates to be circa 1990) has been applied to contemporary cases involving encryption.
No. Mozambique is governed by Roman-Germanic system any interference by the state and/or government should be based on the law. However if there’s no legislation they can resort to custom, doctrine and jurisprudence.