UPDATED: May 2017 | SOURCE: Vodafone Group/ Hogan Lovells Legal Advisory
Provision of Real-time Lawful Interception Assistance
DECREE LAW NO. (34) OF 2006
Decree Law No. (34) of 2006 on the promulgation of the Telecommunications Law (the Telecommunications Law) and No. (1) of 2009 on the promulgation of the Executive By-Laws for the Telecommunications Law (the Telecoms By-Laws) require telecommunications systems operators that provide services to the public to intercept communications in real time.
Article 59 of the Telecommunications Law states that ‘service providers must comply with the requirements of the security authorities in the state which relate to the dictates of maintaining national security and the directions of the governmental bodies in general emergency cases and must implement orders and instructions issued by the General Secretariat regarding the development of network or service functionality to meet such requirements.’
Any government department involved in state security can rely on Article 59 of the Telecommunications Law, together with the use of any enforcement powers vested directly in the concerned government authority.
Article 93 of the Telecoms By-Laws states that ‘nothing in the By-Law prohibits or infringes upon the rights of authorised governmental authorities to access confidential information or communication relating to a customer, in accordance with the applicable laws.’
Article 91 of the Telecoms By-Laws mentions that service providers shall not intercept, monitor or alter the content of a customer communication, except with the customer’s explicit consent or as expressly permitted or required by the applicable laws of the State of Qatar.
Article 4 of the Telecoms By-Laws authorises the Secretary General of the Ministry of Information and Communications Technology (ictQATAR) to issue regulations, decisions, rules, orders, instructions and notices for the implementation of the Telecommunications Law and the Telecoms By-Laws.
In cases involving national security and general emergency, the Qatari ministries and law enforcement agencies can directly approach communication service providers and require them to assist law enforcement agencies in achieving their objectives, which could involve implementing a technical capability that enables direct access to their network (without the communications service provider’s operational control or oversight).
Disclosure of Communications Data
The powers outlined above in relation to real-time interception may also be used to order the disclosure of communications data.
National Security and Emergency Powers
In all cases of national security and general emergency, the Qatari government agencies and law enforcement agencies can directly approach communications service providers to access their customers’ communications data and/or network.
Oversight of the Use of Powers
There is no judicial oversight of the use of the powers outlined.
Article 63 of the Telecommunications Law states that the employees of ictQATAR who are vested with powers of judicial seizure by a decision from the Attorney General, following the agreement by the Chairman of the Board of ictQATAR, shall seize and prosecute offences committed in violation of the rules of the Telecommunications Law.
In this section, Vodafone refers to Decree Law No. (34) of 2006 on the promulgation of the Telecommunications Law (Telecoms Law) and No. (1) of 2009 on the promulgation of the Executive By-Laws for the Telecommunications Law (Telecoms By-Laws).
SHUT-DOWN OF NETWORK AND SERVICES
National Security or Public Emergency
Under Article 59 of the Telecoms Law, service providers (such as Vodafone) must comply with the requirements of any government department where such requirements relate to national security or a general public emergency. It is feasible that Vodafone could be required to shut down its network or services.
Each network provider operates under a licence. Articles 3, 4 and 12 of the Telecoms Law and Article 15 of the Telecoms By-Laws provide that ictQATAR and Qatar’s Communications Regulatory Authority (CRA) may suspend, revoke or refuse to renew a network provider’s licence where the provider has repeatedly breached the Telecoms Law or the terms of its licence, or has not paid its licence fees. However, before making such a decision, the CRA should give a network provider a reasonable amount of time (such period of time to be determined by the CRA) to remedy its breach or the circumstances giving rise to the suspension, revocation or refusal to renew. Vodafone may therefore lose its licence to provide a mobile network, and related services, if Vodafone repeatedly breaches the terms of its licence.
BLOCKING OF URLS & IP ADDRESSES
See ‘Shut-down of network and services’ above. It is feasible that Vodafone could be required to block certain URLs, IP addresses and/or IP ranges by a government department pursuant to the department’s powers under Article 59 of the Telecoms Law.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
See ‘Shut-down of network and services’ above. It is feasible that a government department using its powers under Article 59 of the Telecoms Law could take control of Vodafone’s network.
Oversight of the Use of Powers (Censorship-related)
There is no judicial oversight of the government’s use of its powers.
Encryption and Law Enforcement Assistance
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
Yes. Article 59 of Decree Law No. (34) of 2006 on the promulgation of the Telecommunications Law states that ‘Service providers must comply with the requirements of the security authorities in the state which relate to the dictates of maintaining national security and the directions of the governmental bodies in general emergency cases and must implement orders and instructions issued by the General Secretariat regarding the development of network or service functionality to meet such requirements.’
In all cases involving national security and general emergency, the government agencies and LEAs can directly approach the service provider to decrypt customer data that it has encrypted. We are of the view that Decree Law No. 24, in particular the articles listed under this section, are wide enough to permit the government the legal authority to require the telecommunications operator to decrypt communications data where the telecommunications operator has applied the encryption.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
Article 59 of the Telecommunications Law would also apply to this scenario.
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?
While there is no express law on this matter, it is Vodafone’s view that a telecommunications operator cannot offer end-to-end encryption on its communication services without breaching the above-mentioned articles found in the answers to Questions 1 and 2. It would be advisable to liaise with the Ministry of Interior and the Ministry of Transportation and Telecommunications to obtain their opinion prior to launching such a service.
4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates to be circa 1990) has been applied to contemporary cases involving encryption.
Vodafone is not aware of any such examples. It should be noted that there is no doctrine of binding precedent in Qatar (so it is not possible to predict the course the court may adopt in the future) and that decisions of the Qatari courts are not published.