Telenor built a highly successful business in Myanmar but now finds itself forced to shut down the internet and share user data with a regime intent on crushing all opposition.
By EMILIE EKEBERG and FRONTIER
When Telenor secured a highly prized mobile operator licence in Myanmar in 2013, the Norwegian telecom giant announced plans to invest hundreds of millions of dollars – a big vote of confidence in the country’s political and economic reforms.
Eight years on, the mood is very different. Telenor, which says it places a high value on human rights and responsible business practices, finds itself complicit in efforts to restrict internet access and target regime opponents. As a result, the company is reportedly thinking of selling its Myanmar business and leaving the country.
Since the February 1 coup, Telenor has been forced to block access to social media platforms Facebook, Twitter and Instagram, which people were using to organise protests and share footage of human rights abuses. In mid-March it was also ordered to cut internet access to its 18 million mobile customers, who can now only access a limited number of junta-approved services and applications through what’s known as whitelisting.
After initially informing the world about directives it was receiving from the generals, Telenor has since been silencedby the regime. It also paid an annual licence fee to the junta, despite opposition activists urging individuals and businesses to halt payments in the wake of the coup.
Less well known is that the regime also requires Telenor to share data on its users, such as their home addresses and call history. This was confirmed by sources in the Myanmar Police Force and the telecom industry interviewed by Frontier and Danish investigative news organisation Danwatch, with whom Frontier has partnered for this report.
Although Telenor has shared user data with Myanmar authorities on a case-by-case basis since entering the market in 2014 – for example, when such data was needed for an investigation into a serious crime – the company may now be forced to hand over data about regime opponents.
“The operators must provide this information, which we request in order to arrest or check a person, or action will be taken against them,” said a police officer involved in the surveillance of the protest movement who asked to remain anonymous.
The requests for information can include the identity document used to register a SIM card, cell tower records that can be used to trace a person’s movements, and a customer’s home address and call history, according to the police officer. The officer, who is part of a new cybersecurity team within the police force, confirmed that they could access this information from all four mobile operators in Myanmar.
Sources in two different companies in the telecom industry acknowledged independently of each other that they share this data with the authorities. “We have no choice but to comply,” a senior official in one company said.
All of this creates a significant dilemma for Telenor – but would its exit be good for users?
‘Broad powers of interception’
Telenor’s ability to push back against regime diktats is limited by Myanmar law.
In 2013, the same year that Telenor was awarded its licence, Myanmar passed a new Telecommunications Law that paved the way for foreign investment in the sector and broke the monopoly of state-owned operator MPT. But it did not enshrine data security or protect privacy rights; instead, it granted authorities’ sweeping access to user data.
In the first five years after Telenor’s launch this seemed to matter little. But since 2019, the company has been forced to comply with requests to shut down internet access and block websites, including media outlets reporting on the military’s human rights abuses against the Rohingya minority and, later, anti-coup demonstrators.
When the Myanmar government introduced mandatory SIM-card registration in 2019, which requires providing a national ID card or passport, Telenor expressed concern at a lack of protection for privacy rights. Nonetheless, the company terminated unregistered SIM-cards in June last year.
The one area where it has more discretion is on requests to hand over historical user data. At a briefing in December 2020, it said that it had received 327 such requests in Myanmar, of which it complied with 217 that were “related to life-or-death situations such as murder, drug and missing person investigations”.
However, the number of requests – and the company’s compliance with them – appear to have risen rapidly in the year before the coup. In 2020, Telenor agreed to 91 out of 97 requests for historical user data in Myanmar, according to its annual Authority Request Disclosure Report. As one request can cover several people, it is unclear how many individuals had their user data shared with the authorities.
Sources interviewed by Frontier and Danwatch say the requests for user data have not increased significantly since the coup. The new regime has, however, made further legal changes that could make it more difficult for Telenor – as well as other mobile operators and internet service providers – to push back against data requests.
The regime has repealed sections of the Law Protecting the Privacy and Security of Citizens, but of greater concern are recent amendments to the Electronic Transactions Law that grant the authorities almost unlimited access to user data without even basic safeguards.
Free Expression Myanmar, an advocacy group, said that under the February 15 amendment there are no limitations on the type or scale of the data that can be intercepted, and no rules on how intercepted data should be handled, or for how long. The amendment “represents a significant risk to civic space” it said, adding that the regime now has “broad powers of interception without even the most basic safeguards for misuse”.
More harm than good?
While some critics have argued that Telenor invested too early in a country still heavily under the influence of the military, others applaud the company’s efforts to bring affordable phone and internet services to Myanmar.
“Now, Telenor faces an extremely difficult dilemma, operating under an illegitimate regime that is hardly acknowledged by any other states,” said Marte Nilsen, a Myanmar researcher at the Norwegian Peace Research Institute (PRIO).
Nilsen noted that while Telenor needs to follow the military’s orders to stay in business and offer an alternative to junta-controlled companies, sharing user data with the authorities could potentially put many people at risk.
“Today, the democracy activists have either fled or they are hiding from the security forces. They [sleep] in different places from night to night, to avoid being arrested. Then you cannot risk that their mobile phone is revealing where they are,” said Nilsen.
Although the company is increasingly unable to defy junta requests for sensitive user data, Telenor is still widely perceived as the safest of the four operators.
State-owned MPT and military-linked Mytel are known to share data much more freely with the authorities, while Qatari firm Ooredoo has said little about the human rights situation in the country and has not pushed back publicly against internet shutdowns or website filtering.
Possibly because of this perception, Telenor added two million new users in the first quarter of the year. One of those was Ko Naing Lin Myo (not his real name), a 23-year-old university student from Yangon who took part in protests against the coup. Prior to February he was an MPT customer, but as the military cracked down in March he grew more concerned that his calls could be monitored and switched to Telenor.
“Many people say that Telenor is the safest – I feel that they put the security of their customers first,” he said.
Even the parallel National Unity Government, formed by deposed lawmakers to fight back against the military regime, acknowledges the complexity of the issue – including the fact that a company’s staff would be at risk if it disobeyed the junta.
“Companies such as Telenor have no choice but to follow these instructions due to security concerns,” said the NUG’s environment and natural resources minister, Tu Hkawng, to Nikkei Asia in a recent interview.
Activist Ma Thinzar Shunlei Yi, who has been on the run since the regime put out a warrant for her arrest in April, said she agreed Telenor was likely the “safest” operator for users but the company needed to take more of a stand.
“Telenor has invested under laws that violate human rights. Therefore, it has to shut down the internet if the military orders it to, and it also has to provide user information,” she said. “If Telenor receives directives that violate people’s digital rights, the ethical thing would be to cut ties with the military and leave the country.”
Others call on Telenor to inform their users about the risks they face using their services.
“Telenor has been committed to transparency, in stark contrast to the other mobile operators in Myanmar, but has been unable to continue acting with transparency following the attempted coup,” said Ma Yadanar Maung, spokesperson for Justice For Myanmar, an NGO committed to exposing the ties between international business and the military. “Telenor should clarify its position on the military’s interception system and the data they are disclosing to the junta.”
Stay or go?
Telenor declined to comment on whether, how often or what kind of user data it is sharing with the authorities. In a written comment sent to Danwatch and Frontier in early May, the company could not guarantee that the military does not have access to Telenor user data.
“We are very concerned about the events of the last few months since the military coup on February 1. Unfortunately, it is no longer possible for us to comment on directives from the authorities, because we have to balance our desire for transparency with the safety of our employees,” Telenor’s information manager Mr Tormod Sandstø said in an email.
Aggression and threats against Myanmar’s mobile phone companies, even holding employees protesting the military’s orders at gunpoint, have been reported by Reuters.
Amid this danger – and plummeting revenue – there are some signs Telenor may leave Myanmar. On May 4, when the company announced its results for the first quarter of this year, it wrote down the value of its Myanmar business to zero – booking a loss of 6.5 billion krone, or US$782 million.
However, CEO Mr Sigve Brekke insisted that Telenor was not preparing to leave the country, saying instead that the shutdown of the mobile data network and limited prospects of improvement made it impossible to calculate the value of its Myanmar operations.
But Telenor did not respond clearly when asked how long the company can operate under military rule in Myanmar.
“We believe we have made a difference as a provider of telecom services in Myanmar. Our continued presence will depend on developments in the country and our ability to make a positive contribution to the people of Myanmar,” Sandstø wrote in early May.
On July 1, trade publication TMT Finance reported that Telenor was seeking a bidder for their Myanmar business, citing anonymous sources.
Telenor has since confirmed that it is “evaluating various options”; whether it stays will depend on developments and whether it can “contribute positively to the people of Myanmar”.
The news has alarmed NGOs. “Bad news!” Free Expression Myanmar tweeted, adding that the organisation is worried about a Russian or Chinese company replacing Telenor.
Justice for Myanmar, meanwhile, has urged Telenor to only sell its business if the buyer commits to respecting human rights.
“We are concerned about reports of Telenor’s potential sale of its Myanmar business. If sold to a company that is not committed to transparency and the protection of personal data, the people of Myanmar will be put at greater risk. We urge Telenor to carefully consider the human rights impact of any disengagement from Myanmar,” spokesperson Yadanar Maung said.
Given Myanmar’s legal framework and the regime’s focus on crushing it opponents, it is difficult to envisage any company committed to protecting users entering the market. However, Professor Andreas Rasche, from the Copenhagen Business School’s Sustainability Centre, said that Telenor is obliged to consider the human rights impact of a sale under the UN Guiding Principles on Business and Human Rights. Human rights due diligence requires looking at actual as well as potential impacts of business activities and relationships.
“When selling a business in such a situation to a company from China or Qatar, such potential impacts need to be kept in mind, especially as the human rights track records of both countries are rather poor,” Rasche said.
Meanwhile, Telenor says it is doing what it can to manage the risks of operating under the military.
“Since February 1, we have continuously assessed the actual and potential human rights effects of our business and taken measures to deal with the consequences”, said Sandstø in the written comment.
Frontier and Danwatch’s investigation also found the regime was using sophisticated digital tools against its opponents.
U Khin Maung Zaw, one of the defence attorneys for detained leader Daw Aung San Suu Kyi, said he has seen data extracted from mobile phones presented as evidence in court against his clients. These clients include U Min Thu, a former member of the Nay Pyi Taw municipal council whom the junta arrested in March and accused of “manipulating” striking civil servants.
“Copies of chat conversations from his [Min Thu’s] mobile phone and laptop were brought to court as evidence. The police also found that he had chatted with two co-defendants in his case,” said Khin Maung Zaw.
This data appears to have been extracted using digital forensics technology, much of which has been acquired from Western companies.
Khin Maung Zaw also defended Reuters journalists Ko Wa Lone and Ko Kyaw Soe Oo, who were imprisoned for more than 500 days from December 2017 for reporting on a military-led massacre of Rohingya men.
“In Wa Lone and Kyaw Soe Oo’s case, the authorities [used] software from an Israeli company, Cellebrite, to access the content on their mobile phones,” said Khin Maung Zaw.
The police officer involved in the surveillance of the protest movement says that the police have instructions to confiscate the mobile phones of arrested demonstrators, and that they are capable of accessing stored data.
“If a protester’s name is on a watchlist, the police will check the mobile phone including the chat applications, Facebook and photo gallery to find more suspects or friends connected to this protester,” said the source.
Another prominent lawyer, Daw Zarli Aye, who since the coup has been assisting imprisoned activists from the democracy movement, said that because of the regime’s increased phone-cracking and remote surveillance capabilities, it was simply no longer safe to use phones.
“When I was discussing a case with a railway worker from the Civil Disobedience Movement, I talked too much about the case on the phone and the police searched this worker’s home the next day,” Zarli Aye said. “After that, I do not trust mobile operators and have decided to only hold face to face discussions with my clients about the cases.”
The demands Telenor is facing from the regime – for access to the calls, SMS messages and internet usage data of Telenor users in real time – is known as “lawful interception” and is common in many countries. In Myanmar, though, there are no checks – such as judicial review – on what data can be monitored and under what circumstances.
Access to this data is generally considered more intrusive and concerning from a digital rights perspective than the historical records that Telenor presently provides on a case-by-case basis. Frontier and Danwatch have confirmed that police do not yet have access to real-time data from Telenor or Ooredoo customers – but that could soon change.
The police officer from the cybersecurity team said the police are monitoring calls from government-owned operator MPT and military-linked operator Mytel with artificial intelligence software to identify and track regime opponents.
“Words such as “revolution” (in Burmese taw hlan yay) and “protest” (san da pya) are put into the system, and the police or the Criminal Investigation Department are notified if people use these words. If the system notices that someone is using these words very often, the person will be added to the suspect list, and then police can listen to their conversations,” the police officer said.
However, Reuters has since reported that the regime has ordered all operators to install the intercept technology. It set a July 5 deadline, but it is still unclear whether Telenor and Ooredoo have complied. A week before the order, the junta banned foreign and Myanmar executives of “major telecommunications firms” from leaving the country without permission, Reuters reported, in what seems a crude attempt to force them to comply.
But this is not a new initiative. Leaked meeting notices and government budgets included in a November 2020 report from Open Technology Fund shows that the authorities had made plans to impose the interception system on all mobile operators, including Telenor.
On January 31, 2019 – almost exactly two years before the coup – the Ministry of Transport and Communications called Telenor and Myanmar’s three other mobile carriers to discuss the technical aspects of monitoring voice, SMS and data, the meeting invitation shows.
The ministry – then under the National League for Democracy government but stacked with former military officers – subsequently allocated K6.19 billion in the 2019-20 budget to implement a system that would be capable of intercepting up to 120 calls on the Telenor network simultaneously, while also monitoring 1 gigabyte per second of the company’s customer data.
The budget request also included funds for digital forensics software from several companies, including OpenText and Magnet Forensics from Canada.
In December 2020, Telenor itself sounded the alarm at their annual public sustainability briefing held in Yangon, announcing that the authorities would have direct access to user data in real time
“We are concerned that existing laws and regulations do not contain clear definitions on when such powers can and cannot be used, as well as other legal and regulatory safeguards to make sure that these powers are used in a proportionate and necessary way,” the Telenor official said at the briefing, which was shared by Telenor on YouTube.
The author of the Open Technology Fund report, Ma Phyu Phyu Kyaw (a pseudonym), said that for now the military still relies heavily on community-based informants to track its opponents as they go about their daily lives, but this could change.
“I think that when protests end, they will increase the use of surveillance technology to track down the remainder of the protesters,” she said in an interview with Frontier and Danwatch.
While the author praises Telenor for being transparent about government directives in the past and advocating for the rights of its users, she does not believe that Telenor can object to the junta’s orders today.
“The military has surveillance technology, but they also have guns,” she said. “I would suspect they would just go into the telecom offices and demand the data they need.”