The Maduro Administration Is Spying on Everyone

A strange transparency report published by Spanish telecommunications giant Telefónica shows how its Venezuelan subsidiary allowed the government to intervene over 20% of their subscribers phone lines. Here are the dirty details

Originally published by VE sin Filtro in Spanish.

A transparency report recently published by Telefónica, the parent company of Movistar Venezuela, revealed indiscriminate and massive interceptions of the private communications of their Venezuelan subscribers, by order of security government agencies.

According to the document, in 2021 Telefónica intercepted the communications of over 1.5 million (1,584,547) subscribers in Venezuela, more than 20% of Movistar telephone/internet accounts. These interventions were carried out by order of the government of Nicolás Maduro and included intercepting or “tapping” calls, monitoring SMS, giving the location of people through their cell phones and/or monitoring their internet traffic. Interventions in other countries in the region included in the report don’t even get close to 1%. 

For years, there have been suspicions about the pervasiveness of tapped calls and the excessive and unjustified monitoring of other forms of communication, but this report has shed a light for the first time on the real scope of this threat to civil and digital rights across the country.  Although the interception of communications can be a tool to investigate serious crimes, its use must be in accordance with human rights standards and due process. However, the vast number of intercepted lines points to systematic abuse.

Data from other telephone operators and internet services is currently unknown, because they do not publish transparency reports, but we can assume that they are similar—or possibly worse in the case of state companies, which leads to a highly authoritarian prospect.

The Telefónica report, matches multiple reported cases, including one that we documented in our 2021 report “Without Rights in #InternetVE”, where we highlight how a Venezuelan human rights NGO was the victim of unauthorized access to a communication service account. The evidence in the case, clearly pointed to the facilitation and interception of SMS messages by their operator. In recent years we have alerted other cases of journalists and civil society actors whose communications have likely been spied on.

The revelations made in the report highlight the need for journalists and their sources, political spokespersons, human rights defenders, and activists to avoid using phone calls or SMS messages to communicate, but rather to use encrypted means of communication such as Signal. Even WhatsApp is better than regular SMS or phone calls.

It also reinforces the need for at-risk users to set up two-factor verification for their accounts using means other than SMS or phone calls, but through authentication apps like Google Authenticator and physical items like security keys.

Highlights of the report

  • Number of phone or internet lines affected by the interceptions: 1,584,547 (21% of Movistar lines)
  • Number lines affected by metadata requests: 997,679 (13% of the lines)
  • Number of telephone and internet lines serviced by Movistar Venezuela: 7,730,000
  • Rate of access requests of both types: 33%
  • The number of lines affected by interceptions increased 7 times since 2016, when there were 234,932 access breaches
  • Movistar Venezuela does not receive requests through judicial orders, but rather from investigative, police, military, and intelligence bodies—and even from the UNES Security University
  • Telefónica recognizes that in 2021 they began blocking 27 different URLs by order of CONATEL

The violation of the right to privacy

For Movistar Venezuela, the competent authorities that have requested the interception of communications in the country include: the Public Ministry (the General Prosecutor’s office), the CICPC (Venezuela’s main criminal investigations agency), police forces “qualified to exercise powers in matters of criminal investigation” and, strangely enough, the National Experimental Security University (UNES).

Similarly, the competent authorities listed to require metadata about communications and subscriber data (things like who a user is calling, how long the calls last, what the subscriber’s data is, etc.) also include the military.

Nowhere does it mention that the orders come from courts or come with the approval of judges, as they do in other countries, which means there isn’t evidence of the validation of courts for these interventions as is required by Venezuelan law, with particular exceptions such as the case of emergencies and flagrant crimes, in which the CICPC can make a direct request—but even in these cases the prosecutor must be notified and it must be included in the file.

The abuse in obtaining communication metadata is also a violation of the rights of individuals when it is not done in a way that human rights. The location of people, with whom they communicate, by what means, for how long, how often, and the content of such communications is sensitive information that has to be appropriately handled by international human rights standards. Any interception of communications must meet at least these conditions:

  • Legitimate goal: You must seek a necessary legal interest in a democratic society that respects human rights, such as investigating a crime.
  • Necessary: ​​A practice that could violate rights should not be used if it is not necessary to pursue those legitimate purposes
  • Proportional: As the use of surveillance interferes with human rights, it should be used only when this is proportional to the seriousness of the crime that is sought to be investigated. The amount of data obtained should be minimized to only what is necessary; the control over this information should be used only for the approved purposes; and irrelevant information should be immediately discarded.
  • It must be adequately supported by the laws.
  • It should be performed under a judicial order of a competent and independent court of the authority focused on the surveillance of communications.
  • Ensuring due process by notifying the person and maintaining the transparency of the whole proceeding.

Privacy is a fundamental and inalienable human right, which in turn is key to the free exercise of freedom of expression and association, among other rights.

Website blocking

Telefónica’s transparency report also shows that the National Telecommunications Commission (CONATEL) requested the blocking of 30 URLs during 2021, another systematic form of human rights violation in Venezuela.

In 2021, VE sin Filtro also documented that at least 68 internet domains and 58 websites were blocked in that period. Movistar is the second ISP with the most documented blocking events, after state-owned CANTV. Out of those 68  blocked domains in Venezuela, 45 belong to media outlets and 3 to organizations that defend human rights.

In 2022, VE sin Filtro documented new blocking events, both by news media and human rights organizations, the most recent in June 2022, where the website of the NGO Justicia, Encuentro y Perdón was blocked by CANTV and Movistar.

Recommendations

  • Movistar should list the number of requests received by government body, also clarifying what percentage is backed by courts. 
  • Movistar should define more clearly what a “real-time” request means and when this information is no longer available to the requesting party. Likewise, it insufficiently defines the possible scope of requests that are not blocked and the concept of accesses affected by the requests.
  • Venezuelans must assume that any unencrypted communication can be tapped without respecting international Human Rights standards.
  • Journalists, human rights defenders, and activists in Venezuela must avoid the use of phone calls, SMS and unencrypted communications on the internet.
  • Journalists, human rights defenders, and activists in Venezuela at risk should enable the use of two-step verification in their internet service accounts, and avoid using SMS or calls as a verification factor and instead use code-generating apps like Google Authenticator and physical items like printed backup codes stored in a safe place, or ideally, use FIDO digital security keys (Yubico is one of the best-known brands) and Google Authenticator backup keys.
  • We recommend using Signal for internet calls and messages and using VPN or Tor Browser to visit web pages that are sensitive in the Venezuelan context.
  • We also recommend the use of VPN to access blocked websites in Venezuela.