Norway’s Telenor may soon commit an “egregious breach” of EU sanctions in Myanmar by selling a surveillance system to a junta-linked company that will allow the military to spy on millions of phone and internet users in real time, Myanmar Now has learned.
The company’s widely criticized—and allegedly illegal—sale of its Myanmar operations will include a so-called Lawful Interception system made by a German firm called Utimaco, according to leaked documents and current and former Telenor staff.
“The intercept system was installed at Telenor Myanmar a few years ago,” a Telenor staff member told Myanmar Now on condition of anonymity. “But it’s not just Telenor. All other operators in Myanmar had to install it as well.”
The staff member added: “I am not sure whether other operators have given the authorities access to the intercept system but Telenor did not because there is no relevant law for us to do so.”
It is feared that after the sale, the new military-linked owner will allow the junta free rein to use the system, drastically strengthening its surveillance powers as it continues a nationwide campaign of terror to crush resistance to its rule.
Utimaco’s systems are designed to help telecoms firms comply with electronic surveillance laws around the world. The company’s website says the technology “intercepts a range of public communications services in real-time, including phone and video calls, messages… faxes, e-mails… file transfers and other Internet services.”
Documents leaked to the activist group Justice For Myanmar, and seen by Myanmar Now, show that Telenor purchased the system from China’s Huawei in February 2018 and installed it in May of the same year, just weeks after the EU prohibited the transfer of surveillance technology to Myanmar.
The April 2018 EU regulationwhich was implemented under Norway’s Sanctions Act, banned the provision of “telecommunication or internet monitoring or interception services of any kind” to Myanmar’s government, whether directly or indirectly.
Although the system was purchased before the sanctions were passed, Justice For Myanmar spokesperson Yadanar Maung argues that Telenor violated the new ban by installing the system.
“This egregious breach of EU sanctions must be investigated by the Norwegian and German governments,” she said.
The Utimaco system was integrated into the military-run Ministry of Home Affairs’ monitoring center in 2020, with a fiber optic cable linking the ministry to the system, Myanmar Now understands.
But Telenor sources say the ministry, which oversees both the police and its spy agency, Special Branch, was not granted access to customers’ communications via the system; it was merely a legal requirement to have the infrastructure installed so that authorities could request access if needed.
Telenor has received approval from the junta’s telecoms regulator for the sale of its operations to the Lebanese company M1 Group. It is now awaiting permission from the Myanmar Investment Commission, according to Myanmar Now’s sources.
After the sale, M1 Group will transfer a majority stake in the venture to a local company with close military ties called Shwe Byain Phyu.
Justice For Myanmar called on the Norwegian and German governments to intervene and stop the sale.
“A serious sanctions violation is about to occur through Telenor’s transfer of their Lawful Intercept gateway,” Yadanar Maung said. “It must be stopped before it’s too late and this dangerous equipment falls into the hands of the military-linked company, Shwe Byain Phyu.”
In a legal memo published on Wednesday, barristers Felicity Gerry QC and Daye Gang wrote that “Telenor’s legal liability regarding intercept equipment requires further scrutiny.”
Since last year’s military coup, Telenor Myanmar has complied with more than 200 requests from the junta to share sensitive user data, including call histories and last-known locations. Telenor complied with the requests despite concerns that they were based on information obtained by the junta through torture, a company source told Myanmar Now last month.
Telenor spokesperson Cathrine Stang Lund neither confirmed nor denied that the company will transfer a Utimaco surveillance system to M1 Group as part of the sale. The company is exiting Myanmar precisely because of concerns about surveillance, she said.
“A key reason why Telenor is selling Telenor Myanmar is that we cannot activate intercept equipment, which all operators are required to,” she said. “This situation is extreme and difficult, with significant challenges. Telenor must ensure its exit happens in a manner that does not increase the security risk for our employees, and that remains our key priority now.”
In a comment provided to Justice For Myanmar, Utimaco said it had not breached EU sanctions.
“With the introduction of EU export regulation which was published on 27 April 2018, Utimaco informed its international business partners that Utimaco ends all activities regarding partner projects in Myanmar,” the company told the group.
It added: “In compliance with EU export law, Utimaco has also not delivered any products or services nor provided any support via indirect partners in Myanmar since then.”
Telenor’s sale also involves the transfer of historical metadata, which critics have argued will be used by the junta to track down dissidents.
Last month, a Myanmar citizen filed a complaint at the Norwegian Data Protection Authority seeking to prevent the transfer of user data.