Product misuse

Addressing the misuse of telecommunications technology in Iran
Nokia Networks
Nokia Networks, a subsidiary of Nokia Oyj, is a multinational telecommunications company with headquarters in Espoo, Finland. The company’s main products, solutions and services are focused on mobile, fixed and converged network technology, as well as related professional services.
Further information:

Dilemma: Alleged abuse of telecommunication technology by the Iranian government

For a number of years, Nokia Networks has provided basic 2G/2.5G mobile networks for MCCI and Irancell, the two mobile network operators in Iran. These basic networks incorporated a standards-based lawful interception capability. In the second half of 2008, Nokia Siemens Networks delivered a ‘monitoring centre‘ (a tool used to activate lawful interception and to analyse intercepted data) to MCCI.

According to media reports, the monitoring center was allegedly misused by the Iranian government after the 2009 election to illegitimately monitor communications of political dissidents. Three months prior to these reports, Nokia Networks had exited the monitoring centre business and sold the related business line to another company called Trovicor.

The challenge Nokia Siemens Networks faced related to the dual use of the monitoring centre. On the one hand, its features allow for the legally required, lawful interception of pre-defined suspects – a right of all states as defined in the constitution of the International Telecommunications Union (ITU) (e.g. for the purposes of addressing national security and serious crime). On the other hand, this otherwise legitimate functionality was allegedly used to infringe upon free speech and the confidentiality of communications of political dissidents.

There were also claims that Nokia Networks had provided Deep Packet Inspection (DPI) solutions in Iran. DPI enables providers of Internet service and other intermediaries to collect and analyse the communications of Internet users. While Nokia Siemens Networks uses DPI in some of its policy control products, it had not provided these in Iran.

Good practice: Engaging with stakeholders to address product misuse

Following these reports, Nokia Networks engaged with different stakeholders through a variety of means, including press releases, clarifying statements on its website a speech in the European Parliament public hearing on ICT companies and discussions with human rights experts and governmental and NGOs to better understand the issues. Engagement efforts were aimed at providing transparency about Nokia Networks' business in Iran, as well as the monitoring centre it sold to MCCI in particular. It also aimed to receive essential input for the strengthening of the company’s internal policies and processes.

Nokia Networks confirmed that the monitoring centre made it possible to intercept communications of pre-determined targets using Iran’s mobile networks. However, for a number of reasons (including the restricted functionality of the monitoring centre (as delivered by Nokia Networks), the fact that in Iran 99.9% of Internet traffic takes place over fixed networks, and the lack of 3G communications) meant that the centre could not be realistically used for the widespread monitoring of internet traffic, international calls, speech recognition or for altering communicated information.

The company noted that a lawful interception capability is legal prerequisite for a licence to operate telecommunications networks in practically all states in the world. It is used by law enforcement authorities to intercept communications in order to combat child pornography, drug trafficking, terrorism and other serious crime. Nokia Networks also noted that this is a standard capability that is included in telecommunications networks of all vendors, and is explicitly referenced in:

  • The constitution of the International Telecommunications Union
  • Several resolutions of the Council of the European Union
  • Technical functionality definitions of the European Telecommunication Standards Institute (ETSI) and the 3GPP (3rd Generational Partnership Project) standards

While emphasising that the sale of the monitoring centre was in compliance with relevant laws, including export controls, Nokia Networks publicly acknowledged that it should have better understood the possible implications for human rights in Iran before providing a monitoring centre to MCCI in 2008.

Results: Revision business and core policies and procedures

Stakeholder engagement helped Nokia Siemens Networks to better understand the complexity of issues surrounding new technologies and human rights. These have now become a particularly pertinent issue for the ICT industry due to events around the ‘Arab spring‘. It has also prompted a review of Nokia Networks products in view of such risks. As a result, Nokia Networks:

  • No longer provides any service or support to monitoring centres in Iran, or anywhere else in the world
  • Has committed to not accepting new customers in Iran except for contract extensions in cases when the company had previously provided networks, products and/or services, provided such extensions are related to the previously installed products
  • Voluntarily restricted itself to meeting only the minimum requirements for passive standards-based elements of lawful interception in its products

Furthermore, Nokia Networks has strengthened its approach to human rights impact assessments to include processes to identify sales cases where some of its products may be at risk of misuse – including the compromising of confidentiality of communications and of freedom of expression. Making decisions on requests to disclose communications now requires a thorough due diligence process and the involvement of senior management. Where necessary, Nokia Networks seeks relevant legal, ethical and other advice.

The whole experience has also led to a creation of a specific human rights policy relating to product misuse. The policy:

  • Re-emphasises Nokia Networks’ respect for the principles and values of the Universal Declaration of Human Rights, including freedom of speech and assembly, as embedded in the company’s Code of Conduct
  • Provides, in the absence of relevant trade regulations, guidance as to the review of sales to countries with poor human rights records and/or high levels of corruption
  • Commits the company to carrying out due diligence when selling certain products in certain countries