In Myanmar, the phone records of pro-democracy activists connect them together like suspects on a cork board. When many of those activists fled the military crackdown and went into hiding after the coup in February 2021, they believed the trails of phone calls, mapping out their association with family members and colleagues, were safe on networks outside the military’s control. Now they claim that data is in peril.
Like all telecoms companies, Myanmar’s four major operators keep a record of phone call metadata—information about who calls who, when, and for how long. Pro-democracy campaigner Kyaw (not his real name) did not worry much about his metadata even when the coup shocked the country. The activist, who asked for his real name not to be published because he is afraid of being arrested by the military, believed his personal data was safe because he was using a sim card made by Telenor, a multinational headquartered in Norway—a country he associated with democracy and human rights.
But in July that sense of security was shattered when Telenor—the country’s second-largest telecoms business—announced it would leave Myanmar, selling 100 percent of the company to M1, a Lebanese investment group. For the following seven months, the company has been trying to escape Myanmar’s deteriorating security situation and military pressure to install surveillance equipment in its networks. But as Telenor joins other international companies rushing for the exit, the news of its departure prompted panic among human rights activists like Kyaw, who are worried their data could end up in the hands of the military as a result of the sale.
Activists have been scrambling to stop this from happening. More than 470 civil society groups from Myanmar filed a complaint against Telenor’s sale in July. That same month, Kyaw wrote a letter asking the company to delete his personal data—a request he believed Telenor would have to comply with because Norway complies with Europe’s GDPR privacy law. But Telenor’s reply, seen by WIRED, said the GDPR “does not in general apply to Telenor Myanmar,” frustrating Kyaw. “We are paying them, just like the people in the EU are paying but the treatment is very different,” he says. “The worry is that if the regime gets control of this data, they will be able to root out the networks,” says Joseph Wilde-Ramsing, senior researcher at SOMO, a Dutch group that investigates the ethics of multinationals and is helping Kyaw with his case. “If they get one person and they find out the number then they can see who that number has been in contact with and they can track down the family members and the network contacts and the other activists and use that information to target people.”
This week, Kyaw is trying a new approach. On February 8, he filed a legal complaint—in which his real name is redacted—arguing that Telenor’s Myanmar business is subject to GDPR as a subsidiary of a Norwegian company. The complaint, filed to the Norwegian data protection authority, highlights how the telecoms giant has become trapped between wanting to leave Myanmar as quickly as possible and its responsibility to the users who believe the military could use its data to track them down.
“We understand Telenor wants to leave,” says Ketil Sellæg Ramberg, a partner at SANDS law firm in Oslo who is working on the case. “Our concern is they are leaving the country without safeguarding the data of the 18 to 19 million customers.” Ramberg says the complaint is an attempt to inspire the Norwegian data authority to intervene and to prove the Norwegian-headquartered group has control over the data processing in Myanmar—a claim Telenor denies. “None of the data is handled in Norway or the EU and GDPR does not apply to Telenor Myanmar’s customer data handling,” says Telenor spokesperson David Fidjeland.
“The concerning situation in Myanmar has developed in a direction where we are currently in a conflict between local laws on the one hand and our values, international law and human rights principles on the other,” says Fidjeland, adding that this made it “impossible” for the company to stay in Myanmar. Fidjeland confirmed to WIRED that the phone call metadata will be transferred as part of the sales process “to allow continued operations and avoid disruption of services for customers.”
At the heart of the GDPR complaint is activists’ suspicions that the company Telenor has chosen as its successor in Myanmar, M1, may eventually succumb to military pressure to collaborate. “Even though we believe Telenor has fallen short, at least they try to sometimes push back or insist on due process,” says Raman Jit Singh Chima, Asia policy director at digital rights group Access Now. “M1 is regarded as being actively keen to facilitate government surveillance wherever possible in order to ensure market access.” M1 Group did not reply to a request to comment but has in the past described concerns about its ethics as “racist and discriminatory.”
But Telenor’s Fidjeland says the company chose to do business with M1 because it found "no direct relationships” between M1 and the military. Local activists disagreed with that assessment. “That is not true,” says Wai Phyo, a digital rights activist now working for Access Now, who left Myanmar two months ago but did not want to share her current location for fear of military reprisals. “M1 already has investment in the [cell-phone] tower companies which are linked to Mytel, a company which is majority-owned by the military.” Fidjeland, however, describes this as an “indirect relationship.” Mytel did not respond to a request for comment.
One year on from Myanmar’s deadly coup, the military junta continues to be associated with violence against their opponents. Nearly 12,000 people have been arbitrarily detained for voicing opposition to the military, the United Nations said in January, adding that at least 290 have died in detention, “likely due to the use of torture.” Kyaw is well aware of the risks. “If this [data] is transferred to the junta, we will be arrested, tortured and killed,” he says. He is especially worried the military will use his phone records to track down and arrest his family members to force him out of hiding. Local news reports suggest there have been cases where family members, including children, have been detained to force their parents to give themselves up.
Activists hoped the violence would incentivize Telenor—in which the Norwegian government owns a 53.97 percent share—to stay and act as a buffer between the military regime and its customers’ communications data. But for a more sympathetic audience at home, it justifies the company’s attempts to get out. Telenor’s senior executives have been banned from leaving the country and the company has repeatedly raised concerns about its employees’ safety. “They have more than 700 employees there,” says Frank Maaø, telecoms expert at DNB Markets, a Norwegian investment bank. “It’s very important to be realistic about what the alternative is [to leaving] when soldiers with weapons are running up your stairs in another country and your management is not even allowed to leave the country.” Access Now’s Chim believes this argument is being used by Telenor as an excuse to dodge full transparency. “We understand concerns about staff safety are legitimate but we actually think this is being used to suppress information for business reasons and for public relations reasons,” he says.
When Telenor started operating in Myanmar in 2014, the country had just liberalized its telecoms sector and was undergoing a transition away from full military rule. “Many democracy activists and human rights defenders signed up as customers because Telenor came in with this reputation of being very ethical,” says SOMO’s Wilde-Ramsing, who is helping Kyaw with his case. “Part of their sales pitch was, ‘Look, we’re Norwegians, you can trust us.’” Telenor has earned accolades for its efforts to be transparent about the shutdown orders it has received in Myanmar, and in the immediate aftermath of the 2021 coup it lived up to that reputation. When it was forced by the military to shut down the internet or block URLs, the company disclosed those orders on its website.
But on February 14, 2021, those updates stopped. “It is currently not possible for Telenor to disclose the directives we receive from the authorities,” the company said at the time. That was just the start. Before the coup, Telenor had reported being under pressure to install surveillance technology into its networks. After the military takeover, that pressure only intensified. The regime set deadlines for its installation and published a draft cybersecurity bill that would force internet providers to store the personal data of users for three years and hand it over to the military on request.
The intercept technology would give the authorities direct access to “internet service providers systems without case-by-case approval,” according to a December 2020 statement made by Telenor, which has since been removed from its website. Although democratic countries also use this technology to help law enforcement investigate crime, Telenor said at the time the legal safeguards to prevent this technology’s misuse did not exist in Myanmar. Fidjeland says Telenor would not “enable” the intercept equipment in its networks voluntarily, although he declined to comment on whether the technology was already installed “due to well-founded concerns for the safety of our employees.”
It didn’t take long for the coup to start weighing on the business. In results published in May, Telenor wrote off the entire $783 million value of its Myanmar operation, dragging the rest of the company to an overall loss of 3.9 billion Norwegian crowns (more than $445 million). When Telenor announced it would sell to M1, rumors circulated that the military regime also wanted a local partner involved in the deal. Then in January, local news reported that the junta had approved the sale to a partnership of M1 Group and Investcom Myanmar, a company owned by petrol conglomerate Shwe Byain Phyu.
Neither Telenor, M1 Group nor Shwe Byain Phyu have confirmed the involvement of the petrol conglomerate in the deal. Despite this, activists saw the news as confirmation of their worst fears. “Shwe Byain Phyu is a gems trader with deep links to the Myanmar military and no apparent experience operating a telecommunications business,” says Yadanar Maung, a spokesperson at campaign group Justice for Myanmar, pointing to how Shwe Byain Phyu’s chairman, Thein Win Zaw, is a director of another company, Mahar Yoma Public Company, which has a stake in military-owned Mytel. “If the sale goes through, it will be the military in control of Telenor Myanmar and its data.”
Shwe Byain Phyu spokesperson, Kyaw Myo Aung, says the group is not privy to the details of the Telenor sale but describes allegations that the group is linked to the military as “baseless.” “We do not do business with the military and our group chairman, U Thein Win Zaw, has already resigned from the board of directors of Mahar Yoma PLC, which owns just 1 percent of Mytel,” says Kyaw Myo Aung.
It is not only activists who are facing an uncertain future—Telenor employees are too. One staff member, who asks to remain anonymous because he is concerned for his safety, says he will consider leaving the company if the news about Telenor selling to Shwe Byain Phyu is true. “I don't want to work for a military regime, a related company, or a related person,” he says. “I’m strongly against the military takeover. I don't want to give my professional knowledge or my efforts to any of them.”
- 📩 The latest on tech, science, and more: Get our newsletters!
- They were “calling to help.” Then they stole thousands
- Extreme heat in the oceans is out of control
- Thousands of “ghost flights” are flying empty
- How to ethically get rid of your unwanted stuff
- North Korea hacked him. So he took down its internet
- 👁️ Explore AI like never before with our new database
- 🏃🏽♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones
