The Brazilian Senate is scheduled to vote this week on the most recent version of “PLS 2630/2020”, the so-called “Fake News” bill. This new version, supposedly aimed at safety and at curbing “malicious coordinated actions” by users of social networks and private messaging apps, will allow the government to identify and track countless innocent users who haven’t committed any wrongdoing in order to catch a few malicious actors.
The bill creates a clumsy regulatory regime to intervene in the technology and policy decisions of both public and private messaging services in Brazil, requiring them to institute new takedown procedures, enforce various kinds of identification of all their users, and greatly increase the amount of information that they gather and store from and about their users. They also have to ensure that all of that information can be directly accessed by staff in Brazil, so it is directly and immediately available to their government—bypassing the strong safeguards for users’ rights of existing international mechanisms such as Mutual Legal Assistance Treaties.
This sprawling bill is moving quickly, and it comes at a very bad time. Right now, secure communication technologies are more important than ever to cope with the COVID-19 pandemic, to collaborate and work securely, and to protest or organize online. It’s also really important for people to be able to have private conversations, including private political conversations. There are many things wrong with this bill, far more than we could fit into one article. For now, we’ll do a deep dive into five serious flaws in the existing bill that would undermine privacy, expression and security.
Flaw 1: Forcing Social Media and Private Messaging Companies to Collect Legal Identification of All Users
The new draft of Article 7 is both clumsy and contradictory. First, the bill (Article 7, paragraph 3) requires “large” social networks and private messaging apps (those that offer service in Brazil to more than two million users) to identify every account’s user by requesting their national identity cards. It’s a retroactive and general requirement, meaning that identification must be requested from each and every existing user. Article 7’s main provision is not limited to identifying a user in response to a court order; it also applies when there is a complaint about an account’s activity, or when the company finds itself unsure of a user’s identity. While users are explicitly permitted to use pseudonyms, they may not keep their legal identities confidential from the service provider. Compelling companies to identify an online user should only be done in response to a request by a competent authority, not a priori. In India, a similar proposal is expected to be released by the country’s IT Ministry, although reports indicate that ID verification would be optional.
In 2003, Brazil made SIM card registration mandatory for prepaid cell phones, requiring prepaid subscribers to present proof of identity, such as their official national identity card, driver’s license, or taxpayer number. Article 39 of the new draft expands that law by creating new mandatory identification requirements for obtaining telephone SIM cards, and Article 8 explicitly requires private messaging applications that identify their users via an associated telephone number to delete accounts whenever the underlying telephone number is deregistered. Telephone operators are required to help with this process by providing a list of numbers that are no longer used by the original subscriber. SIM card registration undermines people’s ability to communicate, organize, and associate with others anonymously. David Kaye, the United Nations’ Special Rapporteur on Freedom of Expression and Opinion, has asked states to refrain from making the identification of users a condition for access to digital communications and online services, and from requiring SIM card registration for mobile users.
Even if the draft text eliminates Article 7, the draft remains dangerous to free expression because authorities will still be allowed to identify users of private messaging services by linking a cell phone number to an account. The Brazilian authorities will have to unmask the identity of the internet user by following domestic procedures for accessing such data from the telecom provider.
Internet users will be obliged to hand over identifying information to big tech companies if Article 7 is approved as currently written, with or without paragraph 3. The compulsory identification provision is a blatant infringement on the due process rights of individuals. Countries like China and South Korea have mandated that users register their real names and identification numbers with online service providers. South Korea used to require websites with more than 100,000 visitors per day to authenticate their identities by entering their resident ID numbers when they use portals or other sites. But South Korea’s Supreme Court revoked the law as unconstitutional, stating that “the [mandatory identification] system does not seem to have been beneficial to the public. Despite the enforcement of the system, the number of illegal or malicious postings online has not decreased.”
Flaw 2: Forcing Social Networking and Messaging Companies to Retain Immense Logs of User Communications
Article 10 compels social networks and private messaging applications to retain the chain of all communications that have been “massively forwarded”, for the purpose of potential criminal investigation or prosecution. The new draft requires three months of storage of the complete chain of communication for such messages, including the date and time of each forwarding and the total number of users who received the message. These obligations are conditioned on virality thresholds and apply when an instance of a message has been forwarded to groups or lists by more than 5 users within 15 days, and the message’s content has reached 1,000 or more users. The service provider is also apparently expected to temporarily retain this data for all forwarded messages during the 15-day period in order to determine whether or not the virality threshold for “massively forwarded” will be met. This provision blatantly infringes on due process rights by compelling providers to retain everyone’s communication before anyone has committed any legally defined offense.
There have also been significant changes to how this text interacts with encryption and with communications providers’ efforts to know less about what their users are doing. These mandatory retention requirements may create an incentive to weaken end-to-end encryption: an end-to-end encrypted service cannot see message content, so it may be unable to comply with provisions requiring it to recognize when a particular message has been independently forwarded a certain number of times without undermining the security of its encryption.
Although the current draft (unlike previous versions) does not create new crimes, it requires providers to trace messages before any crime has been committed, so that the information could be used in the future in the context of a criminal investigation or prosecution of the specific crimes defined in articles 138 to 140, or article 147, of Brazil’s Penal Code, such as defamation, threats, and calúnia. This means, for example, that if you share a message that denounces corruption by a local authority and it gets forwarded more than 1,000 times, authorities may criminally accuse you of calúnia against your local authority.
Companies must limit the retention of personal data to what is reasonably necessary and proportionate to specific legitimate business purposes. This is “data minimization”: the principle that any company should minimize its processing of consumer data. Minimization is an important tool in the data protection toolbox. This bill goes against that principle, favoring dangerous big data collection practices.
Flaw 3: Banning Messaging Companies from Allowing Broadcast Groups, Even if Users Sign Up
Articles 9 and 11 require broadcast and discussion group sizes in private messaging tools to have a maximum membership limit (something that WhatsApp does today, but that not every communications tool necessarily does or will do), and that the ability to reach mass audiences via private messaging platforms must be strictly limited and controlled, even when those audiences opt in. The vision of the bill seems to be that mass discussion and mass broadcast are inherently dangerous and must only happen in public, and that no one should create forums or media for these interactions to happen in a truly private way, even with clear and explicit consent by the participants or recipients.
Suppose an organization like an NGO, or a labor union, or a political party wanted to have a discussion forum among its whole membership or send its newsletter to all its members who’ve chosen to receive it. It wouldn’t be allowed to do this through a tool similar to WhatsApp — at least once some (unspecified) audience size limit was reached. Per articles 9 and 11, the organization would have to use another platform (not a private messaging tool), and so the content would be visible to and subject to the control of its operator.
Flaw 4: Forcing Social Media and Messaging Companies to Make Private User Logs Available Remotely
Article 37 compels large social networks and private messaging apps to appoint legal representatives in Brazil. It also forces those companies to provide remote access to their user databases and logs to their staff in Brazil so the local employees can be directly forced to turn them over.
This undermines user security and privacy. It increases the number of employees (and devices) that can access sensitive data and reduces the company’s ability to control vulnerabilities and unauthorized access, not least because this is global in scale and, should it be adopted in Brazil, could be replicated by other countries. Each new person and each new device adds a new security risk.
Flaw 5: No Limitations on Applying this Law to Users Outside of Brazil
Paragraphs 1 and 2 of Article 1 provide some jurisdictional exclusions, but all of these are applied at the company level—that is, a foreign company could be exempt if it is small (less than 2,000,000 users) or does not offer services to Brazil. None of these limitations, however, relate to the users’ nationality or location. Thus, the bill, by its terms, requires a company to create certain policies and procedures about content takedowns, mandatory identification of users, and other topics, which are not themselves in any way limited to people based in Brazil. Even if the intent is only to force the collection of ID documents from users who are based in Brazil, the bill neglects to say so.
Addressing “Fake News” Without Undermining Human Rights
There are many innovative new responses being developed to help cut down on abuses of messaging and social media apps, both through policy responses and technical solutions. WhatsApp, for example, already limits the number of recipients to which a single message can be forwarded at a time and shows users when a message was forwarded; viral messages are labeled with double arrows to indicate they did not originate from a close contact. However, shutting down bad actors cannot come at the expense of silencing millions of other users, invading their privacy, or undermining their security. To ensure that human rights are preserved, the Brazilian legislature must reject the current version of this bill. Moving forward, human rights such as privacy, expression, and security must be baked into the law from the beginning.
Katitza Rodriguez is EFF’s international rights director. She concentrates on comparative policy of international privacy issues, with special emphasis on law enforcement, government surveillance, and cross-border data flows. Her work in EFF’s International Program also focuses on cybersecurity at the intersection of human rights. Katitza also manages EFF’s growing Latin American programs. She was an advisor to the UN Internet Governance Forum (2009-2010). In 2018, CNET named Katitza one of the 20 most influential Latinos in technology in the United States. In 2014, she was also named one of “The heroes in the fight to save the Internet”.
Seth Schoen has worked at EFF for over a decade, creating the Staff Technologist position and helping other technologists understand the civil liberties implications of their work, EFF staff better understand technology related to EFF’s legal work, and the public understand what the products they use really do. He helped create the LNX-BBC live CD and has researched phenomena including laser printer forensic tracking codes, ISP packet spoofing, and key recovery from computer RAM after a computer has been turned off. He has testified before the U.S. Copyright Office, the U.S. Sentencing Commission, and in several courts.