This post is the second of two analyzing the risks of approving dangerous and disproportionate surveillance obligations in the Brazilian Fake News bill. You can read our first article here.
Following a series of public hearings in Brazil's Chamber of Deputies after the Senate's approval of the so-called Fake News bill (draft bill 2630), Congressman Orlando Silva released a revised text of the proposal. As we said in our first post, the new text contains both good and bad news for user privacy compared to previous versions. One piece of bad news is the expansion of existing data retention mandates.
Brazil’s Civil Rights Framework for the Internet (known as “Marco Civil”, approved in 2014) already stipulates the retention of “connection logs” and “access to application logs” by the internet service providers (ISPs) and internet applications covered by the law. Internet applications broadly refer to websites and online platforms. According to Marco Civil, application providers constituted as legal entities, with commercial purposes, must collect and retain the date and time the application was used, from a given IP address, for a period of six months. Article 37 of the bill seeks to indirectly expand the definition of “access to application logs” to compel application providers to retain “logs that unequivocally individualize the user of an IP address.”
Since the debates on the approval and further regulation of Marco Civil, law enforcement has pushed for including information about users' network ports in the law’s data retention obligation. They have sought to influence legislation and courts' understanding of the existing retention mandate, since Marco Civil doesn't mention the storage of users' ports. Such a push takes into account the current use of technical solutions (particularly those based on Network Address Translation (NAT)) that enable multiple users to simultaneously share a single public IP address. There is a shortage of public IPv4 addresses, and to help mitigate this issue, NAT allows several private IP addresses to share one public IP address. NAT does this by allocating a range of ports on the public IP to each private IP. However, a server on the internet that records only the public IP address and port still cannot tell which private address was behind it without correlating that information with the internet service provider's logs.
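To make the NAT point above concrete, here is an added example (not code from the original post or from any ISP) that simulates a carrier-grade NAT port-block allocation table and asks which subscribers could have been behind a public IP at a given moment. The ISP log, the public IP (from the 203.0.113.0/24 documentation range), subscriber names and time windows are all constructed; it shows that the date-and-time-plus-IP record Marco Civil already requires yields several candidates, and that narrowing to one subscriber needs both the source port and the ISP's own NAT log, which the application never holds.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed ISP NAT log: each subscriber's private address is leased a
# block of source ports on the shared public IP for a time window.
# Port blocks are reused over time, so the timestamp matters as much as
# the port.  (Hypothetical values for illustration only.)
@dataclass(frozen=True)
class NatLease:
    subscriber: str
    private_ip: str
    public_ip: str
    port_start: int
    port_end: int
    start: datetime
    end: datetime

PUBLIC_IP = "203.0.113.10"
ISP_NAT_LOG = [
    NatLease("subscriber-A", "10.0.0.11", PUBLIC_IP, 1024, 2047,
             datetime(2021, 3, 1, 10, 0), datetime(2021, 3, 1, 12, 0)),
    NatLease("subscriber-B", "10.0.0.12", PUBLIC_IP, 2048, 3071,
             datetime(2021, 3, 1, 10, 0), datetime(2021, 3, 1, 12, 0)),
    NatLease("subscriber-C", "10.0.0.13", PUBLIC_IP, 3072, 4095,
             datetime(2021, 3, 1, 11, 0), datetime(2021, 3, 1, 13, 0)),
    # subscriber-D gets A's old port block once A's lease expires
    NatLease("subscriber-D", "10.0.0.14", PUBLIC_IP, 1024, 2047,
             datetime(2021, 3, 1, 12, 0), datetime(2021, 3, 1, 14, 0)),
]

def candidates(public_ip, when, source_port=None):
    """Subscribers that could have been behind `public_ip` at `when`.

    With only (IP, timestamp), i.e. what an application can log under
    Marco Civil, every subscriber sharing the address at that time is a
    candidate.  Adding the source port narrows the set, but only by
    consulting the ISP's NAT log; the application alone cannot do it.
    Even a single match identifies a subscription (e.g. a household),
    not a specific person.
    """
    matches = set()
    for lease in ISP_NAT_LOG:
        if lease.public_ip != public_ip:
            continue
        if not (lease.start <= when < lease.end):
            continue
        if source_port is not None and not (
                lease.port_start <= source_port <= lease.port_end):
            continue
        matches.add(lease.subscriber)
    return matches
```

Run `candidates(PUBLIC_IP, datetime(2021, 3, 1, 11, 30))` to see three candidates, and add `source_port=2500` to see it collapse to one subscription (a different subscription for port 1500 at 10:30 versus 12:30, because the block was reused).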
Despite controversies in courts and well-founded criticism that judicial interpretation should not expand data retention obligations, recent rulings from the Superior Court of Justice (STJ) have upheld such a troublesome extension. Article 37 of the bill seeks to override this controversy with a language that can go even beyond the problematic retention of networking ports.
The provision forces internet applications to unequivocally individualize the user of an IP address, apparently based on the flawed aspiration of linking a given IP address to a specific user without any margin of error. This language leaves wide room for interpretation by law enforcement and courts, which could severely extend the current data retention mandates, or even force the use of persistent identifiers linked to our every single move online. There are so many variables in internet routing that it is not possible for an application to say unequivocally who is behind a connection.
IP addresses were designed to uniquely identify electronic destinations on the internet, not specific users. While it is sometimes reasonable to assume that a single person has an IP address, for example the address given to a mobile phone, often a single address is given to an entire home, and a single device like a tablet is commonly used by more than one person. Mobile networks bring additional issues that make IP addresses fluctuate. Also, a device switches IP addresses when connected to different Wi-Fi networks. Moreover, for reasons of routing, efficiency, and IPv4 address availability, IP addresses are not statically tied to specific devices.
Companies and individuals operating open wireless networks out of their homes, cafés, public libraries, businesses, and communities that various people can use, or even shared environments where several people use the same devices, are examples of how this can get tricky. Other services, such as Virtual Private Networks (VPNs) and proxy servers, can also make IP addresses unreliable indicators of the identity of a particular person. When connected to a VPN, the IP address visible to the website or app visited is the public IP of the VPN provider, not the one belonging to the user's device.
Sometimes there might even be errors in the records that telecom companies hand to law enforcement authorities. Lastly, IP addresses can be maliciously forged to conceal the origin of the sender or impersonate another computer system. This technique, called IP spoofing, is used in DDoS attacks and could be further exploited by attackers seeking to maliciously frame other users if the aspiration of unequivocally linking an IP address to a user is turned into law and reinforced by courts.
Although an IP address may be enough to pinpoint the person using a device, especially when combined with the date and time the application was used (and when the connection started and finished), that does not dispense with additional checks. However, the provision seems intended to skip this step, making the internet application responsible for checking and unequivocally asserting the individual user of an IP address. Other web identifiers like cookies, for example, can be deleted by the user and are likewise tied to devices that can be used by multiple persons. Hardware identifiers, like the IMEI number, are only visible to applications with special permissions, precisely for privacy and data protection reasons.
IP addresses (and the TCP/IP protocol) are a building block of communications on the internet, underlying the web requests we make and the information we access. They were designed to individualize destinations so that communications can happen and services can reach each other, not to uniquely individualize a user. Besides, advocating for the massive retention of IP addresses turned into unequivocal identifiers of every internet user (the vast majority of whom are law-abiding individuals) runs afoul of international standards of privacy and data protection.
In the landmark Digital Rights Ireland decision, the EU Court of Justice condemned the blanket retention of communications metadata as a violation of privacy and data protection rights under the EU Charter, which was later confirmed by the Tele2/Watson ruling. IACHR and UN human rights standards are clear in rejecting indiscriminate data retention mandates affecting all internet users. Mass data retention also poses security risks.
Marco Civil's debates about the provisions setting data retention obligations were heated and, although the mandates were finally approved, legislators' choice was not to force internet applications to store information readily individualizing or identifying users. This choice was correct and does not prevent the investigation of illegal acts based on the information available.
Article 37 of the bill is not a reasonable ask. Mass retention of communication logs unequivocally individualizing the user of an IP address will lead to severely disproportionate surveillance obligations as well as security risks. Like the traceability rule, Brazilian legislators should drop Article 37 in favor of privacy, free expression, and data protection fundamental rights.