Update: On Tuesday night (6/30), the Brazilian Senate approved the “PLS 2630/2020”, the so-called “Fake News” bill. A final amendment cut back on article 7 “Account Registration” so that mandatory identification no longer applies to all users and is, in principle, optional in general. Under the revised text, companies "may" demand identification from users where there are complaints of non-compliance with the "fake news" law, or when there is reason to suspect they are bots, are behaving inauthentically, or assuming someone else's identity. Social networks and private messengers app are also expected to create some means of detecting fraud in account creation (Article 7, paragraph one). These new provisions seem to match most companies' existing practices but may be expanded to also include those new obligations established in the "fake news" bill.

An amendment narrowed article 8 “Account Registration” so that it applies only to private messaging accounts "exclusively linked to cell phone numbers" (still potentially tremendously confusing in practice); private messaging services are ordered to check with mobile operators which numbers had their contract terminated in order to suspend the related accounts in the app. This provision now excludes social networks.

An amendment removed “within the scope of its service” from article 9 that says that private messaging services must limit the size of private groups and lists. This last change can potentially undermine innovation of future products based upon peer-to-peer messaging systems that, by design, can not control the size of a group.

Another amendment cut back on article 10 "the traceability provision", forcing only private messaging applications to retain the chain of all communications that have been “massively forwarded” for the purpose of potential criminal investigation or prosecution. Previous versions of the bill, as explained in our post below, also included social networks. The virality of a message and thresholds do not change the privacy and due process rights of the original sender. Forwarding a popular message does not mean you should automatically be under suspicion. The traceability provision is a "tech mandate" that compels private messaging apps to change their privacy-by design platform to weaken its privacy protections.

All the other parts of the provisions discussed in this post remained intact.

---
The original article was published on Monday morning, June 29th, 2020. 

The Brazilian Senate is scheduled to make its vote this week on the most recent version of “PLS 2630/2020” the so-called “Fake News” bill. This new version, supposedly aimed at safety and curbing “malicious coordinated actions'' by users of social networks and private messaging apps, will allow the government to identify and track countless innocent users who haven't committed any wrongdoing in order to catch a few malicious actors. 

The bill creates a clumsy regulatory regime to intervene in the technology and policy decisions of both public and private messaging services in Brazil, requiring them to institute new takedown procedures, enforce various kinds of identification of all their users, and greatly increase the amount of information that they gather and store from and about their users. They also have to ensure that all of that information can be directly accessed by staff in Brasil, so it is directly and immediately available to their government—bypassing the strong safeguards for users’ rights of existing international mechanisms such as Mutual Legal Assistance Treaties.

This sprawling bill is moving quickly, and it comes at a very bad time. Right now, secure communication technologies are more important than ever to cope with the COVID-19 pandemic, to collaborate and work securely, and to protest or organize online. It’s also really important for people to be able to have private conversations, including private political conversations. There are many things wrong with this bill, far more than we could fit into one article. For now, we’ll do a deep dive into five serious flaws in the existing bill that would undermine privacy, expression and security.

Flaw 1: Forcing Social Media and Private Messaging Companies to Collect Legal Identification of All Users

The new draft of Article 7 is both clumsy and contradictory. First, the bill (Article 7, paragraph 3) requires “large” social networks and private messaging apps (that offer service in Brazil to more than two million users) to identify every account’s user by requesting their national identity cards. It’s a retroactive and general requirement, meaning that identification must be requested for each and every existing user. Article 7 main provision is not limited to  the identification of a user by a  court order, also including when there is a complaint about an account’s activity, or when the company finds itself unsure of a user’s identity. While users are explicitly permitted to use pseudonyms, they may not  keep their legal identities confidential from the service provider. Compelling companies to identify an online user should only be done in response to a request by a competent authority, not a priori. In India, a similar proposal is expected to be released by the country’s IT Ministry, although reports indicate that ID verification would be optional.

In 2003, Brazil made SIM card registration mandatory for prepaid cell phones, requiring prepaid subscribers to present a proof of identity, such as their official national identity card, driver’s license, or taxpayer number. Article 39 of the new draft expands that law by creating new mandatory identification requirements for obtaining telephone SIM cards, and Article 8 explicitly requires private message applications that identify their users via an associated telephone number to delete accounts whenever the underlying telephone number is deregistered. Telephone operators are required to help with this process by providing a list of numbers that are no longer used by the original subscriber. SIM card registration undermines peoples’ ability to communicate, organize, and associate with others anonymously. David Kaye, United Nations’ Special Rapporteur on Freedom of Expression and Opinion have asked states to refrain from making the identification of users a condition for access to digital communications and online services and requiring SIM card registration for mobile users;

Even if the draft text eliminates Article 7, the draft remains dangerous to free expression because authorities will still be allowed to identify users of private messaging services by linking a cell phone number to an account. The Brazilian authorities will have to unmask the identity of the internet user by following domestic procedures for accessing such data from the telecom provider.

Internet users will be obliged to hand over identifying information to big tech companies if Article 7 is approved as currently written, with or without paragraph 3. The compulsory identification provision is a blatant infringement on the due process rights of individuals. Countries like China and South Korea have mandated that users register their real names and identification numbers with online service providers. South Korea used to require websites with more than 100,000 visitors per day to authenticate their identities by entering their resident ID numbers when they use portals or other sites. But South Korea’s Supreme Court revoked the law as unconstitutional, stating that "the [mandatory identification] system does not seem to have been beneficial to the public. Despite the enforcement of the system, the number of illegal or malicious postings online has not decreased.”

Flaw 2: Forcing Social Media and Private Messaging Companies to Track and Retain Immense Logs of User Communications  

A Brazilian political cartoon of a man being arrested by a police officer in his home.

Man: What happened? Police officer: You shared that message that went viral accusing someone of a corruption scheme. They’re saying that it’s a lie and is calúnia. Descriptive text: It’s easy to imagine how the new traceability rule could be abused and make us all afraid to share content online. We can’t let that happen.

Article 10 compels social networks and private messaging applications to retain the chain of all communications that have been “massively forwarded”, for the purpose of potential criminal investigation or prosecution. The new draft requires three months of data storage of the complete chain of communication for such messages, including date and time of forwarding, and the total number of users who receive the message. These obligations are conditioned on virality thresholds and apply when an instance of a message has been forwarded to groups or lists by more than 5 users within 15 days, where a message’s content has reached 1,000 or more users. The service provider is also apparently expected to temporarily retain this data for all forwarded messages during the 15-day period in order to determine whether or not the virality threshold for “massively forwarded” will be met. This provision blatantly infringes on due process rights by compelling providers to retain everyone’s communication before anyone has committed any legally defined offense. 

There have also been significant changes to how this text interacts with encryption and with communications providers' efforts to know less about what their users are doingThis provision may create an incentive to weaken end-to-end encryption, because end-to-end encrypted services may not be able to comply with provisions requiring them to recognize when a particular message has been independently forwarded a certain number of times without undermining the security of their encryption. 

Although the current draft (unlike previous versions) does not create new crimes, it requires providers to trace messages before any crime has been committed so the information could be used in the future in the context of a criminal investigation or prosecution for specific crimes defined in articles 138 to 140, or article 147 of the Brazil’s Penal Code, such as defamation, threats, and calúnia. This means, for example, that if you share a message that denounces corruption of a local authority and it gets forwarded more than 1,000 times, authorities may criminally accuse you of calúnia against your local authority. 

Companies must limit the retention of personal data to what is reasonably necessary, proportionate to certain legitimate business purposes. This is “data minimization,” that is, the principle that any company should minimize its processing of consumer data. Minimization is an important tool in the data protection toolbox. This bill goes against that, favoring dangerous big data collection practices.

Flaw 3: Banning Messaging Companies from Allowing Broadcast Groups, Even if Users Sign Up

Articles 9 and 11 require broadcast and discussion group sizes in private messaging tools to have a maximum membership limit (something that WhatsApp does today, but that not every communications tool necessarily does or will do), and that the ability to reach mass audiences via private messaging platforms must be strictly limited and controlled, even when those audiences opt in. The vision of the bill seems to be that mass discussion and mass broadcast are inherently dangerous and must only happen in public, and that no one should create forums or media for these interactions to happen in a truly private way, even with clear and explicit consent by the participants or recipients.

Suppose an organization like an NGO, or a labor union, or a political party wanted to have a discussion forum among its whole membership or send its newsletter to all its members who’ve chosen to receive it. It wouldn't be allowed to do this through a tool similar to WhatsApp — at least once some (unspecified) audience size limit was reached. Per articles 9 and 11, the organization would have to use another platform (not a private messaging tool), and so the content would be visible to and subject to the control of its operator.

Flaw 4: Forcing Social Media and Messaging Companies to Make Private User Logs Available Remotely

Article 37 compels large social networks and private messaging apps to appoint legal representatives in Brazil. It also forces those companies to provide remote access to their user databases and logs to their staff in Brazil so the local employees can be directly forced to turn them over. 

This undermines user security and privacy. It increases the number of employees (and devices) that can access sensitive data and reduces the company's ability to control vulnerabilities and unauthorized access, not least because this is global in scale and, should it be adopted in Brazil, could be replicated by other countries. Each new person and each new device adds a new security risk. 

Flaw 5: No Limitations on Applying this Law to Users Outside of Brazil 

Paragraphs 1 and 2 of Article 1 provide some jurisdictional exclusions, but all of these are applied at the company level—that is, a foreign company could be exempt if it is small (less than 2,000,000 users) or does not offer services to Brazil. None of these limitations, however, relate to the users’ nationality or location. Thus, the bill, by its terms, requires a company to create certain policies and procedures about content takedowns, mandatory identification of users, and other topics, which are not themselves in any way limited to people based in Brazil. Even if the intent is only to force the collection of ID documents from users who are based in Brazil, the bill neglects to say so.

Addressing “Fake News” Without Undermining Human Rights

There are many innovative new responses being developed to help cut down on abuses of messaging and social media apps, both through policy responses and technical solutions. WhatsApp, for example, already limits the number of recipients of a single forwarded message at a time and shows users that messages were forwarded, viral messages are labeled with double arrows to indicate they did not originate from a close contact. However, shutting down bad actors cannot come at the expense of silencing millions of other users, invading their privacy, or undermining their security. To ensure that human rights are preserved, the Brazilian legislature must reject the current version of this bill. Moving forward, human rights such as privacy, expression, security must be baked into the law from the beginning.