President Lula and the Brazilian Cybercrime Bill
Brazilian President Luiz Inacio Da Silva, popularly known as Lula, announced during the recent Fórum Internacional de Software Livre (FISL) that "No one is more creative than we are. What we need is an opportunity. This law here... it doesn't aim to fix the abuse of the Internet. It really tries to impose censorship". He was talking about the controversial Azeredo bill (English translation available here), which aims to establish new criminal offenses that are "performed by the use of an electronic, digital or similar system, networked computers, or that are applied against devices or communication systems and the like".
In front of an audience of free software developers passionately opposed to this cybercrime bill, Lula fell short of promising to exercise his presidential veto (full video here, in Portuguese, and full English translation here), noting that the bill still has to pass through the Brazilian Congress. However, it's clear that he got the message that Brazil's Internet users don't want or need this law and its dangerous repercussions.
The proposed cybercrime law is problematic because its provisions are too vague and too broad, and could criminalize commonplace and trivial behavior. For example, the bill prohibits circumventing an "express access restriction" to obtain "unauthorized access" to a computer network or device, punishable by one to three years in prison. But "express access restriction" is not defined: the provision could capture daily network practices with criminal sanctions even when the most nominal legal, contractual or technological restrictions are in place. Violating a "robots.txt" file with a script, or reverse-engineering a protocol, for instance, could bring the police to your door.
The bill also prohibits dissemination of malicious code in a computer network, punishable by one to three years of imprisonment, with harsher penalties if damage is caused. However, the bill as constructed would extend criminal culpability even to people who unintentionally disseminate code. While the intended purpose for the provision was to go after "phishing scams" it captures just about any Internet user who has received a replicating worm or virus. Several other scenarios of commonplace Internet acts criminalized in the bill are discussed in the thorough analysis written by the members of the Center of Technology and Society (CTS) of the Fundação Getulio Vargas Rio de Janeiro Law School.
Though Brazil is not a signatory to the Council of Europe’s Convention on Cybercrime, Senator Azeredo has made presentations about his bill on behalf of the Brazilian Senate and has been claiming that its passage is necessary in order to join the Convention.
Unfortunately, Azeredo’s bill borrowed only the enumerated crimes from the Cybercrime Convention, and skipped the Explanatory Report's authoritative interpretation of the scope and balance with human rights and privacy. Among its recommendations, the Report clearly states that "legitimate and common activities inherent in the design of networks, or legitimate and common operating or commercial practices should not be criminalized" (#38), and that “the power or procedure shall be proportional to the nature and circumstances of the offence” (#146). Moreover, all provisions should be implemented "with due respect to human rights in the new Information Society" (#6).
This cybercrime bill, as with others enacted and being considered around the world, respond to abstract dangers extrapolated from the physical world with insufficient consideration of how the technical architecture of networks affects criminal culpability. Few provisions require consideration of actual intent. That means that when a computer has been hijacked by viruses or other malware which further disseminated the malicious code, its owners could go to prison. Finally, in a misguided attempt at inflating deterrence, the penalties in the bill have grown out of proportion with other provisions of the Brazilian Penal Code and other relevant criminal legislation.
Another major point of concern in the bill is the requirement that Internet service providers (ISPs) secretly inform the relevant authorities about any complaints they receive containing evidence of crimes committed within their network, without due process or transparency guidelines. The system invites abuse and vigilante actions, rather than facilitating the fight against crime. By making ISPs into judges, the legitimacy of the justice system is undermined and the service offered to customers is diminished.
Without the public attention brought on this bill in Brazil by several civil society organizations, this bill might have become law without any scrutiny. Organizations such as the Center of Technology and Society of the FGV Rio de Janeiro Law School, Mega Não and Trezentos and Brazilian activists Sergio Amadeu, João Carlos Caribé, Omar Kaminski and Idelber Avelar have long been raising awareness, supporting online petitions, and organizing events all over Brazil to warn of the dangers of the bill to Internet users in Brazil.
Their message has reached the President — and, it seems, might yet have reached the Brazilian Congress too. The political pressure generated by the civil society recently led the federal deputy in charge of the Azeredo bill, Julio Semeghini, to assert that Congress might have to abandon the bill altogether, because after removing the most controversial points, "there may be nothing useful left". But the bill is not dead yet. The future of Internet freedom in Brazil still rests with Semeghini and his colleagues in Congress.
The Brazilian activists and their supporters worldwide cannot rest just yet. There is still work to be done to make sure an awful bill does not become a terrible law in Brazil. If you'd like to join them in their fight, sign the petitions, and keep an eye on Brazil's activist sites.