A bill pending in the Brazilian Senate (PLS 272/2016) amends the current anti-terrorism law to make it a “terrorist act” to interfere with, sabotage or damage computer systems or databases in order to hinder their operation for a political or ideological motivation. Publicly praising such actions, or other ill-defined terrorism offenses, could lead to a penalty of up to eight years in prison, according to the same bill. Earlier this year, EFF criticized a set of Brazilian “anti-terrorism” bills that seriously threaten free expression and privacy safeguards. PLS 272/2016 is one of them. Now, the new rapporteur appointed in the Senate’s Constitutional Commission is expected to convene a public hearing and release a new report.
Among other key concerns, Brazilian human rights groups have stressed that the bill unduly expands terrorism offenses to cover acts that are already addressed by existing criminal law, singling them out for harsher, disproportionate penalties. Praising or inciting crime and breaking into computer devices are already illegal under the Brazilian Criminal Code. But if the bill passes, similar actions could receive a sentence ten times higher or more.
In addition, the Criminal Code’s offense of breaking into computer devices has a far more detailed formulation than the one drafted in the new bill. As laid down in the Code, liability for this crime requires the violation of a security mechanism with the goal of obtaining, changing or destroying data or information without express or tacit authorization from the owner, or "to install vulnerabilities" to obtain an illicit advantage. By contrast, the bill refers only to a "political or ideological motivation" to disrupt, hinder or impede the operation of systems or databases.
One could claim that taking control over or sabotaging critical infrastructure and essential services, such as power systems, deserves harsher treatment than other forms of malicious intrusion. However, that is not what PLS 272/2016 is about: those acts are already punished severely by the current anti-terrorism law.
To make matters worse, a proposed amendment to the bill drops even the vague requirements for motivation and intent, referring only to "interfere with, sabotage or damage computer systems or databases." If the new rapporteur embraces it, a broad range of acts involving interference with or damage to computer systems could be framed as “terrorist acts.”
Although the current legal definition of terrorism has requirements that limit the application and interpretation of the terrorist acts set out by the law, this and other bills overly broaden that definition. For example, the law limits the crime of terrorism to reasons of xenophobia, discrimination or prejudice of race, color, ethnicity and religion. However, the same amendment to PLS 272/2016 expands it to include "other political, ideological or social motivations." Under this amendment, identifying vulnerabilities in a public system and widely publicizing them to push the government to improve its security could be understood as a terrorist act.
This bill simultaneously increases penalties and broadens the language of existing law. Here’s the problem with that: criminal prohibitions aimed at deterring network or device intrusion can easily and detrimentally impact security research. An overly expansive formulation of the criminal offense could target and impair important and positive security research activities.
The Role of Hackers and Security Researchers
Security researchers and hackers have never been more important to the security of the Internet. By identifying and disclosing vulnerabilities, they are able to improve security for every user who depends on information systems for their daily life and work. While they play a key role in uncovering and fixing flaws in the software and hardware that everyone uses, their actions are often misunderstood.
For example, at the 2010 Black Hat technical security conference in Las Vegas, professional security researcher Barnaby Jack publicly demonstrated that it was possible to bypass security measures on ATMs and program them to dispense money. Given the widespread use of ATMs, there is a strong public interest in shedding light on these kinds of security flaws, pushing vendors to respond in a timely fashion to information about vulnerabilities and to build machines and systems with the highest security standards possible. Jack was supposed to have given the talk at the conference the previous year, but his employer at the time, Juniper Networks, pressured him to cancel it after receiving a complaint from an ATM vendor. As a result, ATMs remained vulnerable for an entire year after Jack first intended to make the flaws publicly known.
EFF's Latam Coder's Rights Project demonstrates that rights recognized by the American Convention on Human Rights provide an important baseline to protect the crucial activities of hackers and security researchers, along with ensuring the secure development of the Internet and other digital technologies. Cybercrime offenses must be precisely tailored and include both malicious intent and actual damage. Penalties must be proportionate and criminal law cannot serve as a response to socially beneficial behavior by security researchers.
We hope that Brazil’s legislators carefully consider these standards and acknowledge the potential harm that a broad, excessive cybercrime provision could impose on society as a whole. We should also take into account that vague, unnecessary, and disproportionate anti-terrorism legislation jeopardizes exactly the core legal values and fundamental rights it was supposed to protect. PLS 272/2016 is a demonstration of this risk, and EFF will continue to monitor its progress.