Copyright trolls typically don’t produce or distribute content, but instead make money off of copyrighted material by using the threat of litigation to shake down people who allegedly download movies and other content over the internet—a business model that invites harassment and abuse. These entities operate in many countries around the world, and have recently cropped up in Brazil, with predatory practices that threaten the due process, privacy, and data protection rights of thousands of internet users.

Fortunately, civil society is on the case, raising awareness, providing guidance, and fighting back on behalf of Brazilians who are being targeted by this problematic business practice.

Brazil’s copyright trolls are using the same playbook as trolls EFF fights against in the U.S. It goes something like this: entities claiming to represent rightsholders such as movie studios find ways to obtain IP addresses that allegedly shared movies online using BitTorrent or other file-sharing systems. The trolls, usually a law firm or “rights management” company, amass large numbers of IP addresses, then file lawsuits to make courts require internet service providers (ISPs) to disclose personal identifying information associated with internet subscribers.

Now armed with names and addresses, copyright trolls send notifications accusing those people of copyright infringement and demanding they pay a settlement to avoid costly lawsuits. Users who aren’t aware of their rights and don’t know how to defend themselves against such threats will pay—the troll profits and moves on to the next set of victims.

There’s a lot wrong with this scheme. Copyright trolls weaponize the courts, filing lawsuits with little evidence and little regard for accuracy. Some name dozens of defendants in a single case, making individual justice all but impossible. They typically target broadband subscribers, who may not have downloaded the copyrighted material. And, as at least one egregious example in Brazil shows, they can lead to the exposure of thousands of people's personal information in violation of privacy and data protection safeguards.

Law firms in Brazil representing U.S. film studios have in recent years targeted thousands of people for alleged use of BitTorrent to download movies online. These people receive notices claiming they have infringed Brazil’s copyright law and offering them a way out: pay the law firm a few thousand reals (about $400) to avoid being sued and racking up hefty legal fees. One firm reported sending more than 60,000 notices. Even if only 15% of those notified decided to pay, the troll would still make millions.

Like trolls elsewhere, trolls in Brazil usually get access to users’ identification, like names and addresses, by obtaining court orders requiring telecommunications companies to disclose subscriber information associated with IP addresses. Regulators and courts often consider subscriber information less sensitive than other categories of data based on the problematic assumption that it doesn’t reveal intimate details of people’s lives and habits. But we know that subscriber information is exactly the kind of information needed to identify users’ internet browsing and communications. Assessing a request for data should not be any less rigorous just because it seeks subscriber data, and should be made on the basis of whether it's necessary and proportionate.

In late 2020, telecom operator Claro, one of the major ISPs in Brazil, turned over the personal information of more than 70,000 subscribers to the law firm Kasznar Leonardo Advogados. The firm, representing a UK company that was tracking non-authorized copies of three films for American production company Millennium Media, had filed a lawsuit, and Claro disclosed the data after receiving a court order.

Shockingly, the data was available on spreadsheets hosted on a Google Drive with unrestricted access. Anyone with credentials to access the court’s electronic system could view the spreadsheets. More than 70,300 entries containing names and addresses of customers from all over Brazil, as well as the details about when and how the movies were downloaded, were exposed. Civil society groups following the case, like Creative Commons Brasil, Coalizão Direitos na Rede, IDEC, and Partido Pirata, pointed out that, because the personal information was disclosed in this manner, it would be complicated to assert that any notices sent to users were coming from Kasznar Leonardo Advogados.

Using the courts to make ISPs turn over subscriber data for the purpose of sending demand letters to tens of thousands of people is highly problematic. Fortunately, some courts and ISPs are taking a stand against copyright trolls. The EU Court of Justice ruled in 2021 that courts must reject a request for information based on copyright infringements if it is unjustified or disproportionate. In 2018, two Danish ISPs won a lawsuit they brought to prevent the identities of their subscribers from being handed over to copyright trolls. Meanwhile, in Brazil, UP Tecnologia, a small ISP, has also taken a stand by notifying users about requests for their data from a company representing U.S. film studios. This gives users the opportunity to defend themselves and take steps to protect their rights.

But more often than not, ISPs turn over subscriber data without a fight.

Brazilian users enjoy certain legal protections against these abuses, and Brazilian courts and ISPs should take them into account. Copyright trolls cite Brazil’s Copyright Law and Article 184 of the country’s penal code in their shakedown letters to scare users and lure them into paying settlements. But Brazilian courts have adopted a restricted interpretation of when copyright infringement is a crime. Criminal prosecutions mainly target people seeking to profit from copyright infringement by selling protected content, not people downloading movies for personal use or sharing for free.

Brazil also has robust data protection safeguards, thanks to the country’s comprehensive data protection law. Courts should abide by its principles when assessing personal data requests, and ISPs must comply with its rules when disclosing user data, including by adopting proper security measures.

The legal framework is there to make it less comfortable for copyright trolls to abusively extract copyright settlements in Brazil. The courts and ISPs should do their part to protect users from their predatory practices. Meanwhile, a group of lawyers was formed to provide free legal assistance to individuals in Brazil who may be sued after receiving a demand letter. The group can be contacted at