This post is the first of two analyzing the risks of approving dangerous and disproportionate surveillance obligations in the Brazilian Fake News bill. You can read our second article here.

The revised text of Brazil’s so-called Fake News bill (draft bill 2630), aimed at countering disinformation online, contains both good and bad news for user privacy compared to previous versions. In a report released by Congressman Orlando Silva in late October, following a series of public hearings in the Chamber of Deputies, the most recent text seeks to address civil society’s claims against provisions harmful to privacy.

Regarding serious flaws EFF previously pointed out, the bill no longer sets a general regime for users' legal identification. Second, it does not require social media and messaging companies to provide their staff in Brazil remote access to user logs and databases, a provision that would bypass international cooperation safeguards and create privacy and security risks. Most importantly, it drops the traceability mandate for instant messaging applications, under which forwarding information would be tracked. We hope all these positive and critical changes are preserved by Members of Congress in the upcoming debates.

However, the text of the bill also has significant downsides for privacy. Among them, Article 18 of the draft legislation will expose some users’ IDs, requiring providers to make publicly available, by default, the national ID number of natural persons paying for content that mentions political parties or candidates, as well as the name of the person who authorized the ad message. Besides the potential for harassment and retaliation based on users' political leanings, the provision creates a trove of personal data for potential political profiling using a national and unique ID number.

These can be cross-referenced with several other government and corporate databases. Even though Brazil’s data protection law sets safeguards for the use of sensitive and publicly available personal data, the stakes here are high. Government "antifascist" dossiers or lists in Brazil, including names of public officials, influencers, journalists, and university teachers, revealed by the press in the last couple of years, are a serious demonstration of the problem.

The bill also establishes that internet platforms can have their activities prohibited or temporarily suspended as part of the penalties for noncompliance. According to Article 2, the draft law applies to social networks, search engines, and instant messaging service providers with over two million users registered in Brazil. Blocking entire websites and internet platforms raises many technical and fundamental rights concerns. International freedom of expression standards emphasize that even blocking just specific content is only permissible in exceptional cases of clearly illegal content or speech not covered by freedom of expression safeguards, such as direct and public incitement to genocide.

Yet, blocking entire internet applications as a penalty for noncompliance with the law clashes with those standards. As stressed by the UN Human Rights Committee, generic bans on the operation of certain sites and systems are not compatible with Article 19, paragraph 3 of the UN's International Covenant on Civil and Political Rights (ICCPR). Similarly, the Council of Europe has recommended that public authorities should not, through general blocking measures, deny access by the public to information on the internet, regardless of frontiers.

Blocking applications to force their compliance with the law is also prone to abuse, even when ordered by courts. We have seen how this can lead to abusive enforcement, for instance, with judicial orders requiring encrypted applications to hand over the content of communications or encryption keys to authorities (like WhatsApp in Brazil or Telegram in Russia). In a constitutional challenge to WhatsApp being blocked in Brazil, Justice Rosa Weber examined the legal provision allegedly authorizing the blocking and rejected any interpretation that entailed punishing providers for failure to comply with a court order to turn over the content of communications “that can only be obtained by deliberately weakening privacy protection mechanisms embedded in the application’s architecture.”

Trial proceedings have been halted since May 2020. In the meantime, provisions in the draft reform of Brazil’s Criminal Procedure Code pose similar threats through assistance obligations. Justice Weber had it right: refusing to deliberately weaken the privacy protections they built into their products should not be grounds for blocking internet platforms. Blocking deprives users of the fundamental right of free expression, and should be approached with extreme caution.

The provision of disproportionate surveillance measures in the Fake News bill raises related red flags. The remainder of this post delves into why the Brazilian legislators must align with the bill's rapporteur and reject the traceability rule. Our second article goes deeper into the perils and flaws of expanding existing data retention mandates in Brazilian law. Following the Brazilian Congress’ recent approval of an amendment explicitly including data protection as a fundamental right under the country's Federal Constitution, legislators should embrace the principle of data minimization and proportionate personal data processing when assessing and voting on the Fake News bill.

Twists and Turns in the Traceability Rule, and Why It Should Stay Out

The dangerous traceability rule, approved in the Senate but wisely dropped in the current version of the bill, forced messaging applications to retain information about who shared communications that have been “massively forwarded.” The provision required three months of stored data showing the complete chain of forwarded communications, including date and time of forwarding, and the total number of users who received the message. Although these obligations were conditioned on virality thresholds, the service provider was expected to temporarily retain this data for all forwarded messages during a 15-day period to determine whether or not the virality threshold was met.

As we have stressed, this provision undermines users’ expectations of privacy and security in messaging services like WhatsApp and iMessage, and raises serious due process concerns. It reverses the burden of proof against users in two dimensions. First, merely sharing a viral message may put a user under suspicion, and place the burden on the user to demonstrate that he or she did not have a malicious intent when forwarding it. Second, the rule blurs the lines between the originator of a communication chain in a messaging application and the actual creator of the message’s content. Although the former does not equate to the latter, as previously explained, it would be up to the originator of the communications chain to prove they are not the content’s author.

An informal alternative version of the bill with changes in the traceability rule was circulated a few days before the official submission of Congressman Silva’s new report. The language of the informal version generically required messaging services to have the ability to identify the original sender of massively disseminated messages (resembling India’s troublesome traceability rules). Even worse than the previous version of the bill, this article did not define what a massively disseminated message meant nor specify time limits for data retention. But just like the previous traceability mandate, it was designed to lead messaging services to collect information about all forwarded messages, regardless of whether they were maliciously shared and even before the message content is deemed a problem.

All in all, both are intended to encourage companies to move away from strong encryption safeguards aimed at ensuring that an adversary can neither confirm nor disconfirm guesses about a message’s content. On WhatsApp, for example, forwarding information is protected and remains encrypted for the messaging provider (even though users can see that a message was forwarded on their devices, this information is encrypted on the company's server side).

Fortunately, the traceability mandate was dropped from the proposal officially presented. The new text sets out a metadata preservation order.

The Proposed Metadata Preservation Order is a More Proportionate Call

According to Article 13 of the current official bill, a court order can direct messaging applications to prospectively preserve and make available interaction records pertaining to specific users for a period of no longer than 15 days, renewable up to a maximum of 60 days. The rule is subject to the same high-level requirements applied to the interception of communications content set out in Law 9.296/1996 (Brazil's Telephone Interception Law). In this case, the preservation of such records occurs after a request relating to specific users, and not by default for users in general.

Interaction records capture the date and time that specific users have sent and received messages and audio calls. There is currently no law directly authorizing judges to order companies to preserve such interaction records. The article prohibits linking the data to the content of communications and voids generic requests. It also disallows orders that exceed the scope and technical limits of the service, therefore preserving secure end-to-end encryption and other privacy-by-design implementations that protect users' data and communications.

Metadata preservation orders in criminal investigations that respect the security and privacy features built into applications can provide relevant information about individuals suspected to be involved in serious crimes. And they do so without jeopardizing the principles of strong encryption and without encouraging massive retention of data associated with the communications of millions of users. As data protection scholar Danilo Doneda argued, this is a much more proportionate proposition.

Nonetheless, the language of the last paragraph of the provision, which allows the judge to require additional information relating to a specific user, still needs tweaking to make explicit that such requests complement the metadata preservation order and, therefore, follow the same privacy-protective requirements.

In line with Congress’ approval of data protection as a fundamental right in the country’s Constitution, and following the safeguards of Brazil’s data protection law, legislators must align with the bill’s rapporteur and reject the traceability mandate in the Fake News bill.