FAQ: Why Brazil’s Plan to Mandate Traceability in Private Messaging Apps Will Break User’s Expectation of Privacy and Security


Despite widespread complaints about its effects on human rights, the Brazilian Senate has fast-tracked the approval of PLS 2630/2020, the so-called “Fake News” bill. The bill lacked the necessarily broad and intense social participation that characterized the development of the 2014 Brazilian Civil Rights Framework for the Internet and is now in the Chamber of Deputies. The Chamber has been holding a series of public hearings that should be considered before releasing a new draft text.

The traceability debate has mostly focused on malicious coordinated action on WhatsApp, which is the most popular encrypted messaging tool in Brazil. There has been minimal discussion of the impact on other tools and services such as Telegram, Signal, or iMessage. WhatsApp uses a specific privacy-by-design implementation that protects users by making forwarding indistinguishable, to the private messaging app, from other kinds of communications. So when a WhatsApp user forwards a message using the arrow, it serves to mark the forward information at the client-side (and count if it’s more than 5 times or not), but the fact that the message has been forwarded is not visible to the WhatsApp server. In such a scenario, the traceability mandate would take this information, which was previously invisible to the server, and make it visible to the server, affecting the privacy-by-design secure implementation and undermining users’ expectations of privacy and security.

While we do not know how a service provider will implement any traceability mandate nor at what cost to security and privacy, ultimately, any implementation will break users’ expectations of privacy and security, and would be hard to implement to match current security and privacy standards. Such changes move companies away from privacy-focused engineering and data minimization principles that should characterize secure private messaging apps. Below, we will take a deep dive into a series of questions and answers to explain why the current language of two critical issues of the Senate’s bill would undermine human rights:

PROBLEM I: A tech mandate to force private messaging servers to track “massively forwarded” messages sent to groups or lists 

Article 10 of the bill compels private messaging applications to retain, for three months, the chain of all communications that have been “massively forwarded.” The data to be retained includes the users that did the mass forwarding, date and time of forwardings, and the total number of users who received the message. The bill defines “mass forwarding” as the sending of the same message by more than five users, in an interval of up to fifteen days, to chat groups, transmission lists, or similar mechanisms that group together multiple recipients. This retention obligation applies only to messages whose content has reached 1,000 or more users in 15 days.  The retained logs should be deleted if the virality threshold of 1,000 users has not been met in fifteen days.

Many of the most obvious implementations of this article would require companies to keep massive amounts of metadata about all users’ communications, or else to break encryption in order to get access to the payload of an encrypted message. Even if other implementations are possible, we don’t know exactly how any given provider will ultimately decide to comply, and at what cost to security, privacy, and human rights. Ultimately, all such implementations are moving away from the privacy-focused engineering and data minimization that should characterize secure private messaging apps.

When does access to the traceability records occur?

The third paragraph of Article 10 states that access to these records will “only occur with the purpose of determining the liability of mass forwarding illicit content, to constitute evidence in criminal investigation and procedural penal instruction, only by court order” as defined in the Brazilian Civil Framework for the Internet. (In Brazil, defamation liability can be obtained through a moral damage claim under civil law. But it is also a crime. Criminal defamation has been widely criticized by UN Special Rapporteurs on Free Expression and others for hindering free expression.)

The text is ambiguous. In one interpretation, both “mass forwarding purpose” and “criminal investigation” are mandatory elements. This means that the metadata could only be accessed in criminal investigations that involve the mass forwarding of a message. In another interpretation, this article may allow a much broader range of uses of the recorded message history information. In this interpretation, the elements related to the responsibility for massive forwarding of illegal content and to use in criminal investigations are separate, independently permitted uses of the data. In that case, the retained metadata could also be used to investigate illegal acts under civil law related to massively forwarded messages and also could be used for criminal investigations unrelated to massively forwarded messages.

How does traceability break the users’ expectation of secure and private messaging?

In common implementations, including WhatsApp’s, probabilistic end-to-end encryption ensures that an adversary can neither confirm nor disconfirm guesses about a message’s content. That also includes confirming a specific guess that the message was not about a certain topic. In such scenarios, traceability allows someone with access to the metadata to confirm that a user did send a message that was identical to another message (even when the content of that message is unknown). This disconfirms the guess that the user was actually talking about something else entirely, disconfirms the guess that the user was writing something original, and disconfirms many other possible guesses about the content! In general, “forward” vs. “write something new” is a kind of activity that is fundamentally related to knowing something about the content. 

In some cases, the fact that a person forwarded something could be extra-sensitive even when the forwarded item is not necessarily illegal, e.g. when someone who made a threat wants to punish someone for forwarding the threat, or when someone wants to punish a leaker for leaking something. WhatsApp made a specific privacy-by-design implementation that protects users by making forwarding indistinguishable, to the WhatsApp server, from other kinds of communications.
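The following sketch is an added example, not code from this article or from any messaging provider. It shows the server's view of the same text sent by two users under probabilistic encryption, first without and then with a traceability tag. The toy cipher, the user names, and the tag design (a SHA-256 content fingerprint) are assumptions made for illustration, since how a provider would actually comply is unknown.

```python
import hashlib
import secrets
from collections import defaultdict

def _keystream(key, nonce, length):
    # Toy keystream (SHA-256 in counter mode); illustration only, not a vetted cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    # Probabilistic: a fresh random nonce per message, so identical plaintexts
    # yield unrelated ciphertexts.
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce, bytes(a ^ b for a, b in zip(plaintext, ks))

def decrypt(key, nonce, ciphertext):
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))

def send(sender, plaintext, with_tag):
    # Returns what the server stores for one message. The key stands in for a
    # pairwise session key and never leaves the clients.
    key = secrets.token_bytes(32)
    nonce, ct = encrypt(key, plaintext)
    # HYPOTHETICAL traceability tag: a deterministic content fingerprint.
    tag = hashlib.sha256(plaintext).hexdigest() if with_tag else None
    return {"sender": sender, "nonce": nonce, "ct": ct, "tag": tag}

def server_link(records):
    # Group senders by whatever the server can compare for equality:
    # the tag if present, otherwise the raw ciphertext.
    groups = defaultdict(set)
    for r in records:
        groups[r["tag"] or r["ct"].hex()].add(r["sender"])
    return [g for g in groups.values() if len(g) > 1]

def demo(with_tag):
    viral = b"constructed sample: forwarded text"  # constructed sample inputs
    other = b"constructed sample: an original note"
    records = [send("alice", viral, with_tag), send("bob", viral, with_tag),
               send("carol", other, with_tag)]
    return server_link(records)

if __name__ == "__main__":
    print("without tag:", demo(False))
    print("with tag:   ", demo(True))
```

Without the tag the server finds nothing to link; with it, the two senders of the identical text are grouped together even though the server never decrypts anything.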

How does traceability for criminal and civil cases interfere with the right to privacy and data protection?

Traceability in civil and criminal cases creates serious concerns about privacy and freedom of expression. Revealing the complete chain of communication for a massively forwarded message can also be intrusive in a distinctive way beyond the intrusion of revealing individual relationships: the complete history for certain messages may reveal the structure and membership of a whole community, such as people who all share a certain belief or interest, or who speak a certain minority language, even when none of them is actually involved with illegal activities. The avenues are open for abuse.

Brazil is one of the few democracies with a Constitution prohibiting anonymity exclusively in the context of freedom of expression. However, that prohibition does not extend to the protection of privacy nor in accessing information anonymously. Moreover, such a restriction to anonymous speech cannot serve to impede the expression altogether when this protection is crucial to enable someone to speak in circumstances where her life or physical integrity might be at risk. 

The Inter-American Commission on Human Rights (IACHR) Office of the Special Rapporteur for Freedom of Expression has explained that privacy should be understood “in a broad sense as every personal and anonymous space that is free from intimidation or retaliation, and necessary for an individual to be able to freely form an opinion and express his or her ideas as well as to seek and receive information, without being forced to identify him or herself or reveal his or her beliefs and convictions or the sources he or she consults.” Anonymity does not shield Internet users who engage in  “illegal speech” in accordance with international human rights law. In all those cases, the IACHR Office has noted that judicial authorities would be authorized to take reasonable measures to disclose the identity of a user engaged in an illegal act as provided by law. At the United Nations, the Special Rapporteur on Freedom of Expression has also noted that “encryption and anonymity provide individuals and groups with a zone of privacy online to hold opinions and exercise freedom of expression without arbitrary and unlawful interference or attack.” 

What could go wrong with achieving a traceability mandate?

First, forwarding a popular message does not mean you should automatically be under suspicion. In fact, the virality of a message does not change the privacy and due process rights of the original sender nor the presumption of innocence, a core requirement of international human rights law. Second, the first person to introduce some content into a particular private messaging system could be wrongly viewed as or assumed to be the author who massively forwarded an alleged illegal message.  Third, a person who forwarded content by any means other than an app’s forwarding interface could be wrongly viewed as or assumed to be the author. People could be framed as authors of content that they were not actually involved in creating. People could also be more frightened about sharing information if they think it’s more likely that someone will try to punish them for their role in disseminating it (which is also a very disproportionate measure for the huge majority of innocent users of messaging systems). Finally, the line between originating and forwarding messages can be blurred either by the government, leading to overzealous policing, or in the public’s eyes, leading to self-censorship. The latter also creates a serious concern for freedom of expression.

Which assumptions are wrong in the traceability debate in Brazil?

Article 10 seeks to trace back everyone who has “massively forwarded” a message for the purpose of investigation or prosecution of alleged crimes. This includes the originator as well as everyone who forwarded the message, regardless of whether the distribution was done maliciously or not. The supporters of the bill have argued that mass retention of the chain of communication is needed to help trace back who the originator of the message was. 

That assumption is wrong from the outset.

First, while the details of how traceability will be carried out are based on the providers’ implementation choices, it shouldn’t necessarily imply that there will be mass centralized retention. However, that would be the most simple implementation, so we have serious concerns about it. Mass data retention is a disproportionate measure that would affect millions of innocent users instead of only those investigated or prosecuted for an illegal act under criminal or civil law. Mass data retention programs can be arbitrary, even if they serve a legitimate aim and have been adopted on the basis of law. On this front, the UN High Commissioner for Human Rights stated that “it will not be enough that the [legal] measures are targeted to find certain needles in a haystack; the proper measure is the impact of the measures on the haystack, relative to the harm threatened; namely, whether the measure is necessary and proportionate.” These measures are not necessary and proportionate to the problem being solved. 

Second, legislators should take into account that metadata is personal data under Brazil’s data protection law when it relates to an identified or identifiable natural person. This means that companies should limit personal data collection, storage, and usage to data for legitimate, specific and explicit purposes, and such processing should be relevant, proportional, and non-excessive in relation to the purposes for which the data is processed. Recently, the Brazilian Supreme Court issued a landmark decision stressing the constitutional grounds for the protection of personal data as a fundamental right, separate from the right to privacy. As Bruno Bioni and Renato Leite have argued, “The new precedent of the Supreme Court is such a remarkable shift of how the Court has been analyzing privacy and data protection because it changes the focus from data that is secret to data that is attributed to persons and might impact their individual and collect

[…]

