The world’s attention is rightly focused on the terrible new National Security Law in Hong Kong. But, as ever, there are bad things happening to human rights elsewhere as well. For example, in Brazil a new law that supposedly deals with “fake news” is close to being passed. That’s problematic in itself; but as so often, there are serious knock-on effects that will threaten privacy too. Brazil’s attack is particularly disappointing because just two years ago it passed a data protection law. It was closely modelled on the EU’s GDPR, and as such offered “respect for privacy, freedom of expression, information, communication and opinion, and informational self-determination”, as the IAPP puts it. The Electronic Frontier Foundation (EFF) has provided an analysis of the new law, which it says:
creates a clumsy regulatory regime to intervene in the technology and policy decisions of both public and private messaging services in Brazil, requiring them to institute new takedown procedures, enforce various kinds of identification of all their users, and greatly increase the amount of information that they gather and store from and about their users. They also have to ensure that all of that information can be directly accessed by staff in Brazil, so it is directly and immediately available to their government.
Initially, the law would have required “large” social networks and private messaging services – that is, those that offer services in Brazil, and have more than two million users – to identify every account’s user by gathering information derived from national identity cards. That’s in addition to a long-standing requirement for users of prepaid mobile phones in Brazil to present proof of their identity. Thankfully, at the last minute, an amendment watered this down somewhat. Now, under the revised text, companies “may” demand identification from users “where there are complaints of non-compliance with the “fake news” law, or when there is reason to suspect they are bots, are behaving inauthentically, or assuming someone else’s identity.”
In addition, a requirement that Internet companies would check with Brazil’s mobile operators to find out which phone numbers had their contract terminated, in order to suspend the related accounts online, has also been modified. Now this only applies to private messaging services, and to accounts “exclusively linked to cell phone numbers”, and not social media in general. However, that is still an onerous requirement, and it’s easy to imagine mistakes being made – either leaving accounts active that shouldn’t be, or shutting down the wrong ones.
Similarly, an initial requirement to retain the “chain of all communications” that have been “massively forwarded”, for the purpose of potential criminal investigation or prosecution, has been cut back. It still applies to private messaging services, but excludes social networks. Since it is never evident which particular messages will go viral, this requirement inevitably means that all messages will need to be logged, otherwise it will be impossible to work out that “chain of communications”. It seems an impractical approach, and one that could have a chilling effect on people’s use of private messaging.
Those amendments make bad ideas slightly less problematic, but they are vague, which means that they will be hard to implement properly, and could still be used in ways that undermine privacy. Other elements of the original proposals remain untouched, flaws and all. For example, probably the most dangerous and ill-thought-out requirement is that large social networks and private messaging apps must appoint legal representatives in Brazil. As part of that, it also forces these companies to allow their staff in Brazil to access remotely the main user databases. The idea here seems to be that this will make it easier for the Brazilian authorities to demand information from companies by compelling local employees to comply.
This is clearly a terrible idea, since it potentially creates a local vulnerability for accessing global data. If anyone wants to break into Facebook or Instagram, say, Brazil will be the obvious place to try to do that. Moreover, as the EFF points out, now that Brazil has set a precedent, other countries may well demand similar local access. That would then create multiple points of weakness for global databases – diminishing the overall security of user data even more. That’s a useful reminder that what might appear to be a serious, but local problem for Brazilians actually has implications for everyone, wherever they are in the world. It’s another reason why we should care about threats to privacy in other countries.
Similarly, the stronger that privacy becomes elsewhere, the greater the beneficial effects that are likely to flow in other parts of the world. That’s been most evident with the GDPR. For all its undoubted shortcomings, it has created a benchmark against which other data protection legislation can be measured. It led to a strong privacy law being passed in Brazil, which will at least provide digital rights campaigners with a legal foundation for challenging the new “fake news” law if it is passed in its present form. As the EFF tweeted, the bill is now in Brazil’s Chamber of Deputies, so there is still a chance to make further improvements to this badly-flawed legislation.
Featured image by Boris Kasimov.