Cybersecurity & Standards, Free Expression, Government Surveillance, Privacy & Data
Traceability Under Brazil’s Proposed Fake News Law Would Undermine Users’ Privacy and Freedom of Expression
By CDT Namrata Maheshwari, CDT Summer Intern, a Columbia Law School graduate working on tech policy issues in India and globally [Twitter / LinkedIn]
Brazil’s Senate is about to consider PL 2630/2020, known as the “Fake News Law,” to combat the spread of disinformation on online social networks. Even though the bill is still evolving and has been considered through an expedited and anomalous legislative process during the COVID-19 pandemic, the current draft strikes at foundational elements of a democratic internet: privacy and freedom of expression.
A major focus of the bill is on mass identification and traceability of communications in order to combat the spread of “fake news” which has not been defined in the bill. The bill would require users to provide proof of identity, including name, address, and a valid ID proof, as a precondition for access to social networks such as Facebook, WhatsApp, and Twitter. Further, it criminalizes users’ creation and operation of inauthentic accounts, unidentified automated accounts, or unidentified artificial distribution networks under Brazil’s Criminal Organization and Money Laundering laws. Platforms that fail to disallow such accounts are subject to fine and temporary suspension of activities. Determining whether an account falls under these categories would require companies to establish monitoring procedures that may violate users’ right to privacy and free speech. These laws also stipulate that police and prosecutors may access users’ registration data, including names and addresses, without prior judicial authorization and without even having opened a criminal investigation.
The ability to trace messages back to the origin is cemented by placing a massive and indiscriminate data retention obligation on social networks. Platforms would be required to track all chains of communication and retain the metadata irrespective of the nature of the message or the intention with which it was shared. This traceability mandate is contrary to international norms on the principle of data minimization, and as a result of its implementation, even if a user was not the creator of content found to be problematic or was sharing the content merely to condemn it, the user’s personal data would still be associated with the impugned chain of communication and consequent investigations.
If enacted, the legislation would undermine end-to-end encryption, a core privacy promise of which is that only the original sender or original recipient of the message could attest to the origin of the message. One example of how a traceability requirement when implemented would undermine this promise: a messaging platform could embed an identifier in the metadata accompanying a message, and that identifier could be used to attribute the original message to the person who originated it. In fact, as the message is forwarded or otherwise shared from user to user, identifiers of each user in a chain of communications could be added to the message metadata, putting at risk the anonymity of each user. Law enforcement officials would be empowered to compel the messaging platform to disclose the account information (name, valid ID proof, and address) linked to all users in the chain of communication. This would be the case regardless of whether the user was the originator of the message, or had simply shared it without the intention of endorsing it.
For example, Alice sends a message to Bob who copies the text of the message to Carlos who forwards the copied text to Dionne who forwards it to Edward, Elena and Emma. Edward decides that the message is fake news and shares it with law enforcement for action. At present, platforms that offer end-to-end encryption are not in a position to trace the trajectory of a message and identify all the users involved in the communication chain. But under the bill, the messaging platform could effectively be required to attach an identifier pertaining to each user in the message chain. Those identifiers would enable law enforcement to obtain the name, ID proof, and address of every user, from Alice to Emma.
If enacted, users of social media would be required to make an unfair choice between expressing themselves freely and protecting their privacy. Anonymity and confidentiality are vital for privacy in the virtual space, and empower users to exercise their freedom of expression free from threat of reprisals. In a democracy, it is particularly important to preserve anonymity and encryption on social networks as they make it possible for political dissidents and vulnerable groups to communicate safely.
The traceability provisions are predicated on the aim of fighting so-called “fake news.” However, the ambiguity of the term “fake news” further exacerbates the bill’s potential to quell free expression and impede the right to privacy. Leading human rights experts, including the UN Special Rapporteur on Freedom of Opinion and Expression, have warned that prohibitions on dissemination of information premised on vague and ambiguous concepts such as “fake news” are incompatible with international standards of freedom of expression and should be abolished.
Further, one of the sanctions under the bill is temporary suspension of the social network or private messaging service provider’s activities. Rather than risk a total shutdown, social networks and private messaging service providers would be forced to implement the provisions of the bill in a harsh manner and restrict accounts where there is even an iota of doubt in order to protect themselves from suspension. The penalty is not only detrimental to users’ rights but also unreasonable and disproportionate.
Apart from being incongruous with democratic principles and international norms on internet regulation, the bill also runs counter to Brazil’s own internet bill of rights, or Marco Civil da Internet (MCI), which came into effect in 2014. The MCI, a result of extensive debate and public consultation, seeks to protect users’ privacy, personal data and freedom of expression, and limits the liability of internet service providers.
Brazil is not the only country considering imposition of a traceability requirement. Similar “fake news” legislation is pending before the Parliament in India.
We hope that the Senate in Brazil will reconsider the provisions of the bill through the lens of prioritizing and protecting users’ right to privacy and freedom of expression, and incentivizing social networks to maintain a technological infrastructure that ensures strong encryption and cybersecurity.