This post was authored by Namrata Maheshwari, a summer 2020 CDT intern and recent graduate of Columbia Law School, and co-authored by Greg Nojeim.
Amid mounting freedom of expression and privacy concerns, the Brazilian Senate has passed an amended version of the “Fake News” bill, formally titled “The Brazilian Internet Freedom, Responsibility and Transparency Act.” The amendments, however, do little in practice to allay the concerns raised by traceability requirements under the previous draft of the bill, outlined in an earlier blog post by CDT. Next, the lower house of the National Congress, the Chamber of Deputies, will vote on the bill before President Bolsonaro signs it into law or vetoes it.
One of the main issues with the bill approved by the Senate is that it retains a problematic and onerous provision on traceability. The provision imposes significant data retention requirements on private messaging services. Under the traceability requirements in the previous draft, messaging service providers had to maintain, for at least one year, records about who originated or forwarded every message carried on their platform. The bill, as approved by the Senate, requires private messaging services to store for three months only the logs of messages sent by more than five users that reach at least 1,000 users. These messages are deemed to have been “broadcasted.” Despite the reduction in scope on its face, the traceability provision remains a cause for concern for various reasons.
First, it makes the protection of users’ privacy and freedom of expression contingent on an irrelevant criterion of virality. Users should not be brought under suspicion and their rights should not be made vulnerable because they drafted or shared a widely circulated message.
Second, it essentially acts as a blanket “technical capability directive” requiring private messaging services to redesign their platforms to develop the ability to trace individual messages – a change that will inevitably weaken encryption mechanisms aimed at protecting privacy and security.
Third, and most importantly, even though the provision requires only retention of message logs pertaining to broadcasted messages, and states that records of messages that reach fewer than 1,000 users must be destroyed pursuant to the data protection law, the feasibility of this mandate is dubious. From a practical standpoint, companies cannot know which of the messages originated or forwarded on their platform will meet the traceability requirements later. Therefore all messages, and not just broadcasted messages, would have to be traceable because of the possibility that any message could go viral. As a result, the purported reduction in the scope of the traceability requirement turns out to be no reduction at all. Overall, the traceability provision will not only violate users’ rights, but may also result in compromising the technological integrity of messaging services and amplifying online security risks.
Further, while the Senate-approved bill ostensibly cuts back on the user and subscriber registration requirement, several ambiguities may jeopardize users’ and subscribers’ rights. It is no longer necessary for users and subscribers to provide their name, address and a valid ID proof in order to access social networks and private messaging platforms. Instead, companies “may” require users and subscribers to confirm their identity if there are reports of non-compliance with the fake news law, evidence of automated or inauthentic accounts, or upon court order. Additionally, social networks and private messaging services must develop technical means to detect fraud in account registration.
There is a lack of clarity as to what constitutes a “report” or “evidence” that may trigger the requirement of confirmation of users’ identity. It is unclear whether the threshold is as low as a complaint by a single user, or a news report, or the launch of an official investigation. Users may therefore be compelled to surrender the confidentiality of their identity without due process, even before a competent authority has commenced an inquiry. This ambiguity, coupled with inadequate safeguards, creates a risk of mass identification, or at least excessive identification, on arbitrary grounds in violation of users’ rights to privacy and freedom of expression.
Moreover, the extent of “technical means” of monitoring that service providers will have to inject into their platforms to comply with the bill is unclear and poses a potential threat to online privacy and security. Given the significant sanction of up to ten percent of their income in Brazil that service providers may face under the law, they may be forced to demand confirmation of users’ and subscribers’ identities on the basis of the slightest suspicion. Thus, while online users and subscribers will not be required to submit identification documents to create an account, once they do have one, there are still numerous ways in which they may be required to reveal personal information that are not aligned with the goal of protecting users’ rights.
Ultimately, not only are these rules overbroad and vague, they directly contradict the principles on which the bill is said to be based: “freedom of expression,” “guarantee[ing] individuals’ right to privacy,” and “guarantee[ing] the reliability and integrity of information systems.” The bill should not be passed as it stands today, and we urge the lower house of Congress in Brazil to make meaningful amendments preserving users’ privacy, freedom of expression, and online security.