STEPS TO MASS CONTROL? Brazilian Cybercrime Bills Threaten Open Internet For 200 Million People
BRAZILIAN INTERNET FREEDOM activists are nervous. On Wednesday, a committee in the lower house of Congress, the Câmera dos Deputados, will vote on seven proposals ostensibly created to combat cybercrime. Critics argue the combined effect will be to substantially restrict open internet in the country by peeling back the right to anonymity, and providing law enforcement with draconian powers to censor online discourse and examine citizens’ personal data without judicial oversight.
The bills are ripped straight from what has become a standard international playbook: Propose legislation to combat cybercrime; invoke child pornography, hackers, organized crime, and even terrorism; then slip in measures that also make it easier to identify critical voices online (often without judicial oversight) and either mute them or throw them in jail for defamation — direct threats to free speech.
Pakistan, Nigeria, Mexico, Kuwait, Kenya, the Philippines, Peru, the United Arab Emirates, and Qatar have all seen similar proposals recently. Some were met with strong resistance and got shelved, some are still pending, and others made it into law.
“Cybercrime is one of the recurring excuses for creating overbroad legislation which place controls on internet activity,” Katitza Rodriguez, international rights director at the Electronic Frontier Foundation, wrote in an email to The Intercept.
In Brazil, the proposals are the result of the nine-month-long Parliamentary Commission of Inquiry on Cybercrimes, referred to as the CPICiber, created in July 2015 by House President Eduardo Cunha at the request of a congressman from President Dilma Rousseff’s ruling Workers’ Party (PT). The first draft of the report, released on March 30, provoked a massively negative response from civil society groups.
The Brazilian press has not dedicated much coverage to this story — reporters have their hands full with the monthslong political crisis currently enveloping the nation — but the Folha de São Paulo, a major national newspaper, published an editorial on Saturday arguing that the proposals use the “pretext of increasing security” online to “increase the power to censor the web and diminish users’ privacy.” According to Folha, the “provisions attack the pillars of the Marco Civil da Internet, a statute enacted in 2014 which put Brazil at the vanguard of the issue” of internet rights. The paper concluded that “this is the type of control used by countries such as China and Iran.”
One particularly controversial proposal would have required social networks to remove content deemed “offensive to the honor” of politicians within 48 hours of receiving official notification. After public outcry, that section was removed from the second version of the report, but other proposals remain that would force companies to take down prohibited user-generated content, including those deemed to be “crimes against honor and other injuries,” without a unique judicial order.
The CPICiber report contains seven proposed bills (with 20 specific suggestions in all). Among its provisions, it would also:
- Allow for internet services (such as WhatsApp or Facebook) to be unilaterally blocked by a judicial order, a violation of net neutrality. (This actually happened in December of last year, when a judge shut down nationwide access to WhatsApp to pressure its parent company, Facebook, to cooperate in a criminal investigation.)
- Require service providers to grant law enforcement access, without a judicial order, to IP addresses, a device’s unique online fingerprint that can be used to help identify and geolocate a user and reveal certain browsing history.
- Divert 10 percent of public funds originally designated to improve desperately underfunded and overpriced national telecom services and infrastructure to law enforcement agencies.
- Expand the scope and penalties for laws involving hacking and unauthorized access to data, including the criminalization of improper access that “risks misuse or disclosure,” whether or not such misuse actually occurred or involved criminal intent.
Gustavo Gus, co-founder of CryptoRave, a crowdfunded hacker conference in São Paulo, has followed the CPICiber hearings closely. “The police, judiciary, and the Brazilian authorities have not been happy with Silicon Valley’s responses to the Snowden revelations,” he wrote in an email. “Since the Cybercrime CPI was announced, there has been a lot of pressure from these sectors to increase data retention” and expand authorities for mass surveillance, he wrote.
Civil society groups have been suggesting changes since the first draft of the report was issued. Now, the third draft is due to be unveiled and go to a committee vote on Wednesday. If approved, it will then go to a full vote in the lower house of Congress and, if it passes, to the Senate.
“We’re trying to create a dialogue for the final version of the report and we have to try to work together and make it better,” Joana Varon, director of Coding Rights, a group that promotes human rights in the digital arena, told The Intercept, “but a lot of times our proposal is: ‘Please abandon this idea.’”
In a statement emailed to The Intercept, the committee’s chair, Dep. Mariana Carvalho, wrote:
I consider the criticisms against the work of the CPI to be hasty and unfair.
The text is still under construction, having received profound contributions from scholars, providers and organizations representing diverse technology sectors, including the American Electronic Frontier Foundation and the Information Technology Industry Council as well as the Latin American Internet Association.
The initiatives in the CPI report are geared mainly towards affording greater agility, efficacy and security in the combat of crimes practiced in the virtual world. That is to say, the measures do not affect people’s navigation of pages of interest nor does it impede the use of applications of their choice, such as Facebook, WhatsApp, Instagram [and] Snapchat.
Forty-eight civil society groups and academic centers such as the Electronic Frontier Foundation, Article 19, Access Now, Intervozes, and Institute for Technology and Society of Rio de Janeiro have joined Coding Rights to combat the proposed legislation. In a letter to the members of the CPICiber, Tim Berners-Lee, inventor of the World Wide Web, said he was “saddened” by the package, adding, “allowing law enforcement to identify people associated with IP addresses without a warrant would threaten privacy online — creating a chilling effect for freedom of speech, and with knock on effects for business and democracy.”
Dep. Daniel Coelho, a member of the CPICiber, has sharply refuted such arguments. In a tweet, Coelho responded to an article from a leading think tank titled, “Politicians want to censor the internet in Brazil with the excuse of fighting ‘cyber crime,’” saying, “what a ridiculous lie this article is. None of this exists.”
For Varon and many of her colleagues, the CPICiber proposals are especially difficult to accept after having spent years working with government officials to patch together the Marco Civil da Internet, an innovative piece of legislation that Varon calls the “Magna Carta of the internet.” It provides a clear regulatory framework and lays out a broad series of digital rights for all Brazilians, including the right to affordable broadband access and the right to free speech. It was produced through an open and inclusive dialogue.
The package was widely heralded by internet freedom advocates around the world, despite some serious reservations about such things as including mandatory retention of user logs by service providers. Since then, elements of Brazil’s political class have been trying to chip away at some of the newly established rights.
The CPICiber report is “the fruit of a strong conservative wave that has taken over our Câmera dos Deputados,” says Varon. “And when this wave hits the internet, it results in censorship and surveillance. This is a backslide.”
In the last year, a controversial antiterrorism law was passed into law by a president who was once herself imprisoned for being a “terrorist” during the military regime, and a bill debated late last year that would grant sweeping domestic digital espionage powers is waiting to be dusted off the shelf.
EFF’s Katitza Rodrigues warns: “Once one bad bill is adopted in one country, they can spread further into other countries, a domino effect. … Match this to the frustration of governments around the world with their inability to control encrypted communication services, and you create an environment where every country feels entitled to block not just websites, but entire services.”
Varon is worried, too. If the cybersecurity debate “is led by a conservative vision,” she says, then “we end up criminalizing everything, saying that we’re all terrorists, taking common practices and criminalizing them because we don’t understand how the internet works. It’s problematic.”