By André Fernandes, André Ramiro, and Raquel Saraiva
Bill No. 2630/2020, which aims to establish the Brazilian Law on Freedom, Responsibility and Transparency on the Internet, has been under discussion since mid-2020 among the National Congress, experts and digital rights activists. The bill was approved in the Senate and is now under debate in the House of Representatives, going through a cycle of thematic public hearings aimed at untangling some of the more sensitive and contentious aspects of the proposal.
A questionable highlight is Article 10, which establishes a system for tracking messages in private messaging applications, a regime that has become known in the public debate as “traceability.” According to the mechanism presented in the bill, private messaging platforms should “save records of bulky sent messages for three months”, with bulky messaging defined as “sending the same message by more than five users, within up to 15 days, to chat groups, broadcast lists, or similar mechanisms”.
This provision was designed in light of the episodes seen since the 2018 elections, to keep the public debate from being contaminated by the spread of disinformation in an environment where information cannot be verified and disperses very quickly. Although this is a problem that must be addressed, given the social corrosion it has been causing, some arguments deserve to be presented against the proposed remedy.
Despite sufficient clarification, from the academic community and from groups dedicated to guaranteeing rights online, about the security risks of interfering with cryptography, the debate is being reset under “new” terms: instead of traceability for all communications in messenger applications, only messages sent in public groups would be recorded. Such a distinction (between public and private groups, or public and intimate communication) does not deserve to prosper, nor does any differentiated treatment between them. However, since the debate has been framed in these terms, the dichotomy will be assumed for argumentative purposes.
It is claimed that, on the one hand, interpersonal messages – between two people – carry a greater need for privacy protection, while, on the other hand, public groups would be “reportedly” accessible and visible and therefore would not deserve the same level of protection. Several reasons make it clear that this assertion is politically contestable and technically fragile.
The seesaw of risks and ineffectiveness
Although the distinction gives the monitoring mechanism an appearance of greater reasonableness and proportionality, some fragile points deserve to be demystified. The degree of publicity given to a public group — on WhatsApp, for example — does not go beyond the act of sharing by one of the group members with the legitimacy to do so. However “popular” a group may be, publicizing it still belongs, fundamentally, to the user’s sphere of autonomy in sharing it—there is no possibility, for example, of the group being automatically indexed by search engines like Google.
In other words: the share link for joining a private messenger group exists by default and is not available to search engines, except when the group’s own users share it on some web platform. More forceful and prophylactic proposals, such as a temporary ban on sharing and changing the group’s link after a certain period, may be more effective when it comes to breaking a chain of harmful sharing.
Additionally, “traceability of messages only to public groups” would result in a “breach” of the chain of trust conferred by encryption whenever a legitimate message is passed on from a private group to a public group (going from not traceable to traceable). Once again, a chilling effect would surround the individual freedom of speech of anyone who fears having their communication monitored. Furthermore, how effective would traceability be, on the proposal’s own terms, if it stops at private groups? It would easily be “broken” whenever the tracked message passed through a private group.
Traceability can also be circumvented by other simple measures: copying the message and pasting it into another group would “zero” the sharing chain or create a “disturbing event” in the trace, bringing uncertainty as to the source of the message. Considering the constitutional principle of the presumption of innocence, any error may make users who have nothing to do with disinformation chains the targets of investigations and the defendants in lawsuits.
Another argument that stands out in the defense of traceability is that “the user would have autonomy to decide on the level of privacy” – and encryption – of their communications. This perspective ignores the decades of privacy governance construction exemplified in the concept of “privacy by design”, more specifically in the requirement of “privacy by default”, crystallized in Article 46, §2, of the General Law for the Protection of Personal Data.
The law gives an express command: to fill an inherent information gap for the user who is unaware of the technical and commercial logic of the applications, and to curb inappropriate or illicit processing, it is necessary to “level up”, by default, the configurations and architecture of the mechanisms that ensure the security and privacy of the user. A direct consequence is the default encryption feature, a trend in best practices for messaging applications worldwide. To assume that a user could opt for a lower degree of security in their communications is, at the very least, simplistic and a disservice to advances in personal data protection regulations and in the security of the application ecosystem.
The proposal does not consider that encryption by default is also an information security measure in a context of surging cybercrime. Part of the role of cryptography is to raise community security levels, preventing malicious agents from exploiting vulnerabilities in other parts of the system—such as weak passwords, no two-step verification, and more. The theme has a parallel, in the current context we live in, with the notion of community protection that vaccines provide in defeating pathogens such as pandemic viruses.
Anyone who believes that the user, by being part of a public group, gives up their rights related to the use of the platform is mistaken. It is not only malicious agents who make use of public groups: social, legal and psychological assistance groups for minorities and for groups that are victims of systemic violence, such as LGBTQIA+ people, ethnic causes, or people in situations of domestic violence, often use public groups in the free exercise of their right to assembly and association.
Political organizing also makes extensive use of interinstitutional and interparty groups, often public, to mature understandings and build strategies for democratic action. To mandatorily track these high-sensitivity communications — despite the public interest — is to weaken these rights, which are so closely linked to the reliability conferred on messenger platforms.
After decades of debate, it is well established that interfering with encryption, through the application as intermediary, in order to curb crimes implies a disproportionate risk to security and to the rights that encryption protects. Framing traceability as a “necessary evil” in the fight against disinformation is aligning with notorious advocates of surveillance, noted for their aversion to the confidentiality of communications, under the aegis of a supposed collective interest.
The proposed “new” traceability regime continues to attack privacy, freedom of expression and the rights of association and assembly, and is not effective because of its own weaknesses. Brazil’s recent history already has enough public policies based on science denial, and enough social, political and economic repercussions derived from analyses that do not listen to academics and the vast majority of organized civil society. It will be necessary to reflect on whether the defence of traceability mechanisms, as proposed, is not expanding this culture.
Original article (published on ConJur.com.br)