By Ana Bárbara Gomes, Gustavo Rodrigues and Victor Vieira, Institute for Research on Internet and Society (IRIS)
A study by IRIS and ISOC Brasil mapped the perceptions of professionals who drive the public debate about exceptional access in Brazil. In view of the results, we reflected on the risks of abuse of the tool in light of the Brazilian institutional scenario. What happens when exceptional access meets an environment of authoritarian escalation?
History of the debate on exceptional access in Brazil
Since 2016, there has been an intense debate in Brazil regarding the legitimacy of the use of strong cryptography for the protection of private communications in the digital environment: this was the year in which the 1st judicial order determining the blocking of WhatsApp due to the encryption used in the application was issued. The filing of two lawsuits related to the topic, ADPF 403 and ADI 5527, at the Supreme Court of Brazil in the same year represented an advance in this controversy over the technical and legal impacts of requiring the implementation of backdoors – or exceptional access methods – in cryptographic systems.
In 2017, the public hearing held during these proceedings brought together presentations on the topic from various actors involved in the controversy. The opinion of the law enforcement sector, in general, has always been favorable to the adoption of mechanisms to weaken strong cryptography. This is because information security techniques of this caliber represent an alleged hindrance for state authorities to conduct criminal investigations by accessing the suspects’ encrypted communications.
From a law enforcement point of view, the use of strong cryptography by ordinary people has always been criticized by the state – the famous Going Dark narrative. This narrative culminated in the holding of the 1st Brazilian Going Dark Symposium, in 2019, an initiative of the then Minister of Justice Sérgio Moro, in which a declaration was signed by 13 countries, highlighting an interest in international collaboration on efforts to increase the State's investigative power.
Throughout the period portrayed, several bills emerged that seek to legitimize, by means of legislation, the weakening of cryptography in Brazil. One study by IP.rec, for example, mentions Bills 9.808/2018, 11.007/2018, 2.418/2019 and 5.285/2009 (although the latter predates the worsening of this discussion in Brazil). The so-called “Anti-Crime Package”, converted into Law 13.964/2019, contained legal mechanisms in the same spirit, even though these were not approved. More recently, the opinion of the rapporteur of Bill 8.045/2010 (new Code of Criminal Procedure – CPP) raised these concerns again, since it included provisions that could be interpreted in a way that would result in an obligation to weaken encryption.
This is because the report of the new CPP foresees an obligation of assistance for providers of telecommunication services, which includes the obligation to provide the technological means and resources necessary for interception. In addition, it establishes that the procedure for telephone interceptions should be subsidiarily followed in telematic interceptions. Taken together, these provisions may result in an obligation for application providers, such as WhatsApp, to introduce vulnerabilities in their cryptographic systems to provide access to authorities in criminal investigations. What is observed, in this sense, is yet another legislative attempt to circumvent the security of strong cryptography in favor of a crime prevention argument.
It is worth highlighting a point repeatedly raised by opponents of the weakening of encryption: there is no evidence that this extreme measure is a current need for the success of criminal prosecution in Brazil. This is because there is no conclusive evidence that lets us understand the extent to which the protection of communications through strong encryption represents an obstacle to national investigative authorities. In this sense, there is a growing fear that these vulnerabilities are being implemented without their effectiveness and necessity having been demonstrated – resulting in derisory gains for the proper criminal prosecution of offenders in the country. Added to this is the fact that these measures – which are potentially ineffective – would simultaneously result in an environment of less privacy and security for all users of the services.
In addition to the expansion of State interception powers, the new CPP text provides for alternative measures to obtain evidence for investigative authorities. There is provision for measures involving “forced access to electronic devices, computer systems or data networks”, comprising “offensive security methods or any other way that allows exploration, isolation and control”.
In summary, in addition to the potential obligation to implement a backdoor, it seeks to legitimize so-called government hacking, that is, the use of intrusion technologies – remotely or not – by the State to obtain evidence that could not be obtained by other methods. Taking into account the current scenario of debate and controversy regarding the implementation of exceptional access mechanisms, it is inevitable to consider whether these government hacking techniques constitute a “plan B” of the national authorities – in case exceptional access proves to be unviable by a decision of the Supreme Court or even by the discontent of civil society.
It is concluded, therefore, that the debate about the limits of the State’s investigative power is a highly controversial topic today. Several attempts by the State to expand this power can be observed – and, at the same time, it is possible to observe responses in equal measure by those who oppose the strengthening of the Brazilian repressive apparatus.
What the professionals who drive the debate think
In order to better understand the reasons why the exceptional access controversy persists, IRIS and the Brazilian chapter of ISOC have been conducting the project “Privacy is Security: communicating the importance of encryption for all” with support from the ISOC Foundation.
In its first stage, the project undertook research aimed at understanding the rationales that guide the different stakeholders involved in these debates. To this end, we conducted semi-structured interviews with more than 40 professionals engaged with the topic. The universe of participants included people from different fields of education, including Law, Computing, Social Sciences, Media, Public Administration, International Relations, etc. There was also a great diversity of professional trajectories: our interviewees ranged from digital rights and free software activists to public affairs managers at large platforms, from cybersecurity analysts to operators of the criminal justice system, from university professors to employees of regulatory agencies. In all cases, we sought people specialized in the matter or with previous participation in the public debate regarding it.
The questions were about issues such as the participant’s professional and academic trajectory, their level of satisfaction with the regulatory environment regarding cryptography in Brazil, and their opinions and perceptions about the implementation of exceptional access in encryption to facilitate criminal investigations. We also asked them about alternative means of investigation that did not involve encryption interference and about the legitimacy of judicial application blocks based on the Brazilian Internet Bill of Rights, like the WhatsApp blocks in Brazil in 2015 and 2016.
Recently, we published the first results of the study, which discuss the perceptions of these professionals in relation to exceptional access as a solution to the Going Dark controversy. From a quantitative point of view, the majority (69.8%) of the interviewees expressed their opposition to the implementation of exceptional access, 18.6% had no determined position in the matter and only 11.6% were in favor. Among respondents with training associated with the technical field of computing, 87.5% were against the measure, 12.5% were favorable and none had an indeterminate opinion.
But the truly significant aspects of the study are not its quantitative results, not least because the selection method used – snowball sampling – is non-probabilistic and therefore not representative of any cohesive population segment. Our focus was qualitative: mapping the discourses, arguments and perceptions that inform the Crypto Wars in Brazil, in order to understand the assumptions, value judgments and rationalities that have guided the debate.
Among supporters of exceptional access, we perceive a discourse centered primarily on legal and political arguments, avoiding going too far into the technical aspects of the debate. The reasoning starts from the premise that public security, here immediately associated with success in criminal prosecution, must be prioritized in relation to other rights potentially threatened by exceptional access. There is no denying that the measure has risks, but they are considered to be mitigable by robust institutional controls and, in general, considered less serious than the alternative, which would leave serious crimes unresolved. In addition, exceptional access is equated with telephone interception, in order to suggest that disobedience to data delivery orders is a breach of the Law and an arrogant challenge by companies to the authority of the Brazilian State.
The discourse opposing exceptional access, in turn, emphasizes precisely the aspects minimized by the favorable discourse: its technical consequences and the policy implications of these repercussions. It is argued that the damage is too great, as the security of the entire system would be weakened, creating a high risk of usurpation of the access mechanism by malicious third parties and of abuse by the public authority. Moreover, the actual need for this measure is questioned (there would be no conclusive data proving that it is cryptography that prevents the resolution of most investigations), as well as its effectiveness (criminals could abandon platforms once exceptional access has been implemented).
One aspect that seemed central to this dissent was the different assumptions of those involved about the risks of abuse of the tool by the public authorities. The defense of exceptional access framed this point as a matter of principle – there is a risk of abuse, but one must trust that it can be restrained by institutional controls. As one interviewee summed it up: “If I don’t trust that, I can’t trust anything regarding the judicial system”. On the other hand, arguments against exceptional access often adopted the opposite premise – institutions cannot be trusted to be effectively able to curb abuses of authority.
This leads us to a fundamental question: have the institutions shown themselves able to prevent abuses of authority or not? In order to better support the empirical debate on this point, the next section examines Brazil’s recent history in this regard.
The advancement of techno-authoritarianism in Brazil
Like any technology, cryptography must be considered and studied in the context of the society in which it is embedded. This helps us to gauge realistically what the risks and powers of different socio-technical arrangements are in concrete contexts. In the recent Brazilian context, specifically, we have observed a tendency to concentrate information on citizens that is sometimes associated with authoritarian actions to control public discourse and silence opponents. If data centralization is presented as the door to greater efficiency in the public service, it is undeniable that it carries with it risks of abuse and threats to individual and collective rights and freedoms, in addition to trivializing vigilantism and the processing of personal data without safeguards and guarantees. The use of technology for the projection of authoritarian measures is what characterizes techno-authoritarianism, and this is a latent concern in the Brazilian scenario, especially if we pay attention to the latest events.
A report published by the non-governmental organization Article 19 provides evidence that, since June 2013, Brazil has experienced a process of silencing political dissidents. This is notable in several initiatives that converge towards an intensification of the repression of the right to protest. It is noticeable in the use of the Brazilian Army to suppress demonstrations; the filming of protests by the police and the use of data and images of protesters for investigations; arbitrary attempts at prior censorship and the prohibition of demonstrations by the judiciary; legislative advances to expand the anti-terrorism law and create new types of penalties attributed to protesters in a controversial manner and a resurgence of existing sanctions.
In the middle of that year, the Chamber of Deputies, our lower house of Congress, approved the text that repeals the National Security Law, a norm inherited from the times of the dictatorship and incompatible with the democratic order. Its replacement, however, passed without much time for debate with civil society, and brought a series of new concerns about restrictions on freedom of expression guided by a logic of combating an internal enemy, precisely the motto of the Doctrine of National Security that founded the old law. This criminalizing approach to online conduct can undermine digital activism and the exercise of rights on the web, as well as going against the best information security practices.
The construction of data megabases at the State level has also proved to be a problem, such as the National Multibiometric Bank created by the Anti-Crime Package to store “biometric record data, fingerprints and, when possible, iris, face and voice, to support federal, state or district criminal investigations”. Another example is the Citizen Base Register provided for by Decree 10,046/2019, a megabase of data that would bring together 51 existing databases, containing identification data, education, health, salaries, as well as biometric data for automated recognition – such as iris of the eyes, palm and even the way you walk. In both cases, what stands out is these proposals' lack of concern for the principles of protection of personal data, such as purpose and necessity.
There is additional evidence that this risk of abuse is not a mere abstraction. In January 2021, the Center for the Analysis of Freedom and Authoritarianism (LAUT) and Data Privacy Brasil published a retrospective of several moments in the year 2020 in which Brazilian public authorities pushed the boundaries of surveillance by proposing an increase in monitoring activities and the creation of citizens’ databases. Each of the measures documented in the report warns us about ways in which fundamental rights have been put at risk by an authoritarian escalation in which technology is a key part of the exercise of the State’s surveillance and control in all its attributions and competences, be it in the Legislative, Executive or Judiciary.
In July 2020, a dossier prepared by the Ministry of Justice and Public Security was made public with 579 federal and state employees identified as “anti-fascists”. The dossier caused great discontent in civil society, especially among journalists and activists, and the Inter-American Commission on Human Rights warned that the practice is reminiscent of the military dictatorship. In August of that year, the Supreme Court prohibited the creation of dossiers like this, considering the practice to be unconstitutional. Despite that ruling, at the end of last year, the Brazilian government hired a company in charge of categorizing journalists and influencers according to their political positions, whether they are “favorable”, “neutral”, or “detractors”. 77 people were included in the dossier.
The entire context described converges to a scenario of unequivocal authoritarian escalation strongly associated with the use of technology. The debate on the institutions’ ability to mitigate the risks of abuse necessarily implied by a backdoor must therefore consider that this mechanism would be implemented in a delicate socio-political context, where successive threats target citizens’ rights. In this environment, strong cryptography presents itself as an even more crucial tool for maintaining rights on the network, and its weakening means a setback for all users and gives space for the advance of the techno-authoritarian trend observed in recent years. The argument that it would be possible to weaken it – provided that we establish a rigid and strong regulatory structure – meets a scenario of many institutional and political uncertainties, where episodes of intimidation of opponents, critics and activists have been appearing day after day.