Digital rights activists across Brazil held their breath yesterday, as the country’s Parliamentary Commission on Cybercrime (CPICIBER) debated whether to send its report to the full lower house of Congress for committee assignment and debate. In the end, the vote was postponed, and rescheduled for Tuesday, May 3rd. A postponement does not fix the problems with the commission’s proposals — but it may show a growing realization of the negative attention the report is gathering from Brazil’s Internet users.

As we’ve described previously, the report contains a set of seven new cybercrime bills authored by the Commission, as well as a call for the adoption of nine previously-introduced bills , one of them being the extension of a mandatory data retention obligation to everyone in Brazil who provides Internet access.

The bills would be disastrous for privacy and freedom of expression in Brazil. That's why EFF is joining ARTIGO19.org, Access, Coding Rights, Intervozes, and Instituto Beta in opposing the CPICIBER bills and PL 3237/15. As the vote will take place on May 3 it's still crucial to voice your concerns to CPICIBER members now.

Speaking from the Brazilian Parliament in Brasilia, Bia Barbosa, coordinator of Intervozes, told EFF:

Yesterday's session showed that our pressure on the Parliament is working. They have a majority in the Commission and they could force a vote if they wanted. However, over the last few weeks, civil society was able to show that approving this report would have negative consequences for the congressmen. That's why they are open to some kind of negotiation with us. We were already able to change some parts of the report for the better, but others are still very bad. That's why it is important to keep the pressure on the Congress, to preserve our rights and the Marco Civil da Internet.

Fight Back Against Brazil’s Draconian New Cybercrime Bills

Combata os novos PLs autoritários contra cibercrimes no Brasil

What Some Of The Bills Do

As we explained last week, the CPICIBER was created in July 2015 by House President Eduardo Cunha in response to a request from congressman Sibá Machado. The CPICIBER was charged with investigating online crimes and their effects on the Brazilian economy and society. The CPICIBER worked from August 2015 until April 2016 and published three draft reports with an analysis of how Brazil is dealing with a high number of crimes against the financial system and the increase in racist messages online. The third version of the report was published last Tuesday, and is being proposed as a final report.

The report submitted by the CPI is over 200 pages long, touches on many topics, and makes many recommendations. Unfortunately, many of its proposals would create drastically expanded monitoring and control of Internet use in Brazil, in many cases rolling back protections for users enacted in the Marco Civil da Internet, Brazil’s landmark Internet framework law. Here, we describe just a few of the report's many scary suggestions.

Expand Data Retention Mandates

The Marco Civil unfortunately created, for the first time, a data retention obligation for ISPs—one of the few dark points in an otherwise excellent law. But that obligation was applied only to the very largest entities and not to everyone involved in providing Internet access. The report endorses an attempt to change this in bill 3237/15 introduced by Vinicius Carvalho, which would require everyone in Brazil who provides Internet access to the public to retain connection records and to individually register the identity of their users. That’s not just ISPs. The bill's author specifically gives airports, bus stations, and shopping malls as examples of a “gap” in the mandate to register user identities and store connection records, which it proposes to close by requiring all Internet-access providing entities in the country to keep such records. Mandatory data retention would create a huge potential for abuse and should be rejected as a serious infringement on the rights and freedoms of individuals. This bill contemplates the pervasive surveillance of every ordinary citizen.

Demand Warrantless Access to IP Addresses

In the last draft of the final report, the proposal for warrantless access to IP address data was deleted and replaced by a suggestion for further deliberations on an existing bill PLS 730/2015 already being approved by the Senate. This bill, authored by Senator Otto Alencar, authorizes the police or prosecutors to demand registration information about Internet users (either from ISPs or from application providers), without a court order in order, to identify alleged criminal activity. (The current version of the bill seems to have a drafting error, but the goal appears to include letting law enforcement demand IP addresses from application providers' logs, then and demand the corresponding subscriber identities from ISPs.) This proposal, which has already been advancing in the Parliament, ignores the fact that demanding IP address information is still surveillance. And, the human rights requirement to use such powers by public officials includes the need for an authorization by an impartial and independent authority and strict legal safeguards. In short, prior judicial authorization of surveillance powers is not merely desirable but essential. This is because neither of the other two branches of government is capable of providing the necessary degree of independence and objectivity to prevent the abuse of surveillance powers.

In addition, in August 2012, the South Korean Constitutional Court rejected the collection of individuals’ subscriber data in the absence of prior judicial authorization on the basis that this amounted to “treating them as potential criminals.” This was followed by the Korean National Human Rights Commission, which decided in April 2014 that the lack of any requirement for prior judicial authorization for access to the collected data by police violates international human rights. In conclusion, we believe that only a judge offers the sufficient guarantees of independence and impartiality to ensure that access to IP address and any other data are exercised in a manner which is both necessary and proportionate. (Read more about PLS 730/2015 here)

Impose a Net Censorship Regime

UPDATE: Saturday morning 30/04, the Sub-Rapporteur Mr Sandro Alex released a new version of the bill that deals with the blocking of websites. The arguments below are valid, but does not consider the new version, which also explain the focus of the bill on copyright protection, patents and computer programs.

Another striking part of the report is the way it echoes the failed U.S. SOPA and PIPA proposals; after their dramatic defeat in the U.S. in the face of broad and intense opposition, it seems these Internet censorship measures have effectively resurfaced in Brazil. The report specifically mentions copyright industry groups’ advocacy and support for these measures. Unfortunately, the final draft of the report continued to claim that site-blocking provisions (requiring ISPs to cut off access to third-party sites accused of facilitating copyright infringements) are already the law in the U.S., as though the fight over SOPA had never happened. (EFF wrote to the commission pointing out this error, which was noted in this week’s debate.)

The SOPA-like site-blocking proposal isn't the only harsh copyright measure that U.S. entertainment interests are now trying to export to Brazil. The report argued that US Law does not prohibit service providers "to make reasonable efforts in order to resolve violations of copyright or other illegal activities." While service providers aren’t forbidden from making reasonable efforts to deter copyright infringement, that doesn’t mean they are required to take any specific measures except as set forth in Section 512 of the Digital Millennium Copyright Act, such as responding expeditiously to take-down notices in exchange for a safe harbor. What's more, section 512 is a law that has caused significant collateral damage, and should not be followed as a template by Brazil. Its neighbor Chile has a superior system to that of the U.S., in that it requires a court order before content is removed from the Internet.

The report also mentioned the fact that a notice and stay down proposal is being considered, and that the "matter is also the subject of study in the United States where there is a public consultation to amend Section 512 of the Digital hereMillennium Copyright Act." Let's be clear, notice and stay down is effectively just mandatory filtering, and is vigorously opposed by a broad coalition of public interest groups, creators and service providers in the United States. In practice, a “filter-everything” regime would prevent many valuable and innovative services from ever launching, to the detriment of commerce and free expression.The fact that a few powerful interests may be pushing this extreme proposal is hardly evidence of the imminent expansion of Section 512, and the suggestion that this constitutes any kind of international legal trend is a misleading and reprehensible attempt at policy laundering. A more detailed account of criticism of “Notice-and-Stay-Down” in the United States, is available in our analysis of American proposals and our comments pertaining to the Copyright Office's ongoing study into the Digital Millennium Copyright Act's Section 512.

We also note that the UN Human Rights Committee, in its General Comment 34, said that "Permissible restrictions generally should be content-specific; generic bans on the operation of certain sites and systems are not compatible with paragraph 3 [of article 19 of the ICCPR]".

Put Researchers At Risk

Another major problem is the proposed change to article 154-A of the Penal Code, “Inappropriate Access to an Information System” and its impact on the ability of researchers to access computers, devices or electronic communication networks for security testing without explicit permission. Examining computers without the explicit permission of the owner is necessary for a vast amount of useful research. The existing text of article 154-A already leaves the position of security researchers uncertain. Rather than remedying this, the commission seems intent on making the law even stricter. Researchers who study others’ systems in the course of good faith research (including to test the security of their own data) may become criminals. The proposed text should affirmatively protect access for purposes of security testing even if the security researcher does not have a written or oral authority to access the system.

Speaking from Brasilia, Paulo Rená, Researcher at Instituto Beta, told EFF:

We are facing a set of draconian propositions. Instead of helping against cybercrime, the draft bills would menace of millions of innocent Brazilians. Our double effort now is, for the Representatives, shine a light on the threats; at the same time, gather more public support to help us stop the bills.

These are not unknown issues; all of them have been brought to the CPI's attention before. It’s a continuing shame that the CPI did not give more weight in its deliberations to the many contributions from Brazilian civil society. This isn’t the first time that a governmental committee looking at online crime has gotten carried away and proposed draconian measures. We hope this short delay will give cooler heads a chance to prevail, and that any revisions to Brazil’s online crime laws will respect individual rights online.

Fight Back Against Brazil’s Draconian New Cybercrime Bills

Combata os novos PLs autoritários contra cibercrimes no Brasil