Last year’s Brazilian elections were a victory for Jair Bolsonaro—a politician with highly controversial positions on the country's past military dictatorship and civil rights. Bolsonaro’s ascent to power and the beginning of his administration in January has attracted international attention for their potential impact on human rights. His election reflects greater support for a conservative agenda likely to jeopardize free expression and privacy safeguards. Executive branch decisions, bills in Congress, and cases up for trial in the Supreme Court, may all deserve careful attention because of their potential to undermine civil liberties.

One key example is the set of anti-terrorism bills pending in Congress that may gain greater support. Most of roughly ten proposals so far build on an existing 2016 law passed mainly due to international pressure before the Olympics in Rio de Janeiro. The legislation attracted strong criticism from civil society for potentially criminalizing protests and protesters. But the new bills go further. Nearly all seek to broaden the definition of terrorism. Some narrow current safeguards that prevent the actions of social movements from being considered terrorism offenses—offenses which carry a potential 30 year prison sentence.

These broad and vague definitions are inconsistent with standards of precision required by Brazilian criminal law. They leave the door open to subjective and arbitrary decisions— which wouldn’t be new in the region . One bill makes it a “terrorist act” to tamper with and disrupt computer systems or databases with a political or ideological motivation. Proposed amendments in the Senate drop legal requirements for determining motivation and malicious intent. As a result, any interference or damage to computer systems may be framed as “terrorism,” seriously endangering the activities of journalists, security researchers, and hackers. EFF’s long standing work on coders rights seeks to combat regulations like these that overlook the increasing importance of vulnerability research and safeguards for coders that are already in place .

Two proposed pieces of legislation ( PLS 272/2016 and PL 9555/2018 ) make it a crime to praise or incite such ill-defined terrorism offenses, imposing penalties for up to eight years in prison. One bill increases the penalty if this “incitement” happens over the Internet or through any media outlet. If this legislative agenda is successful, a tweet in favor of hacking, or actions connected to protests or strikes, could lead to long jail sentences. This threatens both free speech and privacy in Brazil.

The current text of a Bolsonaro’s bill , which he wrote as a congressman, replaces the previous requirement of court orders with a pre-authorization for specific law enforcement agents, connected to the Brazilian Army and police, to obtain communications metadata (defined by Law n. 12.965/2014 as connection and access to Internet applications logs). These agents could also ask the court to require telecom operators to provide the geolocation of specific devices. A judge would have only 6 hours to decide whether to compel access and companies no more than 24 hours to hand over the data. In addition to Bolsonaro’s proposed legislation, draft bill n. 9808/2018 would grant police explicit authorization to obtain the content of private communications if the person is caught in the act of committing offenses such as terrorism and drug trafficking.

Communications surveillance carried out by the Brazilian state must comply with human rights principles based on international standards . These require inter alia clear and precise laws, due process, and rulings by an independent judicial authority. These proposed rules could undermine the integrity of Brazilian communications.

And there’s more such efforts in the pipeline.

Here we go again—potential battles over encryption

Draft bill n. 9808/2018 would also secure further police powers granting access to the content of communications when a mobile device is seized while the offense is being committed. The chief police officer would be entitled to ask ISPs, application providers, or app developers for an encryption key. Previous disputes around exceptional access to encrypted communications led both to judicially imposed blocks of WhatsApp and to continuous pressure from law enforcement agents before courts and Congress.

Several proposals also threaten the integrity of encryption systems.

Earlier this year, a Commission of Jurists, created by the Chamber of Deputies Speaker and coordinated by a Supreme Court Minister, released a list with 11 priorities for combating organized crime. These recommendations will be sent to Congress and the Minister of Justice in a package of reforms for 2019. One of these proposals advocates for more effective tools for investigating criminal organizations as described below:

The provision of means to access and breach secrecy on the exchange of messages between members of criminal organizations over the internet, social networks or messaging applications, including the possibility of infiltration by police officers. Companies providing Internet services, social networks and communication applications should have its headquarters or representation in the national territory and must comply with the determinations addressed to them.

The list mirrors two draft bills created by the Commission of Jurists and explicitly mentioned in the document. One bill proposes changes to the Criminal Organizations Law to allow the infiltration of police officers investigating offenses specified in the legislation. The bill also states that this procedure “will include the possibility of access by police authorities to the encryption key of ISPs, content providers and authors of communication applications”. The bill’s meaning is blurred. It’s not clear if it compels the use of backdoors. Or if officers are allowed to join the online communications of criminal organizations by gaining their trust or by demanding the service provider to covertly add them to the conversation. The latter case would mirror the UK’s “ghost” proposal, which is only another name for a backdoor .

What is clear from this document, however, are the Brazilian government’s intentions to force application providers to have an office in Brazil. Requiring all application providers to maintain a Brazilian office will stifle innovation by further stacking the deck in favor of tech giants who have the resources to comply. And what if they don’t? The most probable solution would be blocking users’ access to them. This would violate present net neutrality rules and undercut the constitutional right to free expression. Time and again, WhatsApp blocks were overruled by Brazilian courts due to their lack of proportionality. This discussion is now in front of the Supreme Court here and here . These cases are also considering law enforcement demands for backdoors vis a vis constitutional rights. As EFF tirelessly points out, backdoors compromise security, privacy, innovation, and are not effective for their stated purposes.

“Fake news” and elections, round two

We have written before how initiatives against civil liberties could gain traction depending on the extent of disinformation in Brazil’s presidential elections. False news did spread , and WhatsApp’s end-to-end encryption has been wrongly blamed as the main villain. In addition to reinforcing attacks against encryption and user security, this claim overlooks other ways to really tackle the problem. For example, the government could hold accountable companies and candidates that misused the app in violation of electoral legislation and other norms (e.g. by massively activating chips with ID numbers of elderly people without their knowledge).

There are also two new bills in the Brazilian Congress that would criminalize the malicious creation and release of false news related to any relevant public interest—or in order to change or disrupt a truth regarding the electoral process. Possible penalties include three years in prison. While there’s an exception for asserting opinion, artistic or literary expression, and humorous content, the bills raise concerns . Creating new criminal offenses is a risky path to address complex problems, especially when it involves deciding what is true or false. Online platforms could be held liable for failure to remove or block content reported as false within 24 hours. This upends the general regime of intermediary liability set in the Law n. 12.965/2014—known as the Brazilian Civil Rights Framework for the Internet—which was devised to protect free expression online and avoid prior censorship.

Under current law, intermediaries are not held liable for third-party content except for noncompliance with a court-issued takedown order (art. 19, main section). This legal regime is currently facing a constitutional challenge . The case is being heard by the Brazilian Supreme Court and leading civil liberties groups have filed amicus briefs here and here stressing the dire consequences of the potential repeal of laws which safeguard free expression and access to information.