Brazil's Fake News Legislation Moves Forward, Gets Slightly Better And Way Worse
from the land-of-contrasts-with-some-contrasts-more-equal-than-others dept
Taking a cue from the then Demagogue-in-Chief of the United States, Brazil’s government decided something must be done to
control the spread of “fake news” to give the government more control of the narrative. “Fake news” continues to be a handy concept to abuse by governments seeking to limit their constituents’ ability to consume or create content. That was Donald Trump’s rationale as well, even if it was never articulated with any clarity or cohesiveness.
Brazil’s government liked the abusability of “fake news” and turned it into legislation. But before it did that, it gave itself some more power. It “mobilized” the federal police to combat “fake news” ahead of the country’s 2018 elections. It gave people with guns the power to regulate the internet, allowing them to “identify and punish” people who published whatever those in power said was “fake.”
The proposed law made a bad thing even worse. The original proposal demanded that social networks and messaging apps tie accounts to users via the country’s national identity cards. It also mandated data collection on those who spread “fake news” to determine how far it had carried and, if possible, discover the origin of the content. Since there’s no way to tell what the government would call “fake news” and when the government might get around to making this determination, the safest way for services to comply would be to log all info indefinitely just in case the government decided it needed access to this info later.
The bill has since been revised. And while it’s not quite the privacy nightmare it was when it was introduced, it really hasn’t improved much. The EFF has two posts covering the legislation, detailing what’s been made better, what’s been made worse, and what has remained terrible since the bill’s introduction last summer.
Here’s the good news:
Regarding serious flaws EFF previously pointed out, the bill no longer sets a general regime for users’ legal identification. Second, it does not require social media and messaging companies to provide their staff in Brazil remote access to user logs and databases, a provision that would bypass international cooperation safeguards and create privacy and security risks. Most importantly, it drops the traceability mandate for instant messaging applications, under which forwarding information would be tracked.
But several downsides remain. First, there’s still some mandated unmasking of users, via mandates on publication of user info of those paying for content mentioning political parties as well as those buying or authorizing political advertising. This will make it insanely easy for powerful political officials to target anyone who opposes or criticizes them, adding to list of laws that can be abused to silence their opposition.
The proposal also gives the government the power to pull the plug on parts of the internet if it decides the law has been ignored or violated.
The bill also establishes that internet platforms can have their activities prohibited or temporarily suspended as part of the penalties for noncompliance. According to Article 2, the draft law applies to social networks, search engines, and instant messaging service providers with over two million users registered in Brazil.
Too many critics hanging out in certain internet places? Shut it down. Not only does this provide the government with a quick way to silence up to two million people at a time, but it directly contravenes UN agreements that forbid the wholesale disruption of communication services relied on by countries’ populations.
Back to improvements. The amended bill finally places some limits on data retention by platforms and communications apps, restricting it to communications metadata. And that collection is further limited by time constraints: only 15 days in a row, extendable to a maximum of 60 days via court approval.
But, even these improvements have some serious issues. In the EFF’s second post, Veridiana Alimonti points out the government thinks it can tie an IP address to a person, which will allow it to make even worse assumptions about communications metadata that go beyond its original faulty assumption: that an IP address = a person.
The provision forces internet applications to unequivocally individualize the user of an IP address, apparently based on the flawed aspiration of linking a given IP address to a specific user without a margin of error. This language offers wide-open interpretations by law enforcement and courts that could severely extend the current data retention mandates, or even force the use of persistent identifiers linked to our every single move online. There are so many variables in internet routing that it is not possible for an application to say unequivocally who is related to a connection.
That assumption was faulty back when most internet communication was handled via desktop computers at people’s homes. Mobile devices, public Wi-Fi, limited availability of IPv4 addresses, and the use of multiple connected devices in any home make this bad assumption completely unworkable. And yet, legislators appear to believe it will work.
If it doesn’t work, it can fine and/or pull the plug on service providers that fail to do the impossible. The only way to even attempt to comply is to log all sorts of information that can possibly tie users to IP addresses and make this all available to the government when it’s requested. This essentially makes the metadata-only demands meaningless since the government clearly wants to be able to identify users and will expect the same providers that thought they were only obligated to log certain things to collect it all and let the government sort it out.