Brazilian Code of Criminal Procedure Reform Working Group: Citizens should be protected from encryption backdoors, massive data collection, and unchecked government hacking
June 28, 2021
In light of recent advances in the legislative debate on the reform of the Brazilian Code of Criminal Procedure, the undersigned, which include members of the Global Encryption Coalition – a global multi-stakeholder alliance whose goal is to promote and defend encryption – express their concerns about the risks these developments entail for encryption and for the security of users, which could negatively impact fundamental rights, the digital economy, public security, and national security not only in Brazil but in several countries.
Encryption is a resource that protects the privacy, security, and freedom of expression of billions of people in a world where interactions are increasingly digitized. This protection is not limited to ordinary citizens, but it also extends to digital transactions and the communications of public authorities acting in an official capacity. By safeguarding the integrity, confidentiality, and authenticity of digital information exchanges, encryption fosters the trust necessary for the development of the digital environment and supports public safety and national security in countries around the world.
The Code of Criminal Procedure reform now pending in the Brazilian Congress draws attention to a complex debate on the modernization of criminal procedure in light of the new challenges posed by technological advances. The text published on April 26th through the advisory opinion of the rapporteur, Parliamentarian João Campos, raises international concerns about the possibility of harm to encryption and to the security of users, companies, and authorities in Brazil and other countries. The main issues of concern are the provisions regarding telematic interception and the exploitation of technological vulnerabilities by law enforcement for the production of criminal evidence – a set of practices known as “government hacking”.
On the topic of telematic interceptions, articles 288 and 305 of the proposal may impose a duty on application providers to freely make available the technological means and resources necessary for interceptions to be carried out. In the context of private messaging applications protected with end-to-end encryption – such as WhatsApp, an application installed on 99% of smartphones in Brazil – this could mean an obligation to redesign the system in order to introduce a security flaw designed for systematic exploitation – a backdoor – by law enforcement.
An alteration of this nature would undermine the security of the service and put all users at risk. Not only is it a scientifically established consensus in the field of information security that it is impossible to ensure that a backdoor is exploited only lawfully and only by legitimate actors, but implementing this flaw would require reversing best practices in information security, such as forward secrecy – a technique in which new keys are negotiated at each transaction so that a compromise of the system exposes as little past traffic as possible. That is, the change would not only create a security vulnerability that could potentially be exploited by foreign governments and cybercriminals, but it would also create strong incentives for such exploitation to actually occur by increasing the prospective gains of potential attackers. This undermines a range of fundamental rights as well as trust in information services and their providers in Brazil, with serious potential impacts on the economy and on innovation capacity in key areas for the country’s digital development, such as internet banking, e-commerce, and transportation.
Furthermore, enforcing this requirement could have legal and economic repercussions, not only in Brazil, but in other countries. It is worth remembering that the judicial shutdown of WhatsApp in Brazil in 2015 affected users of the application in Argentina, Chile, Uruguay, and Venezuela, representing an undue overreach of jurisdiction. Due to the global nature of the services offered on the internet, maintaining the security and stability of the network depends on coordinated solutions. Therefore, technical and regulatory arrangements adopted by one country can impact several others. In this scenario, it should be noted that the UN Human Rights Council by means of Resolution (A/HRC/38/L.10/Rev.1) expressly called upon States not to interfere in the use of technical solutions to protect the confidentiality of digital communications, such as encryption.
Under the premise of improving effective criminal prosecution, the text promotes indefinite data retention and paves the way for government hacking. Also, the incorporated language regarding e-evidence aims at allowing law enforcement agencies to access data at the infrastructure level by targeting ISPs, without any mechanism of proportionality. By welcoming provisions that allow continuous surveillance of individuals under investigation and access to data stored outside of the country, the current version of the draft bill fails to update the Brazilian criminal process for the digital age and poses serious threats to constitutional guarantees and due process of law.
In one of its greatest risks to fundamental rights, the text of the new CCP could legitimize government hacking practices and fishing expeditions. Generic language such as “remote collection”, “resting data accessed from a distance”, “forced computer system access”, and “open source processing” can facilitate access through surveillance technologies and can end up opening huge loopholes for uncontrolled abuses of state power, such as spying on journalists and activists, and for diminishing security and trust in computer systems.
On this note, the undersigned entities urge the Brazilian Congress to further discuss the e-evidence section of the above-mentioned draft text in order to avoid fostering privacy violations and weakening users’ security online. The country must reinforce the need for law enforcement activities to be conducted in a proportionate and rights-respecting way, and avoid affecting online services or the internet’s infrastructure.
Association for Proper Internet Governance (Geneva, Switzerland)
Center for Democracy & Technology
Coalizão Direitos na Rede
Data Privacy Brasil Research
Derechos Digitales · América Latina
Electronic Frontier Foundation
Electronic Privacy Information Center
Global Partners Digital
IBIDEM – Instituto Beta: Internet & Democracia
Instituto Liberdade Digital
Internet Society Brazil Chapter
Internet Society Dominican Republic Chapter
Internet Society Ecuador Chapter
Internet Society Panama Chapter
Internet Society Portuguese Chapter ISOC.pt
Internet Society Uruguay Chapter
Intervozes – Coletivo Brasil de Comunicação Social
IP.rec – Law and Technology Research Institute of Recife
IRIS – Institute for Research on Internet & Society
LAPIN – Laboratory of Public Policy and Internet
MEGA The Privacy Company
New America’s Open Technology Institute
R3D: Red en Defensa de los Derechos Digitales
Software Freedom Law Center
The Tor Project