Brazil’s Proposed ‘Fake News’ Law Says Internet Users Are Guilty Until Proven Innocent, Demands Constant Logging From ISPs

Brazil’s legislature is set to vote on its proposed “fake news” law. This law would criminalize speech the government doesn’t like, under the handy theory that anything it doesn’t like must be “fake.” There was some mobilization on this not-even-legal-yet theory back in 2018, ahead of an election, when the Federal Police announced it would be keeping an eye on the internet during the election process. There are plenty of ways to combat misinformation. Giving this job to people with guns is the worst solution.

The EFF has put together a summary of the worst aspects of the proposed law. And they are the worst. First and foremost, lawmakers have realized a law that targets users the government can’t identify is completely worthless. Brazilians will pretty much need a license to communicate with others — something achieved by turning platforms and app makers into bouncers at the internet nightclub.

[T]he bill (Article 7, paragraph 3) requires “large” social networks and private messaging apps (that offer service in Brazil to more than two million users) to identify every account’s user by requesting their national identity cards. It’s a retroactive and general requirement, meaning that identification must be requested for each and every existing user. Article 7 main provision is not limited to the identification of a user by a court order, also including when there is a complaint about an account’s activity, or when the company finds itself unsure of a user’s identity.

No doubt legislators will say comforting things about protecting anonymous speech as the bill is debated. But those platitudes will be emptier than usual. Users are permitted to use pseudonyms. But they’re also required to provide their legal identities to these platforms.

Brazilians can’t bypass this identification process by using only phone apps to communicate. SIM card registration has been in place since 2003 and the proposed law expands on that, requiring private messaging apps to delete accounts that are no longer linked to registered phone numbers.

Since the law is triggered when alleged fake news reaches (a very low) critical mass, social networks and messaging apps are required to log pretty much everything users do, just in case. Since it’s impossible to predict what will go viral, logging will be continuous.

These obligations are conditioned on virality thresholds and apply when an instance of a message has been forwarded to groups or lists by more than 5 users within 15 days, where a message’s content has reached 1,000 or more users. The service provider is also apparently expected to temporarily retain this data for all forwarded messages during the 15-day period in order to determine whether or not the virality threshold for “massively forwarded” will be met.  

This provision basically makes all users guilty until their inability to find an audience proves them innocent. The safest thing for tech companies to do is log continuously and retain forever, since there’s always a chance of sleeper hits reaching a broad audience weeks or months after the content was originally posted. The law mandates a four-month minimum for retention. It does not place a limit on maximum retention length.

The law also mandates that this massive collection of info be available remotely 24/7 for perusal by government regulators. This massively increases the chance of a harmful data breach by expanding the attack surface to every user and every government employee granted access privileges. And if there’s an opportunity for abuse by government employees — and there is — it will be abused.

This logging and demands for identification from messaging/social media users obviously makes any assurances about respecting users’ privacy blatantly false. The proposed law pretty much renders the country’s data privacy law — passed in 2018 — irrelevant. The law can’t protect internet users from careless logging and extended retention of user info — not when the government’s demanding service providers and social media platforms do exactly this to aid in the regulation of third-party content.

Then there’s this problem: even if the law fails to pass, the Federal Police have made it clear they’re going to punish people for spreading “fake news.”

A top police official just yesterday warned that, absent a new law, they will invoke the authorities of one of the dictatorship era’s most repressive laws: the so-called Law of National Security, which contain deliberately vague passages making it a felony to “spread rumors that caused panic.”

The government will be in the censorship business with or without the new law. Since it obviously desires to be more fully involved in the business of censoring, the law will likely pass, since it will give the police (and others) a whole lot of data and PII to work with. The current leader of the country bearing the First Amendment brand declares news he doesn’t like to be “fake.” We shouldn’t expect anything better from other countries which have engaged in open censorship of government criticism in the past, no matter what niceties are said about protecting the public from misinformation.

Techdirt.