The Battle for Encryption in Brazil

This piece was written by Danilo Doneda and Joana Varon and originally appeared here.

The Facebook-owned messaging platform WhatsApp is the leader in the Brazilian mobile messaging market, surpassing 100 million users. Brazilians have long ceased to use SMS messaging as a means of daily communication. The strong presence of WhatsApp is favoured by some telecom companies delivering the service for ‘free’ in the zero-rating model, in which the app doesn’t use a person’s data.

Hence, the multiple recent bans on WhatsApp’ services ordered by Brazilian magistrates ignited widespread discussion. Currently, the platform has been ordered to suspend its services four times, with law enforcement authorities arguing that the company hasn’t released to law enforcement user data which was deemed fundamental for criminal investigations. The issue recently escalated with WhatsApp adopting end-to-end encryption by default to all its users, meaning that, in theory, the company will hold no user content data.

Throughout 2016, several court orders have demanded temporarily blockage of WhatsApp due to disputes over access to encrypted data, however, Brazilian Law does not prohibit or ban encryption. The most recent of these court orders occurred in October 2016. The third order occurred in July 2016 and the platform was subsequently banned in the country for hours. Unlike previous cases in which a magistrate required the company to produce users’ IDs and the content of conversations, in this case the magistrate asked WhatsApp to disable its encryption and allow for real time monitoring of conversations. The case in question was an investigation on criminal organizations.

In the previous cases, WhatsApp’s CEO Jan Koum argued: “Not only do we encrypt messages end-to-end on WhatsApp to keep people’s information safe and secure, we also don’t keep your chat history on our servers. When you send an end-to-end encrypted message, no one else can read it — not even us.”

The core of the investigations are being kept secret, which means it is impossible to clearly extract the legal justification that underpins these orders. However, it should be taken into account that temporary blockage of applications is foreseen in Article 12 of the Civil Rights Framework (Marco Civil da Internet) as a possible sanction — but this sanction is intended to apply specifically and only if the right to privacy, data protection, and secrecy of communications are not respected in the Articles 10 and 11 by a connection or service provider (even if it is located abroad). Therefore, a provision that was enacted to increase protection of privacy may be mistakenly applied to implement an excessive and disproportional reaction.

This misleading interpretation has been so polemical that there are several draft bills addressing the issue of blocking applications currently under debate in the National Congress, some of which forbid such practice interpreted as unnecessary and disproportional, while others were conceived to change the Internet Bill of Rights (Marco Civil da Internet, a law aimed at promoting internet users’ rights) and explicitly allow for application blockage by court order, particularly in the context of criminal investigations. The Supreme Court is also holding a public hearing asking experts to provide technical inputs, particularly on how WhatsApp encryption can prevent access to the content of communications relevant for criminal investigations. The court is meant to deliver a decision on an action demanding the prohibition of application blockages but it is unclear when they intend to do that.

The latest attempt to force access to data also included another strategy: block Facebook’s money. In July 2016, a judge blocked US$ 6.07 million of Facebook’s cash, as WhatsApp as a service is ran entirely from outside Brazil and don’t have bank accounts in the country. Nevertheless, the fight over sustaining encryption remains, even because what’s at stake, more than one application or service in particular, is the very possibility of implementing a privacy-friendly technology to a very broad number of users, enabling privacy to non tech-savvy users and even to users unaware of the privacy risks embodied in unprotected communication tools.