
Privacy and data protection in the Marco Civil da Internet (Brazilian Civil Rights Framework for the Internet Bill)

The Civil Rights Framework for the Internet Bill (Marco Civil da Internet) was approved by the lower house of Brazil’s Parliament and is now being discussed by the Brazilian Federal Senate, before being enacted into law by Brazil’s president.

A substantial portion of the Bill deals with privacy and data protection – and this is one of its major changes since earlier versions. Its first draft was the result of collaborative work done over the internet, which resulted in a principle-oriented statute with the main aim of assuring a set of rights to internet users. Afterwards, an intense debate emerged concerning issues such as the liability of intermediaries and net neutrality. The Bill was amended in order to regulate these two points more specifically.

Another major development was related to privacy and data protection. Initially, the Bill took a general approach to these issues, contemplating privacy and data protection as general principles for the use of the internet and reaching a more specific tone mainly on the issue of data retention by internet providers.

This scenario changed substantially after Edward Snowden’s leaks – some of them addressed documentation about Brazilian enterprises and politicians. This inspired the legislator to include more specific data protection and privacy rules in the Bill. Thus, its final text ended up with a rather impressive set of privacy provisions, which we’ll proceed to briefly analyse.

Before going to the text, it must be stressed that Brazil does not yet have a general data protection statute, nor general rules about data protection on the internet.

The privacy provisions in the Bill can be broadly classified into three main groups: (i) principles and users’ rights; (ii) specifications on log retention; (iii) access to personal data.

The conceptual definitions of Marco Civil are still basically the same as in its prior versions. The main issue is the lack of a definition of ‘personal data’ (probably an intended one, as the forthcoming general data protection bill shall work directly on this). This absence is not a problem per se, as it is possible to infer a definition from the usage of the term in current Brazilian jurisprudence and legal scholarship: data which is or can be related to an individual. The Bill was also clear enough to specify some special kinds of data that should further be considered as personal (e.g., access logs, among others).

The English text of Marco Civil is a free and unofficial translation. We’ll mention only the parts of the Bill directly related to privacy and data protection. A full (and also unofficial) version of the text can be found here.

(i) Principles and users’ rights

Privacy and data protection are – separately – mentioned as principles for the use of the internet at the very beginning of the Bill.

Art. 3º The discipline of the use of the Internet shall be grounded on the following principles:

II – privacy protection;
III – protection of personal data, in the terms of the law;

The fact that privacy and data protection are mentioned separately evokes the concept of data protection as distinct from privacy and with a different scope – despite their similarities. This approach can be traced to the Charter of Fundamental Rights of the European Union, in which they are both mentioned but in different articles (7 and 8).

Art. 3º, III adds the expression “in the terms of the law” to the mention of the principle of protection of personal data. This means that the general data protection regulation and principles shall be found in another statute, which will regulate data protection in general terms, while the provisions in Marco Civil related to data protection consist of particular specifications that take into account the characteristics of the internet.

It is also worth mentioning that, at first glance, the privacy principles in Marco Civil are compatible with the framework of the draft data protection bill that is currently being prepared by the Brazilian Federal Government.

Chapter II of the Bill sets out the rights of internet users – several of them related to privacy and data protection.

Art. 7º. Access to the Internet is essential for the exercise of citizenship, and the following rights are secured to its users:
I – the inviolability of intimacy and private life, assuring their protection and compensation for material or moral damages derived from their violation;
II – the inviolability and secrecy of communications on the Internet, except under judicial order, in the hypotheses and form established by law;
III – the inviolability and secrecy of stored private communication, except under judicial order;

Art. 7, I to III basically stresses that the general guarantees regarding privacy found in the Brazilian Constitution, and partly replicated in the Brazilian Civil Code, are applicable to the internet.

These provisions could be read as rather redundant, except for one very important point made clear by Art. 7, III. This particular provision concerns the interpretation Brazilian courts make of the Brazilian Constitution, according to which the constitution only protects data while it is being communicated (e.g., in a telephone call) and not data which is stored (e.g., in the memory of a computer or in a datacenter). The Bill recognised this paradox and endowed stored data with the same level of protection that communications have, filling an old gap that was no longer reasonable given today’s feasibility of storing most communications data.

VI – the information provided in Internet service provider agreements must be clear and comprehensive, including detailed information on the protection of connection logs and access to Internet applications records, as well as network management practices that may affect quality;

Art. 7, VI, together with VIII, can be read as a mandate to make privacy policies or any terms of use applicable to personal data clear and understandable. This is particularly important given the fact that consumer law also, and often, applies to personal data used on the internet, and taking into account that the recent Decree 7.962 of 2012 makes mandatory the easy and meaningful communication of any relevant characteristic or restriction of the service to the consumer.

The provision also mentions the necessary availability of information about “logs and access to internet records”, which are the data that the Bill will further regulate in a very stringent way.

VII – guarantee that personal data, including connection logs and access to Internet applications records will not be shared with third parties, except upon the user’s express free and informed consent or as provided by law;

Consent is here presented as the instrument the individual can use to decide whether his personal data will (or won’t) be disclosed or transmitted to third parties. The connection logs and ‘internet applications records’ mentioned here will be further detailed in specific provisions later.

The consent must be free (it must correspond to the actual will of the citizen, not forced by any means) and informed (valid only after the citizen has been given enough information to know the context and the consequences of his choice) – both are very important criteria that must lead industry to be clear and precise when informing citizens and asking for their consent.

Lastly, consent will not be required when there is a specific law permitting the treatment of personal data without consent.

VIII – there must be clear and comprehensive information on personal data collection, use, storage, care and protection, which can only be used for the purposes that

a) justify the collection;

b) are not prohibited by law; and

c) are specified in the Terms of Service or Use of Internet applications.

Here Marco Civil begins to turn into a small data protection framework, as two of its main principles are presented: transparency and purpose.

The need for ‘clear and comprehensive’ information is a consequence of the adoption of the informed consent mechanism and clarifies that all treatments of personal data shall be known and transparent to the data owner, both in their existence and in their characteristics.

The purpose principle here stresses that use of personal data for purposes other than those known (and authorized) by the data owner is unlawful. Thus, the secondary use of personal data (out of its prior purpose) will not be possible unless a new consent is sought.

It is very important to note that these (and other) provisions are valid and must be followed also in the case of data treatments authorised by law without the consent of the data’s owner. Thus, if the law allows personal data to be used by an enterprise for a certain purpose and without consent (for databases of unpaid loans, for example), this does not in any way mean that the data can be used for any other purpose not explicitly mentioned in the law.

IX – clear consent of the collection, use, storage, processing of personal data, which shall occur separately from the other contractual terms;

The consent requirement is mentioned again, but this time in general terms: consent shall be obtained for any form of treatment of personal data, which is mentioned in its fundamental forms of ‘collection, use, storage, processing’.

A fundamental specification here is that consent cannot be obtained through a clause inserted in a contract together with other provisions – it must be obtained separately. This is a traditional formal contractual tool to assure that the data subject actually had the opportunity to freely reflect before giving his consent.

X – upon a user’s request, at the end of the term of the agreement between parties, personal data stored in connection with access to an application must be completely removed, except in case of mandatory record keeping established in this Law; and

Marco Civil included here a ‘right to be forgotten’ provision, which is rather weak and potentially problematic. In fact, the Bill should have recognised that, at the end of the agreement between the parties, personal data must be completely removed by an internet application, for the very reason that there would no longer be any contractual justification for its maintenance. Anyway, the provision does not change the fact that the consent was given for a certain use of the data during an agreement and that, of course, the end of the agreement implies the necessary destruction of the data, unless the law or the contract provide otherwise.

Another problematic point is that the text gives the impression that the individual is free to ask for the removal of his data only at the end of an agreement. Nonetheless, there will be occasions in which the individual does not want (or even cannot) end or break an agreement, yet may want his personal data to be totally or partially removed. In several situations this will be a legitimate claim, and the Marco Civil provision must be interpreted in a way that safeguards this fundamental right of the individual to revoke, totally or partially, his consent to the treatment of his data, even without ending another agreement.

As Marco Civil does not permit some categories of personal data to be erased, it states that, on some occasions, even a request from the citizen is not enough to have the data deleted. These are the cases of log retention, to be analysed later.

XIII – incidence of consumer protection and defence rules in all consumer relations conducted on Internet.

The fact that several data treatments conducted on the internet are also subject to consumer law endows the internet user with a very protective set of consumer rules to assure that his personal data will be fairly used. The intersection between Marco Civil and consumer law (mainly Law 8.078 of 1990) will, thus, be the main framework regulating personal data on the internet while there is no general data protection law enacted.

Importantly, Brazilian courts recognise that consumer law is also applicable to internet services which are provided ‘free of charge’, that is, whenever it is possible to identify any form of ‘indirect payment’ (such as, in fact, the permission to use personal data).

Article 8 Protection of the right to privacy and freedom of expression in communications is a prerequisite for the full enforcement of the right of access to the Internet.

Sole paragraph. Any provision contrary to the above is void, such as one which:

I – implies offence to inviolability and confidentiality of private communications over the Internet; or

The last of the ‘general’ data protection provisions in the Bill provides another strong and sound affirmation of the fundamental value of privacy (as well as of freedom of expression) whenever the internet is concerned.

This article even makes use of a common procedure in consumer law, that is, to recognise as void any contractual clause which is contrary to the right to privacy (as well as, specifically, the secrecy of private communications). In such cases, the clause is to be considered as not written, although the rest of the contract can still be valid and enforced.

(ii) Specifications on log retention

Section II
Record, Data Protection and Private communications protection

Article 10. Record retention of Internet connection and access to application logs, for the purposes of this Law, as well as personal data and private communications content, must protect the privacy, private life, honour and image of the parties directly or indirectly involved.

Before mentioning the mandatory retention of some types of personal information, Marco Civil makes it clear that the stored data must be used only in accordance with the law. This technique of stating the protective standard first and the data retention second reinforces the interpretation of data retention as an exception that must be treated as such.

The provision calls for the protection of the personal data of everyone involved, be it the sender or receiver of the communication, as well as any third party mentioned or indirectly involved.

§ 1 The provider responsible for record retention will only be required to provide the aforementioned logs, alone or combined with personal data or other information that may help identifying a user or terminal, upon court order, as set forth in Section IV of this Chapter, complied with article 7o.

As a way to protect the individual, the stored logs must only be disclosed upon judicial order, thus avoiding generic (and, on some occasions, bad-faith) requests for access to personal data processed through some easier route.

Not only logs, but also other stored personal information useful to identify users, can be handed over by the provider upon judicial order.


§ 2o. Private communications content may only be released by court order, in the terms and provisions established in this Law, complied with article 7, II and III.

The specific mention of the content of communications in § 2º strengthens the conceptual difference between content and metadata in internet communications. It also makes mandatory a specific judicial order to access the content of a communication, which cannot be a general one or one that only refers to the metadata involved in the communication.

§ 3o The provisions in this article do not prevent the access by administrative authorities that have legal competence to request data related to personal qualification, affiliation and address, in terms of the law.

This provision establishes a major exception in Marco Civil: in particular situations, personal data can be requested by an administrative authority without the need for a warrant.

It is important to note that not all personal data is subject to this kind of request, but only ‘personal qualification, affiliation and address’.

This provision is essentially a repetition of one found in Law 12683 of 2012, which authorised the police and the public prosecutor to request data for the purpose of investigations regarding money laundering.

As this provision is, and must be considered, an exception, its interpretation is restrictive and must take into account the limits to the requisition of personal data already set out in Law 12683 of 2012, which basically narrow these requests to the scope of ongoing investigations. Thus, even if this provision is a fundamental exception in Marco Civil, an integrative reading of the statute assures that it may not, in any sense, be taken as a general or multi-purpose exception, and that its misuse is unlawful by its own terms.


§ 4º Security and confidentiality measures and procedures must be communicated by the provider and clearly meet the standards set forth by regulation.

This provision establishes that the citizen must be informed of the security measures taken to protect his data from misuse and unauthorised access. The specifics of the security measures and standards that must be followed for the treatment of personal data on the internet are to be detailed in secondary legislation issued by the Brazilian government.

Art. 11. Any operation involving collection, storage, retention and treatment of records, personal data and communications by Internet connectivity and applications providers, wherein at least one of these acts occur in national territory, it will be mandatory to comply with national legislation, privacy rights, data protection rights and the confidentiality of private communications and records.

§ 1º The provisions in this article apply to any data and communications content collected in the national territory, wherever at least one of the terminals are located in Brazil

§ 2º The provision in this article applies to foreign-based legal entities, if they provide services to Brazilian audience or at least one of the holder in the same economic group is based in Brazil.

§ 3º Internet connectivity and applications providers have to provide information that allow for the inspection of compliance to Brazilian legislation referring to collection, retention, storage and treatment of data, as well as the respect to privacy and confidentiality of communications, under the terms of the law.

§ 4º A Decree shall regulate the procedures for inspection of violations to this article.

This is the jurisdiction clause of Marco Civil, which establishes that any treatment of personal data that is processed in Brazil, even if only partially and even if the data is only collected by means of a terminal located inside the territory, must comply with Brazilian legislation (which includes but is not restricted to Marco Civil).

Foreign companies are subject to this rule whenever they provide services to Brazilian citizens. This means that even if a company does not particularly focus on or target Brazilian users but admits them as customers, this provision shall apply. Also, if the company has a foothold or a subsidiary of its group in Brazil, the provision will apply.

Companies must also permit inspections aimed at verifying the compliance of their practices with the legislation. The Bill does not specify nor clarify which body is in charge of this inspection, although the inspection procedures are also going to be further regulated in a Decree (the second explicitly mentioned in Marco Civil).

Art. 12 Regardless of other civil, criminal or administrative sanctions, any violation to articles 10 and 11 are subject to the following sanctions applied exclusively or in conjunction with others, according to each case.

I – Warning, with a deadline to start any corrective action;

II – fine up to 10% of the economic group revenue in Brazil, according its last financial year, excluding taxes, and considering the economic condition of the offender and the principle of proportionality between the level of fault and the severity of the penalty.

III – temporary suspension of activities involving the actions referred in article 11;

IV – prohibition of activities that involve the actions referred in article 11.

Sole paragraph. In the case of foreign based companies, any subsidiary, branch, office or establishment in the country will be jointly liable.

Here we find listed the substantial sanctions for non-compliance with the data retention provisions in the Bill, which range from warnings, corrective measures and fines to suspension and even prohibition of the activities that involve data retention. Foreign companies are also subject to these sanctions, which can also be imposed on their Brazilian subsidiaries or the like.

Subsection I
Internet Connection Records Retention

Art. 13. Under the terms of the relevant Regulation, when providing Internet connection, autonomous system administrators are obliged to retain connection records under strict confidentiality, in a controlled and safe environment for one year.

§ 1 The responsibility for retaining connection logs cannot be transferred to third parties.

§ 2 The police, administrative authorities or the public prosecutors may require that precautionary connection logs are retained for longer than foreseen in the caput of this article.

§ 3 In the case foreseen in paragraph 2, the applicant authority shall have a period of sixty days, from the date of request to the ISP, to file for a court order to authorise access to the referred records.

§ 4 The provider responsible for record retention must protect the confidentiality of the requests foreseen in paragraph 2, which shall be void if the court order is denied or if it is not filed within the period set forth in paragraph 3.

§ 5º In any case, the availability of records mentioned in this article to the applicant must be preceded of a court order, according Section IV of this Part.

§ 6º In the execution of sanctions for the violations of this article, it should be considered the nature and severity of the infraction, the respective damages, potential benefit gathered by the offender, aggravating circumstances, background violations of the offender and recidivism.

The data retention performed by internet providers embodies a long-debated provision of Marco Civil – and is, interestingly, one of the main reasons for the very existence of the Bill! In effect, this piece of legislation was first proposed as a counterpart to another Bill that proposed mandatory data retention within a legal framework built upon criminal sanctions.

The very definition of a connection log can be found at Article 5, V:

VI – connection log: a set of information regarding the date and time that the Internet connection begins and ends, its duration and the IP address used by the terminal to send and receive data packets;

The minimum retention period for connection logs is one year, but this period can be extended at the request of the police, administrative authorities or the public prosecutors (no judicial order is needed for the extension, but the application for a judicial order must be filed within 60 days).

There is no maximum time limit for data retention.

The log must be kept by the company which collected it. In order to comply with this obligation, the company will not be able to use a contractor or third party as a kind of ‘data processor’.

Subsection II
Access to Internet Applications Records Retention in Connectivity

Art. 14. In the provision of Internet connection, costly or gratuitous, it is forbidden to retain records of access to Internet applications.

Marco Civil uses the technique of not bundling together the connection logs (kept by ISPs) with data from ‘internet applications’ (kept by sites and the like) – in fact, it forbids it. This very explicit measure is key to its privacy framework, as it expects ISPs not only not to deal with the contents of one’s connection, but also not to keep logs of what is happening in the sphere of ‘internet applications’, which would be a domain reserved for OTT (over-the-top) providers.

As the Bill makes both kinds of logs mandatory (at least for the large branch of applications with ‘economic purposes’), this provision aims to draw a strict line between these two main genres of mandatory logs, which will, in fact, be the very ‘recent memory’ of internet use in Brazil once the Bill is enacted and in effect. It is debatable whether it is really possible to conceive such a clear and concrete line.


Subsection III
Access to Internet Applications Records Retention for Applications Provision

Art. 15 Providers established as a legal entity acting in organised and professional structure, with economic purposes, shall keep records of their access to Internet application, under confidentiality, in safe and controlled environment, for at least 6 months, under the terms of regulation.

§ 1º Court order may require, for a specific time frame, Internet applications providers that are not under the above mentioned requirements, to keep record of access log to Internet applications, only if it is related to a specific event in a specific period

§ 2º The police, administrative authorities and public prosecutors may require in precaution to any Internet applications provider that records are stored, including for a longer term than above-mentioned, observed the procedure and terms set forth in § § 3 and 4 of article 13 from this Act.

§ 3º In any case, the availability of records mentioned in this article to the applicant must be preceded of a court order, according Section IV of this Part.

§ 4º In the execution of sanctions for the violations of this article, it should be considered the nature and severity of the infraction, the respective damages, potential benefit gathered by the offender, aggravating circumstances, background violations of the offender and recidivism.

Several Internet applications shall have to keep records of their users’ access for at least six months.

Internet applications are, according to Article 5, V:

VII – Internet application: a set of features that can be accessed by a terminal connected to the Internet

And the logs of access to them contain, according to Article 5, VIII:

VIII – Record of access to Internet applications: a set of information regarding the date and time when a specific Internet application was used, from a given IP address.

This measure is a very extreme one, as it may not only drastically increase the volume of personal data being kept as a result of regular internet navigation, but also makes it impossible to run several kinds of privacy-friendly services which are not meant to preserve records of their normal use.

More data being kept means more costs in the eyes of internet enterprises, but it has another very negative consequence for internet users: it raises the risk of something bad happening to personal data, such as unauthorised access, accidental disclosure and so on.

Even if the records mentioned do not directly contain personal information, it is clear that they will be useful only when they can be contextually related to an identifiable individual; so, for the proposed purposes, they must be considered equivalent to personal data.

This kind of mandatory log was a last-minute addition to the Bill that was not fully discussed, as other provisions were. It finds practically no equivalent in other legislation (in fact, data retention usually refers to ISP logs and not to logs from internet sites). A strong argument can be made against it on the grounds of the principles of proportionality and economy.

Only for-profit legal entities qualify as applications that are bound by this provision. The Bill requires a judicial order as the only means for these logs to be disclosed, and even establishes in § 4 some requirements for the order to be issued.

As with connection logs, there is no time limit on the retention of these logs, as the six-month period can be extended at the request of an authority.

Art. 16. When providing paid or free Internet applications, it is forbidden to retain:

I – access log to other Internet applications without the data owner previous consent, in compliance with article 7o.

II – personal data that exceed the purpose for which has been consented by the holder.

One internet application is forbidden to keep records of access to other internet applications, in order to draw another clear line around who are the natural depositories of these records.

Nonetheless, this can be done provided the data owner has given his consent.


Art. 17. Except in the cases mentioned in this Law, the choice to not to keep records of access to applications does not imply liability for damages from use of these services by third parties.

The provision aims to prevent the retention of access data to internet applications from becoming the implicit rule also for non-profit services or for other services not mentioned in Article 15.


(iii) Access to personal data


Section IV
Court Order for Disclosure of Records

Art. 22 For the purpose of gathering evidence and proof for legal proceedings in civil or criminal areas, the interested party may request a judge an order addressed to the entity responsible for record retention to disclose connection or access to applications logs, on an incidental or standalone basis.

Sole paragraph. Without prejudice to other legal requirements, the court order shall contain, subject to becoming void:

I – underlying evidence of the offence;

II – detailed reasons for the relevance of the requested records to the investigation or probative use, and

III – the specific period the records refer to.

Art. 23 The judge is responsible for taking the necessary steps to ensure the confidentiality of the records received under custody, and to safeguard the privacy, private life, honour and image of the user. The judge may deem the legal proceedings classified.

The judicial order, generally required to access private information, is directly mentioned in Arts. 22 and 23.

A judicial order can be issued in criminal as well as in civil cases. This substantially widens the array of situations in which a judge can find it reasonable to issue such an order, when compared to some proposals to make it possible only in criminal cases.

In order to restrain the effects of an excessively wide judicial order, the Bill states that the order shall only be issued after the judge has received underlying evidence of the offence being discussed; after having received and considered the relevance of the data to the investigation in course, the judge must also define the specific period to which the order refers.

The principles of proportionality (regarding the weighing of the importance of the data requested against its importance to the investigation) and specification (regarding the limits on the time period to which the requested data refer) are present and are important constraints on any form of abuse, intentional or not. Moreover, the judge is not only supposed to issue the order but, as Article 23 mentions, he needs to take any necessary precaution to assure the privacy of the individuals affected by the disclosure of the data. This provision also includes the possibility – and, we shall add, the necessity – of the judge classifying the proceedings related to the requested data, as part of his duty to safeguard the privacy of the citizens involved.


Danilo Doneda

The author would like to thank Norberto Nuno de Andrade for his comments on a draft of this post.


Facebook’ “Sponsored Stories” challenged in Brazilian’s court

 A class action has been presented by the Brazilian Institute of Computer Law (IBDI) against Facebook’s Sponsored Stories product over a collective moral damage at the sum of R$ 76,000,000. The product is alleged to be unfair, abusive and in violation of consumer’s privacy

In their petition, IBDI’s lawyers argue that consumers’ privacy is violated both for lack of consent and as an abusive commercial practice. According to the petition, Facebook is in violation of the Brazilian Civil Code, which protects an individual’s name and image as personality rights:

Art. 18 Without consent, one shall not use someone else’s name in advertising.

Art. 20 Except where consent was given, or where necessary to the administration of justice or the maintenance of public order (…), the display or use of a person’s image may be prohibited at their request if the use or display harms their honour, good reputation or respectability, or if it is intended for commercial purposes.


The Brazilian Federal Constitution contains a general privacy rule which embraces intimacy, private life (vie privée), honour and image as expressions of an individual’s personality.

Although Facebook announced in January of this year that it would discontinue Sponsored Stories, IBDI’s class action represents one of the first internet-related privacy lawsuits in Brazil.


Brazilian Congress to vote on mandatory storage of personal data on the Internet

The Bill known as the “Internet Civil Rights Framework” (Marco Civil da Internet in Portuguese) seems ready to be voted on in the Parliament’s lower house this week. Besides a handful of controversial measures regarding issues such as net neutrality, the Bill proposes a very strict obligation for Internet sites: they must keep a log of access and usage for the last six months.

This piece of legislation would make the retention of personal data mandatory, not only for the connection provider (which would be obliged to keep records of the whole last year of connections, according to art. 14 of the Bill), but now also for the so-called ‘application provider’.

This measure appears in article 16 of the latest version of the Bill:

Art. 16. The legal entity that acts as a provider of Internet applications and exercises its activity in an organized and professional manner and for profit shall keep the records of access to its Internet applications, in secret and in a secure and controlled environment, for a period of six months, according to the terms to be set forth by further regulation.

This measure not only contradicts all previous versions of the Bill (which is a work in progress that began with a draft generated by a public consultation in 2010); it also establishes an unprecedented duty for all “for profit” Brazilian Internet players who run a site or service to keep private information about their users for six months, regardless of any consideration of their users’ consent.

Even though the Bill mentions protective measures for data subjects, it is clear that the mere existence of a mandatory register of personal data is, per se, a danger that users cannot avoid, since their free consent would not be taken into account. Moreover, the lack of a general framework for personal data protection makes the whole environment at the very least prone to the misuse of personal information.

Several Brazilian NGOs and civil society organisations voiced their concerns about this issue this week.

[UPDATE 24 February] The vote was postponed to next week (around 25 February).

[UPDATE 17 March] Congress has yet to vote on the Bill. Last week, PMDB (a political party that is part of the governing coalition but has its own views on the Marco Civil Bill) presented an alternative version of the Marco Civil [available here]. Its main points are: (i) net neutrality would not be mandatory; (ii) data centres of Internet companies would not have to be located in Brazil; (iii) the Brazilian Telecommunications Agency (ANATEL) would draft the exceptions to net neutrality.

Brazil monitors protests against the 2014 World Cup

On the eve of the World Cup, Brazil is monitoring potential protesters through social networks and communications media.

In 2013 Brazilian society rose up in demonstrations that were broadcast worldwide as the “Brazilian Autumn”, in reference to the Arab Spring. President Dilma Rousseff even made a public statement of support for the democratic demonstrations.

During the 2013 Confederations Cup in Brazil, civil protests took place throughout several cities of the country. They were ongoing public demonstrations of dissatisfaction, at first directed against public transport fare increases and later growing to include other economic, political and social issues.

The Confederations Cup has long ended and the 2014 World Cup is still a few months ahead. Nevertheless, protests continue, with slogans such as “There Will Be No World Cup”.

Public support for the protests is now mixed with fear of social disruption in the eyes of the international community, especially given the actions of the “Black Bloc” groups, which confront the police and break with the peaceful tone of the demonstrations.

Alongside this awakening of Brazilian society, it has also become known that the authorities have been monitoring social media communications, have used advanced technology to locate protesters’ computers and have even infiltrated the movement to gather more precise information, according to an anonymous official.

The policing of the protests was marked by violent repression, with striking images of injured citizens, journalists, policemen and even tourists. In addition to the use of force, the Army’s Center for Cyber Defense has used software known as “Guardião” (Guardian) to monitor communications related to the protests. The information collected was reported to the Federal Police, the security secretariats of the cities involved and the Federal Public Prosecutor.

“Guardian”, software from the Brazilian technology company Dígitro, monitors voice and data and is said to be very similar to the technology used by the US National Security Agency (NSA). According to General José Carlos dos Santos of the Army’s Center for Cyber Defense, the monitoring is legal and is justified by national security policies and actions. He also claims that the software is configured and customized by its user, that it did not monitor citizens indiscriminately, and that it was used only during the 2013 Confederations Cup.

The media office of Brazil’s SESGE, the division of the Ministry of Justice in charge of World Cup security, referred questions about government surveillance initiatives to the Ministry of Defense, which declined to comment, according to Reuters.

Brazilian government and enterprises found to be targets of NSA monitoring

The Brazilian government and its biggest oil company, Petrobras, are reported to have been spied on by the US National Security Agency (NSA). Documents released by the whistleblower Edward Snowden to The Guardian journalist Glenn Greenwald show that the NSA is conducting intelligence-gathering operations that go beyond its core mission of national security. Brazil appears in several files showing that the US agency intercepted Brazilian communications and spied on President Dilma Rousseff and her aides. Petrobras is among several targets of the agency’s Blackpearl program, which extracts data from private networks.

Petrobras is the largest company in Brazil and one of the 30 biggest businesses in the world. Majority owned by the state, it is a major source of revenue for the government and is developing the biggest oil discoveries of this century, which are in a pre-salt region deep under the Atlantic.

In a top secret presentation titled “Private networks are important”, slides prepared by Britain’s GCHQ list as targets Petrobras, along with the Belgium-based Society for Worldwide Interbank Financial Telecommunication (better known as SWIFT, the organisation that oversees international bank transfers thought to be secure), the French foreign ministry and Google. There are several other targets on the list, some of which may have links to terrorist organisations and other operations that potentially threaten the US. One slide, headed “Results – what do we find?”, notes that private network traffic is collected from energy companies, financial organisations and airlines, as well as foreign governments. These records show how two programs that monitor private networks, “Flying Pig” and “Hush Puppy”, work.

In the overview of another surveillance operation, called Blarney, one slide provides a list of requirements that includes “economic” information as well as military, diplomatic, political, counter-proliferation and counter-terrorism data. The presentation also explains how the NSA intercepts the information. According to the document, the spying is carried out through a computer network attack known as “man in the middle”: the data are diverted through the NSA’s centre and then forwarded to the recipient without anyone noticing. One of the records disclosed by Snowden and broadcast on “Fantástico”, one of the country’s most influential TV programmes, from Rede Globo, says that the name of the key target program for Latin America is “Silverzephyr”. The program records the metadata of all information that travels over the network, as well as the content of recorded voice and fax communications.


Brazilian court set to disclose personal data of 140 million citizens to Serasa/Experian

The Brazilian Superior Electoral Court (Tribunal Superior Eleitoral, or TSE), the highest court dealing with electoral matters, signed a contract with Serasa/Experian, one of the leading financial databases in Brazil, under which the Court was to give Experian personal data of all Brazilian citizens entitled to vote. This amounts to more than 140 million citizens.

Although the contract specifies that only a set of personal data would be sent (name, electoral number, date of birth and mother’s name), it must be stressed that the Court holds what is probably one of the biggest biometric databases in use, collected in order to provide biometric authentication of each citizen in the automated Brazilian voting system.

The Court’s president, soon after the news about the contract was published by some of the major Brazilian newspapers, denied knowledge of it, stated that the disclosure of personal data is illegal and said that the contract would be reviewed.

[contract available here (Portuguese only)]