Brazil’s Fake News Bill: Perils and Flaws of Expanding Existent Data Retention Obligations
Deeplinks 2021-11-09
Summary:
This post is the second of two analyzing the risks of approving dangerous and disproportionate surveillance obligations in the Brazilian Fake News bill. You can read our first article here.
Following a series of public hearings in Brazil's Chamber of Deputies after the Senate's approval of the so-called Fake News bill (draft bill 2630), Congressman Orlando Silva released a revised text of the proposal. As we said in our first post, the new text contains both good and bad news for user privacy compared to previous versions. One piece of bad news is the expansion of existing data retention mandates.
Brazil’s Civil Rights Framework for the Internet (known as “Marco Civil”, approved in 2014) already stipulates the retention of “connection logs” and “access to application logs” by the internet service providers (ISPs) and application providers the law covers. Internet applications broadly refer to websites and online platforms. According to Marco Civil, application providers constituted as legal entities, with commercial purposes, must collect and retain the date and time the application is used, from a certain IP address, for a period of six months. Article 37 of the bill seeks to indirectly expand the definition of “access to application logs” to compel application providers to retain “logs that unequivocally individualize the user of an IP address.”
Since the debates on the approval and further regulation of Marco Civil, law enforcement has pushed for including information about users' network ports in the law’s data retention obligation. They have sought to influence legislation and courts' understanding of the existing retention mandate, since Marco Civil doesn't mention the storage of users' ports. This push is motivated by the current use of technical solutions (particularly those based on Network Address Translation (NAT)) that enable multiple users to simultaneously share a single public IP address. There is a shortage of public IPv4 addresses, and to help mitigate this issue, NAT lets several private IPs sit behind one public IP. NAT does this by allocating a range of ports on the public IP to each private IP. A server on the internet, however, sees only the public IP address and the source port of a connection; identifying the private host behind them still requires correlating that information with the ISP's NAT logs.
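To make the correlation problem concrete, here is an added example (not code from EFF or from the bill's text) that simulates a carrier-grade NAT where one public IPv4 address is shared by several subscriber accounts, each holding a block of source ports for a lease window. All account ids, addresses, port blocks and timestamps are constructed sample values. The lookup shows how many accounts an application log entry could correspond to, with and without the source port the bill would have applications retain, and how clock differences between the application's and the ISP's logs reintroduce ambiguity.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NatLease:
    subscriber: str   # ISP-internal account id (constructed sample value)
    public_ip: str    # shared public IPv4 address
    port_lo: int      # inclusive source-port block assigned to this account
    port_hi: int
    start: datetime   # lease window during which the block was in use
    end: datetime


T0 = datetime(2021, 11, 9, 12, 0, 0)
H = timedelta(hours=1)

# Constructed ISP NAT log: one public IPv4 shared by four accounts, each
# holding a 4096-port block; account-C takes over account-B's block after
# B's lease ends, which is where time-based correlation gets fragile.
ISP_NAT_LOG = [
    NatLease("account-A", "203.0.113.5", 1024, 5119, T0, T0 + 6 * H),
    NatLease("account-B", "203.0.113.5", 5120, 9215, T0, T0 + 2 * H),
    NatLease("account-C", "203.0.113.5", 5120, 9215, T0 + 2 * H, T0 + 6 * H),
    NatLease("account-D", "203.0.113.5", 9216, 13311, T0, T0 + 6 * H),
]


def candidates(public_ip, seen_at, src_port=None, skew=timedelta(0)):
    """Accounts whose NAT lease could explain a connection that an application
    logged from `public_ip` at `seen_at`. `src_port` is the extra field the
    bill would add to application logs; `skew` is the tolerated clock
    difference between the application's and the ISP's timestamps."""
    matches = set()
    for lease in ISP_NAT_LOG:
        if lease.public_ip != public_ip:
            continue
        # Widen the lease window by the clock skew in both directions.
        if not (lease.start - skew <= seen_at <= lease.end + skew):
            continue
        if src_port is not None and not (lease.port_lo <= src_port <= lease.port_hi):
            continue
        matches.add(lease.subscriber)
    return sorted(matches)
```

With only the IP address and time, three accounts remain possible; adding the port narrows it to one, yet a one-minute clock skew around a lease handover already yields two candidates, so "unequivocally" is not something the application can promise.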
Despite controversies in courts and well-founded criticism that judicial interpretation should not expand data retention obligations, recent rulings from the Superior Court of Justice (STJ) have upheld such a troublesome extension. Article 37 of the bill seeks to override this controversy with language that can reach even beyond the problematic retention of network ports.
The new provision forces internet applications to unequivocally individualize the user of an IP address, apparently based on the flawed aspiration of linking a given IP address to a specific user without a margin of error. This language offers wide-open interpretations by law enforcement and courts that could severely extend the current data retention mandates, or even force the use of persistent identifiers linked to our every single move online. There are so many variables in internet routing that it is not possible for an application to say unequivocally who is related to a connection.
Link: https://www.eff.org/deeplinks/2021/11/brazils-fake-news-bill-perils-and-flaws-expanding-existent-data-retention