Fences in the ether: Brazil’s proposed Internet laws

August 25, 2008

Imagine trying to promote universal Internet access and a robust online business environment with the following laws in place:

It all sounds like a mock-cartoon version of repressive censorship laws, and in fact these regulations were satirized in the graphic novel O’Reilly published earlier this year, Hackerteen, Volume 1: Internet Blackout. But the author of the novel, Marcelo Marques, informed me that the proposals are real. They have been widely discussed in the Brazilian blogosphere and to some extent in the Brazilian press and TV, but they’ve received hardly any attention in the United States.

Rather than launch into a predictable and hackneyed defense of free access, let me start with the stated reasons behind the laws, then look compare this laws to others and list some of the reactions by knowledgeable experts. I’ll finish by seeking the broader vision that lies behind by the proposals.

Rationale for Internet regulation

The chief proponent of Internet regulation in Brazil, Senator Eduardo Azeredo, cited three targets in an interview with a Portuguese-language magazine:

Two justifications I expected to hear—terrorism and unauthorized downloads of copyrighted material—I was surprised to find missing. But I, as well as some Brazilian commentators, have no doubt those issues are also on the minds of the law’s proponents.

Just given those three targets, it’s worth stopping for a moment to see how widely Azeredo has drawn his net and how far these social problems diverge in their causes and risk factors.

Identity theft is an intrusion by criminals into the communications of innocent victims. The exchange of pornography, in contrast, is a crime of cooperation. The victims are not on the Internet at all, but are the children who are abused in order to create the material being exchanged.

This distinction is important. A number of protections can reduce identity theft without incurring the ironic effect of intruding on everyone’s privacy. For instance, we can force businesses not to depend on social security numbers or other fixed pieces of information, and we can make it harder to open accounts so that criminals have fewer opportunities to misuse information. However, we can’t hope to find child pornographers—or other cooperating criminals, such as drug dealers and suicide bombers—unless we give governments easy access to everyone’s communications.

As for stopping computer viruses, I cannot imagine how recording Internet logins can possibly have any benefit at all. The origin of a virus is as hard to track as the origin of the infamous email that claimed Barack Obama was a Muslim. When one virus writer (the author of the Melissa virus) was found, it had nothing to do with tracking his Internet behavior. Rather, the case was cracked due to his laughable ignorance of Microsoft Office; he left routine personal identification information in the file loaded with the virus.

And nowadays, viruses are spread by infecting web sites at least as much as by email. The connection between the perpetrator and the evidence is more and more attenuated.

One small innovation (whether in law or technology) can have diverse effects, not to mention unpredictable ones. This is the dilemma of modern life, from the way we introduce software on the Internet to the way we introduce industrial chemicals into our air and water. We can expect that changes will be far-reaching, but it would be hubris to claim that we could predict the changes. That unfortunately is what legislatures do whenever they pass a law.

Precedents and analyses

Considerable attention has been given to these laws in Global Voices, blogs that are good starting places for English-language readers. A couple short notices have also appeared on Boing Boing.

In general, the commentators discuss the Brazilian laws without reference to similar laws in the European Union. The EU passed a well-known directive requiring ISPs (along with phone companies) to preserve information about users. The Brazilian laws have definite parallels with the Budapest Convention on Cybercrime.

Although the creation of such centralized databases—a historic break from the strong concerns for personal privacy felt in Europe after World War II—creates classic risks, such as break-ins by criminals and abuse by governments, European countries have tried to temper the dangers. For instance, the directive requires information to be kept for only six months (a reduction from the original recommendation of two years), whereas the current Brazilian proposal requires three years.

European countries also require warrants and other legal safeguards. I can’t tell whether there are present in the Brazilian proposal, which requires providers to relinquish data in response to a “judicial requisition.”

Precedents for recording Internet access go even further back; I cover some of them in a 1998 article.

Azeredo’s law, known as Article 22, refers merely to information providers without indicating whether the law will cover public access points such as cybercafes and wireless networks in public parks. Fortuitously enough, a follow-on law described in a Portuguese-language blog by noted sociologist Sérgio Amadeu da Silveira explicitly covers all those places. Amadeu and others point out that the combined laws would eliminate anonymity—precisely Azeredo’s goal. Such guaranted tracking is possible in Brazil because it has a national ID card.

The exemption for private individuals and companies investigating Internet crimes—known as the “digital defense” clause—is perplexing. The Brazilian Congress removed this clause. One blogger claimed that it would merely carve out a safe harbor for research into computer crime and security. But it seems likely that companies such as movie studios would have exploited the exemption to carry out fearsome intrusions on people they suspect of hurting their businesses.

Context and reactions

All this law-making must be set in the context of ubiquitous political corruption, which recently has been dominating the front-page headlines of the newspapers in Brazil every day. Many observers suspect that the framers of the law are rewarding corporations that will take up lucrative middleman roles. Mandated by law to act as auditors who make sure that every institution logs accesses correctly, they will become an effective tax on all Internet access. Jomar Silva of the ODF Alliance discusses this in a Portuguese-language blog along with several other technical and economic effects. In email to me, he reiterated some of the issues.

According to Silva, most Brazilian providers use cheap Linksys and DLink wifi routers. However, these machines don’t have logging capabilities, so the ISPs would have to upgrade to expensive equipment to comply with the law. They would also need to spend a lot to put fail-safe practices in place, in order to comply with the requirement that no log data get lost.

There have also been speculations that the law shifts some of the burden of coping with financial fraud from the banks to the users.

Brazil is not, however, merely a playground for businessmen and politicians in perpetual collusion. It is also a vibrant source of free software; a center for the promotion of free software among businesses; the site of universal access projects like the famous cybercafes or “LAN houses” in poverty-stricken favelas; the country where pop star Gilberto Gil promotes Creative Commons as the minister of culture and where Amadeu has become a national hero for promoting open networks and digital citizenship; and the seat of a government still run by the moderate leftist Partido dos Trabalhadores, whose representatives show less enthusiasm for the proposed laws than the opposing Partido da Social Democracia Brasileira, of which Azeredo is a member.

So the proposals have kicked up a considerable ruckus. An on-line petition gathered more than 100,000 signatures in less than twenty days. The proposals have been answered point by point in English by the previously mentioned Global Voices blogs, and in Portuguese by the blogs of Professor Amadeu and by Silva.

It’s worth looking at some of the clauses in early versions of Azeredo’s bill (for instance, in Global Voices) because they show what little understanding the framers had of the bill’s potential effects—or perhaps worse, how much the framers were willing to disenfranchise Internet users in pursuit of unspoken goals. Surveying the changes in the bill may lead to the deeper understanding I seek in this article: an understanding of the framer’s ultimate vision.

Final note

As the title of this article suggests, I look beyond the contortions of Brazilian law-making to see an underlying philosophy. As the context for the discussion, consider that the Internet has always cut down fences. It has blurred the distinctions between activities in different countries, allowed people to form bonds that span wide geographies, ages, and other demographics, and placed data in a cloud where no one can say exactly where it is. In an attempt to combat crime, the proposed laws try to resurrect boundaries in a profoundly boundary-less place.

In the vision provided by the proposals, everyone would have a personal, individual Internet space. Data would reside only in the space of the original provider; the law doesn’t seem to comprehend the impossibility of permitting the provider to share a video or a piece of data with other people without having it leave this space. National laws would be rigorously enforced on everything that takes place within national borders. Each communication, duly logged by the ISP, would be the responsibility of a particular party—for instance, the person sending an email or requesting a file from a Web site. But the role and rights of the party on the other side of the communication are unclear.

Most of us are uncomfortable with this radically different vision of the Internet. Even my cursory summary of the vision exposes its unfeasibility. Although the proposal are less crude than the censorship practiced by China, Burma or Saudi Arabia, it is conceptually even more regressive.

But if Brazilian law-makers continue to debate the laws with the public, they may refine their proposals and (as the United States Congress did with the overturned Community Decency Act) bring them more into line with how the Internet works. Whether this refinement would be a step forward or an alarming danger is also subject to debate.

Is there an alternative approach to security that keeps the Internet safe and free? I sought such an approach several years ago in an article titled Cyber Hygiene, Not Cyber Fortress Protects Our Networks. Similar sentiments can be found in a book I reviewed named The Future of the Internet (And How to Stop It), by law professor Jonathan Zittrain, and an online article where he summarizes the thesis. Our hope lies in better education, and better coordination between the general public and the experts who understand the risks of Internet use.


Andy Oram is an editor at O’Reilly Media. This article represents his views only.

Author’s home page
Other articles in chronological order
Index to other articles