August 28, 2020


InternetLab's Report Sets Direction for Telecom Privacy in Brazil


Five years have passed since InternetLab published “Quem Defende Seus Dados?” (“Who defends your data?”), a report that holds ISPs accountable for their privacy and data protection policies in Brazil. Since then, major Brazilian telecom companies have provided more transparency about their data protection and privacy policies, a shift primarily fueled by Brazil’s new data protection law.

InternetLab’s fifth annual report, which launches today, identifies steps companies should take to protect Brazil’s telecom privacy and data protection. This edition, featuring eight telecom providers for mobile and broadband services, shows Brazilian telecom provider TIM leading the way, with Vivo and Oi right behind. TIM scored high marks for defending privacy in public policy debates and the judiciary, publishing transparency reports, and transparent data protection policies. In contrast, Nextel came in last place, as it did in 2019, far behind its competitors. Nextel did take a step forward in defending privacy in the judiciary, in contrast to 2019, when it received no stars in any category.

In stark contrast to InternetLab’s first report in 2016, half of the covered providers (Claro, NET, TIM, and Algar) have made significant progress in the data protection category. After being poorly rated in 2019, Algar obtained a full star this year in this category, a positive change as Brazil starts embracing its new GDPR-inspired data protection law.

This year’s report also assessed which companies stood out in publicly defending privacy against unprecedented government pressure to access telecom data during the COVID-19 pandemic. For context, Brazil’s Supreme Court suspended the government’s provisional measure 954/2020 that ordered telecom providers to disclose their customers' data to the Brazilian Institute of Geography and Statistics (IBGE) during the health emergency. The court ruled the measure overbroad and found that it failed to clarify the purpose of the request. Oi called upon IBGE to sign a term of responsibility before disclosing the data.

Unfortunately, telecom providers also signed non-transparent data-sharing agreements with states and municipalities to help public authorities fight the COVID-19 pandemic. Here, Vivo and TIM publicly committed in the media that only anonymous and aggregated data, via heat maps and pivot tables, would be shared with the government. In São Paulo, for example, the deal allows public authorities access to a data visualization tool that includes anonymous and aggregated location data to measure the effectiveness of social distancing orders. After a São Paulo court ruled the agreement should be public, many telecom providers published the relevant policies on their sites, including TIM, Vivo, Claro, NET, and Oi. The companies' policies, however, did not specify the security practices and techniques adopted to ensure the shared data’s anonymity. In the future, companies should publish their policies proactively and immediately, and not after public pressure.

Most providers continue to seriously lag on notifying users when the government requests their data. As we’ve explained, no Brazilian law compels either the State or companies to notify targets of surveillance. Judges may require notice, and companies are not prevented from notifying users when secrecy is not legally or judicially required. Prior user notice is essential to restrict improper government data requests of service providers. It is usually impossible for the user to know that the government demanded their data unless it leads to criminal charges. As a result, the innocent are least likely to discover the violation of their privacy rights.

The report also evaluates for the first time whether the companies publish their own Data Protection Impact Assessment; unfortunately, none did so. In the face of controversy on the interpretation of laws compelling companies to disclose data to the government, this year’s report, for the first time, looks at companies’ transparency regarding their legal understanding of such laws.

Overall, this year’s report evaluates providers on six criteria: data protection policies, law enforcement guidelines, defending users in the judiciary, defending privacy in policy debates or the media, transparency reports and data protection impact assessment, and user notification. The full report is available in Portuguese and English. These are the main results:

Data protection policies

Some providers are now telling users what data they collect about them, how long the information is kept, and with whom they share it (although frequently in an overly generic way). In some cases, providers notify users about changes in their privacy policy. Nathalie Fragoso, InternetLab’s Head of Research on Privacy and Surveillance, told EFF: In contrast to 2016, there has been a significant advance in the content and form of privacy and data protection policies. They are now complete and accessible. However, information on data deletion is often missing, and changes in their privacy policies are rarely proactively reported. While Claro and TIM send messages to their users about their privacy policy changes, Oi only tells users that any change will be available on their website. Far behind is Vivo, which reserves the right to change its policy at any time and does not commit to notifying users of such updates.

The report also sheds light on how providers respond to users’ requests to access their data, and it evaluates the effectiveness of such responses. Nathalie Fragoso told EFF: We sent requests for our personal data to all the providers surveyed in this report, and gave them one month to respond. Our requests included any information relating to us. All providers, however, comply by disclosing only our subscriber information, except Claro and Oi, who fail to do so. We also learned that Algar and TIM took additional steps to certify the requestor’s identity before disclosing the data, a good practice that deserves to be highlighted.

Defending users’ privacy in the media or public policy debates

This year, Quem Defende Seus Dados? assesses whether providers defended users’ privacy and data protection in public policy debates or the media. The first parameter evaluates the companies’ public contributions to congressional discussions and public policy consultations around data protection. Even though Vivo wrote a public submission to the “National Strategy for Artificial Intelligence” consultation, it made no concrete, normative or technical proposals to protect its customers. On the other hand, InternetLab found that TIM’s policy statements took a clear and robust pro-privacy stand on the same consultation. TIM calls for transparency and an explanation about AI systems. It also recommends providing sufficient information to those affected by an AI system to understand the reasons behind the results and allow those adversely affected to contest such results.

Law enforcement guidelines

Most providers seriously lag in publishing detailed guidelines for government data demands. Vivo Broadband and Mobile lead the way in this category; however, none obtained a full star. This category includes five parameters, which you can read in more detail in the report. Below we summarize two that deserve attention:

Identifying which competent authorities can demand subscriber data without a court order

Brazil’s Civil Rights Framework generally requires a court order to access communications data, including location data and connection logs. It has an exception for when “competent administrative authorities” demand subscriber data when authorized by law. There is controversy about which government officials are included within the term “competent administrative authorities.” Thus, the report focuses closely on whether each company publicly explains its interpretation of this legal term, and if so, how it does.

The report also focuses on whether the companies publicly explain which kinds of data they will disclose without a warrant and which they will only disclose with a warrant. Vivo Broadband and Mobile are far ahead of the other companies. According to its policies, Vivo discloses subscriber data only upon request from representatives of the Public Prosecutor’s Office, police authorities (police commissioners), and judges. Its policies say it makes connection logs and location data available only by court order. Claro and TIM have mixed results. Claro tells users that it discloses subscriber data to competent authorities but fails to identify them. Likewise, TIM does not pinpoint the competent authorities that it believes can request subscriber data without a court order. However, TIM promises to comply with legislation in making “data and communications” available to “competent authorities.” InternetLab recommends that TIM expressly identify these authorities. Oi tells users that it shares data with competent authorities and names them. However, the report shows that the company fails to clarify which of the cited competent authorities do not require a court order and which need one. Algar and Nextel scored zero stars for their law enforcement guidelines. There is still much more that all companies can do in this category.

Identifying which crimes justify disclosure of subscriber data without a warrant

As we explained in our legal FAQs for Brazil, authorizes prosecutors and police officers (usually the Chief of the Civil Police) to access subscriber data without a warrant to investigate money laundering and criminal organizations. The Criminal Procedure Code allows equal access for human trafficking, kidnapping, organ trafficking, and sexual exploitation crimes. Unfortunately, police authorities have claimed the power to access subscriber data without a warrant during the investigation of other crimes. As we’ve explained, they improperly assert a general authorization that regulates criminal investigation by the Civil Police Chief.

We are happy that InternetLab challenges erroneous legal interpretation regarding police power by assessing companies’ responses to such requests. Here again, in the face of controversy on the interpretation of the law, InternetLab calls for corporate transparency about the law’s interpretations. InternetLab results show that NET, Oi Mobile, TIM Broadband, TIM Mobile, Nextel, Algar, and Sky failed to identify the crimes for which competent authorities may obtain subscriber records without a warrant.

Conclusion

Given this year’s results, InternetLab encourages companies to improve their channels for data access requests to facilitate full access to one's data. It recommends that companies adopt proactive user notification practices when changing their privacy policies. It also encourages them to publish law enforcement guidelines disclosing all the possibilities when disclosing subscriber data, location logs, and connection records, and for which crimes. Companies should ensure transparency regarding their legal interpretation of laws compelling them to disclose data to the government. Companies should be clear and precise when dealing with judicial orders vs. administrative requests for data demands. In the face of exceptional circumstances, such as the COVID-19 pandemic, InternetLab calls upon companies to take an active transparency approach regarding possible collaboration and data sharing agreements with the State, and to ensure that any such exceptional measure is carried out in the public interest, limited in time, and proportional. Finally, InternetLab encourages companies to publish comprehensive transparency reports and notify users when disclosing their customers' data upon law enforcement demands.

Through ¿Quién Defiende Tus Datos? reports, a project coordinated by EFF, local organizations have been comparing companies' commitments to transparency and user privacy in different Latin American countries and Spain. Today’s InternetLab report on Brazil joins similar reports earlier this year from Fundación Karisma in Colombia, ADC in Argentina, Hiperderecho in Peru, ETICAS in Spain, IPANDETEC in Panama, and TEDIC in Paraguay. New editions in Nicaragua are on their way. All of these critical reports spot which companies stand with their users and which fall short.

Author: Katitza Rodriguez

Date: 2020-11-16

