
Public hearing on encryption and WhatsApp blockages: the arguments before the STF

By Jacqueline de Souza Abreu

Translation by Ana Luiza Araújo

 

On June 2nd and 5th 2017, the Supreme Federal Court (STF) held a public hearing to discuss the constitutional complaints ADPF 403 and ADI 5527. The first one, whose rapporteur is Justice Edson Fachin, discusses whether judicial orders blocking WhatsApp are compatible with the freedom of communication. The second, whose rapporteur is Justice Rosa Weber, discusses the constitutionality of items III and IV of art. 12 of the Brazilian Internet Civil Rights Framework (Marco Civil da Internet – MCI), which authorize the imposition of the sanctions of “temporary suspension” and “prohibition of exercising activities” on internet connection and application providers that violate data protection rules. More on the subject of these complaints and the interpretative disputes underlying them can be found here, here, and here.

This post is a record of the opinions and discussions held at the hearing. Statements attributed to speakers are linked to the segments of the video recordings (in Portuguese) that support them. All videos are available on YouTube (here, here, here, and here).


 

Encryption

According to the dispatch order, the hearing was called because the cases raise questions that “extrapolate the strict legal limits and demand transdisciplinary knowledge about the topic”. In particular, the STF showed interest in understanding whether WhatsApp is capable of intercepting the content of messages, a dispute that is at the root of the blocking orders against the application, which was punished for not complying with judicial orders for interception/“breach of secrecy”.

In the invitation, the STF asked the experts who were going to be heard to answer the following questions:

“1- In what consists the end-to-end encryption used by messaging applications such as WhatsApp?

2- Would it be possible to intercept conversations and messages on the WhatsApp application even if the end-to-end encryption is active?

3- Would it be possible to deactivate the end-to-end encryption of one or more specific users so that, in this manner, a legitimate judicial interception can be performed?

4- Having in mind that the usage of the WhatsApp application is not limited only to one platform (cellphones/smartphones), but it allows access and utilization also through other means such as computers (in WhatsApp’s case, using WhatsApp Web/Desktop), even if the end-to-end encryption is active, would it be possible to “mirror” the conversations on the application to other cellphone/smartphone or computer, allowing a judicial order of interception to be implemented against a specific user?”

The content of these questions helps to explain why the public hearing shifted to discussing encryption rather than blockages. Even though the issues raised by the cases concern the constitutionality of judicial orders blocking an internet application, and the legal grounds of these measures lie in the MCI, the court indirectly runs into issues connected to encryption: it is a basic legal principle that no one is obliged to do the impossible (ad impossibilia nemo tenetur); if WhatsApp is not capable of making these interceptions, no judge could demand this, let alone block access to the application for not doing something that was impossible for it to do. Thus, it is understandable that the court sought to hear tech experts.

Of the 24 experts consulted in the hearing, at least 9 were experts in computer science, engineering and/or information security: the university professors Anderson Nascimento (University of Washington-Tacoma), Diego Aranha (Unicamp) and Marcos Simplício (Poli-USP); representatives of the Federation of the Associations of the Information Technology Companies (Fabio Maia), of the Center for Research and Development in Telecommunications (Alexandre Braga), of the Laboratory of Research in Private Law and Internet of the University of Brasília (Marcelo Gomes), of the Center of Open Software Competence of the Institute of Mathematics and Statistics of USP (Nelson Lago), and of the Internet Steering Committee (Demi Getschko); and also Brian Acton, co-founder and vice-president of WhatsApp Inc.

In presentations that complemented each other, these experts were unanimous in their message to the court: as it is built today, it is not possible for WhatsApp to intercept the content of messages; for it to be able to perform wiretaps, the app’s encryption protocol would have to be modified.

This would be a bad idea for at least four reasons, according to the experts. Imposing this change on WhatsApp

  • would be ineffective, since in practice it would not prevent criminals from detecting the surveillance, nor from obtaining strong encryption services through other means in order to communicate;
  • would undermine the security of the whole application, since the introduction of a form of “exceptional access” would make the system more complex and, hence, more vulnerable;
  • would have scale problems, since the application would have to be “particularized” for Brazil, imposing difficulties of management and execution on a global scale;
  • would violate the freedoms of programmers (to build safe systems), of users (to communicate in a secure and private manner, which is especially sensitive when one thinks about human rights activists and professionals such as doctors, lawyers and even security agents) and of the company (to invest in, develop and offer secure messaging services).

In their statements, lawyers Dennys Antonialli, of InternetLab, Pablo Cerdeira, of the Center for Technology and Society of FGV Rio (CTS-FGV), Ronaldo Lemos, of Rio’s Institute of Technology and Society (ITS-Rio), Thiago Moraes, of the Laboratory of Research in Private Law and Internet of the University of Brasília (LAPIN-UnB), Paulo Rená, of the Beta Institute for Internet and Democracy (IBIDEM) and Rafael Zanatta, of the Brazilian Institute for Consumer Defense (IDEC), as well as Bruno Magrani, of Facebook Brasil, also endorsed the technical experts’ diagnosis and emphasized the importance of protecting encryption.

For tech experts and lawyers, there is an opportunity for Brazilian law enforcement to modernize and adapt to a world in which end-to-end encryption is a reality. They talked about exploring alternatives in the scope of investigations such as analysing metadata, obtaining data in the cloud, and hacking devices.

Dennys Antonialli, of InternetLab, Juliano Maranhão, of the Center for Law, Uncertainty and Technology of the USP Faculty of Law, and Nelson Lago, of the Center of Open Software Competence of the Institute of Mathematics and Statistics of USP, also argued that today the Brazilian legal system contains neither an obligation for the company to develop its application in a “wiretap-able” way nor rules prohibiting cryptography.

On the other hand, representatives of the Federal Police, of the Federal Prosecution Service (MPF), of the Association of Brazilian Magistrates (AMB), of the Federal Council of the Brazilian Bar Association (OAB), of the Institute of Lawyers of São Paulo (IASP), of the Brazilian Federation of Telecommunications (FEBRATEL) and of the Ministry of Science, Technology, Innovations and Communications (MCTIC), while admitting the importance of encryption, argued that WhatsApp should collaborate with law enforcement agents in the prosecution of crimes committed through or facilitated by the application.

Felipe Leal, of the Federal Police, argued, for instance, that the question to be asked should not be whether the claim that interceptions are technically impossible is true, but why this impossibility exists and whether it should exist. In the same vein, Alberto Ribeiro, of the AMB, argued that it is not possible to accept a system of communication in which the government cannot intervene. Thiago Rodovalho, of IASP, also argued that applications need to be technically compatible with compliance with judicial orders. Renato Opice Blum, of Insper, trying to reconcile law enforcement needs and the importance of encryption as a measure of protection, suggested the possibility of including a “door of access” through the adoption of different layers of encryption.

According to Ivo Carvalho Peixinho, of the Federal Police, and Fernanda Domingos, of the MPF, specialists have attested that it is possible for the company to act as a man-in-the-middle, forging encryption keys and, thus, facilitating the attack that would allow access to the content of messages of people under investigation. Volnys Bernal, of FEBRATEL, also claimed that the implementation of a conversation mirroring technique for authorities is possible, in spite of the associated risks.

In sum, for this group of speakers, if the company wanted to collaborate by altering the way the system currently works, it would become capable of making interceptions.

Jurisdiction

Putting the dispute on encryption aside, Felipe Leal, of the Federal Police, Vladimir Aras, of the MPF, and Alexandre Atheniense, of OAB’s Federal Council, described the historically conflictual relationship that Brazilian authorities have had with technology companies headquartered abroad, which refuse to comply with Brazilian judicial orders and, thus, with national jurisdiction. The speakers recalled the times in which Google, at the height of Orkut’s popularity in the country, would still refuse to cooperate with Brazilian authorities on jurisdictional grounds, which does not happen anymore.

Using article 11 of the MCI as reference, Fernanda Domingos, of the MPF, for instance, contended that foreign companies that operate in Brazil are subject to Brazilian legislation: they must follow data retention obligations and comply with user data demands. Maximiliano Martinhão, of MCTIC, and Alexandre Atheniense and Claudia Marques, of OAB’s Federal Council, also shared this understanding. Neide Oliveira, of the MPF, also argued that, because it is part of the same economic group as WhatsApp, Facebook Brasil has to respond to government demands for WhatsApp user data.

Bruno Magrani, of Facebook Brasil, explained that his company commercializes ad space, according to the corporation’s statute. The companies that are responsible for the facebook.com platform, and that have access to user data, are Facebook Inc. and Facebook Ireland. He also stated that, whenever they receive requests from Brazilian authorities, these are forwarded to the responsible companies abroad, which assess the legality of the request. Magrani also cited art. 3, sole paragraph, of the MCI, according to which the principles of the law do not exclude others “provided for in international treaties to which the Federative Republic of Brazil is a party”, to affirm that, when the company tells authorities to file international legal cooperation requests to access the content of communications on Facebook, it is also respecting due process of law under Brazilian legislation.

Regarding this topic, Dennys Antonialli, of InternetLab, stressed that US legislation prohibits US internet companies from turning over the content of users’ communications to foreign authorities; a warrant from an American judge is mandatory. Given that there is a conflict between provisions of Brazilian and American law, the solution is to respect the mutual legal assistance treaties. Antonialli also explained that American legislation poses no barrier to providing metadata to authorities from other countries.

When questioned about the legal and contractual relationship between WhatsApp and Facebook, Brian Acton, of WhatsApp, only stated that the teams responsible for responding to law enforcement requests operate separately. When responding about the way in which WhatsApp cooperates with authorities in the US, Acton affirmed that the WhatsApp team deals with requests from authorities from all over the world and assesses their legality before providing any information.

Blockages

The admissibility of WhatsApp judicial blocking orders and the constitutionality of the “temporary suspension” sanctions (art. 12, III) and “prohibition of activities” (art. 12, IV) of the MCI are the main issues of the complaints.

On this topic, representatives of the Federal Police, of the MPF, of the AMB, of OAB’s Federal Council, of IASP, and of MCTIC argued that courts may order access to WhatsApp to be blocked, even if only as a last resort, and that art. 12, III and IV of the MCI is constitutional.

Neide Oliveira, of the MPF, argued that WhatsApp, just like other over-the-top applications, does not fit the legal category of “essential service”. For this reason, it is not protected by the “principle of continuity”; it may have its activities interrupted and, therefore, be blocked. However, if the court understands that it is an application that cannot be “interrupted” such as other essential services, every legal rule applied to “essential services” should be thoroughly applicable to WhatsApp, including the strict regulation and the supervision from regulatory entities.

Vladimir Aras, of the MPF, complemented this argument by saying that the sanctions in article 12 of the MCI are not new: provisions of this kind can be found, for example, in art. 670 of the Code of Civil Procedure of 1939, which provides for the dissolution of societies that promote illicit activities, and in art. 19, II and III of the Anti-Corruption Act (Law 12.846/13), which sets forth the “suspension” and “dissolution” of companies that engage in infractions against the public administration.

Alberto Ribeiro, of AMB, described the criminal procedure that resulted in judge Marcel Montalvão’s decision to block WhatsApp. He mentioned art. 5, XII, of the Federal Constitution, art. 1 of Law 9.296/1996, art. 319, IV of the Code of Criminal Procedure, and articles 10, 11 and 12 of the MCI as legal grounds for the order. For Alexandre Atheniense, of OAB’s Federal Council, the possibility of blocking is linked to the defense of Brazil’s very own sovereignty.

Dennys Antonialli, of InternetLab, presented the results of the bloqueios.info platform, and asserted that two types of motivations for judicial blocking orders can be identified: (i) the ones that target applications considered to be incompatible with the Brazilian legal system for offering an activity that is (allegedly) illegal; (ii) the ones that target applications that did not comply with previous judicial orders. In WhatsApp’s case, the decisions are of the second type, since they were motivated by the failure to comply with judicial demands for user data. According to InternetLab’s representative, blocking orders of the second type are unconstitutional, since there is no illegality in the service and there are less severe means of compelling compliance with a decision.

Ronaldo Lemos, of ITS-Rio, argued that blocking orders issued by lower court judges are unconstitutional when they affect the infrastructure layer of the Internet. That is because the jurisdiction of a lower court state judge cannot encompass either the whole infrastructure of the web in a country, or all Brazilians. No one admits the systemic blockades of telecommunication services or roads; similarly, the internet cannot be blocked.

Taking up the point initially raised by Demi Getschko of CGI, Lemos also argued that blockades are incompatible with the “principle of non-imputability of the Internet”, according to which the fight against illicit actions on the web should target those responsible for them, not the means of access or transport of telecommunications. Moreover, Lemos argued that, when speaking of “suspension”, the MCI authorizes only the suspension of activities that violate the protection of personal data, and not the complete blocking of an application.

Rafael Zanatta, of IDEC, also emphasized that the sanctions provided for in art. 12 of the MCI were designed to be enforced, progressively, if a provider engaged in an activity that violated data protection rules. Hence, these are provisions intended to protect rights, not to be enforced when a company does not comply with an order for breach of data secrecy. Zanatta also argued that the blocking of WhatsApp is a disproportionate measure, considering the consequences it has for consumers and entrepreneurs.

With the same concern for protecting users’ rights, Paulo Rená argued against the “mutilation” of the MCI, in case arts. 10, 11 and 12 of this law were declared unconstitutional. Rená also affirmed that public security should be promoted within the precepts of a democratic rule of law, in which not all methods are valid: just as torture is not admissible, blockades should not be accepted either.

Regarding the technical aspects of executing blocking orders, Volnys Bernal, of FEBRATEL, affirmed that it is a complicated measure whose implementation involves risks. Maximiliano Martinhão, of MCTIC, citing research from the Brookings Institute, also affirmed that the blockages cause various harms to the Brazilian economy.

 

Suggested Citation: Abreu, Jacqueline de Souza. “Public hearing on encryption and WhatsApp blockages: the arguments before the STF”, in: bloqueios.info, InternetLab, June 26th 2017, translated by Ana Luiza Araujo, available at http://bloqueios.info/en/public-hearing-on-encryption-and-whatsapp-blockages-the-arguments-before-the-stf/ .