On May 29th, 30th and 31st, the I International Congress on Fundamental Rights and Criminal Procedure in the Digital Age took place at the University of São Paulo Law School (FDUSP), as a result of a partnership between USP and InternetLab. The Congress was attended by authorities who contributed and still contribute to the development of the theme, such as Tércio Sampaio Ferraz Júnior, Greg Nojeim, Riana Pfefferkorn, Diego Aranha and Marta Saad. During the event, we followed six panels, in which were discussed topics of the current agenda, such as collection of digital evidence, international cooperation for data access, search and seizure of electronic devices and access to electronic communications and encryption in the Brazilian and North American scenario.
Access to data and the legal context
At the opening of the event, lectured professor Tércio Sampaio Ferraz Jr., who back in 1992 wrote the first article of national relevance on the subject. At that time, when Internet was a far reality from everyday life, discussions on personal data emerged in a context where credit card operators and financial institutions refused to report on their customers’ transactions.
Despite the 25 years gap since the writing of that text, the concern with protection of electronic data in Brazil was only consolidated after the revelations of sites such as Wikileaks, in which people became aware that their digital information was used by States and private companies for different purposes. For any researcher on the subject, it is essential to read and consider professor Ferraz Jr.’s work.
In addition, Ferraz Jr.’s article has become even more relevant after recent decisions of Justice Gilmar Mendes and Minister Felix Fischer. The Justice of the Federal Supreme Court (STF) discussed the protection of personal data in Habeas Corpus 91.867, a case about telephone wiretapping.
In this case, Justice Gilmar Mendes argued that the Act on Telephone Lawful Interception (Lei 9.296/96) protects only the flow of communications, not the data itself. The Minister of the Superior Court of Justice (STJ), in Habeas Corpus 75,800, related to the Operation Car Wash, also follows the argument of Mendes, arguing that the Act on Telephone Lawful Interception, which regulates the final part of subsection XII of the Federal Constitution, relates only to the communications flow. It is important to emphasize that the thesis defended by the Ministers was developed by professor Ferraz Jr., in his article “Sigilo de Dados: O direito à privacidade e os limites a função fiscalizadora do Estado”.
On the same day, questions regarding the legal nature of data were also raised. The question that remained is: can an electronic data be considered a thing? In this panel Juliano Maranhão, professor of FDUSP, said that the legal analogy tries to create a parallel between data and a letter, when, in fact, the most correct would be an analogy with the telephone connection.
The professor argues that, because differently from the letter, in which the conversation is restricted to the paper itself, one does not know when the conversation by electronic means effectively ends. This is why it would be difficult to argue that stored data is something that can be seized in the same way as a chart.
Access to data in the criminal procedure and international cooperation
Furthermore, the Brazilian Congress devoted itself to approach from a topic of fundamental importance to the current criminal context: personal data as evidence. In Operation Car Wash for example, the vast majority of information obtained from investigations comes from digital spreadsheets and data contained in mobile devices. However, due to the inefficiency of the legislator in adapting the law to the forensic reality, the developing of studies and academic discussions on the subject is fundamental, so that the individuals will not have their fundamental rights disregarded.
Firstly, it is necessary to understand that digital data are not physical elements and so on should be accessed through electronic devices such as mobile phones, tablets and computers. Therefore, in order to access this data, a search and seizure of the devices in which they are contained must be carried out, so that the investigative authority can carry out its work.
This search and seizure operation is not simple, as it is required from the investigative authority to know which data is necessary to the investigation, because it is not lawful the device to be fully analysed, what would cause the fading of the individual’s privacy right. Because of this, the judicial decision that allows the police action shall be properly motivated.
In the current context, criminality became global. A crime committed in Brazil will probably have numerous evidences in other countries. Foreign Law may hamper, or even, preclude the authorities’ access to that data. This is why the judicial authority shall find ways of dodging the existing bureaucracy in order to access the essential elements for a crime investigation.
According to the Code of Criminal Procedure (Decreto-Lei 3.689/41), in force since 1941, the way of seeking assistance of a foreign authority during a criminal case is the Letters Rogatory. However, that bureaucratic proceeding of having a Letters Rogatory replied and its low efficiency generate problems to the progress of the criminal investigation. Although the legislative slowness in this field, the Judiciary has implemented new measures to dodge jurisdiction issues and the unhurriedness of Letters Rogatory.
One of the main measures, as mentioned by Brazil Attorney (Advogada da União) Caroline Yumi, is the Mutual Legal Assistance Treaty (MLAT). Yumi argued that because Brazil is a country with recent international cooperation expertise, we tend to commit errors when soliciting to other States, thru MLAT, data that can be essential to brazilian criminal cases. According to Yumi, one of the main brazilian MLAT partner is the United States. However, the biggest error when asking american cooperation is the lack of probable cause. Brazilian judicial authorities do not know how to operate the american criminal procedure. In the U.S. a tough justification that links clues and evidences is required to access the data required by the brazilian authority. Despite that, the U.S., owing to the first amendment, consider the data stored in mobile devices and application providers are protected under the freedom of speech, what makes access to electronic data even harder. Lastly, the U.S. say it is impossible to carry out that determination, when emitted from a foreign authority, because the access to personal data in american soil just can be ordered by an american judge and in particular cases.
According to InternetLab’s researcher Jacqueline Abreu, MLAT shows itself to be slow, which frustrates the Brazilian authorities to carry on its investigations. The reason for that is because this instrument of international cooperation was designed for physical objects, whilst data, once virtual, presents more volatility. In other words, it is more like to suffer a very effective mass destruction.
The American debate on Surveillance and Encryption
In this part of the event, we had the opportunity to listen professor Greg Nojeim, director of Center for Democracy and Technology and Riana Pfefferkorn, fellow of The Center for Internet and Society – Stanford Law School.
Greg Nojeim started his lecture from a very specific point: “We’ve moved our data from our homes to computers, and now, to clouds”. This brief sentence shows the importance of data protection in the current times.
The American Electronic Communications Privacy Act (ECPA), from 1986, has not suffered major updates up to now. According to that Act, data has different levels of protection. The higher on is attributed to the so-called “non abandoned data”. When we talk about metadata, that is, data about other data, the protection level granted is lower, and the access to those data can be obtained with ease. The lowest level of protection is the one attributed to user’s information, that can be accessed without a judicial order.
According to the CDT’s director, MLAT must be refitted, because although American Law is not discriminatory, once it protects american citizens’ data as it does with non-resident foreigners’ data, the process of applying American Law to external cases represents a high cost to the Department of Justice.
Finally, it is interesting to highlight from the lecturer’s speech that, according to that U.S. Act, american companies can release data without judicial order to foreign demands, but not to american authorities.
Riana Pfefferkon’s speech starts at a key point to the protection of fundamental rights: “States do not have natural right to access our personal data”. Nevertheless, most of internet users do not worry that their data can be used by the Government to suppress individual rights, as freedom of speech and privacy.
Pfefferkorn argues that the Constitution shall limit the data Governments can access, meanwhile Law must define how that access will happen. According to her, Law must be an individual’s protection mean, once it is simple to the State to access personal data, but protecting yourself from that action is a complex task.
The american researcher also spoke about the recent question about iOS 8 unblocking, by the FBI. According to Riana, the FBI uses American judicial system as a way of compelling tech-companies to provide user’s data. With the introduction of standard encryption in iOS 8, Apple has argued that it could not be possible anymore to provide data to the FBI, since even the iOS developer had not access to that data.
After a judicial war, FBI announced in the beginnings of 2016, that it had managed to unlock iPhone’s OS. However, no one knows how the Agency did it, seen that there is only speculation. This situation shows that the American Government is not reliable to protect its own citizens’ personal data, once U.S. Agencies actually promote the weakening of protective instruments.
Besides that, Pfefferkorn has analysed the battle between Whatsapp and the brazilian Justice. According to her, it is hard for brazilian judges to understand how encryption works, since they used to enjoy the State-power in an almost unlimited manner. Therefore, disproportionate actions, as blocking the app used by more than 100 million brazilians and arresting Facebook’s Latin America president, are desperate power demonstrations, since judges feel themselves apart from the digital universe. However, in Riana’s words, those actions are comprehensible, since tech-companies rarely show themselves willing to cooperate with the Judicial Power.