Public Hearing on WhatsApp blocks – a short review

July 10, 2017

On June 2nd and 5th of this year (2017), a Public Hearing on the judicial blockades of WhatsApp and the Internet Civil Registry took place at the Federal Supreme Court building in Brasília.

The topics of the Public Hearing are dealt with in the Direct Action of Unconstitutionality (ADI) No. 5.527 and in the Reference on Violation of a Fundamental Principle (ADPF) No. 403, whose Rapporteurs are respectively Minister Rosa Weber and Minister Edson Fachin – both of whom presided over the Public Hearing, having summoned it jointly, an unprecedented event in our country.

The purpose of the Public Hearing was to provide our law enforcers with the necessary technical knowledge to enable an adequate judgment of the issues surrounding the WhatsApp application blocking orders that have occurred repeatedly in recent years. According to Minister Edson Fachin, the meeting was a “technical and procedural work”; Minister Rosa Weber added: “I do not need to emphasize that the issues dealt with in these cases [ADI No. 5,527 and ADPF No. 403], which involve extremely complex and multidisciplinary issues, concern the founding values of the Brazilian legal system and are of undeniable relevance for the consolidation of our Democratic State of Law.”

During the two days of the event, twenty-four presentations were given by individuals and entities from the governmental and technical-scientific spheres considered to hold recognized expertise on the topic discussed. Each of the speakers presented their point of view on the issue and, from time to time, there were moments for dialogue between the exhibitors and the ministers present in order to promote direct debate between the parties involved in the Public Hearing, allowing the discussions to go beyond the merely expository character of the presentations.

In spite of the plurality of exhibitors attending the event, it was possible to identify that, in a certain way, each of them was aligned with one of two main positions – one against and one in favor of WhatsApp making available the data required by the courts.

Firstly, there was the line of argument on which, in general terms, the exhibitors who are not part of the technical-scientific community relied. This group was composed of members of the Federal Police Department; Public Prosecutor’s Office; Ministry of Science, Technology, Innovation and Communications; Brazilian Federation of Telecommunications; Association of Brazilian Magistrates; Federal Council of the Brazilian Bar Association; and the Institute of Lawyers from São Paulo.

According to the aforementioned exhibitors, the requirement that WhatsApp comply with judicial orders for the interception and disclosure of data of users of the application who are under criminal investigation is determined by Law – specifically, in arts. 10 and 11 of the Brazilian Internet Bill of Rights (MCI). Thus, the non-observance of court orders by WhatsApp, according to several of the speakers who followed this line of argument, would justify, in extreme cases, the blocking of the application throughout the national territory in accordance with art. 12 of the MCI.

Regarding the use of end-to-end encryption by WhatsApp – which guarantees the privacy of the service’s users – these exhibitors argued that fundamental rights are not absolute and, therefore, should be limited so as to ensure the effectiveness of other conflicting fundamental rights. This would be the case, for example, with respect to the protection of the rights of freedom of speech, to life and to dignity, which would justify weakening the privacy and communication rights of WhatsApp users, making it acceptable to break such encryption to aid criminal investigation.

Finally, several possible methods were suggested to enable WhatsApp's collaboration. One suggestion, for example, was the implementation of a backdoor – a purposeful flaw in the source code of the application – through which the authorities with access to this tool could circumvent the encryption used and gain access to the messages exchanged by the users under investigation. Another possible method, according to this group of exhibitors, would be “man in the middle” practices, which would involve the interception of messages passing through WhatsApp servers – even if it were necessary to change the application in some way to make this possible.

Regarding the other group of exhibitors, which was composed mainly of members of the technical-scientific community, a clear identity of arguments was noticeable, which demonstrates a consensus in favor of the defense of cryptography and of the right to privacy of Internet users in this environment. This group was composed of the following exhibitors: WhatsApp Inc.; Facebook Serviços Online do Brasil Ltda.; Management Committee for the Internet in Brazil (CGI.br) and Brazilian Network Information Center (NIC.br); Professor Anderson Nascimento from the University of Washington; Professor Diego de Freitas Aranha from Unicamp; Professor Marcos Antônio Simplício Júnior from USP; Insper; Federation of Associations of Information Technology Companies (Assespro Nacional); InternetLab; Institute of Technology and Society of Rio de Janeiro (ITS – Rio); Research Laboratory in Private Law and Internet of the University of Brasília (LAPIN – UnB); Center for Technology and Society of the Law School of the Getúlio Vargas Foundation from Rio de Janeiro (CTS – FGV Rio); Center for Research and Development in Telecommunications (CPqD); Beta Institute for Democracy on the Internet (IBIDEM); Center of Law, Uncertainty and Technology of the Faculty of Law from University of São Paulo (USP); Center of Competence in Free Software of the Institute of Mathematics and Statistics from University of São Paulo (CCSL – USP); and the Brazilian Institute of Consumer Defense (IDEC).

This second group of exhibitors sought in their presentations to point out the various problems that could emerge if WhatsApp interception measures suggested by the other exhibitors were adopted.

Firstly, it was established that – contrary to what has been claimed by some of the exhibitors favoring WhatsApp interception – the application's use of encryption through the Signal protocol (one of the most secure currently available) has already been verified by the technical-scientific community; therefore, there is no question on this point.

The creation of a backdoor in the application’s encryption to allow the authorities access to the messages of those under investigation was considered a measure that would generate excessively dangerous repercussions. The backdoor could be used unrestrictedly by the authorities, favoring the creation of a state of constant digital surveillance. In addition, it is certain that access to this flaw in the application code would not remain restricted to the authorities, since hackers, corporations and other governments would do anything to gain access to this tool, potentially to use it in bad faith – they mentioned the recent use of a backdoor in Windows that was kept secret by the United States National Security Agency (NSA), but was discovered by hackers and used for a worldwide attack (the widely known “WannaCry”).

Regarding the suggested man in the middle techniques for intercepting messages, it was argued that they can be detected without much difficulty by anyone with a minimum of technical knowledge and care – which means that anyone using the application for illegal purposes could, without much difficulty, check whether or not they were being monitored, and change the application if so.

In addition, requiring WhatsApp to create tools to “turn off” the cryptography of messages for specific users, although possible, was considered a non-viable solution, since it would involve changing the source code of the application, which would be extremely costly and would involve technical knowledge held by few people in the world, given the complexity of the process of creating a new cryptographic protocol.

It was also argued that completely disabling the encryption service would simply be an ineffective measure. Anyone wishing to use the application for illegal purposes could employ third-party encryption services and use them together with WhatsApp, while ordinary and “good” users would be unprotected. In addition, decreasing the security of the application would cause users to simply migrate to another similar service that provides encryption.

Finally, exhibitors against the breakdown of WhatsApp cryptography presented practical alternatives such as requesting metadata from the application – since this information is easily retrievable by the server, and the application’s own Terms of Use mention its collection and possible availability to authorities for assistance in criminal investigations.

As can be seen, the present discussion is very complex in nature, involving several variables, pros and cons to be considered. The subject of privacy on the Internet is sensitive, and it cannot be denied that techniques aimed at promoting this right – such as cryptography – are a reality that is increasingly present in our daily lives.

With this in mind, it is important that both lawmakers and Law enforcers make an effective effort so that our Law is able to keep up with these technological advances, and does not limit innovation in our country. For the case at hand, there are possible solutions that do not conflict with users’ right to privacy and communication – such as the use and analysis of metadata cited above – which is why there is no need to adopt measures as drastic and harmful as those suggested by some of the exhibitors.

Written by

Victor Vieira holds a Bachelor’s Degree in Law from the Federal University of Minas Gerais (UFMG) and is a postgraduate student in Personal Data Protection at the Pontifical Catholic University of Minas Gerais (PUC Minas). He is a researcher and data protection officer at the Institute for Research on Internet and Society (IRIS), and a lawyer. Member and certified by the International Association of Privacy Professionals (IAPP) as Certified Information Privacy Professional – Europe (CIPP/E).
