Leading discussions about the global rules to regulate digital privacy and surveillance is a somewhat unusual role for a developing country to play. But Brazil had been doing just that for over a decade.
Edward Snowden’s bombshell in 2014 detailing the US National Security Agency’s digital surveillance activities changed all that. It included revelations that the agency had been spying on Brazil’s state-controlled oil company Petrobras, and even on then-president Dilma Rousseff´s communications. The leaks prompted the Brazilian government to adopt a kind of digital “Bill of Rights” for its citizens, and lawmakers would go on to pass a data protection measure closely modeled on Europe’s GDPR.
But the country has now shifted toward a more authoritarian path. Last October, President Jair Bolsonaro signed a decree compelling all federal bodies to share the vast troves of data they hold on Brazilian citizens and consolidate it in a centralized database, the Cadastro Base do Cidadão (Citizen’s Basic Register).
The government says it wants to use the data to improve public services and cut down on crime, but critics warn Bolsonaro’s far-right leadership could use the data to spy on political dissidents.
For the September/October issue of MIT Technology Review, journalist Richard Kemeny explains how the government’s move to centralize civilian data could lead to a human rights catastrophe in South America’s biggest economy. This week on Deep Tech, he joins our editor-in-chief, Gideon Lichfield, to discuss why the country’s slide into techno-authoritarianism is being accelerated by the coronavirus pandemic.
Check out more episodes of Deep Tech here.
Show notes and links:
Full episode transcript:
Anchor for CBN News: A new report says the National Security Agency spied on the presidents of Brazil and Mexico. The journalist who broke the NSA domestic spying story has told a Brazilian news program that emails from both leaders were being intercepted. He based his report on information from NSA leaker Edward Snowden.
Gideon Lichfield: The Edward Snowden leaks in 2014 revealed that the US National Security agency had been spying on people’s communications all around the world. And that one of the countries where it collected the most data was Brazil.
That very same year, partly in response to Snowden’s leaks, the Brazilian government adopted the Marco Civil—a kind of internet “bill of rights” for its citizens. And in 2018, Brazil’s congress would pass a data protection law closely modeled on Europe’s ground-breaking GDPR.
Just two years later, though, things look very different. Brazil has been on a techno-authoritarian streak.
Last October, President Jair Bolsonaro signed a law compelling federal bodies to share most of the data they hold on Brazilian citizens and consolidate it in a vast, centralized database.
This includes data on everything from employment to health records to biometric information like your face and voiceprint.
The government says all this should help improve public services and fight crime, but under a far-right president who has clamped down on civil liberties, it looks more like a way to make it easier to spy on dissidents.
Today, I’m talking to Richard Kemeny, a journalist based in Sao Paulo. His story in our latest issue—the techno-nationalism issue—explains how the coronavirus pandemic appears to be accelerating Brazil’s slide toward a surveillance state.
I’m Gideon Lichfield, editor-in-chief of MIT Technology Review, and this is Deep Tech.
So Richard, Brazil has this history of being pretty advanced on internet governance and on digital civil rights. Tell us a bit about that. How did that begin?
Richard Kemeny: Sure, I mean, you know, way back in the nineties, when all things internet were just kind of kicking off, Brazil was actually quite a progressive, leading voice in the conversation. When internet was working its way into society, Brazil set up a body known as the Internet Steering Committee, whose job was to smooth the transition of the internet in society and kind of improve its development.
Gideon Lichfield: Okay. So then fast forward to 2014, Edward Snowden leaked the intelligence files about the NSA spying on people around the world, and that made a big impact in Brazil, right? Why was that?
Richard Kemeny: It did. One of the main sticking points was it was found that the NSA had hacked Petrobras, the state-owned oil company. And this was seen as an affront to Brazil particularly because they’re an ally of the United States. And so this led to that government that was then led by Dilma Rousseff setting up the Marco Civil which is essentially a bill of rights for the internet. And it was actually taken as a model for other countries, such as Italy, who wanted to set up something similar.
Gideon Lichfield: And then a few years later, Brazil passed a data privacy law that was also quite forward looking.
Richard Kemeny: Correct. It was closely modeled on Europe’s GDPR. The Lei Geral de Proteção de Dados. LGPD. So the LGPD also establishes the rights to privacy for citizens data and also protects them in a way that they know the way in which their data is being used and that it’s used in a proportionate way.
Richard Kemeny: And so Brazilian society was kind of founded on this culture of openness and transparency regarding these kinds of issues. Something that involved public debate and public contribution. And that’s something that’s changed in recent years.
Gideon Lichfield: And when did this change begin?
Richard Kemeny: So it started after the impeachment of Dilma Rousseff who left in 2016. And brought an introduction of president Michel Temer. He brought in the LGPD but vetoed some of it. So watered it down in certain ways specifically regarding the punishment of bodies that contravene the law. And this tendency was continued then under the government of Jair Bolsonaro who’s voted into office in 2018.
Gideon Lichfield: Now Bolsonaro is very far right. And he’s been taking a lot of things in Brazil in a more authoritarian direction. What’s he done as regards data rights and digital rights?
Richard Kemeny: Certainly the biggest move came in October, 2019, when more or less out of the blue president Bolsonaro signed a decree essentially compelling all public bodies to start sharing citizen information between each other more or less freely. This took many observers by surprise. It was something that wasn’t debated publicly. Many people didn’t really see it coming.
Gideon Lichfield: So why does the government say that it needs all of this centralized data?
Richard Kemeny: So the rationale behind the decree—according to the public line —was to improve the quality and consistency of the data that the government holds on citizens. One of the effects of the pandemic was to shine a light on millions of citizens who were in fact previously invisible to the government. Not registered on any public system. by the end of April, around 46 million had registered to apply for emergency financial aid.
Gideon Lichfield: What sorts of agencies are sharing data and what kinds of data are they sharing?
Richard Kemeny: So this includes all public bodies that hold information on citizens. And the data is very broad. It ranges everything from facial information, biometric characteristics, voice data, even down to the way that people walk and all of this information is, being poured into a vast database—which was also set up under the decree. The Cadastro Base do Cidadão or Citizens Basic Register.
Gideon Lichfield: Okay. So all of these federal bodies can now share data. Have there been any examples that we know of, of agencies swapping data in this way?
Richard Kemeny: One of the things that came out in June was articles leaked to The Intercept, which showed that ABIN, the security agency, requested the data of 76 million Brazilian citizens. All of those who hold driving licenses. So this was seen as perhaps the first known use of this degree to enact a large data grab.
Gideon Lichfield: In other words, the Brazilian national security agency basically just hoovered up the data of 76 million people without having to justify why it wanted it?
Richard Kemeny: Exactly. It seemed like there was no need for the justification because of the decree. And this kind of a vast amount of information was widely seen as disproportionate.
Gideon Lichfield: Brazil has also been using surveillance technology a lot more, right? Can you talk a bit about that?
Richard Kemeny: Yeah, that’s correct. Like many countries around the world, Brazil has steadily been increasing both the amount of, and use of, surveillance equipment. There was a marked increase when Brazil hosted the football World Cup in 2014 and followed by the Olympics in 2016. This is when surveillance technology was really brought in. And obviously since then the technology has stuck around.
Gideon Lichfield: And when we say surveillance technology, what kind of technology are we talking about?
Richard Kemeny: mostly facial recognition technology. Facial recognition, cameras that were set up throughout cities to monitor crime. And indeed police forces have been increasingly using this technology to spot signs of crime. Obviously this is useful in the countries, such as Brazil, where murder rates are about five times the global average and crime has been seen as a major problem in the society.
Gideon Lichfield: In our other podcast, in Machines We Trust, we’ve been looking at some of the problems of using face recognition for policing. What are the issues for it in Brazil?
Richard Kemeny: So one of the problems is that facial recognition technology is largely being developed by researchers in the West and largely created through the use of information from white faces. So in a country like Brazil, where the majority of the population are black or Brown, this can pose serious problems when it comes to misidentification of criminals.
Richard Kemeny: Especially in certain areas where crime is high and levels of poverty are also high. You can imagine a situation where a poor black man is misidentified through facial recognition technology. He can’t afford a lawyer for himself. That’s certainly a situation that no one wants to be put in.
Gideon Lichfield: And this centralized data register, the Cadastro, obviously it’s raising concerns because it allows government agencies to get as much data as they want on whoever they want. What sorts of other worries are there about it?
Richard Kemeny: I mean, one of the main concerns with having this much consolidated and centralized information is that it basically becomes a huge honeypot for criminals.
So Brazil has an unfortunate history of sensitive data finding its way onto the internet. In 2016, São Paulo accidentally exposed the medical information of 365,000 patients from the public health system.
Then in 2018, the tax ID numbers of 120 million people were left out on the internet. And this was basically due to someone accidentally renaming the file the wrong way. So this kind of thing, if you imagine, having the centralized database with the most amount of data possible about citizens, all in one place, either being hacked by criminals or just following some kind of accidental leak, presents a massive security risk. And one that many feel is not warranted for the potential benefits it could bring.
Gideon Lichfield: So we have this big centralized citizens’ data register and we have the increasing use of surveillance and face recognition. Put these two together, what risks does that create?
Richard Kemeny: So taken together, this vast database coupled with the increase in surveillance technology that’s being used more freely and more widely throughout the country is something that I actually spoke about with Rafael Zanatta, who is the director of NGO Data Privacy Brazil. He says he worries about the data of citizens who benefit from public services like welfare being used to build political profiles that can be targeted by the government.
Rafael Zanatta: So it is quite possible to do very powerful and precise inferences about political association based on the richness of the data and the beneficiaries of public policies. So we believe that the kind of risk that we do have now with the Cadastro Base do Cidadão it is close to the one we had in the seventies during the military dictatorship in the sense that it is possible for some parts of the intelligence community of the army to understand political patterns, patterns of association, and to do inferences based on this unified databases.
And this is very disturbing about Brazil because in most of the democratic nations, the intelligence community is worried about threats coming from the outside. So, the intelligence community worries about who are the terrorist groups or the foreigners, or external threats that might challenge the institutions in the democratic framework of a country. But in Brazil, what we’ve been seeing in the past years is that the intelligence community is looking like domestically. They believe that the threats are inside. They believe that they should actively monitor Instagram accounts, Twitter accounts and social networks to understand who are the people making protests and opposition within the country.
Richard Kemeny: Rafael says the effects of Brazil’s continued slide into techno-authoritarianism could be catastrophic for human rights in the near future.
Rafael Zanatta: Imagine that you could go out for a walk in your hometown in a small city in Brazil, and you go through a public square cause you want to buy some popcorn or some ice cream. And then a facial recognition camera in that square captures your face, sends it to a local database of local security. And that local database of your municipality, your city hall, is linked to the ministry of justice to the federal government.
And they cross that database and they identify that actually you’ve been persecuted for a political crime. An attempt to disrupt the federal government or something like that, because you were actively involved in some Instagram and Twitter conversations tha are considered dangerous. And there was in fact a criminal investigation upon you that you were not aware of.
And then this federal database that is linked to the municipal one goes at the same time to the Cadastro Base do Cidadão which has a link to the database operated by ABIN and a secondary intelligence community of the army that immediately recognizes that you are a threat and immediately sets up an alarm system that directs police officers to go there and take the picture of you once again and arrest you and take you to custody. This is not the life I want my children to have.
That’s why it is so important to have public commitments of the government with the data protection law. Because it is a legislation that really reinforces the idea of purpose limitation and that one specific unity of the government has a specific mandate to process the data only for one specific reason.
Gideon Lichfield: So there is this vast centralized database now, but Brazil also still has this data protection law that it passed in 2018. Those two things seem contradictory. How do they work together?
Richard Kemeny: So in theory, the data protection law should insure the correct and proportionate use of citizen data. This means that data will be taken by a body, used in a specific way, for a specific purpose, and then deleted or destroyed or given back afterwards. And it should also ensure that citizens know exactly how their data is being used. And in theory that they should be able to agree to its use for this reason. Of course the extent to which this law can actually regulate the use of sets and information depends on the way that the law is implemented and the way that it’s monitored.
So some of the people I spoke to while reporting this piece explained that there are some inconsistencies between the decree that brought in this database and the data sharing and the new data law, the LGPD. For example biometric data is something that’s seen as highly sensitive under the LGPD, but in the decree could still be shared between bodies.
And in practice, it’s not exactly clear which law is going to trump which and how this information will be monitored. So the government had tried to delay the implementation of LGPD until May next year, citing reasons such as businesses not being able to prepare for the law during the pandemic. Since the article has been published, the Senate has actually voted against the government and the law will now come into effect this year.
So there’s one body that monitors how the database is used. There’s another one, the monitors, how the data protection law is implemented. And then there’s a separate advisory body on top of that. Essentially data police to monitor the data police. So in theory, these multiple layers should provide a high level of independence and a high level of adherence to these laws. However the strength of these independent bodies completely depends on who is put into these positions and ultimately the decisions for those lie within the office of the president.
Gideon Lichfield: How has the pandemic accelerated this instinct of the government to amass more data and crackdown surveillance?
Richard Kemeny: So we have seen this trend for data grabbing increased during the pandemic. In April, the president signed a decree, imploring telecoms companies to handover data on 226 million Brazilian citizens to the state statistical organization under the pretext of monitoring income and employment during the pandemic.
This was seen as a hugely disproportionate grab for data largely because, in the past, the amount of information needed to carry out this task was far smaller. And added to that, the fact that the federal government or the president have denied the severity of the virus. This means that this seems far more just about grabbing as much information as possible. And in the end it was seen as unconstitutional and disproportionate and the Supreme court struck it down.
Gideon Lichfield: So it seems like Brazil is kind of at an inflection point. It’s got this increasingly authoritarian tendency, which is consolidating data and increasing surveillance, but it still has a strong civil society and a court system that’s pushing back. How do you think this might play out?
Richard Kemeny: Absolutely. So on the spectrum in the way that countries manage citizen data, privacy and surveillance; If you have China on the one end, a surveillance state, which in effect controls the behavior of the citizens. And on the other end: Somewhere progressive like Estonia where citizen information is decentralized and no one institution holds all of the data in its institutional basket. I see Brazil carving its own path down the middle, because you do have these pressures from this federal government of data grabbing, of consolidation of data and of increasing surveillance. But on the other hand, you do have these strong contracting balances. Congress and the Senate. The court system. And a wealth of NGOs that are pushing back on these tendencies to the government almost at every turn.
Gideon Lichfield: That’s it for this episode of Deep Tech. This is a podcast just for subscribers of MIT Technology Review, to bring alive the issues our journalists are thinking and writing about. You’ll find Richard Kemeny’s article “One register to rule them all” in the September issue of the magazine.
Deep Tech is written and produced by Anthony Green and edited by Jennifer Strong and Michael Reilly. I’m Gideon Lichfield. Thanks for listening.