In mid-December 2021, Brazil's Congress ratified the Budapest Convention on Cybercrime after an unusually fast process marked by little debate and almost no transparency. Experts warn that the roll-out was problematic, not least because the treaty may put citizens' data at risk and open the way to criminalizing the work of InfoSec researchers and activists.
President Jair Bolsonaro has yet to sign the bill, already passed by both houses of Congress, into law to legally bind Brazil to the international agreement. Yet InfoSec researchers, part of a thriving activist community in Brazil, are now at risk of criminal prosecution for their work identifying security breaches and data compromises. The treaty also allows authorities in Brazil to obtain citizens' data without prior judicial authorization.
The Budapest Convention on Cybercrime dates back to 2001 and was initiated by the Council of Europe. Currently ratified by 67 countries, the treaty seeks to harmonize national legislation on cybercrime, establish common investigative procedures and facilitate cooperation among signatory states.
In a process that began in December 2019, Brazil's Senate and Chamber of Deputies passed the legislation ratifying the treaty in 2021. Yet throughout this period, academics and civil society organizations working on digital rights were left in the dark, with little information on the document and no opportunity to take part in the debate.
In addition to the lack of public debate, the ratification process in Brazil was marked by misinformation promoted by the government itself. In official communications, the Brazilian government stated that invitees have a three-year window after being invited to decide on ratification. In fact, the deadline expires five years after the invitation, as recorded in the Council of Europe's invitation. Brazil's Federal Public Ministry issued statements publicly pushing for fast approval. This created a false sense of urgency to get the bill approved.
The Coalition on Digital Rights (CDR), composed of 48 civil society and academic organizations, is critical of the “excessive celerity” of the bill, which is unjustified given the high stakes. But the speed of ratification is not the only concern flagged by experts.
Invited countries may, for example, adhere to the convention only partially, entering reservations against some of its provisions. This mechanism lets states ratify the convention without compromising their national legislation on the topic. Unlike many other signatory states, Brazil adhered to the treaty in full and did not exercise its right to reservations.
This uncritical ratification is particularly problematic because of two articles which, according to experts, can be used to “wrongfully condemn legitimate and routine activities by InfoSec activists and researchers.” Other signatory countries have chosen to leave out these two articles.
Article 7 of the treaty, for instance, lets a party require that “informatic falsification” be committed with dishonest intent before a person who engages in such a practice can be held criminally liable. Such a reservation would protect InfoSec activists and researchers, who frequently probe government, banking and online retailers' websites for security breaches. Brazil chose to move ahead without it, explains Paulo Rená, an activist at Aqualtune Lab and a law scholar, which directly exposes these actors. Other countries, such as Belgium and the United States, opted for this sort of protection when they ratified the convention.
In practice, if a researcher discovers through their own research that their personal data has been compromised in one of the massive data leaks that have hit the country in recent years, and decides to contact the company or government agency about the exposed data, they can now be reported to the authorities as having committed a crime.
“This can happen with an online retailer, the Health Ministry, a foreign company, a university,” explains Rená. “This can be authoritarian rapture from people who, from a hierarchical perspective, do not understand how the tech community works, a group that traditionally shares this type of information in a more open manner.”
InfoSec activists and researchers are not viewed very positively by authorities in Brazil. An example of this type of “authoritarian rapture” described by Rená was seen last May during the Parliamentary Commission dedicated to investigating how the Bolsonaro government handled the coronavirus crisis.
In one of the public hearings, a Health Ministry official accused data journalist Rodrigo Menegat of “hacking” into TrateCov, a telemedicine app designed by the government that recommended treatments based on the symptoms entered. The app was deliberately flawed: it recommended treatments whose efficacy has been scientifically disproven for nearly every combination of symptoms. Menegat, who now works for Deutsche Welle in Brazil and is an active member of Brazil's data journalism community, had simply inspected the application's code to uncover the flaw. Although the code was public information, accessible to anyone on the internet, Menegat was framed as a hacker.
But Brazil's ratification of the Budapest Convention is not a threat only to the InfoSec community. Nearly every Brazilian citizen is now at risk of having their personal data obtained by the authorities without prior judicial authorization.
“The convention, in this article [15, paragraph 2], becomes a great vulnerability for the due process of law. These measures can be taken without judicial control. The Federal Public Ministry can obtain access to personal data without needing to ask a judge for authorization if it acts under the scope of the Budapest Convention, making judicial control not the standard. The reasoning of any of the mechanisms in the Budapest Convention is not the standard. Delimiting who the people are and the time span of these measures is not the standard. Exceptionally, if this is indicated, when appropriate, judicial control will be required,” added Rená.
This opens the way to abuses of power, including against political opponents and by institutions such as the Federal Public Ministry, which has already been accused of such practices when it wiretapped the telephone of former president Dilma Rousseff's presidential office to intercept her conversations.
Rená further explains that this is also a problem because it clashes with Brazil's Internet Bill of Rights (Marco Civil da Internet) of 2014. It is also concerning because it affects bills and areas that Congress has yet to regulate, such as the Fake News Bill and the Draft Data Protection Law for public security and criminal prosecution.
Tug of war
The negotiations now taking place after Congress's approval are even less transparent. One of the decisions still to be made is which body will serve as the treaty's “point of contact” in Brazil, an institution that will, in practice, act as the convention's watchdog.
According to Rená, the chosen body will hold a privileged position, acting as a sort of “funnel” through which all investigations must necessarily pass.
Few details are known about the ongoing selection process, but a report by The Brazilian Report in early February suggests a political struggle for control. Prosecutor General Augusto Aras reportedly asked President Jair Bolsonaro directly that his office be given charge of the Budapest Convention. Meanwhile, the Justice Ministry is also trying its luck, asking that oversight of the convention be handed to the Federal Police and to the International Cooperation and Asset Recovery Bureau (DRCI, in Portuguese), a department of the ministry.
If the Justice Ministry were chosen, however, it would face broad criticism given allegations of political interference under Bolsonaro's presidency. As part of the executive branch, it would be less insulated from political meddling.
Groups such as the Coalition on Digital Rights propose that the most appropriate authority to oversee the convention would be the National Authority on Data Protection (ANPD), as it would be the only one with a strict privacy and data protection lens. The public will learn how the saga ends only when Brazil communicates its decision on the “point of contact” to the Council of Europe, for which there is no set deadline.