
The issue of WhatsApp’s encryption: the Brazilian Supreme Court trial under the perspective of communication security

21/09/2017


The Brazilian Supreme Court has examined the constitutionality of the blocking of the WhatsApp application by court order, in cases ADPF 403 and ADI 5527,1 and has set some issues concerning the encryption adopted by the application for debate in a public hearing, namely:

“1 – What is the end-to-end encryption used by instant messaging applications such as WhatsApp?

2 – Is it possible to intercept conversations and messages transmitted through WhatsApp even if end-to-end encryption is activated?

3 – Would it be possible to deactivate the end-to-end encryption of one or more specific users to allow for legitimate legal interception?

4 – As the use of the WhatsApp application is not limited to just one platform (mobile phones/smartphones), but it can also be accessed and used through other means, such as computers (by using WhatsApp Web/Desktop), even if end-to-end encryption is activated, would it be possible to “mirror” the conversations held on the application to another mobile/smart phone or computer, so as to allow compliance with a court order to intercept one specific user?”2

The public hearing will debate whether a court order to intercept communications made via WhatsApp can be complied with for the purpose of producing evidence in criminal investigations and trials. First, whether court-ordered interception of the communications is possible while the application’s encryption is activated. Second, whether court-ordered interception would be possible by deactivating the encryption. Third, whether court-ordered interception is possible by copying the communications of a specific user, as transmitted through the application, to other mobile phones/smartphones or computers. On this point, the Reporting Justice of case ADPF 403, Edson Fachin, clearly stated that the purpose is to determine whether court-ordered interception of the content of private communications of a specific user of the application is possible.3

This WhatsApp case, under the constitutional jurisdiction of the Brazilian Supreme Court, has repercussions not only throughout Brazil but also draws the attention of the international community, because it lies at the intersection of law, new technologies, and cybersecurity.

The security of private communications is of even greater interest given the recent cyberattack that hit over one hundred (100) countries, carried out with ransomware: a malicious program that encrypts the data on a computer and releases it only after payment in cryptocurrency (bitcoin), which amounts to virtual extortion. According to the press, the technique used to spread the malware was based on a tool attributed to the NSA, the National Security Agency of the USA, which exploits a flaw in Windows and succeeded mainly against computers that had not installed the available update.4 The cyberattack led domestic security agencies to investigate the episode worldwide. Brazil was affected by the attacks.5 This shows the serious risks, globally, to the security of computer systems and of the private communications that flow through them.

This article focuses on the Internet application under the perspective of the right to security and sanctity of the content of personal communication/data stored and transmitted by Internet applications, given the public interest of the Brazilian Judiciary in a police investigation and criminal prosecution.6

It is important to examine the matter from a broader perspective, in the context of three main actors: the Brazilian Government, the markets (companies and technologies), and society (the guarantee of the fundamental rights to privacy, security, and sanctity of communication).

The Government is interested in applying the civil and criminal laws under its jurisdiction by gathering information and data in police investigations and criminal cases, upon court orders to intercept communications. A properly reasoned court order is necessary to intercept communications for the purposes of a police investigation or evidence gathering in a criminal case.7 Any improper access to the content of private communications, without the necessary court order, renders the investigation or criminal case null.8 In the realm of criminal law, we note that unauthorized intrusion into a computing device, and the interruption or disturbance of information technology and telematic services, are crimes.9 Cyberattacks that break into computers and mobile phones are therefore crimes as well.

The Government must protect the fundamental rights to privacy and the sanctity of communication. If encryption is the best available means of securing communications, then the Government must encourage business practices that favor encryption.

On the other hand, the Brazilian Government must encourage the construction of Internet network infrastructure, such as satellites, intercontinental submarine cables, fiber-optic cables, and others.10 The Government must ensure the security of communications in the three branches of the Republic. The Judiciary, for example, must safeguard the security of data communication in its electronic case files. The data communications of the armed forces must be guaranteed as well. Encryption is thus a viable security technique for communications, including within the public sector itself.

In sum, the Government, in the exercise of its national sovereignty, must take action to defend the infrastructure of its communication networks, as well as intelligence action, given the serious risk of cyberattacks and cyberwarfare. It has the institutional responsibility to adopt measures that prevent the risk of cyberattacks and to repress Internet crimes.

The companies that provide Internet applications are interested in offering safe products and technologies to their consumers, and they bear a business responsibility toward those consumers to do so. We highlight the relationship between these application providers and the fundamental rights to privacy and sanctity of communications set out in the Brazilian Constitution. These technology companies demand parameters for sectoral regulation, with clear and precise rules.

In this sense, an obligation to mirror the content of communications (that is, to create a “back-door”11) cannot be imposed by court order alone; a prior law authorizing this type of measure is required before the authorities in charge of criminal investigations and cases may be given access to the content of private communications. Even if such a legislative measure were passed, its constitutionality could, of course, be questioned.12

Technology companies are interested in investing in communication network infrastructure. Governments and legislators must encourage stronger encryption protocols. Encryption also bears on the international competitiveness of products and services in the digital economy: countries that offer better security conditions on the Internet, and for hardware and software, are more competitive. The higher the level of security offered by technology companies, the greater the confidence of users and consumers in them; the lower the security level, the greater the distrust. Society, through its consumers and citizens, is clearly interested in protecting its privacy and in Internet security,13 for the protection of the private life of individuals and legal entities. It is important to highlight the government’s duty to protect both personal and business communications.

In the United States, there is a strong dispute over the setting of encryption standards. On one side, the law enforcement (FBI) and signals intelligence (NSA) agencies seek government approval of measures that would preserve their ability to decrypt data.14

In fact, there is much controversy over the surveillance and electronic monitoring techniques adopted by the National Security Agency and their effect on people’s privacy.15 This has led to a movement by technology companies and civil-society organizations in favor of better encryption practices for private communications.16

In Brazil, we highlight the legal regime of Internet applications under Brazilian law.17 The Internet Regulatory Framework (Marco Civil da Internet) enshrines the principle of security and functionality of the network, through technical measures compatible with international standards and the encouragement of good practices.18

Decree 8771/16, which regulates the Internet Regulatory Framework, provides that Internet connection and application providers must follow certain guidelines for the safekeeping, storage, and processing of personal data and private communications, among them: “(…) IV – the use of record management solutions that ensure the confidentiality of the data through techniques such as encryption or equivalent protective measures.” As can be seen, the decree expressly treats encryption, or equivalent measures, as a mechanism for protecting the security of data in private communications.

Moreover, Decree 8771/16 provides: “Article 16. Information on the security standards adopted by application providers and connection providers must be disclosed in a clear and accessible manner to any interested party, preferably through their websites, respecting the right to confidentiality of business secrets.” We highlight here the protection of the business secrets of Internet connection and application providers.

The court-ordered interception of communications made via WhatsApp requires examining the conflict between the rights to privacy, the sanctity of private communications, and the protection and security of personal data, on the one hand, and the need of law enforcement authorities to access communication content and data in the course of a police investigation or criminal case, on the other. Note that the application’s user data subject to court requisition may be: i) data stored on mobile phones/smartphones or computers; ii) data in transit in private communications; iii) metadata, such as the time a message was written, the telephone number or ID of the sender, and the physical location of the sender and receiver at a given moment.

The solution may lie in the distinction between the main data (the content of private communications) and metadata (secondary information). The main data form the core of the right to privacy and of the sanctity of communications, hence the strict requirements for breaching the secrecy of communications in this case. The purpose of legal interception is precisely to give the proper authorities access to the content of private communications in a criminal investigation or procedure. On the other hand, one may argue that the metadata listed above are not part of the core of the right to secrecy of communications, which would allow a more flexible legal regime for access to metadata by public authorities. Under the Brazilian Internet Regulatory Framework, it is already possible to ask the courts for access to the records of Internet connections and of access to Internet applications.
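To make the content/metadata distinction and the Court’s questions 2 to 4 concrete, here is an added example in Python. It is not part of the original article and is not WhatsApp’s or the Signal protocol’s code: it is a toy model of an end-to-end encrypted messenger in which each message is encrypted separately for every device of the recipient and relayed by a server that holds no keys. The session keys, device names, timestamps and messages are constructed for the demonstration, and the HMAC-based stream cipher stands in for the real authenticated encryption. It shows what a provider can hand over under a requisition for records (metadata only), why intercepting ciphertext at the server does not reveal content, and that “mirroring” a conversation to a further device amounts to giving that device its own session key and having the sender encrypt an extra copy for it, which is exactly what a back-door would have to do.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC-SHA256(key, nonce || counter) blocks.
    Toy construction standing in for a real AEAD; not what WhatsApp uses."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> tuple[bytes, bytes, bytes]:
    """Encrypt-then-MAC under a fresh random nonce; returns (nonce, ciphertext, tag)."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Verify the tag first: a wrong key or a modified ciphertext is rejected."""
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


@dataclass(frozen=True)
class Envelope:
    """What the relay server sees: metadata in the clear, content as opaque bytes."""
    sender: str
    recipient_device: str
    timestamp: int
    nonce: bytes
    ciphertext: bytes
    tag: bytes


class RelayServer:
    """Stores and forwards envelopes; it never holds a session key."""

    def __init__(self) -> None:
        self.stored: list[Envelope] = []

    def relay(self, env: Envelope) -> None:
        self.stored.append(env)

    def records(self) -> list[dict]:
        """The metadata a provider can hand over under a court requisition for records."""
        return [{"sender": e.sender, "recipient_device": e.recipient_device,
                 "timestamp": e.timestamp, "bytes": len(e.ciphertext)} for e in self.stored]


def send(server: RelayServer, sender: str, text: str, device_keys: dict[str, bytes], ts: int) -> None:
    """Encrypt one copy per recipient device (a phone and a linked WhatsApp Web
    session each hold their own session key, so each gets its own ciphertext)."""
    for device_id, key in device_keys.items():
        nonce, ciphertext, tag = encrypt(key, text.encode())
        server.relay(Envelope(sender, device_id, ts, nonce, ciphertext, tag))


def read_as(server: RelayServer, device_id: str, key: bytes) -> list[str]:
    """Decrypt every envelope addressed to this device with the device's own key."""
    return [decrypt(key, e.nonce, e.ciphertext, e.tag).decode()
            for e in server.stored if e.recipient_device == device_id]


def demo() -> dict:
    server = RelayServer()
    # Constructed session keys: Alice shares one with each of Bob's two devices.
    bob_keys = {"bob-phone": secrets.token_bytes(32), "bob-web": secrets.token_bytes(32)}
    send(server, "alice", "meet at 10", bob_keys, 1505000000)

    # A requisition served on the provider yields metadata, never the text.
    metadata = server.records()
    try:  # An interceptor without a session key cannot open the ciphertext.
        env = server.stored[0]
        decrypt(secrets.token_bytes(32), env.nonce, env.ciphertext, env.tag)
        opened_without_key = True
    except ValueError:
        opened_without_key = False

    # "Mirroring" to a further device means that device holds its own key and the
    # sender encrypts an extra copy for it: it must be made a recipient up front,
    # and only messages sent after that point reach it.
    mirror_key = secrets.token_bytes(32)
    send(server, "alice", "see you there", {**bob_keys, "mirror-device": mirror_key}, 1505000060)
    return {
        "metadata": metadata,
        "opened_without_key": opened_without_key,
        "bob_phone": read_as(server, "bob-phone", bob_keys["bob-phone"]),
        "mirror": read_as(server, "mirror-device", mirror_key),
    }
```

Running `demo()` shows the three regimes side by side: the provider’s records expose sender, recipient device, time and size of every message; the stored ciphertext is useless to anyone who lacks the per-device session key; and the mirror device reads only the message sent after it was added as a recipient, never the earlier one.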

In the specific case under examination (ADPF 403), the company WhatsApp claims that there are other legal alternatives for the collection of data and information for the purposes of police investigation or criminal procedure, thus claiming that the sanction that blocked the application was disproportionate.

From an economic standpoint, the encryption offered to users is part of the business model of the Internet application provider; the product (the software) is itself protected by the encryption.19 WhatsApp is an Internet-based technological platform and, therefore, has the responsibility of offering a safe environment for the exchange of private communications. In other words, without encryption the risks of loss to consumers, businesses, and even national security increase enormously.

For example, cybercrime by hackers may threaten digital commerce, and there are serious risks of industrial espionage. This clearly shows the need for technical measures to protect business data.20 The main reason the application has adopted encryption is thus an economic one: without security in data communication, its users would plainly be vulnerable.

The use of encryption by WhatsApp is in the realm of free enterprise, as the Internet application provider has the business freedom and contractual freedom to establish the technology that offers the best security to its users.

In other words, offering encryption is inherent to the business model of technology companies. The business practice is to offer the most secure data trafficking to users. The regulatory State cannot forbid this business decision. Much to the contrary, it should encourage technological innovation and business practices for the security and protection of personal and business data. Therefore, any laws restricting encryption must have their constitutionality questioned.

Note that the Internet Regulatory Framework does not forbid the use of encryption in communications via Internet applications. In fact, it protects the freedom of business models on the Internet, and it ensures users’ right to the privacy of their data and to the confidentiality of their private communications, whether in transit or stored.21 Articles 22 and 23 of this law deal with court orders for the production of records of Internet connections and of access to Internet applications.

Thus, the mirroring of communications made through the application requires legislative authorization. A court order for interception cannot be enforced without a law that obliges the application provider to mirror the content of private communications. The obligation for Internet application providers to mirror the content of private communications must first be created through due legislative process, so as not to violate the principles of legality and legal certainty. At present, therefore, neither the Brazilian Supreme Court nor any other court may, by order alone, require an Internet application provider to create a back-door for access to encrypted private communications under the pretext of judicial interception.

If a law is passed in Brazil forbidding encryption in Internet applications or requiring the adoption of back-doors, the constitutionality of such law will certainly be questioned. The discussion would revolve around the possible violation of the right to privacy and the sanctity of private communications, both protected under the Brazilian Constitution. The legislative restriction to the freedom of business model of Internet application companies would have negative effects beyond Brazil’s borders, reaching the free exchange of communication, the digital economy, and the Internet infrastructures, among other aspects.

The problem of data communication encryption by the WhatsApp application also exists in other countries. Governments and intelligence and security agencies pressure the companies to cooperate with police and criminal investigations.22 So this is a worldwide conflict: on one hand, the privacy and sanctity of communications; on the other, the interests of justice in criminal investigations.

The conclusion is that encryption, in and of itself, is not a threat to security. Much to the contrary, this technology is an assurance to the security of the sanctity of private communications.

The Brazilian Constitution guarantees the rights to privacy and sanctity of communications, with the exception of a breach of confidentiality ordered by a court in a criminal investigation or procedure.23 Under current law, the confidentiality of communications made via an Internet application may be breached upon a court order for their interception. The problem is whether the encryption adopted by WhatsApp technically prevents such interception. This is a matter for the public hearing to be held by the Supreme Court, which will also examine whether the content of private communications can be mirrored, while encryption is activated, for delivery of data and information to the proper authorities.

To have legal security in the application of the law, it is essential to know the extent and limits of the obligations of the Internet application providers related to the protection of the fundamental rights to privacy and sanctity of communication. The interpretation of the current laws does not allow one to conclude that the Internet application provider must create a back-door that allows access to the content of the communication by the law enforcement authorities in charge of criminal investigations or procedures. There must first be a law authorizing this type of obligational burden to Internet application providers. Thus, the mere court order imposing this type of obligation, without a law to support it, violates the principle of legality.

Moreover, it is important to distinguish between the main data (the content itself of the private communications), which is the scope of the key core of the sanctity of communications, and metadata, in the interpretation of the sanctity of private communications. It seems that metadata is not part of the key core of the sanctity of communication. In this regard, the Internet Regulatory Framework contains some guidelines for the court requisition of Internet connection and application records, allowing for metadata to be legitimately obtained upon the issuance of a properly grounded court order against a specific user.

Therefore, the Brazilian Supreme Court is faced with setting clearly and exactly the key core of the fundamental guarantee to privacy and sanctity of private communication, as well as the obligations of Internet application providers related to the nature of the data requested by the courts, for the purposes of cooperating with Brazilian law enforcement.


1. At the Brazilian Supreme Court, the main argument of ADPF 403 (Motion for Violation of a Fundamental Precept No. 403) challenges the decision that ordered the blocking of the WhatsApp application in all of Brazil for noncompliance with a court order to intercept the content of communications, on the grounds of a breach of the right to communication and of the principles of proportionality and reasonableness. Case ADI 5527 seeks a declaration that the provisions of the Internet Regulatory Framework on the sanction of blocking applications are unconstitutional or, alternatively, that they be interpreted in conformity with the Brazilian Constitution. The main arguments are the violation of the rights to communication, free enterprise, and consumer protection, among others.
2. Noncompliance with the court order to intercept the conversations of criminal suspects even led to the arrest of Facebook’s Vice-President for Latin America for the crime of disobedience.
3. A judicial interception cannot be generic and open-ended, without a definite target of investigation.
4. According to the press, a flaw in the Windows operating system, already fixed by an update that many computers had not installed, opened the window through which the malware entered.
5. Affected in Brazil, according to the press: the São Paulo Court of Appeals, the INSS (National Institute of Social Security), private companies, and others.
6. The court-ordered blocking of WhatsApp also involves the examination of the fundamental right to communication, as well as the protection of the sanctity of communications. Thus, only a court may order a breach of the sanctity of communications, provided the legal requirements regarding the suspect and the existence of the crime are met. Law 9296/96 governs the interception of telephone and telematic communications.
7. The Brazilian Constitution, in Article 5, item XII, establishes the sanctity of correspondence, telegraphic communications, data, and telephone communications, except, in the latter case, upon court order, as allowed by law, for the purposes of criminal investigation or procedure. Law 9296/96 governs court-ordered interception of communications. The sole paragraph of its Article 1 provides that the law applies to the interception of communications flowing through information and telematic systems. This provision was challenged in the motion for unconstitutionality ADI 1488-DF, on the ground of violation of Article 5, item XII, but the injunction was denied.
8. The Superior Court of Justice has ruled in several cases that criminal proceedings were null because WhatsApp data had been accessed without court authorization.
9. See Law 12737/12, which inserted Article 154-A, §3, into the Criminal Code: “If the invasion results in obtaining the content of private electronic communications, business or industrial secrets, or confidential information as defined in law, or in unauthorized remote control of the invaded device. Penalty: six (6) months to two (2) years of imprisonment, plus a fine, if the conduct does not constitute a more serious crime.”
10. To illustrate the matter, the Brazilian government has launched a communications satellite in partnership with private institutions to implement the national broadband network in remote areas. A submarine cable is also being built between Brazil and Africa, to be connected onward to Europe. The purpose is to avoid routing data communications between Brazil and Europe through North American territory. For example, when Google’s email service is used, all the private communications of Brazilians using that service are transmitted to, and stored on, that company’s servers spread across North America. The strategic goal is therefore to create alternative data routes and reduce dependency on North American communication networks.
11. A back-door is a hidden means of access built into a program’s code. In this context it would be like a master key allowing access to all the content of the private communications exchanged through the application.
12. On the other hand, former Minister of Justice Alexandre de Moraes, who is currently serving as a Supreme Court Justice, stated publicly that the government was preparing a bill to regulate the access of the courts to private communications on Internet applications.
13. The Constitutional Court of Germany has recognized the right to informational self-determination as inherent in the general right of personality, in light of new information and communication technologies. So, even if a person is not qualified as the owner of their data, they are entitled to proper legal protection against invasions of their informational self-determination. Laws authorizing the monitoring of the private life of criminal suspects on the Internet through secret and remote computer investigation techniques have accordingly been ruled unconstitutional. See: Menke, Fabiano. A proteção de dados e o novo direito fundamental à garantia da confidencialidade e da integridade dos sistemas técnico-informacionais no direito alemão. In: Direito, inovação e tecnologia, volume 1 (eds. Gilmar Ferreira Mendes, Ingo Wolfgang Sarlet and Alexandre Zavaglia P. Coelho). São Paulo, 2015, p. 205-230.
14. Since the September 11th terrorist attacks in the United States, surveillance and monitoring of data and information on the Internet have increased, including demands that telecommunications and Internet companies create back-doors. The NSA appears to have partnered with Internet and telecommunications companies, including in the inspection of communication network infrastructure such as routers, fiber optics, cables, and hardware and software platforms. The USA Patriot Act, passed during the Bush Administration and extended during the Obama Administration, allowed US security and intelligence agencies to intercept the phone calls and emails of people allegedly involved in terrorist acts without a court order. This massive surveillance of US and foreign citizens without court orders was harshly criticized. It was replaced by the USA Freedom Act, which establishes new procedures, before the Foreign Intelligence Surveillance Court (FISC), for gathering data and information in terrorism-related matters. Source: Wikipedia. Critics say the statute is still too broad, allowing the collection of telecommunications companies’ metadata in violation of citizens’ right to privacy.
15. In the United States, there is a debate over the Fourth Amendment to its Constitution, which protects citizens against unreasonable searches and seizures conducted without probable cause and a proper warrant.
16. Castro, Daniel, and McQuinn. Unlocking Encryption: Information Security and the Rule of Law. ITIF, Information Technology & Innovation Foundation, March 2016, p. 1-50.
17. Telecommunication services such as landlines and mobile telephony are under a different regime. The General Telecommunications Act of Brazil guarantees the sanctity of communications, subject to the constitutional and legal exceptions (Article 3). That statute also provides: “Article 72. The provider may only use information related to the individual use of the services by the user to perform its activity. §1. The disclosure of individual information requires the express specific consent of the user. §2. The provider may disclose to third parties aggregated information on the use of its services, provided that it does not allow the direct or indirect identification of the users or violate their intimacy.” Moreover, the Anatel resolution on personal mobile services authorizes the breach of the secrecy of telecommunications in the cases provided by law, upon court order in criminal investigations and procedures. On the other hand, several federal laws, and some state laws, deal with access to the registration information of telecommunications users; for example, federal laws 12830/13, 12850/13, and 13,44/16. These laws oblige telecommunication companies to hand over data and information on their users, which is why their constitutionality is being challenged in cases ADI 5059, 5063, and 5642, pending trial before the Brazilian Supreme Court, on the ground of violation of the right to privacy and sanctity of communications.
18. Brazilian Constitution, Article 3, item V.
19. Studies indicate that WhatsApp has contributed to economic growth in the following respects: reduction of production costs and increased efficiency of Internet-based businesses, improvement of consumer services, reduction of marketing costs, more efficient communication between organizations and investors, and improvement in the provision of public services. See: Rafert, Greg, and Mate, Rosamond. The Global and Country-level Economic Impacts of WhatsApp.
20. It is worth recalling the breach of Yahoo’s database, with access to the content of thousands of email accounts.
21. As per Article 7, items II and III, of the Internet Regulatory Framework.
22. One example is the FBI versus Apple case over unlocking an iPhone. Apple refused to cooperate with the FBI, invoking the right to privacy of its users; according to Apple, the FBI wanted a master key to the operating system, which is contrary to the company’s privacy policy. In the end, the FBI had the device unlocked by other means. There was also a dispute in Europe over access to encrypted WhatsApp data in connection with the terrorist attacks in Paris and London.
23. Brazilian Constitution, Article 5, item XII.