Virtual environment profoundly transforms legal categories
*This is an AI-powered machine translation of the original text in Portuguese
"The suspension of the WhatsApp application, which allows for instant messaging over the worldwide computer network, in the comprehensive manner as it was determined, seems to violate the fundamental precept of freedom of expression."
It was on this basis that Minister Ricardo Lewandowski, in ADPF 403 MC/CE, granted the injunction suspending the blockade imposed on WhatsApp. Now, let's consider the following hypothesis: what if WhatsApp or Facebook simply decided to cease their operations in Brazil?[1]
Would we say that Facebook violated the right to free communication and expression of millions of Brazilians or simply exercised its freedom of initiative? Could the state compel Facebook to continue providing its services here?
Perplexities generated by simple questions like this show how profound is the ongoing transformation of the law. Various actors (the state, application providers, access providers, and users) interact around and through a "space," the internet, organized by private entities but utilized and produced by a global audience[2]. This blurs the line between the public and the private in the virtual environment[3].
The same goes for the individual and the collective (think about production in Creative Commons where there is no author, neither individual nor collective)[4]. The distinction between consumer and producer is also affected since users create the content of social networks (they are prosumers).
In a daily routine where relationships occur in the interweaving of physical and virtual communications, traditional dichotomies and legal categories need to be reconsidered[5]. This raises questions about the model built in the Modern Era that pits the state, legally personalized as the guarantor of public order, against individuals, conceived as spheres of subjective rights.
Encryption is particularly interesting in exposing this tension, as it has the potential, in some aspects, to replace the state. For example, cryptocurrencies like Bitcoin base their security on cryptography for coin issuance and transaction recording, bypassing a guaranteeing entity like the Central Bank.
The state is also the guarantor of the inviolability of domicile, communications, and the secrecy of correspondence (Brazilian Constitution of 1988, Article 5, XI and XII). The right is declared inviolable precisely because domicile, communications, and missives are, in fact, violable. In the digital environment, cryptography flips things around: emails, SMS, website contents, and even the internet connection itself (via VPN) can be encrypted, making them inviolable in practice. If in the 1970s and 1980s total automation terrified workers, now the threat of "digitization of everything" haunts the Leviathan.
This understanding explains the strong reaction of citizens, speaking on behalf of the state, against the "boldness" of WhatsApp or Facebook in "refusing" to comply with a national court decision. But these are companies that depend on the content generated by their users - millions of Brazilian citizens - and if they started offering public key cryptography (or asymmetric or end-to-end), they did so not out of benevolence or to hinder the investigative action of law enforcement.
They simply recognized the demand for privacy assurance coming from the users themselves, given the growth of competing applications that already offered this differentiator. And these are the same user-citizens who appeal to the state for both physical and digital security. What is at stake, therefore, is the democratic construction of the public space, both real and virtual.
When I argued, along with Tercio Sampaio Ferraz Junior and Marcelo Finger, for "the need to regulate encryption," some interpreted "regulate" as "restrict." In fact, that text had two central points. First, to highlight that a decision mandating WhatsApp to open the content of messages would mean the prohibition of offering absolutely secure products with end-to-end encryption in the country, as companies would have to reserve some exceptional access mechanism to comply with court orders regarding user-generated content.
Moreover, such a decision could generally mean that digital technology companies must produce devices and applications that allow for surveillance windows of their content. Second, the text questions whether the judiciary would be the appropriate forum to make this decision regarding the Brazilian IT market.
There are various scenarios for regulating encryption in international experience: an outright prohibition on encrypting or offering IT products and services with encryption; prior requirement and authorization for use; state supply of technology with retention of decryption key copies; application provider's retention of a decryption key copy linked to each chip; even absolute permission and freedom to use and commercialize this technology[6]. There is also an international agreement, the Wassenaar Arrangement, established in 1996, a response from the European Union to the U.S. initiative with the Clipper Chip.
According to the agreement, domestic use and commercialization of encryption should be free, with controls established for its export. In the USA, the conflict between the FBI and Apple revived a broad political debate from the 1990s, known as the Crypto Wars[7]. In that decade, the National Security Agency (NSA) proposed regulation (called the Clipper Chip) in which it would be responsible for providing a standard end-to-end encryption technology to be used, keeping a copy of each decryption key linked to each chip (Key Escrow) to read the content stored by any user, along with a backdoor mechanism to access the device keys.
The initiative generated a massive libertarian reaction and ultimately succumbed in Congress. On the other hand, until the 1990s in the USA, there was a ban on exporting strong cryptography (above 40 bits), metaphorically equating it to "ammunition." The reaction of privacy advocates and the free software community, inspired by the case Bernstein v. U.S. Department of Justice, was based on the metaphor that encryption software uploaded on the internet (exported) would be a form of "speech" and as such, protected by the First Amendment (freedom of expression).
However, the defeat suffered by the NSA was primarily driven by the consequentialist argument of the industry, pointing out the economic potential of cryptography as a resource for e-commerce and the relentless advancement of technology (showing that the backdoor could be blocked and the USA was no longer the sole producer of strong encryption). Against the claims of the FBI, which seized the terrorist's phone in the San Bernardino attack and demanded changes to the locking software to access its content, Apple argued that its software was speech.
Unfortunately for the legal debate but fortunately for the investigation, the FBI cracked the code, and the case was not tried. In a case involving the seizure of a methamphetamine dealer's phone, Judge J. Orenstein of the District Court of New York, in a decision in February 2016, held that, in the absence of legal provisions, Apple was not obliged to decrypt user access or messages (mentioning, in its support, the outcome of the Crypto Wars).
The connection with the freedom to express oneself artistically with the source code of software seems to obscure the central theme: the right of each individual to privacy regarding personal data stored on their phone versus the requirement for public safety.
Here, the right to encryption is linked to the issue of personal data protection, on which Brazil, unfortunately, still lacks legislation (for context, the first data protection law was enacted in Hessen, Germany, in 1970 - hence, already in the automation era, before the internet age). Data protection laws typically start from a prohibition principle, as a derivative of the fundamental right to privacy: the collection, processing, and use of personal data are prohibited unless expressly allowed by law or by the individual themselves.
The starting point is that the individual is always vulnerable to collection, and it is up to the state to prohibit it regarding third parties (including itself). Specifically regarding data stored on personal devices, the state can be replaced by an even more effective technological tool to guarantee the right to privacy, so the principle could be read, from the individual's perspective, as follows: everyone is allowed to prevent the collection, processing, and use of their data by third parties (i.e., to encrypt), unless prohibited by law.
But wouldn't this be precisely the statement of a right (fundamental?) to encrypt one's virtual spaces and private communications? If this is the case, wouldn't the provision of encryption technology or products that include exclusively accessible encrypted communication fall within the scope of free initiative? In what circumstances would it be reasonable to restrict, by law, its use or commercial availability? And how would you do that?
Questions to be answered by the people, for the people.
[1] This provocative question arose from a conversation with Renato Ópice Blum, to whom I am grateful.
[2] Hoffmann-Riem, W. New Collectivities on the World Wide Web as a Challenge for the Law, Juristen Zeitung, v.22, p. 1081 to 1136, 2012.
[3] See the case Intel Corp. vs. Hamidi (1 Cal.Rptr.3d 32 (2003)): an email copying all company employees with criticisms of the boss, is it an act of public defamation or a set of private missives?
[4] Maranhão, J. S. A. and Ferraz Junior, T. S. Free Software and non-exclusive individual rights. Archiv für Rechts und Sozialphilosophie-ARSP, v. 94, 237-252, 2008.
[5] Maranhão, Juliano. “Conceptual Reconfiguration? Digital Law as a Metaphor for Itself,” to be published in Contemporary Theories of Law. Law and Normative Uncertainties. FGV Direito Rio Notebooks. Coords. Pedro Fortes, Ricardo Campos, and Samuel Barbosa.
[6] Gerhards, Julia. (Basic) Right to Encryption?, Der Elektronische Rechtsverkehr, Nomos, 2014.
[7] Kehl, D., Wilson, A., and Bankston, K. Doomed to Repeat History? Lessons from the Crypto Wars of the 1990s, Open Technology Institute, New America, 2015.
[8] In a monograph on the subject, Augusto Marcacini argues for the right to encrypt. “Law and Informatics: a legal approach to cryptography,” São Paulo, 2010.
Originally published in Conjur.