From Jurisdictional Battles to Crypto Wars: Brazilian Courts v. WhatsApp

The Supreme Federal Court of Brazil. Courtesy Leandro Neumann Ciuffo/Flickr.

Brazilian judicial authorities ordered that access to the U.S. messaging service WhatsApp be blocked three times within the last ten months: for forty-eight hours in December 2015, for seventy-two hours in May 2016, and indefinitely on July 19, 2016. Each time, the suspension was prompted by WhatsApp’s failure to comply with the Brazilian government’s requests for data relevant to criminal investigations.

These extreme measures are controversial, and the Brazilian Federal Supreme Court has been called on (link in Portuguese) to declare the blocks unconstitutional. Meanwhile, superior courts have acted efficiently in lifting the blocking orders on the grounds of “disproportionality.” Nevertheless, the underlying causes of the suspensions have not been effectively addressed: the bans arise out of a complicated legal dispute that is transnational in nature and of global concern, and they intertwine long-standing jurisdictional battles with cutting-edge issues surrounding end-to-end encryption.

The Jurisdictional Battle

Despite the fact that WhatsApp Inc. is incorporated and headquartered in the U.S. and has no legal presence in Brazil, Brazilian courts have still found jurisdiction over it. The Marco Civil da Internet (MCI)—Brazil’s Civil Rights Framework for the Internet—states in Article 10 that Internet application providers engaged in any form of data processing within the territory of Brazil must abide by Brazilian law. According to Article 11, this holds true “even if the activities are carried out by a foreign-based legal entity, provided that it offers services to the Brazilian public or at least one member of the same economic group has an establishment in Brazil.”

WhatsApp Inc. offers services in Brazil and collects data from users located within the country, creating touch-points that trigger the application of Brazilian law. That the company has no legal presence in Brazil adds a layer of complexity to legal matters: Brazilian courts recognize “Facebook Serviços Online do Brasil Ltda.” (Facebook Inc.’s subsidiary incorporated in Brazil [Facebook Brazil]) as the legal representative of WhatsApp Inc., and consider both to be members of the same “economic group” within the definition of the MCI. Consequently, data demands, such as subpoenas, warrants, and wiretap orders issued by Brazilian authorities towards WhatsApp Inc., are consistently served upon Facebook Brazil.

The jurisdictional battles commence at this point. In the backdrop of all three blocks lies Facebook Brazil’s refusal to be held as WhatsApp’s legal representative in the country. Facebook Brazil argues (link in Portuguese) not only that the businesses are distinct legal entities, but that it has no control over WhatsApp’s messaging service. Without such power, Facebook Brazil is unable to comply with government requests for data. After the first block in December 2015, WhatsApp Inc.’s counsel in Brazil made public statements (link in Portuguese) implying that the company did not cooperate with Brazilian authorities for similar reasons. The company had never been a party to the legal procedures; only Facebook Brazil was ever party to these proceedings. In addition, if WhatsApp turned over data without a U.S. warrant, it would be violating U.S. law. As such, Brazilian judges had to resort to the mutual legal assistance (MLA) process between the U.S. and Brazil to reach WhatsApp Inc. and obtain the sought-after data.

However, the company’s legal strategy has so far catastrophically backfired in Brazilian courts. WhatsApp’s resistance to disclosing data creates the impression of unwillingness (link in Portuguese) to collaborate with Brazilian authorities, which has prompted courts to take drastic measures to enforce judicial orders. Brazilian judges have repeatedly reaffirmed their jurisdiction over WhatsApp and Facebook Brazil’s legal responsibility to answer for the company. The courts have also rejected (link in Portuguese) the need to go through an MLA procedure when the crime being investigated occurred in Brazil, or when the users affected are either Brazilian or located in Brazil – the great majority of the cases. The fact that Internet companies are often subject to conflicting national legislation, as in the case of Brazilian and U.S. laws that regulate government access to user data, is persistently ignored by the courts. Further, since some Brazilian judges are quick to (mis-)interpret jurisdictional arguments as attacks on their individual judicial authority and/or Brazil’s national sovereignty, personal power-plays and a geopolitical rivalry color WhatsApp’s legal dispute.

The Crypto Wars

After the second and the third blocks, WhatsApp Inc.’s public statements against Brazilian data demands focused on the technical impossibility of complying with requests. The messaging service differs from other applications in two ways: First, user data is only temporarily stored on WhatsApp’s servers: after a message is delivered to the addressee, WhatsApp erases the data from its servers, making it retrievable only from user devices. Second, the company protects the confidentiality of conversations with end-to-end encryption, making it impossible (even for the company itself) to decrypt any encrypted messages, even upon government request.

Here the Brazilian Crypto Wars unfold: These two characteristics make compliance with demands for stored communications (retrospective collection of content) and wiretap orders (contemporaneous collection of content) theoretically impossible. The only kind of collaboration that can be expected between WhatsApp and the Brazilian government is the rendering of account and usage information and the establishment of real-time interception of metadata. Unsurprisingly, Brazilian authorities are frustrated with the reduced surveillance powers of Brazil’s most popular app.

Officials (link in Portuguese) have pointed out that WhatsApp violates data retention provisions set forth in Article 15 of the MCI, which mandates that Internet application providers retain access to application logs for six months. WhatsApp Inc. has defended (link in Portuguese) itself by claiming that law enforcement authorities usually compel production of more metadata than what the company is actually required to retain under the MCI. It is difficult for commentators to take a firm position on whether the government or the company has the better argument on this matter, because WhatsApp Inc. does not disclose its retention policies and the government keeps its data demands under seal.

Most worrying are the threats that authorities have voiced against encryption itself. When ordering the most recent block, the magistrate judge demanded that WhatsApp “disable the encryption key” to facilitate wiretaps and perhaps even espionage through man-in-the-middle attacks. The judge’s request basically amounted to ordering WhatsApp Inc. to compromise its own technology.

To be clear, Brazil has no explicit legal basis for such a request. The Brazilian regulation that requires companies to design their networks so as to enable government surveillance does not extend to Internet application providers; it applies only to telecommunication carriers. However, the legal exemption that seems to protect WhatsApp from authoritative orders in Brazil is not the result of an intense public debate and deliberate legislative choice to restrict the extent of legal obligations to cooperate with law enforcement. While the exclusion of “information services” from surveillance requirements in the U.S. was the result of a tooth-and-nail fight to limit the scope of the Communications Assistance for Law Enforcement Act, Brazil’s legislative history is less clear in the matter. This intensifies political discussions and gives room to legal arguments challenging the conformity of WhatsApp’s data security choices with Brazilian law.

The Future Ahead

A conclusion—or even a short-term solution—is not imminent. The jurisdictional battles revolving around WhatsApp’s struggle with Brazilian courts are yet another illustration of a deep-rooted issue in Internet law: squaring national laws, based on territorial notions of jurisdiction, with the global Internet. WhatsApp is a U.S. company indeed, but its operations affect societies worldwide. To effectively manage this tension, a global effort to delineate jurisdiction as applied to cross-border requests for digital evidence and streamline mutual legal assistance processes is vital. Such endeavors would reduce the incentives for unilateral coercive actions, including not only shutdowns but also arrests and fines. In this sense, while initiatives coming from the U.S. and Europe are commendable, close engagement with the rest of the globe is indispensable.

In its turn, the debate around encryption and reconciling law enforcement needs with data security and privacy concerns has recently been brought back to the spotlight. As it evolves, discussions inherently tied to one or another country might prove conceptually limited and ultimately unsatisfactory, given the impact that national encryption policies can have internationally. If Brazil were to pass legislation (link in Portuguese) banning services that deploy end-to-end encryption, for example, the negative side effects would transcend national boundaries; the free flow of information, the digital economy, and the Internet infrastructure would be adversely affected. For that reason, the potentially drastic outcomes from the Brazilian crypto wars beg for international attention and transnational multi-stakeholder collaboration.

In the meantime, the wholly domestic aspects of the Brazilian courts and WhatsApp Inc.’s disagreements merit domestic scrutiny. Aggressive and dubious interpretations of Brazilian law by a handful of tremendously powerful judges threaten to harm the reputation of a country once celebrated for its innovative model of Internet governance and commitment to defending privacy in the digital age. In the policy arena, Brazilian civil society has managed to push back against proposals that would fundamentally worsen surveillance law from a civil liberties perspective. Yet the jurisdictional battles and crypto wars call for the development of a robust scholarship and solid case law around existing law. Although these are time-intensive responses to time-sensitive issues, such development is the only avenue for fleshing out workable and promising strategies for the complex problems surrounding these issues that are simultaneously local and global.

Jacqueline de Souza Abreu (@jacqueabreu) is Project Lead at InternetLab, a São Paulo-based law and technology research center. She holds LL.M. degrees from UC Berkeley and LMU Munich.
