For many years, Latin America’s largest democracy was a leader on data governance. In 1995, it created the Brazilian Internet Steering Committee, a multi-stakeholder body to help the country set principles for internet governance. In 2014, impelled by Edward Snowden’s revelations about surveillance by the US National Security Agency of countries including Brazil, Dilma Rousseff’s government pioneered the Marco Civil (Civil Framework), an internet “bill of rights” lauded by Tim Berners-Lee, the inventor of the World Wide Web. Four years later, Brazil’s congress passed a data protection law, the LGPD, closely modeled on Europe’s GDPR.
Recently, though, the country has veered down a more authoritarian path. Even before the pandemic, Brazil had begun creating an extensive data-collection and surveillance infrastructure. In October 2019, President Jair Bolsonaro signed a decree compelling all federal bodies to share most of the data they hold on Brazilian citizens, from health records to biometric information, and consolidate it in a vast master database, the Cadastro Base do Cidadão (Citizen’s Basic Register). With no debate or public consultation, the measure took many people by surprise.
In lowering barriers to the exchange of information, the government says, it hopes to increase the quality and consistency of data it holds. This could—according to the official line—improve public services, cut down on voter fraud, and reduce bureaucracy. In a country with some 210 million people, such a system could speed up the delivery of social welfare and tax benefits, and make public policies more efficient.
But critics have warned that under Bolsonaro’s far-right leadership, this concentration of data will be used to abuse personal privacy and civil liberties. And the covid-19 pandemic appears to be accelerating the country’s slide toward a surveillance state. Despite briefly falling ill himself, and although Brazil’s death toll had passed 90,000 by the end of July, Bolsonaro has consistently downplayed the seriousness of the disease. Yet that hasn’t stopped him from using the crisis to justify even more aggressive data grabs.
The instinct to centralize
According to Rafael Zanatta, a director of Data Privacy Brasil, an NGO, the government’s discourse on using data to improve public services is strikingly similar to the way the military dictatorship in the 1970s justified its own efforts to create a unified system. That project, known as Renape, faced criticism from within the military and a backlash from the government technicians building it because of its lack of transparency and the threats it posed to freedom and privacy. It was eventually shelved.
The Cadastro may have been born of good intentions, says Ronaldo Lemos, a lawyer and director of the Institute for Technology and Society Rio. Indeed, the pandemic quickly revealed the need for some sort of nationwide digital identity system: by the end of April, 46 million informal workers, previously invisible to the federal government, had registered online to receive emergency financial aid.
But Lemos, one of the authors of the Marco Civil, says its centralized nature is worrisome. He has long advocated for a model akin to that used in Estonia, a country widely seen as a paragon of digital governance. The Estonian government stores a broad range of citizens’ data, yet no single government agency holds all the eggs in its institutional basket. Estonians have to give permission for one agency to access the data another agency holds on them, and they can track who looks at their data. “With this decree,” says Lemos, “Brazil is doing precisely the opposite.”
Under the October decree, any federal body could start requesting and gathering data from others. Documents leaked to The Interceptin June revealed that ABIN, Brazil’s national intelligence agency, had already used the decree to ask Serpro, a state-owned data company, for the records of the 76 million Brazilian citizens who hold driver’s licenses. Such examples mean citizens’ data could start appearing in many new data sets without their knowing about it.
The scope for data acquisition under the decree is broad. Along with basic information such as name, marital status, and employment, the Cadastro will include biometric data such as facial profiles; voice, iris, and retina scans; prints of digits and palms; even gait. There are no limits placed on how health data can be shared, and the list even includes genetic sequences. The plan, says Lemos, is “using genomics, faces, and fingerprints as a form of identifying people easily, without them knowing exactly how, which is pretty scary.”
Centralizing so much data presents a “huge security risk,” says Verónica Arroyo, a policy associate at the advocacy group Access Now. A hack or leak could open citizens up to identity theft, fraud, or worse. In 2016, São Paulo city hall accidentally exposed the personal data—including some medical records—of 365,000 patients in the public health system. In 2018, tax ID numbers and other information on 120 million people—more than half the population—were unveiled to the internet for weeks, after the server housing them was incorrectly renamed.
The Cadastro will be regulated by a Central Data Governance Committee. This body, made up of representatives from the federal government, will decide on the sensitivity of data and rule on any controversies. That’s in sharp contrast to the Internet Steering Committee set up in 1995, whose members include people from government, business, civil society, and academia. “You don’t have citizens, you don’t have the technical community, you don’t have civil society—it’s not even intended to be an independent commission,” says Danilo Doneda, a civil lawyer and advisor to the Internet Steering Committee.
It’s also not clear how the master database will be compatible with the LGPD, the new data protection law. There are stark inconsistencies—for example, biometric data is considered sensitive under the LGPD, yet in the new decree it falls under a less protected category. The new decree “basically ignores data protection legislation,” says Doneda. “The government is still acting like it wasn’t a concern.”
In fact, the fate of the LGPD is still up in the air. It was originally meant to come into force in August, but its protections had already been watered down both by Bolsonaro and by Congress under his predecessor, Michel Temer. In April, however, the government sneaked through an extension to delay implementation until May 2021.
“All these efforts can lead up to a high asymmetry of powers between citizens and the state.”
There were arguably good reasons to postpone the LGPD, as disruption caused by covid-19 made it harder for businesses to adapt. But some suspect the government’s real motive is to postpone the increased scrutiny the LGPD would bring to political campaigning. Municipal elections are slated to take place later this year, and electoral courts could use the new law to investigate political parties for improper accumulation and use of data, according to Zanatta of Data Privacy Brasil.
There’s ample reason to fear such misuse. During the 2018 presidential election that brought Bolsonaro into office, WhatsApp became a platform for widespread misinformation, most of it favoring Bolsonaro, according to an analysis by the Guardian. Some think the Cadastro could open the door to more targeted propaganda campaigns. Advanced profiling, including data gathered during the pandemic, could identify the voters most likely to believe and spread misinformation, who could then be unwittingly used to broadcast it, says Zanatta. One of Bolsonaro’s sons is currently under investigation for allegedly organizing a criminal scheme to spread fake news.
The covid-19 pandemic has produced further evidence of the president’s intent to use data as an instrument of power. In April, when the governor of São Paulo launched a project using phone data to track how well people were adhering to isolation measures, Bolsonaro’s son Eduardo called it an “invasion of rights,” and the president quickly put a stop to a similar plan from the science ministry. Yet he apparently had no such qualms a week later when he signed a decree mandating that telecoms hand over data on 226 million Brazilians to IBGE, the government’s statistical agency, ostensibly for surveying households during the pandemic. Critics said the data grab was unconstitutional and disproportionate, and it was eventually struck down by the supreme court.
Like many countries, Brazil has been increasing its use of technology for tracking its citizens. Surveillance camera networks installed for the 2014 World Cup and 2016 Olympics stayed in place after those events ended. Several police forces used facial recognition software during this year’s carnival to scour the crowds for criminals. And a series of bills both enabling and mandating widespread adoption of the technology—on public transport, for example—have been making their slow way through Brazil’s congress. Last year Brazilian police arrested 151 people who’d been identified with the help of facial recognition, including one man wanted for murder who was dressed as a woman for carnival. In December, facial recognition cameras were put in place near the border with Paraguay, a hot spot for drug trafficking and other organized crime.
Crime is a big issue in Brazil, where the murder rate is about five times the global average. A tough stance was key to Bolsonaro’s rise to power. But the Cadastro Base do Cidadão and mass surveillance technology make a terrible combination, warns Arroyo: “All these efforts can lead up to a high asymmetry of powers between citizens and the state.” And the fear of crime inclines Brazilians to relinquish their data privacy in return for security, says Doneda: “People are really afraid.”
The shortcomings of facial recognition tech are well documented—particularly the fact that existing systems, most of them developed in majority-white countries, disproportionately misidentify people of color. César Muñoz, a researcher at Human Rights Watch, says this poses a particular problem in Brazil, where more than half the population is Black or brown. Almost half of those people work in the informal economy, and around a third live under the poverty line. “If you are a Black person with no means to secure a lawyer and are detained on the basis of facial recognition, it’s going to be tough,” Muñoz says.
In theory, the regulations being created today are reversible. But once surveillance technology and masses of data are in the hands of the authorities, it’s hard to take them back. “If police buy the kit, they are going to use it until it stops working,” says Doneda.
Compared with other parts of the world, Brazil is rich with NGOs dedicated to data privacy and rights. It’s also relatively easy to launch collective-action lawsuits, making public pressure easier to apply. And as the pandemic has shown, the supreme court can still stand up to the federal government. In early June, it forced the health ministry to start publishing comprehensive data on covid-19 deaths again, after the ministry stopped doing so in what was widely seen as an attempt to cover up the rapidly rising death toll.
Lemos believes a culture of data protection could still flourish in Brazil, in a development similar to the paradigm shift that happened after a consumer protection code was introduced in 1990 and people started to exercise their newfound rights. Much will rest on when the LGPD comes into force, and whether it’s backed up by a credible and independent data authority.
But some observers think the authority could be dominated by the military, members of which occupy about half of Bolsonaro’s 22 cabinet seats. Military dictatorships are a not-too-distant memory in Latin America. Says Katitza Rodríguez, a Peruvian who is international rights director for the Electronic Frontier Foundation: “History has taught us that our democracies are not that strong.”