ImprimirBrazil, we need to talk about Child Sexual Abuse Materials clubs
Author: Carolina Christofoletti
In less than one week
1) Brazilian National Task Force arrested an IT technician suspected of leading a transnational child pornography “club” on the Deep Web. The websites were hosted on West-European Countries. According to Brazilian Police, one of the participants was planning to sell his niece to a Russian criminal organization, telling her that she was going to Disneyland instead.
(25.11.2020.G1.https://g1.globo.com/sp/sao-jose-do-rio-preto-aracatuba/noticia/2020/ 11/25/policia-prende-tecnico-em-informatica-suspeito-de-chefiar-quadrilha-de-por nografia-infantil.ghtml)
2) Child pornography images was found to be uploaded from a adult website. Though the crime seems to have been perpetrated in Brazil, the website was hosted in the Czech Republic
(26.11.2020. G1. https://g1.globo.com/rj/rio-de-janeiro/noticia/2020/11/26/ pf-faz-opera cao-para-combater-abuso-e-exploracao-sexual-de-criancas-e-adolescentes.ghtml)
Great work done by the Brazilian Police!
Why is that relevant?
Although the Brazilian Data Protection legislation refers to its non-applicability to criminal investigations (Art. 4, d, LGPD), which must be resolved by separate legislation, such legislation does not exist so far. Although there’s in fact a preliminary Draft currently subjected to the Brazilian Parliament ( Minuta de Anteprojeto de Lei de Proteção de Dados para segurança pública e investigação criminal), the proposed Draft seems to help little in developing a real risk management obligation by digital platforms. Here’s why.
a) Clear rules for cooperation between the public sector and criminal authorities must be set. Particularly when it comes to legal qualifications delegated to the private sector (e.g. child pornography), the existence of clear criteria in order to scale down the economic risk of a mis-qualification is something that should be urgently discussed.
The problem with the Brazilian proposed legislation here is one very similar to the European discussion regarding automatic detection of child pornography, confidentiality of communications and data retained by the private sector (digital platforms). Unfortunately, this question was not addressed by the proposed preliminary Draft.
b) Also, voluntary cooperation remains as a far too vague concept, leading to a legal loophole that prevents any concrete action in this regard. Since the Draft determines that criminal authorities access to personal data shall be addressed by a new legislation, except when the case is one of voluntary cooperation, the parameters of illegal conduct remains unclear, leading to a risk avoiding behaviour that could also conduct Brazilian activities to a “induced blindness” in regard of particular crimes (as child pornography crimes).
See: Art. 11, Minuta de Anteprojeto de Lei de Proteção de Dados para segurança pública e investigação criminal)
c) The rule on the use of end-to-end cryptography presumes the possibility of distinguishing which platforms are of lawful use and which are not. The fact that child pornography content continues to appear on common social platforms like Instagram or Facebook proves that criminal networks are much more infiltrated than they initially seem. Moreover, as the qualification appears only at a later point in time, it becomes impossible to decide ex-ante how one is expected to act.
See: Art. 11, §3º, Minuta de Anteprojeto de Lei de Proteção de Dados para segurança pública e investigação criminal
d) Even though Brazilian legislation addresses the notice and not taken down conduct of Internet Service Providers as criminal when it’s about child pornography, new legislation should also legally address Internet Service Providers duty of taking sufficient care so as not to allow its platforms to be exploited by criminals. Again, a risk assessment is urgent! Particularly the digital content that was reported, removed as criminals and over which no further action (data retention) was taken shall be seen as risk-friendly, especially when, except of hash politics, platforms don’t really seem to know what is really going on with child pornography. It’s there any pattern that could indicate an open-door to clubs? What about keywords in adult websites? Saying that platforms that have not retained relevant data don’t have the obligation of having done so (once again, timely inversion) may seem a far too complex provision, particularly within a legal situation where no compliance mechanisms are being addressed. See: Art. 11, §2º, Minuta de Anteprojeto de Lei de Proteção de Dados para segurança pública e investigação criminal)
e) The Budapest Convention (2004), which to a large extent regulates the instruments of transnational cooperation for the purpose of repression of cybercrimes, has not yet been signed by Brazil. The signature of the Budapest Convention has the potential to be a key instrument for the repression of transnational pornography clubs with Brazilian participants.