Article | Digital Defense Initiative | Asymmetries and Power

Spyware and the Corrosion of Democracy through Surveillance

In recent weeks, investigations by the Federal Police have indicated that the Brazilian Intelligence Agency (Abin) was allegedly used to illegally monitor Brazilian citizens during the Bolsonaro administration. This has sparked a debate about the limits that the state can have when it comes to collecting information about its population through opaque means and without the due knowledge of those who are subject to this analysis of personal information.

The tool used was FirstMile, from the Israeli company Cognyte (formerly Verint). Acquired without a bidding process for R$5.7 million at the end of 2018, the software allows the location of people to be identified from their cell phones. By exploiting a technical vulnerability in the telecommunications infrastructure, without people knowing, it was possible to identify the movement routine of targets and even issue real-time alerts when they moved.

This is spyware, a computer program designed to collect information clandestinely and without the knowledge of users—and it is not the first such software acquired by the Brazilian State.

Not all of them exploit the same vulnerability as First Mile. There are programs that extract data from handheld electronic devices, such as Cellebrite, while others allow remote access, such as Pegasus. Harpia Tech, on the other hand, specializes in scanning individuals’ information on the internet, creating biographical dossiers in an automated manner. The “Instituto de Pesquisa em Direito e Tecnologia do Recife (IP.Rec)” found 209 documents proving the acquisition, updating, and training for the use of these tools by security and intelligence agencies in the country between 2015 and 2021.

The increase in the use of spyware raises alarms about the limits of investigative activities, national defense, and state security. The monitoring of individuals and groups by political forces violates the fundamental rights to privacy and protection of personal data, in addition to putting freedom of expression assembly, among others, at risk. Robust safeguards and auditable operational procedures are needed to ensure that techno-authoritarian software is not used for systematic violation of rights or even a complete ban on the use of such technologies in the national territory.

External control and oversight of intelligence activities are exercised by the Legislative Branch through the Joint Intelligence Activities Control Committee (CCAI), as established in art. 6 of Law 9.883 of 1999 and Resolution No. 2 of 2013 of the National Congress. However, in addition to the lack of transparency regarding its activities, its current member includes Deputy Delegado Ramagem (PL/RJ), suspected of receiving information about operations in Rio de Janeiro carried out by Abin. Ramagem was director of Abin during the administration of former President Bolsonaro, warning about the need for strict legal parameters for the use of spyware and its control by the National Congress.

Currently, different bills seek to fill this legal vacuum. Bill 58/2024, authored by Congressman Alberto Fraga (PL/RJ), establishes less rigid criteria for its use, while Bill 199/2021, by Kim Kataguiri, adds elements such as the prohibition of personalization of data collection and processing, accountability for software use, and accountability reports to Congress. Both bills were attached to Bill 4510/2020, authored by Congressman Carlos Zarattini (PT/SP), which limits the use of such spyware technologies by national intelligence. The Bill was rejected in the first committee in which it was processed, with a dissenting vote from the opposition rapporteur and former leader of the Bolsonaro government, Congressman Vitor Hugo (PSL/GO).

The case is currently under dispute at the Brazilian Supreme Court. Direct Action of Unconstitutionality by Omission No. 84 concerns the partial omission in regulating the use, by public agencies and agents, of remote virtual intrusion programs and tools for secret and invasive monitoring of digital personal communication devices. Data Privacy Brasil and InternetLab filed an amicus curiae petition in order to contribute to the constitutional debate on this topic. In view of the precedents already established by the Brazilian Supreme Court in the IBGE and Cadastro Base Cidadão Cases, we understand that spyware, as currently used by intelligence agencies, is unconstitutional due to the systematic violation of the fundamental right to the protection of personal data and informational self-determination.

Spyware has a documented history of human rights violations, such as the persecution and violation of the rights of opponents in Sudan and the imprisonment and murder of thousands of people in Myanmar. There is growing concern that activists and journalists may be targeted by the government or even by private actors, substantially undermining the democratic regime in the country. The current scenario demonstrates the importance of combating techno-authoritarian practices with due safeguards for human rights, regulating digital technologies that corrode democracy.

Pedro Saliba

Lawyer and sociologist, master in Sociology and Anthropology from PPGSA/UFRJ. Research on the intersection between personal data protection and public power, especially in the area of ​​security and surveillance. He was a researcher at the Digital Studies Laboratory (LED/UFRJ) and is currently coordinator of the Asymmetries and Power area at Data Privacy Brasil.

This article also had the collaboration of:

Vinicius Silva

Master in Social Change and Political Participation and a degree in Public Policy Management from the School of Arts, Sciences, and Humanities (EACH) at the University of São Paulo (USP). Professional experience of almost 10 years in government relations and advocacy, working in monitoring, strategy, and incidence in public policies of various sectors. Represents Data Privacy Brasil in some organizational spaces such as the Pact for Democracy, the Alliance for Cryptography in Latin America and the Caribbean (AC-LAC) and the Coalition for Rights on the Internet (CDR),

Rafael Zanatta

Co-director of Data Privacy Brasil. He holds a master’s degree from the Faculty of Law at USP and a doctorate from the Institute of Energy and Environment at USP, having completed the Privacy Policy and Law course at the University of Amsterdam (2018). He holds a master’s degree in law and economics from the University of Turin. He was a visiting researcher at The New School (2021). He is a member of the Latin American Network for Surveillance, Technology, and Society (Lavits)

Text written by Pedro Saliba and originally published on 26.02.2024 on the website *desinformante.