This is another InternetLab newsletter about the Brazilian public consultations about the Marco Civil da Internet regulation and the Data Protection Draft Bill.

Check the trends of participation and the selected controversial topics of this week.

Numbers and charts

Regulation of Marco Civil: IPv6 and access records

The Federal Prosecution Service (MPF, in portuguese), in its contribution to the consultation platform of the Ministry of Justice, expressed concern about the impossibility of identification of Internet users. This process is currently performed through the records of the activities of users, which shall be stored by both the Internet companies and the connection providers.

Within the provisions of the Marco Civil it is possible to request two types of records, as defined in Article 5 of the law:

VI – connection log: all information regarding the date and start and end time of an internet connection, its duration and the IP address used by the terminal for sending and receiving data packets;

VIII – records of access to Internet applications: the set of information regarding the date and time of use of a particular Internet application from a particular IP address.

Through these two pieces of information, obtained only by court order, the competent authorities are able to, for example, find a computer used to carry out a crime and, finally, find the suspect of the crime. The MPF argues that, currently and as stated in the Marco Civil, this information would no longer be sufficient to find the suspects.

The problem identified by the MPF has a technical nature and is related to the IP numbers (Internet Protocol). It is through this communication protocol that the data packets (i.e., all traffic which is performed) are addressed from one machine to another in the network. Due to the increasing use of the Internet, the IPv4 (Internet Protocol version 4) is running out, which means that there is no more IPs to all users simultaneously. The ultimate solution to this problem would be to implement the new IPv6 protocol, which has greater ability to connect a larger number of users at the same time. However, this final solution is costly and has been slow (link in PT-BR).

In view of this problem, as explained in this Video by the NIC.br (the Brazilian Network Information Center – link in PT-BR), managers of autonomous systems are beginning to share the IPs “version 4” among many simultaneous users. This stopgap solution relieves the need for more IPs, however it leads to greater difficulty in finding suspects identities.

This greater difficulty is best explained with an example. Picture that the MPF needs to find the connection that used a given IP at a certain time and date. Typically, the number of IP combined with the time and date requested would lead to only one result and this would be the connection used by the suspect. Due to the sharing of a number of IP with multiple users, the requested IP will lead to a large number of connections at that time and date, making it become impossible to determine what is the connection that is a source of the suspicious activity and what are the other non-suspicious connections.

To solve this problem, the MPF requested the Marco Civil regulation decree to establish an obligation for connection providers to keep, in addition to other data already requested in Article 10, data related to the connection port used by users. This additional data would overcome the IPs share issue and it could be possible, again, to unequivocally identify the machine used by the possible criminal.

The biggest problem here seems to be that the creation of new obligations, not provided for in Marco Civil, is not the scope of the law regulation decree. Luckily, the migration to IPv6, which, after all, is the ultimate solution to the problem, is receiving great attention from various actors, among them ANATEL (the Brazilian Telecommunications Regulatory Agency) which already determined deadlines for its implementation (link in PT-BR).

Data protection: records of processing operations

Article 4 of the Data Protection Draft Bill seeks to give more transparency to the data treatment process and more power to the user to know what is done with the data owned by them:

 Art. 4. The responsible or operator must keep a record of the personal data processing operations that perform (…)

The text mentions the responsible and the operator of the data, defined in the draft bill itself (Article 5) as the person who is responsible for decisions relating to the data and the person who performs the processing of data on behalf of the responsible, respectively.

This rule imposes the same obligation to a large number of recipients who may not share the same resources or the same uses of the data.

The participant Roberto Taufick raised a number of issues regarding the provision of the Article 4. First, he points out that the article does not detail what type of record should be kept and what level of detail of the information about the processing of data should be kept on record.

Another question asked by the participant is related to the situation of small content providers. According to Roberto Taufick, they do not always have the resources to bear the burden of maintaining records of all data processing operations they perform and, even if they have, these resources would be diverted from the field of innovation, which would be a major disincentive for entrepreneurs.

It is worth remembering that data processing refers to a number of actions related to data, as provided for in Article 5 of the draft:

II – processing: set of actions regarding the collection, production, reception, classification, use, access, reproduction, transmission, distribution, transportation, processing, archiving, storage, disposal, evaluation and control of information, modification, blocking or supply to third parties of data, through communication, interconnection, transfer, distribution or extraction;

According to the participant, Article 4 may end up creating a costly burden for guardians who do not even have in the data processing its core business, and this does not seem to be the idea behind the provision. He suggests an adjustment to the draft of the device:

 “The solution more appropriate seems to be requiring this type of care from a given size of the provider edge: only in this way it is possible to require adequate investment to better retain personal information, without harming innovation, or balsamizing the internet “

Authors: Francisco Brito Cruz and Jonas Coelho Marchezan // Translation: Beatriz Kira.