Your data used against you: reports of manipulation on WhatsApp ahead of Brazil’s election

On Sunday October 28th, Brazil will hold a second round of presidential elections to pick a winner, after no candidates were able to win a majority vote in the first round. The two final contenders in the upcoming election are Fernando Haddad, whose original running mate was eliminated due to pending corruption charges, and Jair Bolsonaro, who has become notorious in the media and the Brazilian public debate for expressing misogynistic, homophobic, and violent views. In the middle of a very heated political debate, there are reports of misuse of personal data for disinformation campaigns on WhatsApp. This puts the rights of internet users at risk.  

Social media campaigns: risks for rights and democracy

Social media has become an essential tool in political campaigns, but it is not without risks for fundamental rights and democracy. We are familiar with the Cambridge Analytica case that entailed abuse of the Facebook platform to download, analyze, and use personal data for targeted political advertising. Some observers argue that the micro-targeting scheme that Cambridge Analytica facilitated had a key role in the 2016 U.S. presidential elections, the 2018 Kenyan presidential race, and the U.K. Brexit referendum, but research is only starting to become available and it is a matter of debate whether these campaigns really change people’s minds.

Regardless of the effectiveness of social media targeting for particular political campaigns, these tactics can seriously undermine users’ rights to determine how their information is used, and disrupt the free flow of information. Social media platforms have come under increasing public scrutiny due to their behavioral advertising models and the dissemination of disinformation on their sites. Yet laws and regulations on political campaigning and financing in most Latin American countries still don’t establish clear rules for social media advertising the way they do for traditional media outlets such as TV and radio. The hoovering of data and tracking practices of social networks put users’ data at risk of misuse, and threats are compounded by illegal or non-transparent practices when political parties hire data brokers to create campaigns that exploit personal information.

The situation in Brazil: data-driven manipulation

According to a report by Tactical Tech and Coding Rights, political parties hired marketing firms to develop a “data-driven campaign” for WhatsApp and other platforms. The objectives of the campaigns were to identify an audience, prepare political ads according to their preferences, and disseminate news, misinformation, and propaganda through various social media channels. The marketing firms behind this work use vast amounts of user data, from telephone numbers to identification information (such as age, location, and occupation). The way this information is obtained and used presents a serious threat to human rights in Brazil.

On October 18, the newspaper Folha de São Paulo reported that the marketing companies Quickmobile, Yacows, Croc Services, and SMSMarket made deals for “data-driven campaigns” not only with candidates but also with other companies. These deals were identified as corporate donation transactions which are unconstitutional in Brazil, based on a decision by the country’s Federal Supreme Court in 2015.

According to the law in Brazil, any political party that aims to direct political advertising messages to individuals should rely solely on its own databases. However, Coding Rights and Tactical Tech found that marketing companies also offer the use of outside databases for direct marketing, including those containing information that could have been obtained illegally, or collected for different purposes.

The report also states that marketing agencies working on political campaigning combine and cross-reference information collected from social networks and databases of public information (like census data). Other data brokers, such as Seresa, considered to be the biggest data broker in the country, do not disclose the source of the data. Additionally, reporting by Folha de São Paulo confirms that sometimes employees of telecommunication companies provide user data to marketing companies illegally.

Issue one: poor data protection

After many years of debate by stakeholders, Brazil approved a new legal framework to protect personal data in 2018 that will go into force in 2020. The law was considered an important step forward in data protection despite the president’s veto of important provisions such as those establishing its independent Data Protection Authority. The lack of an authority that can control, oversee, and impose fines when the law is violated could turn it into “dead letter” law, meaning that we will not see an end to situations like the current political marketing scandal, as violations would have no real consequences.

Data protection could help prevent widespread data collection and misuse, but it must be enforced. In an effective data protection regime, if someone wants to process your data, they should have to obtain your explicit consent. Additionally, when your data are processed, it should be tied to a specific purpose, one that you know about beforehand and authorize.

What is happening now in Brazil violates two basic data protection principles: the principle of consent and the principle of purpose limitation. There is no information as to whether or how the data brokers and the agencies here asked people for their consent to use their data for targeted election propaganda. We doubt that the members of 1,500 WhatsApp groups gave consent to get ads from political campaigns. Moreover, when data are obtained through unauthorized access and later sold, this can constitute a crime according to the Law 12.737.

This level of uncertainty harms people’s rights, as we no longer have control of our personal data. What is more, in the current scenario, Brazilians’ personal data is being used against them, flooding people with disinformation meant to manipulate their opinions. It is a clear demonstration that when your data are not adequately protected, it can be used as a weapon against you. The long-term outlook for the enforcement of the law, in the absence of any independent enforcement authority, is dangerous for internet users.

Issue two: disinformation and efforts to combat it

As we note above, data protection is not the only issue of concern here. A report by Brazilian digital rights organization ITS Rio highlights the spread of disinformation, which raises complex issues for free expression.

Lawmakers are proposing legislative solutions that are both insufficient and dangerous. Several proposed bills in the Brazilian Congress seek to criminalize the production and distribution of so-called “fake news” with a focus on punishing particular users or platforms.

In addition, social media companies are acting to address the spread of false information in ways that can put rights at risk. Notably, they often enforce their terms of service in ways that are not transparent to many users. In March, Facebook blocked 196 pages for violating the TOS by spreading misinformation. This led to a federal prosecutor ordering Facebook to disclose a justification for each removal. There is an ongoing debate about the lack of transparency, accountability, or remedy for Facebook content removal that takes place outside of legal processes.      

Issue three: WhatsApp is a dominant channel where news is hard to verify

Finally, there is the fact that disinformation campaigns have leveraged WhatsApp. WhatsApp is end-to-end encrypted (that’s a good thing !), and information is shared in closed groups.  In Brazil, most telecommunications companies offer WhatsApp as a zero-rating app, which makes it free to use, contributing to its dominance as a communications channel. That means that many people are using WhatsApp to share news, yet it’s a platform where the veracity of content is less easy to verify.

What can be done? A collective effort to defend rights

This is a complex situation that has no easy solution. To make Brazil’s information ecosystem healthy and safeguard free and open democratic discourse will entail action by multiple stakeholders, including all branches of government, companies, and users.

Enforce current laws to protect data, and strengthen the new framework. To start, the government must act to prevent misuse of personal data, instead of responding after the fact. Even though the new data protection law lacks a data protection authority and won’t come into force until 2020, there are laws on the books in Brazil that can be leveraged now to protect users’ data. As the report by Tactical Tech and Coding Rights rightly states, the Brazilian Constitution, Consumer Law, Election regulations, and the Brazilian Internet Civil Rights Framework each have protections against unauthorized data transfers and use. There are provisions that address informed consent and bar the use of personal data for purposes outside user authorization.

Companies must take their responsibility to protect data seriously. They have a responsibility to respect human rights. They must ensure that users are able to control the use of their personal information, especially for political campaigns, with user consent required and easy to withdraw. Targeted advertising must be transparent and auditable. Further, social media companies should pursue business models that do not rely heavily on the mass collection and analysis of our personal information, which in itself increases the risk of data breaches and misuse.

Lawmakers must avoid regulation that would have a chilling effect on freedom of speech and access to information, and aim for evidence-based, comprehensive, and participatory solutions. Government and private sector actions should be informed by facts, respect human rights, and increase media and information literacy through robust transparency programs and meaningful disclosures. For in-depth information on our recommended approach to addressing misinformation online, read our joint report from Europe with European Digital Rights and the Civil Liberties Union of Europe: Informing the Disinformation Debate. 

We at Access Now believe a healthy information ecosystem is within reach, as long as governments, companies, academics, civil society, and the tech sector are able to work together on the issues under shared principles of respect for human rights. Only through a renewed exercise of our democratic values will democracy thrive in the new technological environment.