
But, as it says in the article, WhatsApp just doesn't have the data the judge wants it to turn over. How does it make sense to punish a company for not doing something that it physically cannot do?


Companies can be punished for failure to obey laws. If a company didn't bother to retain records on who bought something they are now required to recall due to safety failures I can't imagine any country would say that is ok. They would be punished.

I don't happen to think the law mentioned is a good one. And I have no idea how the law is actually worded. Depending on how it is worded maybe it is ok to just not keep records so you don't have to provide them. But it is certainly within the power of governments to demand companies operate in a manner that requires them to do certain things and you can't avoid that by for example not keeping the records you are required to.

I sure hope the USA stops the leadership of authoritarian overreaching on laws relating to technology. But it is not at all surprising that others are following the lead of the USA into horrible authoritarian and Orwellian laws given the USA's behavior. Few countries seem willing to put liberty ahead of authoritarianism. The USA is far from perfect but it is a country that has above average potential for promoting liberty.

But the last Bush and Obama administrations have been horrible and both political parties are pushing for horrible laws. A few decent advocates (such as Senator Ron Wyden) for fighting this trend exist but they are not common yet.

This promotion of authoritarian state power is a very dangerous trend that may well have incredibly bad consequences for us. Our history shows authoritarian governments abuse power and I am worried about the last two administrations' strong support for increasingly powerful spying abilities of government.

I would hope countries like Brazil lead away from the path the USA is pushing the world down. Unfortunately I don't see much good happening in that way. I hope I am just not aware of good things other countries are doing but I worry that isn't the reason I don't hear about good moves to thwart the dreams of authoritarian regimes.


So if a judge demanded a telco hand over an audio recording of any specific conversation, they must comply -- even though calls are not recorded and stored?

If a judge demanded the postal service hand over an image of every envelope processed, it must comply -- even though no such images exist?

Where does it end?


That's why Google doesn't operate in China at full scale. https://en.m.wikipedia.org/wiki/Google_China They decided that it was against the company values to comply with Chinese law, so they stopped offering some services. It's the law, and maybe I don't like it at all, but still I think that companies should comply. I also think that laws should be changed.


Some services? I have not found any Google service to work over there. Which one should work?


Gmail works, in the sense that Shanghai utility is able to deliver e-mails to me when it's time to pay the electricity bill. Downloading stuff from Google's Android repositories (i.e. for developing Android) also works (most of the time).


Yes the latter works (Android repos which are not on google.com), but when in Shanghai I get nothing from Gmail, ever. Not sure how that works then but at least it's not supposed to work I guess as that's officially banned. And when something works from Google it'll not work after trying it a few times. I definitely find it both hard to work there and both relaxing. Hope to be in Shanghai soon again.


Comply with what? What law is being broken here?


Censorship laws, mainly. China wants to block out huge portions of search results, and Google doesn't want to do that.


Look, if a judge has such a right, a corporate lawyer usually has an idea that such a request might come. Companies that do not break law must do what is needed to make sure they will not violate any laws – neither now nor in the future. Or WhatsApp may say – sorry Brazil, we do not think that complying with your laws would be appropriate for us and stop servicing Brazilian numbers until laws are changed. But it's just not right to ignore country laws as long as that country is not US.


It's not clear that they are actually violating the law, though. Judges can be wrong too.


To become a telco, in the first place you need to comply with all of the laws to be allowed to operate. In the case of the US, this is CALEA, and every phone company should be able to provide a backdoor that allows the agencies to follow court orders and tap phones. Brazil has similar laws for the phone networks.

The problem with the attitude of the Brazilian courts in regards to Whatsapp is that they are not a telco. The abomination that is the Marco Civil, which is being used as a justification to enforce the court request and says data should be retained by companies for one year, does not help.


It's not about providing a backdoor, it's about retroactively having recorded all conversations demanded by a judge.


Like I said, the Brazilian code about Internet communications (Marco Civil) establishes that all companies must retain all data for one year.

This was passed in 2014, so the main allegation from the Brazilian courts is that Whatsapp should have this data, anyway. There is nothing "retroactive" there.


I shouldn't have used a metadata example with the postal service. Better case: judge demands the postal service turn over a transcript of every exchange between two people for the past year.


Actually, in the USA, USPS records an image of the front and back of all letters.

It's illegal to open the envelope, but hey - who knows?


Couldn't an image of a letter with a thin envelope be used to see the contents?


Customs can.


USPS does do that. It's considered metadata.


Apparently, it ends in Brazil when a court shuts down WhatsApp (for 72 hours).


Apparently the USPS does make an image of every envelope processed. http://www.nytimes.com/2013/07/04/us/monitoring-of-snail-mai...

But the basic idea is yes, you must comply with all laws. If you can prove it violates the constitution you can have a court invalidate the law (but before that it would be illegal to violate it). There are often laws that you could argue conflict with this law and get out of it that way.

Often if you have lots of money you can influence the enforcement of laws. That doesn't exempt you from a law but often it isn't really an issue of what the law allows but what the regulator or prosecutors decide to enforce. And if you can't do that you can fight the attempts by the regulators and prosecutors (and law enforcement officials) and argue they have no legal right to do what they are seeking to do. See Apple, for a recent example.

Your rights are often not just a matter of the law but of to what extent the government and law enforcement are bound by laws. In the recent experience in the USA we have examples of the Bush and Obama administrations seeking to avoid accountability for authoritarian overreaching. They often seem to get away with it. The recent attempt to push around Apple was stopped mainly due to Apple's lawyers and leaders refusing to be pushed around.

I do not know if the Brazilian example is one where the government and/or judge are attempting to compel behavior not legal in Brazil (either not what the law requires, using a non-legal punishment or neglecting another legal requirement that would override the law being used to compel the behavior). But I do think it would be possible to have such a law and have the judge's actions be legal.

Certainly laws can compel companies to do things that they are not now capable of doing. Normally if some new law were to be created the regulatory framework and notice would be publicized and companies would be aware of the requirement (say to keep records or whatever sort). And then if they failed to do so that isn't a justification to fail to comply since they failed to do what was required in order to be able to comply with a further requirement. Their lawyers may also be able to argue the law was unrealistic in expecting compliance because even though we wanted to comply it just wasn't possible to do so. And making a case that they are doing everything they can may be taken into account to say that while they are not fully compliant yet, they are taking all reasonable action and therefore to the extent the judge has leeway they could make adjustments to the consequences.

While it is sometimes annoying the reality is there are so many complications it is often a matter of judgement for whether something is or is not ok and even if it isn't ok, what is a reasonable consequence. When the legal system is working well it makes these judgements in a sensible manner even if it leaves many people unhappy. And then you have things like the Eastern district of Texas making a mockery of abuse of society by patent trolls.

I certainly do believe the legal system can be systemically broken. And those failures can be left unaddressed by our representatives for decades. Could that be similar to what is happening in this Brazil case? Yes. Could it also be that this Brazil case is just a matter of a bad law and the legal system is properly carrying out the consequences of that law? Yes.


>> If a company didn't bother to retain records on who bought something they are now required to recall due to safety failures

I am not aware of any law in the US (I talk on US laws because you discuss it later in your comment) that requires a business to keep sales records for the purposes of recalls; the only businesses required to do that are businesses that sell regulated goods (firearms, explosives, drugs, certain chemicals, etc.).

Normal consumer goods are recalled all of the time without the manufacturers or retailers having a master list of every person that bought that item.


The Law orders it to collect the data, the data is available and WhatsApp does collect it, but instantly discards it (or so they claim).

What is in there that can not be punished?

I don't think this specific law is a good one, but it is not in clear violation of our Constitution, and was brought up by People's representatives... We should fight for improving it, and we should stop relying on infrastructure owned by private companies. But I can't think this judge is wrong.


> The Law orders it to collect the data

Which law orders them to collect the data?


Marco Civil da Internet.

Brazilian federal Law nº 12965.

http://www.planalto.gov.br/CCIVIL_03/_Ato2011-2014/2014/Lei/...


It doesn't matter it's not a Brazilian company, there are no servers in Brazil, only the users exist in Brazil. They could mandate Mark Zuckerberg run around naked and it would make no difference. Maybe Brazil should create a great wall of Brazil and cut itself off of the internet. Then it could enact whatever laws it wants to affect companies in other countries.


Facebook has at least one company in Brazil, and they are providing a service in Brazil that this judge ordered to interrupt.

It's perfectly reasonable to forbid access to Brazil for some service that does not follow a Brazilian law. This is bad because of the specific terms of this law, not because of some broad issue.


> providing a service in Brazil

I don't know if they have servers in Brazil, but if they don't then it seems quite unreasonable to say that they are "providing a service in Brazil". If you run a bookstore in the US and a German comes and buys Nazi material, are you running a store in Germany? If Brazilians are effectively leaving their country to go get stuff from US servers then it's up to the Brazilian government to make a law to stop them, if it doesn't like that. Saying that connecting to the internet is "providing service" to every country in the world is a way to simply break the entire internet.


>If you run a bookstore in the US and a German comes and buys Nazi material, are you running a store in Germany?

No, but if she buys via mail order and the package gets confiscated at the border, don't whine about losing business.


Under German law you are subject to German laws about commerce if you are "addressing the German market". Some indicators include offering your site in German, probably also support German phone numbers and addresses, etc. For some services/apps this is obvious (e.g. online shopping) for others it is more debatable.

The most important part however is that of course you don't have to give a damn about what German law thinks as long as you aren't in a position in which German jurisdiction can be enforced. Likewise, even if you are a German citizen living in Germany some German laws and regulations may not apply if you are decidedly not offering your services/apps to a German audience -- though of course that's a much less safe position. Either way, it's not as simple as "it exists on the Internet, therefore it falls under German jurisdiction" although the reasoning is quite similar to that in Brazil.

The point is moot, anyway. Brazil can't enforce their laws against a US company that doesn't have a presence in Brazil, but it can ban them from Brazil -- as apparently a Brazilian court is allowed to force Internet access providers to ban specific IPs. Whether courts should be allowed to do that is a legitimate question but right now in Brazil they apparently are, so everything is fine.

This isn't an action against WhatsApp. This is an action against Brazilian WhatsApp users. It's basically enforcing a sanction against WhatsApp by preventing Brazilians from accessing the service (which they can't get at otherwise). This is more like a German court forcing an IP ban (in Germany) against a Nazi website hosted outside of Germany -- which is a thing.


All that law orders them to do is to record the access logs (Registros de Acesso), not the actual messages or any other metadata. Soneca's post above said the judge "ordered Whatsapp to share a particular user conversation", which that law doesn't oblige them to record.


This investigation is under seal. Soneca is speculating just as much as I am.

That is the law WhatsApp broke the last two times it was interrupted (when the news was almost a verbatim copy of what it is now). I imagine it is the same it is breaking now.

Yes, I should have made it clearer.


I think this statement is weird. End-to-end encryption is very recent, the data asked for by the judge is for communication made before this feature's roll-out. So I'm assuming WhatsApp does have the information for these two particular cases. But I could be wrong.

Anyway, maybe they are just using it for PR support on their position against the court decision, betting that all of those new Telegram users will come back to WhatsApp after the suspension (that's what happened before).


WhatsApp publicly stated[1] in testimony before the Brazilian Congressional Committee on Cyber Crimes in December 2015 that they do not, and have not ever, retained the content of communications—regardless of E2E or not. Apparently, WhatsApp only retains messages until they are delivered.

[1] http://www2.camara.leg.br/atividade-legislativa/comissoes/co...


When I buy a new cell phone my Whatsapp conversation history is lost but my Facebook message history is not. It's likely that Whatsapp discards the messages from their servers immediately after they confirm it has arrived to destination (the two check marks).

If the communication was made a long time ago, Whatsapp may no longer have it, encrypted or not.


End-to-end encryption for Android to Android conversations has been in place since November 2014: https://whispersystems.org/blog/whatsapp/


You are assuming, just like the judge. That is not correct, you should trust the company when they say that. The whole world works like that, trust. A judge cannot assume that they have that data, because they don't. This judge just doesn't have any tech knowledge, that's the problem, people that don't understand what they are doing. BTW, it's not end-to-end encryption related, it's just that they don't store that data anywhere.


Do we know for sure what cases this particular order is connected to? Because WhatsApp has been encrypting Android communications since 2014 [0].

[0] https://www.wired.com/2014/11/whatsapp-encrypted-messaging/


Surely they are physically able to answer the court?


That's my thinking -- an inability to comply could have been addressed with the court. Instead, it appears that they had no representation in front of the court in order to make that argument, have hearings and otherwise determine that compliance is impossible.

The merits of the case are one thing, however not appearing to address those merits (or lack thereof) seems to be the failure point.

But I could be wrong.


If it is impossible for you to drive legally - say, for example, you are blind - that does not permit you to then drive illegally.



