globalfindings/10-brazil-digital-eca-investigation.md

Brazil Digital ECA Investigation: Age Verification Infrastructure, Entity Networks, and Cross-Country Coordination

This document investigates four structural questions raised by an independent researcher's timeline of Brazil's PL 2628/2022 (Digital ECA / Lei 15.211/2025):

1. Whether big tech's public "opposition" to age verification is performative
2. Which private companies will perform identity verification under the law
3. Whether the law contains adequate privacy protections for verification data
4. Whether the law's operating system provisions create device-level surveillance infrastructure
5. Whether Brazilian and American child protection entities share funding networks
6. Whether the global timing of age verification legislation indicates coordination

Part 1: The Law's Structure and What It Actually Requires

Operating System Provisions: Confirmed

Article 12 of Lei 15.211/2025 explicitly covers "provedores de sistemas operacionais de terminais" (providers of terminal operating systems). The obligations:

1. Take proportional, auditable, and technically secure measures to verify user age or age range, following LGPD principles
2. Allow parents/legal guardians to configure voluntary parental supervision mechanisms
3. Provide age signals to application providers via a secure API with privacy-by-design protections

This applies to Windows, macOS, iOS, Android, ChromeOS, SteamOS, and Linux distributions. The law states that "regardless of measures adopted by operating systems and app stores, application providers themselves must implement their own mechanisms". so OS-level verification does not relieve apps of their own obligations. This creates a layered verification architecture: OS verifies, app store verifies, and each app verifies independently.

The impact is already visible. Several Linux distributions (Arch 32, Bazzite, CachyOS) have begun geoblocking Brazilian IP addresses because 95% of Linux distributions are maintained by volunteer communities without legal representation (CNPJ) in Brazil and cannot practically implement age verification.

Sources:

• Lei 15.211/2025 full text: https://www.planalto.gov.br/ccivil_03/_ato2023-2026/2025/lei/L15211.htm
• ComplianceHub on OS requirements: https://compliancehub.wiki/brazil-age-verification-law-operating-systems/
• Linuxiac on distros blocking Brazil: https://linuxiac.com/linux-distributions-begin-blocking-brazil-access-over-new-digital-law/

Privacy Protections: Present in Principle, Absent in Practice

What the law contains:

• Article 12 references LGPD principles (Lei 13.709/2018)
• The API for age signals must be "pautada pela protecao da privacidade desde o padrao" (guided by privacy protection by design)
• Age verification data cannot be used for any purpose other than age confirmation
• Data minimization: the system should provide only the age assurance result without disclosing underlying sensitive information

What the law does NOT contain:

• No specific technical security requirements for how verification data must be stored, encrypted, transmitted, or deleted
• No mandatory data retention limits within the law itself (deferred to LGPD and future ANPD regulation)
• No requirement for independent security audits of verification providers
• No prohibition on specific high-risk verification methods
• No exemption for end-to-end encrypted services (NYU Stern called this "the statute's most significant weakness")
• Specific technical requirements deferred entirely to future ANPD regulation, with definitive guidelines not expected until August 2026

The Unicamp Journal noted: "Age verification mechanisms generally involve the indiscriminate collection of user data, with identification documents, facial biometrics, and behavioral profiles being retained and monetized by large commercial conglomerates, exposing users to risks of leaks, sale to third parties, and use of data for illicit purposes."

The ANPD published preliminary guidance on March 20, 2026 but has taken a technology-neutral position. No specific vendors have been approved or certified. Definitive guidelines expected August 2026.

Sources:

• Unicamp Journal: https://jornal.unicamp.br/en/edicao/738/aprovacao-do-eca-digital-traz-desafios-a-privacidade/
• NYU Stern analysis: https://bhr.stern.nyu.edu/quick-take/how-brazils-eca-digital-can-protect-kids-without-compromising-encryption/
• Biometric Update on ANPD guidance: https://www.biometricupdate.com/202603/andp-publishes-comprehensive-guide-to-age-assurance-as-brazilian-law-takes-effect
• MLex on ANPD position: https://www.mlex.com/mlex/articles/2420046/no-single-age-verification-solution-for-brazil-s-eca-digital-anpd-director-says

Part 2: Private Age Verification Companies Positioned for Brazil

The law places primary responsibility on platforms and service providers. It does not designate a government agency to perform verification. This means private companies will perform the verification. either in-house, through third-party vendors, or via API integrations with Serpro/Datavalid (a government database accessed through private-sector intermediaries).

Companies Already Operating in Brazil

Yoti (UK). Already partnered with Serpro (Brazil's federal data processing service). Shares users' CPF numbers with Serpro to verify age against the Federal Revenue's Individual Taxpayer Registry. Serpro retains the CPF number for 5 years as a billing record. Named by Ofcom as a recognized provider under the UK Online Safety Act. Participated in Australia's age assurance technology trial. Markets for UK, EU, France, Australia, US, and Brazil regulatory compliance.

• Source: https://www.yoti.com/privacy/age-verification/

Persona (US, Peter Thiel-backed). Partnered with Serpro since 2022 for biometric ID verification against government databases. Thiel's Founders Fund led Persona's $150M Series C and $200M Series D rounds. Discord tested then dropped Persona after its front-end code was found on a US government-authorized endpoint. Persona performs 269 distinct verification checks including screening for "adverse media" across 14 categories including terrorism and espionage.

• Source: https://www.prnewswire.com/news-releases/persona-partners-with-serpro-to-combat-identity-fraud-in-brazil-301628227.html
• PC Gamer on Discord/Persona/Thiel: https://www.pcgamer.com/software/platforms/oh-good-discords-age-verification-rollout-has-ties-to-palantir-co-founder-and-panopticon-architect-peter-thiel/
• Fortune on Discord dropping Persona: https://fortune.com/2026/02/24/discord-peter-thiel-backed-persona-identity-verification-breach/
• State of Surveillance on Persona government reporting: https://stateofsurveillance.org/news/persona-age-verification-surveillance-biometrics-government-reporting-2026/

Jumio (US). Launched "selfie.DONE" reusable identity platform in Brazil first. Verifies selfie biometrics against CPF numbers. VP of Latin America cited "strong demand" in Brazil's gaming and fintech sectors.

• Source: https://www.biometricupdate.com/202510/jumio-joins-surging-market-for-reusable-digital-identity-with-selfie-biometrics

k-ID. Selected by Discord as their age assurance vendor for Brazil (rolled out March 9, 2026). Uses facial age estimation or identity document submission.

• Source: https://support.discord.com/hc/en-us/articles/38860612202775-Age-Assurance-for-Brazilian-Users

FlagCheck (Brazil-native). Purpose-built Brazilian age verification API. CPF-to-age-check in under 2 seconds. Offers both CPF age check and CPF + face liveness endpoints.

• Source: https://flagcheck.com.br/blog/felca-law-brazil-2026

Veriff (Estonia). Actively marketing age verification solutions specifically for Brazil and Colombia, citing the Digital ECA.

• Source: https://www.veriff.com/identity-verification/age-verification-latam

iProov (UK). Expanded into Latin America with staff in Mexico, Brazil, and Colombia. Partner-led support for 175 enterprises. Provides biometric liveness detection.

• Source: https://www.biometricupdate.com/202603/latam-nations-ramp-up-regulations-for-age-restricted-content-online

ARGOS Identity. Provides integrated Serpro-based CPF verification. Focused on global gaming companies operating in Brazil.

• Source: https://blog.argosidentity.com/131220

Incode (Mexico). Uses AI models for facial age estimation. Has Brazil government eKYC integration.

AU10TIX: Israeli Intelligence Connections

AU10TIX Technologies B.V. is a subsidiary of ICTS International N.V., a Dutch company established in 1982 by former members of Shin Bet (Israel's internal security agency) and El Al airline security agents.

Founders and intelligence connections:

• Founded in 2002 by Ron Atzmon, who served in Shin Bet
• Ron Atzmon's father, Menachem Atzmon, was ICTS International's supervisory board chairman and was convicted in 1996 for campaign finance fraud while co-treasurer of Netanyahu's Likud party
• Confirmed Unit 8200 veterans on staff: Eliran Levi (Unit 8200 agent until 2016, joined AU10TIX 2022); Lior Emuna (intelligence analyst at Unit 8200, now analytics manager)
• VP of Product Management Nir Stern served in Israeli Air Force; General Counsel Udi Abram spent 5 years at Elbit Systems (Israel's largest weapons manufacturer); VP of Pre-Sales Elad Elazar was a major in the Israeli military

Major clients: X (Twitter), TikTok, Uber, PayPal, LinkedIn, Coinbase, eToro, Fiverr, Upwork, Bumble, Google, AirBnB.

2024 data breach: Admin credentials compromised by malware in December 2022, appeared on a public Telegram channel in March 2023, and were still working when security researchers checked in June 2024. an 18+ month exposure. The credentials provided access to a logging platform containing identity documents, names, dates of birth, nationalities, and document images. AU10TIX initially claimed credentials were "promptly rescinded," which was false.

2026 X/Israel incident: Anonymous X users reported their real names being Googled from Israel shortly after criticizing Israel's actions in Palestine, with many connecting this to AU10TIX's verification role for X.

AU10TIX cross-checks PII against government databases "from countries like Brazil and India" and has expanded via PayU into Latin America. No confirmed Digital ECA implementation contract found, but the company is positioned to compete.

Sources:

• State of Surveillance: https://stateofsurveillance.org/articles/corporate/au10tix-x-verification-israeli-intelligence-2025/
• MintPress on AU10TIX/X: https://www.mintpressnews.com/x-users-find-their-real-names-are-being-googled-in-israel-after-using-x-verification-software-au10tix/290703/
• CloudDefense on data breach: https://www.clouddefense.ai/major-identity-verification-firm-au10tix-exposes-user-data/
• Malwarebytes on document leak: https://www.malwarebytes.com/blog/news/2024/06/driving-licences-and-other-official-documents-leaked-by-authentication-service-used-by-uber-tiktok-x-and-more
• ICTS International: https://www.ictsintl.com/holdings/au10tix
• Naked Capitalism on X/AU10TIX biometrics: https://www.nakedcapitalism.com/2024/06/x-premium-users-face-stark-choice-hand-over-biometric-identitifiers-to-spooky-israeli-firm-or-get-demonetised.html

The Same Companies Across Every Jurisdiction

The same verification companies providing services in the US, UK, and EU are positioning for Brazil:

• Yoti (UK. primary UK OSA provider) is already operating in Brazil via Serpro
• Persona (US. used by Reddit, Discord, Roblox) has Serpro integration
• Jumio (US. used across US/EU) launched in Brazil first
• Veriff (Estonia. EU market leader) actively marketing for Brazil
• iProov (UK. used by UK government, EU banks) has staff in Brazil

The AVPA (Age Verification Providers Association), a trade body of 34 organizations formed in 2018, is a registered EU lobbyist and has published commentary on Brazil's age verification law, actively positioning its members for the Brazilian market.

• AVPA on Brazil: https://avpassociation.com/brazils-age-verification-law/
• AVPA EU lobbying: https://www.lobbyfacts.eu/datacard/age-verification-providers-association?rid=490034139503-15&sid=124558

Part 3: Entity Network Analysis: Brazilian and American Connections

Instituto Alana: The Itau Banking Dynasty Hub

Founded by siblings Ana Lucia Villela and Alfredo Villela, heirs to the Itau Unibanco banking fortune (Latin America's largest private bank). Ana Lucia sits on Itau Unibanco's board of directors. Net worth approximately $1.5 billion. The organization has three arms: Instituto Alana (Brazil), Alanapar (Brazil), and Alana Foundation (US, incorporated 2012 in Los Altos, CA).

US partnerships:

• Imaginable Futures (spun off from Pierre Omidyar's Omidyar Network in 2019, launched with $200M+ from eBay founder) lists Instituto Alana as a partner
• Alana Foundation donated $28.6M to MIT to create the Alana Down Syndrome Center
• Ana Lucia Villela sits on XPRIZE Foundation advisory board and is listed at Stanford's Down Syndrome Research Center
• Alana USA Foundation (EIN 39-2079600) provided $8.15M in grants in 2022 per IRS 990 filings

International network: Member of Child Rights Connect (85+ international orgs). Co-signed joint position paper with 5Rights Foundation (Baroness Kidron), Save the Children, Plan International, World Vision International, ECPAT, ChildFund Alliance, CRIN, SOS Children's Villages, and Terre des Hommes on children's rights in the digital environment, feeding into UN CRC General Comment No. 25 (2021).

Co-executive coordinator (with ANDI) of Agenda 227, the 500+ organization coalition that placed children at the center of Brazil's 2022 presidential election platform.

Sources:

• Alana USA Foundation ProPublica/IRS 990: https://projects.propublica.org/nonprofits/organizations/392079600
• Imaginable Futures partnership: https://imaginablefutures.com/partners/instituto-alana/
• Child Rights Connect joint submission: https://www.un.org/digital-emerging-technologies/sites/www.un.org.techenvoy/files/GDC-submission_Child_Rights_Connect_Taskforce.pdf
• Alana OHCHR submission on privacy: https://www.ohchr.org/sites/default/files/documents/cfi-subm/privacy-digital-age/subm-privacy-digital-age-cso-6-alana-institute.pdf

The Second Itau Heir: Fundacao Jose Luiz Egydio Setubal

Jose Luiz Setubal, a pediatrician and Itau heir (the "Egydio" family name is the founding family of Itau), runs Fundacao JLES. This foundation directly funds the Coalizao Brasileira pelo Fim da Violencia contra Criancas e Adolescentes and published joint policy briefs with them.

Two separate branches of the same banking dynasty fund different nodes of the same advocacy network: Ana Lucia Villela via Alana, Jose Luiz Setubal via FJLES.

Sources:

• FJLES support to Coalizao Brasileira: https://fundacaojles.org.br/n/noticia.php?id=19
• Jose Luiz Setubal Itau heir: https://forumsaudedigital.com.br/2018/09/29/jose-luiz-setubal-herdeiro-do-itau-investe-na-startup-de-saude-na-amparo/

Coalizao Brasileira pelo Fim da Violencia: The End Violence Pipeline

This coalition formed in late 2017 specifically to mobilize Brazil's government to join the Global Partnership to End Violence Against Children, a UN initiative launched in 2016. In early 2018, their lobbying succeeded. Brazil became a Pathfinding Country. The coalition now has 77+ member entities.

The Global Partnership's funders:

• UK Government. primary donor, GBP 40M initial commitment, plus GBP 16.5M specifically for online child sexual exploitation
• End Violence Fund hosted by UNICEF, with WeProtect Global Alliance advising on priorities
• Children's Investment Fund Foundation (CIFF). hedge fund billionaire Chris Hohn, $125M over 5 years pledged at 2024 Bogota ministerial
• Human Dignity Foundation, Oak Foundation, Porticus Global, Wellspring Philanthropic Fund, World Childhood Foundation
• Tech Coalition contributed $2.5M to the Safe Online Research Fund
• Total raised since 2016: over $83 million

Sources:

• End Violence Fund: https://www.end-violence.org/fund
• UK Government GBP 16.5M: https://www.end-violence.org/articles/uk-government-announces-ps165-million-investment-tackle-online-child-sexual-abuse-and
• CIFF $125M pledge: https://ciff.org/news/global/funding-announcement-at-the-ending-violence-against-children-ministerial-2024/
• Brazil Pathfinding Country: https://www.end-violence.org/country-dashboard/brazil
• ANDI coalition page: https://andi.org.br/redes-e-coalizoes/coalizao-brasileira-pelo-fim-da-violencia-contra-criancas-e-adolescentes/

Data Privacy Brasil: Ford, Omidyar, and Open Society

Funding sources identified:

• Luminate Group (spun off from Omidyar Network in 2018). $500,000 in 2024 for AI governance strategies
• Ford Foundation. general support grant for "personal data protection and digital rights"
• Ford Foundation's Spyware Accountability Initiative (seed funding from Apple, plus Open Society Foundations, Okta for Good, Craig Newmark Philanthropies)

International partnerships: Partner of Privacy International (UK). Member of Datasphere Initiative. Co-administers the Datafication and Democracy Fund with Paradigm Initiative (Nigeria) and Aapti Institute (India). Member of the Global South Alliance for digital rights (26 orgs).

Sources:

• Luminate/Data Privacy Brasil: https://luminategroup.com/investee/data-privacy-brasil
• Ford Foundation grant: https://www.fordfoundation.org/work/our-grants/awarded-grants/grants-database/associacao-data-privacy-brasil-de-pesquisa-143429/

ANDI: Agenda 227's Other Co-Coordinator

Historical funders: Open Society Foundations, Oxfam, Save the Children (Sweden, UK, Norway), Partners of the Americas, Plan International, ILO, PAHO.

• Source: https://andi.org.br/historico-de-parceiros/

IDEC: Gates, USAID, World Bank

Grant recipient from Co-Develop Fund, which pools capital from Bill & Melinda Gates Foundation, GIZ (German development agency), UNDP, USAID, and The World Bank. Member of Consumers International. Coordinator of the Digital Economy working group in C20 (G20 civil society track).

• Source: https://www.codevelop.fund/insights-1/co-develop-invests-in-instituto-brasileiro-de-defesa-do-consumidor-idec-to-improve-safety-amp-inclusion-in-digital-public-infrastructure

The Omidyar Network Hub

Pierre Omidyar's philanthropic network connects US and Brazilian child/digital entities through multiple channels:

• Luminate (spun off 2018) funds Data Privacy Brasil ($500K)
• Imaginable Futures (spun off 2019) partners with Instituto Alana
• Omidyar Network itself is a funder of Common Sense Media in the US

Common Sense Media is the primary US advocacy org behind KOSA (Kids Online Safety Act). Common Sense Media's other funders include Bezos Family Foundation, Gates Foundation, Oak Foundation, Carnegie Corporation, Chan Zuckerberg Initiative, Craig Newmark Philanthropies, Hewlett Foundation, and Michael and Susan Dell Foundation.

This means the same philanthropic network (Omidyar) funds both the Brazilian advocacy pipeline (via Alana and Data Privacy Brasil) and the American advocacy pipeline (via Common Sense Media / KOSA).

• Common Sense Media foundation partners: https://www.commonsensemedia.org/about-us/our-partners/foundation-partners

SaferNet Brasil: The NCMEC/ICMEC Operational Link

SaferNet Brasil connects the Brazilian ecosystem to NCMEC, ICMEC, Thorn, and WeProtect primarily on CSAM detection and reporting. Co-participated in Facebook child safety hackathon with NCMEC and Thorn. Grantee of the End Violence Safe Online Fund (D.I.S.C.O.V.E.R. project for Portuguese-language CSAM detection). ICMEC has a regional office in Brazil.

• SaferNet/End Violence: https://safeonline.global/safernet-brazil/
• SaferNet/Facebook/NCMEC/Thorn hackathon: https://about.fb.com/news/2020/06/fighting-child-exploitation-online/

Entity Connection Summary Table

Brazilian Entity	Connected To	Nature
Instituto Alana	5Rights Foundation (UK)	Joint UN CRC General Comment 25 submission
Instituto Alana	Imaginable Futures / Omidyar Network (US)	Funder/partner
Instituto Alana	MIT, Stanford, XPRIZE	Grants and board positions
Data Privacy Brasil	Luminate / Omidyar Network (US)	$500K grant
Data Privacy Brasil	Ford Foundation (US)	Direct grantee
Data Privacy Brasil	Open Society Foundations (US)	Spyware Accountability Initiative funding
ANDI (Agenda 227)	Open Society Foundations (US)	Historical funder
ANDI (Agenda 227)	Save the Children, Oxfam, Plan International	Historical funders
IDEC	Co-Develop (Gates, USAID, World Bank)	Grant recipient
SaferNet Brasil	NCMEC, Thorn, INHOPE	Co-participated Facebook hackathon
SaferNet Brasil	End Violence Safe Online Fund	Grantee
SaferNet Brasil	ICMEC	ICMEC regional office in Brazil
Coalizao Brasileira	Global Partnership to End Violence	Brazil became Pathfinding Country
Coalizao Brasileira	Fundacao JLES (Itau heir Setubal)	Directly funded
Fundacao Itau Social	UNICEF	Joint Itau Social-UNICEF Program

Part 4: Cross-Country Timing Analysis

The 2022 Inflection Point

In a single calendar year, age verification and child safety legislation was introduced or advanced simultaneously across multiple continents:

Jurisdiction	2022 Event
European Union	DSA agreed (April), signed (October), enters into force (November)
United Kingdom	Online Safety Bill formally introduced (March)
United States	KOSA introduced (February); Louisiana first state AV law
Brazil	PL 2628/2022 introduced (October/December)
California	Age-Appropriate Design Code Act signed (September). copied from UK 5Rights' AADC
EU (Chat Control)	Commission unveils CSAM scanning proposal
Australia	Online Safety Restricted Access Systems Declaration

Full Comparative Timeline

Year	US	UK	EU	Brazil	Australia	France	Other
2019	.	Online Harms White Paper	.	.	.	.	.
2020	.	AADC becomes law	DSA proposed (Dec)	.	.	.	.
2022	KOSA introduced (Feb)	OSB introduced (Mar)	DSA agreed (Apr), signed (Oct)	PL 2628 introduced	Restricted Access Declaration	.	California AADC signed (Sep)
2023	KOSA reintroduced (May)	OSA Royal Assent (Oct)	.	.	.	Under-15 law (Jun)	Canada S-210 passes Senate
2024	KOSA passes Senate (Jul)	.	DSA fully applies (Feb)	PL 2628 clears committee (Dec)	Under-16 ban passed (Nov)	Adult site AV standard (Oct)	.
2025	KOSA reintroduced	OSA goes live (Jul)	AV guidelines and pilot app (Jul)	PL 2628 passed and signed (Aug-Sep)	Ban enforced (Dec)	.	Italy AV enforced (Nov)
2026	State AV laws enforced	.	.	Enforcement begins (Mar)	.	Under-15 ban passed (Jan)	Malaysia ban (Jan), Indonesia ban (Mar)

Organizations That Appear Across Multiple Jurisdictions

5Rights Foundation (UK, founded 2018 by Baroness Kidron):

• UK: Wrote the Age Appropriate Design Code (AADC), became law 2020. Strengthened Online Safety Act.
• California/US: AADC copied almost verbatim as California Age-Appropriate Design Code Act (signed September 2022). Kidron called "arguably the most important and effective driver of data privacy and social media rules in the United States."
• EU: Principles integrated into DSA and AI Act.
• Australia, Indonesia, Canada, Argentina: AADC adopted or adapted.
• Global: Led coalition for UN Global Digital Compact. Engages with OECD, APEC, Global Privacy Assembly.
• Funding: Oak Foundation's Safe Online programme is a confirmed funder.
• Sources: https://5rightsfoundation.com/global/, https://dcjournal.com/the-british-are-coming-english-baroness-lobbies-to-change-u-s-internet-laws/

WeProtect Global Alliance: 100+ member governments. Board includes former NCMEC/ICMEC president (Chair), Thorn CEO Julie Cordua, European Commission official, UNICEF Director of Child Protection, US DOJ official, UAE Ministry of Interior official. Civil society members include 5Rights and ECPAT International.

• Source: https://www.weprotect.org/alliance/governance/board-members/

Oak Foundation (Swiss): Funded "Disrupting Harm" project ($15M) with INTERPOL, ECPAT, and UNICEF across 25 countries. Funds 5Rights Foundation, SaferNet Brasil, Fairplay/ParentsTogether. Program countries include US, EU, Brazil, India.

• Source: https://oakfnd.org/keeping-children-safe-online/

Thorn (US, founded 2009 by Ashton Kutcher): Met 20 EU lawmakers in 2021. Spent $630K+ lobbying for EU Chat Control. Registered as a charity in EU lobby database while its own technology could enforce the law it lobbied for. CEO Julie Cordua sits on WeProtect board. Member of ECLAG steering group alongside ECPAT, Missing Children Europe, IWF, Terre des Hommes, Brave Movement.

• EDRi: https://edri.org/our-work/how-a-hollywood-star-lobbies-the-eu-for-more-surveillance/
• Fortune: https://fortune.com/europe/2023/09/26/thorn-ashton-kutcher-ylva-johansson-csam-csa-regulation-european-commission-encryption-privacy-surveillance/

ICMEC (International Centre for Missing & Exploited Children): Former president chairs WeProtect board. Authored the Digital Age Assurance Act (DAAA) model legislation for US states, pushing device-level age verification. Receives Meta funding ($25K+ major donor). Severe financial distress: negative net assets of -$2.28M, 38% workforce reduction, board members personally loaned $1.117M to fund operations.

• ICMEC DAAA: https://cdn.icmec.org/wp-content/uploads/2024/10/Digital-Age-Assurance-Act-2024.pdf

UN CRC General Comment No. 25 (2021): The normative pipeline. Shaped by joint submissions from Instituto Alana, 5Rights Foundation, Save the Children, Plan International, World Vision, ECPAT, and others. Now cited as the legal basis for both the UK's Age Appropriate Design Code and Brazil's Digital ECA.

• Source: https://www.ohchr.org/en/documents/general-comments-and-recommendations/general-comment-no-25-2021-childrens-rights-relation

Part 5: Meta's Brazilian Lobbying Apparatus

Scale

Meta has the largest government relations team of any tech company in Brazil. at least 19 professionals. Google is second with 10 (13 counting YouTube). Across 15 major tech companies, 75 government relations professionals were identified by Agencia Publica/Nucleo. Two out of every three previously worked in government entities. About half were hired between 2021 and 2023, coinciding with the acceleration of regulatory debates.

Sources:

• Agencia Publica: https://apublica.org/2025/11/the-block-party-how-big-techs-lobby-avoided-regulation-in-brazil/
• Nucleo: https://nucleo.jor.br/english/2025-09-09-the-blocking-party-how-big-techs-lobby-avoided-regulation-in-brazil/

Key Personnel and Revolving Door

Marconi Edson Borges Machado. Meta Public Policy Manager. Political Science degree from University of Brasilia (2010). Previously Manager of Institutional Relations with the Legislative Power at the Confederacao Nacional das Instituicoes Financeiras (CNF. national confederation of financial institutions). At Meta since 2017. His LinkedIn describes his role as conducting research and monitoring legislation plus coordinating "legislative efforts."

Ghost-authorship: Intercept Brasil revealed metadata in official Chamber filings showed two amendments filed by Deputy Fernando Maximo were created by Machado. EMC 18/2025 eliminated the obligation for platforms to disclose semiannual content moderation reports. EMC 19/2025 removed the possibility of fines and criminal sanctions.

Meta's response confirmed the ghost-authorship while framing it as routine: "the contribution of Meta and other interested parties in the debate about Bill 2628 is public knowledge."

• Intercept Brasil: https://www.intercept.com.br/2025/08/14/deputado-bolsonarista-emenda-lobista-meta-lei-criancas-internet/

Tais Niffinegger. Meta Manager of Safety Policy, LATAM. Classic revolving door career:

1. Analyst at Brazilian Ministry of Social Security
2. Deputy Head of International Affairs at General Secretariat of the Presidency (SGPR)
3. Consultant at the OECD (digital economy policy, consumer policy)
4. Head of International Affairs at Anatel (Brazil's national telecom regulator)
5. Current: Meta

Testified before the Senate CCDD and Chamber CCOM on PL 2628/2022.

• LinkedIn: https://www.linkedin.com/in/taisniffinegger/

Kaliana Puppi Kalache. Meta Director of Public Policy, Legislative Branch. Career path:

1. Adviser to a judge at the Court of Justice of Parana
2. Coordinator of Legislative Process Division in Senator Ricardo Ferraco's office at the Federal Senate
3. Role at 99 (ride-hailing)
4. Meta: Head of Public Policies, promoted to Director early 2024. Harvard Kennedy School executive education in Negotiation Strategies (2024).

Documented by Agencia Publica approaching deputies in Chamber corridors on voting day, including Gustavo Gayer (PL-GO) and Gilvan da Federal (PL-ES). Reportedly played key coordinating role in securing support from the Evangelical Caucus.

• Agencia Publica: https://apublica.org/2025/08/criancas-nas-redes-bastidores-e-lobby-na-aprovacao-do-pl-2628/

Deputy Fernando Maximo (Uniao Brasil-RO): The Amendment Vehicle

Physician. Secretary of Health of Rondonia (2019-2022). First-term deputy elected 2022, 85,604 votes. Described by Intercept as a Bolsonarista deputy with no significant background in technology. Filed four amendments to PL 2628, all favoring platform interests. Two authored by Meta's Machado per metadata analysis.

Deputy Guilherme Boulos (PSOL-SP) filed a criminal complaint with the Attorney General (PGR) against Maximo for administrative advocacy (Article 321 of the Penal Code. "sponsoring, directly or indirectly, a private interest before public administration, using the quality of a public official"). Penalty: detention 1-3 months or fine; if interest is illegitimate, 3 months to 1 year plus fine.

• CartaCapital: https://www.cartacapital.com.br/politica/boulos-vai-a-pgr-contra-deputado-por-conluio-com-big-techs-em-pl-sobre-criancas-na-internet/

Conselho Digital: The Industry's Collective Vehicle

Legal entity CNPJ 35.808.843/0001-01, registered November 7, 2019. Founded as Instituto Cidadania Digital (ICD) by Felipe Melo Franca. Franca began working in the Chamber of Deputies, became parliamentary adviser to Deputy Vinicius Poit (Novo-SP), then in 2019 created ICD and began working for internet platforms by helping articulate the Mixed Parliamentary Front of the Economy and Digital Citizenship (Frente Parlamentar Digital).

Confirmed members: Google, Meta, Amazon, TikTok, X, Discord, Kwai, Hotmart, Uber, 99, Mercado Livre. Financed directly through corporate membership fees.

Structural parallel: Conselho Digital functions in Brazil the way NetChoice/CCIA function in the US. Google and Meta are members of both Conselho Digital in Brazil AND NetChoice/CCIA in the US. the same companies funding parallel lobbying organizations in both countries using identical arguments (over-removal, free expression, privacy concerns).

CCIA filed formal comments on Brazilian legislation directly, including on Bill No. 2768/2022 in December 2023 and on Brazil's AI bill. CCIA pushed the US Trade Representative to investigate Brazil for "digital trade barriers."

• SOMO: https://www.somo.nl/brazil-big-tech-cries-censorship-and-spreads-disinformation/
• CCIA on Brazil: https://ccianet.org/news/2025/09/ccias-comments-on-brazils-new-digital-competition-and-regulatory-bill/
• Nucleo: https://nucleo.jor.br/interativos/2023-05-25-quem-defende-interesses-bigtechs-congresso/

The Double Game: Public Opposition, Private Shaping

Meta did not openly oppose PL 2628. Unlike with PL 2630 (Fake News Bill), where Meta ran full-page newspaper ads and airport advertising campaigns, the political dynamics around child protection made outright opposition untenable after the Felca video.

What Meta actually did:

• Machado ghost-authored amendments to strip reporting obligations and remove sanctions
• Submitted technical notes questioning "duty of care"
• Kalache lobbied deputies in corridors on voting day, including Evangelical Caucus leadership
• Conselho Digital submitted collective technical note requesting reduced obligations
• Technical notes asked to exclude article requiring retention of abusive content data
• Suggested outsourcing notification responsibility to "certified and specialized entities"

As Flora de Castro Santana (Sleeping Giants Brasil) explained: "Big Tech supplies the technocratic talking points, and the far right translates them into open slogans about censorship to mobilise its base." This two-track strategy. quiet technical lobbying by company employees paired with loud populist opposition from aligned politicians. was documented across both PL 2628 and PL 2630.

• SOMO Big Tech Lobby Playbook: https://www.somo.nl/big-tech-lobby-playbook/

Part 6: The Performative Opposition Thesis

The user's hypothesis. that big tech's public opposition to age verification is a smokescreen. is supported by multiple converging data points:

1. CNBC/US News March 2026 reporting identifies that tech companies have "tacitly supported age verification as a less threatening alternative" to algorithmic regulation. Described as "regulatory capture disguised as compromise. instead of being forced to change how they design addictive products, platforms accept a verification requirement they can easily meet and that burdens smaller competitors disproportionately."

• CNBC: https://www.cnbc.com/2026/03/08/social-media-child-safety-internet-ai-surveillance.html
• US News: https://www.usnews.com/news/world/articles/2026-03-09/amid-wave-of-kids-online-safety-laws-age-checking-tech-comes-of-age

2. The same companies fund both sides. Google and Meta fund Conselho Digital (which publicly opposes the bill) while Meta's own lobbyists draft amendments that reshape the bill's enforcement mechanisms rather than kill it. The Tech Coalition (Meta, Google, Apple, Microsoft members) funds the End Violence Safe Online Research Fund that supports SaferNet Brasil, which advocated for the bill.

3. ICMEC receives Meta funding ($25K+ major donor) while writing model legislation (DAAA) that would require device-level age verification across US states.

4. The verification infrastructure benefits incumbents. Age verification requirements impose compliance costs that large platforms can absorb but that smaller competitors, open-source projects, and volunteer-maintained software (like Linux distributions) cannot. The Linux distro geoblocking of Brazil is the clearest illustration of this competitive moat effect.

5. The law creates a data collection mandate without security specifications. Platforms that already collect extensive user data are better positioned to comply than privacy-preserving alternatives. The absence of specific technical security requirements means the verification data. biometrics, government IDs, CPF numbers. can be processed through existing corporate data pipelines with minimal new constraints.

6. Peter Thiel's Palantir/surveillance infrastructure connects directly to age verification. Persona (Thiel-backed) partnered with Serpro in 2022. the same year PL 2628 was introduced. Persona performs 269 verification checks including "adverse media" screening. Discord tested then dropped Persona after government endpoint connections were discovered.