globalfindings/14-brazil-standards-capture-serpro-architecture.md
2026-03-24 17:17:34 +00:00
# Brazil Investigation: Standards Capture, Serpro Architecture, and Surveillance Infrastructure
## Standards Capture: 5Rights Writes the Standard, Yoti Gets Certified
5Rights Foundation led and co-developed the IEEE 2089.1 Standard for Online Age Verification. The Age Check Certification Scheme (ACCS) in the UK offers certification against this standard. Yoti Ltd's Facial Age Estimation has been certified under it, meeting ACCS 1:2020 Technical Requirements at Level 2.
5Rights advocates for legislation mandating age verification. It then co-writes the technical standard that companies must meet. Companies like Yoti that get certified against that standard profit from the legislation 5Rights advocated for. No direct financial payment between 5Rights and Yoti was found. The relationship is structural: 5Rights creates regulatory demand and writes the certification standard; Yoti builds technology certified against it. Both benefit.
The WeProtect Global Alliance intelligence briefing was co-authored with Yoti, demonstrating intermingling of advocacy and commercial interests within the same institutional spaces.
Source: 5Rights IEEE certification https://5rightsfoundation.com/age-checking-systems-can-now-be-certified-against-5rights-led-technical-standard/
Source: Yoti ACCS certification https://accscheme.com/registry/age-estimation/yoti-ltd/
## The Conflict-of-Interest Architecture
No smoking gun of direct payment from an age verification company to a child safety advocacy org was found. The relationship operates through four channels.
Channel 1, standards capture: 5Rights writes the IEEE 2089.1 standard. AVPA members (including Yoti) get certified against it. 5Rights also lobbies to make compliance mandatory.
Channel 2, philanthropic pipeline: Oak Foundation funds child safety orgs (ECPAT, 5Rights, WeProtect). The mandates those orgs advocate for create a market for AVPA members. Oak does not fund AVPA members directly. The pipeline from advocacy funding to market creation is clear.
Channel 3, big tech strategic funding: Meta ($26.3M US federal lobbying in 2025) covertly funded the Digital Childhood Alliance (DCA), an astroturf group with no EIN or incorporation records, to push the App Store Accountability Act nationally. The Heritage Foundation funds 3 of 6 named DCA coalition members (NCOSE, IFS, EPPC). The TBOTE Project's analysis of 4,433 grants ($2B) across five Arabella entities found zero dollars going to any child safety organization. Meta's age verification bills regulate operating systems (Apple/Google), not social media platforms.
Channel 4, revolving influence: WeProtect board members include Julie Cordua (Thorn CEO) and Douglas Griffiths (Oak Foundation president). A funder sits on the policy board of a grantee organization.
Source: TBOTE Project https://tboteproject.com/findings/
Source: CNBC March 2026 https://www.cnbc.com/2026/03/08/social-media-child-safety-internet-ai-surveillance.html
Source: EFF https://www.eff.org/deeplinks/2026/03/rep-finke-was-right-age-gating-isnt-about-kids-its-about-control
## The Felca Video: Organic, Not Coordinated
The Felca video (August 6, 2025) was an independent production. Felipe Bressanim Pereira spent approximately one year researching, working in 30-minute daily increments due to the distressing nature of the material. He demonetized the video, forfeiting an estimated R$100,000 in ad revenue and losing all advertising deals for that month. The only external participant was psychologist Ana Beatriz Chamat, interviewed on camera.
No evidence of funding, organizational backing, or political coordination was found. No child protection organization (Instituto Alana, SaferNet, Childhood) collaborated with or briefed Felca before publication. His trajectory shows a pivot from consumer-protection comedy (WePink foundation expose, NPC livestream critique) to investigative documentary. No political party affiliation was found. In March 2026, Felca publicly distanced himself from the law: "I did not create this law, politicians created it."
The structural question remains: Meta's text-weakening work was completed during the low-pressure committee phase (ghost-authored amendments in April 2025, CCOM hearing June 2025). The video arrived after the bill's strongest provision, the duty of care, had already been targeted. The rapporteur's substitute text was published August 12, six days after the video. The resulting public pressure fast-tracked a bill whose core had already been gutted at industry insistence. Whether this timing was convenient is a different question from whether it was orchestrated. The evidence supports coincidence and organic virality.
Source: Felca demonetization https://www.noticiasaominuto.com/tech/2837754/felca-nao-monetizou-video-sobre-adultizacao-mas-quanto-teria-recebido
Source: One year research https://www.terra.com.br/diversao/gente/felca-revela-um-ano-de-pesquisas-para-video-adultizacao-com-45-milhoes-de-visualizacoes-por-tema-aversivo-30-minutos-ao-dia,d39f328312f213a435b07a528469d582r4m6tslj.html
Source: Felca distances from law https://www.cnnbrasil.com.br/tecnologia/apos-sofrer-acusacoes-felca-se-pronuncia-sobre-eca-digital-eu-nao-criei/
## The Bible Document: Meta Produced It, Camara-e.net Claimed Authorship
Meta produced a document listing biblical passages (Colossians 3:18, Timothy 2:12, Deuteronomy 22:28-29, Ephesians 5:22-23, Leviticus 20:13) that would allegedly be censored under PL 2630. The document was delivered on paper "to leave no traces." Three internal Meta sources confirmed this to Agencia Publica.
Camara Brasileira da Economia Digital (camara-e.net), whose members include Meta, Google, and TikTok, publicly claimed authorship after the document became public. Camara-e.net stated it "elaborated the document in response to a request from parliamentarians." The discrepancy is consistent with content laundering: Meta produces the material, the trade association claims authorship for distance.
Deputy Eli Borges (PL-TO), then leader of the Evangelical Parliamentary Front, mobilized the entire caucus after receiving this document. The PL 2630 vote was removed from the agenda on May 2, 2023, as a direct result. Kaliana Kalache was promoted to Director of Public Policy in early 2024, reportedly in recognition of her success in killing PL 2630 through the evangelical caucus strategy.
Source: Coletivo Bereia https://coletivobereia.com.br/conteudo-falso-com-uso-da-biblia-contra-projeto-de-lei-foi-oferecido-por-representantes-do-facebook-meta-a-deputados/
Source: Nucleo https://nucleo.jor.br/curtas/2023-04-27-associacao-pl-fake-news-censura-religiao/
Source: Agencia Publica https://apublica.org/2025/09/how-big-tech-killed-brazils-fake-news-bill/
## Evangelical Caucus and PL 2628: What Was Agreed
The Evangelical Caucus did NOT block PL 2628. The bill passed by symbolic vote. All blocs oriented "yes" except Partido Novo. The caucus had previously oriented 95% of its members to vote against PL 2630 (Fake News Bill) but did not take the same oppositional stance on PL 2628, the child protection bill.
The implicit arrangement: Meta manufactured fear of religious content removal. The caucus mobilized on that fear against PL 2630. For PL 2628, the caucus supported the bill after the "duty of care" provision was removed. Meta's concessions on the child protection bill (accepting the bill in weakened form rather than trying to kill it outright) appear to have secured caucus cooperation. Sostenes Cavalcante acknowledged the general pattern: "Every time there is a bill that will hurt their interests, they come to us here."
No formal written agreement exists. The arrangement was transactional and implicit. Kalache was promoted. Franca's Conselho Digital became the largest big tech lobbyist. The caucus claimed it protected religious freedom. Effective lobbying operates through shared interests, not contracts.
Source: Exame bancada 95% https://exame.com/brasil/bancada-evangelica-diz-que-95-dos-seus-membros-votarao-contra-o-pl-das-fake-news/
Source: Agencia Publica https://apublica.org/2025/08/criancas-nas-redes-bastidores-e-lobby-na-aprovacao-do-pl-2628/
## Duty of Care Removal: The Central Concession
Both Meta and Google filed technical notes opposing "dever de cuidado." Meta's Marconi Machado ghost-authored amendments through Deputy Fernando Maximo to eliminate reporting obligations and remove sanctions. The Conselho Digital filed a collective note in March 2024.
Rapporteur Jadyel Alencar argued the term lacked clear definition in Brazilian law and "could open space for broad and imprecise interpretations." His substitute text was entered into the system 47 seconds before the Chamber president initiated the order of the day. The replacement language, "duties of prevention, protection, information, and security", fragments the single overarching obligation into discrete categories with which companies can more easily argue partial compliance.
Rafael Zanatta of Data Privacy Brasil assessed that the change "freed Big Tech from active responsibility", meaning the obligation to hire dedicated teams and actively monitor for harms. The original concept created an affirmative obligation; the replacement language does not.
The Senate restored the loot box ban (which the Chamber had removed, favoring the gaming industry) but did NOT restore the duty of care. Net result: social media platforms won their primary objective while the gaming industry lost. No direct evidence of a negotiated trade was found, but the social media lobby was demonstrably more aggressive: 19 Meta lobbyists versus an invisible gaming lobby.
Source: Data Privacy Brasil https://www.dataprivacybr.org/relatorio-e-substitutivo-do-projeto-de-lei-2628-2022-o-que-ha-de-novo-no-eca-digital/
Source: Agencia Publica https://apublica.org/2025/08/pl-2628-por-que-big-techs-sao-contra-trechos-do-projeto/
## ICMEC DAAA: Authored by Bob Cunningham, Structurally Parallel to Brazil Article 12
The Digital Age Assurance Act was authored by ICMEC. The primary contact is Robert "Bob" Cunningham, Director of Policy Engagement. ICMEC has negative net assets of $2.28 million, persistent annual deficits, and cut its workforce 38% (21 to 13 employees), yet invested heavily in DAAA policy papers throughout 2024-2025.
The DAAA and Brazil's Article 12 are structurally parallel. Both mandate OS-level age verification. Both require a secure API sharing age bracket signals. Both ban self-declaration. Both require data minimization (age bracket only, no exact date of birth). Brazil goes further by requiring platforms to implement their own verification on top of OS signals.
California's AB 1043 (enacted 2025, co-sponsored by ICMEC and Children Now) was the first US state to adopt this framework. No direct evidence of ICMEC coordination with Brazilian legislators was found. The structural similarity reflects parallel policy development through the global child protection ecosystem, not necessarily direct drafting assistance.
Meta funds ICMEC ($25K+ donor). ICMEC's DAAA shifts regulatory burden to OS manufacturers (Apple, Google). Meta's App Store Accountability Act (pushed through the DCA astroturf) does the same. Both models protect social media platforms.
Source: DAAA PDF https://cdn.icmec.org/wp-content/uploads/2024/10/Digital-Age-Assurance-Act-2024.pdf
Source: ComplianceHub OS comparison https://compliancehub.wiki/brazil-age-verification-law-operating-systems/
## Coalition Legitimacy: Mostly Real, Partially Inflated
Of 12 coalition members sampled, 7-8 are established organizations with independent legal status, staff, and financial reporting. At least 2-3 are single-person enterprises (4Daddy), projects nested inside other organizations (Eu Me Protejo is a project of Instituto MetaSocial), or chapters of international programs without independent Brazilian legal personality (Girl Up Brasil operates under the UN Foundation umbrella).
No fabrication or shell organizations were found. The inflation mechanism is counting heterogeneous entities (major foundations, solo consultants, university research labs, volunteer projects, and umbrella associations) as equivalent "members." Abong (itself representing 250 NGOs) is counted as one member.
The coalition's primary funders (FJLES and Instituto Alana) share the same ultimate source: the Itau/Setubal family fortune. Two branches of one banking dynasty fund different nodes of the same advocacy network.
Coalition membership grew from approximately 40 (early reports) to 55 (November 2022) to 77 (current). Growth coincides with the PL 2628 advocacy push. "Membership" requires no financial commitment or formal qualification threshold; it is described as "voluntary activity, not presupposing any form of remuneration."
Source: Childhood Brasil coalition statement https://www.childhood.org.br/acoes-e-iniciativas/posicionamento-coalizao/
Source: FJLES coalition funding https://fundacaojles.org.br/n/noticia.php?id=19
## AU10TIX in Brazil: Active Through X, No Direct Contracts Found
X (formerly Twitter) began requiring age verification in Brazil on March 17, 2026 (Digital ECA effective date). X requests CPF, facial biometrics, photo of government documents, or credit card data. Globally, X uses AU10TIX for identity and selfie verification (introduced August 2023 for premium verification). As of July 2024, all X creators wanting to monetize must verify through AU10TIX.
AU10TIX is therefore operationally relevant in Brazil through its global client X, though no dedicated Brazilian subsidiary, Serpro partnership, or ANPD registration was found. TikTok also uses AU10TIX globally and is a Conselho Digital member. The February 2026 AU10TIX press release confirmed "teams across Latin America."
The 18-month data breach (December 2022 to June 2024) affected global client data. Brazilian users of X, TikTok, and Uber who submitted documents may have been exposed. Only Upwork switched providers after the breach.
Source: Brado Jornal X age verification https://www.bradojornal.com/noticias/tecnologia/2026/03/17/x-comeca-a-exigir-verificacao-de-idade-de-usuarios-no-brasil/
Source: State of Surveillance AU10TIX https://stateofsurveillance.org/articles/corporate/au10tix-x-verification-israeli-intelligence-2025/
## Serpro Data Flow: Full Architecture
Serpro's Datavalid API operates through a REST/JSON interface. Each client authenticates via OAuth2 using a unique Consumer Key and Consumer Secret tied to their contract and CNPJ. The client collects citizen data (CPF, name, date of birth, selfie, fingerprints), sends it to gateway.apiserpro.serpro.gov.br over TLS 1.2/1.3, and Datavalid compares it against government databases (Receita Federal for CPF, SENATRAN for CNH/biometrics with 85M+ records). Datavalid returns only a similarity index, never the underlying government data.
Serpro can see which company made each query, which CPF was queried, when, and what type of validation was requested. When Yoti queries Datavalid, Serpro sees "Yoti (contract X) queried CPF Y at timestamp Z." Serpro does not see which end platform triggered Yoti's query; that information exists only in Yoti's systems. Serpro retains query logs for audit and billing. Yoti's privacy policy confirms Serpro retains CPFs for 5 years.
Nearly 2 billion validations had been performed through the end of 2025. Datavalid holds ISO/IEC 27001 and 27701 certifications. Serpro generated R$128.4 million in profit in 2020 from selling Receita Federal data access through Portaria RFB No. 167/2022.
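The data flow above has a security property worth seeing in code: the gateway returns only a similarity index (the reference record never leaves it), yet it accumulates a log of which contract queried which CPF and when, while the mapping from query to end platform lives only with the vendor. The following simulation is an added example written for this page; it is not Serpro's Datavalid code or API, and every name in it (MockGateway, MockVendor, the consumer key, the CPFs and embeddings) is a constructed stand-in.

```python
"""Constructed simulation of the three-party flow: end platform -> verification
vendor (API client) -> validation gateway. Not Serpro's code; names are hypothetical."""
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class QueryLogEntry:
    consumer_key: str      # identifies the contracting client, never the end platform
    cpf: str
    validation_type: str
    timestamp: str


def cosine_similarity(a, b):
    """Similarity index between two face-embedding vectors (toy stand-in)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


@dataclass
class MockGateway:
    """Datavalid-style gateway (constructed): authenticates clients, answers with
    a score only, and keeps a query log for audit and billing."""
    clients: dict                       # consumer_key -> consumer_secret, per contract
    reference_db: dict                  # cpf -> reference embedding (never returned)
    tokens: dict = field(default_factory=dict)
    query_log: list = field(default_factory=list)

    def authenticate(self, consumer_key, consumer_secret):
        """Mocked OAuth2 client-credentials grant returning a bearer token."""
        expected = self.clients.get(consumer_key)
        if expected is None or not hmac.compare_digest(expected, consumer_secret):
            raise PermissionError("invalid client credentials")
        token = secrets.token_hex(16)
        self.tokens[token] = consumer_key
        return token

    def validate_face(self, token, cpf, probe_embedding):
        """Log who asked about which CPF, then return ONLY a similarity index."""
        consumer_key = self.tokens.get(token)
        if consumer_key is None:
            raise PermissionError("invalid or expired token")
        self.query_log.append(QueryLogEntry(
            consumer_key=consumer_key,
            cpf=cpf,
            validation_type="facial_biometrics",
            timestamp=datetime.now(timezone.utc).isoformat(),
        ))
        reference = self.reference_db.get(cpf)
        if reference is None:
            return {"similarity": 0.0}
        return {"similarity": round(cosine_similarity(reference, probe_embedding), 3)}


@dataclass
class MockVendor:
    """Verification vendor (constructed) calling the gateway for several platforms.
    Only the vendor holds the request -> platform mapping."""
    gateway: MockGateway
    consumer_key: str
    consumer_secret: str
    platform_map: dict = field(default_factory=dict)

    def verify_for_platform(self, platform, cpf, probe_embedding):
        token = self.gateway.authenticate(self.consumer_key, self.consumer_secret)
        result = self.gateway.validate_face(token, cpf, probe_embedding)
        request_id = hashlib.sha256(f"{platform}:{cpf}".encode()).hexdigest()[:12]
        self.platform_map[request_id] = platform
        return request_id, result


def what_gateway_sees(gateway):
    """Gateway's view of its log: contract, CPF, validation type. No platform."""
    return [(e.consumer_key, e.cpf, e.validation_type) for e in gateway.query_log]


def demo():
    # Constructed sample data: one client contract, two reference records.
    gateway = MockGateway(
        clients={"vendor-contract-001": "s3cret"},
        reference_db={"11111111111": [0.9, 0.1, 0.3], "22222222222": [0.1, 0.8, 0.2]},
    )
    vendor = MockVendor(gateway, "vendor-contract-001", "s3cret")
    _, match = vendor.verify_for_platform("platform-A", "11111111111", [0.9, 0.1, 0.3])
    _, mismatch = vendor.verify_for_platform("platform-B", "11111111111", [0.1, 0.8, 0.2])
    return match["similarity"], mismatch["similarity"], what_gateway_sees(gateway), vendor.platform_map


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry the text describes: the vendor receives a score and nothing from the reference record, while the gateway's log holds two entries tying the same contract to the same CPF, with no way to tell platform-A's request from platform-B's.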
Source: Datavalid technical docs https://apicenter.estaleiro.serpro.gov.br/documentacao/datavalid/caracteristicas_tecnicas/
Source: Datavalid privacy notice https://www.serpro.gov.br/privacidade-protecao-dados/aviso-de-privacidade-datavalid
## The Sovereign Cloud Paradox
Serpro's "Nuvem de Governo" (Government Cloud), launched November 2023 with R$700M+ investment, uses foreign vendors' hardware installed inside Serpro data centers. AWS Outpost was activated October 2024 and Google Distributed Cloud Air-Gapped in December 2024. Huawei, Oracle, and Microsoft equipment is also installed. Original multicloud contracts (2019-2021): AWS R$71.2M, Oracle R$41.5M, IBM R$40.3M, Huawei R$23M, Microsoft R$22.6M.
Sean Roche, the AWS executive who arranged the partnership with Brazil's GSI (Gabinete de Seguranca Institucional), previously served as vice-director of the CIA's Directorate of Science and Technology (2015-2019) and is a retired U.S. Air Force colonel with service in Bosnia, Iraq, and Afghanistan.
Legal scholars argue (Conjur, March 3, 2026) that locating servers in Brazil is insufficient for sovereignty because the US CLOUD Act allows the US government to compel any company with American jurisdictional nexus to produce data stored anywhere in the world. Brazilian government data on AWS Outpost or Google GDC inside a Serpro data center may still be reachable by US court orders.
Caixa Economica Federal adopted Serpro's sovereign cloud hosted on Microsoft Azure at R$763.8 million over 5 years, acquired via bidding exemption.
Total Brazilian government spending on big tech: R$10 billion in a single year (June 2024 to June 2025). R$4.6 billion of that was federal government spending.
Source: Intercept Brasil https://www.intercept.com.br/2025/10/20/as-big-techs-transformaram-soberania-em-produto-e-o-brasil-comprou/
Source: Capital Digital CIA executive https://capitaldigital.com.br/serpro-discute-nuvem-soberana-com-ex-diretor-da-cia-atual-executivo-da-aws/
Source: Conjur sovereignty analysis https://www.conjur.com.br/2026-mar-03/localizar-o-servidor-no-brasil-nao-e-suficiente-para-soberania-digital/
Source: Intercept Brasil R$10B spending https://www.intercept.com.br/2025/07/08/brasil-torrou-10-bilhoes-em-um-ano-com-bigtechs/
## ANPD Certification Timeline
No companies have won ANPD certification. The timeline: law effective March 17, 2026; preliminary guidance published March 20, 2026; public consultation on the technology supplier guide in April 2026; definitive guidelines in August 2026; adaptation period with educational monitoring from August to November 2026; effective enforcement with fines from January 2027.
ANPD shows a preference for data-minimizing architectures: verifiable credentials, zero-knowledge proofs, "double-blind" architectures, and token-based approaches returning only "over 13" / "16-18" / "over 18" signals. ANPD expresses explicit caution about facial biometrics.
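The token-based approach ANPD favors here, and the "secure API sharing age bracket signals" described for the DAAA and Article 12 above, both reduce to one idea: the party that established a date of birth emits a signed statement carrying only a bracket. The example below is added for this page and is not ANPD guidance, Apple's or Google's API, or any vendor's product; the bracket thresholds, labels, field names and the shared HMAC key are assumptions chosen for illustration.

```python
"""Constructed age-bracket token: the issuer knows the date of birth, the
relying platform learns only the bracket. Not any real vendor's format."""
import base64
import hashlib
import hmac
import json
from datetime import date, datetime

# Illustrative thresholds; the labels are this example's, not the law's wording.
BRACKETS = [(18, "18_plus"), (16, "16_to_17"), (13, "13_to_15"), (0, "under_13")]


def age_on(dob: date, today: date) -> int:
    """Completed years of age on `today`, accounting for the birthday not yet reached."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def bracket_for(dob: date, today: date) -> str:
    age = age_on(dob, today)
    for threshold, label in BRACKETS:
        if age >= threshold:
            return label
    return "under_13"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(key: bytes, dob: date, now: datetime, issuer: str, ttl_seconds: int = 3600) -> str:
    """Issuer side: derive the bracket, drop the date of birth, sign what remains."""
    payload = {
        "iss": issuer,
        "bracket": bracket_for(dob, now.date()),
        "exp": int(now.timestamp()) + ttl_seconds,
    }
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(key: bytes, token: str, now: datetime, expected_issuer: str):
    """Relying-platform side: return the bracket only if the token is authentic,
    unexpired and from the expected issuer; otherwise None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected_sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected_sig, sig):
        return None
    payload = json.loads(_unb64(body))
    if payload.get("iss") != expected_issuer:
        return None
    if payload.get("exp", 0) <= int(now.timestamp()):
        return None
    return payload.get("bracket")


def fields_in_token(token: str) -> list:
    """Shows what a relying platform can read: no date of birth, no identifier."""
    return sorted(json.loads(_unb64(token.split(".")[0])).keys())
```

The verifier learns three things (issuer, bracket, expiry) and nothing that identifies the person; a second platform receiving a token for the same user sees no linkable field either, which is the property the "double-blind" designs aim at. A real deployment would use an asymmetric signature so platforms hold no signing capability, but the minimization point is the same.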
Apple updated its Declared Age Range API on February 24, 2026, blocking Brazilian users from downloading 18+ apps without adult confirmation. Google released zero-knowledge proof libraries for age verification in March 2026. Epic Games already uses Serpro's CPF-based verification.
The 37 companies monitored by ANPD include Amazon, Apple, Google, Meta, Microsoft, Samsung, TikTok, Netflix, Disney+, HBO, Twitch, X, Telegram, Discord, Sony, Roblox, Epic Games, Valve, Riot Games, and Canonical (Ubuntu). None have publicly disclosed detailed compliance approaches.
Source: ANPD guidance https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-publica-orientacoes-preliminares-e-cronograma-para-afericao-de-idade-no-ambiente-digital
Source: Apple API https://www.biometricupdate.com/202602/apple-updates-declared-age-range-api-for-national-state-level-age-assurance-laws
## Conselho Digital Transparency: A Black Hole
No LAI requests targeting Conselho Digital were found on Achados e Pedidos. No TCU or CGU audits. No lawmaker has requested financial transparency. The entity's SPED/ECD filing status can be checked at sped.fazenda.gov.br, but the actual financial contents are not publicly accessible. Under Brazilian law, LAI applies to private nonprofits receiving public resources, but if the Conselho Digital's government cooperation is purely non-financial, LAI applicability is narrow.
An entity funded by the world's largest tech companies, which served as secretariat for a congressional caucus, received the Chamber's highest honor, and signed cooperation agreements with the Ministry of Finance, operates with zero public financial transparency. Brazilian private associations face no legal obligation to publish financial statements. The structural transparency gap is by design, not accident.
Source: LAI Article 2 https://www.planalto.gov.br/ccivil_03/_ato2011-2014/2011/lei/l12527.htm
Source: SPED filing requirements https://sped.rfb.gov.br/pagina/show/499