globalfindings/15-brazil-investigation-conclusions.md
2026-03-24 17:17:34 +00:00

# Brazil Digital ECA Investigation: Conclusions
This document synthesizes findings from five investigation files (10-14) covering Brazil's PL 2628/2022 (Lei 15.211/2025), known as the Digital ECA or Lei Felca. The investigation examined the law's origins, the entities that shaped it, the infrastructure being built to implement it, and the financial and political interests behind it.
## What the Investigation Established
## 1. Age verification legislation is globally coordinated
2022 was the inflection point. In a single calendar year, the EU signed the Digital Services Act, the UK introduced the Online Safety Bill, the US Senate received KOSA, Brazil introduced PL 2628, California signed the Age-Appropriate Design Code (copied from the UK's 5Rights framework), Louisiana passed the first US state age verification law, and the EU unveiled its Chat Control proposal. By 2026, Australia, France, Malaysia, Indonesia, Italy, and multiple US states had followed.
The same organizations appear across every jurisdiction. 5Rights Foundation (Baroness Kidron) shaped legislation in the UK, EU, US/California, Australia, Indonesia, Canada, and Argentina. Oak Foundation funded 5Rights, ECPAT, SaferNet Brasil, and Fairplay/ParentsTogether across all these regions, and supported the End Violence partnership where WeProtect advises on priorities. WeProtect Global Alliance connects 100+ member governments with Thorn (CEO Julie Cordua on the board), ECPAT, and tech companies. Thorn spent $630K+ lobbying the EU for Chat Control while its CEO sat on WeProtect's board and its own technology could enforce the laws it lobbied for.
## 2. Brazilian and American advocacy pipelines share the same funders
Pierre Omidyar's philanthropic network connects both pipelines. Luminate (spun off from Omidyar Network in 2018) funds Data Privacy Brasil ($500K). Imaginable Futures (spun off 2019) partners with Instituto Alana. Omidyar Network itself funds Common Sense Media, the primary US organization behind KOSA.
The Itau banking dynasty is the central Brazilian node. Ana Lucia Villela (Itau board member, net worth ~$1.5B) founded Instituto Alana and the Alana Foundation USA ($8.15M in grants in 2022). Jose Luiz Setubal (Itau heir and shareholder) founded Fundacao JLES, which directly funds the Coalizao Brasileira pelo Fim da Violencia. Two branches of one banking family fund different nodes of the same advocacy network.
Instituto Alana co-signed the UN CRC General Comment No. 25 (2021) with 5Rights, Save the Children, ECPAT, Plan International, and others. That document is now cited as the legal basis for both the UK's Age Appropriate Design Code and Brazil's Digital ECA. The normative pipeline runs from joint UN submissions to national legislation.
## 3. The law creates a mandatory market for private surveillance companies
The Digital ECA places verification obligations on platforms, app stores, and operating system providers. It does not designate a government agency to verify. Private companies perform the verification. The same companies providing services in the US and UK are positioned for Brazil: Yoti (UK, already partnered with Serpro), Persona (US, Peter Thiel/Founders Fund, partnered with Serpro since 2022), Jumio (US, launched in Brazil first), Veriff (Estonia), iProov (UK), and AU10TIX (Israel, operationally active through X).
Persona's February 2026 exposure revealed 269 surveillance checks per user, facial recognition against watchlists, "adverse media" screening across 14 categories, built-in SAR filing to FinCEN and FINTRAC, internal codenames "Project SHADOW" and "Project LEGION," and 3-year data retention of biometric and identity information. The Persona-Serpro partnership remains active. ANPD has not opened any investigation into Persona.
FlagCheck, one of the Brazilian-native verification providers, is actually operated by Bitcoin P2P Servicos Digitais LTDA. No named founders, no public corporate identity beyond the CNPJ.
## 4. The law contains privacy principles but no enforceable security requirements
Article 12 references LGPD principles and states the age signal API must follow "privacy protection by design." The law bans using verification data for purposes other than age confirmation and requires data minimization.
The law does not specify how verification data must be stored, encrypted, transmitted, or deleted. No mandatory data retention limits exist within the law itself. No independent security audits of verification providers are required. No specific high-risk methods are prohibited. All technical specifics are deferred to ANPD regulation not finalized until August 2026, with enforcement beginning January 2027.
ANPD itself found that Serpro's Datavalid operates without full LGPD legal basis (Technical Note 39/2021). The MPDFT filed a representation with TCU in 2019 alleging Datavalid illegally uses CNH biometric data without consent. That TCU case remains pending after six years.
## 5. The operating system provisions create device-level identity infrastructure
Article 12 covers "provedores de sistemas operacionais de terminais." Windows, macOS, iOS, Android, ChromeOS, SteamOS, and Linux distributions must implement age verification and provide age signals to applications via a secure API. Platforms must also implement their own verification independently, creating layered verification: OS verifies, app store verifies, each app verifies.
This architecture mirrors ICMEC's Digital Age Assurance Act (DAAA) model legislation, authored by Bob Cunningham. The DAAA and Article 12 are structurally parallel: both mandate OS-level verification, both require secure API age bracket signals, both ban self-declaration, both require data minimization. Meta funds ICMEC ($25K+ donor). Both the DAAA and Meta's App Store Accountability Act shift regulatory burden from social media platforms to operating system manufacturers.
Linux distributions (Arch 32, Bazzite, CachyOS) began geoblocking Brazilian IP addresses because volunteer communities without legal representation in Brazil cannot comply.
## 6. Big tech's opposition is performative
CNBC and US News (March 2026) identified that tech companies "tacitly supported age verification as a less threatening alternative" to algorithmic regulation. The reporting described this as "regulatory capture disguised as compromise." Platforms accept a verification requirement they can easily meet while it burdens smaller competitors disproportionately.
Google and Meta fund parallel "opposition" lobbying in each jurisdiction. They are members of both Conselho Digital in Brazil and NetChoice/CCIA in the US. The same companies, the same arguments, the same structure. Meta ghost-authored amendments to weaken PL 2628 while the bill was in committee, then accepted the weakened version when public pressure made outright opposition untenable.
The most telling data point: Meta funds ICMEC, which writes model legislation for device-level verification. Meta also covertly funded the Digital Childhood Alliance, which pushes the App Store Accountability Act. Both models shift the compliance burden away from social media platforms and onto operating systems. Meta lobbied to weaken a bill that, even in its final form, serves Meta's competitive interests against smaller platforms and open-source software.
## 7. The Brazilian legislative process was captured by compromised actors
The rapporteur, Jadyel Alencar (Republicanos-PI), was designated by his own party colleague (CCOM president Julio Cesar Ribeiro, Republicanos-DF). Alencar has a criminal conviction for receiving stolen medical supplies (TRF1 confirmed, 3 years 6 months). He is a criminal defendant in an active MPF case for COVID supply fraud (charges accepted by the 3rd Federal Court, R$19M damages requested). His company raised mask prices from R$11 to R$189 during COVID. The Federal Police tracked R$48M in suspected money laundering through his company. He declared R$107.5M in assets but had a prison order for failing to pay R$6,306.48 in child support. He has 93 judicial processes on Escavador. The TRF1 4th Panel has a 2-1 majority to uphold his conviction (two judges voted to uphold, the third requested a review period, final judgment not yet published), which if confirmed would trigger Ficha Limpa ineligibility. No media questioned his designation as rapporteur of child protection legislation.
Alencar removed the "dever de cuidado" (duty of care) from PL 2628, the bill's most significant structural obligation, at the request of Meta and Google. His substitute text was entered into the system 47 seconds before the session opened.
The deputy who filed Meta's ghost-authored amendments, Fernando Maximo (now PL-RO), is under Federal Police investigation for R$3.2M in ambulance fraud with R$30M+ in shell company bank movements. The PGR has been completely silent for seven months on the ghost-authorship complaint. Maximo is running for the Senate, leading polls at 46.1%.
Every deputy Meta was documented contacting on PL 2628 voting day is under criminal investigation or has been convicted. Gustavo Gayer (PF-indicted for embezzlement, OSCIP fraud listing a baby as board member, R$70K cash seized). Sostenes Cavalcante (Operation Galho Fraco, R$469,700 cash seized, backdated property deed). Gilvan da Federal (10 judicial processes, convicted of gender-based political violence).
## 8. Meta's revolving door reaches the Finance Ministry
Dario Durigan served as Director of Public Policies at WhatsApp (Meta) from 2020 to 2023. He became Executive Secretary of the Ministry of Finance in June 2023. On March 19, 2026, President Lula named him Minister of Finance. The Finance Ministry oversees SECOM advertising budgets, tax policy for tech companies, and the SPA that signed the cooperation agreement with Conselho Digital. A former Meta executive controls all of this.
Meta has the largest government relations team of any tech company in Brazil: 19 professionals. Two-thirds previously worked in government. Yana Dumaresq served as Deputy Minister of Economy (2019-2021) before joining Meta. Murillo Laranjeira and Google's Marcelo Lacerda both came from Patri, the same Brasilia lobbying firm. Tais Niffinegger moved from Anatel (telecom regulator) and the Presidency to Meta. Kaliana Kalache came from the Senate.
SECOM spent R$35.8M on Meta platforms in 2025 (R$129.6M total internet advertising, a record). The government simultaneously funds Meta with tens of millions while a former Meta executive runs the ministry controlling those budgets. Meta funds Conselho Digital, which lobbies against platform regulation. Brazil has no lobbying disclosure law.
## 9. Conselho Digital operates in a transparency black hole
Conselho Digital do Brasil (CNPJ `35.808.843/0001-01`) has R$0 declared capital and a single registered officer (Felipe Melo Franca). Its corporate members include Google, Meta, Amazon, TikTok, Discord, Uber, Kwai, and Hotmart. No public financial statements exist. Brazilian private associations face no legal obligation to publish financials. The entity has never applied for OSCIP qualification, which would require transparency. Its estatuto is behind a restricted-access section of the website.
Franca co-founded MBL (Movimento Brasil Livre) in 2013 as a Students for Liberty front. He moved from Congressional staffer to Frente Parlamentar Digital executive secretary to Conselho Digital president. The ICD's founding partner was an iFood executive who used his @ifood.com.br email in the entity's statute. The Frente Parlamentar Digital was created with over 200 deputies and senators as signatories. The entity that served as its secretariat was funded by the companies the caucus was supposed to oversee.
No LAI requests targeting the Conselho Digital have been filed. No TCU or CGU audits exist. No lawmaker has requested financial transparency. The entity signed a cooperation agreement with the Ministry of Finance's SPA. It received the Chamber of Deputies' Medal of Legislative Merit.
## 10. Serpro is a data brokerage operation with intelligence agency access
Serpro processes 33 billion transactions annually, manages 30.4+ petabytes of data, and generated R$128.4M in profit selling Receita Federal data access in 2020 alone. Serpro's Datavalid API validates CPF data, performs facial recognition against 85M+ CNH database images, and processes fingerprint verification.
Serpro retains query logs showing which company queried which CPF and when. Each API client authenticates with a unique key tied to their contract. When the Digital ECA drives mass age verification queries, Serpro will hold a comprehensive map of which citizens use which platforms.
ABIN (Brazil's intelligence agency) requested full access to 76 million citizens' driver data through Serpro in 2020 (Intercept Brasil expose). The Federal Highway Police purchased an off-the-books copy of the entire 80M+ biometric database for R$205,722.80 in 2022, never published in any transparency portal. A Serpro employee was caught accessing STF ministers' tax records in February 2026, directly contradicting Serpro's claim that employees cannot access client data.
Serpro's "sovereign cloud" uses AWS Outposts and Google Distributed Cloud hardware inside Serpro data centers. The ex-vice-director of the CIA's Directorate of Science and Technology (Sean Roche) arranged the AWS partnership. The US CLOUD Act allows the US government to compel any company with American jurisdictional nexus to produce data stored anywhere. Total Brazilian government spending on big tech: R$10 billion in one year.
## 11. The Bible document was manufactured disinformation
Meta produced a document listing biblical passages that would allegedly be censored under PL 2630 (the Fake News Bill). Three internal Meta sources confirmed this to Agencia Publica. The document was delivered on paper "to leave no traces." Camara-e.net (whose members include Meta, Google, and TikTok) publicly claimed authorship after exposure. Deputy Eli Borges mobilized the entire Evangelical Caucus based on this document. PL 2630 was pulled from the agenda as a direct result. Kaliana Kalache was promoted to Director afterward.
Coletivo Bereia, a Brazilian digital verification collective, classified the document's claims as false content. No provision of PL 2630 would have censored Bible passages.
## 12. The Felca video was organic but structurally convenient
Felipe Bressanim Pereira spent one year independently researching child exploitation online, working in 30-minute daily increments. He demonetized the video, forfeiting approximately R$100,000. No organizational backing, political coordination, or external funding was found. The video was genuine.
The timing was structurally convenient for Meta. Meta's text-weakening work (ghost-authored amendments, duty of care removal, CCOM hearing lobbying) was completed during the low-pressure committee phase in April-June 2025. The Felca video arrived August 6, 2025, after the bill's strongest provision had already been targeted. The resulting public outcry fast-tracked a version of the bill that had already been gutted at industry insistence. The video did not cause the weakness. It caused the passage of a weak bill.
## 13. The policy architect operates across jurisdictions without democratic accountability
Baroness Beeban Kidron founded 5Rights, wrote the UK Age Appropriate Design Code (inserted into the Data Protection Act 2018), got it copied into California law (AB 2273), shaped the EU DSA and AI Act, and campaigned for three years with Instituto Alana to pass Brazil's Digital ECA. A FARA filing confirmed in June 2024 that 5Rights lobbied California legislative and executive officials, developed materials for elected officials, reviewed amendments, and negotiated bill language.
5Rights hired Nichole Rocha as Head of US Affairs. Rocha was formerly Chief Consultant to the California Assembly Privacy and Consumer Protection Committee, the committee that would consider the bill. Kidron co-vice-chaired the IEEE 2089.1 age verification standard. The certification program is chaired by Iain Corby, who simultaneously serves as Executive Director of the AVPA (the trade body for companies profiting from mandatory verification). The person who writes the legislation co-chairs the standard. The industry trade body chairs the certification. The companies that pay trade body dues sell compliance solutions for the legislation.
Kidron was a Paul Hamlyn Foundation director (2012-2015). PHF funded the establishment of 5Rights, including the Director's salary for the first two years. Elizabeth Denham, the UK Information Commissioner who implemented Kidron's AADC at the ICO, joined 5Rights as a director in January 2022. Kidron resigned from 5Rights' board on 28 July 2025, nine days before the Felca video that fast-tracked the Brazilian legislation she spent three years campaigning for.
Source: FARA filing https://efile.fara.gov/docs/7427-Short-Form-20240627-4.pdf
Source: UK Companies House 5Rights officers https://find-and-update.company-information.service.gov.uk/company/11271356/officers
Source: UK Companies House PHF officers https://find-and-update.company-information.service.gov.uk/company/05042279/officers
## 14. UNICEF is the institutional host, not a partner
UNICEF hosts the End Violence Against Children Partnership and Fund ($83M+), chairs its board through the Executive Director, and administers all money as hosted trust funds. Safe Online has a $100M portfolio across 106 projects. The Tech Coalition (Google, Meta, Microsoft) contributed $2.5M through a joint research fund. UNICEF is not advocating alongside the partnership. UNICEF is the partnership.
UNICEF Brazil explicitly called for "urgent approval" of PL 2628/2022. UNICEF runs a joint program with Itau Social, the social arm of the banking family (Villela/Setubal) that controls Instituto Alana, the NGO that submitted technical notes on the same bill. Ana Lucia Villela sits on the Itau Social Guidance Council.
UNICEF's own December 2025 policy note states "age estimation measures using biometric data pose an unacceptable risk and should not be used." The same organization that lobbied for PL 2628 warns against the verification methods the law requires. UNICEF's D-CRIA Toolbox is embedded in WeProtect's 2025 Global Threat Assessment as the recommended compliance framework, while UNICEF's Director of Child Protection sits on WeProtect's board.
Source: UNICEF Brazil PL 2628 https://www.unicef.org/brazil/comunicados-de-imprensa/unicef-pede-urgencia-na-aprovacao-do-projeto-de-lei-de-protecao-de-criancas
Source: UNICEF policy note https://www.unicef.org/documents/policy-note-drawing-line-digital-spaces
## 15. Financial institutions are embedded in the surveillance infrastructure
Barclays holds approximately GBP 1.6 billion (~$2B) in Palantir shares. Palantir was just given a trial contract with the Financial Conduct Authority to process the FCA's "data lake" of regulatory intelligence, including case files, fraud reports, and money laundering reports. The FCA regulates Barclays. The bank holds $2B in shares of the company processing its regulator's data.
Barclays participates in OneID open banking age verification (OneID is an AVPA member). Barclays invested in Evernym (self-sovereign identity, $8M pre-Series A via Barclays Ventures). Barclays was a GOV.UK Verify identity provider. Barclays is a founding member of Stop Scams UK, sharing real-time intelligence with Meta, Google, and Amazon.
The Itau banking dynasty in Brazil funds both sides of the advocacy pipeline through two branches of the same family. Serpro recently partnered with the London Stock Exchange Group for anti-money-laundering verification, connecting the Brazilian and UK financial identity ecosystems.
Source: Barclays Palantir holdings https://www.thenerve.news/p/palantir-uk-companies-investment-pension-fund-billions-legal-general-barclays-aviva-peter-thiel
Source: FCA Palantir contract https://www.theregister.com/2026/03/23/palantir_fca/
## The Structural Pattern
The investigation reveals a consistent architecture across jurisdictions:
1. One person (Baroness Kidron) and her foundation (5Rights) write the policy framework and the legislation, and co-chair the technical standard. The AVPA Executive Director chairs the certification program. AVPA members sell compliance solutions. The organization that defines "compliant" is the same network lobbying to make compliance mandatory.
2. UNICEF hosts the fund ($83M+), chairs the partnership board, administers the money, provides the compliance framework (D-CRIA), and lobbies for national implementation. The same organization that warns biometric age estimation "poses an unacceptable risk" advocates for laws requiring effective age verification.
3. National advocacy coalitions, funded by the same philanthropic networks (Omidyar, Oak, Ford, Open Society) and domestic banking dynasties (Itau/Setubal in Brazil, with UNICEF running a joint program with the Itau family's social foundation), translate those frameworks into national legislation.
4. Big tech companies publicly "oppose" the legislation while privately shaping it through ghost-authored amendments, revolving-door lobbyists, manufactured disinformation (the Bible document), and corrupted decision-makers (convicted rapporteur, indicted deputies). A former Meta/WhatsApp executive now runs Brazil's Finance Ministry.
5. The legislation creates a mandatory market for private identity verification companies (Persona, Yoti, Jumio, AU10TIX), backed by surveillance-capital investors (Thiel's Founders Fund) or founded by intelligence veterans (AU10TIX/Shin Bet). Persona runs 269 surveillance checks per user under codenames Project SHADOW and Project LEGION.
6. The verification infrastructure funnels through government data brokers (Serpro in Brazil) that retain query logs, have documented intelligence agency access (ABIN accessed 76M citizens' data), and sit on foreign cloud infrastructure (AWS, Google) subject to the CLOUD Act. An ex-CIA vice-director arranged the AWS partnership.
7. Financial institutions (Barclays holding $2B in Palantir while Palantir processes the regulator's data) and banking dynasties (Itau funding the advocacy while running joint programs with UNICEF) provide the capital layer connecting surveillance, regulation, and implementation.
8. No transparency mechanism captures any of these flows. Brazil has no lobbying law. Conselho Digital publishes no financial statements. Serpro's Datavalid operates without full LGPD legal basis per the ANPD's own determination. The TCU case challenging Datavalid has been pending for six years. 5Rights' EU lobby spending is not disclosed. The IEEE 2089.1 working group membership list is restricted.
The result is a surveillance infrastructure built under the banner of child protection, shaped by a single baroness's foundation, funded by overlapping philanthropic networks and banking dynasties, implemented by intelligence-linked verification companies, administered through a UN agency that contradicts its own policy, and funneled through government data brokers with documented intelligence agency access sitting on foreign cloud infrastructure subject to US law. The children are real. The exploitation is real. The protection is not what it appears to be.