*By Patrícia Araújo de Oliveira, Kátia Adriana Cardoso de Oliveira and Juliana de Albuquerque Gonçalves Saraiva
Theft or robbery, or even loss of a cell phone is always a headache. In cases like this, users enter a race against time to block the telephone line, the device (when possible), banking applications, cloud storage, emails and social networks.
The 17th Brazilian Public Security Yearbook [I] indicates a significant increase in theft and robbery of cell phones in the last year. In 2022, 999,223 cell phone robberies and thefts were recorded in the country. Aiming to reduce the frequency of this type of occurrence, the Ministry of Justice and Public Security (MJSP) launched, on December 22, 2023, an application that facilitates the quick blocking of the device, line and banking applications.
This is possible due to a partnership between the Ministry and Anatel (National Telecommunications Agency), Febraban (Brazilian Federation of Banks) and financial institutions. The application acts as a centralizer of the actions that are already carried out by most users when their cell phone is stolen or stolen. Despite being limited to banking applications, there are promises that other types of services such as Uber, Mercado Livre and Nubank will join the service, encouraging other digital platforms to also participate in the initiative, making the service more effective.
APPLICATION OPERATION
The application has three basic functionalities: (1) Telephone registration, (2) Registration of trusted people and (3) Occurrence registration (Figure 1). With “Phone Registration” it is possible to send this data from the device to telecommunications companies so that the line and device can be blocked. The “Register of trusted people” allows you to register people who will be authorized by the user to alert you to the loss, theft or theft of the device. In the “Occurrence Record” function, it is possible to send alerts to partners so that the necessary measures can be taken regarding theft or theft (but be careful, this action does not replace the police report). In addition to the features mentioned, the application integrated the remote location functionality already existing in the systems Android and iOS.
Access to the service is made after logging in with the account GOV.BR, available free of charge to all Brazilians. It is with this login that the Federal Government offers several other public services, such as the digital services of the INSS, a digital work card, The connect SUS, among others.
ACCESS TO PERSONAL DATA AND THE GENERAL DATA PROTECTION LAW
The General Personal Data Protection Law (LGPD), Law No. 13,709/2018 [II], represents a milestone in the protection of fundamental rights to freedom and privacy in Brazil. In 2022, the approval of Constitutional Amendment 115/22 elevated data protection to the level of a fundamental right, further expanding its scope and importance.
Data processing is any operation carried out with personal data, such as: collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information , modification, communication, transfer, diffusion or extraction.
Under the LGPD, two central figures stand out in the processing of personal data: the “controller”, responsible for decisions about data processing, and the “operator”, who carries out this processing under the orders of the controller. In the case of the Celular Seguro application, the controller is MJSP, which defined the hypothesis of data processing based on the holder's consent.
The LGPD establishes that consent must be expressed, freely, informed and unambiguous and must have a specific purpose, which under the terms of use of the application will be for: blocking devices, managing consent and sharing data with ABR TELECOM, the ANATEL, the financial and payment institutions participating in the Secure Cellular Service. If data subjects do not agree, they may revoke their consent at any time, and the data will be anonymized by processing agents. At this point, it is worth mentioning that there is no anonymization technique considered completely safe, and the LGPD also does not clarify what “reasonable efforts” would be to avoid the reversal of this anonymization. This is a topic pending regulation by the National Data Protection Authority, as indicated in item 11 of the regulatory agenda [III].
In practice, efficient management of personal data involves a delicate balance. Organizations must constantly consider what data to keep, for what reasons, and what to discard. Storing data unnecessarily involves risks, reinforcing the idea that minimizing these risks is directly linked to reducing the amount of data collected. Although zero risk is a utopia, careful data management can significantly mitigate the vulnerabilities associated with its processing.
It is also worth highlighting that the sharing of personal information carried out by the Federal Government with institutions linked to the “Celular Seguro” service, through the login of the GOV.BR, has a specific purpose, as stated on the Ministry of Justice website and in the application's Terms of Use. In this sense, there is support in the LGPD itself on the processing of personal data by the Public Authorities (arts. 23 to 30 of the law).
Furthermore, contrary to what is speculated on the internet, the Federal Government does not intend to collect data or monitor people unduly, through the use of the Celular Seguro application, even because most of the information necessary for its operation is already in possession of the Public Power, so that public services can be provided such as payment of benefits and scholarships, management of pensions by the INSS, vaccination control, among other services. Additionally, it is important to highlight that the Federal Government will not have access to bank accounts, nor, consequently, to the financial transactions and purchasing behavior of users of the Celular Seguro application.
PROCESSING OF PERSONAL DATA
The application collects data such as name, CPF, telephone number and email (for registration as a trusted person) (Figure 2-a), and brand/model, serial number (optional), operator, telephone number and IMEI[1] (optional) for phone registration (Figure 2-b). The other information necessary for its operation will be obtained from the database of the integrated solutions, such as Government and bank applications, and all communication is carried out using encryption (see illustration, Figure 3).
(a) Trustee registration (b) Device registration
Figure 2 – Celular Seguro application registration screens
Figure 3 – Integration of the Celular Seguro application
INFORMATION SECURITY AND RESPONSIBILITY
The terms of use of the application provide for the liability of both the controller and the operator, who, as a result of carrying out personal data processing activities, cause property, moral, individual or collective damage to others, in violation of data protection legislation. personal data.
Data processing agents must use technical and administrative measures capable of protecting personal data from unauthorized access and accidental or illicit situations of destruction, loss, alteration, communication or dissemination. Security incidents are events that affect at least one of the three main pillars of information security: confidentiality, integrity and availability.
If an incident involving personal data occurs, the National Data Protection Authority must be notified within 2 days of becoming aware of the fact, and the deadline may be extended by 30 days. Data holders must also be notified to prevent possible fraud and scams to which they may be subject due to the exposure of their personal data.
In this context, it is important to provide some clarifications about the secure application, which, with its launch, led to the emergence of several fake news indicating that the solution will work like spyware[2]. If we check the app information, no permission is required as no user data is collected during use or while the app is installed on the device.
To understand better, we can compare the permissions requested from a social network application installed on a cell phone, which requests access permissions to the camera, photos, videos, location, microphone and notifications (Figure 4). In this sense, the information entered into the application is passed on by the holder of the personal data, through free typing or copy/paste of cell phone information, making it technologically impossible for the Federal Government to continuously monitor your location, your camera, your microphone, or any means of obtaining private information.
(a) Secure Cellular Permissions (b) Social Network Permissions
Figure 4 – Comparison of the permissions of the Celular Seguro app and the social network app
It is important to highlight that most data leaks occurring in digital media are due to human error [IV] through Social Engineering[3]. For this reason, it is essential that users download the application from recommended platforms and do not share personal information with third parties, especially through unreliable digital means such as Whatsapp. Therefore, it is essential to pay attention to the correct means of installing and accessing the “Celular Seguro” application because it will not be made available by sending Links via SMS messages or via WhatsApp, nor even email attachments, only by downloading from Digital Stores for different operating systems Google Play and Apple Store.
WHAT CAN STILL BE IMPROVED
In the first version of the application, to register the phone, the brand and model of the device are automatically filled in. The IMEI, despite being optional, could, in future versions, be automatically filled in to make it easier for lay users. Another interesting feature would be the use of Government APIs to automatically fill in, for example, information related to a specific CPF.
Furthermore, the application does not offer the option of registering more than one line for the same device (although it is possible to register more than one for the same device). The option of including a second phone (as well as a second IMEI) would be a facilitator in the same registration.[4]) for cell phones that allow the use of two chips.
This text was limited to carrying out the analysis in light of the LGPD and carrying out verification on the user's side regarding the issue of information security and collection of unauthorized information, denying false information on the subject. Issues related to information security management are the responsibility of the bodies responsible for the solution, to apply basic structuring control of privacy and information security management such as continuous vulnerability management, penetration testing, incident response management, among others . In this context, it is appropriate to mention that the Federal Government, through the Ministry of Management and Innovation in Public Services, has a Privacy and Information Security Program (PPSI), which offers a series of documents and actions that aim to assist the maturity and resilience of Federal Government bodies and entities in relation to information security. Furthermore, on December 27, 2023, the Federal Government instituted the National Cybersecurity Policy (PNCiber), with the aim of promoting actions to combat malicious actions related to information security in the country.
About the authors:
Patricia Araujo de Oliveira
PhD in Computer Science from the University of Malaga (Spain)
ABES Think Tank Researcher
Adjunct Professor at the Federal University of Amapá
Currently works as IT Advisor for the National Cinema Agency
Kátia Adriana Cardoso de Oliveira
PhD student in Law, with a focus on Artificial Intelligence and Data Protection at the Centro Universitário de Brasília (CEUB/DF)
ABES Think Tank researcher in the area of privacy and data protection
OAB/DF lawyer specializing in digital law and data protection Federal Public Servant
Juliana de Albuquerque Gonçalves Saraiva
PhD in Computer Science from the Federal University of Pernambuco
Post-doctorate in Information Security from the Federal University of Pernambuco
OAB/RN lawyer specializing in Digital Law
Adjunct Professor at the Federal University of Paraíba
[1] IMEI is a unique identification number for the device.
[2] Spyware is a term used for espionage software, that is, any software that has malicious behavior with the aim of collecting information about a person or organization and sending it to another entity in a way that harms the user, violating their privacy, placing at risk to the security of your device or other means.
[3] Social Engineering is a manipulation technique that uses people's trust and naivety to obtain personal information or access to systems.
[4] For telecommunications networks, each IMEI is considered a different “device”. There may be more than one IMEI on the same cell phone if it is a device that supports more than one chip.
REFERENCES
[I] BRAZILIAN PUBLIC SECURITY FORUM. 17th Brazilian Public Security Yearbook. São Paulo: Brazilian Public Security Forum, 2023. Available at: Security Forum. Accessed on: December 24, 2023.
[II] BRAZIL. Law No. 13,709, of August 14, 2018. General Personal Data Protection Law. Official Gazette of the Union, Brasília, DF, 15 Aug. 2018. Section 1, p. 1. Available at: Highland. Accessed on: 23 Dec. 2023.
[III] BRAZIL. ANPD Ordinance No. 35, of November 4, 2022. Makes public the Regulatory Agenda for the biennium 2023-2024. Available in: Link. Accessed on 23 December. 2023.
[IV] “60% of company data leaks are due to human error”. Lecture at UPF had as its theme the General Data Protection Law with the presence of the Deputy Secretary of State for Public Security of RS. Available in: UPF
Notice: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies
EN 
PT 
