
Brazil's FirstMile Reckoning: Fix the Oversight, Don't Ban the Tools

Operação Última Milha shows Brazil's spyware scandal is a failure of intelligence oversight — not a case for blanket bans on commercial cyber tools.

[Infographic: "Brazil's FirstMile Scandal by the Numbers" (People of Internet Research · Brazil). ~30,000 phones reportedly tracked; R$5.7M ABIN contract value; 0 judicial warrants used; 4 years of unlawful use.]

Key Takeaways

Brazil's Federal Police is steadily building one of the most consequential surveillance prosecutions in the country's democratic history. The case — known as Operação Última Milha, or "Operation Last Mile" — centers on the use of FirstMile, a commercial geolocation tool developed by Cognyte (a 2021 spin-off of the Israeli surveillance vendor Verint), by Brazil's intelligence agency ABIN during the Bolsonaro administration. According to the investigation, the tool was deployed to track journalists, sitting judges, lawmakers, and political opponents without any judicial authorization — a flagrant breach of Brazilian constitutional and statutory law.

As prosecutors prepare further indictments and former ABIN officials face the courts, Brasília is once again being pulled into a familiar debate: should the country crack down on commercial spyware, on intelligence agencies, or on both? The answer matters not only for civil liberties but for Brazil's growing technology sector, which depends on stable, predictable rules.

What FirstMile Did, and What It Did Not Need

FirstMile reportedly exploits weaknesses in the global SS7 signaling protocol used by mobile carriers to route calls and text messages. By querying the network, it can locate a target's phone — often without the target ever knowing — and does not require malware to be installed on the device. ABIN reportedly acquired the system in 2018 under a contract worth roughly R$5.7 million and used it from 2019 onward, with Federal Police materials suggesting that an estimated 30,000 phone numbers were targeted over a four-year period.

Under Brazilian law, none of this should have been possible without a court order. Article 5 of the 1988 Constitution protects the inviolability of communications. Law 9.296/1996 requires judicial authorization for the interception of telecommunications data. The Lei Geral de Proteção de Dados (LGPD), in force since 2020, governs the handling of personal data — including location data — by both private and public actors. And the Marco Civil da Internet (Law 12.965/2014) imposes additional safeguards on connection and metadata records.

The problem in the FirstMile case is therefore not that the technology existed. It is that an intelligence agency operated outside the constitutional and statutory rules specifically designed to constrain it.

The Real Failure: Oversight, Not Innovation

It is tempting to read the scandal as a case for banning commercial cyber-intelligence tools outright — an approach increasingly fashionable in Europe and the United States after the NSO Group "Pegasus" revelations. Brazil should resist that impulse.

Lawful, court-supervised use of geolocation and communications data plays a legitimate role in counterterrorism, organized-crime, and kidnapping investigations — areas where Brazilian law enforcement has secured demonstrable wins. Blanket prohibitions on this category of technology would not have prevented ABIN's abuses, because the abuses were never authorized in the first place. What failed in Brazil was oversight: the joint parliamentary intelligence committee (CCAI), the Office of the Comptroller-General (CGU), and ABIN's own internal controls all reportedly missed years of unlawful targeting.

Three pro-innovation, proportionate reforms would address the actual failure:

Why the Tech Sector Should Care

Brazil is on track to become one of the world's most important digital markets. The country hosts a fast-growing fintech ecosystem, a substantial data-center buildout driven by AI demand, and an active legislative debate over the PL 2.338/2023 AI bill and the long-running PL das Fake News (PL 2.630/2020). Each of these depends on investor confidence that Brazilian institutions can both enable legitimate technology use and punish unlawful state misuse.

A clean prosecution of the FirstMile case is, in that sense, a feature rather than a bug. It demonstrates that Brazilian courts and federal police can hold even powerful intelligence actors accountable under existing law. It also reduces the political pressure for overbroad statutory responses — for example, sweeping prohibitions on "dual-use" cyber tools that would also catch legitimate cybersecurity firms, penetration testers, and threat-intelligence vendors operating in Brazil.

The Bottom Line

The FirstMile scandal is not, at its core, a story about a foreign spyware vendor. It is a story about Brazilian institutions enforcing Brazilian law against Brazilian officials who reportedly broke it. The right response is to strengthen the oversight architecture that failed — judicial pre-authorization, a real parliamentary watchdog, vendor due diligence — while keeping Brazil open to the legitimate technologies its security agencies and tech sector both need. Banning the tools rarely stops the abusers; reforming the rules just might.
