Confusing source code rule in TPP creates long-term risks

February 10, 2016
Photo: flickr/ Christiaan Colen

Problems? Oh, the Trans-Pacific Partnership has a few! Read about them all in the new series The Trouble with the TPP.

Another Trouble with the TPP is its foray into the software industry. One of the more surprising provisions in the TPP's e-commerce chapter was the inclusion of a restriction on mandated source code disclosure. Article 14.17 states:

"No Party shall require the transfer of, or access to, source code of software owned by a person of another Party, as a condition for the import, distribution, sale or use of such software, or of products containing such software, in its territory."

The provision is subject to some limitations. For example, it is "limited to mass market software or products containing such software and does not include software used for critical infrastructure." The source code disclosure rule is not found in any other current Canadian trade agreement, though leaked documents indicate that it does appear in a draft of the Trade in Services Agreement (TISA).

The provision has generated considerable uncertainty since key aspects are undefined. For instance, what is "mass market software or products containing such software"? There is no definition in the TPP nor a generally accepted definition for mass-market software or products, meaning it could include software sold to businesses or software in mass market products.

The inclusion of "software used for critical infrastructure" is similarly open to interpretation, raising the possibility of conflicts between mass market software and critical infrastructure software. Indeed, Stewart Baker, the former general counsel at the NSA, has noted:

"the ban doesn't apply to code run on critical infrastructure, which will make for endless disputes, since there's very little mass market software that doesn't run on computers involved in critical infrastructure."

Baker's concerns extend beyond the likelihood of confusion and disputes, as he also notes the long-term risks of including this provision in a trade deal:

"Right now, this is a measure U.S. software companies want. That's because we make most of the mass market software in the market. But that's likely to change, especially given the ease of entry into smart phone app markets. We're going to want protection against the introduction of malware into such software. The question of source code inspection is a tough one. If other countries can inspect U.S. source code, they'll find it easier to spot security flaws, so the U.S. government would like to keep other countries from doing that. But I doubt U.S. security agencies are comfortable letting Vietnam write apps that end up on the phones of their employees without the ability to inspect the source. In short, this is a tough policy call that is likely to look quite different in five years than it does today."

Confusion about the scope of the provision and worries about what it might mean longer term are just two of the concerns with the source code rule in the TPP. One more, which brings in one of the founders of the Internet, follows in tomorrow's post.

This piece originally appeared on Michael Geist's blog and is reprinted with permission.
