Another Trouble with the TPP is its foray into the software industry. One of the more surprising provisions in the TPP’s e-commerce chapter was the inclusion of a restriction on mandated source code disclosure. Article 14.17 states:
No Party shall require the transfer of, or access to, source code of software owned by a person of another Party, as a condition for the import, distribution, sale or use of such software, or of products containing such software, in its territory.
The provision is subject to some limitations. For example, it is “limited to mass-market software or products containing such software and does not include software used for critical infrastructure.” The source code disclosure rule is not found in any other current Canadian trade agreement, though leaked documents indicate that it does appear in a draft of the Trade in Services Agreement (TISA).
The provision has generated considerable uncertainty since key aspects are undefined. For instance, what is “mass market software or products containing such software”? There is no definition in the TPP nor a generally accepted definition for mass market software or products, meaning it could include software sold to businesses or software in mass market products.
The inclusion of “software used for critical infrastructure” is similarly open to interpretation, raising the possibility of conflicts between mass market software and critical infrastructure software. Indeed, Stewart Baker, the former general counsel at the NSA, has noted:
“the ban doesn’t apply to code run on critical infrastructure, which will make for endless disputes, since there’s very little mass market software that doesn’t run on computers involved in critical infrastructure.”
Baker’s concerns extend beyond the likelihood of confusion and disputes, as he also notes the long term risks of including this provision in a trade deal:
Right now, this is a measure US software companies want. That’s because we make most of the mass market software in the market. But that’s likely to change, especially given the ease of entry into smart phone app markets. We’re going to want protection against the introduction of malware into such software. The question of source code inspection is a tough one. If other countries can inspect US source code, they’ll find it easier to spot security flaws, so the US government would like to keep other countries from doing that. But I doubt US security agencies are comfortable letting Vietnam write apps that end up on the phones of their employees without the ability to inspect the source. In short, this is a tough policy call that is likely to look quite different in five years than it does today.
Confusion about the scope of the provision and worries about what it might mean longer term are just two of the concerns with the source code rule in the TPP. One more that brings in one of the founders of the Internet in tomorrow’s post.
(prior posts in the series include Day 1: US Blocks Balancing Provisions, Day 2: Locking in Digital Locks, Day 3: Copyright Term Extension, Day 4: Copyright Notice and Takedown Rules, Day 5: Rights Holders “Shall” vs. Users “May”, Day 6: Price of Entry, Day 7: Patent Term Extensions, Day 8: Locking in Biologics Protection, Day 9: Limits on Medical Devices and Pharma Data Collection, Day 10: Criminalization of Trade Secret Law, Day 11: Weak Privacy Standards, Day 12: Restrictions on Data Localization Requirements, Day 13: Ban on Data Transfer Restrictions, Day 14: No U.S. Assurances for Canada on Privacy, Day 15: Weak Anti-Spam Law Standards, Day 16: Intervening in Internet Governance, Day 17: Weak E-commerce Rules, Day 18: Failure to Protect Canadian Cultural Policy, Day 19: No Canadian Side Agreement to Advance Tech Sector, Day 20: Unenforceable Net Neutrality Rules, Day 21: U.S. Requires Canadian Anti-Counterfeiting Report Card, Day 22: Expanding Border Measures Without Court Oversight, Day 23: On Signing Day, What Comes Next?, Day 24: Missing Balance on IP Border Measures, Day 25: The Treaties With the Treaty, Day 26: Why It Limits Canadian Cultural Policies)