The news that the U.S. government has obtained a court order requiring Apple to assist law enforcement in breaking the encryption on an iPhone owned by one of the San Bernardino terrorists has sparked widespread concern. There is some debate over the scope of the judicial order – Techdirt points out that the order does not require Apple to break its encryption but rather to allow the government to “brute force” the password without deleting the data – but it is clear that the goal is to limit the effectiveness of the encryption protections found on the popular device. Apple has issued a public letter stating its view that this is a dangerous precedent that could be repeated over and over again. Indeed, if a U.S. court can issue such an order, there is seemingly nothing to stop other governments from doing the same.
What does this have to do with the TPP?
The U.S. has suggested that the TPP would address these issues, claiming that the agreement:
Ensures that companies and individuals are able to use the cybersecurity and encryption tools they see fit, without arbitrary restrictions that could stifle free expression.
The Trouble with the TPP is that a closer examination of the deal reveals that it would not stop any member country from issuing an order similar to the U.S. one involving Apple. The U.S. claims involving encryption tools stem from Chapter 8 on Technical Barriers to Trade. Annex 8-B, Section A deals with cryptography:
With respect to a product that uses cryptography and is designed for commercial applications, no Party may impose or maintain a technical regulation or conformity assessment procedure that requires a manufacturer or supplier of the product, as a condition of the manufacture, sale, distribution, import or use of the product, to:
(a) transfer or provide access to a particular technology, production process, or other information (such as a private key or other secret parameter, algorithm specification or other design detail), that is proprietary to the manufacturer or supplier and relates to the cryptography in the product, to the Party or a person in the Party’s territory;
(b) partner with a person in its territory; or
(c) use or integrate a particular cryptographic algorithm or cipher, other than where the manufacture, sale, distribution, import or use of the product is by or for the government of the Party.
Taken on its own, this provision creates some limitations on legislated encryption backdoors. Yet as with many aspects of the TPP, the devil is in the details. The provision is immediately followed by this exception:
For greater certainty, nothing in this Section shall be construed to prevent law enforcement authorities from requiring service suppliers using encryption they control from providing, pursuant to legal procedures, unencrypted communications.
In other words, the TPP may permit the kind of order issued yesterday. In fact, the EFF points out that the TPP goes further, with several other loopholes and exceptions. It characterizes the end result in the following way:
So what appears on the surface to be strong protection for crypto software in the TPP is actually much weaker than it seems: it doesn’t prevent the government from requiring providers to give them access to decrypted data, it doesn’t protect developers against backdoor demands from their own government, it doesn’t protect tools from countries that aren’t TPP signatories, it doesn’t stop a country from demanding access to private keys of a product so long as this demand is not a condition of supply of that product within the country, and on top of all that, there is a sweeping national security exception that can override the provision altogether.
Apple has committed to fighting the judicial order. It might consider doing the same with the TPP.
(prior posts in the series include Day 1: US Blocks Balancing Provisions, Day 2: Locking in Digital Locks, Day 3: Copyright Term Extension, Day 4: Copyright Notice and Takedown Rules, Day 5: Rights Holders “Shall” vs. Users “May”, Day 6: Price of Entry, Day 7: Patent Term Extensions, Day 8: Locking in Biologics Protection, Day 9: Limits on Medical Devices and Pharma Data Collection, Day 10: Criminalization of Trade Secret Law, Day 11: Weak Privacy Standards, Day 12: Restrictions on Data Localization Requirements, Day 13: Ban on Data Transfer Restrictions, Day 14: No U.S. Assurances for Canada on Privacy, Day 15: Weak Anti-Spam Law Standards, Day 16: Intervening in Internet Governance, Day 17: Weak E-commerce Rules, Day 18: Failure to Protect Canadian Cultural Policy, Day 19: No Canadian Side Agreement to Advance Tech Sector, Day 20: Unenforceable Net Neutrality Rules, Day 21: U.S. Requires Canadian Anti-Counterfeiting Report Card, Day 22: Expanding Border Measures Without Court Oversight, Day 23: On Signing Day, What Comes Next?, Day 24: Missing Balance on IP Border Measures, Day 25: The Treaties With the Treaty, Day 26: Why It Limits Canadian Cultural Policies, Day 27: Source Code Disclosure Confusion, Day 28: Privacy Risks from Source Code Rules, Day 29: Cultural Policy Innovation Uncertainty, Day 30: Losing Our Way on Geographical Indications, Day 31: Canadian Trademark Law Overhaul)