The U.S. Trade Representative (USTR) fears the grassroots tech community, and rightly so. Internet users are the community that killed SOPA and PIPA in the U.S. Congress and ACTA in the European Parliament. The USTR is right to fear that the same could happen to the Trans-Pacific Partnership agreement (TPP).
That's why they've taken such pains to present the TPP as being friendly to the Internet and tech users and have included a few provisions in the agreement that they can point to to justify this claim. We've covered (and debunked) some of these before—notably the free flow of information rules common to both TISA and the TPP—but there's another that deserves comment.
Under the heading “How the TPP Protects the Internet and Ensures Digital Freedom,” the USTR claims on its website that the TPP “ensures that companies and individuals are able to use the cybersecurity and encryption tools they see fit, without arbitrary restrictions that could stifle free expression.” This refers to a heretofore obscure provision hidden away in Annex 8-B of the Technical Barriers to Trade [PDF] chapter of the TPP, which provides:
With respect to a product that uses cryptography and is designed for commercial applications, no Party may impose or maintain a technical regulation or conformity assessment procedure that requires a manufacturer or supplier of the product, as a condition of the manufacture, sale, distribution, import or use of the product, to:
- transfer or provide access to a particular technology, production process, or other information (such as a private key or other secret parameter, algorithm specification or other design detail), that is proprietary to the manufacturer or supplier and relates to the cryptography in the product, to the Party or a person in the Party’s territory;
- partner with a person in its territory; or
- use or integrate a particular cryptographic algorithm or cipher, other than where the manufacture, sale, distribution, import or use of the product is by or for the government of the Party.
The USTR's characterization of these provision certainly seems to have convinced former Homeland Security policy secretary and NSA lawyer, Stewart Baker, who went so far as to proclaim in the Washington Post that the USTR wins the Crypto War. In his interpretation, the provision would prevent a TPP country from requiring a supplier of cryptographic software to provide it with a backdoor or “golden key," of the kind that law enforcement authorities have been demanding and that we have consistently and strongly denounced.
But this is much too rosy an interpretation, for several reasons. Most importantly, the provision quoted above is immediately followed by an exception whereby a service provider that uses encryption can still be required to provide unencrypted communications to law enforcement agencies pursuant to “legal procedures.” Since this is really all that law enforcement authorities are after, the fact that a provider can't actually be forced to disgorge the actual private key they are using, hardly matters at all.
But, for the sake of argument, supposing the government does want a product's private key, rather than just the decrypted communications, the TPP still allows them a way to get it. The Technical Barriers to Trade chapter is only about standards with which products must comply in order to be approved for commerce. Thus it prohibits the requirement that a private key allowing decryption be handed over as a condition of manufacture, sale distribution, import or use of the product. But it wouldn't do anything to prevent the government from seeking a court order against a software vendor requiring it to disclose the private key of a product that is lawfully marketed or supplied within the country.
Further, the Exceptions and General Provisions chapter provides that “Nothing in this Agreement shall be construed to … preclude a Party from applying measures that it considers necessary for the fulfilment of its obligations with respect to the maintenance or restoration of international peace or security, or the protection of its own essential security interests.” This lays the foundation for a government to override Annex 8-B altogether if it can claim that it considers it necessary to do so for national security reasons.
As if the above loopholes weren't large enough already, consider that the provision in Annex 8-B is only enforceable by other TPP countries. This means that if, say, the United States government compelled a home-grown encryption product such as Wickr to embed an encryption backdoor, there would be no restriction of trade between the TPP countries and thus no actionable claim under the TPP.
A similar situation would exist for products from non-TPP countries; nothing would prevent a TPP country from requiring the developers of, for instance, Telegram which is based in Germany, to backdoor their software. A claim under the TPP would only arise if the country demanding backdoor access to an encryption product, and the country from which that product is developed or supplied, are both different TPP signatories.
So what appears on the surface to be strong protection for crypto software in the TPP is actually much weaker than it seems: it doesn't prevent the government from requiring providers to give them access to decrypted data, it doesn't protect developers against backdoor demands from their own government, it doesn't protect tools from countries that aren't TPP signatories, it doesn't stop a country from demanding access to private keys of a product so long as this demand is not a condition of supply of that product within the country, and on top of all that, there is a sweeping national security exception that can override the provision altogether.
So much for winning the crypto wars.