How the Trans-Pacific Partnership agreement affects security

The Trans-Pacific Partnership agreement has riled up many in the security industry with some of its controversial provisions. Expert Mike Chapple explains its effect on cybersecurity.

The Trans-Pacific Partnership agreement has come under fire from a wide variety of opponents, including Internet activists and online privacy advocates who feel the agreement could jeopardize cybersecurity. Opponents of the agreement claim the proposed ban on source code audits, if approved as an international regulation, could hamper security efforts on a number of levels.

The Trans-Pacific Partnership agreement language was negotiated in secret by trade representatives from 12 Pacific Rim nations, including the United States, and with the notable exclusion of China. The public didn't see the text of the agreement until the negotiating nations released it in November. Trying to read the full Trans-Pacific Partnership agreement is a formidable task, as it weighs in at 30 chapters. Let's take a look at a few of the key provisions that affect cybersecurity and intellectual property rights.

Data flow agreement

Chapter 14 of the Trans-Pacific Partnership agreement, or TPP agreement, addresses electronic commerce and includes a number of provisions intended to "more effectively guarantee the security and privacy of Internet users," in the words of the U.S. Trade Representative. Many of these provisions concern the storage and flow of data across international borders.

One of the interesting TPP agreement provisions covers data center locality requirements. The language of chapter 14 clearly prohibits nations from requiring that companies "use or locate computing facilities in that party's territory as a condition for conducting business in that territory." There are some exceptions in the agreement when there are clear public policy concerns, but this language is intended to facilitate the cross-border use of cloud computing services.

Authentication safeguards

Chapter 14 also endorses the use of electronic authentication and explicitly affirms the legal validity of digital signatures, stating: "Except in circumstances otherwise provided for under its law, a Party shall not deny the legal validity of a signature solely on the basis that the signature is in electronic form." While electronic signatures are already commonly accepted and widely used in business transactions, this provision of the TPP agreement adds weight to their everyday use.

Prohibition on source code audit laws

Privacy advocates are making hay about a provision in the TPP agreement that prevents nations from adopting laws requiring that companies disclose their product source code as a condition of importing it into a TPP signatory nation. The Electronic Frontier Foundation, in particular, argues that this agreement constitutes "locking down U.S. policy on source code audit." They decry this as limiting the ability of the U.S. to enforce an important cybersecurity control. The reality, however, is that the U.S. does not currently have a law requiring source code audit.

The details of chapter 14 also include language in the source code audit section, reading "Nothing in this Article shall preclude…the inclusion or implementation of terms and conditions related to the provision of source code in commercially negotiated contracts." This leaves wide open the traditional means of facilitating source code reviews -- open source licensing agreements and private contracts.

Changes to intellectual property protection

Chapter 18 of the TPP agreement also contains important provisions for IT compliance professionals. This chapter, dedicated to intellectual property protections, adopts many of the U.S. intellectual property standards defined in the Digital Millennium Copyright Act (DMCA) as an international agreement. Specifically, it adopts language concerning ISP Safe Harbors and DRM. The TPP takes the Safe Harbor standards used by Internet service providers in the U.S. and extends them to all TPP nations. It also requires that nations signing the TPP adopt laws that prohibit circumventing digital rights management technology. Groups that opposed these provisions in the DMCA similarly object to their inclusion in the TPP.

A little more troubling are the criminal law requirements found in chapter 18. Countries adopting the TPP are required to implement laws that criminalize the violation of intellectual property protections including copyrights, trademarks and trade secrets. In addition to cases where the party gains commercially, TPP also requires criminalizing cases where there was no commercial gain but where there is "a substantial prejudicial impact on the interests of the copyright or related rights holder in relation to the marketplace." The EFF, in a blog post, argues that these provisions could criminalize many innocuous activities of normal citizens.

What's next for the Trans-Pacific Partnership agreement?

The draft TPP agreement is now complete and was released to the negotiating nations for signature. Implementation of the TPP requires that nations constituting 85% of the total GDP of the TPP nations sign the agreement within two years. This provision effectively gives the U.S. and Japan the ability to unilaterally veto the agreement by failing to ratify it, as both countries have more than 15% of the GDP requirement. Will the TPP agreement go into force? The clock is ticking.

This was last published in January 2016
