November 18, 2015 9:03AM

The TPP and Encryption

As we evaluate the TPP in the coming months, there will be a lot of talk about the "regulatory"/"governance" parts.  These aspects can be very difficult to evaluate.  Here's an illustration of why the assessment is so hard.

Over at the Volokh Conspiracy blog, Stewart Baker had a recent post in which he worried that a particular TPP provision would prevent the NSA/FBI etc. from demanding encryption keys from private companies.  Now, I have a different view of what constitutes good public policy, so if the TPP prevented this, I wouldn't be worried.  But does the TPP actually do this?

The provision in question is in the Technical Barriers to Trade chapter, in Annex 8-B, Section A, paras. 3-4 (pp. 22-23 of the linked document).  At first glance, it does seem as though it says what Mr. Baker thinks it says, as it provides that with respect to a product that uses cryptography and is designed for commercial applications, no TPP Party may require the transfer of a private key or something similar.  (Go to the link for the full legalese; also, note that the provision has other functions as well).

But, before we draw a final conclusion, we need to keep in mind the exceptions set out in another chapter

One particularly broad exception is for "security."  Article 29.2(b) says:  "Nothing in this Agreement shall be construed to: ... preclude a Party from applying measures that it considers necessary for the fulfilment of its obligations with respect to the maintenance or restoration of international peace or security, or the protection of its own essential security interests."  The word "considers," in the trade law context, usually means a provision is "self-judging," indicating that the government has a lot of leeway to do whatever it wants.  So, at least in theory, if the government demanding a private key invokes "security," it can pretty much do whatever it wants.

So how do we find out what the TPP provisions actually mean?  What do they require from governments in terms of demanding encryption keys?

The answer is, we don't know yet.  As with constitutions, trade agreements get elaborated through litigation.  At some point, a TPP Party may have concerns with the behavior of another Party on these issues, and bring a complaint, at which time a dispute panel will have to apply these provisions to the facts of the case.  Until then, there will be some uncertainty as to what exactly all of this means.

One final point is that the U.S. Trade Representative has provided summaries of the TPP provisions, and on this issue, here's what it says:  "TPP Parties will be prohibited from disclosure of proprietary information in order to comply with technical regulations or conformity assessment procedures, a requirement that some governments could use to expropriate proprietary information and disseminate it to competitors."  So they only mention a completely different purpose for this provision, not the private key part.  For those interested in the meaning of the TPP, whether members of Congress or ordinary citizens, it's worth asking the administration for some additional insight as to what the full impact of these provisions will be.