Updated. The TPP E-Commerce chapter has a provision banning requirements to transfer or provide access to software source code. This applies to “mass market software.”
Article 14.17: Source Code
1. No Party shall require the transfer of, or access to, source code of software owned by a person of another Party, as a condition for the import, distribution, sale or use of such software, or of products containing such software, in its territory.
2. For the purposes of this Article, software subject to paragraph 1 is limited to mass-market software or products containing such software and does not include software used for critical infrastructure.
3. Nothing in this Article shall preclude:
(a) the inclusion or implementation of terms and conditions related to the provision of source code in commercially negotiated contracts; or
(b) a Party from requiring the modification of source code of software necessary for that software to comply with laws or regulations which are not inconsistent with this Agreement.
4. This Article shall not be construed to affect requirements that relate to patent applications or granted patents, including any orders made by a judicial authority in relation to patent disputes, subject to safeguards against unauthorised disclosure under the law or practice of a Party.
I’m wondering how the GPL fares here, and how much money Microsoft spent lobbying to get this included in the TPP, or if the NSA has a role in this. One aspect of this provision is that governments cannot insist on source code transparency, for mass market software, even to address concerns over security or interoperability.
TPP text is now available here.
One might compare this provision to the European Commission open source strategy: http://ec.europa.eu/dgs/informatics/oss_tech/index_en.htm and the European Free/Open Source Software (F/OSS) licence, (EUPL), which includes provisions such as:
3. Communication of the Source Code
The Licensor may provide the Work either in its Source Code form, or as Executable Code. If the Work is provided as Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to distribute and/or communicate the Work.
. . .
Provision of Source Code: When distributing and/or communicating copies of the Work, the Licensee will provide a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available for as long as the Licensee continues to distribute and/or communicate the Work.
While the disclosure of the anti-open source provisions in the TPP came as a surprise to many, including KEI, the provision was reported in some press accounts a few weeks ago, based upon summaries of the text released by negotiators, but without the details of the proposal. See, for example:
- USTR, Summary of the Trans-Pacific Partnership Agreement
- In swipe at China, TPP bans demands for source code, October 23, 2015. the Japan News.
It turns out the anti-open source language was also seen in an earlier version of the secret TISA agreement published by Wikileaks, reminding us of the many secret fora where these issues are being considered. See:
- Glyn Moody, WikiLeaks releases secret TISA docs: The more evil sibling of TTIP and TPP. The new agreement that would hamstring governments and citizens even further. Ars technica. June 3, 2015, and
- Juha Saarinen, Trade agreement could prohibit open source code supply, May 29, 2015. ITNews.
Following the release of the TPP text, and the opportunity to real the actual language banning source code disclosures, there is now considerably more interest in this issue. See:
- Klint Finley, TRADE PACT COULD BAR GOVERNMENTS FROM AUDITING SOURCE CODE, November 5, 2015. Wired.
- Cory Doctorow, TPP will ban rules that require source-code disclosure, NOV 6, 2015, BoingBoing.
- Stewart Baker. USTR decides that no gov’t can have access to mass mkt s/w source code. Means we can’t review code from Vietnam. November 5, 2015. Twitter. (Among other things, Baker is a former General Counsel for the NSA).
More additional context, see:
- Anne Shields, IBM Succumbs to China’s Pressure to Probe Source Code, October 30, 2015, Market Realist.
One trade association that has lobbied USTR on this issue is the Business Software Alliance (BSA). This is from the BSA February 6, 2015 submission to USTR, on whether US trading partners should be designated Priority Foreign Country, Priority Watch List or Watch List in the 2015 Special 301 Report. (link here). The relevant sections are in the discussions about China, Brazil and Nigeria.
China, page 15.
Security: In early 2015, the Cyberspace Administration of China (CAC) announced that it had finalized a draft of the National Cybersecurity Review Regime, which is expected to be submitted to the Office of the Central Leading Small Group for Cybersecurity and Informatization for review. Details remain unclear, but the regime may exclude any ICT products or software that are not deemed “secure and controllable” by government authorities. Indications suggest that some of the criteria, such as requirements to disclose source code or turn over encryption algorithms and solutions, are designed to ensure that only domestic products will be eligible to qualify.
Brazil, Page 38.
Government Procurement Restrictions: Presidential Decree 8135/2013 (Decree 8135) regulates the use of ICT services provided to the federal government by private and state owned companies. The Ministries of Planning and Defense issued the first set of implementing regulations on May 5, 2014. The Decree states that federal entities and mixed capital ownership companies are restricted to approved stateowned suppliers (e.g., Telebras, Serpro, and Dataprev) that they can contract without bids. Full migration to approved systems must occur within five years.
The Ministry of Planning is currently developing regulations to enable implementation of Decree 8135 which include: technical specifications for standardized services; contract rules, conditions and prices; interoperability standards (referred to as e-PING); management of agency solicitation of services; and periodic price review. The draft regulations present multiple serious problems for BSA members, especially deviation from global standards and requirements to disclose or register source code and other intellectual property. BSA appreciates the opportunity provided by the Ministry of Planning to contribute input via public written comments, which we submitted in late 2014, and through subsequent meetings to be held in late February 2015. BSA hopes that, as a result of this dialogue, the Brazilian government will implement measures that effectively enhance the cybersecurity of government agencies without imposing unnecessary market access barriers to BSA member products and services.
Nigeria, page 66
In 2014, the Nigerian government released the Guidelines for Nigerian Content Development in Information and Communications Technology (Guidelines). If these guidelines are implemented, Nigeria would become one of the most restricted and closed ICT markets in the world. Specifically, the Guidelines impose stringent local content requirements for ICT hardware, software, and services for government and private sector procurements, restrict employment of non-Nigerian citizens in the sector, force technology transfer, require the disclosure of source code and other sensitive design elements as a condition of doing business, and impose severe data and server localization requirements.