An Analysis of the Digital Provisions in the TiSA Draft

Drew Wilson | October 2, 2015

The Trade in Services Agreement (TiSA) is one of a number of secret trade agreements currently circulating behind closed doors. Like others, it contains digital provisions in a few “annexes”. We analyze these provisions as per the latest 2015 draft leak.

The TiSA is a currently secret proposed trade agreement that, according to Wikipedia, involved a number of North American, South American, European, and Asian countries. Notably, China isn’t one of the 24 countries involved in this trade agreement.

Already, we’ve published analyses of both the latest leaked draft of the Trans-Pacific Partnership (TPP) and the publicly released Comprehensive Economic and Trade Agreement (CETA). While the TPP and CETA were agreements known to us for a long time, TiSA is basically uncharted territory for us as this is the first time we’ve ever looked at this agreement.

The latest draft leak of TiSA was from earlier this year and was published in full by Wikileaks in July. Compared to other leaked copies of these agreements, this one is a relatively recent leak.

So, let’s get straight into the text and commentary. We’re going to begin our examination with the Electronic Commerce annex. This particular annex that we are reading can be downloaded or viewed on this Wikileaks page. Our PDF reader shows that it’s one page ahead of the actual pagination in the document. For simplicity, we’ll refer to the pagination in the actual document instead.

Anti-Spam Provisions

Our analysis starts on page 5 which shows the following:

Article 5: Unsolicited Commercial Electronic [AU/CO/NZ propose: Messages] [EU propose; NO considering: Communications] 1.
[AU/CA/CL/CO/CR/EU/IL/JP/KR/MX/NZ/NO/PE propose: Each Party shall [TW/TR propose: endeavour to] adopt or maintain measures regarding unsolicited commercial electronic [messages] [EU propose: communications] that:] (a) require suppliers of unsolicited commercial electronic messages to facilitate the ability of recipients to stop such messages; or [EU/NO propose; AU oppose: and] (b) require the consent, as specified according to the laws and regulations of each Party, of recipients to receive commercial electronic messages; [EU/NO oppose: or (c) otherwise provide for the minimization of unsolicited commercial electronic messages.]]

2. [AU/CA/CL/CO/IL/JP/KR/NZ/NO/PE propose: Each Party shall [TW/TR propose: endeavour to] provide recourse against suppliers of unsolicited commercial electronic messages who do not comply with its measures implemented pursuant to paragraph 1.]

3. [AU/CA/CL/CO/CR/EU/IL/KR/JP/NZ/NO/PE propose: The Parties shall endeavour to cooperate in cases of mutual concern regarding the regulation of unsolicited commercial electronic messages.]

Judging by the different initials of different countries, a lot of this is in the earlier stages of discussion. Still, it’s interesting to see that anti-spam provisions are found in a trade agreement.

A known issue with such mechanisms is that some spammers will implement an “unsubscribe” feature in the spam message. Most of the time, the purpose is not necessarily to allow recipients to unsubscribe from spam messages, but rather to act as a verification mechanism so that spammers know the e-mail in question is actively in use. It’s certainly possible that malware can be distributed through these links. Either way, there are plenty of spammers who do not operate within the confines of the law. The risk here is that individuals may be more inclined to click an unsubscribe link in the belief that the law makes this an actual way to stop receiving spam.
I can’t really see how the first provision is going to really help things outside of providing a framework for legitimate businesses to operate under. What is of interest is the second provision, which suggests that there would be actual penalties levied against spammers. What that recourse actually is simply isn’t specified.

What might give these provisions teeth are actual investigative provisions. Setting up a task force to investigate larger spam and malware campaigns might be an idea. Pouring some resources into stopping spammers might be a thought as well.

One concern is that these provisions are seemingly directed at e-mail spam and maybe text messaging spam. That’s all well and good, but there are other forms of spam such as forum spam and comment spam. The widening of that scope might not be a bad thing in my view. How effective this will all be is definitely up in the air, but at least it’s a nice thought.

The Transferring of Source Code

Directly after on page 6 is the following:

Article 6: [JP propose; CO oppose: Transfer or Access to Source Code 1. No Party may require the transfer of, or access to, source code of software owned by a person of another Party, as a condition of providing services related to such software in its territory. 2. For purposes of this Article, software subject to paragraph 1 is limited to mass-market software, and does not include software used for critical infrastructure.]

This is probably the first time I’ve seen source code being explicitly discussed in a trade agreement. At first, this may sound like this relates to open source software, but a careful reading will reveal that this is simply related to closed source projects. It’s hard to see what implications there are, but the only thing that comes to mind is closed source encrypted communications. There might be a very small layer of added protection for developers here, but beyond that, I can’t personally think of how else this changes things based on this text.
Security Interests

Fast forward to page 11, we see the following:

Article 14 [US propose: Nothing in Section III (Electronic Commerce) shall be construed to prevent any Party from taking any action which it considers necessary for the protection of its own essential security interests.] [CO/JP would like to clarify the meaning of “essential security interests” in paragraph 1 of this article.] [KR: Korea would like to have greater discussion on what is meant by “essential security interests” in this article.]

Looking at the first part of this, “essential security interests” is certainly a vague term for such a broad exception. In fact, reading the second part, we aren’t the only ones who thought this and were wondering about clarity as well. Obviously, the public isn’t permitted to observe actual discussions revolving around this international lawmaking, so we don’t know if something was said about clarity, but we can tell that questions were certainly raised about this.

What concerns were specifically either raised or thought of when the US proposed this could be left for all kinds of speculation. For instance, is this in relationship to parties not being permitted to ask for source code in order to operate in a given jurisdiction? Is the US merely seeking a broad exception that could mean just about anything? Is the US attempting to shoe-horn surveillance of some kind into this agreement in this annex? A lot of possibilities, but there would be little, if anything, substantive to back up any of these possibilities.

Proposed Articles

Protection of DRM

The section towards the end of the annex describes proposals for articles. The purpose was apparently to facilitate discussion. The first proposal that stuck out for us is found on page 15 which shows a US proposal that reads:

[US propose: Article X.4: Local Technology 1.
Subject to any [AU propose: terms,] conditions, limitations and qualifications set out in its Schedule, no Party may, in connection with the supply of a service, impose or enforce any requirement or enforce any commitment or undertaking: (a) to transfer a particular technology or other proprietary knowledge to a person in its territory; or (b) (i) to purchase, use, or accord a preference to, in its territory, technology of the Party or of persons of the Party6; or (ii) that prevents the purchase or use of particular technology in its territory so as to afford protection on the basis of nationality to its own services or services suppliers or to technology of the Party or persons of the Party.

2. Paragraph 1 does not apply: (a) when a Party authorizes use of an intellectual property right in accordance with Article 31 of the Agreement on Trade Related Aspects of Intellectual Property Rights (TRIPS Agreement), or to measures requiring the disclosure of proprietary information that fall within the scope of, and are consistent with, Article 39 of the TRIPS Agreement; or (b) when the requirement is imposed or the commitment or undertaking is enforced by a court, administrative tribunal, or competition authority to remedy a practice determined after judicial or administrative process to be anticompetitive under the Party’s competition laws.]

After a couple of attempts to read through this, it gradually became clear that 2a is likely in reference to DRM. On the surface, this almost seems to override contract law, but this is simply government mandated restrictions. Anti-circumvention would fit the bill, but this is related to services. In that case, this can be in relationship to services like Steam or any vendor that restricts content via DRM. It’s unclear to us what other services would be out there that wouldn’t fall under this, so this is likely an explicit loophole being placed into this agreement.
Of course, since it is just a discussion point, we can’t say it is definitely in the agreement, only that it’s a possible addition that is actively being proposed at this stage.

Protection of Surveillance and Data Retention

Another proposed section is found on page 17 which shows the following:

[US propose: Article X.6: Movement of Information No Party may prevent a service supplier of another Party from transferring, accessing, processing or storing information, including personal information, within or outside the Party’s territory, where such activity is carried out in connection with the conduct of the service supplier’s business.]

While this isn’t a proposal by the US to explicitly encourage surveillance and data retention, it does stop governments from preventing services from carrying out any sort of data retention. Given the long history of the US having warrantless wiretapping policies, this may be an attempt to later slurp up such personal information should a service happen to reside in the US. If a country does decide to take a more progressive stance on creating more robust privacy regulations, this agreement may hamper such actions.

Repeated Call to Protect Security

On page 18, the US seems obsessed with adding protections for the vague “essential security interests”.

4. Nothing in [Articles X.1 – X.8] shall be construed to prevent any Party from taking any action which it considers necessary for the protection of its own essential security interests.]

Earlier, this exception seemed broad and vague – so much so that other parties were requesting clarity on the term. Since this is supposed to be a blanket exception on the proposed sections as well, this would apply to the aforementioned protection of data retention. Again, it’s not out of the question to assume that the US government may have an interest in slurping up as much personal data as possible.

That is what we found in the Electronic Commerce annex.
We now shift our focus onto the other annex that is of interest to us: the Telecommunications Services annex of the agreement. You can follow along with our reading by viewing the document found on Wikileaks. Again, we’re going by the page number that is printed on the page itself, not what a PDF reader will show (which is generally adding a page thanks to the cover sheet).

Allowing VPNs to Exist

The first thing that stuck out to us is the following on the end of page 1 going into page 2:

3. [AU/CA/CL/CO/CR/IL/JP/KR/PA/PE/US propose: Nothing in this Annex shall be construed: (a) to require a Party, or require a Party to compel any service supplier, to establish, construct, acquire, lease, operate, or provide telecommunications networks or services not offered to the public generally;] (b) to prevent a Party from prohibiting persons operating private networks from using their [US propose: private] networks to [US propose: supply] [US oppose: provide] public telecommunications networks or services to third persons.]

It’s an interesting start to this annex. This appears to be a blanket protection to VPN providers to allow them to simply operate. There are no additional protections beyond that, but it is an odd way to start because it makes us wonder what is in this annex if it has to start in this manner.

Foreign Ownership of Telecommunications

Foreign ownership is touched on in this annex. Judging by how hard it is to read thanks to how many variations of the text are proposed, it’s obviously still in the early stages of being hashed out:

1.
[CO/JP/EU/CH/LI/NO propose; CA/CR/IL/KR/PE oppose: Foreign Ownership] [CO/JP propose: Each Party shall endeavour to] [CH propose: Parties should] [CO/JP/CH propose: allow] [CO/JP propose: full] [CO/JP/CH propose: foreign participation in] [JP propose: its] [CO/CH propose: their] [CO propose: electronic services,] and telecommunications services sectors, through establishment or other means] [CO/CH propose: without limitations of foreign capital participation]. [EU/IS/NO propose; KR/US oppose: No Party shall impose joint venture requirements or limit the participation of foreign capital in terms of maximum percentage limit on foreign shareholding or the total value of individual or aggregate foreign investment as a condition to supply telecommunication services through the establishment of a commercial presence.] [JP/KR propose: Subject to a Party’s schedule of specific commitments, [JP propose: each] [KR propose: a] Party shall not adopt or maintain [KR propose: market access or national treatment] limitations on [JP propose: full] foreign participation in its electronic commerce and telecommunications services sectors, through establishment or other means.]

This would seem to allow not only foreign investment, but also foreign ownership of telecommunications services. Unsurprisingly, Canada is against this because of such tight laws surrounding foreign ownership in the first place. Many point out that this has protected a monopolistic marketplace for telecommunication companies. This would be a threat to that protected market.

Roaming Charges

We didn’t find much of interest (unless you consider ISP licenses, resale of licenses, circuitry, wireless spectrum auctions, and submarine cable regulation to be interesting) for quite some time until we hit page 32. This section was of mild interest:

3.
[EU/IL/IS/NO/TR propose; CH/UY considering: Each Party ensure that suppliers] [TR propose; CH considering: provide] [EU/IS/IL/NO propose: ensure the provision of] information on rates for retail international mobile roaming services for voice, data, and text messages offered to [EU/IL/IS/TR propose; CH oppose: its] consumers.

3. [AU/CL/CO/PE propose: [e]ach Party shall ensure that: (a) suppliers of public telecommunications services in its territory; or (b) its telecommunications regulatory body; make public available retail rates for international mobile roaming services, for voice, data and text messages.]]

This section doesn’t necessarily contain a dispute mechanism of any kind, but it does compel ISPs to make available rates in regards to roaming charges. It’s not much, but it’s something. The question is, would roaming rates be regulated? Apparently, no, according to page 33:

7. [AU/NZ propose; TR oppose: For greater certainty: (a) nothing in this Article shall require a Party to regulate rates or conditions for international mobile roaming services; (b) no Party may, solely on the basis of any obligations owed to it by the regulating Party under a most-favoured-nation provision, or under a telecommunications-specific nondiscrimination provision, in any existing international trade agreement, seek or obtain for its suppliers access to regulated rates or conditions for wholesale international mobile roaming services that is provided under this Article.]

Personal Information

While definitions don’t typically house much of interest, there was this curious inclusion on page 40:

[AU/CO/NZ propose: personal information means any information, including data, about an identified or identifiable natural person.] [Proponents will consult on this definition of personal information.]

This took us off guard because we didn’t catch anything in the initial reading that related to personal information.
Naturally, we did a word search for “personal information” and the term doesn’t exist in the rest of the Annex. Unless there are references to personal information in another Annex that we missed, this ends up being a bit of an oddity to add. Of course, given how preliminary many of these sections come off, this could be touched on in future versions.

Final Thoughts

Considering this was the longest annex we examined, we were surprised at how little was in it that was relevant to our interests. We were expecting to see something about online surveillance and flow of personal data. In the end, all we got was a definition thrown in at the end. Of course, this could be a relief for now. Still, it is of concern to see an open door to surveillance in the Electronic Commerce annex.

While, to our knowledge, this doesn’t have as many provisions that would be troubling to digital rights advocates as the TPP or CETA, we should point out that this appears to be in the earlier stages of development. Surveillance could be more explicitly referenced and added in these annexes. Traffic shaping could also be added. Intellectual property laws could worm their way in at some point. So, we will continue to monitor for developments in this trade agreement.

Drew Wilson on Twitter: @icecube85 and Google+.