The TPP's ban on source-code disclosure requirements: bad news for information security

The secretly negotiated Trans Pacific Partnership is 2,000 pages' worth of regulatory favors for various industries, but one that stands out as particularly egregious is the ban on rules requiring source-code disclosure.

Hardly a day goes by without a researcher discovering critical flaws in devices ranging from hospital cardio servers to home alarm systems. Source code disclosure is an important step in making these devices more secure, allowing for independent scrutiny and auditing of tools that could literally kill us if their programming contains undisclosed defects.

TPP's ban on code auditing ties the hands of the countries that sign onto it, forbidding their legislatures and regulators from making rules that require vendors to disclose their source-code for regulatory approval or legal importation.

The Electronic Frontier Foundation's Jeremy Malcolm provides some vital context for what this rule means (less security for all of us) and where it comes from (the US Trade Rep wants to fight Chinese rules that require American companies to disclose sourcecode on products they export to China):

And the bad keeps on coming. Not only does the TPP foreclose rules that could require code to be open sourced or audited, it could also make it impossible for competition authorities to open up the market for the repair of products with embedded software. If the manufacturer of a car can't be required to give others access to the source code of the software that runs on its embedded computer systems, this seriously hinders an entire market for independent repair mechanics who could compete with its authorized repairers to work on that code, as well as markets for entrepreneurs to use their understanding of that code to make new devices that interoperate with vehicles, such as diagnostic tools and smartphone applications. This carries significant competition implications that the TPP negotiators, so far as we know, didn't even consider during their closed door negotiations in luxury hotels around the world…

…Although described by the USTR as "new," these requirements actually date from 2007 and are part of China's framework regulations for information security in critical infrastructure, known as the Multi-Level Protection Scheme (MLPS). The MLPS regulations limit products from being sold for use in Chinese information systems above a certain security level, unless their source code is disclosed to the government. Although this measure is presented as protection against security flaws and deliberate backdoors being inserted into critical software, it is also seen by U.S. companies as an impingement upon their ability to keep their code proprietary.

Assuming that this Chinese regulation is, in fact, a legitimate problem for U.S. companies, does the TPP actually address this very narrow problem? Not at all. First and most obviously, China is not a party to the TPP, and isn't likely to become one any time soon. But even if it were, the MLPS regulations only apply to software used in critical infrastructure—which is expressly exempted from the TPP provision anyway. So if anything, the provision makes even less sense than it seems to make at first glance.

TPP Threatens Security and Safety by Locking Down U.S. Policy on Source Code Audit
[Jeremy Malcolm/EFF]