Skip to main content

DEEPLINKS BLOG

Cyber-Espionage and Trade Agreements: An Ill-Fitting and Dangerous Combination

October 17, 2014

Yesterday's leak of a May 2014 draft of the Trans-Pacific Partnership (TPP) agreement revealed the addition of new text criminalizing the misuse of trade secrets through "computer systems", as mentioned in our previous post about the leak. This is a significant revelation, because we also know that trade secrets are planned for inclusion in the EU-US free trade agreement, TTIP (the Trans-Atlantic Trade and Investment Partnership). The revelation of the proposed text in the TPP provides a good indication that the same kind of language will likely also appear in TTIP. Frighteningly, this text contains no protections to safeguard the public interest.

Today we delve into this provision and its background in more depth.

Why Trade Secrets, and Why Now?

The US Trade Representative's sudden interest in trade secret protection arises largely from reports of widespread cyber-espionage against US companies emanating from China. This has also led to domestic proposals such as this year's Defend Trade Secrets Act, introduced in the Senate in April, and its companion House bill, the Trade Secrets Protection Act, which would create a new federal private right of action for trade secret theft.

In August this year, 31 law professors wrote a joint letter opposing these bills on a number of grounds, including that they are unbalanced, risking that they could be used for anti-competitive purposes, and that they have potential ancillary negative impacts on access to information. The professors write:

Labeling information as a trade secret has become a common way to prevent public and even regulatory access to important information ranging from the composition of hydraulic fracturing fluids to the code inside of voting machines, all of which have compelling (but not uncontroversial) reasons for public access in a democracy.

Even if these new US bills pass, their enforceability against foreigners will be, in practical terms, rather limited. The introduction of new language on trade secrets into both TPP and TTIP—which may become the United States' two largest trade agreements—is therefore a parallel tactic to address cyber-espionage on the global stage.

(Observant readers might have spotted an apparent flaw in this plan, given that China will not be a party to either of these agreements. But the reasoning is that if enough other countries agree on new global standards, diplomatic pressure can be applied on China to also comply. As the Europeans have put it, “The EU and the US also have a common interest in pursuing protection of trade secrets against misappropriation in third countries”.)

Paragraph 1—Trade Secrets

The language in the TPP, however, doesn't much resemble either of the current Congressional bills. This is because if the TPP is agreed, it will create an obligation on the US to ensure that it accords with domestic law, and the US Trade Representative is unable to guarantee that the bills currently in Congress will pass. Instead, the first paragraph is drawn from TRIPS, the multilateral treaty that sets a global minimum standard for so-called intellectual property protection, and the second and third paragraphs are brand new, but share lineage with both the Economic Espionage Act and the Computer Fraud and Abuse Act (CFAA).

This is where things get complicated—because the legal theories, methods and objectives of those two sources are actually quite different.

So beginning with paragraph 1: it very closely mirrors the language that TRIPS members (including all the TPP negotiating countries) have already agreed. It requires them to offer the means to prevent trade secrets from being disclosed to, acquired by, or used by others without consent in a manner contrary to honest commercial practices. This generally, as in the US, involves a private cause of action to be litigated in a civil court.

Paragraphs 2 and 3—Computer Espionage

Next, let's turn to paragraphs 2 and 3, which are worth setting out in full:

  1. Each Party shall provide for criminal [VN propose: or administrative] procedures and penalties for one or more of the following:
    1. the unauthorized, willful access to a trade secret held in a computer system;
    2. the unauthorized, willful misappropriation of a trade secret, including by means of a computer system; or
    3. the fraudulent {or unauthorized} disclosure of a trade secret, including by means of a computer system.
  2. A Party may, where appropriate, limit the availability of such criminal procedures or limit the level of penalties available in respect of the aforementioned activity to one or more of the following conditions:
    1. for purposes of commercial advantage or financial gain;
    2. related to a product or service in national or international commerce;
    3. intended to injure the owner of such trade secret;
    4. directed by or for the benefit of or in association with a foreign economic entity; or
    5. detrimental to a Party's economic interests, international relations, or national defense or national security.

These provisions are quite different from the first, because they make trade secret misappropriation a criminal offence. As noted above, these provisions partly draw on the US Economic Espionage Act. But they go considerably further, in that the offense is not required to be limited to cases where the owner is harmed and where someone else benefits from the trade secret misappropriation, both of which are conditions of the offense under current US law.

They also add a new offense of unauthorized, willful access to a trade secret held in a computer system, regardless of whether the trade secret is copied or disclosed. This provision has more in common with the CFAA which criminalizes anyone who “intentionally accesses a computer without authorization…and thereby obtains…information from any protected computer”—one of the provisions under which Aaron Swartz was charged.

So in sum, these provisions go further than current US law, potentially criminalizing anyone who gains access to secret information of commercial value. There are no safeguards to protect investigative journalists, security researchers or whistleblowers, who may obtain access to information without criminal or commercial intent. The inevitable result will be to chill the speech of those who might otherwise have a valid public interest justification for releasing information that had been kept secret.

The TPP and TTIP are, supposedly, free trade agreements; they are not the Cybercrime Convention. If this text were accepted, it would be the first time that a trade agreement would be used to criminalize those who obtain access to secret information held online, regardless of their motivation and without any public interest defenses. Like the rest of the IP chapter—but if anything, even more so—this goes far beyond the appropriate scope for an agreement that is being negotiated behind closed doors and away from public oversight.

We don't know for sure that these paragraphs are included in the current TPP text, as the leaked text is several months old. It also contains the disclaimer, “Parties are still reflecting on the new formulation for paragraphs 2 and 3.” As such a spokesperson for the US Trade Representative has had the gall yesterday to “strongly caution anyone from drawing premature conclusions of any kind based on supposed leaked text from unsubstantiated, unnamed sources”, as if we had any more official source of information on which to draw.

All we can say is that we had all better hope that these provisions don't make it into the final agreement, because they are amongst the most atrocious, overreaching and human-rights infringing provisions in the entire text of the TPP.

If you're in the US, please call on your representatives to vote no on the TPP's ratification:

TPP action button
JavaScript license information