The University of Maryland Data Breach: Insights and Questions

Wow, that brings back memories!

Gabriel J. Michael / gmichael at gwu dot edu

Yesterday evening, the University of Maryland announced that it had suffered a data breach exposing personally identifiable information of approximately 309,079 individuals, including current and former students, current and former faculty and staff, administration, and affiliated personnel.

Specifically, the University is reporting that attackers were able to copy a database containing the full names, Social Security Numbers (SSNs), birth dates, and University ID numbers (UIDs) of everyone issued a university ID since 1998.

The University’s response so far has been reasonable. The breach is thought to have occurred early Tuesday morning, and the University began notifying the public Wednesday evening, less than 48 hours later. Outside investigators are being brought in to examine what exactly happened.

However, there remain several serious issues that must be addressed by the University within the coming days and weeks to ensure an adequate and appropriate response to this incident. As an alumnus with some knowledge of the University’s security practices in the past, here are my thoughts.

The University Must Immediately Address Related Security Issues

I attended the University of Maryland, College Park, between 2003 and 2007. This morning, I logged into the Testudo registrar system using my Student ID number (SID) and PIN. As the Testudo website helpfully notes, your “Student ID, in most cases, will be your Social Security Number” and “Your PIN is originally set to your six (6) digit birth date (e.g. mmddyy or 012585).”

In my case, both these statements were accurate, and I was able to log in and access the transcript request service using my SSN and birth date. I suspect this is the case for large numbers of alumni, if not current students. I vaguely remember changing this PIN while I attended the University, but even if I wanted to now, there is no obvious way to do so.

This means that the attackers (or more likely, anyone they have sold the data to) can currently request academic transcripts for any current or former student. Apart from the actual breach itself, this is almost certainly a separate FERPA violation. Unscrupulous individuals could use these transcripts in a variety of interesting ways.

If it has not already done so, the University should immediately begin monitoring the transcript request service and other related services that rely on the SID/PIN combination to prevent fraudulent access, and perhaps impose additional informational requirements before granting access to these services. The University should also advise affected individuals how they may change their PIN.
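One way to scope that exposure, as an added example that is not the University's code: audit which accounts can be logged into using only fields from the breached database (SSN and birth date). The record layout, the salted PBKDF2 PIN storage, the helper names and every sample value are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

PBKDF2_ROUNDS = 10_000  # assumed work factor of the hypothetical PIN store


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Assumed PIN storage: salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def default_pin(birth_date: date) -> str:
    """Initial PIN as Testudo describes it: six-digit birth date, mmddyy."""
    return birth_date.strftime("%m%d%y")


@dataclass
class Account:
    sid: str          # login identifier
    ssn: str          # nine digits, no dashes
    birth_date: date
    pin_salt: bytes
    pin_hash: bytes


def audit(account: Account) -> list:
    """Return which login factors are derivable from the breached fields."""
    findings = []
    if account.sid == account.ssn:
        findings.append("sid_is_ssn")
    # Re-derive the default PIN from the birth date and test it against the
    # stored hash; the PIN itself is never needed in plaintext.
    candidate = hash_pin(default_pin(account.birth_date), account.pin_salt)
    if hmac.compare_digest(candidate, account.pin_hash):
        findings.append("default_pin")
    return findings


def exposed_by_breach(account: Account) -> bool:
    """True when both the identifier and the PIN come straight from breached data."""
    return audit(account) == ["sid_is_ssn", "default_pin"]


def make_account(sid: str, ssn: str, born: date, pin: str) -> Account:
    # Deterministic salt so the demo is repeatable; a real store uses random salts.
    salt = hashlib.sha256(sid.encode()).digest()[:16]
    return Account(sid, ssn, born, salt, hash_pin(pin, salt))


def sample_accounts() -> list:
    """Constructed records; area number 000 is never issued as a real SSN."""
    return [
        make_account("000000001", "000000001", date(1985, 1, 25), "012585"),
        make_account("000000002", "000000002", date(1984, 7, 4), "493817"),
        make_account("U10000003", "000000003", date(1986, 12, 31), "123186"),
    ]


if __name__ == "__main__":
    for acct in sample_accounts():
        action = "force PIN reset" if exposed_by_breach(acct) else "review"
        print(acct.sid, audit(acct), action)
```

Accounts flagged by `exposed_by_breach` are the ones to lock behind a forced PIN change or additional verification before the transcript service will serve them.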

One Year of Free Credit Monitoring is Inadequate

As part of its response, the University has committed to providing “one year of free credit monitoring” through an as-yet unspecified company to those affected. While better than nothing, this is inadequate. Unlike data breaches involving credit or debit card numbers, which can be reissued, this breach released SSNs which are extremely difficult to change.

I was affected by the recent Target data breach, which exposed my credit card number to the attackers. However, my credit card company is issuing a new card with a new number, making the old card information useless. In contrast, the information obtained from the UMD data breach will remain valuable for decades to come. In fact, it will become even more valuable in a year when the free credit monitoring has expired.

The University Must Disclose the Technical Details of What Happened

So far, we know virtually nothing about the technical details of the attack. Given that the attack is still under investigation, this is understandable. However, when the investigation is complete, or at least when enough detail has been uncovered, the University must disclose the technical details of what exactly happened. There are several reasons why such disclosure is important.

First, it provides a valuable public service. If other organizations rely on similar security measures or software packages, they should have the opportunity to address the security flaws that affected the University. By not releasing details of the attack, the University would be ensuring that such attacks could be repeated in the future against other organizations.

Second, it allows us to verify University statements. The University is currently describing this incident as a “sophisticated computer security attack.” The Diamondback is calling it a “massive cyberattack.” The University’s Chief Information Officer is saying ‘The hacker or hackers must have had a “very significant understanding” of how the school’s data are designed and protected… in contrast with typical attacks,’ claiming “These people picked through several locks to get to this data.”

Perhaps these statements are true, but given my previous experience with UMD’s security practices (discussed below), I have my doubts. The Target breach was a relatively sophisticated attack. Without any technical details, we don’t know if the UMD breach was due to carelessness, negligence, an honest mistake, or whether appropriate measures were actually in place and were simply defeated.

Third, by releasing the technical details of the attack, the University will be forced to discuss how they have responded to the attack to prevent its recurrence. Knowledgeable members of the public can then assess the response to see if it is adequate. In the past, the University has responded to security problems with a rushed and inappropriate response, creating further problems down the road (discussed below).

Could the Breach Have Been Easily Avoided?

Without technical details, there is no way to answer this question with any certainty. However, my previous experience with security practices at UMD gives me pause.

I attended UMD between 2003 and 2007. Between at least 2003 and 2006 (and probably earlier), the University used students’ SSN as their primary identifier. In order to get a transcript or interact with the registrar, you provided your SSN. If you lost your ID card, or forgot it when you went to the gym, a helpful student worker would ask, “What’s your soc?” (pronounced “sōsh”). Several times I remember having to write my SSN on the cover page of academic documents.

The SSN was also stored on the magnetic stripe of every student’s University ID card, although the number was not printed anywhere on the card.

This was a bad practice, and eventually the University began to transition from using SSNs to University ID numbers (UIDs). It also re-issued ID cards to the entire university population. This latter decision was at least in part prompted by the work of a group of students who were studying the University’s security and access protocols. I was informally involved with this group. For a detailed overview of their work (minus some redactions), read this paper.

Unfortunately, in its haste to remove SSNs from ID cards and despite being warned about the problems it could cause, the University made the poor decision to replace the SSN with the UID. This presented a problem, since the UID was publicly accessible for the entire student/faculty/staff population on an LDAP directory server. This meant that a malicious individual could look up the UID of any individual, and create an ID card that would allow them physical access to any location the individual could normally access.

The university eventually rectified this mistake, if I recall correctly, by re-encoding the recently re-issued ID cards with a meaningless identifying number that was not publicly accessible, as they should have done in the first place.

I could go into much more detail about the above, but it is mostly technical and not necessarily related to the data breach. Along the same lines, when students discovered that the University was storing location access information from their ID cards, and even using this information in police investigations, the University initially denied this was the case.

I hope UMD does better this time. Perhaps there have been significant changes in the past seven years. But I’ll note that the transition away from SSNs was approved back in 2005, and here we are, 9 years later, facing this breach.

Organizations Must Take Steps to Limit the Collection and Retention of Unnecessary Data

In closing, this incident highlights the danger of the collection and retention of unnecessary data. Note that I am not saying that this particular database should not have included the information it did. There are many valid reasons for the University to have a database with this kind of information; e.g., alumni from years past need to be able to access records, and the school needs a way of identifying that they are who they say they are. (Technically this can be accomplished without storing the actual SSN, but see the addendum below for why this approach might not work).

However, I think this kind of incident should lead us to think carefully before we assemble large databases of information that we do not necessarily need. For example, many states and localities are using license plate readers to collect location and timing information of cars. Very few police departments using this technology have developed rules or guidelines about who can access the data, how long it will be retained, for what purposes it can be used, and with what other organizations it can be shared. These are the sorts of things that should be thought about before collection begins, and not after a breach has occurred.

Addendum: One Facebook commenter asked why UMD couldn’t have simply used a hash function to avoid storing the SSN at all. Obviously it wouldn’t work for current students, since they need to issue W-2s, 1098-Ts and other tax documents, etc., that include the SSN, but why not for alumni?

There’s probably no good answer for why this wasn’t done, but there are probably many bad answers. E.g., there are probably reporting requirements to the state, IRS, law enforcement, etc. that might require the university to produce the SSNs of former students. Also, even if they did hash the SSNs, an attacker could easily brute force the relatively limited number of SSNs (9 digits, so 1 million combinations without considering rules which significantly reduce the search space) for each student unless the hashes had been salted, etc. Now maybe that problem could have been solved by encryption rather than hashing. But given that this database might have been structured in 1998 or even earlier, it’s possible no one was thinking along high security lines back then.
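The hashing question above, carried through as an added example (not code from this post or the University): it compares an unsalted digest, a per-record salted digest and a keyed HMAC of an SSN, counting the hash computations needed to enumerate each. The keyed HMAC is a technique swapped in here, not one the post proposes, and it assumes the key is held outside the database; the 10,000-value candidate slice, the sample SSNs (area 000, never issued) and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os


def demo_space() -> list:
    """Constructed slice of the nine-digit space: area 000, group 00, every serial."""
    return [f"00000{serial:04d}" for serial in range(10_000)]


def h_unsalted(ssn: str) -> bytes:
    return hashlib.sha256(ssn.encode()).digest()


def h_salted(ssn: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + ssn.encode()).digest()


def h_keyed(ssn: str, key: bytes) -> bytes:
    return hmac.new(key, ssn.encode(), hashlib.sha256).digest()


def enumerate_unsalted(stored: list, candidates: list) -> tuple:
    """One pass over the candidates builds a table that resolves every record."""
    table = {h_unsalted(c): c for c in candidates}
    return [table.get(d) for d in stored], len(table)


def enumerate_salted(stored: list, candidates: list) -> tuple:
    """The salt sits next to the digest, so it only forces one pass per record."""
    recovered, work = [], 0
    for salt, digest in stored:
        match = None
        for c in candidates:
            work += 1
            if h_salted(c, salt) == digest:
                match = c
                break
        recovered.append(match)
    return recovered, work


def enumerate_keyed_without_key(stored: list, candidates: list) -> tuple:
    """With only the database rows, the key must be guessed; a wrong key matches nothing."""
    guessed_key = bytes(32)
    table = {h_keyed(c, guessed_key): c for c in candidates}
    return [table.get(d) for d in stored], len(table)


def lookup_keyed(ssn: str, stored: list, key: bytes):
    """Legitimate use: the key holder finds the record for a presented SSN."""
    digest = h_keyed(ssn, key)
    for index, row in enumerate(stored):
        if hmac.compare_digest(digest, row):
            return index
    return None


if __name__ == "__main__":
    ssns = ["000000042", "000001998", "000009999"]  # constructed sample values
    space = demo_space()
    key = os.urandom(32)  # assumed to live in an HSM or key service, not the database

    print("unsalted:", enumerate_unsalted([h_unsalted(s) for s in ssns], space))
    rows = [(os.urandom(16), s) for s in ssns]
    print("salted:  ", enumerate_salted([(salt, h_salted(s, salt)) for salt, s in rows], space))
    keyed = [h_keyed(s, key) for s in ssns]
    print("keyed:   ", enumerate_keyed_without_key(keyed, space))
    print("registrar lookup:", lookup_keyed("000001998", keyed, key))
```

The keyed digests resist enumeration only for as long as the key stays out of the attacker's copy; if the key is stored with the data, the third scheme behaves like the first.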

Nicolas Rapold and Why the Public Domain Sucks

By now, most of you have probably read Nicolas Rapold’s New York Times piece on film and the public domain. Apart from demonstrating what seems to be an almost willful misunderstanding of how the public domain functions (e.g., there’s no mystery as to why Birth of a Nation is no longer under copyright), Rapold refers to the public domain as “purgatory” for film.

I don’t know why he didn’t simply call it “hell,” since purgatory implies that films will languish for a period of time before being restored to holiness of copyright protection.

Yes, the article is bad. It places the blame for poor quality releases at the feet of the public domain, without noting that the alternative is not high quality releases, but nothing. It suggests that the low prices of “discount DVD bins” are somehow a bad thing. It notes but does not engage the fact that in some cases, were films still under copyright, their directors would choose to keep them locked away from us. It fails to point to research indicating that copyright protection actually decreases the availability of older works.

All that being said, as it is, the public domain sucks.

It’s old. The rule of thumb is that works made prior to 1923 are in the public domain. This rule is inaccurate in both directions, since unpublished works made prior to 1923 might still be under copyright, and many works made after 1923 are in the public domain for a variety of reasons, such as their owners not renewing the copyright or failing to observe formalities. But all those exceptions are too complicated for normal people, so the pre-1923 rule of thumb abounds in the United States.

Because it’s so old, it’s often hard to use, outdated, offensive, or simply inaccurate. For example, Wikipedia incorporates some content from the 1911 edition of the Encyclopædia Britannica, but has a long list of caveats for contributors relying on the work.

And it’s boring. American Dad did a good send-up of the public domain in an episode where Roger explains that he and his band “cover public domain songs… Camptown Races, Baa Baa Black Sheep” before playing a rock version of “London Bridge.” Later in the episode, the audience is thoroughly unimpressed with their rendition of “Blue Tail Fly/Jimmy Crack Corn” (note the crickets at the end of the clip).

While this is a somewhat facetious example, the point remains. Public domain works are often out of style and not attractive or interesting to modern audiences, in large part due to their age.

Of course, the reason why the public domain is full of old and boring material is because copyrights have been repeatedly retroactively extended, ensuring that virtually nothing of any substantial economic value falls out of copyright protection. This is a vicious circle: the longer copyrights are extended, the less relevant the public domain seems. The less relevant it seems, the more writers like Rapold can call it “purgatory” with a straight face. The more writers like Rapold call it “purgatory,” the easier it is for people to claim the public domain isn’t valuable. And the less perceived value the public domain holds, the easier it is to argue for longer copyrights.

The public domain could be awesome. Every year, James Boyle’s outfit at Duke celebrates Public Domain Day, showcasing what could have entered the public domain were it not for retroactive copyright extensions. And not everything has to age out of copyright to enter the public domain: projects like Musopen aim to create modern, copyright-free recordings of classical music, and many classic works of literature and art were never copyrighted to begin with.

But apart from the gems (distinguished by their rarity), the public domain is mostly not awesome. There’s been suspicion for years that copyrights will be extended yet again to prevent anything from entering the public domain (in 2019, works from 1923 will finally fall out of copyright). I suspect this won’t happen, in part because there’s more political resistance to copyright maximalism today than during the last copyright term extension, but also because nothing of economic value will be lost when century-old works lose copyright protection.

Maybe I’ll get taken to task by people pointing out that Shakespeare, Les Misérables, and the Bible are all in the public domain. Fair enough. But what about the vast majority of copyrighted works that don’t or won’t stand the test of time? What value do they add to the public domain when they enter it a century after their creation? Little to none. Their value is largely confined to a contemporaneous audience. By extending copyright protection beyond this period of value, we ensure that even when they do lose copyright protection, we gain nothing.

So congratulations to the copyright lobby. You’ve successfully eviscerated the public domain to the point that you no longer need to ask for copyright term extensions.

The US Does Not Have the Highest IP Protection in the World

We’re #1 in IP! But that doesn’t mean we have the “highest” protections.

Gabriel J. Michael / gmichael at gwu dot edu

The text of this post is licensed CC BY-SA 4.0, and may be shared and reposted with attribution. Please include a link back to this page, which will contain the most up-to-date version.

Public figures like to claim that the United States has the “highest” intellectual property (IP) protections in the world. For example, as Simon Lester over at Cato recently noted, in introducing the U.S. Department of Commerce’s Global Intellectual Property Center index, Senator Orrin Hatch claimed “The U.S. has the highest intellectual property rights standards in the world.”

Many other senators feel similarly. Back in 2011, 28 senators (including Hatch) wrote a letter to President Obama urging him “to preserve the highest standards of protection for intellectual property rights in the Trans-Pacific Partnership (TPP) Trade Agreement.”

Like many political claims, it’s not clear that these statements are even falsifiable. After all, what exactly does it mean to have the “highest” IP protections? How do we compare the “height” of IP protections across different areas like patents, copyrights, and trademarks?

But to the extent that such claims might be falsifiable, let’s take a look at the facts. It turns out that if you actually compare the “height” of various IP protections around the world, the U.S. frequently does not have the “highest” protections. In some cases, the U.S. doesn’t have any protections at all. Consider the following areas:

Copyright Terms

In the U.S., the normal copyright term for a natural person’s published work is the life of the author plus 70 years (terms are different for corporate works, unpublished works, etc., but let’s just consider the basic term).

  • Mexico’s comparable term is the life of the author plus 100 years. Note that this means in the ongoing Trans-Pacific Partnership negotiations, the United States is proposing a shorter copyright term than Mexico.
  • Côte d’Ivoire offers a term of life plus 99 years.
  • In Spain and Colombia, the basic term is the life of the author plus 80 years.
  • In Guatemala, Honduras, and Samoa, it’s life plus 75 years.

Data Exclusivity for Pharmaceutical Clinical Trial Data

Data exclusivity refers to intellectual property protection for the clinical trial data submitted by pharmaceutical firms to regulatory authorities in order to gain regulatory approval for drugs. Data exclusivity protection is separate from patent protection, and is generally automatic (i.e., it does not depend on novelty, etc.). Data exclusivity can create an effective monopoly for a drug in the absence of a patent, and even if a patent for a drug is invalidated. Data exclusivity is a sui generis form of intellectual property, first adopted in its current form in the U.S. in 1984. About 73 countries around the world offer U.S.-style data exclusivity.

  • Excluding biologics, the U.S. offers 5 years of data exclusivity.
  • In contrast, the European Union’s original data exclusivity law mandated a minimum of 6 years of protection. The current law mandates a minimum of 10 years.
  • Both Russia and China were obliged to offer 6 years of data exclusivity as part of their WTO accession agreements.
  • At one point, Guatemala offered 15 years of data exclusivity, although this was later rolled back.

Utility Models

Some U.S. readers may not even be aware that a significant number of countries around the world offer protection for utility models, a.k.a. “petty patents,” which are designed to protect incremental innovations, and thus have a lower threshold to obtain.

  • Over 60 countries offer protection for utility models, generally lasting from 7 to 10 years.
  • The U.S. does not offer any comparable protection (design patents are altogether different).

Surgical Patents

Many countries around the world do not allow surgical methods or procedures to be patented; alternatively, some countries allow such methods or procedures to be patented, but do not allow the patents to be enforced.

  • The U.S. takes the latter approach. In 1996, President Clinton signed an omnibus appropriations bill that included a rider prohibiting patent infringement suits against medical practitioners for potentially infringing medical or surgical procedures.
  • In contrast, Australia explicitly considered enacting a U.S.-style medical treatment defense to patent infringement, and rejected it.

Geographical Indications

This was Simon Lester’s example. Practically speaking, the United States offers roughly comparable protection to geographical indications in the form of collective and certification marks; specifically for wines, there are also American Viticultural Areas. However, the transatlantic dispute between the U.S. and the European Union is not so much over the failure of the U.S. to provide an adequate form of protection as it is over the failure of the U.S. to adequately protect European geographical indications.

  • While the EU-U.S. Wine Accord of 2006 resolved a number of long-standing issues, the EU had to accept the continued use of “semi-generic” names by U.S. winemakers. The most famous is of course Champagne, but other familiar names include Burgundy, Claret, Chablis, Port, and Sherry. U.S. winemakers must disclose the actual origin of the wine, but in practice this ends up looking like this:
[Image: J. Roget Brut “American Champagne” bottle label]

In order to legally free-ride on centuries of French tradition, just include “American” in really small font. For good measure, add in accented characters and other French words.

  • It’s also worth noting that in Europe, and increasingly in other parts of the world, geographical indications protect far more than just wine, e.g., spirits, cheeses, meats, coffees, teas, honey, and crystal. I find it amusing that I can walk into a supermarket and buy “Greek yogurt” and “Swiss cheese” that contains not a single ingredient from those countries. The U.K. did not find this amusing, and last year banned Chobani from selling “Greek yogurt” in England and Wales. U.S. firm Chobani bizarrely claimed that “Greek yogurt” was not defined by a reference to its place of origin.

Moral Rights

Moral rights include the right of attribution and artistic integrity, inter alia, and are often perpetual and inalienable. Technically the U.S. offers some moral rights to some creators under the Visual Artists Rights Act, but the scope is far more limited than in many other countries. For example, the VARA does not apply to musical or literary works.

Traditional Knowledge

I’m not going to get into the details of a fairly complex topic, but suffice it to say that the U.S. has no interest in protecting traditional knowledge through intellectual property law, and opposes other countries’ attempts to do so in discussions at the World Intellectual Property Organization.

Here’s a map of what countries currently protect traditional knowledge via intellectual property law:

[Image: map of countries protecting traditional knowledge via intellectual property law]

Author’s data, collected mainly from WIPO Lex.

Fashion Design Protection

The U.S. has repeatedly failed to adopt fashion design protections similar to those offered in Europe.

Fair Use

Apart from shorter copyright and data exclusivity terms than many countries, the U.S.’s most egregious weakness in intellectual property protection is its broad fair use laws. Unlike the vast majority of countries in the world, which offer an exhaustive list of precisely defined limitations and exceptions to copyright, the U.S. fair use doctrine is so vague and abstract as to permit completely unforeseen uses of copyrighted works without requiring any license or permission from the copyright holder.

For example, such fair uses include time-shifting by reproducing entire video recordings, the digitization of entire printed works, and the copying of images and text to be used in search engine caches.

Best ≠ Highest

I know we’re Americans, but even for us bigger isn’t always better.

The implication of Hatch et al.’s statements, of course, is that not only does the U.S. have the “highest” intellectual property protection, it also has the best. That’s certainly what the Commerce Department believes.

But there’s a contradiction here: as I’ve shown above, the U.S. does not in fact have the “highest” intellectual property protection in many areas. Thus, if the U.S. does have the “best” IP protection in the world, this means that the best protection is not the highest protection.

The Scourge of Secrecy: Evidence from the TPP Environment Chapter

Gabriel J. Michael / gmichael at gwu dot edu

This post is licensed CC-BY SA 3.0, and may be shared and reposted with attribution. Please include a link back to this page, which will contain the most up-to-date version.

Today, Wikileaks released the third leak in its series on the Trans-Pacific Partnership. Today’s documents consist of a draft of the environment chapter and the chair’s report on the status of this chapter as of November 2013. Unlike earlier leaks, this one immediately received attention in the mainstream press, perhaps because of the recent introduction of Fast Track legislation in Congress.

The chapter draft does not contain country positions, but the chair’s report does. This is enough to construct a network graph as I previously did with the leaked intellectual property chapter. The results visually confirm that the U.S. position in the environment chapter is quite far from nearly every other party:

[Image: network graph of country positions in the TPP environment chapter]

As the New York Times put it, “It appears to be much tougher to negotiate environmental provisions in a 12-nation agreement.”

There’s a great deal of similarity between this network graph and the multidimensional scaling graph I created for the intellectual property chapter:

[Image: multidimensional scaling graph of country positions in the TPP intellectual property chapter]

In both cases, the U.S. is a significant outlier compared to the rest of the negotiating parties, and Australia comes closest to the U.S. position, while everyone else clusters together. These graphs reveal that the U.S. likely faces similar negotiating dynamics on both the environment and intellectual property: the U.S. is on one side, and nearly everyone else is on the other side.

Despite facing similar opposition in both chapters, the U.S. has responded differently. In the intellectual property chapter, it has exerted “great pressure” to get other TPP parties to move to the U.S. position, and in most cases U.S. preferences are reflected in the draft text. Meanwhile, in the environment chapter, the U.S. has failed to have its preference for legally binding environmental provisions inserted into the current text.

Given that the U.S. faces similar opposition in both chapters, why has it succeeded in getting its preferences reflected in the intellectual property chapter, but not the environment chapter?

Simply put, it is a matter of priorities. Given a limited amount of bargaining leverage to be expended, the U.S. has chosen to use more in the intellectual property chapter and less in the environment chapter. Were its priorities different, the U.S. could probably have achieved its aims in the environment chapter.

The Times piece quotes an industry lobbyist comparing slow progress on environmental issues to the “centuries” it took to achieve higher labor standards. But if that’s the case, how is it that obtaining strong intellectual property standards has only taken 20 years, rather than centuries? It’s a matter of priorities.

And this is why the secrecy surrounding the TPP negotiations is so problematic. Without draft texts being released as negotiations progress, the public has no way of knowing where the U.S. is expending its bargaining leverage. Negotiating priorities are politically determined. Interest groups with access to the text will be able to lobby the government more effectively than those without access.

When the government chooses who has access to the text, or requires signing NDAs or otherwise limits public discourse by hiding essential information, it limits what issues can become political priorities.

When asked, vast majority of businesses say IP is not important

Gabriel J. Michael / gmichael at gwu dot edu

This post is licensed CC-BY SA 3.0, and may be shared and reposted with attribution. Please include a link back to this page, which will contain the most up-to-date version.

Last year, the U.S. Patent and Trademark Office released a widely cited report entitled “Intellectual Property and the U.S. Economy: Industries in Focus.” This report played up the importance of IP, claiming “the entire U.S. economy relies on some form of IP,” and estimated that “IP-intensive industries” accounted for 40 million American jobs and 35% of the U.S. GDP in 2010.

While many pro-IP groups hailed the report as demonstrating the importance of IP to the American economy, the report was panned by critics who pointed out that the definition of “IP-intensive industries” was so broad as to be meaningless. Indeed, according to the report, the number one IP-intensive industry by employment in the United States was… grocery stores. Furthermore, although supporters of stricter IP regulation and enforcement continue to rely on the report to justify policies relating to copyrights and patents, the vast majority of the report’s purported economic benefits were attributed to trademarks.

USPTO’s report was released in March 2012, and received a lot of attention. Yet just one month prior, the National Science Foundation (NSF) released the findings of a survey on business use of intellectual property. While a few sites picked up on the NSF report last year, it received far less media attention than it deserved. Why? Perhaps because it turns out that if you actually ask, the vast majority of businesses report that intellectual property is not important to them.

Infojustice.org was among the few noting that the NSF’s findings directly contradict the USPTO report. The initial NSF report, published in February 2012, included data from 2008. However, it has recently been updated to include data from 2009 and 2010.

But wait – surely I’m making all this up. If “IP-intensive” industries account for 40 million jobs and 35% of GDP, intellectual property must be very important to businesses. What’s this “vast majority,” then?

  • In 2010, 87.2% of businesses reported that trademarks were “not important” to them.
  • 90.1% of businesses reported that copyrights were “not important” to them.
  • 96.2% of businesses reported that patents were “not important” to them.

If you still think I’m making these numbers up (and I wouldn’t blame you if you did), head on over to the NSF’s page describing the survey, results, and methodology. Note that these results are consistent across the three years of the survey, and the survey itself is a representative sample across the country.

According to the NSF, the Business Research and Development and Innovation Survey (BRDIS) “is an annual, nationally representative sample survey of approximately 43,000 companies, including companies in manufacturing and nonmanufacturing industries. The target population for BRDIS consists of all for-profit companies that have five or more employees and that perform R&D in the United States.”

If you examine the details, the survey results begin to make more sense. Larger companies tend to report intellectual property as being more important; businesses designated as especially “R&D active” also place more importance on various kinds of intellectual property.

Nevertheless, the results of this survey (now in its third year) are striking. Even when looking at a sector where one would expect heavy reliance on intellectual property, the results do not match expectations. For example, take one of the most copyright-dependent sectors we can imagine: “R&D active” software publishing. In 2010, 51.4% of respondents in this sector said copyright was “very important”; 34.6% said it was “somewhat important”; and 13.9% said it was “not important.” That is, only about half of respondents in a purportedly heavily copyright-dependent sector describe copyright as “very important” to their business.

In my mind, there are two ways of interpreting these data: either all the survey respondents are totally uninformed about what is going on in their businesses, or formal intellectual property protection is far less important to the vast majority of U.S. businesses than some would like us to believe.

Some additional highlights:

  • 61.7% of businesses manufacturing computer and electronic products report that patents are “not important” to them.
  • 96.3% of businesses with less than 500 employees report that patents are “not important” to them.
  • 45.6% of businesses with 25,000 or more employees report that patents are “not important” to them.
  • 53.6% of businesses classified in the information sector (NAICS code 51 – i.e., a sector we’d expect to rely heavily on copyright) report that copyrights are “not important” to them.
  • Overall, businesses report that trade secrets are the most important form of intellectual property protection, with 13.2% of businesses calling trade secrets “very important” or “somewhat important.” Trademarks are a close second, with copyrights and patents significantly farther behind. Trailing in last place is sui generis protection for semiconductor mask works, although that is no surprise.

The complete 2008-2010 BRDIS survey data can be downloaded here, or you can check out the individual tables referenced in this post right now: Utility Patents, Design Patents, Trademarks, Copyrights, Trade Secrets, Mask Works.


Which TPP proposals are most contentious?

Gabriel J. Michael / gmichael at gwu dot edu

This post is licensed CC-BY SA 3.0.

I’m back from South Africa, and today I’ll be attending “stakeholder presentations” on the Transatlantic Trade and Investment Partnership (TTIP)/Transatlantic Free Trade Area (TAFTA), a proposed bilateral agreement between the United States and the European Union. I’ll be live-tweeting from DC, so if you’re interested in what’s going on, please head over to Twitter. Right now, however, I wanted to update my sneak peek from last week, and offer some answers to the question: Which TPP proposals and chapters are most contentious?

As before, this analysis is based on the Wikileaks data reporting country positions on various proposals. Unlike before, rather than plotting differences between countries, in this post I plot differences between chapters and proposals. Thus, the farther apart two proposals/chapters are on a plot, the more disagreement exists among the negotiating parties with respect to that proposal/chapter.

First, we’ll take a look at all chapters combined. I struggled with the best way to approach this, but eventually settled on simply using column sums or column means of chapters to produce the distance matrix. Column sums are non-normalized, i.e., distance may be affected by the total number of proposals in a chapter. Column means are normalized. There’s no way to say which approach is better: column sums might exaggerate differences between chapters simply because we have more data on some chapters than others; on the other hand, if there really are fewer proposals in some chapters, column means might exaggerate the similarity between chapters. Given this, I’m including both charts.

[Figures: tpp_proposals_all_col_sums, tpp_proposals_all_col_means]

The column sums approach will likely make more intuitive sense, given that most of the discussion has focused on chapters for which we have the most data. The intellectual property chapter is a huge outlier, denoting serious contention. Other contentious areas include the environment, market access, and investment chapters.

As noted above, the column means approach normalizes the number of proposals in each chapter. This almost certainly overstates the level of contention for chapters with only one leaked proposal (competition and customs). In spite of this, although the customs chapter now appears to be the most contentious, the intellectual property chapter is still quite contentious.

Before moving on to proposals in each individual chapter, I should emphasize that lack of contention does not mean acceptance. That is, proposals falling close to the origin may either be acceptable to most parties, or unacceptable to most parties.

[Figure: tpp_issues_ip2]

As I noted in last week’s sneak peek, looking at proposals in the intellectual property chapter, the most contention surrounds the issues of the TRIPS/WIPO exclusions to national treatment, the Chilean ISP copyright proposal, copyright technical protection mechanisms, and scent trademarks.

[Figure: tpp_proposals_ecommerce]

On e-commerce, the most contentious issue is dispute settlement. Dispute settlement generally means provisions designed to make treaty obligations legally enforceable.

[Figure: tpp_proposals_environment]

In the environment chapter, there is significant disagreement on most proposals, although “subnational coverage” (presumably whether provisions apply to localities like states or provinces) and a biodiversity proposal appear uniquely contentious.

[Figure: tpp_proposals_investment]

From what I can gather, the “DL600 Annex” is a reference to investor-state dispute settlement (ISDS) provisions, one of the most troubling aspects of the TPP. Such provisions allow businesses to sue states for actions perceived to harm investment. One of the most high-profile ISDS cases currently involves Philip Morris suing the Australian government over Australia’s plain packaging tobacco regulations.

[Figure: tpp_proposals_labor]

In the labor chapter, dispute settlement again appears to be a contentious issue.

[Figure: tpp_proposals_legal]

The legal chapter contains the controversial “medicines annex”, as well as a joint U.S.-Malaysia proposal on a “tobacco exception”. Earlier reports had indicated that the U.S. would not seek to exempt tobacco from tariff reductions, causing some public health groups to criticize the U.S. position. The “medicines annex” has been reported to be an attempt by the U.S. to undermine cost reduction measures for drug purchases in other countries.

As discussed above, it’s important to remember that less contention does not mean acceptance. The “medicines annex” in this chapter is a good example: while it is relatively close to the origin, this is because 9 of the 12 parties are rejecting the proposal.

The following graphs report issue distances/contention for the market access, rules of origin, services, and technical barriers to trade chapters.

The competition, customs, and government procurement chapters have too few proposals to perform multidimensional scaling, so they are not included. The sanitary/phytosanitary chapter is not included because one of the proposals (technical consultations) consists almost entirely of reserved positions.

[Figures: tpp_proposals_market_access, tpp_proposals_rules_of_origin, tpp_proposals_services, tpp_proposals_tbt]

Unlike my graphs of distances between country negotiating positions, in this post I’ve eliminated the assumption that a “reserved position” falls equidistant between rejection and acceptance of a proposal. Instead, reserved positions are treated as missing data.
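The column-sums versus column-means choice and the missing-data treatment of reserved positions can be seen side by side in the following added example, which is not the code used for this post. The position values are constructed, not the leaked data, and the reading of "column sums/means of chapters" as a per-country aggregate over each chapter's proposals, along with the pairwise-complete Euclidean distance, are assumptions.

```python
from math import sqrt

# Constructed sample, NOT the leaked data. Each chapter holds proposal rows;
# columns are four hypothetical countries. 1 = accept, 0 = reject,
# None = reserved position (treated as missing, not as a midpoint).
POSITIONS = {
    "ip":      [[1, 0, 0, 1], [1, 0, None, 1], [1, 0, 0, 0]],
    "labor":   [[1, 1, 0, 1], [1, 1, None, 1]],
    "customs": [[0, 1, 1, 0]],
}

def column_profile(rows, how="sum"):
    """Collapse a chapter's proposal rows into one value per country,
    skipping reserved positions (assumed reading of the post's method)."""
    profile = []
    for col in zip(*rows):
        seen = [v for v in col if v is not None]
        if not seen:
            profile.append(None)          # country reserved on every proposal
        elif how == "sum":
            profile.append(sum(seen))     # grows with the number of proposals
        else:
            profile.append(sum(seen) / len(seen))  # normalized to [0, 1]
    return profile

def distance(u, v):
    """Euclidean distance over countries where both values are present."""
    pairs = [(a, b) for a, b in zip(u, v) if a is not None and b is not None]
    if not pairs:
        return None
    return sqrt(sum((a - b) ** 2 for a, b in pairs))

def chapter_distances(positions, how):
    """Pairwise chapter distances, keyed by alphabetically ordered name pairs."""
    profiles = {ch: column_profile(rows, how) for ch, rows in positions.items()}
    names = sorted(profiles)
    return {(a, b): distance(profiles[a], profiles[b])
            for i, a in enumerate(names) for b in names[i + 1:]}

if __name__ == "__main__":
    for how in ("sum", "mean"):
        print(how)
        for pair, d in chapter_distances(POSITIONS, how).items():
            print("  ", pair, round(d, 3))
```

With sums, the three-proposal "ip" chapter lands farthest from the single-proposal "customs" chapter largely because it has more rows; with means the same pair stays the most distant but the gap to the other pairs shrinks.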

Strictly speaking, it’s not clear that these divisions represent “chapters” or if they are just convenient divisions from the leaked document. While we know that there is an entire intellectual property chapter, other reporting has suggested that the “medicines annex” referred to in the “legal” chapter above is in fact part of a “transparency” chapter, for which we have little other information.

I am happy to share the code and data used in this post, although it is a mess and I am swamped with work right now, so it may be a while before I am able to make it presentable and respond to requests.


TPP Issue Distances: Sneak Peek

Gabriel J. Michael / gmichael at gwu dot edu

Thanks to Nick, who pointed out in a comment that by simply transposing the distance matrix, we can obtain “issue distances” rather than country distances. That is, the distance matrix will represent the dissimilarity between specific proposals in the text, rather than the dissimilarity of country positions. This approach can be extended to show distances between entire chapters. It presents some challenges in producing decent visualizations, though, so for now I’m just offering a sneak peek.

The following graph plots the proposals found in the intellectual property chapter of the TPP. The farther a proposal is from the center, the less agreement there is on the proposal among the negotiating parties:

[Figure: tpp_issues_ip2]

Thus, the most disagreement exists on the issues of the TRIPS/WIPO exclusions to national treatment, the Chilean ISP copyright proposal, copyright technical protection mechanisms, and scent trademarks.
