Ch. 11: Procurement of secure technologies
ITSS Legal Issues Working Group, 11/8/96

Chapter 11
Procurement of Secure Technologies

A. General Comments
B. NAFTA Procurement Chapter
C. GATT Procurement Code (1979) and the WTO Agreement on Government Procurement (1994)
D. NAFTA and the WTO
E. The Merit Program
F. Protecting cryptographic systems
G. The role of the Value Added Network (VAN)
H. Summary

A. General comments

Government purchases information technology goods and services designed to protect the security of the government’s electronic information from the private sector on a regular basis. There are specific legal issues relating to the purchase of secure technologies that need to be taken into account.

The protection of government’s sensitive information from unauthorized leak or disclosure is of paramount importance in any discussion of government procurement of information technology. Treasury Board has developed a comprehensive policy on Information Technology Security (ITS).[1] ITS is intended to ensure the confidentiality of information stored, processed or transmitted electronically; the integrity of the information stored, processed or transmitted electronically; the integrity of the information and related processes and the availability of information, systems and services. Included under the umbrella of ITS are information technology hardware and software, networks, telecommunications and other interconnected equipment and facilities in which the equipment is housed. Related aspects of physical and personnel security must also be considered.

Pursuant to the provisions of the Security policy, each government department contracting authority is responsible for ensuring that the Security policy is complied with and that contract documentation includes any necessary clauses. Departments may request that the RCMP or the Communications Security Establishment (CSE) review contractor’s compliance with particular ITS clauses.
Obligations between the government and private parties may come from a number of sources:

· Agreements that establish the respective contractual obligations and rights between commercial parties. Breach of these obligations may lead to a risk of damage and a finding of liability.
· Obligations may be imposed or rights may be granted by statute or other forms of subordinate legislation (regulations, ministerial orders, or directives).
· To be made enforceable as law in Canada, international conventions, such as GATT, NAFTA or maritime conventions, are introduced into Canadian law through federal or provincial statutes.

A Memorandum of Understanding (MOU) is a document drawn up between governments or between government departments, agencies or branches, to establish respective obligations and rights. MOUs are not considered to be legally binding, unlike contracts.

Software licenses: general comments

Government clients may, on occasion, purchase security software for a number of purposes. The government may wish to adapt software which is available on the market to implement in systems being designed for use in the government. The government may simply wish to purchase the software to apply it or implement it directly in government operations without any adaptation. Regardless of the purpose, the government should be aware of certain pitfalls associated with the purchase of security software on the market.

First, software sellers may impose terms and conditions in the form of a “Shrink-Wrap” Licence. That is, purchase and use of the software would be interpreted by the software seller as an acceptance of their terms and conditions of Offer of the software. The imposition of terms and conditions by means of “Shrink-Wrap” Licences does not in any way depend on the signature by the client of any documents. Mere use of the software may lead to an interpretation that terms and conditions imposed by the seller would apply to the use of the software by the government.
Certain licences may restrict the use of the software to certain situations. If the government intends to implement the software in a way that is contrary to the terms of a “User” licence, then the government would be restricted from using the software in a way that is meaningful to the government’s needs or operations, or the government would risk incurring damages for breach of such user licence.

The software seller or owner may require confirmation that ownership in a derivative work would vest in the software owner and not in the Crown. That is, should the Crown adapt the software for application to a government system or government operations, the software owner may claim ownership of the adapted software as a derivative work.

Any contract for the sale of software or licence may contain disclaimer clauses which limit the government’s right of recourse or remedy against the software owner or designer.

Finally, all contracts of sale for software or licences should contain indemnities to protect the Crown against claims from software designers or sellers who allege infringement against their intellectual property rights arising from the sale to the Crown of security software. In Chapter 10, we noted that there are patent issues relating to encryption technologies that must be addressed by any government department considering such purchases. All purchases of software and all licences relating to the use of software should be reviewed by departmental legal advisors.

International trade obligations: general comments

While government procurement of information technology must take place in compliance with the Government Security Policy, such procurement must also conform to Canada’s obligations under international agreements to which Canada is a signatory.
An understanding of the scope and coverage of procurement provisions contained in the North American Free Trade Agreement (NAFTA), the General Agreement on Tariffs and Trade (GATT) Procurement Code and the recently concluded Uruguay Round World Trade Organization (WTO) Agreement on Government Procurement is necessary in order to ensure compliance with our international obligations. The discussion below focuses on the scope and coverage of procurement provisions in the NAFTA, the GATT Procurement Code and the Uruguay Round WTO Agreement on Government Procurement generally and also on how such provisions affect federal government procurement of secure information technology.

In examining how international agreements may affect federal government procurement of secure information technology it is necessary to examine several factors such as:

· whether the procuring entity is covered by an international agreement,
· whether the value of the contract exceeds the threshold value for coverage,
· the type of contract in terms of the classification of the good or service being procured, and
· whether such good or service is covered or forms an exclusion from the liberalized tendering provisions of the international agreement.

The scope and coverage of the NAFTA Procurement Chapter is outlined first, followed by a discussion of exceptions which may apply to the procurement of information technology.

B. NAFTA Procurement Chapter

Definition of procurement and monetary thresholds

“Procurement” is defined broadly in NAFTA to include procurement by such methods as purchase, lease or rental, with or without an option to buy. However, the definition specifically excludes non-contractual agreements, any form of government assistance, and government provision of goods and services to persons or state, provincial and regional governments. Procurement contracts must meet certain minimum value thresholds before NAFTA applies.
For Canadian and American federal government entities, the applicable threshold for goods contracts remains at the Canada-U.S. Free Trade Agreement (FTA) level of U.S. $25,000. The general threshold for contracts for goods, services, or any combination of goods and services for covered entities in all three NAFTA countries is U.S. $50,000.[2]

Coverage

The Procurement Chapter applies to measures adopted or maintained by the three NAFTA Parties (Canada, Mexico and the U.S.A.) relating to procurement by federal government entities (such as departments or agencies) and enterprises (Crown corporations, utilities, or other parastatal organizations) specifically listed in the Annexes. The list of covered entities is extensive, covering virtually all federal government departments in the NAFTA countries. All goods and services procured by government entities and enterprises are covered, unless specifically exempted.

Most-Favoured-Nation Treatment and Technical Specifications

For covered procurements, NAFTA requires that each Party must accord to goods of another Party, to suppliers of such goods, and to service suppliers of another Party, treatment no less favourable than the most favourable treatment it accords to its own goods and suppliers, and to goods and suppliers of another Party. Moreover, no Party may treat a locally established supplier less favourably than another locally established supplier on the basis of degree of foreign affiliation or ownership, or discriminate against a locally established supplier on the basis that the goods or services offered by that supplier for the particular procurement are those of another Party.

Article 1006 requires each Party to ensure that its procuring entities do not impose offsets. “Offsets” include the imposition of conditions that encourage local development by such methods as local content requirements, licensing of technology, or investment.
For covered procurements, NAFTA requires that each Party ensure that its entities do not prepare, adopt or apply any technical specification with the purpose or the effect of creating unnecessary obstacles to trade. To this end, technical specifications, where appropriate, must be made in terms of performance criteria rather than by design or descriptive characteristics and be based on international standards, national technical regulations or recognized national standards. Technical standards may not require or refer to a particular trademark or name, patent, design or type, specific origin or producer or supplier unless there is no sufficiently precise or intelligible way of otherwise describing the procurement requirements and provided that, in such cases, words such as “or equivalent” are included in the tender documentation.

Tendering Procedures and Bid Challenge

NAFTA sets out the tendering procedures which must be followed for covered procurements. All of these procedures are designed to achieve a procurement process which is fair, transparent, non-discriminatory, and predictable. They include rules for the qualification of suppliers, the invitation to participate, the time limits for tendering and delivery, the submission, receipt and opening of tenders, and the awarding of contracts.

Selective tendering procedures are those procedures under which, consistent with the relevant provisions of the Procurement Chapter, those suppliers invited to do so by the entity may submit a bid. Limited tendering procedures, where the entity contacts suppliers individually, are provided for under certain circumstances as discussed below.
With limited exceptions, entities will be required to publish an invitation to participate for all procurements in the publications referred to in an annex.[3]

Article 1017 allows potential suppliers to seek a review of any aspect of the procurement process by an independent reviewing authority, which in Canada is the Canadian International Trade Tribunal (CITT). Under recent amendments to the Canadian International Trade Tribunal Act, if the CITT considers a procurement challenge under NAFTA Article 1017 to be valid, it must recommend a remedy. Among the remedies which can be recommended by the Tribunal are the re-evaluation of the bids, the termination of the contract, the awarding of the contract to the complainant, or the granting of compensation to the complainant. The procuring Canadian government institution is required to implement the recommendations of the CITT “to the greatest extent possible.”

Exceptions to the NAFTA Procurement Chapter

There are a number of exceptions provided for in NAFTA which may affect the manner of procurement of information technology.

Appendix 1001.1b-2-B of the NAFTA sets out the Common Classification System agreed to by the NAFTA countries for services. Services are classified by category. For example, “Information Processing and Related Telecommunications Services” are detailed in category “D”.

There are, however, exceptions to coverage under the Procurement Chapter. Such exceptions are detailed by NAFTA country in the annexes to the chapter. The Canadian schedule in Annex 1001.1b-2 lists those service contracts that Canada has excluded from the Procurement Chapter by major service category. In relation to information technology, several major service categories may apply.
Some exceptions apply only to the Departments of Communications, Transport and Fisheries and Oceans.[4] All research and development services and all basic telecom and communications services, as well as specific information processing and related telecommunications services are excluded with respect to procurements by all Canadian covered entities. In addition, there are a number of excluded service categories that may affect procurement of information technology.[5]

National security

Article 1018(1) provides that:

Nothing in this Chapter shall be construed to prevent a Party from taking any action or not disclosing any information which it considers necessary for the protection of its essential security interests relating to the procurement of arms, ammunition or war materials, or to procurements indispensable for national security or for national defense purposes.[6] [emphasis added]

Whether a purely subjective test is permissible in taking the position that a procurement is indispensable for national security or for national defense purposes has yet to be examined by a NAFTA panel. “National security” is not defined in NAFTA, either in general definitions applicable to the agreement as a whole (Article 201), or in the definitions specific to the procurement Chapter (Article 1025).[7]

Limited tendering procedures

Where a good or service is not excluded from coverage, the liberalized tendering procedures which covered entities are normally required to follow are set out in Articles 1008 through 1015. However, in certain circumstances, an entity is entitled to use limited tendering procedures instead.
“Limited tendering procedures” are defined in Article 1025 as “procedures where an entity contacts suppliers individually, only in the circumstances and under the conditions specified in Article 1016.” [emphasis added]

Article 1016 provides that an entity may use limited tendering procedures, and thus derogate from Articles 1008 through 1015, provided that such limited tendering procedures are not used with a view to avoiding maximum possible competition, or in a manner that would constitute a means of discrimination between suppliers of the other Parties to NAFTA, or protection of domestic suppliers. The use of limited tendering procedures is limited to the circumstances and subject to the conditions set out in Article 1016(2).

Limited tendering procedures may apply to procurement of information technology under the circumstances outlined in Article 1016(2)(i) which provides as follows:

An entity may use limited tendering procedures in the following circumstances and subject to the following conditions, as applicable ... (i) where an entity needs to procure consulting services regarding matters of a confidential nature, the disclosure of which could reasonably be expected to compromise government confidences, cause economic disruption or similarly be contrary to the public interest. [emphasis added]

Where a covered entity relies on the exception provided in Article 1016(2) in awarding a contract, it is required to prepare a report in writing on the contract awarded by it under this provision. Such a report must contain the name of the procuring entity, the value and kind of goods or services procured, the name of the country of origin, and a statement indicating the circumstances and conditions described in Article 1016(2) that justified the use of limited tendering.
The entity must retain each such report for use, if required, under the bid challenge procedure provided for in Article 1017, the information requirements of Article 1019, or under the general dispute resolution mechanism set up by Chapter 20 of NAFTA.

C. GATT Procurement Code (1979) and the WTO Agreement on Government Procurement (1994)

The scope and coverage of the 1979 GATT Procurement Code (the “1979 Code”) and the 1994 World Trade Organization (WTO) Agreement on Government Procurement (the “WTO Agreement”) are outlined first, followed by a discussion of exceptions which may apply to the procurement of information technology.

Definition of Procurement and Monetary Thresholds

Under the WTO Agreement, “procurement” in terms of Canadian coverage is defined as transactions to acquire property, services or construction services for the direct benefit or use of the federal government. It includes procurement by such methods as purchase, lease or rental or hire purchase, with or without an option to buy, including any combination of products or services. However, the definition specifically excludes non-contractual agreements, any form of government assistance, and government provision of goods and services.

The annexes identify the thresholds applicable for goods, services and construction services. Under the WTO Agreement, the applicable threshold for purchases of goods and services by federal departments and agencies is SDR 130,000 ($223,000) and for construction services, SDR 5 million ($8.5 million). The applicable threshold for purchases of goods and services by federal enterprises has yet to be agreed upon but it is envisaged that the threshold will be SDR 355,000 ($604,000) and for construction services, SDR 5 million ($8.5 million).

Scope and Coverage

Canada is a signatory to the 1979 Code and will become a signatory to the WTO Agreement. The implementation date for the WTO Agreement is January 1, 1996.
It is expected that about a dozen WTO member countries will become signatories to the WTO Agreement as of January 1, 1996. Bilateral negotiations continue in an effort to finalize the offers of coverage that have been made.

The 1979 Code applies to goods only and is currently in force. The 1979 Code exempted the Department of Communications, Transport and Fisheries and Oceans. Effectively, this meant that procurement of telecommunications equipment was excluded because such procurement has historically been conducted by the Government Telecommunications Agency (GTA) on behalf of other government departments. The GTA has been resident in the Department of Communications. While under the existing 1979 Code service contracts are not included, services incidental to the supply of the goods are included provided that the value of such incidental services does not exceed the value of the goods.

The WTO Agreement builds on the 1979 Code by increasing access to government markets for goods and equipment and for the first time extends coverage to include services and construction services. The WTO Agreement is included as an Annex to the Final Act of the Uruguay Round of multilateral trade negotiations.[8]

The WTO Agreement list of covered entities covers virtually all Canadian federal departments and agencies and now includes the Department of Communications, Transport and Fisheries and Oceans. Under the WTO Agreement, all goods procured by covered government entities and enterprises are covered, unless specifically exempted.
In the information technology field, with respect to procurements by the Department of Communications, Department of Fisheries and Oceans and the Department of Transport, Canada has excluded from offered goods any products falling under Federal Supply Classification Codes 70 (General purpose automatic data processing equipment, software, supplies and support equipment except 7010 ADPE configuration) and 74 (office machines, visible record equipment and automatic data processing equipment).

Under the WTO Agreement, until there is a mutually agreed list of services to be covered by all Parties, services contracts listed in the Canada Annex are covered with respect to a particular Party only to the extent that such Party has provided reciprocal access to that service to Canada. The services related to information technology that are listed in the Canada Annex of offered services are set out in the endnote.[9]

Most-Favoured-Nation treatment and technical specifications

The principles of national treatment set out in the NAFTA are also contained in the 1979 Code and the WTO Agreement. Similarly, the NAFTA prohibition against employing offset requirements or using technical specifications as a non-tariff barrier to trade exists in the 1979 Code and the WTO Agreement as well.

Tendering Procedures and Bid Challenge

The tendering procedures under the WTO Agreement are generally the same as those under the NAFTA, and the analysis outlined above with respect to NAFTA applies.

Unlike the 1979 Code, which provides only for a state to state dispute settlement procedure, the WTO Agreement requires that each Party provide an independent and impartial bid challenge mechanism within their domestic regimes. In Canada, such challenges will fall within the jurisdiction of the Canadian International Trade Tribunal. The mechanism is similar to that contained in the NAFTA.
Exceptions to the 1979 Code and to the WTO Agreement

Both the 1979 Code and the WTO Agreement contain a national security exception which may affect the manner of procurement of information technology. This provision is identical to that contained in NAFTA Article 1018. The analysis outlined above with respect to NAFTA Article 1018 applies here as well.

Limited tendering procedures

Both the 1979 Code and the WTO Agreement permit selective and limited tendering under certain circumstances. Article XV of the WTO Agreement provides that an entity may use limited tendering procedures, and thus derogate from the provisions of Articles VII through XIV governing open and selective tendering procedures, provided that such limited tendering procedures are not used with a view to avoiding maximum possible competition, or in a manner that would constitute a means of discrimination between suppliers of other Parties or protection of domestic producers or suppliers.

Absent from both the 1979 Code and the WTO Agreement is a circumstance such as that set out in NAFTA Article 1016(2)(i) relating to procurement of consulting services regarding matters of a confidential nature, the disclosure of which could reasonably be expected to compromise government confidences [emphasis added]. This exception therefore applies only to NAFTA procurements.

D. NAFTA and the WTO

NAFTA Article 1024 provides that upon completion of negotiations regarding government procurement in the Uruguay Round, the NAFTA Parties will increase the obligations and coverage contained in the NAFTA Procurement Chapter to a level at least commensurate with that of the 1979 Code. With respect to federal government entities no action need be taken in this regard since the NAFTA obligations and coverage meet those of the 1979 Code and in some respects exceed them.

The NAFTA procurement provisions apply with respect to Mexico and the United States.
The WTO Agreement will, upon entry into force, January 1, 1996, apply to countries that become signatories to that WTO Agreement. Mexico is not a signatory to the 1979 Code and is not expected to sign onto the WTO Agreement. The U.S. is a signatory to the 1979 Code and is expected to become a signatory to the WTO Agreement as well. It should be noted that where rights and obligations provided under the NAFTA are not included in the WTO Agreement, such NAFTA rights and obligations will continue to apply to Mexico and the U.S.

E. The Merit Program

The Merit Partnership Program is a program jointly administered by Industry Canada and Public Works and Government Services Canada. The program allows participating companies to be accorded non-discriminatory national treatment with respect to government purchases that would not normally be subject to procurement obligations under international agreements. The program essentially includes procurements of office equipment and computers by the Department of Communications, Transport, and Fisheries and Oceans as well as some procurements by the Department of National Defence and the RCMP.

Agreements are negotiated on an individual basis with each participating company. The aim, therefore, is to allow such firms preferential treatment on the same basis as Canadian firms for federal government purchases that are not subject to international agreements. The agreements negotiated may include commitments regarding investment, research and development and/or strategic partnering in Canada.

F. Protecting cryptographic systems

Although any decision on the manner of procurement of secure information technology will have to be made on a case by case basis based on the goods or services required and the technical specifications of the particular contract, in general there are good grounds for refusing to differentiate between the manner of procurement of those components of an encryption system which protect highly classified information from those components of the same system that relate to unclassified information in order to protect the highly sensitive information from unauthorized disclosure.

The national security exception applies to the procurement of certain cryptographic systems. As an example, a good argument can be made that encrypted communications between the federal government and Canadian embassies abroad legitimately fall within the meaning of “national security.” Such communications, which are encrypted up to the level of “Secret,” can relate to extremely sensitive issues concerning the conduct of Canada’s international relations, or to defense. For example, a system such as the Secure Integrated Global Network (“SIGNET”) will be the primary means of communications between Canadian Forces Attachés (CFAs) at larger missions and the Department of National Defense (DND). Some messages sent between CFAs and DND through SIGNET will be classified at the level of “NATO Secret.”

The sensitive nature of such cryptographic systems is also demonstrated by the fact that such systems, including SIGNET, are located in restricted access areas of Canadian embassies, and in the restricted access areas of the Department of Foreign Affairs and International Trade (DFAIT) headquarters. Unescorted access to these areas is limited, with very few exceptions, to Canada based employees who have a security clearance at a level of Secret or above.
Whether the national security exemption for encryption systems such as SIGNET should only apply to a classified system such as the SIGNET Classified Processing system (“SIGNET C”), which processes documents classified at the level of “Secret,” while open tendering requirements should apply to systems such as the SIGNET Designated Processing system (“SIGNET D”), which processes Unclassified and “Protected” documents, is an issue that must be addressed in determining what procurement requirements apply to contracts for information technology.

Some encryption systems, for example the SIGNET D system in use by DFAIT, encrypt all data, even if unclassified, albeit at a lower level of encryption than SIGNET C uses. This is in recognition of the fact that even some Unclassified and Protected documents may be sensitive, the disclosure of which could compromise government confidences.[10] For example, parts of the SIGNET D system extend into the sensitive areas of Canadian embassies, and to the restricted access areas of the DFAIT building. Any foreign supplier working in a restricted access area would need to be accompanied at all times by a security-cleared Canadian, thus effectively requiring two persons instead of one to undertake the work.

More importantly, SIGNET D and SIGNET C are scheduled to be linked by the end of this year through a “Trusted Guard” software system. Once this link is established, it would be technically possible for a knowledgeable person with access to the SIGNET D system to retrieve classified information from the SIGNET C system through such methods as a computer virus.

Even if SIGNET D were not linked to SIGNET C, SIGNET D nonetheless processes protected data. Service contracts for SIGNET D should still be excluded from the procurement Chapter of NAFTA by virtue of the “government confidences” provision of Article 1016(2)(i) detailed above.
Statutory protection for cryptographic systems

It is interesting to note that such cryptographic systems have been provided statutory protection in the Access to Information Act. While this Act does not relate to procurement, it is indicative of the intent of Parliament to prevent the disclosure of information relating to the means by which the Canadian government communicates with its embassies abroad. Paragraph (i) of subsection 15(1) of the Act provides that:

The head of a government institution may refuse to disclose any record requested under this Act that contains information the disclosure of which could reasonably be expected to be injurious to the conduct of international affairs, the defence of Canada or any state allied or associated with Canada or the detection, prevention or suppression of subversive or hostile activities, including, without limiting the generality of the foregoing, any such information ...

(i) relating to the communications or cryptographic systems of Canada or foreign states used
    (i) for the conduct of international affairs,
    (ii) for the defence of Canada or any state allied or associated with Canada, or
    (iii) in relation to the detection, prevention or suppression of subversive or hostile activities.
[emphasis added]

Conclusion

The procurement provisions of the NAFTA, the 1979 Code and the WTO Agreement must be considered when procuring secure information technology in order to assess whether the entity and contract under consideration are covered ones or whether they fall under any entity exclusion or goods or services classification exclusions.
For covered contracts in which the open tendering requirements of such international agreements may otherwise apply, consideration of the tendering requirements including any applicable exceptions, such as the national security exception, or that relating to limited tendering under the NAFTA in order to avoid unauthorized disclosure of information which could reasonably be expected to compromise government confidences, cause economic disruption or similarly be contrary to the public interest, will have to be made in each particular case.

G. The Role of the Value Added Network (VAN)

A specific procurement issue relates to the use of value added networks (VANs). VANs are third party service providers that effect communications of electronic data between greater numbers of trading partners. They are analogous to a telephone system provider, but can provide additional services.

A VAN can function as a ‘mailbox’ that facilitates electronic commerce. Rather than having direct communication links and protocols with each trading partner, an organization can use a single VAN and instruct all of its trading partners to forward their electronic documents to the VAN. The VAN can receive a document and store it in the ‘electronic mailbox’ of the designated recipient for retrieval by it either at its convenience or at a designated time. In addition, using a VAN means that only the trading partner and the VAN must be electronically compatible, so that trading partners need not change their systems in order to communicate with numerous partners having different systems.

VANs can serve other functions, such as message authentication, audit trail, store and forward services, compliance checking (to ensure transactions are in the format agreed upon by the trading partners), translation (to convert transactions into a format agreed to by the trading partner) and error checking.
The problems that may arise with a VAN’s services include system crashes, disruption of service, and breaches of the integrity and security of the system. The relationship between a trading partner and a VAN is generally contractual and contains much of what is contained in a Trading Partner Agreement. VANs, unlike telephone companies, are not regulated, and like telephone companies, seek to restrict their liability to degrees unacceptable to the federal government as a subscriber to the service. Common exculpatory clauses exclude or place financial limits on liability, and restrict the basis of liability and the burden of proof.

“Liability may be restricted also through rules determining that the operator was liable only for direct loss or loss that the operator could reasonably foresee; for example, when a payment order or an acceptance of a contract offer is not transmitted properly, the liability may be limited to the fee paid for the transmission and to the interest lost because payment was made late.”11

The UN thought that “it might be acceptable to allow a broad freedom of contract in excluding liability so long as the user has a reasonable choice to pay a higher fee for a higher level of liability and that competition exists among network operators,” and “it was generally agreed that in principle the users and the networks should be free to agree on the level of liability of the network. This freedom, however, should be limited by a mandatory provision ensuring that the liability of the network was not excluded or set an unreasonably low level.”

Obviously, the federal government is in a position of relative bargaining strength and should seek to minimize exculpatory clauses. As with Trading Partner Agreements, legal advisors should be involved in negotiations at the outset to address the nature and extent of the commercial risk being assumed.
It is particularly important that the contract between the federal government and a VAN adequately address those matters which would affect the integrity and security of data, such as the loss or destruction of messages in the custody of a VAN, and access to a message by an unauthorized party. In preparing contracts with VANs, all departments should involve their legal advisors. The following checklist may be of assistance in reviewing or drafting a VAN agreement:

· the nature of services to be maintained by the VAN, such as network and mailbox use;
· the service levels to be maintained, such as response times, and the backup and contingency arrangements to be provided;
· provision for continuity of supply of services and the term during which services are to be provided;
· network and mailbox security, including requirements for time of mailbox clearing;
· rights and obligations of all parties, including liability for errors;
· provision for management and audit trails;
· regular independent third party review or audit of the VAN and access for auditors;
· responsibility to maintain adequate software to minimize risk of corruption or loss of data during transmission and when in storage;
· warranty that software has been adequately tested and certified for integrity, that most recent EDI standards will be used, that all trading partners have been supplied with the latest version of translation software, and that the software used in message transmission is reliable;
· charges for network access and transaction transmission and provision for amending same; agreement to payment procedures;
· the allocation of charges among trading partners;
· warranties for performance and reasonable remedies in the event that files or data are lost or destroyed, such as reconstruction or refund, and limits of liability for both parties;
· the law of the contract, particularly if the VAN’s facilities are located outside of Canada;
· “force majeure”;
· confidentiality of information: what information may be disclosed by a VAN to other potential trading partners?;
· the nature and extent of the transaction log to be maintained by the VAN, and for how long records must be retained (to assist in resolving disputes and questions between trading partners);
· whether periodic reports will be provided by the VAN (to facilitate identification of transmission errors or data loss).

The federal government, more than the private sector, is faced with the additional issue of the advisability of using a VAN which either stores data in, or transmits data through, networks outside of Canada. This issue is of particular concern with respect to regulations requiring filings which can be made electronically, and which contain criminal sanctions. Subsection 5(2) of the Criminal Code provides that “Subject to this Act or to any other Act of the Parliament of Canada, no person shall be convicted of an offence committed outside of Canada.” At common law, a court has no jurisdiction to enforce a public law of a foreign state. In addition, Canadian information stored or sent through the U.S. (or other countries) raises issues of extraterritoriality whereby a foreign government may appropriate the information.

The reality of electronic communications is that it is generally difficult, if not impossible, to guarantee that electronic information will be transmitted only on Canadian territory. Thus, there are risks involved in using foreign VANs. However, the risks involved in having information transmitted through other territories are less than the risks involved if the information is stored in computers outside Canada. Unauthorized disclosure of confidential information supplied by Canadians that may occur outside Canada will not necessarily relieve a Canadian government department of its obligations and potential liabilities to protect that information from unauthorized disclosure.

H. Summary

Purchases of secure technologies should take into account the terms and conditions of ‘shrink-wrap’ licenses, where mere use of the technology may result in a constructive agreement to those terms and conditions. Note especially restrictions on use of the product and limitation of liability of the software provider for any defect or malfunction. Adapting proprietary software for a customized government use could, in some circumstances, result in a claim by the software owner of ownership of the adapted software. There are patent issues with many information technology security products, especially encryption technologies, which must be considered and addressed at the outset of any purchase.

There are a variety of international trade obligations which govern procurement, especially the North American Free Trade Agreement and World Trade Organization requirements. The application of these requirements depends on who is doing the procuring, the monetary value of the procurement, and the nature of the good or service being procured; the requirements can also set out formal tender procedures. In addition, it is generally a violation of the international agreements to set technical specifications in a way that excludes bidders from other countries. However, these various obligations provide exceptions for goods and services regarding government confidences and national security. In addition, there are a variety of exceptions regarding service contracts for information technology. Any decision to procure secure technologies should take into consideration the specific international trading requirements and exceptions.

ENDNOTES

1 See Treasury Board Manual: Information and Administration Management Component on Security issued 09-06-1994.

2 For contracts for construction services, the threshold is U.S. $6.5 million.
The conversion of these thresholds into Canadian dollars, in accordance with Annex 1001.1c, yields thresholds for federal government entities of Cdn $31,800 for goods, Cdn $63,700 for goods and services, and Cdn $8.2 million for contracts for construction services. These rates are in effect from January 1, 1994 to December 31, 1995.

3 The publications listed in the Annex for Canada are Government Business Opportunities and the Open Bidding Service.

4 FSC 58 Communications, Detection and Coherent Radiation Equipment (This is a very broadly defined grouping which is excluded under NAFTA for all Canadian covered entities but given current WTO obligations is effectively limited to the departments of Communications, Transport and Fisheries and Oceans)
FSC 70 Automatic data processing equipment, software supplies and support equipment
FSC 74 Office machines, text processing systems and visible record equipment

5 Examples of major service categories that Canada has excluded from coverage under the Procurement Chapter of the NAFTA that may apply in relation to procurement contracts for information technology:

A. Research and Development - All classes

D. Information Processing and Related Telecommunications Services
D304 ADP Telecommunications and Transmission Services, except those classified as “enhanced or value-added services” as defined in Article 1310 and that are expressly excluded from the reservations set out in Annex II, Schedule of Canada, II-C-3 or II-C-5. For the purposes of this provision, the procurement of “ADP Telecommunications and Transmission services” does not include the ownership or furnishing of facilities for the transmission of voice or data services.
D305 ADP Teleprocessing and Timesharing Services
D309 Information and Data Broadcasting or Data Distribution Services
D316 Telecommunications Network Management Services
D317 Automated News Service, Data Services, or Other Information Services.
Buying data, the electronic equivalent of books, periodicals, newspapers, etc.
D399 Other ADP and Telecommunications Services

H. Quality Control, Testing and Inspection and Technical Representative Services
Services for the Departments of Transport, Communications and Fisheries and Oceans respecting FSC 36 - (Special Industry Machinery), FSC 70 - (Automatic Data Processing Equipment, software supplies and support equipment) and FSC 74 (Office machines, text processing systems and visible record equipment)
FSC 58 (Communications, Detection, and Coherent Radiation Equipment)

J. Maintenance, Repair, Modification, Rebuilding and Installation of Equipment
Services for the Departments of Transport, Communications and Fisheries and Oceans respecting FSC 36 - (Special Industry Machinery) FSC 70 - (Automatic Data Processing Equipment, software supplies and support equipment) and FSC 74 (Office machines, text processing systems and visible record equipment)
FSC 58 (Communications, Detection, and Coherent Radiation Equipment)

W. Lease or Rental of Equipment
Services for the Departments of Transport, Communications and Fisheries and Oceans respecting FSC 36 - (Special Industry Machinery), FSC 70 - (Automatic Data Processing Equipment, software supplies and support equipment) and FSC 74 (Office machines, text processing systems and visible record equipment)
FSC 58 (Communications, Detection, and Coherent Radiation Equipment)

In addition, in the Canadian schedule in Annex 1001.2b (“General Notes”), Canada has specifically excluded “contracts respecting FSC 58 (communications, detection and coherent radiation equipment).” FSC 5810 covers “Communications Security Equipment and Components”, while FSC 5811 encompasses “Other Cryptologic Equipment and Components”. Any goods or services contracts under these headings would be excluded from NAFTA.

6 Article 1018 is the national security clause applicable to the procurement chapter.
Article 2102 provides a national security provision applicable to NAFTA as a whole, but it is stated to be subject to Article 1018.

7 Under the “General Notes” in the Canadian schedule to Annex 1001.2b, some guidance as to the meaning of Article 1018 is provided by the provision which states that “[p]ursuant to Article 1018, national security exceptions include oil purchases related to any strategic reserve requirements”, and “national security exceptions include procurements made in support of safeguarding nuclear materials or technology.”

8 The Final Act was adopted at a ministerial meeting in Marrakesh, Morocco on April 15, 1994 at which 124 countries and the Commission of the European Union were formally represented. Canadian legislation implementing our obligations under the WTO Agreements came into force on January 1, 1995.

9 The following is a list of offered services set out in the Canada Annex to the WTO Agreement on Procurement that may affect procurement of information technology:
842 Software implementation services, including systems and software consulting services, systems analysis, design, programming and maintenance services
843 Data processing services, including processing, tabulation and facilities management services
844 Data base services
845 Maintenance and repair services of office machinery and equipment including computers
849 Other computer services
7523 Electronic mail, voice mail, on-line information and data base retrieval, electronic data interchange (EDI), enhanced/value added facsimile services, including store and forward, store and retrieve

10 One example of this is commercial information being sent to and from DFAIT and Canadian missions through SIGNET. Such information would only be sent Unclassified or Protected, in accordance with the government’s security classification procedures. The information can nonetheless be very sensitive, and its disclosure could compromise Canadian trade or investment objectives overseas.

11 United Nations Commission on International Trade Law, Working Group on Electronic Data Interchange, Twenty-fifth session, “Electronic Data Interchange - Outline of possible uniform rules on the legal aspects of electronic data interchange (EDI)”, (New York, 4-15 January 1993), 27 November 1992, Doc. A/CN.9/WG.IV/WP.55, p. 30.