Articles

---

Proposed legislation to protect vendors has potentially high costs for software users.

The Uniform Computer Information Transactions Act (UCITA) was developed by the National Conference of Commissioners on Uniform State Laws. This proposed general format for state laws covering software licenses and other aspects of electronic commerce has generated controversy ever since it was introduced in 1999. The UCITA potentially has serious ramifications for network and security managers for software acquisition budgets, support costs, privacy, and denial-of-service (DoS) attacks.

Introduction

In July 1999, the National Conference of Commissioners on Uniform State Laws (NCCUSL) approved the controversial UCITA (Uniform Computer Information Transactions Act) proposal that would create common licensing rules for software and other IT transactions.

UCITA legislation in individual states (henceforth generically referred to as "UCITA") would regulate the sale and licensing of computer software, databases, online information, multimedia and other intellectual property presented in electronic form. The UCITA is sometimes described as a general commercial statute for cyberspace. UCITA-inspired legislation has been introduced to or passed by state legislatures in 15 states and the District of Columbia (complete list at http://www.bmck.com/ecommerce/ucitacomp.htm ).

Among other protections for vendors, the UCITA provides for

* rigid enforcement of shrink-wrapped licenses even though the buyer may not see or agree to the terms until after the software has been purchased;

* banning reverse engineering of proprietary software;

* allowing vendors to shut down software remotely if they suspect a violation of the licensing terms;

* easier disclaimer of written warranties.

Currently, UCITA is strongly supported by such organizations as the Software & Information Industry Association and by some software vendors such as Microsoft. It is strongly opposed by such organizations as the American Library Association (ALA), Association for Computing Machinery (ACM), Computer Professionals for Social Responsibility (CPSR), Electronic Frontier Foundation (EFF), the Institute of Electrical and Electronics Engineers (IEEE) and by 26 state attorneys general.

Arguments in Favor of UCITA

"UCITA was originally intended to be a revision to the Uniform Commercial Code (UCC), which has been adopted in almost all of the states and territories of the U.S. and which ensures consistent rules governing contract law from state to state. . . . Publishers and large software producers are the primary supporters of UCITA." -- American Library Association, "What is UCITA?" < http://www.ala.org/washoff/ucita/what.html

[Before summarizing the arguments presented in favor of UCITA, I want it clear that on balance, I oppose the UCITA. However, based on previous sad experience, I must respectfully request that the more excitable readers among you NOT shower me with abuse for presenting arguments with which I disagree.]

Proponents of the UCITA make the following key points:

1) The issue: Growth in e-business has outdated existing contract law dealing with intellectual property. The absence of clear guidelines makes it difficult to frame end-user license agreements (EULAs) in a uniform way from state to state. Conflicts between end-users and software and other content producers have been resolved through expensive and time-consuming civil tort proceedings. Standardization will reduce the cost of doing business and will therefore encourage small businesses to expand successfully into interstate commerce, free of the burden of having to worry about wildly varying laws in different jurisdictions in the USA. In addition, software and information-content vendors will have the choice of law and choice of venue for all legal disputes concerning EULAs. By default, the applicable laws and the venue governing EULAs are those of the vendor.

2) Shrink-wrap EULAs are those included inside the packages that consumers purchase; click-wrap EULAs are electronically displayed during purchase transactions and are typically acceded to by clicking on a button on screen. The UCITA makes click-wrap EULAs enforceable and allows for a period following purchase during which users can return the product for a full refund if they disagree with the EULA terms.

3) "UCITA rejects the 'perfect tender' rule for commercial licenses. One of the problems with Article 2 [of the Uniform Commercial Code] is that it requires delivery of goods that conform to the contract. Software is recognized as a product that cannot be made perfect and that it almost always will have bugs. . . . UCITA eliminates the perfect tender rule and replaces it with a substantial conformance standard. The perfect tender rule is retained for transactions involving consumers." -- SIIA "Summary of Benefits." < http://siia.net/sharedcontent/govt/issues/ucita/summary.html

4) As explained above, UCITA makes it easier for software and information publishers to include legally-binding terms explicitly disclaiming responsibility for the damages caused by defective software or inaccurate "informational content." Such freedom will encourage risk-taking by vendors because they won't have to worry about legal entanglements when they sell defective products; the net effect will be greater innovation and therefore, ultimately, better products and value for consumers.

5) The user interface is explicitly excluded from consideration as part of a computer program: "As used in this Act, 'computer program' refers to functional and operating aspects of a digital or similar system, whereas 'informational content' refers to material that communicates to a person." -- UCITA Official Comment 10 on Section 102. < http://www.law.upenn.edu/bll/ulc/ucita/ucita01.htm

6) UCITA establishes a framework for enforcing contractual limitations on use of covered products. The SIIA document quoted in section (3) above reads, "For instance, if a license agreement is for a certain term, it is not a breach of the contract for the licensor to put something in the software that prevents use of the software after the term expires. Similarly, if the license allows only a certain number of users, it is not a breach of the contract to put something in the software that prevents more users from logging on to the software." In particular, vendors may include and enforce a gag rule on commercial purchasers of their products, reducing the annoyance and expense caused by public disclosure of such inevitable flaws as bugs and design flaws in purchased software. As Official Comment 3 to Section 105 has it, "While a term that prohibits a person from criticizing the quality of software may raise public policy concerns if included in a shrink-wrap license for software distributed in the mass market, a similar provision included in an agreement between a developer and a company applicable to experimental or early version software not yet perfected for the marketplace would not raise similar concerns."

7) UCITA-based legislation may attract high-technology business to those states that pass such laws. "Such benefits could include helping to foster e-commerce within the state and becoming a magnet for emerging companies seeking an e-commerce-friendly location." -- Priscilla A. Walter, "UCITA: Establishing a legal infrastructure for e-commerce." < http://www.siia.net/sharedcontent/govt/issues/ucita/upgrade-may.html

Arguments Against UCITA

1. Changing the model for software use from purchase to licensing has implications for long-term budgeting and control of such products. For example, more products can be licensed to stop working at the end of a contract period.
   
   
   • Although there is nothing inherently improper in negotiating such contracts, there will be cases where users will want to continue using a specific version of an application program even if the vendor wants to push them to a newer version.
     
     
   • Resistance may be justified by compatibility reasons or because the users do not choose to upgrade their hardware or operating systems. Licenses could forbid them from continuing to use a discontinued product or unsupported version.
     
     
   • In addition, licensing in the world of servers and mainframes has always had problems associated with unilateral increases in license and support costs, sometimes including steep price rises when a user upgrades a system or increases the maximum number of concurrent users.
     
     
2. "Licensing" instead of "selling" software removes such purchases from state protection against unfair and deceptive trade practices. Even though "Most consumers think that they are buying a consumer product when they pay money for software," UCITA creates "confusion about the scope of existing consumer laws. . . [and] . . . fails to extend analogous consumer protection to mass-market software contracts that are functionally like other consumer product transactions, despite new legal labels." -- Jean Braucher, "UCITA: Objections from the consumer perspective." < http://www.cpsr.org/program/UCITA/braucher.rtf
   
   
3. Allowing vendors to reveal contract details for shrink-wrapped software after a consumer has purchased a license to a product makes comparison shopping difficult or impossible by individuals. Having committed money to a particular choice, individuals are less likely to go to the trouble of packing up their software and returning it for a refund. Why shouldn't there be a copy of the contract available as a tear-off sheet at all distributors or online?
   
   
4. Reducing penalties available to aggrieved customers who have suffered damage from bad software or bad information makes it less likely that vendors will spend money improving quality assurance: "UCITA makes it too easy for software publishers to avoid facing any legal consequences for defective software. Perhaps this is appropriate for some defects, but not for the ones the publisher knew about when it sold the product. Customers can't discover most of these defects with quick trials of the program -- it takes skill to find them during pre-use testing. By reducing the responsibility of software publishers to detect and eliminate problems before the product is released to the public, UCITA will result in the lowering of standards in our profession." -- Barbara Simons, "Letter from the President of the ACM re UCITA, July 12, 1999" < http://www.acm.org/usacm/IP/usacm-ucita.html >.
   
   
5. The proposed laws go a long way towards protecting vendors against the wrath of consumers confronted with bugs and design flaws, but there is no equivalent protection of consumers: UCITA fails to require vendor disclosure even of known defects.
   
   
6. To the rebuttal that a free market can deal with such problems through free choice by consumers, opponents retort that the free market is hardly improved by terms that restrict the free flow of information about products -- in particular, legal bans on critical discussion of software flaws by commercial customers and their employees as allowed in contracts under terms of the UCITA. Banning open discussion will inevitably have a chilling effect on the free flow of information, including publication of articles in technical publications. "By changing what would otherwise be considered a sale into a licensing transaction, UCITA permits software publishers to enforce contract provisions that may be onerous, burdensome or unreasonable, and places on the purchaser the burden and cost of proving that these provisions are unconscionable or 'against fundamental public policy.' Examples of these provisions include prohibitions against public criticism of the software and limitations on purchasers' rights to sell or dispose of software. The first provision prohibits the reviews, comparisons, and benchmark testing that are critical for an informed, competitive marketplace. The second issue could legally complicate transactions including corporate mergers/acquisitions, sales of small businesses, the operation of businesses dealing in second-hand software, and even yard sales." -- IEEE-USA Board of Directors, "Opposing adoption of the . . . [UCITA]. . . ." < http://www.ieeeusa.org/forum/POSITIONS/ucita.html
   
   
7. UCITA reduces the value of used software by making it possible to bar resale of uninstalled software products, thus reducing competition for new products.
   
   
8. UCITA makes it possible to choose a venue for legal proceedings entirely at the choice of the vendor; for example, a vendor could choose to have a hearing in Florida if a customer in Alaska sued for redress. Such arbitrary unilateral power makes it easier to discourage lawsuits even over legitimate consumer grievances.
   
   
9. The language of UCITA raises serious questions about the consequences of reverse engineering of commercially licensed software. Reverse engineering -- studying a product, including its compiled code, to understand how it works -- is essential to identify flaws and suggest corrections. It is also important to support interoperability of products from different makers. UCITA allows language that could make such study legally impossible.
   
   
10. The classification of the user interface as information rather than as part of the computer program itself is a transparent attempt to limit product liability. The user interface is not equivalent to, say, information presented in a document; it is an integral and critical component of all computer programs that require user input and produce human-readable output. Errors in the interface are potentially more serious than errors in information (e.g., a typographical error in output) and should not be insulated from legal redress.

A Nightmare Scenario

It is the year 2006. Jamal is the network manager for a company with 10,000 PCs running Fenestration YQ2, an older version of the Fenestration operating system (the current version is Fenestration YQ4). In 2003, Mocraherd, the software supplier, changed the terms of the software license so that each license expires after one year; to renew the license, Jamal's company has to pay a renewal fee -- or the operating system shuts down for good and the company has to purchase completely new licenses at a higher price. Now Mocraherd has told Jamal that he is required to upgrade to YQ5 within the next couple of months or lose his corporate licenses altogether.

The problem is that the new Fenestration YQ5 that's being advertised requires over 2 GB of free disc space for the operating system upgrade and a minimum of 512MB of RAM plus a 2.0 GHz processor as minimum configurations -- and upgrading the company's computers would cost at least $500 each. Including the cost of upgrading to YQ5 ($50 per system), that makes a total cost of around $5.5 million -- not including the cost of labor and downtime. Worse still, reports in the underground press (it's a violation of license to publish or read any material that is critical of Mocraherd or Fenestration version using Mocraherd products) indicate that the new YP version takes four hours to install, fails in a third of the installations, and does not support the type of printer, external removable hard drives, or scanners that Jamal has installed on half of his systems.

Jamal's options are limited. He knows that Fenestration YQ2 includes spyware that automatically reports on the states of all machines where it has been installed; he knows because in several cases, changing defective mother boards on some downed PCs resulted in complete shutdown of the operating system. Jamal's staff had to call Mocraherd and get permission to reactivate the OS using a new license code. Then all the installed Mocraherd products stopped working, so his staff spent hours on the phone to Mocraherd waiting for new activation codes for each computer. Jamal tried stopping the spyware from reaching the Internet using personal firewalls as well as the corporate firewall, but the Macroherd software eventually shut down when it could no longer receive encrypted continued-operation codes from Mocraherd.

Unfortunately, Jamal's staff consists of only 50 support staff for the 10,000 computers in the network; he simply does not see how they are going to install updates to all the computers in the company in a reasonable time. Worse still, the new Fenestration YQ5 OS does not run the old version of the Officious product suite (Verb word processor, Punctuate display software, Crunch spreadsheet and Excess database) and files created with the new version of the Officious suite are not usable by the old Officious products.

Jamal decides to investigate alternatives to running Mocraherd programs altogether. He scans a few articles online about possible competitors using the Mocraherd Internet Exploder browser; as far as he can see, the costs of conversion would be prohibitive and the range of programs is inadequate to replace the Mocraherd programs. In addition, ever since Mocraherd started suing companies for making their products and file formats interoperable with those used by the software giant, competing companies are withdrawing products and going bankrupt.

An hour later, he receives a legal writ via e-mail warning him that he has violated the terms of his software license by accessing sites that are hostile to the interests of Mocraherd. Then his computer shuts down due to a remote signal from the Mocraherd Web site. Because the corporate license covers all the computers in the company, all the other computers shut down within minutes too. Finally, the electrical power, telephone, and HVAC (heating, ventilation and air-conditioning) computers shut down too even though all of them are running on separate licenses of Fenestration YQ2. No matter: an error in the programming on the Mocraherd servers automatically assumes that all computers that are co-located are on the same license.

Jamal waits in the dark and wonders what to do next.

* * *

From the license for FrontPage 2002: "`You may not use the Software in connection with any site that disparages Microsoft, MSN, MSNBC, Expedia, or their products or services . . . ' the license reads in part." -- Ed Foster, "A punitive puppeteer?" < http://www.infoworld.com/articles/op/xml/01/09/17/010917opfoster.xml

Windows Update checks the Microsoft site every five minutes and alerts users when critical updates are available; in order to tell if such updates are required, each system reports on its configuration so the server process can tell if it needs changes. This process cannot be stopped once it starts (short of uninstalling the product). The Microsoft Knowledge Base confirms that no user intervention is permitted: "Question: Can I change the scheduled behavior of Windows Critical Update Notification? Answer: No, if the scheduled task is modified, the tool reverts to the default settings the next time Windows Critical Update Notification runs. Note that this behavior is by design to ensure that you are notified of updates in a timely manner."
http://support.microsoft.com/support/kb/articles/Q224/4/20.ASP

* * *

Whether what you have read so far about UCITA pleases you or horrifies you, go do your own research to see if this legislation will protect you and your corporate interests. Then contact your state lawmakers to let them know your stand on this approach to contract law.

You already know my opinion. Now go make up your own minds.

Recent Developments

On December 17, 2001, the UCITA Standby Committee of the National Conference on Commissioners on Uniform State Laws (NCCUSL) issued a report to their executive committee recommending changes to the draft Uniform Computer Information Transactions Act.

The Standby Committee's report explicitly acknowledged that, "The majority of the amendments were submitted by AFFECT, an organization comprised of diverse interest groups and some individual companies for the purpose of opposing UCITA." AFFECT is the Americans for Fair Electronic Commerce Transactions.

In my opinion, the most significant changes to the draft of UCITA that will be sent to state legislatures in future are as follows:

1. UCITA does not supersede any consumer-protection laws in force and applicable to the purchase or licensing of software.
2. Software sold through mass-market distribution must not be inactivated by the vendor (the so-called "self-help" provisions of the previous version) in cases of breach of license or contract.
3. Software licenses for products distributed to the public in final form (i.e., not as test versions) cannot extinguish First-Amendment rights of consumers to discuss, report, or criticize flaws in those products.
4. Explicit recognition that UCITA "does not displace the law of fraud, misrepresentation and unfair and deceptive practices as they may relate to intentional failure to disclose defects that are known to be material."
5. Explicit rejection of open-source software licenses (and also shareware licenses) from UCITA coverage. UCITA applies only to transactions involving the exchange of money.
6. Reverse engineering is accepted as a legitimate method for ensuring interoperability of licensed software with other products.

AFFECT issued a press release on January 4, 2002 criticizing the proposed amendments. ". . . [T]he proposed amendments fall far short of what is necessary to resolve the many issues of controversy." According to AFFECT board member David McMahon, "The proposed amendments give the appearance of compromise, without the substance of compromise. When scrutinized, the proposed amendments simply make a fundamentally flawed piece of legislation only slightly less flawed."

AFFECT analysts point out that, among other issues,

-- The UCITA revisions do not impose obligations on software vendors to reveal known flaws when selling software licenses.
-- Librarians' concerns about restrictions on transfer of software licenses have not been met because the revisions limit such transfers to programs already installed on donated computers.

In conclusion, it seems to me that the drafters of the UCITA are genuinely trying to respond to criticism. It remains to be seen whether these proposed changes are in fact accepted by the NCCUSL. Nonetheless, UCITA remains a topic of hot debate. Readers would do well to continue to monitor events as they evolve and to ensure that state legislators are intelligently informed about the issues.

If we technologists allow UCITA to be passed into state laws without full and open exploration of its implications, we will have failed in our professional responsibilities to society. This is our job, not someone else's. Get involved!


Resources

" Why We Must Fight UCITA" by Richard Stallman

American Library Association (ALA)

Americans for Fair Electronic Commerce Transactions (AFFECT), formerly 4CITE

Association for Computing Machinery (ACM) Letter concerning the UCITA (1999)

Computer Professionals for Social Responsibility (CPSR) fact sheet

Ed Foster's comments ( Infoworld Special Report) on UCITA

For the full text of the Final Act with Comments (August 23, 2001)

Institute of Electrical and Electronic Engineers (IEEE) UCITA Network

Press release from National Conference of Commissioners on Uniform State Laws

Press release from the Americans for Fair Electronic Commerce Transactions

Report of the UCITA Standby Committee

Software & Information Industry Association (S&IIA) " Summary of Benefits"

Thibodeau, P. (2001). " UCITA backers agreee to changes."

UCITA Online

M. E. Kabay, PhD, CISSP, is an associate professor of information assurance with the Department of Computer Information Systems at Norwich University, Northfield VT