ACM  

March 3, 2000

Dear Representative,

We are writing to express our concerns about the negative impact the proposed Uniform Computer Information Transaction Act (UCITA) will have on small entrepreneurs, consultants, and all users of software. By allowing mass market software producers to protect themselves from liability for product defects, UCITA will encourage a race to the bottom in terms of software quality and robustness. At a time when our efforts should be on improving the security and robustness of our national information infrastructure, we will instead be rewarding a "first out the door" mentality for software development. Worse yet, UCITA will legalize shrink-wrap licenses that prohibit reverse engineering - one of the tools used to fix defective software - and the publication of benchmarking articles that compare the quality of commercially available software products.

The Association for Computing Machinery is the oldest scientific, educational, and professional association of computer professionals and practitioners in the United States. ACM's U.S. Public Policy Committee (USACM) facilitates communication between computer professionals and policymakers on issues of concern to the computing community. The ACM's 80,000 members (60,000 in the US) represent a critical mass of computer scientists in education, industry, and government.

Many professionals in the software engineering industry consider UCITA to be a threat to the professionalism of their work, the safety of the public, the quality of products delivered to the public, and the long-term competitive position of the industry. We share the concerns expressed by our sister professional and scientific organizations, such as the Institute of Electrical and Electronics Engineers (IEEE-USA), the Software Engineering Institute, and the American Society for Quality. They have joined a diverse set of organizations, including consumer groups, legal scholars, and twenty-four attorneys general, in expressing opposition to UCITA.

UCITA enables software producers to limit their legal accountability for defective products, reducing the incentive for companies to examine products to detect software defects and ensure secure code. Software producers can disclaim warranties and restrict their liability to the purchase price of the software, even if the producer was aware of the defects or security vulnerabilities prior to sale. UCITA can lead to a lowering of standards in the computer field and undermine efforts to create a robust system that can endure rigorous scrutiny.

Vendors, moreover, can subject customers to non-negotiable terms through shrink-wrap licenses. Shrink-wrap licenses go into effect upon the installation and use of the software, and customers can be subjected to these terms even if the company refuses to disclose the terms to the customer before the sale. Because the terms are hidden, software vendors will be tempted to include outrageous provisions in the license. Customers will not be able to comparison shop over such issues as warranty or service policy. In most business contracts, customers will not have the right to return the product if they disagree with the terms, even further encouraging outrageous contract provisions.

Vendors could constrain the use of information for legitimate scientific, research, or educational purposes. Software publishers could enforce contract provisions that restrict a customer's right to sue for product defects. Through nondisclosure agreements, vendors could ban users from comparing software or publicizing information about insecure products. Researchers could be restricted from conducting benchmark studies of competitive products and publishing negative reviews. The prohibition of such speech harms the consumer, who is unable to read articles comparing products, and jeopardizes the information infrastructure by enabling companies to produce inferior software without the risk of having weaknesses exposed in the press. The speech restrictions also hinder educators, scholars, and creators of research-driven products because learning from mistakes is essential to the ongoing improvement of work.

UCITA allows publishers to ban reverse engineering by means of contractual use restrictions. Reverse engineering is critical for systems interoperability and facilitates the research, development, and testing of information processing systems. The software engineering and research communities utilize reverse engineering to investigate security risks and develop programs that impede the spread of viruses. UCITA allows software companies to impose upon computer researchers the onerous burden of undergoing litigation to get permission to use reverse engineering. The ban could stifle innovation among independent software engineers and limit their ability to create noncommercial applications for the public domain. Existing trade secret and copyright laws permit reverse engineering, but UCITA allows publishers to unilaterally outlaw the practice.

UCITA may shift the balance of rights among intellectual property creators, publishers, and users in the United States by undermining the fair use and first sale provisions of intellectual property law. The legislation allows publishers to circumvent fair use protections for comparing competitive products, reverse engineering, and making copies of materials for use in non-profit, educational settings. UCITA impacts first sale doctrine by limiting users' rights to borrow, lend, and share copies of products. The restrictions could curtail access to published materials in the public domain, such as digitally stored documents in a public library.

UCITA's "self-help" provisions would permit software vendors to place software vulnerabilities in a business's software and threaten disruption of the business's critical systems if a licensee were to violate use restrictions. Even if the software vendor does not itself shut down a customer's software, by creating a weakness in the customer's system security, the vendor exposes the customer to attacks by third parties. If the vendor can shut down a customer's system remotely, someone else may be able to do so as well. UCITA imposes no risk of liability on vendors for third-party attacks, and these attacks could shut down hospital control systems, criminal record or fingerprint search systems, manufacturing assembly line control software, and other systems that are important to the safety and welfare of the public.

Independent software engineers and small consulting firms could also be negatively impacted by UCITA. The restrictions on the sale and transfer of used software and computers could hinder their ability to control costs and form partnerships. Furthermore, vendors can limit the right of licensees to contract independent service providers to perform maintenance functions.

In summary, we urge you to be cautious as you evaluate UCITA. Part of the ACM Code of Ethics states: "Excellence is perhaps the most important obligation of a professional. The computing professional must strive to achieve quality and to be cognizant of the serious negative consequences that may result from poor quality in a system." We urge you to carefully consider a bill that so many believe could cause long-term damage to America's most successful industry and to its customers. If there is any way we can be of assistance, please do not hesitate to call us at (202)544-4859. Thank you for your consideration.
Respectfully submitted,
Dr. Barbara Simons, President
Association for Computing Machinery

Eugene H. Spafford, Chair
U.S. ACM Public Policy Committee