January 30, 2003
H. Thomas ("Tommy") Wells, Jr.,
Chairman,
House of Delegates
American Bar Association
740 15th Street, N.W.
Washington, DC 20005-1019
Dear Chairman Wells:
USACM is the U.S. Public Policy Committee of the Association
for Computing Machinery, a leading society of 75,000
computer scientists, educators, and other professionals
dedicated to advancing the open interchange of information
concerning computing and related disciplines. As the
co-chairs of ACM's U.S. Public Policy Committee (USACM),
we are pleased to take this opportunity to share USACM's
concerns about the potential negative impact the proposed
Uniform Computer Information Transaction Act (UCITA)
could have on small entrepreneurs, consultants, and
all users of software. We would be pleased to provide
the American Bar Association (ABA) House of Delegates
more detailed information if necessary.
USACM Concerns
USACM and many professionals in the software engineering
industry consider UCITA to be a threat to the professionalism
of their work, the safety of the public, the quality
of products delivered to the public, and the long-term
competitive position of the industry. In particular,
USACM's concerns include:
* UCITA enables software producers to limit their legal accountability
for defective products, reducing the incentive for
companies and individuals to examine products to detect
software defects and ensure secure code. Software
producers can disclaim warranties and restrict their
liability to the purchase price of the software, even
if the producer was aware of the defects or security
vulnerabilities prior to sale. UCITA can lead to a
lowering of standards in the computer field and undermine
efforts to create a robust system that can endure
rigorous scrutiny.
At a time when our efforts should be on improving
the security and robustness of our national information
infrastructure, we will instead be rewarding a "first
out the door" mentality for software development.
* Customers will not be able to comparison shop over
such issues as warranty or service policy.
As shrink-wrap licenses go into effect upon
the installation and use of the software, and customers
can be subjected to these terms even if the company refuses
to disclose the terms to the customer before the sale,
UCITA could allow software vendors to include outrageous
provisions in the license.
* Despite changes made by the drafting committee of the National
Conference of Commissioners on Uniform State Laws
(NCCUSL) that permit reverse engineering under limited
circumstances to achieve interoperability, UCITA allows
publishers to ban reverse engineering by means of
contractual use restrictions in most instances. Reverse
engineering is critical for systems interoperability
and facilitates the research, development, and testing
of information processing systems. The changes passed by
NCCUSL do not allow reverse engineering for the purpose of
conducting security-related research.
The software engineering and research communities
utilize reverse engineering to investigate security
risks and develop programs that impede the spread
of viruses or to control other malicious behavior.
UCITA allows companies to impose upon computer researchers
the onerous burden of undergoing litigation to get
permission to use reverse engineering. Restricting
reverse engineering could stifle innovation among
independent software engineers and limit their ability
to create noncommercial applications for the public
domain.
* Despite changes made by NCCUSL, UCITA's
"self-help" provisions would permit software
vendors to place software vulnerabilities in a purchaser's
software. Even if the software vendor does not itself
shut down a customer's software, by creating a weakness
in the customer's system security, the vendor exposes
the customer to attacks by third parties. If the vendor
can shut down a customer's system remotely, someone
else may be able to do so as well.
* UCITA's restrictions on the sale and transfer of used software
and computers could hinder the ability of independent
software engineers and small consulting firms to control
costs and form partnerships.
Furthermore, vendors can limit the right of
licensees to contract independent service providers
to perform maintenance functions.
* Through nondisclosure agreements, UCITA permits vendors to
ban users from comparing software or publicizing information
about unsecure products.
Researchers could be restricted from conducting benchmark
studies of competitive products and publishing negative
reviews. As a result, consumers are unable to read
articles comparing products and learn about weaknesses.
USACM Conclusion
As there appears to be no urgent need for this
legislation since business is being conducted under
current law with limited examples of significant harm
to either vendors or consumers, we believe that the
best course of action for the ABA House of Delegates
is to table consideration of UCITA until a thoughtful,
balanced revision is made that respects the concerns
of all segments of the population. In your efforts, we encourage
you to investigate the views of the wide array of
scientific, technical, professional, and consumer
organizations who have registered public concerns
with UCITA (see, for instance, <http://www.badsoftware.com/oppose.htm>
and <http://www.4cite.org/who.html>).
This group also includes a number of commercial
software vendors and electronic publishers.
We believe it significant that such a large
and broadly based group of
organizations finds UCITA as drafted dangerous to
small entrepreneurs, consultants, and all users of
software.
If we can be of further assistance, please do not hesitate
to call Jeff Grove, the Director of the ACM Policy
Office, at (202)478-6312. Thank you for the opportunity to comment on
UCITA.
Sincerely,
Barbara Simons, Ph.D.
Eugene H. Spafford, Ph.D.
Co-Chairs
U.S. ACM Public Policy Committee
Association for Computing Machinery
About USACM:
USACM is the U.S. Public
Policy Committee of the Association for Computing
Machinery (ACM). ACM is the leading nonprofit membership
organization of computer scientists and information
technology professionals dedicated to advancing the
art, science, engineering and application of information
technology. Since 1947, ACM has been a pioneering
force in fostering the open interchange of information
and promoting both technical and ethical excellence
in computing. Over 70,000 computer scientists and
information technology professionals from around the
world are members of ACM.