State Representative Chris Hart IV
Chairman,
Dear Chairman Hart:
We learned that you are currently soliciting input from
persons and entities in
As the co-chairs of ACM's U.S. Public Policy Committee
(USACM), we are pleased to take this opportunity to share USACM's concerns
about the potential negative impact the proposed Uniform Computer Information Transaction
Act (UCITA) could have on small entrepreneurs, consultants, and all users of
software. Per your request, we have provided brief replies to your questions.
We would be pleased to provide the House Committee on Information Technology
more detailed information if necessary.
Q1. Do you support or oppose adoption of UCITA in part or in
whole, and why? What parts of UCITA do you support or oppose, and why?
A1. While new UCITA laws in
* UCITA enables software producers to limit their legal
accountability for defective products, reducing the incentive for companies to
examine products to detect software defects and ensure secure code. Software producers
can disclaim warranties and restrict their liability to the purchase price of
the software, even if the producer was aware of the defects or security
vulnerabilities prior to sale. UCITA can lead to a lowering of standards in the
computer field and undermine efforts to create a robust system that can endure
rigorous scrutiny. At a time when our efforts should be on improving the
security and robustness of our national information infrastructure, we will
instead be rewarding a "first out the door" mentality for software
development.
* UCITA enables vendors to subject customers to
non-negotiable terms through shrink-wrap licenses. As shrink-wrap licenses go
into effect upon the installation and use of the software, and customers can be
subjected to these terms even if the company refuses to disclose the terms to
the customer before the sale, UCITA could allow software vendors to include outrageous
provisions in the license. Customers will not be able to comparison shop over
such issues as warranty or service policy.
* UCITA allows publishers to ban reverse engineering by
means of contractual use restrictions. Reverse engineering is critical for
systems interoperability and facilitates the research, development, and testing
of information processing systems. The software engineering and research communities
utilize reverse engineering to investigate security risks and develop programs
that impede the spread of viruses. UCITA allows software companies to impose
upon computer researchers the onerous burden of undergoing litigation to get
permission to use reverse engineering. The ban could stifle innovation among
independent software engineers and limit their ability to create noncommercial applications
for the public domain.
* UCITA may shift the balance of rights among intellectual
property creators, publishers, and users in the
* UCITA's "self-help"
provisions would permit software vendors to place software vulnerabilities in a
business's software and threaten disruption of the business's critical systems
if a licensee were to violate use restrictions. Even if the software vendor
does not itself shut down a customer's software, by creating a weakness in the
customer's system security, the vendor exposes the customer to attacks by third
parties. If the vendor can shut down a customer's system remotely, someone else
may be able to do so as well. UCITA imposes no risk of liability on vendors for
third-party attacks, and these attacks could shut down hospital control systems,
criminal record or fingerprint search systems, manufacturing assembly line
control software, and other systems that are important to the safety and
welfare of the public.
* Finally, independent software engineers and small
consulting firms could also be negatively impacted by UCITA. The restrictions
on the sale and transfer of used software and computers could hinder their
ability to control costs and form partnerships. Furthermore, vendors can limit
the right of licensees to contract independent service providers to perform maintenance
functions.
Q2. Do you believe your business communications/transactions
would be affected by UCITA, and if so, how and to what extent?
A2. Through nondisclosure agreements, UCITA permits vendors
to ban users from comparing software or publicizing information about unsecure products. Researchers could be restricted from
conducting benchmark studies of competitive products and publishing negative
reviews. The prohibition of such speech harms the consumer, who is unable to
read articles comparing products, and jeopardizes the information
infrastructure by enabling companies to produce inferior software without the
risk of having weaknesses exposed in the press. The speech restrictions also
hinder educators, scholars, and creators of research-driven products because learning
from mistakes is essential to the ongoing improvement of work.
Q3. Do you believe there are insurmountable obstacles
to adopting UCITA in part or in whole? If so, what are
those obstacles and why do you believe they cannot be overcome?
A3. Members of USACM and other organizations have
given deep thought to the provisions of the UCITA model legislation. As noted
in previous answers to questions 1 and 2, we have identified a number of
obvious deficiencies that, on their face, are not in the best interests of the
general public. UCITA seems to tip the merchant/consumer balance too far in
favor of the merchants at the expense of consumer protection and consumer
rights. It is beyond our ability, as technologists, to provide an alternative
bill (or replacement parts) that adequately redresses this imbalance and also
serves the needs of the diverse populations involved in commerce. Furthermore,
the elements of the bill may not be separable in their effects.
As there appears to be no urgent need for this legislation
(business is being conducted under current law with limited examples of
pervasive harm to either vendors or consumers), we believe that the best course
of action is for the House Committee on Information Technology to defer
consideration of UCITA until a thoughtful, balanced revision is made that
respects the concerns of all segments of the population. In your efforts, we
encourage you to investigate the wide array of scientific, technical,
professional, and consumer organizations who have registered public concerns
with UCITA (see, for instance, <http://www.badsoftware.com/oppose.htm>
and <http://www.4cite.org/who.html>).
This group also includes a number of commercial software vendors and electronic
publishers. We believe it significant that such a large and broadly-based
group of organizations finds UCITA to be concerning and potentially dangerous
to small entrepreneurs, consultants, and all users of software.
If there is any way we can be of further assistance, please do not
hesitate to call Jeff Grove, the Director of the ACM Policy Office, at (202) 659-9711.
Thank you for the opportunity to comment on UCITA.
Sincerely,
Barbara Simons, Ph.D.
Eugene H. Spafford, Ph.D.
Co-Chairs
Association for Computing Machinery