Educational CyberPlayGround ®

BAD SOFTWARE - The Right Of Return - Warranties for "Free" Software - ucita is dead

HISTORY OF UCITA

The American Bar Association (ABA) has decided not to endorse the controversial Uniform Computer Information Transaction Act (UCITA). 2/12/03 However, backers of the software licensing law still intend to push for more state adoptions. UCITA's drafter, the National Conference of Commissioners on Uniform State Laws (NCCUSL), said today that it intends to pursue adoption in states that have shown an interest in it. So far this year, UCITA has been introduced in only one legislature, that of the U.S. Virgin Islands. UCITA is intended to set uniform terms and conditions for software sales and electronic transactions. The measure is supported by vendors and trade groups, but opponents contend it gives vendors too much power.

ALAWON: American Library Association Washington Office Newsline
Volume 11, Number 85 October 25, 2002
In This Issue: UCITA WILL RIDE AGAIN IN 2003

<[1]> NCCUSL approves new amendments

In August 2002, The National Conference of Commissioners of Uniform State Laws (NCCUSL) approved 38 amendments to UCITA. The changes attempt to address criticisms made by libraries and their business and consumer partners as well as the American Bar Association. The changes are described as "substantive" by the UCITA Standby Committee that drafted them. However, when examined closely they actually amount to small changes that in some cases may appear to be real improvements but actually are not. (Go to www.affect.ucita.com for an analysis of these amendments in early November)

Approval of the amendments at the annual NCCUSL conference followed much controversy among NCCUSL commissioners. A petition drive initiated by several commissioners sought to have UCITA downgraded to a model law, a move that would have withdrawn active NCCUSL support for its passage and been a fatal blow to its legislative future. The petition was withdrawn.

It is significant that the controversy around UCITA continues, even within the ranks of NCCUSL. AFFECT, the national coalition opposing UCITA, will continue its active opposition to UCITA in any state where it is introduced and will continue to promote the organization of statewide coalitions.

NCCUSL is under enormous pressure to prove that these latest changes have substantively improved UCITA and that it can be a viable act in state legislatures. This pressure will undoubtedly fuel an intense effort, similar to that seen in 2001, to promote UCITA in state legislatures.

<[2]> NCCUSL approves library amendment

NCCUSL actually approved a narrow library amendment that permits the transfer or donation of software to public libraries, public elementary or secondary schools and consumers, as long as the software remains in the computer. This change was not one of those proposed by libraries. Although it takes a small step in the right direction, it falls far short of the activities permitted under the first sale provision of federal copyright law and does not apply to all libraries. To view the amendment, go to http://www.law.upenn.edu/. The library amendment is in Sec. 503 (2) (c ) of UCITA.

<[3]> What's still wrong with UCITA?

- -UCITA still validates terms in "shrink-wrap" and "click-on" contracts that would prohibit libraries from making a fair use of electronic materials, including the copying and archiving of digital products

- -UCITA still does not require vendors to reveal the terms of the license prior to purchase

- -UCITA still does not require software publishers to reveal known defects

- -Although UCITA now prohibits "electronic self-help" in certain situations, it still allows an "automatic restraint" provision that permits licensors to remotely shut down an organization's critical software

- -UCITA still allows vendors to change the terms of the contract after a purchaser agrees to the terms

- -UCITA still undermines federal copyright law by allowing vendors to prohibit reverse engineering for the purpose of detecting security holes

- -UCITA is still fundamentally biased to favor the needs of software publishers to the detriment of businesses, consumers and libraries

- -UCITA is still overly complex, hard to understand and in need of totalrevision

<[4]> Are you new to UCITA?
Visit the best UCITA websites. www.ala.org/washoff/ucita.html and www.affect.ucita.org

Save the date for UCITA at ALA Mid-winter

Comments and questions to:
Carol Ashworth
UCITA Grassroots Coordinator
cashworth@alawash.org

From: Cem Kaner <kaner@kaner.com>
Subject: New UCITA revisions -- first reactions 12/21/01

A few weeks ago, Professor Phil Koopman, Sharon Roberts, Professor Don Gotterbarn and I went to the 17th meeting of the Uniform Computer Information Transactions Act drafting committee (I've attended 16 of these meetings).

The drafting committee is under intense pressure to work a political compromise, because, after passing in Virginia and Maryland, UCITA has been rejected in every state that has considered it and three states have passed "bomb shelter" laws designed to keep UCITA-governed contract rules out of their states. The committee met privately, after the official meeting, and adopted 19 of the amendments.

A couple of things that I was advocating were passed, especially a ban on "self-help" (ability of a vendor to remotely shut down your system if there's a contract dispute between you and the vendor). This shuts down a serious security flaw that UCITA was encouraging large-system vendors to build into every significant piece of commercial software.

Here is my analysis of the amendments that were passed. Overall, I think we are still seeing a big trend favoring large companies over small companies and individuals. In this case, though, large customers are scoring some wins and smaller customers are picking up a little bit as a side-benefit.

2002 Kentucky Bar Association
TWELFTH ANNUAL ISSUES FOR CORPORATE COUNSEL
UCITA and Copyright Law: An Overview Will Montague Pg. 85
==================================


The National Conference on Uniform State Laws published an announcement today of 19 amendments to UCITA. These were written in response to a series of amendments proposed at the UCITA drafting committee meeting this November. These amendments are available at http://www.nccusl.org/nccusl/UCITA-2001-comm-fin.htm.

For the text of UCITA, see http://www.law.upenn.edu/bll/ulc/ucita/ucita01.htm.

For a detailed analysis (of mine) of UCITA, see http://www.badsoftware.com/engr2000.htm

Here are my first impressions of those amendments. Please feel free to circulate them.


1) Consumer protection

UCITA defines the typical consumer software transaction as an intangible license, the purchase of a right to use the software, rather than the sale of a copy of the software. So, when you buy a copy of Microsoft Word and a book on how to use Microsoft Word at your local computer store, you buy two things that contain copyrighted intellectual property. The sale of the book is a sale of goods under UCITA but under UCITA, the sale of the software is not. If you download that same book from Barnes & Noble, instead of buying the paper copy at Barnes & Noble, the book is treated like software under UCITA.

By defining consumer purchases of software as licenses, rather than sales, UCITA pulls consumer software out of the scope of all of the consumer protection statutes that protect buyers of "consumer goods." All of the consumer warranty laws, for example, are "consumer goods" laws.

The revisions to UCITA still pull software outside of the scope of the consumer warranty laws. The changes offer very little protection.


2) E-SIGN

In the second amendment, UCITA supercedes E-SIGN, except in certain listed sections. In general, I think that E-SIGN is more consumer-friendly than UCITA. I have not had time to analyze the new relationship between the two statutes.


3) Choice of Forum

The change proposed will make it slightly harder for vendors to make an outrageous choice of forum (where the customer must sue the vendor, if the customer wants to bring suit).


4) Electronic Self-Help

I am glad to see that UCITA has been revised in the way that Sharon Marsh Roberts (Independent Computer Consultants Association) and I recommended, with the support of the Society for Information Management. Electronic self-help is banned, but a vendor retains extensive power to protect its rights under UCITA. For example, the software can come with a built-in automatic termination, stopping performance after a specified number of days or uses. In the event of a dispute, the vendor can simply refuse to renew the license. The vendor can also get an injunction.


5) Public Criticism & Contract Laws

The amendment (section 105(d)) appears to address the public criticism issue, but leaves open a wide loophole. People are allowed to criticize a product that has been "offered in its final form to the general public." But anything that is not "in its final form" is not open to criticism. Let's consider Viruscan, published by McAfee. McAfee has issued licenses that ban publication of benchmarks or other reviews of Viruscan without McAfee's permission. Viruscan is updated frequently. I don't think it is ever in "final form." So it appears to be outside of the scope of this consumer protection. Anything that is sold with the promise of frequent automatic updates (think of the dot-NET business model) is, arguably, never in its "final form". Any vendor who wants to ban criticism of its products has an obvious way around 105(d).


6) Known Defects

This amendment specifically states that UCITA does not displace the laws of "fraud, including fraudulent inducement, misrepresentation, or unfair and deceptive practices." This amendment does nothing whatsoever. UCITA already does not displace these laws. To the best of my knowledge (which is fairly extensive on this point), every software publisher in the United States releases software with known defects, and many of those known defects are serious. It is very difficult to hold vendors accountable for this under current law. UCITA shields vendors further, by making it easier for them to disclaim warranties, harder for a customer to establish that a product demonstration upon which the customer relied actually created an express warranty, easier for the vendor to limit remedies, and harder for the customer to recover a "minimum adequate remedy.

What was proposed, time after time after time in the UCITA meetings, was that the drafting committee provide an affirmative incentive to manufacturers to reveal their known defects. This was in return for the many vendor protections being written into the statute. This amendment does not address that proposal and is no better than the unmodified UCITA.


7) Presentation of Later Terms

"Later terms" are contract terms that you see only after you pay for the product.

Amendment 7, new Section 216, appears to add nothing to UCITA's rules. The question is not whether some of the terms in the click-wrapped licenses will be enforced. Most people know that some contract terms will be presented in the box in some form or another. The question is which terms will be enforced and how much notice customers will have of those terms.

The new UCITA requirement is satisfied merely by putting a notice on the box that says, "Terms inside" or a statement when you start to download a product that contract terms will be presented later. This is trivially easy to satisfy. The only people who will have difficulty satisfying it will be the open source / free software community because so much of their software is already circulating and will continue to circulate. That software was not packaged in a way that will meet the new, fairly formal, UCITA requirements.

What was repeatedly requested was a requirement that customers could get a copy of the terms before the sale if they asked for the copy. This is one of the basic tenets of the consumer warranty laws that UCITA helps software publishers evade.

Under this amendment, customers will still have to pay for the software and start installing it (if that's how the vendor chooses to structure the deal, which most software vendors seem to want to do) before being able to discover the terms of the contract.

The "right of return" under UCITA is the same extremely weak "right" that it was before, more marketing fluff than a consumer benefit. Remember: even though this is promoted regularly as a consumer benefit, it was brought to the UCITA drafting committee by the representative of the Business Software Alliance and it has (to the best of my knowledge) never been endorsed by any consumer protection advocate.


8) Retention of Terms

Amendment 8 provides that the license must be provided to the customer in a form in which it can be printed and/or retained by the customer. That this is an improvement on the current UCITA is an illustration of the extent to which the current UCITA is poorly drafted. Of course the customer is entitled to a copy of the license that can be printed and retained. How can you hold the terms of a license against someone who can't even refer to it? What court would enforce the terms of a contract that the customer is allowed to see once and never again? Vendors need this rule as much as customers. Without it, they might sometimes be tempted to make terms irretrievable or to allow a product to ship with terms that happen to be irretrievable. In either case, they would face severe problems in the courts under current law, (including UCITA) because judges would be so unlikely to enforce such terms.


9) Open Source Software--Noncontractual Permissions

As the Reporter of the UCITA Drafting Committee pointed out in the November meeting, UCITA already does not cover permissions that are not intended as contracts. However, all of the open source and free software licenses / permissions that I have seen are in fact contracts. This amendment provides zero or almost zero protection to the Open Source / Free Software communities.


10) Warranties for "Free" Software

UCITA provides an important protection for free software and broadens it in a way that will also often serve vendors of non-free commercial software. It eliminates warranties for software when there is "no contract fee for the right to use, make copies of, modify, or distribute" the software. The critical word here is OR, which should be AND. With the OR in place, the vendor need only satisfy one of these conditions in order to claim that the software is free.

Here's an example: under this new definition of free software, Internet Explorer is free software because there is (currently) no contract fee for the right to use the software. That's all that is needed. You don't have to have the right to make copies of the software or modify it or reverse engineer it or obtain source code to it or distribute it, as long as you get a free right to use it.

So, if Vendor X sells you installation and support services and "throws in" the software "for free", the Vendor achieves free software status and no warranties apply. This is an easy way for a traditional software vendor to escape all warranty liability.

Warranty liability cannot be excluded, under this amendment, if the licensee is a consumer. Thus, genuinely free software is fully subject to consumer warranties. This is still going to be a big problem.

A point was made at the UCITA meeting that no one would sue free software developers anyway, because they don't have any assets. But universities and libraries and many businesses post free software at their websites. That makes them distributors, under UCITA, even if they are giving away software that was written to be given away. Universities, libraries, and many businesses do have deep pockets (i.e. they have insurance policies) -- if a credible threat of liability can be made against them, they will stop distributing free software.

So, what do we have? Microsoft gets to completely avoid warranty protection for business users of some of its products, and organizations that distribute free software (which Microsoft now appears to consider a competitive threat) can still be targeted for consumer lawsuits and thus might be successfully intimidated out of distributing the free software.


This is not a victory for the Free Software community.

11) Transfer

Software that comes with a computer can be transferred WITH THE COMPUTER as a gift to a library or K-12 school or from one consumer to another. This still allows the vendor to kill the market in used software and it allows only a minimal number of transfers of software. The general rule under UCITA will be that if you buy a copy of the software, you will not be able to sell it when you are done with it, or give it away unless you are willing to give away your computer with it.


12) Express Warranty by Sample, Model or Demonstration

This amendment improves the current UCITA by stating that the product must conform (rather than "reasonably conform") to the sample, model or demonstration. However, even as modified, UCITA section 402 provides that the following does not create a warranty: "a display or description of a portion of the information to illustrate the aesthetics, appeal, suitability to taste, subjective quality, or the like of informational content." It is not a breach of contract if there are differences in the user interface and usability (or in the aesthetics, appeal, suitability to taste or subjective quality) between the demonstrated model and the model shipped, even if these are material to the consumer.


13) Infringement and Hold Harmless Duties

I'm not sure of the effect of this amendment and therefore will not comment on it.


14) Implied Warranty Scope

The amendment specifies that the implied warranty runs from the licensor to ITS end-user licensee and to ITS distributor.

I'm not sure, but it looks to me as though UCITA is re-establishing a privity rule. I am unsure of the intent, but I expect that we will see the argument in court that Vendorsoft provided no warranty to Consumer because Consumer is the licensee of Distributorsoft, who distributes Vendorsoft's software. Given the other sections of UCITA, I don't think this argument would prevail, but if it is not to make room for an argument like this, I don't understand why this restrictive language is here.


15) Delete Section 308

In Section 308, current UCITA allows a vendor, after the sale, to terminate a license by determining that the duration of the license, as long as that duration has been "a reasonable time". It was never clear to me that this was a big deal (in comparison to the rules that would apply under Article 2) nor that this deletion offers a big advantage over what the courts will do in the absence of specific terms.


16) Delete Section 307(c)

Current UCITA 307(c) states that "(c) An agreement that does not specify the number of permitted users permits a number of users which is reasonable in light of the informational rights involved and the commercial circumstances existing at the time of the agreement." I'm not sure that deleting this will offer any advantage over what the courts will do in the absence of specific terms.


17) Section 605 Automatic Restraints

This is a clarifying amendment that closes a loophole that was apparently not intended by the drafting committee.


18) Corrects a typo, no policy impact


19) Reverse engineering

This is very narrow and not very useful. It is narrower than the provisions in DMCA that allow reverse engineering. It does not permit reverse engineering in order to detect security holes or defects or to enable repair of the security holes or other defects. Additionally, if "the elements" to be reverse engineered were ever previously "readily available to the licensee" (when he didn't need them) then the licensee can't reverse engineer to discover them now, when he does need them.


K) Scope

As the comments point out, the electronics manufacturers (who will be able to opt their goods within the scope of UCITA under the current scope) support the current scope. And no wonder! They get to apply UCITA's rules to their customers instead of Article 2's.

We proposed a rule that addressed safety-critical software, rather than one that tried to distinguish between embedded and nonembedded software. The drafting committee did nothing to restrain UCITA's application to safety-critical embedded software. Never during the UCITA drafting meetings did we discuss the potential consequences of applying UCITA to embedded software or, especially, safety critical software. There will undoubtedly be unintended consequences of the application of UCITA to this domain. Where lives are involved, I think it is grossly irresponsible to press forward with the application of a new body of law to an ill-considered domain.


-- Cem Kaner


Cem Kaner, J.D., Ph.D.
Professor, Department of Computer Sciences, Florida Institute of Technology

http://www.kaner.com http://www.badsoftware.com

Author (with Bach & Pettichord)
LESSONS LEARNED IN SOFTWARE TESTING (Wiley, 2001)
Author (with Falk & Nguyen)
TESTING COMPUTER SOFTWARE (2nd Ed, Wiley)
Author (with David Pels) of BAD SOFTWARE (Wiley, 1998)

This e-mail communication should not be interpreted as legal advice or a legal opinion. The transmission of this e-mail communication does not create an attorney-client relationship between me and you. Do not act or rely upon law-related information in this communication without seeking the advice of an attorney. Finally, nothing in this message should be interpreted as a "digital signature" or "electronic signature" that can create binding commercial transactions.