Software Legislation: Read the Fine Print

A Rev. 2 UCITA may not be enough to sway the other 48 states to adopt it, however. The new version of the proposed law still carries much of the old baggage: Opponents argue it gives vendors excessive control in the licensing of their software and information services, and its broad and complex content sometimes raises more questions than it resolves: When does embedded software falls under its authority?, for instance. There is some debate over whether UCITA is even necessary at all, since there's plenty of overlap between it and existing legislation, including state contract laws, the Uniform Electronic Transactions Act (UETA) and Uniform Commercial Code (UCC) already in use in many states.

UCITA makes the sale or licensing of software and other computer-based information, such as online databases, a contractual or licensing arrangement. That's a departure from how most software purchases are handled today, as a sale under copyright law. Copyright law lets you use software for noncommercial reasons like research, teaching, product-testing and reverse-engineering once you've purchased or licensed it. You can't reproduce and redistribute it for profit under copyright law, though.

The scary part about UCITA is that big-name vendors like AOL Time Warner, Intel, LexisNexis, Microsoft, Oracle and PeopleSoft get lots of leverage in how they define the terms of contracts and licenses--limiting your copyright privileges. You won't have as much bargaining power in custom-license deals with CRM (customer relationship management) and ERP (enterprise resource planning) software companies, for instance, since the act lets vendors prohibit you from reverse-engineering their products, except for the purpose of making them interoperable with other software. Shrink-wrap licenses will continue to be the norm for off-the-shelf purchases under UCITA (see "UCITA: Shrinking From Its Duties?").

Say you purchase a Web application that generates forms for your e-business customers. The forms use information stored in a back-end database that hous-es your customers' credit-card number and other personal information. The application runs fine--until someone posts your customer information and credit-card account numbers on the Web. You suspect a hacker has exploited the Web application. Under current copyright law, you could reverse-engineer the Web application to investigate or fix the security hole, and even post your findings and voice your opinion about the security hole in an online discussion group.

But under UCITA, you'd have fewer options if the vendor barred you from reverse-engineering it. That leaves you to buy another application or risk litigation by breaking the license to get to the bottom of the problem.The newest version of UCITA does come with some promising changes that could benefit IT, however. One of the biggest is the removal of an allowance in the original version that had let vendors remotely disable software if a user allegedly violated a license agreement. That's a hot button: It's akin to evicting a tenant without giving him due process. The new version of UCITA also specifies that the act does not replace existing state consumer-protection laws for unfair and deceptive business practices like price-fixing and other monopolistic actions. And it makes it clear that UCITA doesn't apply to free, open-source software such as Apache and Linux kernels. So you have the same freedoms as before with that kind of code.

Not all software-related contracts fall under UCITA's purview. While UCITA includes contracts for accessing computer information, the Internet and online electronic transactions and multimedia works, it excludes contracts for the distribution of printed information and for regulated telecommunication services and products. Unfortunately, UCITA doesn't break much new ground in remedies and damages in software-licensing disputes, nor in warranties. It spells out what most states and the industry already do in these situations--UCITA calls for vendors to provide so-called implied warranties that guarantee the application does what it was created to do. But UCITA gives vendors the option to add a disclaimer, which does nothing to make the warranties stick and hold software vendors responsible for the condition of their software.

And ironically, UCITA so far has caused more division than unity among the states. Some states, including Iowa, North Carolina and West Virginia, have taken pre-emptive strikes against UCITA, with so-called "bomb-shelter" acts that can protect you in some cases. If an IT manager in Iowa purchased a software package from a vendor in Virginia, for instance, he could take his case to a federal district court in his home state of Iowa, where he would have copyright exceptions like "fair use" on his side, and wouldn't have to battle the UCITA interpretation in Virginia. Still, these bomb-shelter acts aren't bombproof, and could be challenged as unconstitutional.

Don't Call Judge Judy

So how will UCITA be enforced? Like any contract or license, it's up to the state and federal courts. In most cases under today's copyright contract laws, if your software does not perform according to contract, that constitutes a so-called material breach in the contract or license. You can cancel the contract and sue for damages or return the software. The same is true under UCITA, so not much changes there.But vendors in the UCITA world have more clout in how they protect themselves in these situations. Although UCITA doesn't let vendors disable your software electronically if they suspect you violated the license, it does give them the power to "peacefully" repossess a CD-ROM or boxed copy of the software. (Beware when you escort visiting vendors through your facility if you live in a state that adopts UCITA.)

Meantime, it's up to each state to determine whether UCITA is worth it. This won't be an easy decision given the problems the act raises for IT and consumers, and the lack of clarity about how UCITA will apply to some software. Embedded software in the chipset of a VCR, for instance, may or may not be subject to UCITA. But UCITA does apply to the embedded software on a network-interface card (not NIC hardware).

With all this controversy and confusion surrounding UCITA, one school of thought is to flesh out the UCC regulations rather than having a separate set of laws for IT with UCITA. Technology advances and industry practices change quickly, so UCITA could become outdated before its time, and its inherent complexity could hamper its acceptance and enforcement. More important, such a law needs to protect--not override--existing rights under copyright law. That will only happen if IT gets a say in the law's adoption and implementation in each state.

The debate over UCITA begins in statehouses across the nation next year. Whether the act's shortcomings become painfully obvious, or whether the revised version gives UCITA new life, remains to be seen. Study UCITA carefully with the help of legal counsel and keep an eye out for it on your state legislature's agenda.

Sean Doherty is a technology editor and lawyer based at our Syracuse University Real-World Labs®. A former project manager and IT engineer at Syracuse University, he helped develop centrally supported applications and storage systems. Write to him at [email protected].• AFFECT (Americans for Fair Electronic Commerce Transactions): National coalition of consumers, retail and manufacturing businesses, financial services institutions, technology professionals and librarians opposed to UCITA.

• Badsoftware.com: A consumer-protection guide to software issues, including UCITA.

• Computer Professionals for Social Responsibility: Alliance of computer scientists and other professionals that studies the impact of computer technology on society, and is lobbying against UCITA.

• IEEE: IEEE's position against UCITA.

• UCITA Legislative Action site: State-by-state update on UCITA's progress.• UCITA Online: Updates and information clearinghouse on all things UCITA.

• Uniform Law Commissioners: Official site of the NCCUSL, the group that drafted UCITA, and UCITA background.

• University of Pennsylvania Law School: UCITA drafts and proposed laws.Doesn't UCITA mean 'exit' in Italian?

No. That's uscita. UCITA is the Uniform Commercial Information Transactions Act proposed by the National Conference Commission on Uniform State Laws, or NCCUSL.

What does UCITA do?It provides the ground rules for the license, sale or transfer of software and other computer information in systems like online databases.

What prompted UCITA, and why should I care about it?

The NCCUSL decided that not having uniform commercial laws for selling, leasing and transferring software and other computer information across states and on the Web was detrimental. The hope was that a uniform act would reduce the cost of doing interstate business for vendors, and therefore reduce the cost to you, the IT buyer.

What will it take to make UCITA a law in my state?

Each state legislature has to propose it and enact it as a state law.Is it an all-or-nothing affair, or can a state enact some provisions of UCITA while leaving others?

The NCCUSL recommends states enact the entire proposed law for uniformity purposes. But state legislatures can modify or exclude certain provisions of UCITA.

Does UCITA outlaw free or open-source software?

No. Open-source software is not covered by UCITA, so it is not subject to implied warranties under the act.

Does UCITA allow shrink-wrap licenses?Yes, as long as the customer can return the product for a refund, including shipping costs, after he or she has opened the package and reviewed the license.

Does UCITA replace laws that cover unfair and deceptive business practices?

No. UCITA doesn't preclude state laws that prohibit unfair and deceptive business practices, such as price fixing, monopolistic behavior, fraud and deceptive advertising.

Does UCITA bar reverse-engineering?

No. But UCITA can limit reverse-engineering to only interoperability purposes.Don't expect much change to shrink-wrap and online software licensing rules under the Uniform Computer Information Transactions Act (UCITA). UCITA doesn't really change much here--it just upholds existing shrink-wrap and online software licensing regulations and practices.

Today, you don't get to see the terms of a software license until after you've paid for the product or opened an online database account. That's the nature of over-the-counter, shrink-wrap licenses in the mass market. Shrink-wrap licenses represent a contractual relationship between a software publisher or information services provider and the end user. This type of license has been a thorn in the side of IT managers and consumers for some time and it's gotten mixed reviews from state and federal courts. That's because breaking the seal of the software package means you accept the license (whether you've read it or not) and it then becomes binding between you and the software vendor.

The story is the same for online software purchases once you click the "I Agree" button. The difference is you get to read the terms of this so-called "click-through" license before you accept them. Some e-commerce sites, however, don't let you view the terms of the license before accepting them and making a purchase online. You only get to see the license when you download and install the software. Click-through licenses, like shrink-wrap, have held up in court also.

So what does UCITA do for these types of licenses? It sanctions these shrink-wrap and click-through licenses for mass-market software. But it also says if a vendor doesn't make its mass-market software license available for you to review before you make your purchase, you're entitled to a refund if you don't agree with the terms after you've broken the seal or downloaded the product. If all this sounds familiar, that's because UCITA's provisions are basically in line with today's industry practice and other regulations. What UCITA doesn't do is go the next step and require all kinds of software licenses be available to you before you buy. That would save both vendors and IT departments time and money in the long run.