Domain: badsoftware.com
Stories and comments across the archive that link to badsoftware.com.
Stories · 8
-
TPC-C Benchmarks For JDBC?
woggo asks: "I need to benchmark two different JDBC drivers for a research project and would like to use a standard benchmark. I was able to find this implementation of TPC-W, but that is too much of a test of the Web server to be useful for my purposes. Does anyone know of a freely-available Java implementation of TPC-C? It needs to be reasonably conformant and I need to be able to cite the results in a paper without violating a license agreement, which would seem to exclude evaluation versions of products."
-
Fighting UCITA
On Oct. 1, UCITA will become law in Maryland (Virginia passed a version of UCITA too, but delayed the effective date of the law until July 1, 2001). Infoworld has an article about Iowa considering "bomb-shelter" legislation to protect Iowans from UCITA-based laws passed in other states, and offers a few helpful hints for software purchasers. My suggestion is this: don't buy software from any UCITA-state company, or any national company whose licensing says you are bound by the laws of a UCITA-state. There's simply no reason to take risks like that.
-
Mattel Dislikes Being Embarrassed (UPDATED)
A few weeks ago we ran Keep It Legal to Embarrass Big Companies, detailing Peacefire's decryption of X-Stop's blacklist. Then just a few days ago, we noted that CyberPatrol's encrypted list had also been cracked. Well, Mattel, the maker of CyberPatrol and a Big Company, decided it didn't like to be embarrassed -- so it's filing suit against the coders in Canada and Sweden. In addition to demanding the removal of the decryption utility, Mattel is also seeking the logfiles of the Swedish ISP that hosts the decryption utility, to identify everyone who has downloaded it to date. Update: 03/16 6:50 PM EDT by J: Today's news was filled with Mattel's PR lies about their suit. Analysis follows.
The problems started with the AP story (cited above). The decryption software posted by the activists was described as "a method for kids to deduce their parents' password and access [pornographic] Web sites."
This was the spin that Mattel's PR people put on the story. They surely didn't want the news media reporting that activists had posted software that exposes their secret, hidden blacklist to the light of day. That wouldn't sound so good - it might get people to ask "why are these blacklists encrypted at all?"
Instead, Mattel's PR decided to say that the decryption software allows kids to view pornography. Predictable - this is the same smear that's always dragged out - but the media swallowed it uncritically. (The AP story was repeated on cnet, and everywhere else that uses the AP feed.)
Even the normally-critical Declan McCullagh wrote a story for Wired whose opening sentence was corporate propaganda. "Toy-maker Mattel has sued two programmers who revealed how to circumvent its CyberPatrol blocking software." Thankfully, the rest of his article gave the full story.
Mattel is not upset about CPHack's minor feature of circumventing the program when installed. Peacefire has been distributing their own instructions to disable Cyber Patrol for months now, and hasn't been sued. (They're pretty simple instructions, too.)
Mattel is upset that people can see the flaws in their software which were previously hidden by encryption. They want to continue selling bad software and will use the full force of law to prevent you from learning how bad it is. Legal papers have already been served and the proceedings will presumably begin shortly. Stay tuned - and don't trust press releases.
-
The Software Conspiracy
Jason Bennett has returned with a review of Mark Minasi's The Software Conspiracy. The book is basically a well-informed perspective of the state of the software industry - how it functions, what it does, and what's really going on. Click below to learn more.
The Software Conspiracy
Author: Mark Minasi
Pages: 271
Publisher: McGraw-Hill, 09/1999
Rating: 8/10
Reviewer: Jason Bennett
ISBN: 0071348069
Summary: A non-technical (but well-informed) telling of the state of the software industry
Background
A short digression before I start my review of this quite interesting book. I had the privilege of spending a few days in Seattle at a Construx Software training event on OOA/OOD using UML (hi, ImageX!). Amazingly enough, seven hours of flying each way will give one plenty of reading time, even including talking with those herding into the seats around you. Although I almost missed seeing my hometown Titans in the Super Bowl, I feel it was time well spent. Alas, I didn't get to see Steve, but maybe he'll email me if he reads this. :-)
Nevertheless, on to the business at hand. My book reviews have generally centered around the concept of software engineering, and how to apply its principles to development efforts. This week's book is more of a review of the state of the industry, and where the industry is trying to go. It should come as no surprise to most people reading this that the picture is not particularly pretty. There is, however, a glimmer of hope, but only if we can shake off the combined forces of greed and apathy. Hey, I never said it was going to be easy! <g>
What's the book about?
I believe the book's subtitle just about sums it up: "Why software companies put out faulty products, how they can hurt you, and what you can do about it." As I said in the summary, this book is geared toward non-technical software users in an attempt to explain to them why their software breaks, and why they shouldn't take it anymore. Many parts of this book will be well-known to regular Slashdot readers, but I dare say there are parts that will raise your hackles, regardless.
Chapter 1 is more or less an overview of the theme of the book: that software bugs are bad, that consumers and the media tolerate those bugs to an unreasonable extent, and that those same consumers must act to stem the trend toward more broken software. I'll address his on-point evidence as I discuss the following chapters.
Chapter 2 addresses an important, if not always obvious question: why do software bugs exist in the first place? The short answer is that it's difficult to think of every possible interaction and exception when devising an algorithm. The author employs some interesting mental experiments in the process of the discussion to make this fact more evident to non-programmers. He also mentions some historically important bugs (including the recently-historical Y2K). So far, nothing earth shattering....
With Chapter 3, the journey moves from easy to confrontational. To sum the chapter's theme in one sentence, software is buggy because programmers are slack and customers are more slack. As a counterpoint to the oft-heard statement, "Bug-free software is impossible," Minasi examines the Capability Maturity Model in detail, including how it has been shown to reduce error rates, and why most firms do not employ it. You won't feel complimented by this explanation. In short, most software firms don't try very hard to keep defects out of their software because they expect defects to occur, and (according to one survey), 15% of software firms do not even bother to test their software at all before shipping. I'm always one to quote the adage about the three kinds of lies, but somehow I'm inclined to believe this one. Why don't firms test? Basically because they can get away with it, and programmers don't want to be told they've made a mistake. The argument that bug-free software is too expensive is, of course, the same argument the meat packing industry made at the end of the 19th century, that wholesome meat was too expensive and impossible to produce. Fortunately for everyone, that excuse was eventually put to rest. Minasi believes the software excuse should be equally put out of its misery. The author does make one point that I disagree with, however, in that he claims that process isn't really for "geniuses," only "regular" programmers. I would argue, however, that everyone needs process to channel whatever genius they may possess, and that structure does not stand counter to creativity. The author also addresses some of the shortcomings of the CMM, but in the end believes that the evidence behind process, any process, is overwhelming.
Chapter 4 moves into another arena near and dear to our hearts: UCITA. As I read this chapter, I kept finding my jaw hanging open in astonishment at the gall of the software industry and the law they have crafted. This book is fairly recent, and thus the information current, although I recommend checking Cem Kaner's site or Slashdot for the most recent information. I won't go into bloody detail here, but suffice to say under UCITA the software industry can disclaim all responsibility for their software, while simultaneously putting unreasonable restrictions on your usage of that software. Amazingly convenient, huh? You could also no longer treat software like a book, as the software industry would completely control the software even after you had purchased/licensed it. Needless to say, a raw deal for the consumer.
Chapter 5 proposes an interesting rehash of Yourdon's The Decline and Fall of the American Programmer. Now, before I proceed, I've never actually read that book, so this analogy is based on my understanding of Yourdon's thesis. Basically, Minasi compares today's software industry to the auto industry of the 1950's. At that time, cars had more or less reached technological maturity. Marketing ruled the industry, as all the cars were more or less the same. Planned obsolescence was invented, and quality declined as more and more useless features (e.g. fins) were added to cars. Of course, we all know the end of that story. The Japanese car industry invaded and smacked Detroit around for a while before the American automakers were able to recover. Minasi proposes that the American software industry is in a similar situation today, and UCITA could exacerbate that tendency. Could another country's software industry rise up? Minasi doesn't really offer any competitors at this point, but the threat is certainly there.
Chapter 6 exhorts users to stand up for quality software, just as they would stand up for quality in other products. Write letters. Don't pay for bug fixes. Help stop UCITA. Nothing earth-shattering again, but important nonetheless.
Chapter 7, the conclusion, paints two pictures of the future, one rosy, where buggy software is brought under control, and one bleak. I won't spoil them for you, but suffice to say the bleak one might surprise you. In any event, an effective storytelling mechanism.
Finally, there is an appendix of how to fix your current software, or at least get around its problems. Programmers might scoff at the information contained therein, but your mother will likely find it useful.
What's Good?
If you don't want too technical of a read, and you're interested in why software is in its current state, this is an excellent and informative book. The rationale is sound, and the information on UCITA is important to educate others about its dangers, especially when the time comes for a vote in your state. In short, read this book if you're tired of crappy software, or you don't know why software is crappy.
What's Bad?
On the other hand, if you think process is silly, and you're doing the best you can, dangit, you won't enjoy this book. I would like to think that most open source proponents would understand the importance of testing, but then again I don't remember reading too many test plans for OS projects. Whatever. Regardless, this book might not be for you if you want a detailed, technical discussion of the state of software, and you're already well up on your UCITA info. YMMV.
So What's In It For Me?
Regardless of who you are, coder or suit, what this book discusses will impact you. The U.S. software industry is going to be fundamentally shaped for decades to come by what happens in the next few months and years. It behooves you to understand the implications of where we are going, regardless of where you stand on the issue.
- Table of Contents
- Introduction
- When Some Bugs Bite, They Kill
- Why Are There Bugs? How Defects Happen
- It Doesn't Take a Genius, It Just Takes a Process: Building Good Software
- Software and the Law
- Bugs and the Country: Software Economics
- Fighting Back: How to Improve Software
- The Future
- Appendix: Software Self-defense
- Endnotes
- Index
-
Keep It Legal To Embarrass Big Companies
Maybe Peacefire's timing is bad. Two courts have recently said that the reverse-engineered DeCSS program is illegal to publish in the United States, and UCITA gets closer every second. Yet Peacefire today released a program that reverse-engineers the encryption on a list of sites blocked by a major censorware product. Maybe T-shirts that say 'X-Stop has a 68% error rate for blocking student homepages' will get classified as munitions next. Bennett Haselton shares his thoughts (below) on corporate crypto.
Bennett Haselton is the founder and head of Peacefire, an activist group to support the free-speech rights of young people. He suggests that you might want to download the X-Stop "smoking gun" evidence (4MB) before the company has a chance to remove it from their server.
The feature below was written by Mr. Haselton.
X-Stop is an Internet censoring program with an encrypted database of 370,000 URL's blocked under various categories: Sex, Drugs, Rock `n' Roll, etc. Their competitors like SurfWatch and Cyber Patrol also do not publish their blocked site lists; the officially given reason is to keep kids from using the lists to find smut on the Internet. This is silly, given how easy it is to find Internet porn without the aid of X-Stop's secret database (although if you still want to, you can download our codebreaker, follow the instructions to get the X-Stop list and decrypt it, and help yourself). But for the next part of our report, after we decoded the URL list, we looked at the first 50 URL's in the .edu domain that were still valid, and found that 34 of them were regular student home pages with nothing offensive (hence the "68% error rate" t-shirt slogan). None of those 34 students who responded to our e-mails could think of why X-Stop would want to block their pages.
X-Stop admits on their Web site that their database is put together by a Web spider called "Mudcrawler" and not by human reviewers, but even for a machine, a 68% error rate is pretty bad. And even though the real reason why these lists are encrypted is obviously to keep competitors from stealing them, this also makes it much harder for third parties to find out what the programs really block. In fact, X-Stop had once claimed that every URL on their list was reviewed by a human before getting blocked, but cyber lawyer Jonathan Wallace called them on it when he published "The X-Stop Files" in 1997, asking why X-Stop blocked several sites like the Quakers home page, the AIDS Quilt, and parts of Jonathan's own e-zine, The Ethical Spectacle. Peacefire also put up a page in 1998 about sites blocked by X-Stop, including an affirmative action site and a blind children's hospital. But these examples were all found through trial and error; today is the first day that the entire list of URL's has been made public. And to determine the 68% figure, it was necessary to have a copy of the entire list, so that the first 50 blocked sites could be used as a random sample.
So far, this is more or less the same story that took place in 1997 with another blocking program, CYBERsitter, right down to Jonathan Wallace posting a page about CYBERsitter and getting his site blocked. First, several people posted articles criticizing CYBERsitter's policies, and slowly CYBERsitter's public image deteriorated as word got out that they were blocking sites which criticized their company (even Time magazine got blocked, and then posted an article about how they found themselves on CYBERsitter's list). Then in April 1997, Peacefire released a program that broke the encryption on CYBERsitter's list of blocked URL's. CYBERsitter sent Peacefire a threatening letter demanding that we take down the program and remove all of our links to CYBERsitter's Web page. Jim Tyre, a volunteer lawyer and future founding member of the Censorware Project, sent CYBERsitter a reply telling them they had no case, and we never heard from them again. But UCITA, the Digital Millennium Copyright Act, and the two court injunctions against the right to post DeCSS, didn't exist in 1997. If we had released the CYBERsitter codebreaker today, would CYBERsitter actually file a lawsuit?
The outcome of the DeCSS court cases could, in fact, determine the rights of a private citizen to embarrass a big software company by reverse engineering their products and catching them in a lie. It's easy to forget the importance of legal protection for reverse engineering, because sometimes public opinion is enough: RealNetworks never sued Richard Smith when he revealed that copies of RealPlayer included a "globally unique identifier" to track users' listening habits, and Microsoft never sued Andrew Schulman when he discovered that Windows 3.1 threw up fake error messages about DR-DOS. These were large companies that would have been crucified if they had tried to sue someone for discovering something that the public thought they had a right to know anyway. But legal protections are still important, because sometimes public opinion isn't enough - when the software company doesn't have much of an online reputation to worry about, or when they have a reputation but they don't care about it.
The RIAA, with their campaigns against MP3 technology and reverse-engineering SDMI, is an example of an organization that doesn't care about their online image - and why should they, since we all download our music for free anyway. CYBERsitter is another good example - they do care about their reputation, but in 1997 their image was that of a children's guardian angel and an ally in fighting government censorship, almost immune to criticism. It took an enormous amount of bad press - letters from CYBERsitter's CEO threatening ISP's and flaming people in general, and at one point actually mail-bombing a lady who sent them a complaint - before even advocates of blocking software started distancing themselves from the company. Even today, CYBERsitter's public image is fairly rosy, and their campaigns of legal harassment hardly affected their reputation at all. (What had you heard about CYBERsitter before you read this article?) It's hard to imagine Microsoft, for example, filing a similar lawsuit without embarrassing themselves and turning their intended target into a martyr. The real threat to "reverse engineering for the public good" is from medium-sized companies, small enough that not everything they do will get in the news, but still big enough to afford lots of lawyers.
This threat affects not just programmers, but even journalists who get anonymous tip-offs - like Brock Meeks and Declan McCullagh, who were threatened with an FBI investigation by CYBERsitter in 1996, after they published their "Keys to the Kingdom" article about sites that CYBERsitter and other "censorware" programs blocked. The part of the article that got them in so much trouble was this excerpt from CYBERsitter's bad-word file:
[up][the,his,her,your,my][ass,cunt,twat][,hole]
[wild,wet,net,cyber,have,making,having,getting,giving,phone][sex...]
[,up][the,his,her,your,my][butt,cunt,pussy,asshole,rectum,anus]
[,suck,lick][the,his,her,your,my][cock,dong,dick,penis,hard on...]
[gay,queer,bisexual][male,men,boy,group,rights,community,activities...]
[gay,queer,homosexual,lesbian,bisexual][society,culture]
[you][are][,a,an,too,to][stupid,dumb,ugly,fat,idiot,ass,fag,dolt,dummy]
If this now counts as a "trade secret" under the Digital Millennium Copyright Act, then our list of the 50 .edu sites blocked by X-Stop - and the study that found the 68% error rate - could be declared illegal. And under UCITA, CYBERsitter could even claim the enforceability of these excerpts from their license agreement:
Reverse Engineering Prohibited
Unauthorized reverse engineering of the Software, whether for educational, fair use, or other reason is expressly forbidden. For the purposes of this license the term "reverse engineering" shall apply to any and all information obtained by such methods as decompiling, decrypting, trial and error, or activity logging.
Non-Disclosure
Unauthorized disclosure of CYBERsitter operational details, hacks, work around methods, blocked sites, and blocked words or phrases are expressly prohibited.
So any CYBERsitter user who even discusses what the program blocks, would be in violation. Not that CYBERsitter would enforce this against everybody, but they probably would have liked to enforce it against Brock and Declan.
At this point, we don't know how X-Stop will respond to our report. But we do know that for all of their bluster, CYBERsitter never actually sued Brock, Declan or Peacefire. Given that CYBERsitter pursued the matter for months (and the fact that Brock and Declan had actual money), if CYBERsitter gave up, it's because they had no case. If the Digital Millennium Copyright Act, UCITA, or the DVD court rulings change that situation, then it will become much harder to criticize blocking software - or any kind of software - except for the user interface and other things that users can "see" without looking under the hood.
-
Maryland, Virginia Consider UCITA
Bob Kopp writes "The state legislatures of Maryland and Virginia are among the first in the nation to consider passage of the Uniform Computer Information Transaction Act (UCITA). The Washington Post has coverage here." The Federal Trade Commission says that UCITA allows software companies to place "restrictions on a consumer's right to sue for a product defect, to use the product, or even to publicly discuss or criticize the product." If you oppose UCITA and live in Maryland or Virginia, you need to call or fax your legislators immediately.
-
Software Licensing, 2001
We were going to run this even before Ledge Kindred submitted it. Cem Kaner of Badsoftware.com has written a nice piece detailing the problems with UCITA, the new law which is being proposed across the United States and which will have terrible effects on the rights of software consumers.
A bit of background for readers unfamiliar with the process: The Uniform Commercial Code is a body of law which is enacted, pretty much identically, in all 50 states. The object is to have a similar business environment for the basics of commerce, so that neither buyers nor sellers are blindsided. If the law is fair, both buyers and sellers benefit from uniform expectations about basic commercial transactions.
But of course, laws evolve. The Uniform Computer Information Transactions Act began its life as an amendment to the UCC, but it was so unbalanced in favor of software companies that one of the initial sponsoring organizations dropped out, and it could no longer be considered a UCC amendment. Yet it lives on.
UCITA legitimizes heinous license restrictions in software, actively promoting the worst software practices. Should it pass, the very concept of "used software" (video games, etc.) will disappear, since that can and will be prohibited by licensing terms. Better sell your Funcoland stock. Badsoftware.com has many more examples of how UCITA legitimizes things that big software companies only dream of today, such as prohibiting reverse engineering or even criticism of their products.
As you read this, UCITA is being pressed in states across the country, starting with those where the software industry giants have the most highly-paid lobbyists. Virginia appears to be one of the lead states, and is considering the bill right now in committee. By this time next year, UCITA is likely to be the law of the land. This may seem to be somewhat dry reading, but if you ever use non-GPL software or purchase a computer in the future, this is what you can look forward to. -- Michael Sims, michael @ slashdot.org
Cem Kaner writes:
The August 30th, 1999 issue of the National Law Journal carried an article favoring the Uniform Computer Information Transactions Act. I protested to the Journal about the bias of the article and was invited to write a response, but the inviting Editor left the Journal shortly thereafter, and my response was never published. The claims made in that article, which was written by the Chairman of the UCITA drafting committee and two of his colleagues, are being (and will continue to be) repeated to legislators who are considering the Act. Perhaps your readers will find this rebuttal of interest.
[Editor's note: the pro-UCITA article referenced above is available at http://test01.ljextra.com/na.archive.html/99/08/1999_0822_61.html.]
I grant permission to any reader to recirculate or publish this article, so long as it is attributed to me and published in its entirety (including endnotes). If you are recirculating or publishing it, please let me know.
THE UNIFORM COMPUTER INFORMATION TRANSACTIONS ACT
In the August 30th, 1999 issue of the National Law Journal, Carlyle C. Ring, H. Lane Kneedler and Gail D. Jaspen presented the proposed Uniform Computer Information Transactions Act ("Uniform law for computer info transactions is offered"). Mr. Ring chaired the drafting committee that wrote UCITA.
UCITA is a proposed law that will govern all transactions involving computer software, electronic databases (such as WestLaw), downloaded books, and some entertainment products. It can also apply to computers and some other goods if their manufacturers put an appropriate notice in the product packaging.
Although the Ring et al. article reported years of work on UCITA as a proposed Article 2B addition to the UCC, it failed to mention that the UCC is a joint project between the American Law Institute (ALI) and the National Conference of Commissioners on Uniform State Laws (NCCUSL). It failed to mention that the ALI called for "fundamental revision" of the draft in May, 1998 (1) and withdrew from the project in April, 1999, effectively killing 2B as a UCC project. Thereafter, NCCUSL renamed the project as UCITA and went forward alone. The ALI members of the Article 2B drafting committee refused to join the UCITA drafting committee. (2)
Although authors Ring, Kneedler, and Jaspen acknowledged that UCITA is a controversial proposal, they listed only its supporters and not such opponents as the Attorneys-General of 24 states, the Bureaus of Competition, Consumer Protection, and Policy Planning of the United States Federal Trade Commission, the leading software developers' professional societies (such as the Association for Computing Machinery, the Institute of Electrical and Electronics Engineers, and the American Society for Quality, Software Division), software trade groups representing small developers (the Independent Computer Consultants Association, the Free Software Foundation), the five main library associations, leading intellectual property experts (including the American Intellectual Property Law Association, Committee of Copyright and Literary Property of the Association of the Bar of the City of New York, and fifty intellectual property law professors), other copyright industry associations (such as the Motion Picture Association of America, the National Association of Broadcasters, and the Newspaper Association of America), and every consumer advocacy group that has looked at the bill. (3)
UCITA will have profound effects on intellectual property rights and the quality and security of computer software.
INTELLECTUAL PROPERTY
Under UCITA, almost all software-related transactions will be licensing transactions. When a consumer buys a copy of Microsoft Word and a copy of a book about the program, the software transaction would be a license while the book transaction is a sale, even if the two items were side by side, the customer bought them both from the same cashier, and the software license was not available to the customer until after she paid for the product and took it away. Under UCITA 102(a)(42) a transaction can be a license even if the licensee is given title to the transferred copy.
This is a shift from long-established treatment of intellectual property in the mass market. To see the history of this issue in copyright law, shepardize Jewelers' Mercantile Agency v. Jewelers' Pub. Co., 155 N.Y. 241 (1898) (rejected the fiction of a lease offered to all comers that restricted transfer of the book and use of information in it); Bobbs-Merrill Co. v. Straus, 210 U.S. 339 (1908) (rejected a restrictive notice on a book that prohibited the buyer from reselling the book for less than a minimum price. Under the first sale doctrine, publisher lost its property interest in an individual copy of a book once it sold that copy. The restrictive notice could not transform a sale into a license); RCA Mfg. Co. v. Whiteman, 114 F.2d 86 (2d Cir. 1940) (Licensing language on record albums could not convert a mass-market sale into a license.) For patent law, look at the doctrine of exhaustion, starting with Motion Picture Patents Co. v. Universal Film Manufacturing Co. 243 U.S. 502 (1917).
According to authors Ring, Kneedler, and Jaspen, "UCITA is intended neither to avoid nor to contradict the large body of existing federal intellectual property law." Others vigorously disagree. For example, the American Intellectual Property Law Association (4) protested to NCCUSL that UCITA "eliminates the 'first sale' doctrine" (which allows the owner of a copy to sell it or give it away). Under UCITA 503(2), "a term prohibiting transfer of a party's interest is enforceable, and a transfer made in violation of that term is a breach of contract and is ineffective." A vendor who puts a no-transfer clause in the license achieves a market-wide restriction -- equivalent to elimination of the first sale doctrine. By allowing vendors to enforce such restrictions in the mass-market, UCITA allows them to evade the federal balancing of private and public rights in intellectual property.(5)
Reverse engineering is another example of the intellectual property reach of UCITA. Reverse engineering is a normal engineering practice.(6) Clauses barring reverse engineering have been enforced in negotiated licenses, but not in mass market cases.(7) Some software publishers want to ban reverse engineering in the mass market. Despite authors Ring, Kneedler, and Jaspen's claim of UCITA's neutrality on this issue, UCITA makes contractual use restrictions (no-reverse-engineering is a use restriction) prima facie enforceable. Individual courts might rule that such a restriction is invalid under federal law or against public policy, but it will take several expensive court cases before software developers will know whether they can still lawfully reverse engineer mass-market software in the face of a shrink-wrapped contract term that claims that they cannot.
The AIPLA letter noted that "The President of . . . [NCCUSL], Gene Lebrun, wrote . . . that it is 'expressly stated in Section 2B-105 [that] Article 2B does not displace or change intellectual property law.' . . . We are extremely concerned that the proposed UCITA draft is not consistent with . . . the assurance of President Lebrun." UCITA Reporter Ray Nimmer complained of "distortions" in the debate on UCITA, identifying as a "misrepresentation" "that UCITA allows licensors to prevent licensees from commenting about the products. This allegation makes nice copy and superficial impact, but is simply untrue. You can scroll through the UCITA draft and will not find any such provision." (8) Opponents quickly point to UCITA section 102(a) (20), which defines "contractual use restriction" as "an enforceable restriction created by contract which concerns the use or disclosure of, or access to licensed information or informational rights, including a limitation on scope or manner of use." Section 307(b) states that "If a license expressly limits use of the information or informational rights, use in any other manner is a breach of contract." Under the statute's own definition, a nondisclosure clause is a contractual use restriction. Under Section 307(b), such a restriction is enforceable.
These provisions may keep vital information from the marketplace. Consider the following restrictions, downloaded (July 20, 1999) from www.mcafee.com, the website for VirusScan, a mass-market software product, on July 20, 1999.
"The customer shall not disclose the results of any benchmark test to any third party without McAfee's prior written approval."
"The customers will not publish reviews of the product without prior consent from McAfee."Clauses like these are enforceable in traditional, negotiated licenses, and they are used to block magazine reviews.(9) UCITA arguably extends the enforceability of such clauses even in mass market products. Perhaps they will eventually be found to conflict with public policy but until then, the plain language of UCITA will have a chilling effect on criticism of mass-market products.
SOFTWARE SECURITY
UCITA section 816 allows software vendors to place disabling codes in software and to activate them remotely (such as by sending an e-mail) to shut down a customer's use of the product.
Such disabling codes create a hole in the customer's system security. UCITA section 816 remedies for wrongful use of such codes are probably not triggered if the software is shut down accidentally or by a third party (such as a cracker who learns the code or a disgruntled former employee of the vendor).
Self-help was portrayed in the UCITA meetings as something essential to protect the interests of small licensors. However, the only group attending the UCITA meetings that represents only small licensors, the Independent Computer Consultants Association, urged NCCUSL to reject self-help. It recommended that licensors be protected without creating the disabling code security risk to customers by statutory authorization for recovery of attorney fees by licensors who obtain an injunction to terminate misuse of the software. This proposal was repeatedly rejected.
CONSUMER PROTECTION
UCITA is hostile to customers of all sizes. It validates post-payment presentation of material terms and permits licensors to put in a form contract a term that allows them to keep changing terms. Licensors can exclude incidental and consequential damages even when an agreed remedy fails of its essential purpose. The drafters rejected proposals from the software engineering professional societies (ACM, IEEE, and ICCA) to allow customers to recover damages caused by defects that were known to the licensor but not documented or disclosed to the licensee. Instead, the standard form exclusion of incidental damages allows the licensor to charge a support fee (such as $5 per minute on the telephone) when a consumer calls to complain about a defect that was known by the licensor when it licensed the software. Software products are often sold in the mass market with hundreds or thousands of known defects. (10) For additional detailed notes on consumer impact of UCITA, see the articles in the note. (11)
Authors Ring, Kneedler, and Jaspen say that "UCITA alters no state laws relating to the applicability of consumer protection to databases, consumer services or software." In contrast, 24 Attorneys General and the Administrator of the Georgia Fair Business Practices Act said that UCITA's "rules deviate substantially from long established norms of consumer expectations. We are concerned that these deviations will invite overreaching that will ultimately interfere with the full realization of the potential of e-commerce in our states." (12)
The Attorneys General also said that UCITA's "prefatory note and reporter's comments incorrectly present the proposed statute as balanced and as leaving 'in place basic consumer protection laws' and 'adding new consumer and licensee protections that extend current law.' . . . [I]n instances in which provisions are described as new consumer protections, such as the contract formation and modification provisions discussed below, consumers actually have fewer rights than they do under present law. . . . NCCUSL . . . should revise the explanatory materials accompanying the statute to scrupulously identify the instances in which the policy choices embodied in the statute either extend or resolve controversies in current law and to clearly explain whether such extension or resolution favors sellers/licensors or buyers/licensees."
NOTES
(1) Jean Braucher, "Why UCITA, Like UCC Article 2B, is Premature and Unsound", UCC Bulletin, July 1999, www.2BGuide.com/docs/0499jb.html.
(2) (www.2BGuide.com/docs/50799dad.html).
(3) See www.badsoftware.com/oppose.htm and www.2bguide.com.
(4) Letter to NCCUSL, July 16, 1999.
(5) Robert P. Merges, "Intellectual Property and the Costs of Commercial Exchange: A Review Essay," 93 Mich. L. Rev. 1570, 1613, 1995; Mark A. Lemley, "Beyond Preemption: The Law and Policy of Intellectual Property Licensing," 87 Cal. L. Rev. 111, 1999, http://papers.ssrn.com/paper.taf?abstract_id=98655.
(6) Cem Kaner, Article 2B and Reverse Engineering, UCC Bulletin, November, 1998, 1, www.badsoftware.com/reverse.htm.
(7) Sega Enterprises Ltd. v. Accolade, Inc., 977 F.2d 1510 (9th Cir. 1992); Vault Corp. v. Quaid Software Ltd., 847 F.2d 255 (5th Cir. 1988). "Correcting Some Myths About UCITA", http://www.2bguide.com/docs/rne.html
(8) "The Test That Wasn't" August 1999 PC Magazine 29. According to that article, Oracle "formally declined to let us [PC Magazine] publish any benchmark test results."
(9) Cem Kaner & David Pels, Bad Software: What To Do When Software Fails.
(10) Federal Trade Commission letter www.ftc.gov/be/v990010.htm; Steven Chow (a member of the UCITA drafting committee) "Proposed Uniform Computer Information Transactions Act: Bad For Commerce And Innovation" www.2bguide.com/docs/citopp.html; Cem Kaner, "Comments on Article 2B" (section-by-section analysis) October 1998, www.badsoftware.com/kanerncc.htm; "Bad Software: Who is Liable" (analyzes software economics and UCC 2B) May 1998, www.badsoftware.com/asqcirc.htm; and
(11) "Article 2B - Report from the November 13-15, 1998 Meeting", www.badsoftware.com/uccnov98.htm.
(12) Letter to NCCUSL, www.badsoftware.com/aglet1.htm and www.badsoftware.com/aglet2.htm.
-
Software Licensing, 2001
We were going to run this even before Ledge Kindred submitted it. Cem Kaner of Badsoftware.com has written a nice piece detailing the problems with UCITA, the new law which is being proposed across the United States and which will have terrible effects on the rights of software consumers.
A bit of background for readers unfamiliar with the process: The Uniform Commercial Code is a body of law which is enacted, pretty much identically, in all 50 states. The object is to have a similar business environment for the basics of commerce, so that neither buyers nor sellers are blindsided. If the law is fair, both buyers and sellers benefit from uniform expectations about basic commercial transactions.
But of course, laws evolve. The Uniform Computer Information Transactions Act began its life as an amendment to the UCC, but it was so unbalanced in favor of software companies that one of the initial sponsoring organizations dropped out, and it could no longer be considered a UCC amendment. Yet it lives on.
UCITA legitimizes heinous license restrictions in software, actively promoting the worst software practices. Should it pass, the very concept of "used software" (video games, etc.) will disappear, since that can and will be prohibited by licensing terms. Better sell your Funcoland stock. Badsoftware.com has many more examples of how UCITA legitimizes things that big software companies only dream of today, such as prohibiting reverse engineering or even criticism of their products.
As you read this, UCITA is being pressed in states across the country, starting with those where the software industry giants have the most highly-paid lobbyists. Virginia appears to be one of the lead states, and is considering the bill right now in committee. By this time next year, UCITA is likely to be the law of the land. This may seem to be somewhat dry reading, but if you ever use non-GPL software or purchase a computer in the future, this is what you can look forward to. -- Michael Sims, michael @ slashdot.org
Cem Kaner writes:
The August 30th, 1999 issue of the National Law Journal carried an article favoring the Uniform Computer Information Transactions Act. I protested to the Journal about the bias of the article and was invited to write a response, but the inviting Editor left the Journal shortly thereafter, and my response was never published. The claims made in that article, which was written by the Chairman of the UCITA drafting committee and two of his colleagues, are being (and will continue to be) repeated to legislators who are considering the Act. Perhaps your readers will find this rebuttal of interest.
[Editor's note: the pro-UCITA article referenced above is available at http://test01.ljextra.com/na.archive.html/99/08/1999_0822_61.html.]
I grant permission to any reader to recirculate or publish this article, so long as it is attributed to me and published in its entirety (including endnotes). If you are recirculating or publishing it, please let me know.
THE UNIFORM COMPUTER INFORMATION TRANSACTIONS ACT
In the August 30th, 1999 issue of the National Law Journal, Carlyle C. Ring, H. Lane Kneedler and Gail D. Jaspen presented the proposed Uniform Computer Information Transactions Act ("Uniform law for computer info transactions is offered"). Mr. Ring chaired the drafting committee that wrote UCITA.
UCITA is a proposed law that will govern all transactions involving computer software, electronic databases (such as WestLaw), downloaded books, and some entertainment products. It can also apply to computers and some other goods if their manufacturers put an appropriate notice in the product packaging.
Although the Ring et al. article reported years of work on UCITA as a proposed Article 2B addition to the UCC, it failed to mention that the UCC is a joint project between the American Law Institute (ALI) and the National Conference of Commissioners on Uniform State Laws (NCCUSL). It failed to mention that the ALI called for "fundamental revision" of the draft in May, 1998 (1) and withdrew from the project in April, 1999, effectively killing 2B as a UCC project. Thereafter, NCCUSL renamed the project as UCITA and went forward alone. The ALI members of the Article 2B drafting committee refused to join the UCITA drafting committee. (2)
Although authors Ring, Kneedler, and Jaspen acknowledged that UCITA is a controversial proposal, they listed only its supporters and not such opponents as the Attorneys-General of 24 states, the Bureaus of Competition, Consumer Protection, and Policy Planning of the United States Federal Trade Commission, the leading software developers' professional societies (such as the Association for Computing Machinery, the Institute of Electrical and Electronics Engineers, and the American Society for Quality, Software Division), software trade groups representing small developers (the Independent Computer Consultants Association, the Free Software Foundation), the five main library associations, leading intellectual property experts (including the American Intellectual Property Law Association, Committee of Copyright and Literary Property of the Association of the Bar of the City of New York, and fifty intellectual property law professors), other copyright industry associations (such as the Motion Picture Association of America, the National Association of Broadcasters, and the Newspaper Association of America), and every consumer advocacy group that has looked at the bill. (3)
UCITA will have profound effects on intellectual property rights and the quality and security of computer software.
INTELLECTUAL PROPERTY
Under UCITA, almost all software-related transactions will be licensing transactions. When a consumer buys a copy of Microsoft Word and a copy of a book about the program, the software transaction would be a license while the book transaction is a sale, even if the two items were side by side, the customer bought them both from the same cashier, and the software license was not available to the customer until after she paid for the product and took it away. Under UCITA 102(a)(42) a transaction can be a license even if the licensee is given title to the transferred copy.
This is a shift from long-established treatment of intellectual property in the mass market. To see the history of this issue in copyright law, shepardize Jewelers' Mercantile Agency v. Jewelers' Pub. Co., 155 N.Y. 241 (1898) (rejected the fiction of a lease offered to all comers that restricted transfer of the book and use of information in it); Bobbs-Merrill Co. v. Straus, 210 U.S. 339 (1908) (rejected a restrictive notice on a book that prohibited the buyer from reselling the book for less than a minimum price. Under the first sale doctrine, publisher lost its property interest in an individual copy of a book once it sold that copy. The restrictive notice could not transform a sale into a license); RCA Mfg. Co. v. Whiteman, 114 F.2d 86 (2d Cir. 1940) (Licensing language on record albums could not convert a mass-market sale into a license.) For patent law, look at the doctrine of exhaustion, starting with Motion Picture Patents Co. v. Universal Film Manufacturing Co. 243 U.S. 502 (1917).
According to authors Ring, Kneedler, and Jaspen, "UCITA is intended neither to avoid nor to contradict the large body of existing federal intellectual property law." Others vigorously disagree. For example, the American Intellectual Property Law Association (4) protested to NCCUSL that UCITA "eliminates the 'first sale' doctrine" (which allows the owner of a copy to sell it or give it away). Under UCITA 503(2), "a term prohibiting transfer of a party's interest is enforceable, and a transfer made in violation of that term is a breach of contract and is ineffective." A vendor who puts a no-transfer clause in the license achieves a market-wide restriction -- equivalent to elimination of the first sale doctrine. By allowing vendors to enforce such restrictions in the mass-market, UCITA allows them to evade the federal balancing of private and public rights in intellectual property.(5)
Reverse engineering is another example of the intellectual property reach of UCITA. Reverse engineering is a normal engineering practice.(6) Clauses barring reverse engineering have been enforced in negotiated licenses, but not in mass market cases.(7) Some software publishers want to ban reverse engineering in the mass market. Despite authors Ring, Kneedler, and Jaspen's claim of UCITA's neutrality on this issue, UCITA makes contractual use restrictions (no-reverse-engineering is a use restriction) prima facie enforceable. Individual courts might rule that such a restriction is invalid under federal law or against public policy, but it will take several expensive court cases before software developers will know whether they can still lawfully reverse engineer mass-market software in the face of a shrink-wrapped contract term that claims that they cannot.
The AIPLA letter noted that "The President of . . . [NCCUSL], Gene Lebrun, wrote . . . that it is 'expressly stated in Section 2B-105 [that] Article 2B does not displace or change intellectual property law.' . . . We are extremely concerned that the proposed UCITA draft is not consistent with . . . the assurance of President Lebrun." UCITA Reporter Ray Nimmer complained of "distortions" in the debate on UCITA, identifying as a "misrepresentation" "that UCITA allows licensors to prevent licensees from commenting about the products. This allegation makes nice copy and superficial impact, but is simply untrue. You can scroll through the UCITA draft and will not find any such provision." (8) Opponents quickly point to UCITA section 102(a)(20), which defines "contractual use restriction" as "an enforceable restriction created by contract which concerns the use or disclosure of, or access to licensed information or informational rights, including a limitation on scope or manner of use." Section 307(b) states that "If a license expressly limits use of the information or informational rights, use in any other manner is a breach of contract." Under the statute's own definition, a nondisclosure clause is a contractual use restriction. Under Section 307(b), such a restriction is enforceable.
These provisions may keep vital information from the marketplace. Consider the following restrictions, downloaded (July 20, 1999) from www.mcafee.com, the website for VirusScan, a mass-market software product, on July 20, 1999.
"The customer shall not disclose the results of any benchmark test to any third party without McAfee's prior written approval."
"The customers will not publish reviews of the product without prior consent from McAfee."Clauses like these are enforceable in traditional, negotiated licenses, and they are used to block magazine reviews.(9) UCITA arguably extends the enforceability of such clauses even in mass market products. Perhaps they will eventually be found to conflict with public policy but until then, the plain language of UCITA will have a chilling effect on criticism of mass-market products.
SOFTWARE SECURITY
UCITA section 816 allows software vendors to place disabling codes in software and to activate them remotely (such as by sending an e-mail) to shut down a customer's use of the product.
Such disabling codes create a hole in the customer's system security. UCITA section 816 remedies for wrongful use of such codes are probably not triggered if the software is shut down accidentally or by a third party (such as a cracker who learns the code or a disgruntled former employee of the vendor).
Self-help was portrayed in the UCITA meetings as something essential to protect the interests of small licensors. However, the only group attending the UCITA meetings that represents only small licensors, the Independent Computer Consultants Association, urged NCCUSL to reject self-help. It recommended that licensors be protected without creating the disabling code security risk to customers by statutory authorization for recovery of attorney fees by licensors who obtain an injunction to terminate misuse of the software. This proposal was repeatedly rejected.
CONSUMER PROTECTION
UCITA is hostile to customers of all sizes. It validates post-payment presentation of material terms and permits licensors to put in a form contract a term that allows them to keep changing terms. Licensors can exclude incidental and consequential damages even when an agreed remedy fails of its essential purpose. The drafters rejected proposals from the software engineering professional societies (ACM, IEEE, and ICCA) to allow customers to recover damages caused by defects that were known to the licensor but not documented or disclosed to the licensee. Instead, the standard form exclusion of incidental damages allows the licensor to charge a support fee (such as $5 per minute on the telephone) when a consumer calls to complain about a defect that was known by the licensor when it licensed the software. Software products are often sold in the mass market with hundreds or thousands of known defects. (10) For additional detailed notes on consumer impact of UCITA, see the articles in the note. (11)
Authors Ring, Kneedler, and Jaspen say that "UCITA alters no state laws relating to the applicability of consumer protection to databases, consumer services or software." In contrast, 24 Attorneys General and the Administrator of the Georgia Fair Business Practices Act said that UCITA's "rules deviate substantially from long established norms of consumer expectations. We are concerned that these deviations will invite overreaching that will ultimately interfere with the full realization of the potential of e-commerce in our states." (12)
The Attorneys General also said that UCITA's "prefatory note and reporter's comments incorrectly present the proposed statute as balanced and as leaving 'in place basic consumer protection laws' and 'adding new consumer and licensee protections that extend current law.' . . . [I]n instances in which provisions are described as new consumer protections, such as the contract formation and modification provisions discussed below, consumers actually have fewer rights than they do under present law. . . . NCCUSL . . . should revise the explanatory materials accompanying the statute to scrupulously identify the instances in which the policy choices embodied in the statute either extend or resolve controversies in current law and to clearly explain whether such extension or resolution favors sellers/licensors or buyers/licensees."
NOTES
(1) Jean Braucher, "Why UCITA, Like UCC Article 2B, is Premature and Unsound", UCC Bulletin, July 1999, www.2BGuide.com/docs/0499jb.html.
(2) (www.2BGuide.com/docs/50799dad.html).
(3) See www.badsoftware.com/oppose.htm and www.2bguide.com.
(4) Letter to NCCUSL, July 16, 1999.
(5) Robert P. Merges, "Intellectual Property and the Costs of Commercial Exchange: A Review Essay," 93 Mich. L. Rev. 1570, 1613, 1995; Mark A. Lemley, "Beyond Preemption: The Law and Policy of Intellectual Property Licensing," 87 Cal. L. Rev. 111, 1999, http://papers.ssrn.com/paper.taf?abstract_id=98655.
(6) Cem Kaner, Article 2B and Reverse Engineering, UCC Bulletin, November, 1998, 1, www.badsoftware.com/reverse.htm.
(7) Sega Enterprises Ltd. v. Accolade, Inc., 977 F.2d 1510 (9th Cir. 1992); Vault Corp. v. Quaid Software Ltd., 847 F.2d 255 (5th Cir. 1988). "Correcting Some Myths About UCITA", http://www.2bguide.com/docs/rne.html
(8) "The Test That Wasn't" August 1999 PC Magazine 29. According to that article, Oracle "formally declined to let us [PC Magazine] publish any benchmark test results."
(9) Cem Kaner & David Pels, Bad Software: What To Do When Software Fails.
(10) Federal Trade Commission letter www.ftc.gov/be/v990010.htm; Steven Chow (a member of the UCITA drafting committee) "Proposed Uniform Computer Information Transactions Act: Bad For Commerce And Innovation" www.2bguide.com/docs/citopp.html; Cem Kaner, "Comments on Article 2B" (section-by-section analysis) October 1998, www.badsoftware.com/kanerncc.htm; "Bad Software: Who is Liable" (analyzes software economics and UCC 2B) May 1998, www.badsoftware.com/asqcirc.htm; and
(11) "Article 2B - Report from the November 13-15, 1998 Meeting", www.badsoftware.com/uccnov98.htm.
(12) Letter to NCCUSL, www.badsoftware.com/aglet1.htm and www.badsoftware.com/aglet2.htm.