CIOs Worried About UCITA
NeXuSnine pointed out that CIOs of major companies are starting to fight UCITA.
Personally, I like the argument floated by UCITA's supporters:
"Large businesses, theoretically, should be able to negotiate contracts with vendors that protect and exclude provisions they don't want." In other words, these UCITA supporters knew small businesses and individuals would get screwed, but they figured big companies wouldn't mind because they write their own rules anyway. Now, even some big businesses are worried UCITA goes too far.
Not only does UCITA make a direct attack on free software, by giving the weight of law to any attempts by a company to frustrate hackers who try to reverse engineer protocol and file format capabilities, it provides a tool to prevent proponents of free software from even discussing its advantages.
Under UCITA, a software company can make it an actionable breach of contract to say anything they don't like about their product. One of the reasons that free software has become more and more popular is that it has moved beyond being interesting to people who want to hack on source code or who care about freedom as a political concept; people are now using free software because proponents of Linux, *BSD, Apache, etc, have managed to convince people that free products can do the job better than non-free ones.
Consider: if UCITA had existed, Larry Wall might have found himself violating a license arrangement in developing Perl by including sh, awk, and sed features in the language. And even if he didn't, he wouldn't have been able to tell people about the virtues of Perl unless owners of the awk code had been prepared to allow him to explain that Perl is like awk, only better.
Likewise, how do you explain that Linux+Apache works better as a high-volume web server than Windows 95 + Personal Web Server? Microsoft could claim that the latter was suitable to run an ecommerce site with - and no-one who actually used the software would be able to disagree without being targeted for legal action. Oh, and a sudden inability to use the machine Windows was on.
Or, for a more concrete example, when it became apparent an early Service Pack for NT (1 or 2, I forget now) was corrupting NTFS volumes under certain circumstances, Microsoft refused to admit there was a problem. It was only after mainly Internet based lobbying and discussion of real world use of the SP that Microsoft were eventually forced to admit there was a mistake and correct it. Free software advocates can cite this as an example of why not to put data at the mercy of a closed-source company. Under UCITA, Microsoft could have sued anyone who claimed that the Service Pack was faulty, ignored the problem, and prevented anyone thereafter using it as PR. Sure, a bunch of people would have lost their data, but they're only customers.
Microsoft could intentionally take a piece of software I wrote, use it in some improper manner or figure out some way that my program can be made to fail on their machines, and then SUE ME FOR DAMAGES???
Ack!!! Stallman is right. This is a very serious problem! It's not even a question of whether joe blow could sue me if he wanted to- this apparently gives blanket permission for anyone or anyTHING, up to and including MS, to sue free software developers anytime they feel 'damaged'! It's a weapon, plain and simple.
At least things aren't going to change much if you are already resigned to being a _criminal_... in fact this makes the definition of 'criminal' potentially ridiculous and not commonsense at all. Instead of "What was your crime?" "I reverse engineered somebody's program" which is vaguely criminal-seeming, it could be "I wrote a text editor and gave it away for free and Microsoft deployed it on 600 desktops and upgraded a dll and my text editor broke so they are suing me for $50,000 in damages." To which the average person would say, "Huh??"
This is _messed_ _up_. When you read RMS on the matter, don't think solely in terms of end-users, individuals, potentially being able to sue free software authors and win. The worse problem is that it makes it possible for a Microsoft to set up a situation where somebody's software breaks in well-documented and accounted-for circumstances, then take that information and sue the developer under UCITA, obliterating them. Yes, this would be both cynical and blatantly using the legal system as a game and a weapon. Yes, it'd be unprecedented evilness. But lord, would it be effective and profitable to just shut down anybody giving away software by creating situations where their stuff failed and 'caused harm' and then suing.
Ack! This is almost too messed up to imagine. I have to wonder if the legal system itself, juries, judges would rebel at following through on the implications of all this. Surely in order to act on legislation of such evilness, human beings have to be convinced that it is in fact both 'the law' and just? There might be cases of "Your honor, in accordance with UCITA we find the defendant Guilty, as we were directed to do. We fine him One Cent..."
Maybe if this is successful, big software-using companies might start lobbying against software patents too?
After all, for every large software publisher like Microsoft or Lucent who benefit from software patents, there are a dozen equally large software users who lose out from the market distortion and lack of competition that software patents cause.
-- Ed Avis ed@membled.com
That's funny, when I dealt with IBM it was more like:
Our emulator works best, but it's free with the mainframe so no problem. If you need a couple extra CDs for it, we'll give you those free too. We'll even pay for the shipping.
They'll work on any PC.
If they don't work on a specific kind of PC, call us and we'll figure out how to make it work.
You should upgrade some of your PCs. The emulator won't give you good results on something that slow.
Buying new PCs from us? You have to specifically request monitors, we don't sell PCs with the monitor included, it's *ALWAYS* a separate item, except on the PS/1.
Are you sure that was IBM you were dealing with? Your assertions run completely contrary to all my dealings with them.
Of course, perhaps your dealings were in a market size I'm not used to. I've only dealt with IBM in companies ranging from half a dozen employees to the Fortune 50 corp I work for now.
No, but it could stand to bar any form of reverse engineering... Even if the only purpose of it is to be able to interoperate. That pretty much kills off a LOT of opensource projects, right there. So in essence, it would bar opensource... Openstandards would only last until a company decided to extend them a smidgen more. By keeping those changes proprietary, they could "rightfully" sue anyone that was able to communicate with their software that was using a non-approved application, on the grounds that the only way the client software could communicate with the server is if someone had reverse engineered the protocol... It could become very scary very quickly if UCITA passes.
Just follow these simple steps:
Oh, damn, Microsoft have beaten me to it....
--
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
Lately I've been hearing from the hacker/geek community that big business is no good and should be abolished.
We need big business to be alive.
This is the step in the right direction to ensure the survival of big corporations. Sure there's some companies like AOL who want to screw others, but without big business you'd probably still be working at a factory for minimum wage. And you'd have trouble making a good enough living to even own a house.
As far as I can say, this is the best thing business is doing right now.
(note to moderators: this is not flamebait)
I feel like picking a fight with everyone who thinks they are right. - Rainmakers
(Sorry to diverge. I tried to submit this as a reply to the article. But I already posted a direct reply to the article on a different piece of the issue, and the Slashdot software thinks this is a repeat and won't post it. This thread seems the most closely related.)
The UCITA and the DMCA seem to interact tightly.
UCITA's "self help" provision says companies can write code that they can turn off if there's a dispute - by remote control or time-bombs - before the dispute is resolved in court.
DMCA makes it a felony to defeat such software "protection" schemes.
Discovery in the court case of the original dispute would expose the defeat of the protection scheme, even if it hadn't already been obvious from the continued operation of the company.
So the software purchasers are totally at the mercy of the software vendors.
And the software vendors don't need to announce the protection schemes. So there's no way to tell if they're there without reverse-engineering (which is almost certainly banned by the license under the UCITA and may be a crime under the DMCA), or finding out when the software stops working - at which point you're a felon if you even try to turn it back on to keep your business running.
Nasty.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Your average Joe isn't pushing this law. You know who's pushing this law? BIG BUSINESS! That's right. Who's pushing the DMCA? BIG BUSINESS! They'll merrily strip you of rights guaranteed you in the constitution in order to make a buck.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
However it is a precedent and I wouldn't be surprised if the UK or EU use this template for modelling their own laws.
I'm not entirely sure if I remember this correctly but I believe that the High Court over here in the UK ruled that end-user license agreements were not valid and had no power in law, so something like the UCITA as it stands could not become law over here. Of course they could still try to get the rest of it passed...
Molog
So Linus, what are we doing tonight?
So Linus, what are we going to do tonight?
The same thing we do every night Tux. Try to take over the world!
Yes there were those who thought that the pro-slavery and the anti-slavery sides could peacefully get along. But the pro-slavery guys just kept pushing it, and pushing it, and being harsher on slaves, families, runaways, until they just pushed it too far (they seceded from the union). I guess they just believed that slavery was a basic right. That without it there was no INCENTIVE to bring forth America's glorious textile industry. And since they PUT EFFORT INTO IT, that is acquiring and training slaves, they only naturally assumed that ownership was their right. Of course slavery started out as indentured servitude that had an EXPIRATION, but the slave owners quickly changed that. Only prestigious and respectable business men had slaves, and only thieves would free them. Of course in hindsight, if only they realized that slavery wasn't a PROPERTY RIGHT they might have been able to avoid the harsh consequences that brought about its end.
David
I can pirate software, then include it in my program. How would anyone know, unless they decompile portions of code? But that won't be allowed under the "click wrap" agreement!
[sarcasm mode off]
Fight Spammers!
I don't think that other countries will likely simply 'model' their legislation after this bill. But as Big Money has vested interests in it in the US, pressure will be applied through the WTO to enforce the provisions in other countries.
Their clout enforcing intellectual property issues is astounding--here in Canada it looks like we will be required to extend the duration of patent rights in conformity with the WTO (read US), which will rapidly inflate our drug expenses.
I can't even imagine what the precedent is assumed to be... there certainly isn't one outside software (imagine renting a car whose engine cuts out on the highway because you exceeded the allowed mileage, or the company didn't like your monitored driving habits).
I think we're looking at the revival of intellectual serfdom, where one cannot buy anything to generate their own profit, but rather is required to rent at an arbitrary and changing price fixed by the intellectual nobility. I'm surprised software companies haven't already thought of software-for-shares arrangements. Welcome the new economy.
I know that many folks here already know the issue. For everyone else....
www.gnu.org/philosophy/ucita.html
From the article: "You see, UCITA says that by default a software developer or distributor is completely liable for flaws in a program; but it also allows a shrink-wrap license to override the default. Sophisticated software companies that make proprietary software will use shrink-wrap licenses to avoid liability entirely. But amateurs, and self-employed contractors who develop software for others, will often be shafted because they didn't know about this problem. And we free software developers won't have any reliable way to avoid the problem"
Here's a summary of the point: Free software can't avoid the increased, default, liability because a shrink-wrapped licence can't be applied to something that isn't shrink-wrapped!
That means that if you write something, and include a licence in a text file that says "no warranty", the "no warranty" licence doesn't apply -- you're still liable even if you never make a cent!
There are numerous other reasons why this -- to grab a quote from Ghostbusters -- is "A bad thing" for free software.
Come to think of it, the UCITA probably applies to Shareware, "free" programs from various web sites, and other non-shrink-wrapped commercial software, too. There's another angle...
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
First posting ever to slashdot. If I commit some cardinal sin, please forgive me.
1. UCITA allows for the "self help feature" to be installed in software. How many people think MS has already hidden this feature deep in win2k in anticipation of UCITA passing? What would happen if some clever hackers were to start actively searching for it and documented how it could be exploited. How would major corporations react to find that such a security hole had intentionally been inserted in win2k and they were not notified? I would love to see some hackers start looking for such a backdoor in order to educate people on how they had been scammed. This assuming of course, that MS really was dumb enough to jump the gun on installing a backdoor. I for one, would be willing to bet my first born that they are.
2. UCITA has a clause stating that "neither party is entitled to the source code". Now if someone uses GPL'ed code and then re-releases it under UCITA without the source, will they get away with it? The infamous "embrace and extend"? Most people argue that the GPL will supersede UCITA, and I agree that it should. What bothers me is that the GPL has never been tested. The GPL falls into the same trap as the EULA in that it is questionable in its ability to be enforced. How certain is the open source community that the GPL will hold water if tested in court against the UCITA?
You need to go to your management, wherever you work and say:
"There's an effort to get all 50 states to pass legislation called UCITA that removes the last vestige of liability from software vendors. It also makes it legal for them to insert back-doors into the software that, hypothetically, only they would be able to use to shut down your software if they feel that you've violated your license.
What I need you to do is a) ask yourself if you are comfortable with the current no-warranty nature of software, let alone new laws to further limit liability b) think about the damage that will be caused when the "hackers" figure out how to remotely shut down your software and c) start thinking about what our company should be doing to either support or oppose this law."
That's it. No frills. No "evil empire" scenario. Just present it in terms that they will understand and cannot afford to ignore. Anyone who can keep a business running will recognize the danger, here.
I've been thinking about adding a "At some point we may demand first born children from you. Or root beer." to the license on the code I send out. I wonder what legal would make of that...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Plenty of excellent resources and arguments.
The most important point nobody here seems to be mentioning is the fact that a remote shutdown system could be easily cracked and used maliciously. Someone is going to find out how to trigger the kill switch, and then we'd have a streak of DoS attacks that could cripple entire corporations. CEOs don't care about user inconveniences, but they'll think twice before allowing their entire corporate infrastructure to be knocked offline by some 12-year-old script kiddie.
What the heck is a 'sig'?
Thanks for buying our mainframe
- Now you need our emulator to access the mainframe from your personal computers.
- We'll sell you the emulators if you only run them on our PC's.
- But look, you only have to deal with us. No incompatibility!
- You should upgrade your PC's. Our emulators won't run well on something that slow.
- Of course you need to buy new monitors. We don't sell computers without monitors!
So, the vendor gave us a decent price, all we ended up paying for was a lot of new 17 inch monitors to replace our year old 17 inch monitors, which replaced the perfectly good 15 inch monitors. For obvious reasons, the used monitor market in this town is doing a good business (We're not the only game in town, some companies are giving them away...) The PC's are another story. We have been sold the worst chunks of hardware I can imagine. These motherboards are designed to never have a single component upgraded, so they're useless to anyone who gets our old ones. (Our last batch had microchannel...) At this point we could always get smart and say no and keep using the current system. However, when the vendor, under UCITA, can turn your system off, you are really at his mercy.
The frightening thing is that if a vendor can turn you off from a remote location, so can a hacker...
I wait for the day when a company's major competitor signs an exclusive contract with a vendor and the vendor turns off that client's software...:)
-----
No Zen is good zen
You try to lock someone into your product, and arrange that they cannot switch. It is when you have achieved lock-in that you can crank your profit margin.
:-(
Given the existence of subtle dependencies in software the achievement of lock-in has historically been surprisingly easy. The main problem is that after being burned so many times in one area customers are eager to run to anything resembling an open standard. The second problem is that given the reproducibility of software it is very easy for customers to not stick to the limits you want to enforce. Not surprisingly many of these limits have to do with squeezing every penny, and more of them have to do with discouraging the existence of an open standard.
What UCITA is about is achieving through law more than can be achieved technologically. Of particular concern to the open source movement (which of course is an ultimate form of open standard) are the conditions meant to discourage open standards. For instance draconian prohibitions on reverse-engineering. Of particular concern to any CIO with a brain is...pretty much everything.
I wish the CIOs all of the best.
Ben
My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
While legally this would not affect non-US users, it will in fact have an effect, especially if it is adopted in the majority of states. The software produced in the US will likely contain the enforcement mechanism for the self help provision of UCITA. As a result, the company will have the ability, if not the legal right, to shut down your software (or is it theirs now?) at will. Not legally, mind you. But that won't stop crackers, either.
wake up and find out that you are the eyes of the world.
The National Conference of Commissions on Uniform State Laws adopted UCITA in July. The conference recommends commercial code law and sends it to the 50 states for their adoption.
This organization seems to be a multi-state collection of regulators (i.e. members of state executive branches) acting as a national legislature. They debate in private (or at least with zero press coverage) and are heavily lobbied. They construct the text of proposed laws and submit them to the state legislatures simultaneously.
So the general public goes from nothing to a bunch of identical bills simultaneously submitted in state legislatures all over the country. And if they want to oppose them, or even modify them, they have a war on dozens of fronts, against a very organized group that has almost achieved its objective. They almost certainly lose in several states, after which the proposed legislation, in its original form, becomes a de-facto national standard. So they can't even modify a line.
Such laws are as pervasive as federal laws. But they draw their power from the several states, which are not as limited by the federal constitution. And there's no central place to repeal these laws - you have to get ALL the states to go along simultaneously.
I think that, at a minimum, the organization needs some serious sunlight - in the form of investigation and exposure to press - or alternative press - coverage of their operations and deliberations. (At least that way people could find out earlier when their ox is about to be gored, and maybe have a chance to head off bad legislation when it's in the formative stages.)
Beyond that, there's the question of whether it's proper for state executive branches to participate in the crafting of multi-state legislation. Is it intrusion on another branch's prerogatives? Is this one of the powers that is supposed to be reserved to the Federal government? Are "sunshine laws" violated?
This kind of coup is hardly unprecedented: It's how we got a federal constitution in the first place: The Continental Congress set up a committee to propose some amendments to the Articles of Confederation (their "constitution"). The Federalists took over the committee, drafted the US Constitution, and bypassed the Continental Congress, submitting it to the states directly. It had a "bootloading" provision that when more than a fixed number of the states adopted it, it started, the adopters were detached from the Continental Congress (leaving it without a quorum) and attached to the Federation, and the rest of the states were out in the cold unless they signed up, too. (The Bill of Rights was the result of a rear-guard holding action by the Anti-Federalists, an allegedly minor concession they won in return for surrendering in a battle they were already losing.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
If I were the CIO of a large company, I would be worried that my negotiating position would be much weaker with UCITA. After all, it pretty much creates a legal software cartel. Why would any member of this cartel break ranks and give me what I want, when I wouldn't be able to get it from any other vendor? But my real concern would be that the legislation could trigger an even greater decline in the quality of shrinkwrapped software.
On the other hand, if the measure passes and vendors make full use of it, the drive to all-Open Source could become unstoppable.
The difference between theory and practice is that, in theory, there is no difference between theory and practice.
The company I am a developer for, a MAJOR ERP vendor, ships many many different applications with each new release. We certify each release with a subset of 3rd-party software, including:
- The operating system (Windows plus a dozen or so Unixes, Mainframe OS's etc.)
- The middleware product
- Certain office suites which integrate with our stuff
- Reporting tools such as Crystal
- Web servers (the first two that popped into your head, for example)
- etc.
The list goes on and on. More importantly, we also BUILD our software with a bunch of 3rd-party products, which provide everything from the middleware API to the STL we use.
Now imagine how screwed we'd be if we couldn't count on support contracts and liability contracts from any of those vendors? The quality of our product would become a random quantity based on how charitable those 3rd-party vendors were feeling today. And we'd be forced to ship this crap to our customers, passing the joy on to them. Sure, we'd be somewhat legally protected from the wrath of our customers by the UCITA, but just because they couldn't sue us doesn't mean they have to buy from us. They'd probably go back to developing everything in-house or buying only from vendors who provide 100% of the functionality from a single site. As of today, I doubt there is a single vendor who can claim THAT.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
The article comments that big companies should have enough leverage to negotiate non-UCITA contracts if they don't like UCITA's provisions. A very interesting quote from one software purchaser gives the lie to that statement:
IOW, software companies naturally have a dominant negotiating position with corporate customers because of migration costs. If that's really true, why do companies need UCITA? You've got me.
Of course this is exactly the argument that ESR uses to show that businesses need free/open source software. If you get mission critical software from a sole source vendor, they already have your balls in a vise. All UCITA does is to make that a bit more explicit.
There's no point in questioning authority if you aren't going to listen to the answers.