Public Utilities Report, Inc.


Point, Click, and Beware: What Utilities Should Know About the Uniform Computer Information Transactions Act


November 1, 2000
By Stanley A. Klein


How the new law can threaten system security—and bolster the case for open source software.

Every week, employees in all departments of a typical energy company might install new software and click their way through terms and conditions of use. They may open formatted spreadsheets or databases, entering the data that supports operations, load management, or marketing. System security is paramount, yet all is not secure. Under a new uniform law being considered for adoption in state after state, the publishers of commercial proprietary software may have a legal right to "inspect" the user's data warehouse at will. Worse yet, the smallest violation of terms that may be posted on the publisher's website could leave users open to various "self-help" remedies. Such self-help implies the right to terminate license agreements, bar access to data stored in proprietary formats, or even remote disablement, carried out by entering the user's system via certain "security holes," embedded in the software code for just such a purpose.

And since those security holes will be common knowledge, consider who else might gain access. Once let in, the invader could threaten the entire utility system—not just the one application with the shrink-wrap license.

This new law, known as the Uniform Computer Information Transactions Act, or UCITA, which recently became effective in Maryland and is being considered in other states, has potentially serious impacts for all businesses that use computers. But the effects are especially significant for utilities.

Over the past 40 years or so, the electric power industry has become highly dependent on sophisticated computers and communications systems. Electric power is consumed at the instant it is produced, and the computer and communications systems ensure that production and consumption are balanced instantaneously, the system is operated as reliably and efficiently as possible, and relevant accounting, maintenance, and business operations are supported appropriately.

And now comes utility restructuring, which only heightens this dependence. Competitive generation is giving rise to a wide range of new market structures and processes, including communications protocols and financial products, all of which depend heavily on associated computer and communications systems. Anything that adversely affects users of computer and communications systems has the potential also to disrupt the electric power industry. UCITA establishes rules and default contract provisions that are biased to benefit large software publishers and online services over their users, suppliers, and potential competitors. They favor the software publishers in contracting, use restrictions, warranties, and remedies. As will be discussed, protecting your company and its critical business data depends on taking software licenses seriously, studying their fine print, and requiring management and legal approval before accepting them. That will require revision of business processes, because licenses and changes will be presented to many employees in various circumstances. Computer and communications systems also must be designed and operated to avoid the adverse impacts of UCITA.

To avoid this maze, utilities might consider using open-source software. But if that is impossible or impractical, then systems at least should be designed and operated with contingency planning for loss of the right to read the proprietary formats of critical data files.

Vendor Rights: License, Restrictions and Remedies

The UCITA legislation is several hundred pages long, including about 80 pages of legislative text, plus "Reporter's Notes" that interpret the drafting committee intent. (See sidebar, "UCITA: A Legislative History.") Any brief discussion of UCITA can provide only an overview and a few examples of its impacts.1 Even so, such an introduction is clearly worthwhile. As a first step, consider the impacts of UCITA in several areas:

  • Acceptance of contracts,
  • Restrictions on transfer and use,
  • Warranties, remedies, and self-help (remote disablement).

Contract Acceptance. In the process of shopping and contracting for software, UCITA acts in many ways to give the upper hand to the software publisher or online service provider. Begin with the fact that licensors are allowed to conceal their contract terms from the licensees until long after the transaction ordinarily would be regarded as having been concluded, i.e., to the point at which the licensee is preparing to install the program and begin using it. According to an informal survey reported at the Maryland hearings by Steven Chow, a dissenting member of the drafting committee, 95 percent of software publishers will not reveal their license terms prior to purchase.

In one of the few improvements made in the Maryland hearings, the UCITA draft was amended to ensure that the licensee has a right to print the contract terms for review prior to "manifesting assent" and a right to have a copy accessible for subsequent reference. The lack of such a rule in the draft language was not an oversight; it was discussed in the drafting committee, where licensors prevailed in their desire to have licensees dependent on them to even know what terms they had accepted. Of course, the licensor gets to define the actions that constitute manifestation of assent.

UCITA authorizes a number of ways for the software publisher or online service to change the terms of contracts after acceptance by the licensee. Under one method, the publisher simply posts the changes to a website. Continued use of the product after the web posting would constitute acceptance of the changes. But consider the problem of publishers including contract changes in the terms of a "click-wrap" agreement.

A click-wrap refers to the fine print that pops up on the computer screen from time to time, such as when a user initially installs the program, loads a bug fix, or installs a program update. The click-wrap situation can arise without prior notice, and the terms of acceptance may override agreements previously accepted by the licensee, including contracts negotiated by management and legal counsel. In another option, if the user allows an automatic, Internet-based update feature in the software, the update feature could include an "electronic agent" programmed to automatically accept accompanying contract changes on the user's behalf.

In comparison shopping and product selection, the licensee cannot depend on publicly available information to determine the capability and quality of the product. Under UCITA, shoppers can be forced to depend exclusively on what the licensor tells them about the product. UCITA also provides licensors with means for evading treatment of their sales claims and product demonstrations as express warranties.

UCITA grants control of shopping information to licensors by allowing them to enforce any use restrictions they include in their licenses, unless a restriction can be shown to violate a fundamental public policy whose enforcement clearly outweighs enforcement of the restriction. Some existing licenses that would be made enforceable under UCITA impose use restrictions that prohibit licensees from disclosing or publishing information about product quality, performance, and other relevant product comparisons. One might imagine that this violates the principles of free speech, but the large software publishers have been treating this issue as a matter of trade secrecy and non-disclosure, which also has a legal basis.

UCITA allows the software publisher to retain ownership not only of the intellectual property, but also of the software copy and the physical media received by the licensee. That takes away any user rights that are associated with "ownership" or "ownership of a copy" under relevant law.

UCITA includes a number of default provisions and other rules that can be used to abuse licensees and others. For example, there are at least two instances in which UCITA makes the plain language of a contract inoperable unless accompanied by other special language. These include a publisher's contract to correct defects and a contract for disclosure of an idea.

UCITA also contains a default provision allowing a software publisher to terminate arbitrarily almost any license after a "reasonable time" (for example, when the publisher decides to require the licensee to pay for upgrading the software). That license termination can be done even if the software license was purchased in a single payment (such as at a retail store), simply by including "source code" in the software package.2 UCITA does not define source code or state how much source code must be included to activate this provision. Note that the license for Windows 98 states that it contains source code—notably a sample program for the software feature implicated in many of the information security scares of the past few years.

Choosing Your Software: Ten Points to Ponder

1. The licensor defines what actions will create acceptance of the contract.

2. Ninety-five percent of software publishers will not reveal their license terms prior to purchase.

3. UCITA allows the software publisher to change contract terms unilaterally.

4. In shopping for software, users cannot depend on public information on product quality.

5. In Maryland, it required an amendment to the uniform law to give users a right to access and print contract terms after acceptance.

6. Violation of a use restriction can automatically terminate the user's license and expose the user to federal criminal liability.

7. Software publishers can arbitrarily terminate almost any license after a "reasonable time."

8. Self-help rights allow software publishers to intrude on users and remotely disable the software.

9. Publishers can hide "security holes" in the product to allow them to intrude.

10. To reinforce self-help rights, publishers will design the product to prevent backup, recovery, or reinstallation. So once the product is killed, it stays dead. —S.A.K.

Use and Transfer. UCITA allows a software (or other "computer information") publisher to impose any use or transfer restriction, limited only by the creativity of the publisher's legal staff. As stated, UCITA creates an extremely high barrier to escaping such use and transfer restrictions.

Such transfer restrictions might even interfere with internal corporate restructuring or outside merger deals. Consider this example of a transfer restriction3 found in an existing license:

Neither this Agreement, nor any rights hereunder, may be assigned by operation of law or otherwise, in whole in part, by Client without the prior, written permission of [the software provider]. Any sale of more than fifty percent (50 percent) of the common voting stock of, or other right to control, Client shall be deemed an assignment. Any purported assignment without such permission shall be void.

Under UCITA, violation of a restriction automatically can terminate the license. Operation of software or use of information with a terminated license exposes the licensee to federal criminal penalties. Each time the user launches and opens a software application or uses the information stored within, data is copied internally within the user's computer. After a license is terminated, each internal copy operation is counted by applicable court decisions as a separate theft. When the cumulative value of thefts within a six-month period reaches $1,000, federal law4 is violated. At $2,500, it becomes a felony. For example, if a user discloses information to a prospective purchaser on defects or product performance of a $100 computer program (where prohibited by the license) and then uses the program every day for a month, the user can be prosecuted for a federal felony.

One of the most serious, and common, software use restrictions is prohibition of reverse engineering—that is, the evaluation of software to discover its internal workings. Reverse engineering is a critical part of computer technology. Under federal intellectual property law, it is regarded as fair use, explicitly allowed for certain purposes—including interoperability, information security, and privacy protection—under the Digital Millennium Copyright Act. UCITA essentially allows a non-negotiable contract to be created that waives these protections.

The technical implications of a reverse-engineering restriction are far-reaching. Although UCITA recognizes that the licensee's data belongs to the licensee, if the data is stored in the licensor's proprietary format, the licensee's access to the data effectively can be blocked by termination of the license. Allowing restriction of reverse engineering stifles competition by preventing the creation and offering of products that can read the licensor's formats or otherwise interoperate with the licensor's products. In effect, that allows the licensor to make it difficult, expensive, or infeasible for the licensee to escape using its product, even if the product is defective or no longer satisfies the licensee's needs.

UCITA also contains no protections for licensee privacy. A simple extension of the theory that the publisher owns the software and can restrict its use leads to the concept that the publisher can inspect the use of the software to enforce the license terms. That would imply that the publisher can embed technology in the software that reports back to the publisher regarding relevant aspects of the software's use. For example, one restriction found in a license forbids the use of the supplied clip art to create any document that is scandalous or disparaging (with choice of law being that of Ireland). Enforcement of such restrictions could lead to intrusive violations of privacy, which recently have been reported as feasible with certain products.

Warranty and Self-help. The warranty provisions of UCITA allow large software publishers to substantially escape liability for defects, evade express warranties, and impede customers seeking to protect their rights. UCITA allows the publisher to escape liability (and even charge a fee) for reporting a defect known to the publisher, undisclosed to the licensee,5 and planned to remain unfixed.

Self-help occurs when a party to a legal dispute "helps itself" to a solution instead of depending on a court. The common example is automobile repossession.

The self-help provisions of UCITA create a potentially serious threat to the information security of licensees' computer systems. Such threats are especially serious for utilities, as they represent an element of the national critical infrastructure. UCITA allows the licensor to intrude on the licensee's system and remotely disable its software if the licensor believes the licensee has violated the license terms. This right might accrue if the licensee dares to (1) publish a prohibited review of the software, (2) disclose defects or performance information prohibited by the license, (3) reorganize without the licensor's permission, or (4) use the software in a manner or for a purpose prohibited by the license.

UCITA provides a few legal protections for the licensee. An extra click-wrap term must be accepted, and the licensee is entitled to prior notice. A Maryland amendment, later adopted by UCITA's drafting committee, prohibits use of self-help on "mass-market" software. According to a column by Ed Foster in Infoworld,6 the definition of "mass market" does not necessarily protect business users or include software obtained in business-to-business venues. Also, in a recent column,7 Foster reported that a separate provision of UCITA allowing "electronic regulation of performance" appears to include an additional variation of self-help.

To enable a publisher to exercise self-help, information security holes that permit the publisher to intrude must be embedded in the product. However, the danger posed by UCITA self-help is independent of the legalities of its exercise. All users will receive a product with the security holes, unless the publisher creates a separate version for delivery where self-help cannot be exercised. Also, if the user can restore the product from backup or reinstall it from original media, any self-help intrusion will pose at most a temporary disruption. Therefore, the publisher must design the product to interfere with the user's ability to perform backup and recovery, so once the product is "killed" it stays "dead."

The critical problem is that use of the security holes is not limited to the publisher. Anyone who discovers how to use them can perform a "denial of service" attack on the licensee (for that is what self-help is called in information security terms), and may be able to gain entry for other malicious purposes. Under UCITA's warranty provisions, the software publisher can completely escape liability for malicious third-party intrusion that exploits the self-help features. Also, innocent third parties harmed by a licensor's improper use of self-help are not allowed to sue the licensor whose action harmed them.

The location of the self-help-capable software within the organization is no protection. For example, if the self-help capability is located in an office product in the accounting department, a malicious intruder might be able to use that entry point as a means of attacking the real-time utility operations. A security gap in any part of an enterprise can become the entry point for malicious intrusion on other parts of the enterprise.

One of the most important legal notices that can be sent under UCITA is a notice that the software publisher intends to exercise self-help. However, under the e-commerce provisions of UCITA, a notice is deemed "received" when it enters the system of the recipient's Internet service provider, even if no person ever sees it. Furthermore, the notice is deemed received even if it is deliberately formatted to be intercepted and dumped by the filters that might be used by the recipient to intercept unwanted commercial e-mail (so-called "spam"). Such formatting is simple. For example, under the default rules of the Microsoft Outlook spam filter (as reported on the Risks Forum8), a message containing a double exclamation point, a dollar sign, and ",000" anywhere in the text will be treated as spam. It is easy to construct a legal notice that contains these elements.

User Protection: Defensive Strategies for Employees and Management

In spite of UCITA's pervasive intrusions, utilities can map out an organized defensive strategy to protect data and system security. A strategy for protecting your business9 necessarily involves changes in management oversight and business processes.

Managerial Oversight. Senior management and legal counsel must become extensively involved in reviewing, approving, and managing software licenses and related issues. Under UCITA, a "shrink-wrap" license accepted by a junior receiving clerk merely by opening the software package—or a click-wrap license accepted by a junior technician—is just as binding on the corporation as a contract signed by the CEO with full legal review. Either license could override the provisions of a CEO-signed contract.

Legal counsel should become thoroughly familiar with UCITA and with the analyses of its problems. Excellent analyses include those of Cem Kaner10 and Elaine McDonald11 (although they do not identify all of the problems, which continue to be discovered).

Management should adopt policies and practices to ensure that all software license terms are reviewed and approved by legal counsel and appropriate managers before they are accepted. These precautions should not be limited to software, and especially not limited to initial acquisition of products within the scope of UCITA. They should include every time anyone in the organization is confronted with a shrink-wrap situation, a click-wrap situation, the potential activation of an electronic agent, or an e-commerce situation within the scope of UCITA.

Shrink-wraps and click-wraps can arise any time new information is obtained from a software or information publisher. That could include bug fixes, software updates, database updates, virus signature updates, technical notices and other clarifying documentation, or any access to online services. An electronic agent, programmed by the licensor to accept license changes automatically, could be activated by any software option that includes an online connection to the licensor directly or indirectly. Accordingly, there should be management, legal, and technical review prior to selection of any such software options.

In ongoing relationships, licensors are allowed by UCITA to include provisions in their licenses establishing that changes become effective when posted to a web page. If any such licenses are accepted, there must be active, daily monitoring of the relevant web pages. According to Kaner, these contracts can be made non-cancelable (even if the new license terms are onerous), but at least management and legal counsel will be alerted to the situation.

Business Processes. The policies and practices requiring review and approval of license terms will require changes in associated business processes. For example, there will need to be explicit procedures for referring licenses and license changes for review/approval, and for ensuring that once approval is obtained, the license terms accepted (in the manifestation of assent process) are the same as those approved by management. That is especially important when the license is an online click-wrap and the terms may have been changed by the licensor during the approval process.

Other business processes that will need to be changed include the processes of product selection and procurement, the management of post-installation product acceptance and warranty claims, and the process of receiving notifications on e-commerce contracts.

In most current procurement processes, the product selection phase ends when an order is placed. Under UCITA, the product selection phase must be continued until management approves the license terms. One way to do this is to continue to evaluate alternative products until license terms have been approved on one of the candidate products. Indeed, if license terms (e.g., warranties, use restrictions, transfer restrictions, demand for self-help) are of concern in the selection and comparison process (as they should be), these terms may not be known until just prior to initial product installation, even if there is a negotiated contract.

The process of managing warranty claims should be centralized with management and legal participation. According to Kaner, some situations will require the licensee to perform extensive testing of a defective product to discover all defects prior to taking action to reject the product. The testing required of the licensee may turn out to be greater than that performed by the software publisher.

The process for receiving legal notices in e-commerce contracts will need to be carefully constructed. Issues that will need to be addressed in constructing this process include spam/porn filtering, coverage of notice addresses during travel, illness, or vacation status of the primary recipient, logging/tracking, and involvement of management and legal staff where necessary.
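As an added example (not from the article or its author), here is a Python sketch of the notice-handling precedence this paragraph and the earlier spam-filter discussion call for: licensor allow-listing and notice-keyword checks run before the token heuristic the article reports for the default Outlook filter, and every disposition is recorded so a notice is never silently discarded. The sender address, keyword patterns and sample messages are constructed for illustration.

```python
import logging
import re
from dataclasses import dataclass, field

# The three tokens the article reports as the default Outlook spam heuristic:
# a double exclamation point, a dollar sign and ",000" anywhere in the text.
SPAM_TOKENS = ("!!", "$", ",000")

# Hypothetical allow-list of licensor notice addresses, maintained by legal/IT.
LICENSOR_SENDERS = {"notices@licensor.example"}

# Phrases that mark a message as a possible contract or legal notice.
NOTICE_PATTERNS = [
    re.compile(r"\bnotice\b", re.IGNORECASE),
    re.compile(r"\bself-help\b", re.IGNORECASE),
    re.compile(r"\blicen[cs]e (terms|agreement)\b", re.IGNORECASE),
    re.compile(r"\btermination\b", re.IGNORECASE),
]

AUDIT_LOG = []  # in-memory tracking record; a real deployment would persist it
logger = logging.getLogger("legal_notices")


@dataclass
class Message:
    sender: str
    subject: str
    body: str

    def text(self):
        return self.subject + "\n" + self.body


@dataclass
class Disposition:
    queue: str                      # "legal", "spam" or "inbox"
    reasons: list = field(default_factory=list)


def naive_spam_rule(msg):
    """The filter as the article describes it: all three tokens present."""
    return all(tok in msg.text() for tok in SPAM_TOKENS)


def notice_indicators(msg):
    """Return the reasons a message should be treated as a legal notice."""
    reasons = []
    if msg.sender.lower() in LICENSOR_SENDERS:
        reasons.append("sender on licensor allow-list")
    reasons += [p.pattern for p in NOTICE_PATTERNS if p.search(msg.text())]
    return reasons


def route(msg):
    """Notice checks take precedence over the spam heuristic, and every
    disposition (including spam) is recorded so nothing vanishes silently."""
    reasons = notice_indicators(msg)
    if reasons:
        d = Disposition("legal", reasons)
    elif naive_spam_rule(msg):
        d = Disposition("spam", ["matched all spam tokens"])
    else:
        d = Disposition("inbox")
    AUDIT_LOG.append((msg.sender, msg.subject, d.queue, tuple(d.reasons)))
    logger.info("from=%s subject=%r queue=%s reasons=%s",
                msg.sender, msg.subject, d.queue, d.reasons)
    return d


# Constructed samples: a self-help notice worded so that it trips the token
# heuristic, an ordinary junk message, and a routine internal mail.
SELF_HELP_NOTICE = Message(
    "notices@licensor.example",
    "NOTICE of intent to exercise self-help remedies!!",
    "Your license terms were violated; unpaid fees of $10,000 are due.")
JUNK = Message("promo@junk.example", "Make $$$ fast!!",
               "Earn 50,000 a month from home.")
ROUTINE = Message("ops@utility.example", "Shift handover",
                  "Unit 2 back on line at 06:00.")

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for m in (SELF_HELP_NOTICE, JUNK, ROUTINE):
        print(m.subject, "-> naive spam:", naive_spam_rule(m),
              "| routed to:", route(m).queue)
```

The naive rule alone would have dropped the notice; with the notice checks first it reaches the legal queue while the junk message is still filtered.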

Open Source Software: A Third Way?

One good way to avoid some of the worst aspects of UCITA is to avoid proprietary software altogether. Fortunately, there is a large and important body of software that is not proprietary. It is variously12 called "free software," "open-source software," or "open code." This software runs roughly 40 percent of Internet service providers and e-commerce sites, is used in the mail sorting operations of the U.S. Postal Service, and serves mission-critical functions in numerous businesses including a small but growing number of utilities and utility-related services.

Examples of widely used software systems that are non-proprietary include GNU/Linux, FreeBSD, Apache, and Samba. There are a number of widely published licenses under which this software is distributed. The most famous of these licenses is the GNU General Public License originated and maintained by the Free Software Foundation. Other licenses can be found on the website of the Open Source Initiative.

The core principle of the non-proprietary software movement is the free distribution of the intellectual property in the software, which is developed by volunteer participants. A significant number of the "volunteers" actually are paid by their employers to participate. For example, university and government laboratories have contributed much software to the non-proprietary movement, and a recent report by the President's Information Technology Advisory Committee13 (PITAC) recommends that the nation's supercomputing effort be based on open source software.

Many commercial companies participate in the non-proprietary movement, and their business models and development processes are very different from those of proprietary software providers. Non-proprietary software companies add value to the otherwise free intellectual property by providing convenient distribution on media, system integration, user support, warranty support, information security support, enhanced documentation, and other services.14

The disadvantages of non-proprietary software include greater requirements for expertise, occasionally spotty support/cooperation by device manufacturers, and lack of many popular applications. The application picture is changing rapidly. For example, there are at least four office suites, two proprietary and two non-proprietary, available for GNU/Linux.

The advantages of non-proprietary software are many, however. It does not contain odious transfer or use restrictions that can result in federal criminal penalties if they are violated. It does not contain security holes placed there to enable self-help. It has warranty and damages disclaimers similar to those found in proprietary software, but non-proprietary software leaves the user in much better position. Although the demands for expertise and support are currently somewhat greater with non-proprietary software, the quality and reliability are at least equal to that of proprietary software.

With non-proprietary software, if all else fails, the user has access to the source code. In principle, that allows anyone to identify the cause of a problem and either fix the problem or develop a workaround. The development status, bug lists, and future plans for non-proprietary software often are posted on the Internet, so at least the user can be fully informed. With proprietary software, many large businesses use "software escrow" (contingent access to the source code) as protection against the proprietary publisher going out of business, dropping the product, or failing to provide support. For non-proprietary software, software escrow is not only unnecessary, but its equivalent protections are available to everyone without making formal arrangements.

If proprietary software must be used, it should be configured and operated with a view toward maintaining access to data even if the right to use the software is lost. In general, this means avoiding proprietary formats and interfaces, including proprietary extensions to standard formats and interfaces. That especially applies if the proprietary format or interface appeared on the market after UCITA became effective, or if the format had not been reverse engineered at the time UCITA became effective. The reverse-engineering restriction is likely to chill competition and development of compatible products, even if courts eventually strike it down. A landmark case in the area of reverse engineering was Sega vs. Accolade. Accolade won the case, allowing it to perform reverse engineering, but winning the case bankrupted the company.
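As an added illustration (not from the article), the following Python script implements the contingency check the paragraph above recommends: it inventories a data directory, identifies files held in a proprietary binary container by their content rather than their extension, and reports any that lack a current open-format export. The OLE2 magic bytes are the real container signature of the legacy binary office formats; the directory and file names are constructed.

```python
import tempfile
from pathlib import Path

# Magic bytes of an OLE2 compound document, the container used by the legacy
# binary office formats of the period; treated here as "proprietary".
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Open, text-based formats accepted as a contingency copy of the same data.
OPEN_EXPORT_SUFFIXES = (".csv", ".xml", ".txt")


def classify(path):
    """Classify by content, not by extension, since extensions can be renamed."""
    data = path.read_bytes()
    if data.startswith(OLE2_MAGIC):
        return "proprietary-binary"
    if data.startswith(b"<?xml"):
        return "open-text"
    try:
        data.decode("utf-8")
        return "open-text"
    except UnicodeDecodeError:
        return "unknown-binary"


def current_export(path):
    """Return an open-format sibling (same stem) that is at least as new as the
    proprietary file, or None if the contingency copy is missing or stale."""
    for suffix in OPEN_EXPORT_SUFFIXES:
        candidate = path.with_suffix(suffix)
        if candidate.exists() and candidate.stat().st_mtime >= path.stat().st_mtime:
            return candidate
    return None


def inventory(root):
    """Walk the tree and report every non-open file and whether it is at risk."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        kind = classify(p)
        if kind == "open-text":
            continue
        export = current_export(p)
        findings.append({
            "file": str(p.relative_to(root)),
            "kind": kind,
            "export": export.name if export else None,
            "at_risk": export is None,
        })
    return findings


def build_constructed_sample():
    """Constructed sample tree: one spreadsheet with a current CSV export,
    one without any export, and a plain-text file that needs no export."""
    root = Path(tempfile.mkdtemp(prefix="format_inventory_"))
    (root / "load_forecast.xls").write_bytes(OLE2_MAGIC + b"\x00" * 64)
    (root / "load_forecast.csv").write_text("hour,mw\n1,1200\n2,1150\n")
    (root / "meter_readings.xls").write_bytes(OLE2_MAGIC + b"\x00" * 64)
    (root / "notes.txt").write_text("operator notes\n")
    return root


def demo():
    return inventory(build_constructed_sample())


if __name__ == "__main__":
    for f in demo():
        flag = "AT RISK" if f["at_risk"] else "ok"
        print(f"{flag:8} {f['file']} ({f['kind']}) export={f['export']}")
```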

UCITA: A Legislative History
A process so controversial that the American Law Institute simply dropped out.

As a model uniform law, the Uniform Computer Information Transactions Act (UCITA)1 has no effect until it is adopted as law in a particular state.

In Maryland, for example, UCITA became effective on Oct. 1.2 It becomes effective in Virginia on July 1, 2001 (after a study to propose amendments), and is being considered for enactment by other states. To date it has been blocked only in Iowa, and there only for one year.

Nevertheless, the law can achieve effective nationwide coverage because of "choice of law" provisions typically included in business contracts and software licenses. Thus, UCITA can affect all businesses that use computers and exert a magnified effect on businesses such as utilities, which form a part of the national critical infrastructure.

Drafting Process. UCITA was prepared in a controversial process3 by the National Conference of Commissioners on Uniform State Laws (NCCUSL). It started out as a draft update to the Uniform Commercial Code (UCC), a joint project of NCCUSL and the American Law Institute. The UCC is enacted individually in each state based on wording provided by NCCUSL and ALI. UCC Article 2 governs contracts for goods and services. The UCC establishes default contract provisions (for example, if there is no written contract) and places limits on certain types of contract provisions (such as standard form contracts presented to consumers).

UCITA started out as draft UCC Article 2B. Controversy over both the draft and the drafting process became so great that the American Law Institute dropped out of the project, preventing it from becoming part of the UCC. NCCUSL changed the name, adopted the draft on its own and sent it to the states for enactment.

Scope. UCITA covers transactions involving "computer information," which is defined as including anything in a form capable of being processed by a computer. "Mixed transactions" involving both goods and services can be "opted in." UCITA thus covers software, electronic books, information services, online services, and any equipment having an embedded computer.4 Embedded computers are found throughout substations, generation plants, metering equipment, pole-top equipment, and office equipment. Identification, testing, and remediation of embedded computers was the largest component of the effort that addressed the Y2K problem. Now any software, equipment, or services similar to the types listed on a utility's Y2K inventory and purchased after Oct. 1 may be subject to UCITA. All that is needed is a non-negotiable "shrink-wrap" or "click-wrap" license included with the product and citing the law of a state that has enacted UCITA.

A shrink-wrap license is one that is accepted when someone opens the package. A click-wrap license is one that typically appears during software installation and contains the equivalent of several pages of fine print viewed through a small window on the computer screen. The window has arrangements (scroll bars) to move around in the document, and buttons saying, "I Accept," and "I Don't Accept." The contract becomes effective when someone clicks on the "I Accept" button.

Purpose and Rationale. Prior to enactment of UCITA, much uncertainty existed regarding the legal status of such contracts, the terms they contain, and other customer-abusive business practices of software publishers and online service providers. UCITA is designed to give such contracts, their terms, and the other business practices iron-clad legality, and otherwise work to the advantage of the large software publishers and online service providers and to the disadvantage of everyone else who deals with them—customers, small suppliers, and potential competitors.

UCITA is part of the complex of cyberlaw issues,5 including Napster, DeCSS, CueCat, and Omnivore, that have attracted much attention in recent months. In the resolution6 that precipitated ALI's dropping out of the drafting process, ALI described UCITA as "a flawed approach to basic issues of contract law," and a "delegation of regulatory power to licensors who draft form [non-negotiable] contracts." In his book, Code and Other Laws of Cyberspace,7 Lawrence Lessig discusses UCITA in the context of issues that have serious implications for Constitutional rights.

The provisions of UCITA should be viewed not only in the light of present technology, but considering what abuses might be legally enabled using future technology or technology that has been developed but not yet released on the market. Lessig warns that law must be considered in the light of relevant computer code. —S.A.K.

  1. For a list of URLs that provide information on UCITA, see www.ieeeusa.org/grassroots/ucita/ucitalinks.html.
  2. For the bill as enacted in Maryland, see the enrolled version of HB 19 on http://mlis.state.md.us/2000rs/billfile/hb0019.htm.
  3. Both UCITA and the adoption process continue to be highly controversial. For example, the Federal Trade Commission has an active inquiry on some of its aspects. The filings in that inquiry are posted at www.ftc.gov/bcp/workshops/warranty/comments/index.html. For a commentary on the process itself, see Ed Foster, "Observations on the UCITA drafting process," at www.infoworld.com/ucita.
  4. Cem Kaner and David Pels, in their FTC filing (posted at www.badsoftware.com), state that it is impossible to draw a bright line between embedded computing and other uses of software. They state that any differential treatment of goods and software can be gamed by manufacturers in the design of their products.
  5. A good source of information on these issues is Slashdot (http://slashdot.org). The Napster case is mostly about music copyrights, but it has attracted amicus briefs from well-known companies on other issues. The DeCSS case is about Digital Video Disk movies, but IEEE-USA submitted an amicus brief on the issue of reverse engineering. At this writing, the CueCat situation hasn't resulted in a lawsuit, but it is about reverse engineering and open-source publication of a program to read the output of a bar code reader device. Carnivore is the FBI's proposed Internet wiretap system.
  6. The resolution is the Braucher-Linzer motion posted at http://207.103.196.3/ali/braucher.htm.
  7. Basic Books, 1999, ISBN 0-465-03913-8.

Avoiding proprietary formats helps not only if the publisher declares the license expired (which in many cases it can do after a "reasonable time"), but also if the software later proves defective or diverges from compatibility with the user's future plans. With off-the-shelf products it can take as long as a few years to discover that a software selection was a mistake. By then there may be extensive quantities of data formatted by the software. Unless steps are taken early to avoid proprietary formats, the cost of switching to a more compatible product can be prohibitive.

In some cases, the product is much less efficient when its proprietary format is not used. In these cases, an alternative is to back up the data frequently in a non-proprietary format.
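One way to put this recommendation into practice, as an added example that is not from the article: export every table of an application's store to CSV plus a JSON manifest with row counts and SHA-256 digests, then prove the export restores without the original product. SQLite and the meter-reading rows are constructed stand-ins for a proprietary store; the function names are the example's own.

```python
import csv, hashlib, io, json, sqlite3

def build_sample_store():
    """Constructed stand-in for an application's proprietary data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE meter_readings (meter_id TEXT, read_at TEXT, kwh REAL)")
    conn.executemany("INSERT INTO meter_readings VALUES (?, ?, ?)", [
        ("M-1001", "2000-10-01T00:00", 12.5), ("M-1001", "2000-10-01T01:00", 13.25),
        ("M-2002", "2000-10-01T00:00", 7.0)])
    conn.commit()
    return conn

def export_open_format(conn):
    """Dump every user table to CSV text plus a JSON manifest (columns, row count, SHA-256)."""
    files, manifest = {}, {"tables": {}}
    # Table names come from the catalogue, not from user input, so interpolation is acceptable here.
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for name in names:
        cols = [c[1] for c in conn.execute(f"PRAGMA table_info({name})")]
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(cols)
        rows = conn.execute(f"SELECT * FROM {name} ORDER BY rowid").fetchall()
        writer.writerows(rows)
        text = buf.getvalue()
        files[f"{name}.csv"] = text
        manifest["tables"][name] = {"columns": cols, "rows": len(rows),
                                    "sha256": hashlib.sha256(text.encode()).hexdigest()}
    files["manifest.json"] = json.dumps(manifest, indent=2)
    return files

def verify_restore(files):
    """Rebuild from the open-format files alone; True only if hashes, headers and counts agree."""
    manifest = json.loads(files["manifest.json"])
    restored = sqlite3.connect(":memory:")
    for name, meta in manifest["tables"].items():
        text = files.get(f"{name}.csv", "")
        if hashlib.sha256(text.encode()).hexdigest() != meta["sha256"]:
            return False  # file missing or altered since export
        rows = list(csv.reader(io.StringIO(text)))
        if rows[0] != meta["columns"]:
            return False  # header does not match the recorded schema
        restored.execute(f"CREATE TABLE {name} ({', '.join(meta['columns'])})")
        marks = ", ".join("?" * len(meta["columns"]))
        restored.executemany(f"INSERT INTO {name} VALUES ({marks})", rows[1:])
        if restored.execute(f"SELECT COUNT(*) FROM {name}").fetchone()[0] != meta["rows"]:
            return False  # rows lost between export and restore
    return True

if __name__ == "__main__":
    files = export_open_format(build_sample_store())
    print("restorable without the original product:", verify_restore(files))
```

Running the restore check on every backup, not only at export time, is what tells you the data is still reachable if the licence is later declared expired.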

Examples of other system design and operation issues include design of the system used for tracking and managing licenses and design of the system that supports the process for receiving legal notices under e-commerce contracts.

Dealing With Self-Help: Firewalls and Beyond

In using proprietary software, the most important thing to remember is that "self-help" is, in information security terms, a "denial of service" attack. The best protection is to avoid any software that includes provisions for either self-help or electronic regulation of performance. If that is not possible, then it is critical to know exactly what provisions are included in the software. (Elaine McDonald has a relevant practice tip for corporate counsel.)

If self-help-capable software must be used, the system that uses it should be isolated from external networks and from mission-critical systems. In this regard, the contract terms are irrelevant; the security vulnerability is based on the self-help capability being in the software for use where contract terms may permit. A firewall is not likely to provide sufficient isolation; eliminating or carefully controlling physical connection is required.

Any software that limits the process of backup and recovery or requires involvement of the licensor in the process of backup and recovery should be treated as having self-help capability. The licensee should be able to back up, restore, reinstall,15 or recover from faults without any restriction or involvement of the licensor. Any requirement for connecting to an external network to perform backup, recovery, or reinstallation should be treated as an involvement of the licensor.

Stanley A. Klein is a consultant in computers, communications, and management science with a focus on technical issue analysis in information security, computer project risk assessment, and a variety of other areas. He is a member of the Institute of Electrical and Electronics Engineers USA Committee on Communications and Information Policy, the IEEE-USA Task Force on UCITA, IEEE Standards Coordinating Committee 36 (on utility communications), and International Electrotechnical Commission Technical Committee 57 Working Group 15 (on information security for electric power data and communications). As a member of IEEE-USA/CCIP Klein followed the development of UCC 2B and UCITA and participated in drafting of the IEEE-USA position opposing UCITA. As an individual, but drawing on information from IEEE and other sources, he testified at the Maryland hearing and participated in the public House and Senate work sessions held on the Maryland bill. He is principal consultant of Stan Klein Associates LLC, and can be reached at sklein@cpcug.org or by phone at 301-881-4087.

  1. The author is not a lawyer and depends on legal references (and in a few cases his own reading of the law and software experience) to identify problems and issues. One excellent legal analysis of UCITA is Cem Kaner, "Software Engineering and UCITA" Journal of Computer and Information Law, Vol. 18, No. 2, Winter 1999/2000, posted at www.badsoftware.com. It was included as Appendix J to the author's Federal Trade Commission filing and also is posted on the IEEE-USA web page, both with permission. Another paper by Kaner, "Why You Should Oppose UCITA," also is posted at www.badsoftware.com, and is included in the author's filing, as are several other materials referenced in both that filing and here. Other material by Kaner, such as summaries of relevant legal cases, can be found at www.badsoftware.com or www.kaner.com.
  2. Maryland amended UCITA to require that any term limiting license duration be conspicuous. Such pseudo-protective language frequently has been placed in UCITA both by the drafting committee and the Maryland amendments. Enforcement of a default provision does not require its rules to be stated in a contract term.
  3. Some other examples of license terms are included in S.A. Klein, "UCITA: A Proposed Law You Need to Know About," The Monitor (publication of the Capital PC User Group), March 2000. The issue can be downloaded from www.cpcug.org/user/monitor. The text of the article as submitted is included as Appendix A in the author's filing to the FTC.
  4. The "No Electronic Theft Act." 17 U.S.C. 506(a)(2).
  5. A case preceding UCITA is discussed at www.4cite.org/bbook/slashdt.html. For a Competitive Information Technology Economy is a coalition of organizations that oppose UCITA. Its website, www.4cite.org, is another good source of information.
  6. Ed Foster's "Gripe Line" column, Infoworld, April 21, 2000. His columns are archived at www.infoworld.com.
  7. Ed Foster's "Gripe Line" column, Infoworld, Aug. 18, 2000.
  8. Archived as Risks 20.89x at http://catless.ncl.ac.uk or at ftp://ftp.sri.com/risks. The text required special handling because part of the Risks distribution is sent as e-mail and inclusion of the spam criteria descriptions could cause the Risks discussion itself to be treated as spam. The Risks Forum is sponsored by the Association for Computing Machinery Committee on Computers and Public Policy.
  9. Slides for a presentation discussing the issues of protection from UCITA can be found at www.cpcug.org/user/comm/UCITA-700/index.htm. The presentation was given at the Capital PC User Group on July 10, 2000.
  10. Kaner, Cem, "Software Engineering and UCITA," see note 1.
  11. McDonald, Elaine, "Protecting Your Business Client Against the Pitfalls of UCITA: Practice Tips for Licensees' Counsel," Principal Financial Group, August 2000. Available by request; send an e-mail to mcdonald.elaine@principal.com.
  12. "Free Software" is the term used by the Free Software Foundation, www.fsf.org or www.gnu.org. "Open Source" is the term used by the Open Source Initiative, www.opensource.org. "Open code" is a term used by Lessig, in his book, "Code and Other Laws of Cyberspace," Basic Books, 1999, ISBN 0-465-03913-8. This article uses the term "non-proprietary" to refer to all of these terms.
  13. A news report and a link to the letter can be found on Slashdot. At press time, the author had not been able to find the PITAC report itself.
  14. The activities of non-proprietary software companies are discussed in several of the FTC filings, for example, the filing of Richard Stallman, president of the Free Software Foundation.
  15. Some software is so complex and occasionally unstable that reinstallation often is recommended as a means of countering certain types of faults. Also, recovery from a hard drive failure may require reinstallation.

Public Utilities Reports 8229 Boone Boulevard, Suite 400, Vienna, VA 22182-2623
Voice: (703) 847-7720 Toll Free: (800) 368-5001 FAX: (703) 847-0683
Copyright © 2007 PUR Inc.
Email: pur@pur.com