Subject: New UCITA revisions -- first reactions
Date: Fri, 21 Dec 2001 01:15:49 -0500
From: Cem Kaner To: USACM-INFO@ACM.ORG
A few weeks ago, Phil Koopman, Sharon Roberts, Don Gotterbarn and I
went to the 17th meeting of the Uniform Computer Information
Transactions Act drafting committee (I've attended 16 of these
meetings).
The drafting committee is under intense pressure to work a political
compromise, because, after passing in Virginia and Maryland, UCITA
has been rejected in every state that has considered it and three
states have passed "bomb shelter" laws designed to keep
UCITA-governed contract rules out of their states. The committee met
privately, after the official meeting, and adopted 19 of the
amendments.
A couple of things that I was advocating were passed, especially a
ban on "self-help" (ability of a vendor to remotely shut down your
system if there's a contract dispute between you and the vendor).
Here is my analysis of the amendments that were passed. Overall, I
think we are still seeing a big trend favoring large companies over
small companies and individuals. In this case, though, large
customers are scoring some wins and smaller customers are picking up
a little bit as a side-benefit.
==================================
The National Conference on Uniform State Laws published an
announcement today of 19 amendments to UCITA. These were written in
response to a series of amendments proposed at the UCITA drafting
committee meeting this November. These amendments are available at
http://www.nccusl.org/nccusl/UCITA-2001-comm-fin.htm.
Here are my first impressions of those amendments. Please feel free
to circulate them.
1) Consumer protection
UCITA defines the typical consumer software transaction as an
intangible license, the purchase of a right to use the software,
rather than the sale of a copy of the software. So, when you buy a
copy of Microsoft Word and a book on how to use Microsoft Word at
your local computer store, you buy two things that contain
copyrighted intellectual property. The sale of the book is a sale of
goods under UCITA but under UCITA, the sale of the software is not.
If you download that same book from Barnes & Noble, instead of
buying the paper copy at Barnes & Noble, the book is treated like
software under UCITA.
By defining consumer purchases of software as licenses, rather than
sales, UCITA pulls consumer software out of the scope of all of the
consumer protection statutes that protect buyers of "consumer
goods." All of the consumer warranty laws, for example, are
"consumer goods" laws.
The revisions to UCITA still pull software outside of the scope of
the consumer warranty laws. The changes offer very little
protection.
2) E-SIGN
In the second amendment, UCITA supercedes E-SIGN, except in certain
listed sections. In general, I think that E-SIGN is more
consumer-friendly than UCITA. I have not had time to analyze the new
relationship between the two statutes.
3) Choice of Forum
The change proposed will make it slightly harder for vendors to make
an outrageous choice of forum (where the customer must sue the
vendor, if the customer wants to bring suit).
4) Electronic Self-Help
I am glad to see that UCITA has been revised in the way that Sharon
Marsh Roberts (Independent Computer Consultants Association) and I
recommended, with the support of the Society for Information
Management. Electronic self-help is banned, but a vendor retains
extensive power to protect its rights under UCITA. For example, the
software can come with a built-in automatic termination, stopping
performance after a specified number of days or uses. In the event
of a dispute, the vendor can simply refuse to renew the license. The
vendor can also get an injunction.
5) Public Criticism & Contract Laws
The amendment (section 105(d)) appears to address the public
criticism issue, but leaves open a wide loophole. People are allowed
to criticize a product that has been "offered in its final form to
the general public." But anything that is not "in its final form" is
not open to criticism. Let's consider Viruscan, published by McAfee.
McAfee has issued licenses that ban publication of benchmarks or
other reviews of Viruscan without McAfee's permission. Viruscan is
updated frequently. I don't think it is ever in "final form." So it
appears to be outside of the scope of this consumer protection.
Anything that is sold with the promise of frequent automatic updates
(think of the dot-NET business model) is, arguably, never in its
"final form". Any vendor who wants to ban criticism of its products
has an obvious way around 105(d).
6) Known Defects
This amendment specifically states that UCITA does not displace the
laws of "fraud, including fraudulent inducement, misrepresentation,
or unfair and deceptive practices." This amendment does nothing
whatsoever. UCITA already does not displace these laws. To the best
of my knowledge (which is fairly extensive on this point), every
software publisher in the United States releases software with known
defects, and many of those known defects are serious. It is very
difficult to hold vendors accountable for this under current law.
UCITA shields vendors further, by making it easier for them to
disclaim warranties, harder for a customer to establish that a
product demonstration upon which the customer relied actually
created an express warranty, easier for the vendor to limit
remedies, and harder for the customer to recover a "minimum adequate
remedy.
What was proposed, time after time after time in the UCITA meetings,
was that the drafting committee provide an affirmative incentive to
manufacturers to reveal their known defects. This was in return for
the many vendor protections being written into the statute. This
amendment does not address that proposal and is no better than the
unmodified UCITA.
7) Presentation of Later Terms
Amendment 7, new Section 216, appears to add nothing. The question is
not whether some of the terms in the click-wrapped licenses will be
enforced. Most people know that some contract terms will be
presented in the box in some form or another. The question is which
terms will be enforced and how much notice customers will have of
those terms.
This requirement is satisfied merely by putting a notice on the box
that says, "Terms inside" or a statement when you start to download
a product that contract terms will be presented later.
What was repeatedly requested was a requirement that customers could
get a copy of the terms before the sale if they asked for the copy.
This is one of the basic tenets of the consumer warranty laws that
UCITA helps software publishers evade.
Under this amendment, customers will still have to pay for the
software and start installing it (if that's how the vendor chooses
to structure the deal, which most software vendors seem to want to
do) before being able to discover the terms of the contract.
The "right of return" under UCITA is the same extremely weak "right"
that it was before, more marketing fluff than a consumer benefit.
Remember: even though this is promoted regularly as a consumer
benefit, it was brought to the UCITA drafting committee by the
representative of the Business Software Alliance and it has (to the
best of my knowledge) never been endorsed by any consumer protection
advocate.
8) Retention of Terms
Amendment 8 provides that the license must be provided to the
customer in a form in which it can be printed and/or retained by the
customer. That this is an improvement on the current UCITA is an
illustration of the extent to which the current UCITA is poorly
drafted. Of course the customer is entitled to a copy of the license
that can be printed and retained. How can you hold the terms of a
license against someone who can't even refer to it? What court would
enforce the terms of a contract that the customer is allowed to see
once and never again? Vendors need this rule as much as customers.
Without it, they might sometimes be tempted to make terms
irretrievable or to allow a product to ship with terms that happen
to be irretrievable. In either case, they would face severe problems
in the courts under current law, (including UCITA) because judges
would be so unlikely to enforce such terms.
9) Open Source Software--Noncontractual Permissions
As the Reporter of the UCITA Drafting Committee pointed out in the
November meeting, UCITA already does not cover permissions that are
not intended as contracts. However, all of the open source and free
software licenses / permissions that I have seen are in fact
contracts. This amendment provides zero or almost zero protection to
the Open Source / Free Software communities.
10) Warranties for "Free" Software
UCITA provides an important protection for free software and broadens
it in a way that will also often serve vendors of non-free
commercial software. It eliminates warranties for software when
there is "no contract fee for the right to use, make copies of,
modify, or distribute" the software. The critical word here is OR,
which should be AND. With the OR in place, the vendor need only
satisfy one of these conditions in order to claim that the software
is free.
Here's an example: under this new definition of free software,
Internet Explorer is free software because there is (currently) no
contract fee for the right to use the software. That's all that is
needed. You don't have to have the right to make copies of the
software or modify it or reverse engineer it or obtain source code
to it or distribute it, as long as you get a free right to use it.
So, if Vendor X sells you installation and support services and
"throws in" the software "for free", the Vendor achieves free
software status and no warranties apply. This is an easy way for a
traditional software vendor to escape all warranty liability.
Warranty liability cannot be excluded, under this amendment, if the
licensee is a consumer. Thus, genuinely free software is fully
subject to consumer warranties. This is still going to be a big
problem.
A point was made at the UCITA meeting that no one would sue free
software developers anyway, because they don't have any assets. But
universities and libraries and many businesses post free software at
their websites. That makes them distributors, under UCITA, even if
they are giving away software that was written to be given away.
Universities, libraries, and many businesses do have deep pockets
(i.e. they have insurance policies) -- if a credible threat of
liability can be made against them, they will stop distributing free
software.
So, what do we have? Microsoft gets to completely avoid warranty
protection for business users of some of its products, and
organizations that distribute free software (which Microsoft now
appears to consider a competitive threat) can still be targeted for
consumer lawsuits and thus might be successfully intimidated out of
distributing the free software.
This is not a victory for the Free Software community.
11) Transfer
Software that comes with a computer can be transferred WITH THE
COMPUTER as a gift to a library or K-12 school or from one consumer
to another. This still allows the vendor to kill the market in used
software and it allows only a minimal number of transfers of
software. The general rule under UCITA will be that if you buy a
copy of the software, you will not be able to sell it when you are
done with it, or give it away unless you are willing to give away
your computer with it.
12) Express Warranty by Sample, Model or Demonstration
This amendment improves the current UCITA by stating that the product
must conform (rather than "reasonably conform") to the sample, model
or demonstration. However, even as modified, UCITA section 402
provides that the following does not create a warranty: "a display
or description of a portion of the information to illustrate the
aesthetics, appeal, suitability to taste, subjective quality, or the
like of informational content." It is not a breach of contract if
there are differences in the user interface and usability (or in the
aesthetics, appeal, suitability to taste or subjective quality)
between the demonstrated model and the model shipped, even if these
are material to the consumer.
13) Infringement and Hold Harmless Duties
I'm not sure of the effect of this amendment and therefore will not
comment on it.
14) Implied Warranty Scope
The amendment specifies that the implied warranty runs from the
licensor to ITS end-user licensee and to ITS distributor.
I'm not sure, but it looks to me as though UCITA is re-establishing a
privity rule. I am unsure of the intent, but I expect that we will
see the argument in court that Vendorsoft provided no warranty to
Consumer because Consumer is the licensee of Distributorsoft, who
distributes Vendorsoft's software. Given the other sections of
UCITA, I don't think this argument would prevail, but if it is not
to make room for an argument like this, I don't understand why this
restrictive language is here.
15) Delete Section 308
In Section 308, current UCITA allows a vendor, after the sale, to
terminate a license by determining that the duration of the license,
as long as that duration has been "a reasonable time". It was never
clear to me that this was a big deal (in comparison to the rules
that would apply under Article 2) nor that this deletion offers a
big advantage over what the courts will do in the absence of
specific terms.
16) Delete Section 307(c)
Current UCITA 307(c) states that "(c) An agreement that does not
specify the number of permitted users permits a number of users
which is reasonable in light of the informational rights involved
and the commercial circumstances existing at the time of the
agreement." I'm not sure that deleting this will offer any advantage
over what the courts will do in the absence of specific terms.
17) Section 605 Automatic Restraints
This is a clarifying amendment that closes a loophole that was
apparently not intended by the drafting committee.
18) Corrects a typo, no policy impact
19) Reverse engineering
This is very narrow and not very useful. It is narrower than the
provisions in DMCA that allow reverse engineering. It does not
permit reverse engineering in order to detect security holes or
defects or to enable repair of the security holes or other defects.
Additionally, if "the elements" to be reverse engineered were ever
previously "readily available to the licensee" (when he didn't need
them) then the licensee can't reverse engineer to discover them now,
when he does need them.
K) Scope
As the comments point out, the electronics manufacturers (who will be
able to opt their goods within the scope of UCITA under the current
scope) support the current scope. And no wonder! They get to apply
UCITA's rules to their customers instead of Article 2's.
We proposed a rule that addressed safety-critical software, rather
than one that tried to distinguish between embedded and nonembedded
software. The drafting committee did nothing to restrain UCITA's
application to safety-critical embedded software. Never during the
UCITA drafting meetings did we discuss the potential consequences of
applying UCITA to embedded software or, especially, safety critical
software. There will undoubtedly be unintended consequences of the
application of UCITA to this domain. Where lives are involved, I
think it is grossly irresponsible to press forward with the
application of a new body of law to an ill-considered domain.
-- Cem Kaner
This e-mail communication should not be interpreted as legal advice
or a legal opinion. The transmission of this e-mail communication
does not create an attorney-client relationship between me and you.
Do not act or rely upon law-related information in this
communication without seeking the advice of an attorney. Finally,
nothing in this message should be interpreted as a "digital
signature" or "electronic signature" that can create binding
commercial transactions.