SAN MATEO (04/24/2000) - On Oct. 1, the Uniform Computer Information Transaction Act (UCITA) will become law in Maryland. IT managers, you'd better begin preparing your defenses now. In fact, you might want to build an anti-UCITA bomb shelter.
Although totally outgunned by the deep pockets of the software lobby, the anti-UCITA forces, headed up by 4Cite (For a Competitive Information and Technology Economy, the anti-UCITA coalition to which InfoWorld belongs), did a heroic job of fighting against the bill while it was debated in the Maryland Legislature. And enough Maryland legislators got the message that several amendments to significantly defang UCITA were given consideration, particularly in the Senate.
The law approved by both houses, however, contains mostly cosmetic changes while leaving all the dangerous stuff untouched. You might have heard that Maryland's version of UCITA protects consumers against defective software by not allowing vendors to disclaim the implied warranty. That would be a significant change if it weren't for UCITA's narrow definition of a consumer:
It applies only to those who acquire a product "primarily for personal, family, or household purposes" and specifically not for "professional or commercial purposes." Unless you buy a word processor only to write letters to Aunt Jane, it's not a consumer transaction under Maryland's UCITA and you're out of luck if the product doesn't work.
Another "fix" in Maryland's UCITA that doesn't help in the real world is an amendment to the notorious electronic self-help provision that says the right to disable software products remotely cannot be exercised in "mass-market transactions." Mass market is another term in UCITA that sounds good but is actually so oddly defined that it might not mean anything at all. (A New Jersey legislative commission, after studying the UCITA reporter's comment on mass-market transactions, noted that "In light of the comment, it would appear that the purchase of a single shrink-wrapped copy of Microsoft Office at a mass-market retail outlet such as Staples or OfficeMax by a four-person law firm would not fall within the UCITA definition of a 'mass market transaction.'
") You can bet, though, that IT purchases of any sort don't come under any mass-market protections.
Maryland's electronic self-help fix fails on another count as well. It prevents vendors from exercising self-help in a mass-market transaction, but it doesn't prevent them from including a remote disabling mechanism in a mass-market product. The distinction is important, because it's highly unlikely anyone actually will follow UCITA's formal rules for exercising electronic self-help.
What is more likely is that vendors will include backdoors and time bombs for anti-piracy or other purposes. Should a customer discover that the remote disabling capability is there -- perhaps after suffering a disaster due to it being triggered accidentally -- UCITA protects the vendor from liability.
This brings me to the first and most important defensive measure every IT organization should take to prepare for a world where UCITA exists even in a few states: Starting now, demand that vendors warrant that their products are not self-help capable. Make that demand a critical part of your software procurement process. According to some readers, not only are many corporations doing just that, but several government agencies are also considering revisions to their procurement practices. This isn't surprising, particularly in the case of organizations for critical infrastructures. The possibility that any software inside the firewall could have unknown self-help mechanisms raises enormous security issues. Corporations and agencies that don't start asking vendors very pointed questions will soon be guilty of a dereliction of duty.
Electronic self-help is just the most scary item on the list of UCITA horrors.
I'm beginning to compile examples from readers of anti-UCITA defense tactics, which I'll share at a later date. In the meantime, there is one thing you can push for in your state that could protect everyone against UCITA.
Several concerned corporations in Iowa have helped promote what has been called bomb-shelter legislation to protect all Iowa customers, consumers, and businesses from UCITA or UCITA-like laws in other states.
The bomb-shelter law says that a transaction between an Iowa party and a party that tries to invoke the law of a UCITA state will instead be subject to the laws of Iowa -- a fine example of Midwestern common sense, if you ask me. An amendment to this effect was passed by the Iowa House as part of its Electronic Transaction Act (HF 2205) and now awaits consideration by the Senate. Software industry lobbyists are swarming into the state like angry mosquitoes. Perhaps some of the common sense that has been lacking on either shore of the Potomac will be found in more abundance in the Midwest.
Got a complaint about how a vendor is treating you? Write to Ed Foster, InfoWorld's reader advocate, at firstname.lastname@example.org.