FRAMINGHAM (08/11/2000) - The group that drafted UCITA has backed off slightly from one of the more controversial measures in the proposed software-licensing law: a so-called self-help provision that allows vendors to remotely disable the software they sell to users. But that may not be much solace to corporate users.
At its annual meeting, which ended Aug. 4, the U.S. National Conference of Commissioners on Uniform State Laws agreed to end the self-help provision for mass-market software sold via retail channels. However, the provision remains in effect for other types of software, such as customizable applications purchased by companies.
Software vendors could take advantage of the self-help capabilities allowed by the Uniform Computer Information Transaction Act (UCITA) to cut off users who they claim haven't paid their license fees or who allegedly have violated their contracts in other ways, such as by having more end users than their licenses allow. That's one of the reasons opponents have claimed that the draft law gives too much power to vendors at the expense of their customers.
Carlyle Ring, a former general counsel at Atlantic Research Corp. in Gainesville, Fla., who heads the UCITA drafting committee, said the prohibition of self-help actions by vendors of mass-market software was originally included in a version of the licensing law approved by the state of Maryland in April.
Officials attending the conference "thought that it was a change that alleviated some measure of concern" for users, Ring said.
UCITA, which was sent to the legislatures of all U.S. states and territories for their consideration in July of last year, seeks to bring a set of consistent rules to software contracts and licensing agreements. But it has been plagued by controversy almost since the Chicago-based conference of commissioners, with representatives from all 50 states, first began drafting the law back in 1996.
Maryland and Virginia are the only two states that have adopted UCITA thus far.
The law has drawn considerable opposition from corporate CIOs, who are particularly worried that the self-help provision will pose security risks to their systems and give software vendors the upper hand in licensing negotiations.
Cem Kaner, an attorney and computer science professor at the Florida Institute of Technology in Melbourne, said the change made to UCITA at the recent meeting is "insignificant" for corporate users.
Although consumers would be exempt from the self-help provision, a company that buys a large quantity of off-the-shelf software wouldn't likely fall under the definition of mass-market customer, he said. In addition, any applications purchased via a site license wouldn't be clear of the provision, nor would virus updates or software products bought through a subscription service, according to Kaner.
But the biggest drawback for companies isn't that their software could be turned off, Kaner said. Rather, it's the potential for vendors to open up security holes in corporate systems through self-help mechanisms. "UCITA imposes no liability on the vendors," he said. "They create a hole in your security at no risk to themselves."Bill Zumwalt, CIO at Temple, Texas-based McLane Co., a major wholesale distributor, called the change "a very clever move on the part of the [UCITA] proponents, because it enables them to say, Mr. and Mrs. John Doe, you won't be impacted by this.' "The restriction against mass-market self-help "does not offer any value" to businesses, he added. Zumwalt said the thing that most concerns him about UCITA is its ability to offer "a human element of control" over a company's business systems. "That is a high-risk situation," he added.
Ring argued that the self-help provision can't be included in software contracts by vendors unless end users give their specific consent. Ring said he negotiated many technology contracts at his former job and frequently had vendors change contracts to include terms that were more acceptable to Atlantic Research.
But, Zumwalt said, even if a company negotiates a contract with a vendor that prohibits self-help or automatic turn-offs, the capability is still being built into a system. "It's another level of risk that we didn't have to worry about yesterday," he said.
And the self-help provision is only one of a number of items in UCITA that have been criticized by end users and other opponents.
The amendments made earlier this month by the conference of commissioners "do not address the broader concerns raised by UCITA," said Jonathan Band, a partner at Morrison & Forester LLP in Washington, who is representing the American Library Association and some software developers who also oppose the draft law.
Addressing the broader concerns, Ring acknowledged that further changes to UCITA are possible.
"We continue to look at areas of concern," Ring said. "If we were perfect, we'd get it correct the first time, wouldn't we?"