Software Licenses Get Worse

Slimbob wrote in with the word about UCITA, a wonderful little law that, if passed allows for remote shutdown of software if you violate the license, make shrink wrap license more enforceable, and outlaw reverse engineering, amongst other gems. Get more details here. Thanks to C.Scott Ananian for sending us a UCITA page, with the TeX version of the letter to be sent and more information.

10 cents worth of contract law

Here are two basic issues in contract law:

What contracts can't you make? I can't agree to work for less than the minimum wage. I can't agree to rent an apartment without hot water. I can't agree to sell my organs. Putting it another way, while I might agree to do these things, I can't be held to that agreement.

What are the default terms? If I agree to paint your house, but we don't set a time for doing it, and you sue me when I don't do it, I can't avoid the lawsuit by saying I'll paint your house in the year 2019. The court will say that the parties understood that I would do the job in a reasonable time (perhaps a month). In cases like this, where the parties don't address a particular point in their agreement, the law will generally supply a default term in order to make the contract enforceable.

Keeping the foregoing in mind, this proposed law does the following things: (1) It tells you what kind of software licenses you can't agree to -- and by the sound of it, not very much is out of bounds. (2) It tells you what the default terms will be when a license doesn't fill everything in.

The suggestion that this proposal represents some sort of government intrustion into the software maker/consumer relationship doesn't seem fair. Under this law, every consumer gets enough rope to hang themselves with; there's very little that's prohibited. As for the default terms, you're free to contract around them if you don't like them. By libertarian lights, this law is -- if anything -- too slanted in favor of consumers.

(That doesn't mean it's a good law, of course; it just means that if you consider yourself an anti-government sort, you should understand what this proposed law would[n't] do.)

The proposal formerly known as UCC 2B

By way of background (missing from the article from InfoWorld), UCITA was until recently the proposed UCC 2B. The proposal to add a provision to the Uniform Commercial Code to deal with software licenses was until recently a joint project of the American Law Institute (ALI) and the National Conference of Commissioners on Uniform State Laws (NCCUSL) [nccusl.org]. The proposal was so awful, and attacked by so many people [2bguide.com] (especially legal academics!) that the ALI pulled out [2bguide.com]. This is unusual.

NCCUSL historically is less likely to throw roadblocks in the way of a proposal once a drafting committee says it's done. On the other hand, this one is so controversial, for so many, many reasons, that there is a little hope that the steamroller can be stopped. Uniform Commissioners are political appointees, usually by state governors, so if you or your firm happens to have any pull in your state, a word to the (un)wise might help. Furthermore, even if it passes NCCUSL it then has to be adopted state-by-state, so there's another chance to fight it.

For my account of why an earlier draft was bad for e-commerce (the latest draft is bad in slightly different ways) see 2B as Legal Software for Electronic Contracting -- Operating System or Trojan Horse? [miami.edu].

A. Michael Froomkin [mailto]
U. Miami School of Law,POB 248087
Coral Gables, FL 33124,USA

How long until internet connections are required?

How long until internet connections are required to install software that registers itself? Ore reuqires a 'net connection each time you run it? Or maybe just periodically?
* What if you reinstall it?
* What if you reinstall you're whole HD (after a crash)?
* What if you upgrade to a whole new machine?

I think SW vendors need to address these 3 issues before thay can even think of any sort of auto-remote-kill-the-pirates-and-a-few-honest-guys -along-the-way-oh-well protection scheme.

Anyone wanna bet a lobbyist wrote this bill?

....give vendors the right to repossess software by disabling it remotely

What gives them that right?"

The letter of the law, it seems. A similar concept is already in force; anyone suckered into buying a Divx player agreed to this cute little statement in the Divx contractual agreement...

"YOU ACKNOWLEDGE AND AGREE THAT YOU POSSESS ONLY A NONEXCLUSIVE, LIMITED LICENSE TO VIEW THE MATERIALS CONTAINED ON THE DIVX DISCS AND THAT YOU HAVE NO OWNERSHIP OR OTHER PROPRIETARY INTEREST IN SUCH MATERIALS."

This allows them to prevent a movie from being viewed, say, if you forget to pay your bill, or a company wishes to put a movie "on moratorium".

Yes, less than 300 000 people bought those infected DVD players. Yes, it will probably die in a year or so. The ideology that birthed Divx, the concept of complete corporate control over the use of software (including the data on certain DVDs), is being adopted throughout the software and entertainment industries. The rush to create a "pay-per-listen" music format is one example; this software license bill from hell is another.

More fun statements...

"...but your warranty says that I can return it if it doesn't work as it says it would." "Too bad. We've disclaimed that warranty."

And...

"[the bill] says manufacturers are not liable for the poor quality of their products,"

These statements, and the states of mind they represent, would be unacceptable to consumers in any other product. Somehow, software manufacturers can get away with substandard products; this legislation would give that dangerous mindset legal backing.

I get the sick feeling the software lobby can get laws like this passed because the current political establishment has no idea how software works, and are unable to draw important distinctions and similarities between software products and other products. Thus, large corporations and powerful lobbies with enough money can tell the aforementioned clueless politicians how a particular law should be written, which just happens to work in their favour. I think it's time for some hackers who know how to deal with software and the Internet to get political office, before it's too late.

Take a breath, and RTF Bill!

One of the difficulties in working through all the hype on both sides, is that the shift from UCC2B to UCITA leaves us without a specific draft to criticize. Critics are free to exaggerate supposed defects, and of course, advocates can do the same. Anyway, before taking the article's word for it, look at the last drafts of UCC2B [upenn.edu], ask yourself why critics aren't really citing its language, and consider well whether you are being completely and honestly informed by critics or advocates alike.

UCC2B is not all bad, and not all good, IMHO. However, some of the comments in the subject article strain credulity and, regrettably, much of it is demagoguery from various special interest groups trying to stir up dissent.

For example, shrinkwraps. Shrinkwraps are not the enemy of open source -- to the contrary, they are part of what makes the open source license "virus"es work. Some here have argued that this law can somehow have retroactive effect on already existing contracts and past reverse engineering -- Not so, indeed, a law that changed existing contract rights would be unconstitutional. In short, while I understand why the software defect plaintiff's lobby is all in a huff about greater certainty in enforcing shrinkwraps, I'm not sure that the OSS community shouldn't be planting itself squarely on the fence on the issue.

Some other points made in the article:

prevent the transfer of licenses from one party to another without vendor permission;

Of course, this can be (and often is) accomplished under the status quo with a commonly used contract provision. I actually prefer the common law default to the language of UCC2B, but I don't see this as either new or particularly egregious.

allow vendors to disclaim warrantees; and

Vendors can presently disclaim warrantees.

outlaw reverse engineering.

I believe you can review the last draft in vain to find a provision outlawing reverse engineering. Still further, it is doubtful that a state law could do so under present law without violating the Supremacy Clause of the Constitution. Indeed, the last draft of the UCC2B has an express example in the commentary expressly noting circumstances where unconsented reverse engineering is not a breach!

Why are they exaggerating if their case is so strong? Think about it. Its not.

I find great flaws in the UCC2B as do others. However, while flawed, it is not the unmitigated disaster it is held out to be by its critics (although it is certainly special interest legislation). As is often the case, the truth is more interesting.

I do believe slashdotters should educate themselves about this bill, study its provisions (the real ones, not the straw men) and judge for themselves what should be the law. But UCITA is not suprise legislation -- these proposals have been brewing now for years. Consider them carefully, and use what power you have, particularly now that it is no longer UCC, to help your legislators to separate the wheat from the chaff.

So, RTF Bill, read the commentary on both sides, and judge for yourselves.

Ooh! Please pass this law!

From what it says in the article, vendors can already decide to repossess software. A case with Revlon is cited. However this would add an air of legitimacy to it and encourage proprietary vendors to build backdoors into their software. In addition this law would allow vendors to disclaim all warranties and increase the strength of the EULA.

Given the rather questionable EULAs in effect today and the rather questionable software quality in proprietary software, I don't think any manager in his right mind would be willing to stake his job on a piece of software under the terms set forth here.

I can only see this as a boon to the open source software movement, which would offer the following over proprietary:

1) A much more agreeable license. If a license is Open Source, no one will ever try to repossess your software.

2) No warrantee, but if you're using a package and something breaks, you can at least fix it yourself in the worst case.

3) It's free. If your company merges with another one, you don't have to ask anyone for additional licenses or permission to use current licenses.

4) No proprietary file formats. No need to reverse engineer anything. Your data is not being held hostage by anyone.

5) Your terms, mostly. You can do anything you want with the software, with the only restriction being that you make any improvements you make available to everyone.

So you see, I hope this law passes because the sooner everyone is demanding open source, the easier my life will be.

GREAT!!!

This is the best thing that could happen for open source software. The publishers are closing ranks and restricting their users more and more. We have reached a critical mass with Apache, sendmail, emacs, etc. and don't need to worry about the 'reverse-engineering' provisions of this law.

Corporations will come our way in droves if we point out that not only don't we implement UCITA and its noisome 'self-help' strictures, they can see that we don't for themselves. Also, since they own the source, _no one_ can take their software away from them. We should be trumpeting this from the highest peaks. Can you imagine what fear this will strike into the PHB's and suits when they find out that if they don't accede to punishing 'licensing terms' __________ (--Oracle, Microsoft, SAP, Peoplesoft, Baan, etc.--) (fill in the blank) will remotely disable their software throughout their enterprise, from the desktops to the server farms, into the mainframes and down to the data warehouse. Most painfully, the courts and the legislatures will let them!!! Talk about a gun to your head!!! "Sure the data is yours. Try to get at it!"

However, we DO need to beat these fsckers at their own game and protect our 'prior art' at all times when it is obvious (IIS, Exchange, Notes, etc.) that they are the ones doing the reverse engineering. In these cases we need to insist that all these products conform to the liceses they were initially released under or these anal-retentive zipperheads will find themselves in court!!! Also, we need to DEMAND participation in the standards bodies, so they cannot lock the standards (as Rational and Microsoft have done and continue to do.)

The only threat I see here is from Adobe. Anyone know if they still have any claim to PostScript?

Unbelievable

This is absolutely crazy. If you read the article carefully enough, you can pick out SEVERAL controlling issues:

....give vendors the right to repossess software by disabling it remotely

What gives them that right? If you lend a laptop computer to a friend, and he didn't return it when you asked him to, does that mean you can break into his house and take it?

....prevent the transfer of licenses from one party to another without vendor permission

"Hello, Mr. Gates. I'm selling my computer to someone, And I'd like your permission to give him my copy of Windows as well." Now, Microsoft can just as easily say "No, afraid not. BUT, he's perfectly entitled to buy his OWN copy!"

....allow vendors to disclaim warrantees

"...but your warranty says that I can return it if it doesn't work as it says it would."
"Too bad. We've disclaimed that warranty."

I've noticed on the chart that Microsoft was in full favor of this bill. (suprise!) Some other stupid items follow:

McCabe added that vendors are not permitted to exercise self-help if the vendors are aware of third parties that could suffer serious losses because of it.

So, if a company is confronted with this, they can simply say: "But we had no idea!"

Software vendors argue that they are within their rights to limit the use of their products.

Absolutely, but if you want to limit it, you limit it in the actual design of the software. You don't crumble a company's infrastructure just because of a licensing agreement.

"[the bill] says manufacturers are not liable for the poor quality of their products,"

Gee...looks like Microsoft is off the hook. Answer this: If the maker of the software isn't responsible if it sucks, who is?

"If I have to guarantee that my software will perform the way you think it's going to perform, that's going to be costly for me," Winpro's Harris says.

Actually, that's correct. Expecting Microsoft Excel to walk your dog isn't reasonable. BUT, expecting Microsoft Windows not to crash every hour, is. The idea is that Software manufacturers have to guarantee that the software will perform the way THEY claim it will perform. But if it doesn't,"...manufacturers are not liable for the poor quality of their products."

Seems to me, that software vendors want to take more responsibility when it comes to them getting their money, but when it comes to their software not performing at it's expected level, they don't want ANY responsibility. It's a 2 way street, folks. They're just trying to put up One-Way signs.

-- Give him Head? Be a Beacon?

Death Knell

This sounds like a death knell for commercial/closed software if it gets passed into law. Does a company *really* want to give its competitors the ability to shut down its systems remotely? How long will it take for somebody to write an exploit to prematurely trigger the self-destruct? Oh sorry, they called it the "self help feature", didn't they?

I'd much rather stick to open source, so I know that nobody else will be controlling that assembly line or office environment. Talk about a massive DoS attack...

Take it to the Supreme Court...

Somehow I doubt this would ever hold up under judicial review. The whole intellectual property set-up, as explicitly set forth in the Constitution and federal copyright law, is an exchange. On the one hand, the owner of a copyright is given exclusive rights to copy, redistribute, etc. On the other hand, they voluntarily cede rights to the founding ideas to the public. Reverse engineering is therefore legal, since copyright confers absolutely no rights to any founding ideas behind a copyrighted work. I think the Supreme Court would overturn this in a heartbeat. The only sticking point is that (technically, at least), a EULA is a voluntary contract, and it is possible to voluntarily refuse to exercise one's rights under a contract. That would be legally enforceable, if the SC took the view of EULAs as full contracts. However, currently, it's more likely that extreme provisions of EULAs will be looked upon as unenforceable (at least two federal district court decisions have come down this way).

I guess the simplest way to put it is that the proposed law directly contradicts both federal copyright law and the underlying (constitutional) motives behind IP law. In that light, I fail to see how it could survive judicial review.

--
"Perfection is achieved, not when there is nothing left to add, but when there is nothing left to take away. "

If software were cars...

(licence contained on dashboard)

Welcome to your Microsoft Car. By opening the door of this car, you have agreed to this contact and are legally bound by its terms.

You are hearby granted licence to drive this car for purpose of leisure only, within the radius of 50 miles of point of purchase.
Should you wish to use this care for commerical purposes, or for distances longer than 50 miles, you must purchase an upgrade to this licence, details of costs are available from your local MS office

This car comes without any warranty, evnt those assumed for fitness of purpose.
If this car breaks down, we will disclaim liabilty, and not be liable for any damges resulting thereof.

This car has been fitted with the lastest cut-off system, whereby we can remotely imobilise your car in the case we are in suspicion of you breaching your licencening agreements (eg for commerical use, more than 50 miles, or listening to music in mp3 instead of microsoft format)

In no case will we be liable for the damages resulting from cutoff, not even if life or money is lost as a consequence therof. any fines for stopping in the midst of the freeway must be borne by the customer.

If you even wish to sell your car, you must contact us for permission to do so, permission may be granted in exceptional circumstances, the normal requiremnt is for a second owner to purchase the licence to use the car from us. We will retain any monies thereof, and you will also be unable to use the car hencewith.

You may not attempt to guess what is wrong with the car, if it splutters and stops, you may *not* assume that it is out of petrol and attempt to refuel. Yu must bring it to a MS approved dealer, where he will apply the required fix (for an appropiate fee). Attempting to refuel the car, will result in breach of the licence, and your car may be cut off at any day henceforth. The petrol gauge is for use of a Microsoft certificed mechanic for diagnositic purposes only.

As the car is the primary mode of transport, any other modes of transport are deemed copies, and are subject to patent laws. Any mode of device which transports a person, goods, information or thought from two distinct places will be covered. injunctions are currently in place against bicycles, wheelbarrows, televisions, and telepaths in the respective categories.

This casr is equipped with the latest map guidance, so it can tell you (and us) hwere exactly you are in the world. On each entry to the car, it will ask you "where do you want to go today?" If you answer correctly, it will transport you there. Any attempt to visit one of our competitiors will result in imediate terminition of your licence.

This MS care is fully compatible with all othe MS road users, howevrer any crashs as a result of contact with other road users will be deemed to be the fault of the non-MS road user, and MS will not be liable.

this product is only supported on MS stamdard road. For a definition of the word "supported" please see licence 345, section 4, paragraph 5, with excpemptions for cases detailed in sections 1 through 4.

Thank you for *choosing* an MSCAR, the only car that can get through an MS toll bridge in under 3 hours. Our competitors (which you are free to choose, of course, subject to fillout the relevent documentation) seem to be unable to cope with this simple transport protocol.


--

Re:Enforcement?

I will be interested in how they enforce this world wide, since remotely disabeling software is certainly a prohibited in the UK by the computer misuse act 1990. I even recall a case where a company refused to pay a software development company. The software developer remotely disabled the software, and was successfuly prosecuted under section 3 of the computer misuse act.

As I understand it if a person from the US brought thier laptop into the UK, and had the software disabled remotely they they would be able to prosecute the software vendor.

Stephen

Section 3 of the computer misuse act follows:

Computer Misuse Act 1990 (UK) Section 3

3.(1) A Person is guilty of an offence if -

(a) he does any act which causes an unauthorised modification of the
contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the
requisite knowledge.

(2) For the purposes of subsection (1)(b) above the requisite intent is an
intent to cause a modification of the contents of any computer and by so
doing -

(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any
computer; or
(c) to impair the operation of any such program or the reliability of any
such data.

(3) The intent need not be directed at -

(a) any particular computer;
(b) any particular program or data or a program or data of any
particular kind; or
(c) any particular modification or a modification of any particular
kind.

(4) For the purposes of subsection (1)(b) above the requisite knowledge is
knowledge that any modification he intends to cause is unauthorised.

(5) It is immaterial for the purposes of this section whether an unauthorised
modification or any intended effect of it of a kind mentioned in
subsection (2) above is, or is intended to be, permanent or merely
temporary.

(6) For the purposes of the Criminal Damage Act 1971 a modification of
the contents of a computer shall not be regarded as damaging any
computer or computer storage medium unless its effect on that computer
or computer storage medium impairs its physical condition.

(7) A person guilty of an offence under this section shall be liable -

(a) on summary conviction, to imprisonment for a term not exceeding
six months or to a fine not exceeding the statutory maximum or to
both; and
(b) on conviction on indictment, to imprisonment for a term not
exceeding five years or to a fine or to both.

Not all fun and games for open software

Yes, I can see how this might help OSS (or whatever), but I can see how it would hurt it just as bad. You do realize this has the potential to kill WINE and Samba, right? The reverse-engineering clause would kill those. I suppose you could do something with WINE by using the programming references, but you're not going to get as far as you might by reverse engineering Windows (and no telling how liberal their definition of reverse engineering will be; you really can't be bug-for-bug compatible without doing some kind of reverse engineering).

One thing I'm not clear on: what kind of a law is this? It says that once it's ratified by a group of state attorneys general and then passed by a few state legislatures, it will become law. Since when is that how things work?

Taunting the Dinosaurs

If there's ever been a time for the open source community to make itself known, this is it. Now, more than ever, we have proof of the damage to the consumer that intellectual property concerns can do. Apparently, if we give our legislators enough rope, they will gleefully hang themselves.

Here's what you can do:

- Talk to management. Get them to see what intellectual property concerns will do to their bottom line. Then suggest the alternative: open source [opensource.org].

- Support things like Consumer Reports [consumerreports.com], and the Better Business Bureau.

- Inform would-be software buyers of the tradeoffs to buying proprietary software.

It's a decidedly different tact. If you're on the open-source train, I'd have a good laugh right now, because these [microsoft.com] people are putting the nails in their own coffin, free of charge -- The ultimate compliment to the OSS movement [opensource.org].



--

Petition

Looks like Infoworld is collecting e-mail signatures for a petition against this thing. Look at the bottom of this page [infoworld.com] for details. The address is ucita@infoworld.com [mailto].

Time to put the /. effect to good use?

Letter to My Congressman

Here's a copy of a letter I just fired off to my Congressman. (Hope it's accurate...):

To the Honorable Janice D. Schakowski:

The federal government has always been a leader in consumer protection. Unfortunately, our state governments are not always so progressive. The National Conference of Commissioners on Uniform State Laws (NCCUSL) is planning to meet in July to vote on the ratification of the proposed Uniform Computer Information Transactions Act ("the Act"). The Act is a revival of the highly criticized "2B" amendment to the Uniform Commerical Code (UCC). The Act would be an unmitigated disaster for consumers of software products. Among its provisions, the Act would:

-- Drastically increase the enforceability of "shrink wrap" software licenses. These licenses are typically included inside the sealed software packages that appear on store shelves. Consumers have no ability to negotiate terms or even see what it is they are agreeing to prior to paying for the software. These licenses often contain draconian terms such as prohibiting anyone from publishing bechmarks or evaluations of the software without the manufacturers permission (ie, muzzling free speech), prohibiting the transfer of the product to a third party (ie, gutting First Sale rights under copyright law), and prohibiting reverse engineering (ie, gutting Fair Use rights under copyright law).

-- Allows software vendors to more easily disclaim any warranties and escape liability for defective products.

-- Gives specific authorization for software vendors to remotely disable software if the vendor believes its license terms have been broken -- without any finding of this fact by a court or other neutral body, no due process for accused license violators, and insufficient safeguards for customers who might not even find out they have been accused of a violation until such time as their software has been shut off. Even a threat to revoke the license of a mission critical software product could be an unfair bargaining lever against small businesses without the resources to fight back.

I urge you to investigate this matter and take steps to ensure that software consumers are adequately protected. Most software sales involve some form of interstate commerce and so federal jurisdiction should apply if Congress decides to exercise its authority in this matter. It is imperative that Congress put the states on notice that it will not tolerate legislation that harms consumers and benefits only multi-million and billion dollar corporations. It is important to act fast because if the NCCUSL approves this "model" legislation in July, it is highly likely that state legislatures will give rubberstamp approval to it just as they do to UCC changes. If that happens, Congress should not hesitate to override this anti-consumer state legislation.

Software manufacturers are already entitled to 95 years of protection under existing copyright laws, including both civil and criminal penalties for copyright infringers. It is imperative that the existing rights of consumers under copyright law are not stripped away by an added layer of contract rights granted at the state level.

For additional information on the Act, please see the article "Licensing time bomb: Software-law dispute explodes as enactment draws near" in InfoWorld magazine. This article is available on the World Wide Web at http://www.infoworld.com/cgi-bin/displayStory.pl?/ features/990531ucita.htm Additional InfoWorld articles about the Act are available at http://www.infoworld.com/cgi-bin/displayStory.pl?/ features/990528ucitareport.htm

Thank you for taking the time to consider my concerns.

Sincerely,

Aaron M. Renn
arenn@urbanophile.com

Oh, my.

1. This is draconian legislation (or whatever you want to call it) in every sense of the word. The software companies will not be held liable for the software to work, and they can kill "your" copy of their product on a whim.

2. The belief that the consumer market will be able to police the proposed legislation, putting companies out of business if they shut users down, is so absolutely ludicrous that it's almost funny. The average consumer deals with MS failing on a daily basis, and yet continue to purchase their products, although there are others out there. This will make it even MORE difficult to bring competition and fair play into the market. I don't think frightening can be used too much here.

3. Big Brother, here we come. This is the complete and total annihilation of any rights that a software purchaser may have had before. Not allowed to resell/give/transfer a software package without vendor permission? WTF is with micromanaging consumer use/reuse? Again, we're looking at a very scary scenario here. If this passes, what is to prevent the federal government to pass a similar law/set of laws? What is to prevent them from passing a similar law/set of laws with provisions that the NSA/FBI/CIA have access to every shred of data on every individual's computer system? This is the logical progression from such a law, and if this happens, it will become VERY difficult to get rid of.

The gist of what I read in the aforemention article is that the software companies (and is anyone really suprised that MS is in favor of this?) want complete and total control of what users can and cannot do on their computers. I can agree with the concern about piracy and RE, to an extent. HOWEVER, without RE (reverse engineering) we'd probably not even have half the products (payware and otherwise) that we have today. This is including Windows (c'mon, Xerox and Apple had a GUI LONG before MS even thought of it, and need I bring up Mesa, Samba, etc? All solid products making use of RE to figure out necessary hidden/proprietary protocols).

The only way to stop such a draconion piece of legislation is to make it crystal clear to our state legislatures (for those of us who are in the USA) that anyone who votes FOR this thing will have a bitch of a time getting reelected. We also need to make it clear that there WILL be a series of court challenges to this legislation, as I seriously doubt the ACLU will allow for this to occur.