
 

 ALERT:  a danger to the Public and a danger to the development of Safe Quality Software in new legislation



 A white paper from the Software Engineering Ethics Research Institute (SEERI) to Software Professionals

Several states are considering legislation that directly threatens the well-being of our populace and the health of software development in the United States. The proposed legislation, the Uniform Computer Information Transactions Act (UCITA), would govern all contracts for the development, sale, licensing, maintenance, and support of computer software.(1) UCITA began as a proposal to amend the Uniform Commercial Code (UCC) to cover software. The UCC is designed to guarantee the safety and merchantability of all products purchased in the US. The American Law Institute (ALI) and the National Conference of Commissioners on Uniform State Laws (NCCUSL) supported an amendment to the UCC. The amendment would extend the UCC to regulate transactions involving intangible goods (computer software, online databases and other information products in digital form).

The law, however, as currently written, would eliminate past gains in understanding and defining the responsibilities of computing professionals.  UCITA as written: 

a.   would allow companies to release software without disclosing known faults;

b.   mandates that developers are not liable for any damages resulting from these known faults; 

c.   requires the developers' consent for others to disclose faults discovered with their software;

d.  allows software--called "self-help"-- to be incorporated into products which can remotely disable the software which runs the product; and 

e.  asserts that developers of software with "self-help" are not liable for damages should the software be disabled by a third party.  

To appreciate the importance of maintaining an acceptable standard of professional responsibility, consider the reaction to the numerous charges and complaints made against a large tire manufacturer for distributing tires that are defective. One major concern is that the tires proved to be defective, but of equal concern is the appearance that:

1.      Testing done by the company revealed these defects four years before the recall.

2.    The tires were, nevertheless, distributed with full knowledge of the risk to the consumer.

3.      The company had over 1,000 complaints and still did nothing.

4.      The consumers were kept in the dark about the known risks of these tires.

5.      Actions 1-4 contributed to over 100 fatalities and over 800 injuries.

This apparent failure of responsibility is unacceptable and has quite reasonably generated a flurry of legislative activity to prevent similar activity and legislation to provide penalties for those who withhold critical safety data.(2) 

What is startling and unacceptable to professional software developers is that UCITA, however, would condone and encourage activities like 1-4 for software:

A.     UCITA denies the vendor's responsibility to do thorough tests.  UCITA allows vendors to deny all liability even when they release software with known bugs where disastrous results could have been foreseen. UCITA protects vendors from lawsuits when they knowingly distribute software with bugs even if they hide this knowledge from users.

 

The justification for this denial of liability is the vendor’s claim that programs are complex and they can't show the software to be error free.  The Act makes the customer responsible for testing.  All professional responsibility of the vendor, with their cadre of trained developers, is passed on to the client.  UCITA denies the responsibility of the vendor to do thorough tests. (3)

 

B. If a customer finds an error in the software, the act also prohibits any re-engineering of the product to fix the bug. Laws that discourage the development of reliable software or make it more difficult to detect software problems are clearly against any standards of professional practice. 

Those lucky enough to detect one of these bugs before it does damage are prohibited by UCITA from publishing the results of their tests or publishing other criticisms without the vendor’s permission. Under UCITA, vendors must grant permission to release or to use this information for legitimate scientific, research, or educational purposes. Controlled information, however, also includes benchmarks, security warnings, and negative reviews. And to make matters even worse, UCITA would legislate a gag order on anyone who discovered flaws or dangers in a software product. We could not imagine a law that prohibited revealing the dangers in defective life-critical software. UCITA prohibits revealing defects in licensed software unless the developers themselves give you permission to reveal such defects.

 

C.  In order to protect their licenses, vendors are allowed to exercise “electronic self-help”. “Electronic self-help” is the right of vendors to electronically repossess their software if they feel the terms of their contract have been violated; for example, “self-help” could be embedded code in an application that can disable software. Embedded code raises numerous security issues. But vendors don’t have to worry about this because UCITA also protects them from any liability for the damage that results when a third party uses “self-help” to disable your code intentionally or accidentally. The existence of Microsoft’s Office registration wizard indicates that we should not be optimistic that vendors will not use (and perhaps abuse) this self-help feature of the act.

A version of UCITA for the automobile tire industry, in other words, would have allowed the tire manufacturer to deny all responsibility for producing faulty tires and would have relieved manufacturers of all responsibility and liability for the 100-plus deaths caused by their defective tires; distributing tires with known defects and hiding those defects would be acceptable. Moreover, if UCITA covered tires, the tire manufacturer’s permission would be required by those who want to warn the populace of the potential danger.

It is surprising that this legislation is even being considered. Since UCITA’s initial formulation, various groups have aligned against it. In the early stages the ALI withdrew its support, apparently because the document reflects a persistent bias in favor of companies who publish or sell software.(4) But NCCUSL went forward with the proposal. Many groups have rejected the proposal (5) for a variety of reasons (6). Among those who reject the proposal are the ACM, IEEE, and 26 states’ attorneys general.

BUT THE ACT IS BEING PASSED ANYWAY.  Even though UCITA seems unconstitutional with its limits on free speech, it has already (October 2000) been approved by some states.  The Act is being considered by one state at a time. Virginia has approved it. Maryland has approved it. They have legislated that computer developers are not responsible. Arizona, Delaware, District of Columbia, Hawaii, and New Jersey are considering it.  

There are at least two major problems with this Act. The first is that it puts software users at very high risk. If this Act is passed we “...will encourage a race to the bottom in terms of software quality.”(7) A second problem is the harm it does to the developing profession of software engineering.

All computing professionals should be embarrassed by what this Act says about the state of the profession. Software engineers have been improving methods of software development and establishing standards to improve quality. Corporations have adopted various software process improvement models such as CMM and Six Sigma (8) and IEEE software engineering standards. Even though adopting such statistical control techniques involves extra work, software engineers have generally approved the use of the best quality control techniques. Corporations and professional organizations have committed themselves to the use of these standards when they publicly adopted the Software Engineering Code of Ethics and Professional Practice (9). These improvements are the hope for the future of software quality and safety. UCITA, however, runs contrary to the spirit of the Code by (10) essentially removing all incentives for such improvement and by legislating non-disclosure of bugs, preventing such improvements.

The Software Engineering Ethics Research Institute was formed to promote the development of ethical and professional practices that address the impacts of software engineering and related technologies on society. SEERI is opposed to this Act because we think Ed Foster, a columnist for InfoWorld, had it right when he said, “One way or another, the fight over UCITA is going to mark a watershed in the software industry’s development. It will either lead to the day when the software industry fully accepts the responsibilities it has to its customers or the day when it finally rejects those responsibilities.”(11)

UCITA effectively legislates away these improvements, provides negative incentive for these improvements and we believe thereby endangers the populace.  This bill is clearly opposed to any reasonable standards of software engineering. We urge you to actively oppose this Act.  

The problem is: what can we do about it? The IEEE-USA has recently put together an IEEE-USA Advocacy Kit (12) as an information resource for those who are “concerned and willing to take personal action to contact their state legislatures urging them to oppose passage of the model law.”

Legislators are busy people and WE need to call their attention to the issues, but sending comments on UCITA before a particular state legislature starts to evaluate the proposal will probably not be effective. To facilitate timely communications with your legislators, you can access the Software Engineering Ethics Research Institute web site http://seeri.etsu.edu/register.shtm and provide them with your email address and state of residence. They will notify you when UCITA is being considered in your state. They will also provide you with the email addresses of your legislators so that you can communicate your views on UCITA directly to them.

(1) http://www.acm.org/usacm/copyright/

(2) www.4cite.org (For A Competitive Information and Technology Economy)

(3) www.acm.org/usacm/copyright/ucita.cacm.htm letter from Barbara Simons past ACM president.

(4) www.acm.org/usacm/copyright/asq_ucita.html

(5) For a list of groups opposing UCITA see “Opposing Adoption of the Uniform Computer Information Transactions Act (UCITA) By the States," Approved By the IEEE-USA Board of Directors (Feb. 2000) www.ieeeusa.org/forum/POSITIONS/ucita.html. Also see Federal Trade Commission letter to chair of NCCUSL (www.ftc.gov/be/v990010.htm)

(6) David Card, “Sorting out Six Sigma and CMM,” IEEE Software, May/June 2000.

(7)  http://seeri.etsu.edu/se_code_adopter/default.asp

(8) The Code affirms the software engineer’s responsibilities to society and a commitment to report defective and dangerous software. “1.03. Approve software only if they have a well-founded belief that it is safe, meets specifications, passes appropriate tests, and does not diminish quality of life, diminish privacy or harm the environment.” “6.08. Take responsibility for detecting, correcting, and reporting errors in software and associated documents on which they work.” A law that says you must ask permission to report any dangerous situation is in direct opposition to the Code. “1.04. Disclose to appropriate persons or authorities any actual or potential danger to the user, the public, or the environment, that they reasonably believe to be associated with software or related documents.” http://computer.org/computer/code-of-ethics.pdf.

(9) Ed Foster of InfoWorld, the only journalist following the process from the beginning, has campaigned against this bill since the beginning. A short list of reasons for opposition is at http://archive.infoworld.com/ucita/

(10) http://www.ieeeusa.org/policy/issues/UCITA/ucitakit.pdf

 


Director: Dr. Donald Gotterbarn

This page was last updated on 03/27/06

