white paper from the Software Engineering Ethics Research Institute
(SEERI) to Software Professionals
states are considering legislation that directly threatens the well
being of our populace and the health of software development in
the United States. The proposed legislation, the Uniform Computer
Information Transactions Act (UCITA) would govern all contracts
for the development, sale, licensing, maintenance, and support of
computer software.(1) UCITA began as a proposal to amend the
Uniform Commercial Code (UCC) to cover software. The UCC is
designed to guarantee the safety and merchantability of all products
purchased in the US. The American Law Institute (ALI) and
the National Conference of Commissioners on Uniform State Laws (NCCUSL)
supported an amendment to the UCC. The amendment would extend
the UCC to regulate transactions involving intangible goods (computer
software, online databases and other information products in digital
law, however, as currently written, would eliminate past gains in
understanding and defining the responsibilities of computing professionals.
UCITA as written:
allow companies to release software without disclosing known faults;
mandates that developers are not liable for any damages resulting
from these known faults;
requires the developers consent for others to disclose faults discovered
with their software;
software--called "self-help"-- to be incorporated into
products which can remotely disable the software which runs
the product; and
that developers of software with "self-help" are not liable
for damages should the software be disabled by a third party.
appreciate the importance of maintaining an acceptable standard
of professional responsibility, consider the reaction to the numerous
charges and complaints made against a large tire manufacture for
distributing tires that are defective.
One major concern is that the tires proved to be defective
but of equal concern is the appearance that:
Testing done by the company revealed these defects four years
before the recall.
tires were, nevertheless, distributed with full knowledge of the
risk to the consumer.
The company had over 1,000 complaints and still did nothing.
The consumers were kept in the dark about known the risks
of these tires.
Actions 1-4 contributed to over 100 fatalities and over 800
failure of responsibility is unacceptable and has quite reasonably
generated a flurry of legislative activity to prevent similar activity
and legislation to provide penalties for those who withhold critical
What is startling
and unacceptable to professional software developers is that UCITA,
however, would condone and encourage activities like 1-4 for software,
UCITA denies the vendor's responsibility to do thorough tests.
UCITA allows vendors to deny all liability even when they
release software with known bugs where disastrous results could
have been foreseen. UCITA protects vendors from lawsuits when they
knowingly distribute software with bugs even if they hide this knowledge
for this denial of liability is the vendors claim that programs
are complex and they can't show the software to be error free. The Act makes the customer
responsible for testing. All
professional responsibility of the vendor, with their cadre of trained
developers, is passed on to the client.
UCITA denies the responsibility of the vendor to do thorough
a customer finds an error in the software, the act also prohibits
any re-engineering of the product to fix the bug. Laws that discourage
the development of reliable software or make it more difficult to
detect software problems are clearly against any standards of professional
lucky enough to detect one of these bugs before it does damage are
prohibited by UCITA from publishing the results of their tests or
publishing other criticisms without the vendors permission.
Under UCITA, vendors must grant permission to release or to use
this information for legitimate scientific, research, or educational
purposes. Controlled information, however, also includes benchmarks,
security warning, and negative reviews. And to make matters even worse, UCITA would legislate a gag
order on anyone who discovered flaws or dangers in a software product.
We could not imagine a law that prohibited revealing the
dangers in defective life critical software.
UCITA prohibits revealing defects in licensed software unless
the developers themselves give you permission to reveal such defects.
In order to protect their licenses, vendors are allowed to
exercise electronic self-help. Electronic
self-help is the right of vendors to electronically repossess
their software if they feel the terms of their contract have
been violated: for example self-help could be embedded
code in an application that can disable software. Embedded code
raises numerous security issues.
But vendors dont have to worry about this because UCITA
also protects them from any liability from the damage that results
when a third party uses self help to disable your code
intentionally or accidentally.
The existence of Microsofts Office registration wizard
indicates that we should not be optimistic that vendors will not
use (and perhaps abuse) this self-help feature of the act.
A version of
UCITA for the automobile tire industry, in other words, would have
allowed the tire manufacturer to deny all responsibility for producing
faulty tires, have relived manufacturers of all responsibility and
liability for the 100 plus deaths caused by their defective tires,
as well as distributing tires with known defects and hiding those
defects would be acceptable. Moreover, if UCITA covered tires, the tire manufacturers
permission is required by those who want to warn the populace of
the potential danger.
is surprising that this legislation is even being considered.
Since UCITAs initial formulation various
groups have aligned against it. In the early stages the ALI withdrew
its support, apparently because the document reflects a persistent
bias in favor of companies who publish or sell software.(4)
But NCCUSL went forward with the proposal. Many groups have
rejected the proposal (5) for a variety of reasons (6).
Among those who reject the proposal are the ACM, IEEE, and
26 states attorneys general.
THE ACT IS BEING PASSED ANYWAY.
Even though UCITA seems unconstitutional with its limits
on free speech, it has already (October 2000) been approved by some
states. The Act is
being considered by one state at a time. Virginia has approved it.
Maryland has approved it. They have legislated that computer developers
are not responsible. Arizona, Delaware, District of Columbia, Hawaii,
and New Jersey are considering it.
There are at
least two major problems with this Act. The first is that it puts
software users at very high risk.
If this act is passed we ..will encourage a race to
the bottom in terms of software quality.(7)
A second problem is the harm it does to the
developing profession of software engineering.
professionals should be embarrassed by what this Act says about
the state of the profession. Software engineers have been improving
methods of software development and establishing standards to improve
quality. Corporations have adopted various software process improvement
models such as CMM and Six SIGMA (8) and IEEE software engineering
standards. Even though adopting such statistical control techniques
involves extra work, software engineers have generally approved
the use of the best quality control techniques. Corporations and
professional organizations have committed themselves to the use
of these standards when they publicly adopted the Software Engineering
Code of Ethics and Professional Practice (9).
These improvements are the hope for the future of software
quality and safety. UCITA,
however, runs contrary to the spirit of the Code by (10) essentially
removing all incentives for such improvement and by legislating
non-disclosure of bugs, preventing such improvements.
Engineering Ethics Research Institute was formed to promote the
development of ethical and professional practices that address the
impacts of software engineering and related technologies on society.
SEERI is opposed to this ACT because we think Ed Foster,
a columnist for InfoWorld, had it right when he said,
One way or another, the fight over UCITA is going to
mark a watershed in the software industrys development.
It will either lead to the day when the software industry
fully accepts the responsibilities it has to its customers or the
day when it finally rejects those responsibilities.(11)
legislates away these improvements, provides negative incentive
for these improvements and we believe thereby endangers the populace.
This bill is clearly opposed to any reasonable standards
of software engineering. We urge you to actively oppose this Act.
The problem is
what can we do about it? The
IEEE-USA has recently put together an IEEE_USA Advocacy Kit (12)
as an information resource for those who are concerned and
willing to take personal action to contact their state legislatures
urging them to oppose passage of the model law.
are busy people and WE need to call their attention to the
issues, but sending comments on UCITA before a particular state
legislature starts to evaluate the proposal will probably not be
effective. To facilitate
timely communications with your legislators, you can access the
Software Engineering Ethics Research Institute web site
and provide them with your email address and state of residence
name. They will notify
you when UCITA is being considered in your state. They will also
provide you with the email addresses of your legislators so that
you can communicate your views on UCITA directly to them.
(For A Competitive Information and Technology Economy)
letter from Barbara Simons past ACM president.
For a list of groups opposing UCITA see Opposing Adoption
of the Uniform Computer Information Transactions Act (UCITA) By
the States," Approved By the IEEE-USA Board of Directors (Feb.
Also see Federal Trade
Commission letter to chair of NCCUSL (www.ftc.gov/be/v990010.htm)
David Card, Sorting out Six Sigma and CMM, IEEE Software
The Code affirms the software engineers responsibilities to
society and a commitment to report defective and dangerous software.
1.03. Approve software only if they have a well-founded belief
that it is safe, meets specifications, passes appropriate tests,
and does not diminish quality of life, diminish privacy or harm
the environment. .6.08. Take responsibility for detecting,
correcting, and reporting errors in software and associated documents
on which they work.
A law that says you must ask permission to report any dangerous
situation is in direct opposition to the Code. 1.04. Disclose
to appropriate persons or authorities any actual or potential danger
to the user, the public, or the environment, that they reasonably
believe to be associated with software or related documents.
Ed Foster of InfoWorld, the only journalist following the process
from the beginning, has campaigned against this bill since
the beginning. A short list of reason for opposition are http://archive.infoworld.com/ucita/
here to learn more about UCITA
Director: Dr. Donald Gotterbarn
This page was last updated on 03/27/06