
Inside Risks: Shrink-Wrapping Our Rights


Laws relating to computers, software, and the Internet are being proposed and passed at such a breathless rate that even those of us trying to follow them are having trouble keeping up. Unfortunately, bad laws, such as the Uniform Computer Information Transactions Act (UCITA), are likely to encourage other bad laws, such as proposals to increase surveillance of the Internet. Yet, few people have heard of UCITA, an extraordinary example of a legal proposal with far-reaching consequences. Because commerce is regulated at the state level in the U.S., UCITA is being considered in several states; Virginia and Maryland have passed it.

UCITA will write into state law some of the most egregious excesses contained in shrink-wrap software licenses. These include statements that disclaim liability for any damages caused by the software, regardless of how irresponsible the software manufacturer might have been. Shrink-wrap licenses may forbid reverse engineering, even to fix bugs. Manufacturers may prohibit the non-approved use of proprietary formats. They can prohibit the publication of benchmarking results. By contrast, software vendors may modify the terms of the license, with only email notification. They may remotely disable the software if they decide that the terms of the license have been violated. There is no need for court approval, and it is unlikely that the manufacturer would be held liable for any harm created by the shutdown, whether or not the shutdown was groundless. (The mere existence of such mechanisms is likely to enable denial-of-service attacks from anywhere.)

Since small contractors probably will have a contract that holds them liable for damages, the little guys may be forced to pay for damages resulting from buggy commercial software. Furthermore, the small business owner may be unable to sell the software portion of the business to another company, because most shrink-wrap licenses require the permission of the software vendor before a transfer of software can occur.

Very few manufacturers of other products have the chutzpah to disclaim all liability for any damage whatsoever caused by defects in their products, and most states restrict the effectiveness of such disclaimers. Software vendors base their non-liability claim on the notion that they are selling only licenses, not ‘goods’. Consequently, so the argument goes, U.S. federal and state consumer protection laws, such as the Magnuson-Moss Warranty Act, do not apply. The strong anti-consumer component of UCITA resulted in opposition from 26 state attorneys-general, as well as consumer groups and professional societies such as the IEEE-USA, the U.S. Technology Policy Committee of ACM (USACM), and the Software Engineering Institute. (See www.acm.org/usacm/copyright for more information.)

When most people learn of UCITA, they assume the unreasonable components of software licenses won’t survive court challenges. But because there is very little relevant case law, UCITA could make it difficult for courts to reverse the terms of a shrink-wrap license.

Quoting from the state attorneys-general letter (www.tao.ca/wind/rre/0821.htm), "We believe the current draft puts forward legal rules that thwart the common sense expectations of buyers and sellers in the real world. We are concerned that the policy choices embodied in these new rules seem to almost invariably favor a relatively small number of vendors to the detriment of millions of businesses and consumers who purchase computer software and subscribe to Internet services. …[UCITA] rules deviate substantially from long-established norms of consumer expectations. We are concerned that these deviations will invite overreaching that will ultimately interfere with the full realization of the potential of e-commerce in our states."

We know that it is almost impossible to write bug-free software. But UCITA will remove any legal incentives to develop trustworthy software, because there need be no liability. While the software industry is pressuring the states to pass UCITA, law enforcement is pressuring Congress to enact laws that increase law enforcement’s rights to monitor email and the Net. Congress, concerned about the insecurities of our information infrastructure, is listening. So, in addition to the risks relating to unsecure and non-robust software implied by UCITA, we also have the risk of increased surveillance and the accompanying threats to speech and privacy.

If you want to learn about the status of UCITA in your state and how you might get involved, information is available from a coalition of UCITA opponents at www.4cite.org.


Communications of the ACM (CACM) is now a fully Open Access publication.
