RECOMMENDED AMENDMENTS TO VIRGINIA

Proposed By: The Institute of Electrical and Electronics
1828 L Street, N.W., Suite 1202

Submitted to the Virginia Joint Commission on Science and Technology

The Institute of Electrical and Electronics Engineers, Inc. is a non-profit, technical professional association with more than 350,000 individual members in 150 countries. Through its members, the IEEE is a leading technical authority and produces 30 percent of the world's annual published literature in electrical engineering, computers and control technology. IEEE-USA is the U.S. arm of IEEE created to support the careers and public-policy interests of the nearly 240,000 electrical, electronics, computer and software engineers who are U.S. members of the IEEE, including the 8,900 IEEE members who live and work in Virginia.

IEEE-USA is concerned that UCITA will enable practices that discourage competition and innovation. Instead of promoting high-tech entrepreneurism and economic development within the states, we firmly believe that it will actually work to discourage the same. These concerns are outlined in our UCITA position statement, which is available at http://www.ieeeusa.org/forum/positions/ucita.html.

Since Virginia has adopted the model law, IEEE-USA recommends adoption of the following amendments, which are designed to facilitate the practice of software and systems engineering and to help ameliorate the most adverse prospective effects of UCITA.

Proposal #1: Amend § 59.1-502.9. Mass-market license, by adding proposed new subparagraph (a)(3) Computer Security and Privacy
Rationale: Computer Security and Privacy

The "electronic self-help" provisions of UCITA (see §59.1-508.16(a)) allow software publishers to embed security vulnerabilities and other functions in their software design to allow remote access, and to disclaim liability for harm caused by negligent use or misuse of those functions. Without liability as an incentive to ensure careful programming and proper utilization of the "electronic self-help" right by the licensor, UCITA will inadvertently facilitate "denial-of-service" attacks (remote disablement or destruction of the software and/or theft of data) either by accidental triggering or purposeful exploitation of these functions by malicious intruders. Computer security and the privacy of data are of critical importance to public acceptance of E-Commerce and the continued growth of the Internet, which is an important driver of Virginia's economy.

IEEE-USA notes an amendment proposed by the National Conference of Commissioners on Uniform State Laws (NCCUSL) (see Amendment #5 of August 23, 2000 proposed by Carlyle C. Ring, Jr.) that would prohibit use of "electronic self help" in mass market transactions and reinforce the requirement of manifest agreement by the parties to authorize resort to "electronic self help." IEEE-USA welcomes this proposed narrowing, but notes that it does not solve the basic problem addressed by our amendment, which concerns accountability for the actual design of security vulnerabilities into the software. Under the NCCUSL amendment, a software vendor would still be allowed to insert a "back door" into the software for prospective "electronic self-help" purposes, and disclaim liability for any resulting damage, even if there was no authorization or actual utilization of that "electronic self help" capability by the software publisher. In short, security holes could still be a serious problem even if consumers are not directly subjected to "electronic self help" by the software publisher.

Proposal #2: Amend § 59.1-502.9. Mass-market license, by adding proposed new subparagraph (d)(1):
Rationale for (d)(1): Analysis and Reverse Engineering

As originally passed in Virginia, UCITA would permit licensors to enforce contracts of adhesion which eliminate the ability of licensees to independently verify the claims of licensors, to effectively utilize computer information in secure and complex systems, to effectively diagnose and report bugs in software, or to independently create compatible products. This amendment preserves these abilities for licensees of mass-market computer information provided that the licensees follow all applicable law.

The ability of licensors to analyze mass-market computer information is crucial to the maintenance of a fair, competitive, and innovative technology marketplace. Licensees frequently need to analyze software and other computer information in order to better understand how to utilize it and to fill in the gaps in the licensor's documentation and support; to verify the security and privacy characteristics, and validate compliance with usage requirements. Because of their vested interests, the licensor and its closest allies cannot be expected to provide such analysis in an independent and objective manner.

Finally, the ability to legally and cleanly reverse engineer proprietary protocols and file formats is needed to enable the development of innovative new products that are compatible with those that dominate the installed base of today. Legal reverse engineering must generally be performed on retail copies of software, because dominant vendors do not wish to help their competitors gain compatibility with their products. Permitting licensors to preclude reverse engineering of mass-market computer information is a recipe for a lack of consumer choice, poor interoperability between products, and stagnation of the entire technology industry.

Existing computer information licenses already attempt to impose restrictions on analysis and reverse engineering by licensees of mass-market computer information; but without UCITA, such terms of these "contracts of adhesion" are not universally enforceable. This amendment shelters analysis of mass-market computer information provided it is done in a manner which is legal under copyright, patent, trade secret, and all other applicable law.

Lawful reverse engineering of software promotes the advancement of scientific learning, technological improvements and enhances the public interest. Lawful reverse engineering of computer programs is also fundamental to the development of programs and software-related technology. The term reverse engineering means the discovery by engineering techniques of the underlying ideas and principles that govern how a machine, computer program, or other technological device works. Engineers use this information for many purposes, including making other products interoperate with the target product that is the subject of the reverse engineering. These practices have been recognized by the courts to be consistent with Federal intellectual property law and in no way can be equated with any form of "piracy."

This amendment does not shelter licensees who illegally copy products or who engage in any other unlawful form of reverse engineering or analysis. Illegal abuses by licensees would be actionable both under the other law and under UCITA as a breach of contract under this amendment.

For more information on the importance and appropriate uses of reverse engineering, see the related IEEE-USA position statement at http://www.ieeeusa.org/forum/positions/reverse.html.

Proposal #3: Amend § 59.1-502.9. Mass-market license, by adding proposed new subparagraph (d)(2):
Rationale for (d)(2): Public Commentary

Existing mass-market computer information licenses already attempt to impose restrictions on the free speech rights of licensees and of journalists, but such terms are not generally enforceable without UCITA. This amendment restores the ability for a free press and an informed consumer base to publish objective and independent reviews of computer information products.

The proposed revision only applies to computer information, which is itself already generally available to the public under the terms of a mass-market license. It would therefore in no way interfere with standard industry practices such as negotiated non-disclosure agreements, restrictions on public disclosure concerning "beta test" software, or special terms which apply to "pre-release" computer information.

Proposal #4: Amend § 59.1-502.9. Mass-market license, by adding proposed new subparagraph (d)(3):
Rationale for (d)(3): Use With Competing Products

Without this amendment, dominant computer information licensors would be able to use UCITA to eliminate any possibility for competition by precluding the use of new, innovative, products from other sources in conjunction with their dominant products.

Proposal #5: Amend § 508.3(d), Contractual Modification of a Remedy, by adding the following text (in italics):
Rationale:

The intent of this amendment is to provide a strong incentive for disclosure, in support of competition and risk reduction for customers. It is not to punish software publishers for honest mistakes or for things that they don't know about.

It is impossible for a software publisher to test for all of the defects that might be in its products, but some publishers release products with serious defects that they know about. IEEE-USA believes that significant known defects should be disclosed to the customer. This enables the customer to choose between products, to avoid using a product in a way that triggers a failure, or to minimize the impact of a failure after it has happened. Customer knowledge is particularly important under UCITA because UCITA grants licensors of mass-market software so much leeway to define the warranties and remedies they provide to customers.

Unfortunately, if only one company discloses its known defects, less ethical competitors can use the disclosed information as a competitive weapon, attacking the quality of the honest company's software without disclosing the (perhaps much lower) quality of their own. This amendment provides an incentive for disclosure by all mass-market licensors.

It does not force accountability on the licensor who simply doesn't know about a defect. Nor does it force software licensors to disclose all of their defects. If a defect causes no losses, the licensor who does not disclose the defect will not have liability. But if the licensor expects that a defect may cause losses, its best course is disclosure. The licensor can avoid paying damages for losses caused by any disclosed defect, but will have to reimburse up to $500 per customer for losses caused by a known but undisclosed defect.

The amendment also provides a standard for disclosure. The language is intended to be favorable to the honest licensor who attempts in good faith to write a good disclosure.
The disclosure is sufficient, under this amendment, if the licensor reasonably believes that it would be informative and useful to someone who the licensor reasonably believes would be a typical member of the market.

The Institute of Electrical and Electronics Engineers - United States of America
Last Update: 21 Oct. 2000
Copyright © 2000, The Institute of Electrical and Electronics Engineers, Inc.