UCITA still haunts IT

August 23, 2002 12:00 PM ET

Computerworld - WASHINGTON -- It's been called a time bomb, code capable of disabling software, and some users fear its use could become pervasive if the controversial software law UCITA succeeds.
The Uniform Computer Information Transactions Act (UCITA), due for a renewed push for state-by-state adoption next year, lets vendors include code to trigger a shutdown if, for instance, a user's license has expired.
It's a type of code that poses operational and security issues for IT, said Ken Tyminski, chief security officer at Prudential Financial in Newark, N.J. A time bomb, or a software restraint, is a potential bug that can be triggered without warning, sending business systems crashing. Or it can be activated maliciously and give hackers a back door to your network.
"That, to me, is very, very dangerous for the [insurance] industry and companies at large," Tyminski said. In response, Prudential is ensuring that its vendor contracts prevent any use of these systems.
This type of code "can cripple the business, and it can do it in a method where there has been absolutely no due process, there has been no chance at remediation, no chance at explanation," he said.
Corporate Fears
The mere existence of restraint software or time bombs also raises security issues. Robert O'Connor, director of network integration services at Pennsylvania State University in University Park, warns, for instance, that a disgruntled former vendor employee could trigger such a system. "I don't trust anything like that," he said.
This concern about software restraints in a section of UCITA called "electronic regulation of performance" underscores the ongoing fears that users have about this complex software licensing law.
UCITA's authors, the National Conference of Commissioners on Uniform State Laws, tried to appease opponents by removing a "self-help" provision that would allow a vendor to remotely disable software in a contract dispute. But that change simply shifted attention to other parts of the law.
For example, the Institute of Electrical and Electronics Engineers Inc. in New York claims that UCITA's provisions give vendors the right to build in back doors, creating a potentially dramatic shift in software licensing.
"The industry is pushing very hard to turn it into a mainframe licensing model, where you will pay for your software on a year basis," said Alan Plastow, president of the International Association of IT Asset Managers in Akron, Ohio. "That requires the use of automatic restraints or it requires the use of a metering process."
But users aren't jumping on board. Also, Microsoft Corp. has said it has no plans to use embedded self-help features.
The use of software restraints won't help vendors win contracts with large enterprises, said Steve McHale, an analyst at IDC in Framingham, Mass. But such techniques could be attractive to vendors of pricey programs, such as engineering software systems.
Critics also assail UCITA because it protects vendors from liability. The Center for National Software Studies, formed earlier this year, is examining the problems with software quality and is working on a set of recommendations. UCITA's liability-limiting provision gives vendors little incentive to worry about the consequences of mistakes, said Alan Salisbury, who heads the Camp Springs, Md.-based center.
