UCITA Still Haunts IT

Computerworld - Washington

It has been called a time bomb—code capable of disabling software—and some users fear its use could become pervasive if the controversial software law UCITA succeeds.


The Uniform Computer Information Transactions Act (UCITA), due for a renewed push for state-by-state adoption next year, lets vendors include code to trigger a shutdown if, for instance, a user's license has expired.


That type of code poses operational and security issues for IT, said Ken Tyminski, chief security officer at Prudential Financial in Newark, N.J. A time bomb or software restraint is a potential bug that could be triggered without warning, sending business systems crashing. Or it could be activated maliciously, giving hackers a back door to networks.


"That, to me, is very, very dangerous for the [insurance] industry and companies at large," Tyminski said. In response, Prudential is ensuring that its vendor contracts prevent any use of such systems.


This type of code "can cripple the business, and it can do it in a method where there has been absolutely no due process, there has been no chance at remediation, no chance at explanation," Tyminski said.


Corporate Fears


The mere existence of any restraint software or time bombs raises other security issues as well. Robert O'Connor, director of network integration services at Pennsylvania State University in University Park, warns, for instance, that a disgruntled former vendor employee could trigger such a system. "I don't trust anything like that," he said.


Users' concern about software restraints that are described in a section of UCITA called "electronic regulation of performance" underscores the ongoing fears they have about this complex licensing law.


UCITA's authors, the National Conference of Commissioners on Uniform State Laws, tried to appease opponents by banning the previously allowed "self-help" provision that allowed vendors to remotely disable software in a contract dispute. But that change simply shifted attention to other parts of the law.


For example, the Institute of Electrical and Electronics Engineers Inc. in New York claims that UCITA's provisions give vendors the right to build in back doors, which would result in a dramatic shift in software licensing.


"The industry is pushing very hard to turn it into a mainframe licensing model, where you will pay for your software on a yearly basis," said Alan Plastow, president of the International Association of IT Asset Managers in Akron, Ohio. "That requires the use of automatic restraints, or it requires the use of a metering process."


But users aren't jumping on board. And Microsoft Corp. has said it has no plans to use embedded self-help features.