
UK braced for tough US licensing laws

by Nick Farrell, Network News

05 May 2000


US software licensing proposals that form the Uniform Computer Information Transaction Act (UCITA) have raised concerns about breaches of UK data protection laws and parts of the Computer Misuse Act.

The Act has already been agreed at US federal level and is undergoing adoption procedures by a number of state legislatures. It gives vendors the power to insert a 'timebomb' into customer software, enabling them to shut down the entire system remotely without a court order.

Users will be given 15 days' notice of any remote shutdown, but concerns are growing that the warnings may go astray because the vendor may not hold the company's current address or the employee who signed the agreement may have left the company, for example.

When finally agreed by US legislators, the Draconian powers are likely to appear in UK software licences and filter into the statute books.

The Federation Against Software Theft (Fast) issued a warning two weeks ago to UK companies buying US software, advising them to study the Act in conjunction with any licensing agreement.

Remote control
Laurie Westwood, a Fast regional investigator, says: "The effects of UCITA will be wide-ranging and allow the possibility of publishers switching off software remotely."

Support for the legislation comes from the Business Software Alliance (BSA), a coalition of software manufacturers including Computer Associates, Lotus and Microsoft.

Richard Stagg, senior security architect at Information Risk Management, says the law creates several possible nightmare scenarios for network managers. "It probably doesn't matter much if you lose control of your word processing packages for a few hours while the matter is sorted out. But can you imagine what would happen if Microsoft decided you had not paid for one server's worth of Windows NT and decided to shut down your entire network?"

Stagg says that under current data protection legislation vendors should not have the ability to gather detailed information about the way a customer runs applications on a network, unless the company gives them direct access to the network.

"I just can't see any company allowing any vendor that amount of power to achieve a goal that is not in their interest," he says.

This is not the first time companies have been put under pressure to divulge information about their software. In a get-tough policy two years ago, the BSA contacted many small and medium-sized enterprises and asked them to submit to a 'voluntary audit'.

A BSA spokesman said at the time: "If companies refuse to provide us with details, it is logical for us to assume they have something to hide and we could get a court order to inspect their systems."

In the case of UCITA, a company that does not want the software clauses in its contract may not be allowed access to name-brand products such as Windows 2000. Stagg says there are real security concerns in allowing UCITA-approved software into a system.

"If disabling codes are put into software, there are no security defences in the world that could make sure they would not be exploitable," he says. "There will be people who will make it their business to find these codes and work out a way to switch off a company's software, either for a laugh or for industrial cyber-attacks."

Getting in on the Act
There are other legal, cultural and technical problems in the UK with allowing a vendor access to the network. "We have the Computer Misuse Act and the Data Protection Act, which could be broken if the vendor switches off software," says Stagg.

"Another problem is it really is up to the vendor to prove that illegal software is being used by the customer rather than the other way around. A scenario could arise where the vendor switches off software that the user has the right to have."

It is not yet clear whether UK Data Protection Registrar Elizabeth France will be involved in the row. A spokesman for the Registrar expressed concern that UCITA may breach part of the Data Protection Act, which states: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

The spokesman said: "This requires data controllers to implement appropriate safeguards for information. There may be a contradiction if there is a legal obligation to delete everything, or if the software is switched off and it causes any loss of data."

Cem Kaner, software developer, lawyer and the author of the book Bad Software, says the legislation will force companies to spend large sums of money on checking licensing agreements on shrink-wrapped products.

"Large companies spend about as much on shrink-wrapped software as they do on non shrink-wrapped software," says Kaner. "Today, most businesses don't devote significant resources to the negotiation of shrink-wrapped licences. They will now have to start doing so, because the default rules are shifting in favour of the licensor."
