Editorial by Eugene Spafford
CERIAS at Purdue University
August 4, 2000

The biggest threats to information security in the next decade may not be malicious hackers and viruses. They are going to be bad law, passed by ill-informed legislators and pushed by greedy and unscrupulous commercial interests with lots of money to lobby with. Those companies are going to seek to further expand (bad) law protecting intellectual property, curtailing consumer rights, and shielding themselves from the consequences of producing bad software. You don't believe it?  If you live in the US, consider the following scenario: You buy some shrink-wrapped software for use in your business or at home. As part of that purchase: 

Sounds absurd, doesn't it?  Impossible, perhaps?  Unfortunately not -- it is currently embodied in state law in both Maryland and Virginia, and will soon be considered by the legislatures of the other 48 states. If a vendor chooses to write any of the above-mentioned provisions into a software license, state contract law will allow and enforce it. The vehicle for this travesty is UCITA -- the Uniform Computer Information Transactions Act.  Ostensibly an update of the Uniform Commercial Code in each state, the process of drafting the act was co-opted by some of the largest entertainment and software firms.  The result is something that is opposed by a Who's Who of the computing and consumer-rights milieu -- including the IEEE, ACM, MPAA, ALA, Consumers Union, and the FTC. (See www.badsoftware.com/oppose.htm for an incomplete list of opponents.)

Why is UCITA such a threat when it is so obviously bad for consumers and the IT industry (and security people in particular)? Mainly because of the complexity of the issue and the money involved. The draft act is several hundred pages of dense legalese that is beyond the ability of most state legislators to analyze. So, they are depending on the word of knowledgeable experts to understand the impact. Unfortunately, the companies that stand to gain the most are also lobbying the most strongly on this issue. The mantra heard in MD and VA from these lobbyists was that if the states didn't pass UCITA they would not be able to compete for high-tech jobs and dollars. This is persuasive to legislators who don't otherwise understand the issues. How would it play in the halls of your state capitol?

So, what can *you* do?  Well, first of all, educate yourself about the issues. Start with Barbara Simons's editorial "Shrink-Wrapping Our Rights" in the Inside Risks column of CACM (vol. 43, no. 8, August 2000); also available at www.csl.sri.com/neumann/insiderisks.html. You can also find articles about UCITA and its impact at www.ucita.org/. Then, communicate with your state legislators about the problems this law would bring to your state if passed, and your opinion of it.

Remember -- the insider threat does not come only from employees. The software you use may well be the biggest threat, along with its vendor. What good is security technology when the law doesn't let you protect yourself?