It's Round 2 for the Uniform Computer Information Transactions Act (UCITA), which arrives at state legislatures next year with a new look. And if your state adopts the recently retooled contract law, read your software license carefully or risk signing away your right to reverse-engineer or even publicly critique software.

UCITA is aimed at making the sale or license of software and other computer-based information consistent from state to state and among the U.S. territories. Only two states, Maryland and Virginia, have adopted the act so far. The National Conference Commission on Uniform State Laws (NCCUSL), the group of stateappointed lawyers, judges and law professors that drafted UCITA, revised UCITA earlier this year to allay concerns that it gave software vendors and information-service providers an unfair advantage over IT organizations and consumers.

A Rev. 2 UCITA may not be enough to sway the other 48 states to adopt it, however. The new version of the proposed law still carries much of the old baggage: Opponents argue it gives vendors excessive control in the licensing of their software and information services, and its broad and complex content sometimes raises more questions than it resolves: When does embedded software falls under its authority?, for instance. There is some debate over whether UCITA is even necessary at all, since there's plenty of overlap between it and existing legislation, including state contract laws, the Uniform Electronic Transactions Act (UETA) and Uniform Commercial Code (UCC) already in use in many states.

UCITA makes the sale or licensing of software and other computer-based information, such as online databases, a contractual or licensing arrangement. That's a departure from how most software purchases are handled today, as a sale under copyright law. Copyright law lets you use software for noncommercial reasons like research, teaching, product-testing and reverse-engineering once you've purchased or licensed it. You can't reproduce and redistribute it for profit under copyright law, though.

The scary part about UCITA is that big-name vendors like AOL Time Warner, Intel, LexisNexis, Microsoft, Oracle and PeopleSoft get lots of leverage in how they define the terms of contracts and licenses-limiting your copyright privileges. You won't have as much bargaining power in custom-license deals with CRM (customer relationship management) and ERP (enterprise resource planning) software companies, for instance, since the act lets vendors prohibit you from reverseengineering their products, except for the purpose of making them interoperable with other software. Shrinkwrap licenses will continue to be the norm for off-theshelf purchases under UCITA (see "UCITA: Shrinking From Its Duties?" page 114).

Say you purchase a Web application that generates forms for your e-business customers. The forms use information stored in a back-end database that houses your customers' credit-card number and other personal information. The application runs fine-until someone posts your customer information and creditcard account numbers on the Web. You suspect a hacker has exploited the Web application. Under current copyright law, you could reverse-engineer the Web application to investigate or fix the security hole, and even post your findings and voice your opinion about the security hole in an online discussion group.

But under UCITA, you'd have fewer options if the vendor barred you from reverse-engineering it. That leaves you to buy another application or risk litigation by breaking the license to get to the bottom of the problem.

The newest version of UCITA does come with some promising changes that could benefit IT, however. One of the biggest is the removal of an allowance in the original version that had let vendors remotely disable software if a user allegedly violated a license agreement. That's a hot button: It's akin to evicting a tenant without giving him due process. The new version of UCITA also specifies that the act does not replace existing state consumer-protection laws for unfair and deceptive business practices like price-fixing and other monopolistic actions. And it makes it clear that UCITA doesn't apply to free, open-source software such as Apache and Linux kernels. So you have the same freedoms as before with that kind of code.

Not all software-related contracts fall under UCITA's purview. While UCITA includes contracts for accessing computer information, the Internet and online electronic transactions and multimedia works, it excludes contracts for the distribution of printed information and for regulated telecommunication services and products.

DA BOMB

UNFORTUNATELY, UCITA DOESN'T BREAK much new ground in remedies and damages in software-licensing disputes, nor in warranties. It spells out what most states and the industry already do in these situationsUCITA calls for vendors to provide so-called implied warranties that guarantee the application does what it was created to do. But UCITA gives vendors the option to add a disclaimer, which does nothing to make the warranties stick and hold software vendors responsible for the condition of their software.

And ironically, UCITA so far has caused more division than unity among the states. Some states, including Iowa, North Carolina and West Virginia, have taken pre-emptive strikes against UCITA, with socalled "bomb-shelter" acts that can protect you in some cases. If an IT manager in Iowa purchased a software package from a vendor in Virginia, for instance, he could take his case to a federal district court in his home state of Iowa, where he would have copyright exceptions like "fair use" on his side, and wouldn't have to battle the UCITA interpretation in Virginia. Still, these bomb-shelter acts aren't bombproof, and could be challenged as unconstitutional.

DON'T CALL JUDGE JUDY

SO HOW WILL UCITA BE ENFORCED? Like any contract or license, it's up to the state and federal courts. In most cases under today's copyright contract laws, if your software does not perform according to contract, that constitutes a so-called material breach in the contract or license. You can cancel the contract and sue for damages or return the software. The same is true under UCITA, so not much changes there.

But vendors in the UCITA world have more clout in how they protect themselves in these situations. Although UCITA doesn't let vendors disable your software electronically if they suspect you violated the license, it does give them the power to "peacefully" repossess a CD-ROM or boxed copy of the software. (Beware when you escort visiting vendors through your facility if you live in a state that adopts UCITA.)

Meantime, it's up to each state to determine whether UCITA is worth it. This won't be an easy decision given the problems the act raises for IT and consumers, and the lack of clarity about how UCITA will apply to some software. Embedded software in the chipset of a VCR, for instance, may or may not be subject to UCITA. But UCITA does apply to the embedded software on a network-interface card (not NIC hardware).

With all this controversy and confusion surrounding UCITA, one school of thought is to flesh out the UCC regulations rather than having a separate set of laws for IT with UCITA. Technology advances and industry practices change quickly, so UCITA could become outdated before its time, and its inherent complexity could hamper its acceptance and enforcement. More important, such a law needs to protect-not override-existing rights under copyright law. That will only happen if IT gets a say in the law's adoption and implementation in each state.

The debate over UCITA begins in statehouses across the nation next year. Whether the act's shortcomings become painfully obvious, or whether the revised version gives UCITA new life, remains to be seen. Study UCITA carefully with the help of legal counsel and keep an eye out for it on your state legislature's agenda.