

Article 2B is Fundamentally Unfair to Mass-Market Software Customers

Cem Kaner

Submitted to the American Law Institute for its Article 2B review

October, 1997

Copyright (c) Cem Kaner. All rights reserved


Note to the American Law Institute:

I prepared this memo for private circulation to a few colleagues. I've been repeatedly asked to send this to you as background for your October meeting. Unfortunately, other circumstances make it impossible for me to timely revise this to the extent appropriate for submission to you. I apologize for the length of the memo and for the lack of several citations. Despite its faults, I hope that you find the memo useful.

My qualifications for addressing you are noted at the end of this memo.


 

To the best of my knowledge, no advocate for mass-market customers who has studied Article 2B thinks that 2B is even marginally acceptable. It is a fundamentally unfair draft statute that will result in lower quality products, lower customer confidence, and a weaker domestic industry.

Some people see Article 2B as a law that will encourage the development of a primarily American industry. I applaud the sentiment, but I think that some people don’t realize how geographically diverse the industry is. Would you still support the terms of this bill if the primary manufacturers of software were Japanese, German, Indian, Israeli and Brazilian? These and other countries are providing increasingly powerful competitors. The marketplace is more global than it might first look.

Overview of the Problems

My comments focus on transactions involving off-the-shelf software that comes with a shrink-wrap or clickwrap license.

Article 2B denies the mass-market customer most remedies, even a refund of the fee charged by the publisher for calling to report problems. Customers are entitled to refunds only for "material" breaches of contract, and 2B redefines "material" to be narrower and less inclusive than the Restatement of Contracts. Article 2B denies the remedies even when the customer’s damages are caused by a defect that was known to the publisher before the product was released for sale, that the publisher chose not to fix and chose not to warn the customer about.

Article 2B lets publishers pick what law will govern their sales and where customers can sue them. There are no geographical restrictions and no requirement of any relationship between the law, the forum and any party or aspect of the transaction. Small claims court actions will be unavailable (when exclusive jurisdiction is given to a higher-level court) or prohibitively expensive (in a state or country far, far away). Article 2B is forum shopping gone wild, and available only to the publisher. There are slight restrictions on this if the customer is a "consumer" who uses the software for strictly non-business, non-professional purposes (the teacher who does research or writes assignments at home is not acting as a consumer, nor is the unemployed secretary who tries out some home-based network marketing scheme and uses a computer to manage her mailing lists and print fliers.) Few customers with meritorious cases will have the ability to bring a lawsuit against a publisher.

Article 2B settles the Battle of the Forms (the traditional problem of conflicting terms and expectations set between the publisher and the customer) by creating a new set of procedures that will ensure that the publisher wins the battle. The publisher gets the last shot, in the "mass-market license agreement," which the publisher need not even make available to the customer until after the customer has paid for the product, taken it away, and started installing it on his computer. With extremely few exceptions, all of the terms in this "license" "agreement" will be fully enforceable against the customer as if he had reviewed, discussed, and signed a paper contract before the sale.

Article 2B adopts wholesale the publisher’s view that it is merely granting a license to use intellectual property when it sells someone a software product. There is no difference between selling the right to read a book from a computer disk and the right to read a book on paper. There is no reason in principle that we should declare one transaction a license and the other (for now) as a sale. Customers do not view their purchases of MS Word, etc. as licensing transactions. Once 2B characterizes the transaction as a licensing transaction, it then allows publishers to exploit their freedom from first sale rights and fair use doctrines, which can be limited by license. In a mass-market software license, software publishers can (and some do) forbid customers from publishing critical articles about the product (nondisclosure/confidentiality provisions), from lending the product to a friend, from using it where and when and on what machine they want, from getting third party support for the product (see MAI v. Peak Computing), from using the product to create a competing product, from reverse engineering a product in order to make one product that is interoperable with another, etc.

In various forms, Article 2B has been under development since 1986, with extensive publisher input and influence and relatively little input or influence in favor of customers, authors, and small development teams. Paragraph by paragraph, the language of 2B has been polished and optimized. The extent of the bias of the statute is pervasive. The statute blesses the mass-market adhesion contract, delivered post-sale. Here are examples of the terms that the publisher can include:

The President of the Software Publishers Association recently testified that competition in the software publishing industry was threatened, and that publishers were being harmed by being handed "take it or leave it" licenses by more powerful publishers. (Wasch, K., Federal Trade Commission Hearings on Global and Innovation-Based Competition, Testimony of Ken Wasch, December 20, 1995, downloaded from www.spa.org/gvmnt/papers/kentest.htm). Yet that same association publishes a standard form, take-it-or-leave-it license for publisher use with end customers. (Software Publishers Association, Model PC Software License Agreement (and Explanatory Comments), 1993.) We should recognize that what is unfair for the gander is also unfair for the goose.

The Problems in Detail

The rest of this memo will review Article 2B section by section, highlighting provisions that I think are weak or objectionable. The reporter’s comments often seem worse to me than the black letter, a cause for concern about the potential tone and content of the Official Comments. But for this memo, I will generally skip the reporter’s comments.

The current draft of Article 2B is nearly 250 pages long, much of it single-spaced. The Sacramento draft ran over 300 pages. I cannot repeat the statute in this memo. I’ve tried to make my comments intelligible to a reader who doesn’t have the draft handy, but you will find them easier to follow if you have the September, 1997 draft in hand. You can retrieve it from www.law.upenn/bll/ulc/ulc.htm.

2B-102(a)(7) Definition of Conspicuous

Article 2 case law has consistently held that disclaimers of implied warranties must be conspicuous at the time of, or before the time of, the sale. In software, we see this principle adhered to in Step-Saver Data Systems, Inc. v. Wyse Technology and The Software Link, Inc., 939 F.2d 91 (3rd Cir., 1991), Arizona Retail Systems, Inc. v. The Software Link, 831 F. Supp. 759 (D. Ariz., 1993) and Tandy Corp. v. McCrimmon 414 S.E.2d (Ga. Ct. App., 1991). In early drafts of Article 2B, the Reporter’s Notes explicitly stated that Article 2B would "overrule" the Step-Saver decision. There are also non-software cases. Here is Clark & Smith’s summary from The Law of Product Warranties (1984; supplemented 1994) p. 8-18:

For those of us who lack X-Ray eyes, a disclaimer that is packaged inside of a box is non-visible and therefore inconspicuous at the time of sale. How could anyone but Orwell define something that is hidden as conspicuous?

One of the core tenets of consumer protection is the notion of informed choice. Critical information about a product is made available to the consumer at or before the sale so the consumer is in a position to understand the relative benefits from competing products. The conspicuousness clause makes sure that the customer (not just a consumer in Article 2 -- any customer) becomes aware of particularly oppressive terms (such as a seller’s refusal to guarantee that its product is fit for its normal purposes) before the sale.

Earlier this year, I attempted to survey the warranty practices of the industry and I gave up on obtaining a statistically convincing sample. These licenses are often hard to get without buying the product. A normal customer will not learn the terms of competing products’ licenses, not even terms that we would call material (availability of remedies, existence of a warranty, existence of a promise to attempt to fix defects, how many weeks or months of free support is available, etc.)

By allowing publishers to postpone the customer’s discovery of "conspicuous" terms until after the sale, Article 2B lets the publisher avoid giving customers informed choice, while still being able to later say to the customer, "We told you that was the agreement. What’s your problem?"

It seems to me that the requirement of "conspicuousness" has become largely meaningless under this scheme. The customer doesn’t learn of the must-be-conspicuous term until after the purchase decision has been made and the customer is trying to use the product. At this point, the customer will probably not ask for a refund. We have replaced an information-transmission requirement with a formality.

Article 2B leaves the regulation of the integrity of the industry to a supposedly free market that will kill bad companies through competition. But here, 2B lets the worst companies hide their practices until after customers have paid their money, when it is too late to look for competitive terms. What public policy is served by this anti-competitive approach to the definition of conspicuousness?

(Note: The approach adopted by the Drafting Committee for the November, 1997 draft doesn't solve this problem. It makes it slightly easier for a customer to take back the product, but no easier for the customer to do comparative shopping. You still accept or reject the license without knowledge of competitors' terms.)

2B-102(a)(8) Definition of Consumer

Article 2B refers to individuals (consumers) rather than to products (consumer goods). A consumer is narrowly defined to be only someone who uses a product for personal, family, or household use. A person is not a consumer if she buys a word processing program to run a home office (even an unemployed person who is desperately setting up a home-based network marketing business), to do research at home (a high school teacher or professor or graduate student), or to write the Next Great Novel. A 7-11 owner and a solo practitioner dentist are treated as sophisticated business people, with no buyer protection. They have no more leverage, and no more knowledge, than a "typical" consumer. In the computer world, there are very few true consumers. The product empowers people at home to do business and professional things at home, making classical consumers into businesses for purposes of this statute.

2B-102(a)(10) Anti-Competitive Contractual Use Restrictions

‘Contractual use restrictions’ include obligations of nondisclosure and confidentiality and limitations on scope, manner, method or location of use to the extent that these obligations or duties are created by the contract.

In a mass-market product, who is the publisher keeping secrets from when it includes a nondisclosure restriction? Any person willing to pay the price can examine the product, so the nondisclosure is not there to keep secrets safe from competitors. Instead, this type of clause is useful and used to stop people from publishing detailed critical reviews of the product. Some publishers are more direct about this than others. For example, one license reads "The customer will not publish reviews of the product without prior written consent from McAfee." I’m aware of one dispute between a software publisher and a magazine publisher over exactly this issue. Ultimately, the magazine publisher printed its review. With the explicit authorization of nondisclosure use restrictions in 2B, however, magazines--and, especially, the more-easily-intimidated private persons who maintain websites or post messages on newsgroups--will be more easily chilled.

If integrity in the marketplace is to be protected by competition, what public policy is served by restricting the free flow of information about products? This approach is anti-competitive.

2B-102(a)(11) Definition of Copy

The definition of a copy in 2B includes temporary fixation. Previous drafts of 2B have explicitly cited to MAI Systems Corp. v. Peak Computer, Inc. (991 F. 2d 511, 9th Circuit, 1993), a controversial case. The citation is no longer in the reporter’s notes, but the holding is: "Moving information into a computer memory makes a copy of that information." My understanding is that this is a proposal that was not adopted at WIPO and has not been adopted by Congress. MAI created the rule and applied it in a most interesting situation.

MAI supplied computers, including an operating system to run the computer and diagnostics for the computer. Peak was a third party service organization. Customers would call in Peak to maintain their computers. If you had an MAI computer, the Peak staff member would come onto your site, turn on your machine, boot its operating system, run the diagnostics that came with the machine, and then do what was necessary. In this situation, MAI and Peak are competitors for your service business. MAI was able to stop Peak from servicing MAI computers because MAI’s license restricted use of the software to not more than three of the customer’s "bona fide employees." Even though Peak was working at the customer’s site, at the request of the customer, running software licensed to the customer, and MAI supplied this software to the customer specifically to be run on this computer, Peak was a contractor, not an employee of the customer. Therefore, Peak’s use of the software was a violation of the terms of MAI’s license, and was (because loading software into memory is a copying) therefore a copyright infringement. The MAI case is controversial, but 2B adopts its view.

What public policy is served by restricting competition in the service market?

2B-102(a)(14) Definition of Direct Damages

The definition of direct damages does not (as I somewhat uncertainly read the statute) include the value of an equivalent performance from another supplier. If you promise to sell me a product that has the X feature for $100, and you deliver something that can’t X, then I should be able to either demand a refund or to obtain something that does have the X feature. If I cover by buying the least expensive X-equipped program for $200, you should reimburse me the full $200 (and I should return your product), as a matter of direct damages.

2B-102(a)(21) Definition of Incidental Damages

Incidental damages include the cost of calling the publisher to report a defect, to request support for a defect, and to request a refund. The publisher can charge you $30 (a common number) for each of these calls. When you give up all hope of making the product work and demand a refund, the publisher won’t have to repay you these charges if it excludes incidental damages in its remedy limitations clause.

On average, it takes 30 minutes to reach an appropriate support technician when you call for software support. On average, you are left on hold for 15 minutes before talking to anyone. 1.5 hour waiting times on hold are not uncommon. One cross-industry study of hold times showed software as the worst industry for leaving people on hold. The industry has widespread knowledge of service levels and call abandonment rates. Long hold times are not accidental—their effect is that a large proportion of people who call to complain will give up waiting and hang up. Imposing very long hold times on the customer (with the knowledge that the large majority of callers will hang up) is the opposite of cooperating with a customer to help that customer mitigate its losses. This customer’s incidental losses are being driven through the roof (cost of staff-member’s time on hold plus the cost of the call itself). Article 2B lets the publisher impose these taxes on customers, without forcing them to reimburse the customer when the customer complains about a genuine defect in the product. (For supporting data, see Kaner, Article 2B and Software Customer Dissatisfaction, available at www.badsoftware.com.)

To a large degree, incidental damages of software customers are directly traceable to the quality of support provided by the software publisher. These should not be excludable.

2B-102(a)(23) Definition of Informational Content

Informational content probably includes the contents of any database. The problem is the generality of the definition. It's one thing to shield publishers from liability for errors in their statements. It's something else to shield publishers from errors (including errors in formatting of information) that have purely functional effects. For example, in a database the difference between "00" and "2000" in a date field is a difference in informational content that will have major functional effects.

2B-102(a)(29) Definition of Mass-Market Transaction

Classification as "mass-market" is important because several fundamental rights go away if a transaction is not "mass-market." For example, the customer loses first sale rights to transfer the copy of the program, loses the right to conspicuous notice of some terms, loses perfect tender rights, has no right to a virus-free product, etc. A transaction is not mass market if:

2B-102(a)(30) Definition of Merchant

"Merchant" includes someone who has "knowledge or skill peculiar to the practices or information involved in the transaction." Relative to a program that provides information about poison mushrooms, a medical doctor is a merchant even though that doctor might be clueless about computers and programs. A wide range of unsophisticated buyers will be "merchants" under this definition.

2B-102(a)(34) Definition of Receive

Under 2B-102, an electronic copy is received when it enters an information processing or storage system in a form capable of being processed or viewed by a system of that type, and the recipient has designated this system as the place where s/he receives copies.

Suppose that you have a dial-in account with an Internet Service Provider (ISP). To use a hypothetical example, suppose you have an account on whoopsnet.net. You order some information and it is emailed to you at whoopsnet. Unfortunately, before you download the information from the whoopsnet server, or while you are downloading, whoops, there’s an error and your file goes away. You haven’t received this file, but this definition says that you have. If you want the file again, 2B lets the merchant say that you have to pay for it again.

The argument can be made that this rule is not terribly unfair, but I want to raise a flag of bias here. In this case, we see an error on the licensee’s system and the default rule in 2B is zero tolerance. If the copy is delivered to the licensee’s ISP and there is any error after that, that error is the licensee’s problem and the licensor is entitled to payment even though the licensee never got the benefit of the information.

But what happens if there is an error by the licensor, such as a defect in the software? Typically, 2B will be very forgiving of licensor’s errors.

2B-102(a)(43) Definition of Substantial Performance

Substantial performance merely means performance that is not so terrible as to be a material breach. Given 2B’s unique definition of "material" this is not very substantial performance at all.

2B-103(d)(4) Definition of Scope; Embedded Software

The definition of embedded software is ambiguous to the point of not being useful. My understanding is that the Reporter would welcome a better definition and I’m preparing a memo for distribution to the Drafting Committee that might help. But note a loophole that might have been intentional. A publisher of embedded software (e.g. brake software for your car) can un-embed it, for this definition, simply by making the software the subject of a separate license. The liability and other customer protection rules are dramatically different in Article 2 and Article 2B. This section allows the product’s publisher to make its own choice about whether its embedded software belongs to Article 2 or 2B.

2B-104(a)(3) Reduced Applicability of Consumer Protection Rules

If there is a conflict between 2B and a consumer protection statute, 2B-104 says the consumer protection statute applies. This has frequently been touted as evidence that 2B doesn’t take away any significant consumer protections. But this larger statement is not true. 2B says that when you go to a store and buy a packaged software product, you are buying a license, not goods. It thus takes packaged software products out of the scope of every state and federal consumer protection law that applies specifically to sales of goods (such as the Magnuson-Moss Act), eliminating these laws’ safety net for consumers.

2B-104(b)(3) Conspicuousness

2B-104(b)(3) states that requirements in other laws that a term in a contract be conspicuous are declared satisfied so long as the requirements of conspicuousness imposed by 2B are applied.

2B does not require that a conspicuous term be available to a customer when the product is sold. To the extent that the other law’s requirement of conspicuousness was adopted to further a policy of informing the customer of key information before or at the time that the customer was to make the buying decision, 2B thwarts that policy.

2B-108(a) Choice of Law

Without restriction, 2B says that a choice of law in an agreement is enforceable. The choice of law term need not be conspicuous. For packaged software, the "agreement" will typically be a non-negotiable document, written by the publisher, and not available to the customer until after the sale is complete and the product is taken away. There is no requirement that the chosen law bear any relationship to the transaction or the parties, and there is no provision, as in Article 1, for conflicts of law that involve a fundamental policy of the customer’s state. Instead, 2B says that, without restriction, the publisher gets to choose what state’s or country’s law it would like to have governing this agreement.

2B-109 Choice of Forum

Except for "consumer" transactions, the publisher gets to specify whatever state or country’s court it likes as the exclusive judicial forum. There are no restrictions. A California company can require a California customer to sue in Nigeria.

"Consumers" have a modest additional protection: the specified forum must be one which would either have jurisdiction over the consumer for some other reason or be a choice that is not both unreasonable and unjust as to that consumer. A choice of forum that is far away, has no jurisdiction over the person, and is both unreasonable and unjust is OK for mass-market customers.

Small Claims Court actions will be prohibitively expensive (because of the distant forum) if they are allowed at all under the contract. Article 2B will simply eliminate the ability of most small customers to sue a software publisher.

Of course, some small customers can make a lawsuit affordable by banding together in class action against a dishonest publisher. But now we see that possibility being closed too. Here is some of the mass-market license provided for a computer game delivered with General Mills Corn Chex, as part of a joint marketing effort with America Online:

Does Article 2B provide any protection against this? Once a clause like this becomes widespread in the industry, will it ever be ruled unconscionable?

It has been joked that 2B-109 lays the groundwork for the main public benefit of Article 2B—the reinvigoration of the Space Program. Software industry funding will flow to NASA, it’s said, so long as NASA will agree that the first moon colonists will build a courthouse.

The broad scope of the 2B forum selection clause is no drafting error; it is a deliberate choice, after much discussion of the probable consequences, by the Drafting Committee.

2B-110 Definition of Material Breach of Contract

A breach of contract is material

  1. "if the contract so provides" (In the mass-market case, the contract is a non-negotiable document written by the publisher, so nothing in the contract will provide that a breach by the publisher is material);
  2. "if the breach caused or may cause substantial harm to the aggrieved party, including imposing costs that significantly exceed the contract value" (So a breach is not material if dealing with the product’s defects only costs the customer as much again as the price paid for the product)
  3. "the breach will substantially deprive the aggrieved party of a benefit it reasonably expected under the contract."

Contrast this with the Restatement of Contracts, which is what Article 2B’s notes claim 2B’s definition is based on. They say that the Restatement lists five significant factors for evaluating materiality:

  1. the extent to which the injured party will be deprived of the benefit he or she reasonably expected; (In 2B, the aggrieved party must be substantially deprived of the benefit—a lesser deprivation doesn’t count.)
  2. the extent to which the injured party can be adequately compensated for the benefit of which he will be deprived; (2B doesn’t include this factor, but the mass-market customer will not be compensated—incidental and consequential damages will be unavailable.)
  3. the extent to which the party failing to perform or to offer to perform will suffer forfeiture; (In the case of mass-market products, no risk of forfeiture exists. The publisher is selling to many customers and will earn its compensation based on the behavior of the marketplace as a whole, not on one customer.)
  4. the likelihood that the party failing to perform or to offer to perform will cure the failure, taking into account all the circumstances, including any reasonable assurances; (This is not a factor in 2B’s definition. Software publishers have no responsibility to attempt to cure defects in mass-market products. Only in more expensive products.)
  5. the extent to which the behavior of the party failing to perform or to offer to perform comports with standards of good faith and fair dealing. ("Fair dealing" is a foreign concept in 2B and not one of the factors in determining the materiality of a breach.)

Imagine a case in which the publisher’s advertising materials falsely (but not provably fraudulently) imply a certain capability in a product. Thousands of people have bought this product. A customer buys the product and this feature doesn’t work. Other features do, so the publisher can argue that the customer isn’t substantially deprived of the benefit of the product, but he wants a fix or a refund. The publisher refuses to fix it. Under the Restatement, this customer will probably get a refund, but under 2B, this customer will be lucky to get a partial refund—which might be much less than the charges incurred in the calls to the publisher to report the problem and demand the refund.

2B-110(d) Remedies for non-material breach

2B says that if there is a non-material breach, the aggrieved party is entitled to the remedies provided for in the agreement and in Article 2B. 2B allows the publisher to exclude incidental and consequential damages, and it allows the mass-market publisher to refuse to attempt to cure a defect. The mass-market license gives the publisher virtually all of the terms it asks for, specifically including non-conspicuous remedy limitations, and therefore the only remedy likely to be available under the agreement and the Article will be a partial refund. The cost to the customer involved in obtaining a partial refund might be much higher than the refund.

By the way, if there is a refund, how much does the customer get? Who decides? What recourse does the customer have if she doesn't agree with the publisher's offer?

2B-111 Unconscionable Contract or Term

Unconscionable contracts are forbidden. Unfortunately, courts almost never find UCC-governed contracts unconscionable. In Article 2B, several harsh terms are specifically permitted (such as remedy limitations, post-sale warranty disclaimers, etc.) and therefore it would be hard for a court to find, as a matter of law, that a combination of these terms make a contract unconscionable.

2B-112 Manifestation of Assent and 2B-113 Opportunity to Review

A party will be deemed to have manifested assent to a contract that she never sees until after the sale as long as the contract is displayed to the party in a way that allows the party to reject the contract and demand a refund. Mere retention of the product is not sufficient to bind the party to the contract, but use of the product after seeing the terms probably is.

A shrink-wrap disclaimer of warranties becomes binding on the customer when the customer "manifests assent" to the disclaimer. In the case of a retail purchase, the typical sequence is as follows:

  (a) The customer goes to the store.

  (b) The customer looks at various products. None of them provides warranty information on the box.

  (c) Despite the Federal Trade Commission Regulation, "Pre-sale availability of written warranty terms" (15 CFR §702.3), most software stores won’t open the box to let the customer read the warranty or disclaimer.

  (d) The customer buys a program and takes it home or to the office.

  (e) The customer opens the box and starts installing the software.

  (f) During installation, the program displays the warranty disclaimer. The customer can click "OK" to keep installing the program or can take the program back to the store. 2B requires the store to give the customer a refund, and most stores will do this (but not without wasting some of the customer’s time in the process). If the store will not refund opened software packages, the customer can bring a lawsuit (maybe in some other state or country) or call the software publisher (paying toll charges and possibly paying the publisher’s standard charge for telephone support), get authorization to return the program, repackage and ship the program, and eventually get a refund.

      If the customer returns the program, the customer gets to go back to step (a) and repeat the process. Eventually the customer will find a suitable set of terms, or he’ll run out of competitors or he’ll run out of time and take what he gets.

  (g) If the customer clicks "OK" then 2B says that this post-sale disclaimer of warranties has been expressly agreed to by the customer and it is therefore binding on the customer.

Based on my discussions with individual Committee members and based on the discussions at the drafting Committee meetings, I am convinced that a majority of the Committee:

2B-112 False Manifestation of Assent

Go to the store. Buy a program. The product contains oppressive terms that you would not have accepted, but you don’t see them on the box and don’t expect to find them inside. Take the program back to your office.

I don’t think that you’ve done anything like manifesting assent in any of these cases. Situations like this are everyday events, though. And they are so common because people normally and reasonably expect that they complete their contracting and buying when they go shopping, choose a product, and pay for it. At the point that you install the product, unless you are a software publisher’s lawyer or an Article 2B Drafting Committee member, you probably believe that you have passed the point of shopping and entered the realm of using the product. The task ahead of you is to make efficient use of the thing, not to protect yourself against sharp practices that should have come up when you were shopping.

We’ve discussed these scenarios a few times during the Article 2B meetings. Obviously, the result has to be that the customer is bound. If not, everybody will hire contract technicians to install all of their software! The language of 2B will probably be improved this year to make that result more certain.

The point of these examples is that they illustrate that the collection of "manifest assent" is really just a formality that allows us to create a legal fiction that the customer has agreed to the terms of the license, or at least, that there is some fairness in binding the customer to terms that were kept unavailable throughout the purchasing negotiations.

If you disagree, and think that in current commercial reality, it is more than a formality when you click "I Agree" in order to keep installing the software, that’s interesting. Think about the implications. Every time a company buys a new program, it should have corporate counsel on-hand (or at least a senior purchasing officer) to review the terms of the software contract.

2B-115 (b) Attribution Procedure—Reasonableness

An attribution procedure is determined to be commercially reasonable (or not) as a matter of law, by the court. This is curious—what legal authority should a judge consult to determine whether DES is a commercially reasonable encryption method this year?

2B-115(c) Attribution Procedure-Unreasonableness

The comments on this section specify that "An attribution procedure derives from agreement." Presumably, however, "agreement" can be part of the mass-market license "agreement." This gives opportunity for the following mischief.

Suppose that the publisher specifies a method for technical-support-related communication between publisher and customer. The publisher charges for the use of technical support services (i.e. it charges to answer questions). The contract includes an attribution procedure, for orders for technical support information. The procedure is commercially unreasonable. A third party exploits a weakness in the security system, impersonates the customer, and uses thousands of dollars in support services. Who pays?

The publisher pays unless "it disclosed the nature of the risk to the other party." As long as the publisher discloses the risks in that long, boring click-and-click-and-click-to-install-this-program "agreement," the customer will bear its own losses for using an insecure communications procedure specified by the publisher.

2B-116(a) Attribution of the Behavior of an Agent

2B-118 Authentication Effect and Proof: Electronic Agent Operations

Any electronic message that is sent in your name is attributed to you if it was sent by your electronic agent, a computer program that you use to originate or interpret messages, etc.

What if the program runs wild and orders you several days’ viewing worth of on-line movies? Do you have to pay for this?

There’s certainly a natural justice in saying "Of course. You are accountable for the consequences of your actions, including your stupid computer program’s actions." 2B-116(a)(1) adopts this approach.

Notice, though, our lack of tolerance of error on the part of this customer. Take this a step back. Suppose that your electronic agent ran wild because of an error in the underlying program. You configured the agent, but the software itself was written by ShipIt Software (a hypothetical company). Can you go back to ShipIt and say, "Your mistake caused my agent to run wild? Pay for the movies?" Nooooooooo. The publisher gets to exclude all those damages. That’s because we understand that software has bugs, and it would be unreasonable to expect bug-free performance from any program. Therefore, we cannot tax the publisher with huge risk of damages.

Given that software bugs are inevitable, shouldn’t we spread the risk a bit and at least partially relieve the customer of consequences of his agent program’s errors? Especially if the errors were caused by a bug that is demonstrably the error of the software itself, and not a configuration error by the customer?

2B’s approach is inconsistent. Where the error belongs to the publisher, the publisher is shielded from liability. Where the error belongs to the customer, or to the product that the customer bought from the publisher, the customer is held fully liable.

What principle (beyond the notion of rewarding publishers for vastly outnumbering and outspending customer advocates through the history of the drafting process) has us spread the risk (to customers, away from publishers) in one case, and focus the risk (on customers, away from publishers and other sellers) in the other?

2B-116(a)(3) and (b) Theft of a Digital Signature

The most widely discussed authentication procedure involves public-key-encryption-based digital signatures. The system is remarkably secure, except for the potential loss of your private key. If someone gets a copy of your key, they can sign your documents and impersonate you.

I have a PGP public key encryption pair. I have not registered the key pair with a Certification Authority because I think that only an insane person, an ignorant person, or a fool would choose to accept Article 2B’s risk allocation under modern technology. I advise my clients in this way. (Article 2B is not law, but it is already influential.)

Here are some examples to illustrate the point:

Sender (who calls herself S) sends a message to Recipient (who calls himself R) who checks with Certification Authority (CA) whether the encryption key attributed to S is properly registered with the CA and not repudiated or suspended. CA says the message is a valid S-message and so R ships merchandise to the address specified by Sender. Unfortunately, Sender is a crook and is impersonating S. No one knows who Sender is, Sender is long gone, and the merchandise has disappeared.

Who should pay for the stolen merchandise?

There is no fair allocation of risk here. S, R, and CA are all potential victims of the crook. There is no argument in principle that makes S or R or CA the fairer target to hit.
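The exchange between Sender, R and the CA described above, sketched as an added Python example that is not part of the original memo. The textbook-RSA toy key, the `CertificationAuthority` class, the status strings and the sample orders are constructed assumptions; the point it shows is that R's checks authenticate the key, not the person holding it.

```python
import hashlib

# Toy textbook-RSA key pair for S, constructed for this example from two
# well-known Mersenne primes. Unpadded and far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # S's private exponent: the secret to protect


def digest(message: bytes, modulus: int) -> int:
    """Hash the message to an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def sign(message: bytes, private_exponent: int, modulus: int) -> int:
    """Sign with whatever private exponent the caller holds."""
    return pow(digest(message, modulus), private_exponent, modulus)


def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Check the signature against the registered public key."""
    exponent, modulus = public_key
    return pow(signature, exponent, modulus) == digest(message, modulus)


class CertificationAuthority:
    """Hypothetical CA: maps a registered name to a public key and a status."""

    def __init__(self):
        self._records = {}

    def register(self, name, public_key):
        self._records[name] = {"key": public_key, "status": "valid"}

    def set_status(self, name, status):
        self._records[name]["status"] = status

    def lookup(self, name):
        return self._records.get(name)


def recipient_decision(ca, claimed_sender, message, signature):
    """R's checks from the scenario: is a key registered for the claimed
    sender, is it neither repudiated nor suspended, does the signature verify?"""
    record = ca.lookup(claimed_sender)
    if record is None:
        return "reject: no registered key"
    if record["status"] != "valid":
        return "reject: key " + record["status"]
    if not verify(message, signature, record["key"]):
        return "reject: bad signature"
    return "ship"


def run_scenario():
    """Walk through the memo's scenario and return R's decision at each step."""
    ca = CertificationAuthority()
    ca.register("S", (E, N))
    results = {}

    # 1. The real S places an order (constructed sample message).
    order = b"order 1 widget; ship to S, 1 Main St"
    results["genuine"] = recipient_decision(ca, "S", order, sign(order, D, N))

    # 2. Sender holds a copy of S's private exponent and signs a different
    #    order. Every check R can perform gives the same answer as in step 1.
    copied_d = D
    fake = b"order 500 widgets; ship to PO Box 99"
    fake_sig = sign(fake, copied_d, N)
    results["impostor"] = recipient_decision(ca, "S", fake, fake_sig)

    # 3. What the signature does protect: a signed message altered afterwards.
    altered = fake.replace(b"500", b"900")
    results["altered"] = recipient_decision(ca, "S", altered, fake_sig)

    # 4. Once S learns of the copy and repudiates the key, the CA status check
    #    stops further orders, but the goods from step 2 have already shipped.
    ca.set_status("S", "repudiated")
    results["after_repudiation"] = recipient_decision(ca, "S", fake, fake_sig)
    return results


if __name__ == "__main__":
    for step, decision in run_scenario().items():
        print(f"{step:18s} -> {decision}")
```
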

2B-116(b) creates a presumption that the spoofed message came from S (the customer, in this transaction) and puts the burden of proof on S to prove that he was not negligent. The underlying assumption is that a fraudulent sender would have gained access to S's key through S's negligence. Therefore, the burden of proof will be on S to prove non-negligence, which S can probably not do, even if S was non-negligent. The draft Uniform Electronic Transactions Act used to follow the same risk allocation, but the drafting committee is reconsidering this.

Unfortunately, reasonable, prudent people may have their key read and copied by a third party under circumstances that look like "normal course of business" situations, without any fault on the part of the key-holder.

Example 1: Electronic Registration

How often have you bought software and, while installing it, been encouraged to register the software electronically? In this case, you fill in a form, and the registration program will then dial the software publisher and upload the registration information to the publisher.

A couple of years ago, a company that makes a widely used electronic registration tool received an award in a software operations conference. The rationale for the award was that the tool facilitated software technical support, because it transmitted information about the customer's computer configuration as well as the information filled out by the customer. This additional information will help a support person troubleshoot your system, if you call for help.

Understand this transaction. You fill out a form that appears harmless. You allow the publisher to send this information to itself. Unknown to you, the tool lets the publisher send additional information, perhaps including a copy of your directory structure, your registry of software and hardware, your configuration files, and other stuff. This is happening today, and has been happening for several years.

I am not aware of any electronic registration program that was designed with a criminal purpose, but if programs can read your private directory structure, registry files, etc., and transmit THAT information, they can just as well also transfer all of your PGP-related information.

If your digital signature could be used like cash to order merchandise, someone will use an electronic registration technique to get this information. It's just a matter of time.

Very few customers realize that, when they register software electronically (which is the normal and requested mode by many software publishers), they might also be transmitting plenty of other private information about themselves. A reasonable, prudent person would probably not recognize electronic registration of retail software as a security risk. But it is.

If a third party gains access to the customer's key in this way, how will the customer prove non-negligence? How will the customer ever come to realize that this was the means of access?

Example 2: Electronic Bug Reporting

There are several emerging standards for customers to report bugs (defects) electronically to software publishers. I am most familiar with E-Support, which is a reporting system developed by the Software Support Professionals Association (SSPA) and Touchstone Software. My firm is a member company of SSPA. I support its work and personally trust its executives. This use of E-Support as an example is in no way a criticism of SSPA or Touchstone.

Here you are, using your favorite word processor (I'll call it BugWare 97) from your favorite vendor (Let's use a hypothetical vendor name, ShipIt Software). The program fails. Under a system like E-Support, you can now bring up an electronic bug report form and write your complaint/query/plea for help. (The software running on your computer system is an E-Support "client".) You have probably not been trained in software quality control and therefore your bug report will probably miss or obscure some important information. E-Support copes with this by taking a snapshot of parts of your system. It looks at your memory, system files of various kinds, etc. You are made aware of this by the E-Support folks--there is no element here of unfair surprise. You can configure E-Support so that it only transmits certain classes of information, and does not transmit other classes of information.

When the E-Support client takes a snapshot of your system, it encrypts the snapshot. You never get to see what E-Support actually sends in its bug report. The snapshot, along with a plaintext copy of the bug report that you typed, goes back to the e-support server (probably via your e-mail system). The e-support server passes the message to ShipIt Software. It might also forward the message to your printer manufacturer, or to some third party whose product is on your system and might interact with BugWare in a way that makes a problem with one of those products appear to be a BugWare bug. If the receiver of this message is an e-support licensee, then it has the means to decrypt the e-support message and see your configuration. If it is not an e-support licensee, then it can read the plaintext complaint that you wrote, which it receives at no charge.

However, it cannot decrypt the information about your system.

I believe that the E-Support people are honest and have designed this system in good faith.

But what about a hypothetical product, C-Support, an E-Support look-alike manufactured by your favorite cluster of organized criminals? There is no C-support today, but if you create a financial incentive for stealing encryption keys, they can use a C-support client to do it.

Would a reasonable, prudent person recognize this as a security risk? Maybe you lawyers would say "of course." It sure looks like an obvious risk to me. But when I raised it at an SSPA forum, some attendees (executives, with years of computer support, diagnostics, or service management experience) expressed surprise and dismay that this could be a security risk. In my experience discussing this with customers and technical support specialists, unless I flag the issue to them (directly or indirectly), the security concern is rarely spontaneously raised as a potential problem with the system.

Therefore, I conclude that reasonable, prudent customers might reasonably believe that it is reasonable practice to file electronic bug reports.

So, if C-Support (the hypothetical criminal variation of E-support) took your encryption key from your system when you filed an electronic bug report, how would you know? How would you prove your non-negligence at trial?

Example 3—Repairs

If you have a technician service your computer, guess what – the technician has access to your hard disk. If you have an encryption key on the disk, the technician could steal it.

Example 4—Remote Control

It is common to allow a remote technician to use a program called "Remote control" in order to diagnose problems with your computer or program. This is strongly encouraged by several software companies and it can save you a lot of time and expense. Some publishers offer discounts to customers who use remote control. Remote Control allows a technician who has called in over a telephone line to control the computer as if they were right there at your keyboard.

A diagnostic session can take quite a while, and a reasonable person might walk away from this unintelligible series of commands being issued by the support technician, get a cup of coffee, and come back when the problem is closer to resolution.

The technician can download documents from your computer, probably in ways that would not be obvious (as to the content being taken) to a normal observer.

Example 5—Browser Security, Java Security, Etc.

We constantly hear that Browser X, or integrated office product Y, has some security flaw that allows a web site owner to put up a program that scans your hard disk when you visit their web site. Then we hear that this bug is fixed, just download version 3.04.02.21a and all will be well (until we find a new bug, which will be fixed in 3.04.02.21b).

Anyone who logs onto the internet might hit the web site of an unknown criminal who exploits an unpublicized new security flaw and gains access to the user's files. How will a reasonable, prudent person prove that they were non-negligent if this is how their key was discovered (and they don't know this)?

Example 6—Good Old Fashioned Hacking

Buy a fax modem. Connect it to the phone jack. Set the computer up to answer the phone when you're away, either to receive voice calls or faxes (let's not even think about modem calls). Someone calls. They thereby connect to your peripheral device on your computer, and now have the opportunity to hack your machine. They copy your key and you never realize that your machine was hacked. How do you prove your non-negligence?

Should we say that it is negligent to set your fax-modem to auto-answer? Maybe I'd personally agree (I don't do this), but this is common practice among computer owners. How can we call the ordinary behavior of reasonable people "negligent"?

Example 7—Computer Literate Housekeepers

It is common practice to let your housekeeper clean your house while you are not there. What stops the housekeeper from turning on your computer when you're out and copying the contents of your hard disk to her portable hard drive? Nothing. And there'll be no trace of this on the typical home computer.

It would be unreasonable to declare a societally normal practice "negligent." But if your housekeeper steals your key, how do you prove non-negligence (unless you learn that your housekeeper is the thief)?

Conclusion on Digital Signature Theft

There are more examples, but this is enough to make the point. Normal, prudent people who behave in ways that I would call not-unreasonable, can still be in a position in which their encryption key is discovered.

If your key is compromised, without your knowledge, how much are you at risk? You stand to lose everything. The house, the dog, all of your money, your credit rating, unlimited liability. The crook’s computer(s) can crank out thousands of relatively small orders for merchandise in a relatively short period of time.

Rather than arguing over who to stick with the risk of potentially huge liabilities, I think that we should provide incentives in the law—to the greatest degree that is reasonably practicable—to reduce the potential liability. In another paper (Kaner, C., The Insecurity of the Digital Signature, distributed to the Drafting Committees for the Uniform Electronic Transactions Act and for the Uniform Commercial Code, Article 2B, September, 1997) I suggested a capabilities-based approach that would reduce total losses and give the customer more control over the security of her key, in a way that would make it fairer to attribute losses to the customer. To implement this, however, we need supporting actions by CA’s. If we load all of the risk onto customers, we have no assurance whatsoever that certification authorities or sellers will do the best that they can to help customers limit their risks.

We have absolutely no assurance that CA’s and other vendors will go out of their way to improve customer security, when the customer bears all the risk of a breach of security. Competition might result in this, but we can’t rely on that:

2B-117 Detection of Changes and Errors: Consumer Defenses

On May 29, 1997, Professor Jay Dratler submitted Risk Allocation in On-Line, Mass-Market Transactions to the Article 2B drafting committee, arguing that "the Article 2B drafting process has fallen seriously off track" by unreasonably allocating risks to customers. He raised three sources of error in on-line transactions, noted that Article 2B allocates the risk of error to the customer in each case, and that this "gives vendors little or no incentive to do what they can do to reduce the risk of busted transactions through better design of hardware, software, systems, and procedures."

Professor Dratler pointed out that "the risk allocation of this draft is skewed even in comparison to other parts of the Uniform Commercial Code. In comparison with the current draft of Article 2, for example, the risks of busted transactions fall more heavily on users than vendors, despite the fact that vendors in Article 2B transactions bear considerably less risk of actual monetary loss. Unlike Article 2 transactions involving tangible goods, Article 2B transactions involve intangibles, and therefore busted transactions generally involve neither marginal cost nor lost opportunity cost to the vendor." 2B is protecting sellers from errors that cost them virtually nothing, by charging customers the full fee for the accidental transaction.

Professor Dratler discussed three examples of errors:

  1. Fraud and unauthorized use: As noted in the discussion of 2B-116, Article 2B still allocates the risk of this loss to the customer, unless the customer can prove a negative (non-negligence, over an undetermined period of time, relative to an unknown risk).
  2. Electronic error: this includes mechanical errors, such as keybounces, and telecommunications transmission errors, and other technologically induced errors. 2B-117 sometimes allows the consumer to escape liability for these errors, but still holds the mass-market customer accountable for them. The Reporters Notes to 2B-117 say that this "proposal stems from materials submitted by Professor Jay Dratler who described the risks of electronic and system errors and suggested the development of a simple remedy, at least presumptively for a consumer as a means to encourage use of electronic commerce and avoid unjust results."

     But in the section on electronic error, Dratler didn’t restrict his remarks to consumers. He said,

         Especially in mass-market transactions, consumers and small businesses are powerless to make these complex engineering tradeoffs because they have little knowledge of, and virtually no control over, the aspects of the systems involved. . . Under these circumstances, a facially neutral default rule imposing risks on innocent and clueless consumers and small businesses that are ostensibly equal to the risks that vendors must bear is a recipe for disaster.

     When there is error without fault on the part of the customer, why should the customer be protected under 2B-117(c) only if he is a consumer?

  3. Good-faith user error: Dratler gave persuasive examples of user errors that were triggered by badly designed software user interfaces. His examples involved costs to the customer of thousands of dollars. These amounts take these transactions out of the realm of 2B’s definition of mass-market, even though in all other respects they are obviously mass-market transactions. These transactions should be protected, as should all other mass-market and consumer transactions.

     Good-faith user error (continued): 2B-117(e) defines an "electronic error" as including "acts of the consumer in a system that did not reasonably allow for correction of the error." I don’t know what "did not reasonably allow for correction" means. What about the system that lets the customer correct an error, if she realizes that an error has been made, but that doesn’t alert the customer to suspicious conditions? Is there a reasonable allowance here or not?

    A program’s user interface determines the probability that a normal person will make a given type of error. Software publishers know a great deal about user error and about ways to design systems that make specific types of errors more or less likely. This is a common subject of research; it fits within a few related academic disciplines. For example, there are doctoral programs and professional societies in Computer-Human Interaction and in Human Factors / Ergonomics.

    Many attorneys understand sharp practices in traditional sales environments. Computers offer a new technology with new techniques for confusing customers, enticing them into deals with surprising terms. Innocent errors pose one class of problems. Motivated errors pose another.

    Article 2B should protect the customer (consumer, mass-market, and mass-market without the artificial price tag limits) under circumstances including "acts of the consumer in a system that made the customer’s error likely or that did not reasonably allow for correction of the error."

    2B-119(b) Effect of receipt of a message

    2B-119(b) says that "an electronic message is effective when received, even if no individual is aware of its receipt." See the notes on the definition of "receive" in 2B-102(a)(34), above. If the customer has an e-mail account with an internet service provider, the message will be "received" when it reaches the customer’s mailbox with the ISP. If the message is lost by the ISP, or corrupted during downloading from the ISP to the customer’s computer, it is still "effective."

    Why should this be? Why should we attribute knowledge to someone, at a time that they don’t have it, and/or under circumstances in which they won’t ever have it?

    2B-208 Mass-Market Licenses

    In the last 50 years of commercial sales law, standard forms have been treated with mistrust. (In mass-market software, the standard form is the preprinted, non-negotiable form inside the box.) Both sides use them, but neither side reads them. As a result, the UCC seeks to enforce the negotiated terms of a sale and to limit the opportunity for one side to deal unfairly with the other by oppressive clauses in its fine print form. This approach is reversed in Article 2B.

    Under Article 2B, the mass-market license is fully enforceable even if it contains harsh terms that the customer cannot discover until after starting to use it. These provisions were expressly written to override the Software Link decisions (Step-Saver Data Systems, Inc. v. Wyse Technology and The Software Link, Inc., 939 F.2d 91, 3d Circuit, 1991; Arizona Retail Systems, Inc. v. The Software Link, 831 F. Supp. 759, D. Ariz., 1993), which held that a post-sale disclaimer of all warranties was a material change to the contract that would not automatically become part of the contract.

    In Article 2B, in the mass-market software case, licensors are given a mechanism for displaying their standard form on the software screen and requiring the customer to press "OK" to accept the licensor's terms. The licensee can accept most terms with a single "OK" (or "I AGREE") but has to click "OK" separately for terms that must be conspicuous. If the customer doesn't reject the entire transaction, then each and every one of the seller's terms is now enforceable no matter how unreasonable.

    So long as the seller displays the relevant term during installation of the software, and the customer clicks "OK" to continue installing the product, the seller’s mass-market license will even override specifically negotiated parts of the agreement (see 2B-208(a)(2)). Why should a contract of adhesion ever be able to override a specifically negotiated term?

    Similarly, Article 2B provides a clean mechanism for the inclusion of refusal terms in mass-market adhesion contracts. A refusal term is one that the seller "should know would cause an ordinary reasonable person acquiring this type of information in the general mass market to refuse the license if that party knew that the license contained the particular term." (see 2B-208(a)(1)). All the seller has to do is to make the term conspicuous and get the customer to click "OK" when the term is displayed on the screen. Publishers have protested that even this trivial nod toward informed purchasing is too much, and so the September 25, 1997 draft of 2B contains a recommended addition:

    Why should Article 2B give the seller an easy method for obtaining "assent" to terms that even the seller knows would cause reasonable customers to reject the entire deal? Why should we allow refusal terms in contracts of adhesion at all?

    (The September, 1997, Drafting Committee meeting considered some issues here and agreed to a Band-Aid. Shrink-wrapped licenses today provide that if you don't agree to the terms of a license, you can return the product for a refund. I don't think that I've seen a presented-post-sale software license that didn't include this. Article 2B takes this two steps further. First, it provides that if you bought the software from a retailer, the retailer is required to give you a refund (I think that a strong argument can be made to require a retailer to do this under current law.) Additionally, in its next draft 2B will probably provide that the publisher is required to reimburse the customer for provable out-of-pocket expenses associated with obtaining a refund.

    However, if the customer doesn't reject the license and return the software, all of the terms are binding except for those that are determined by the courts to be unconscionable.)

    2B-209 Equation of Negotiated Terms and Non-Negotiated "Manifest Assent"

    Section 2B-209 establishes a hierarchy of terms in the event that the parties exchange standard forms that have conflicting terms. In 2B-209(a)(1), the highest tier includes: "negotiated terms agreed to by the parties and any term in a form if the party claiming exclusion of the term agreed, including by manifest assent, to the term."

    Manifest assent is collected from the customer after she has finished bargaining for the software, when she is trying to use the product she has already paid for, taken possession of, and taken away. The method of collection is to put up a series of messages to which the customer has to click "OK" or "I AGREE" in order to continue with or finish the installation. This mechanical clicking is hardly an "agreement." The customers that I know tell me that they are merely performing a required formality in order to get working a product that the customer has already paid for and taken home.

    By elevating this meaningless clicking to the same level as a term that was truly negotiated, Article 2B helps the seller to win the battle of the forms in the non-mass-market case. Because the seller can include its terms as part of the installation of the product itself, the customer is always forced to confront and agree to the seller’s terms, or to give up on the product. The customer has no such power in its transactions with the publisher. For example, you can’t force the publisher into a "manifest-assent"-collecting series of steps when the publisher installs your check in its bank, but the publisher can always force you to go through a "manifest-assent" collecting series of steps when you attempt to install the publisher’s software on your computer.

    You can’t insert a compulsory contract renegotiation phase just before performance, but the publisher can and does, and 2B treats this as a respectable way of doing business.

    2B-209(d) Definition of Material Alteration

    To determine whether a proposed term will materially alter an agreement, 2B-209(d) directs the court to consider "the customs and practices of the applicable trade and industry for transactions of the type." Unfortunately, there is a great deal of controversy about what the customs and practices of this industry are. Article 2B proceeds from the assumption that the shrink-wrapped piece of paper that claims to be a contract, that publishers have been stuffing in software boxes for years, defines the customs and practices of the industry. But buyers of these products haven’t been taking these pieces of paper seriously, and many law review articles have opined that the licenses are invalid in whole or in part (indicating that customer assumptions are far from unreasonable).

    The entire contracting paradigm (hide the controversial terms until after the customer pays his money, and then seek to enforce them) is a study in sharp practices, and this statute recognizes these as normal. It would take an unusually extreme term to be "material" if we think in terms of the industry’s view of its customs and practices.

    2B-304(b) Contract Modification

    In a continuing contract, the publisher or access provider is allowed to modify its terms, if the underlying contract allows for modification. 2B-304(b) allows the mass-market customer the right to terminate the contract if it doesn't agree with the modifications. Why restrict this to mass-market customers?

    2B-304(c) Notification of Modifications

    Under 2B-304(c) "A contractual term that specifies standards for reasonable notification is enforceable unless the standards are manifestly unreasonable in light of the commercial circumstances." Why let the publisher impose an unreasonable standard in a contract of adhesion, restricting scrutiny to standards that are "manifestly unreasonable"?

    2B-306(b) Exclusive Dealing Contracts

    What is the duty of a book publisher to promote a book that it is publishing? Article 2B has gradually shifted the standards from "best efforts" to "commercially reasonable efforts" (an objective standard) to "good faith efforts."

    The adoption of "good faith" was done explicitly in response to a request from a representative of the Motion Pictures Association of America, to change the standard in a way that eliminates the plaintiff’s opportunity to provide testimony about practices that are common in the industry, rather than at this particular publisher. One of the book publishers' representatives spoke against this change because it would be too unfair to writers.

    The issue of promotion of books is a major controversy between authors and publishers. Authors spend months or years writing a book, typically receiving only a small advance against royalties ($1000 to $20,000 are common, as is $0.00). The costs of actual publication (layout and first printing) are not trivial, but they are often much lower than the costs of the author. Why reduce a publisher’s duty to help the author recover her costs?

    If an exclusive dealer is going to do a worthless job of promotion, and is under no legal duty to make even commercially reasonable efforts to promote the work, then Article 2B should balance this by allowing the author to quickly recapture his rights in the book when the publisher’s efforts fall below some modest standard.

    2B-307(c) Interpretation of Grant: Updates

    If you sign an update contract with a publisher, 2B does not require the publisher to provide you with updates to your software. It only requires the publisher to send you those updates (if any) that the publisher develops and makes generally available.

    An update contract should either bind the publisher to provide the customer with updates or it should conspicuously advise the customer, requiring assent to the term, that the publisher is taking the customer’s money while not promising to deliver anything.

    2B-308 (2) License Terms in Over-the-Internet Sales are not Perpetual. Why not?

    The assumption that the license to use a sold copy runs perpetually is stated in 2B-308(2) but is restricted to cases in which a tangible copy of a product is sold or licensed. Delivery over the Net doesn’t count because no copy on a physical medium is included.

    Why should your rights in a piece of information differ depending on whether you bought the product at a physical store or an electronic store?

    2B-309 (a)(2) Interface with Trade Secrets Law

    2B-309(2) says that when a party receives data for processing from another party, "The party receiving, processing, or handling the information and its agents shall use reasonable care to hold the information in confidence . . ." Is a reasonable care standard appropriate or should it be substantially higher? How does this compare to the State's trade secret laws? Why should we cover confidentiality here, when trade secrets and business confidences are extensively covered in other statutes?

    2B-311 Viruses

    The July draft of Article 2B named the virus section as one of five new consumer protections offered by Article 2B. The September section is slightly improved from the July version, which created a contributory negligence standard that eliminated almost all opportunities for customers to hold publishers liable, but it is still outrageous. Here are some of the issues:

    (2B-311 will probably go away in the next draft of 2B. Instead, publishers will disclaim their liability for viruses as part of their disclaimer of the implied warranty of merchantability.)

    2B-402(a) Express Warranty and Basis of the Bargain

    402(a) says that statements of fact by the seller become warranties if they are part of the basis of the bargain. The definition of "basis of the bargain" is unclear and subject to wide differences across the states. It will mean that in some states, documentation and help that come with a product, that the customer sees after buying the software, will not be part of the "basis of the bargain."

    If all of the publisher's statements in the post-sale license can be held against the customer, it is only fair that all of the publisher's statements of fact about the product, that come with the product, can be held against the publisher. Why don't we make this clear, avoiding the need for state-by-state litigation of the issue?

    2B-402(a)(2) Demos are no Longer Warranties

    2B restricts warranties to samples, models, and demonstrations of a final product. The Reporter's Notes say that this is to deal with the use of beta software (which I agree should not usually create a warranty as to the final product). However:

    2B-402(a)(2) Reasonable Conformance

    Why does the product need only to reasonably conform to the sample, model or demonstration? Why should it not conform? Why will we have to determine what the contract is by litigation?

    Think about what 2B-402(a) is setting up for the negotiations between customers and publishers. When the customer calls with a complaint, the publisher's representative gets to deny that the product is required to meet the documentation, the samples, models, or the demonstrations. 402 ensures that there is no clear rule. Without litigating, the customer has nothing that she can clearly and unambiguously hold the publisher to.

    Where is the public interest in ambiguating the terms of contracts?

    2B-402(b)(2) Elimination of Several Warranties

    402(b) says that "a display or description of a portion of the information to illustrate the aesthetics or market appeal of informational content, or a statement purporting to be the licensor's opinion or commendation of the information does not create a warranty."

    This is a new loophole for publishers and should be eliminated. If a publisher puts a screen shot of its product's screens or sample output on the product's box or in its advertisement, the customer should be able to rely on it as an accurate picture or sample output.

    2B-403 Implied Warranty-Display Not a Warranty

    403(b) says that "a display of a portion of the information to illustrate the aesthetics or market appeal of informational content, or a statement purporting to be the licensor's opinion or commendation of the information does not create a warranty."

    This is a new loophole for publishers and should be eliminated. If a publisher puts a screen shot of its product's screens or sample output on the product's box or in its advertisement, the customer should be able to rely on it as an accurate picture or sample output.

    2B-502(b) First Purchaser Rights

    An anonymous purchaser of software should be able to sell or lend their copy of software. 2B-502 allows sale but doesn't mention lending (see 307, what is not granted is reserved). 2B-502 allows resale only for mass-market purchasers. What about the $1000 mass-sold product?

    2B-504(b)(2) Financier's Too-Limited Rights

    Financier takes a security interest in Customer's copy of a program. The customer has a nonexclusive license and the transaction is not mass-market. Financier has a right to forbid Customer from using the software, but can't resell it. This creates a worst-of-all-possible-worlds situation for the licensee and the financier. The asset value declines over time but the lender can't resell it and recoup losses.

    2B-609 Right to Inspect: Elimination of Perfect Tender in Many Cases

    Article 2 gives the buyer a right to inspect the goods. If circumstances don't allow inspection before the sale, then the customer has the right to inspect after the sale, during a brief inspection period. The duration of a post-sale inspection period depends on the circumstances. Courts have granted as much as 6 months.

    Section 2B-609 takes away the right to inspect after the sale:

    As stated, the licensee has a right to a pre-payment or acceptance inspection. Now, watch:

    In most software sales, the customer has no opportunity to inspect before payment. Therefore, the customer has no right to inspect software in most cases.

    If I understand this correctly, 2B eliminates the perfect tender rule for mass-market software in most cases, because the customer either inspects the software before the sale (rarely possible) or accepts the software without a right of inspection. (I am not sure whether 2B-612 solves this problem; I think not.)

    Also note that the mass-market licensee can't reject for nonconformity in the tender, just for nonconformity in the product itself.

    2B-601, 609 Perfect Tender Gone for Non-Mass-Market Transactions

    In contrast with Article 2, non-mass-market licensees don't have a perfect tender right, either for defective product or for nonconformity. I think it is unreasonable to take away this right just because the product is higher priced.

    2B-616 Too Narrow Definition of End User

    An end user should not be restricted to someone who has acquired delivery of information only "by delivery on a physical medium".

    2B-619 No Mass-Market Right to Cure

    The Magnuson-Moss Act gives consumers the right to receive a non-defective product, rather than a refund, unless this is commercially unreasonable.

    2B-619 reverses this. It imposes a duty to attempt a cure on licensors of non-mass-market software, but not for mass-market software. Why cut off this remedy for mass-market customers?

    Article 2B cuts mass-market customers off from all forms of compensatory damages (all sellers will exclude damages in their adhesion contract). A cure is the customer's only opportunity for anything approaching a benefit of the bargain remedy under the statute. Why cut this off too?

    2B-624 Risk of Loss

    The risk of loss passes to the customer "on receipt" of the information, but the information is received when it hits the customer's ISP, whether or not the customer actually gets it.

    The marginal cost to the publisher of re-supplying the information is small, usually much smaller than the cost to the customer of having to repurchase the information that was never received the first time. Why force the customer to absorb the full loss, instead of absorbing the supplier's transaction cost to replace lost information? Why create a windfall for the publisher at the expense of the customer?

    2B-703 Modification of Remedy

    Where the original remedy fails of its essential purpose, why provide the customer with no remedy?

    Why should the seller of a product with a known, unrevealed defect be able to exclude all liability for damages that were easily foreseeable as a natural consequence of the defect?

    Why should we exclude incidental expenses when, in mass-market software, these are often driven by the recalcitrance of the publisher--refusing to answer the phone, demanding payment for talking to customers, denying the existence of known bugs, etc.?

    2B-705 Statute of Limitations: Tolling

    In the mass-market case, the statute of limitations is only one year (i.e. the adhesion contract is allowed to drop the statute to one year and there is no conspicuousness requirement or other disincentive to reducing it, so everyone will). 2B should toll the statute during the period that the customer is negotiating with the publisher for a repair or replacement, or is awaiting a promised repair or replacement.

    2B-705 Statute of Limitations: Discovery Rule

    The breach of warranty occurs and the cause of action accrues at the time of delivery of the product.

    Query: suppose that the warranty runs 2 years, and the statute of limitations runs 1 year. Doesn’t the statute of limitations for a product that was defective on day 1 run out at the end of 1 year, a year before the warranty? If not, does it end at the end of 2 years?

    Shouldn't the statute start running, within the warranty period, when the customer discovers the defect and not when the defect is delivered to the customer?

    2B-708 Damages

    The licensor gets full damages. The licensee will not, because the licensor can exclude categories of licensee damages in the adhesion contract.

    2B-716 Self-Help

    This is so controversial that I'll leave it for other discussions.
     
     

    About Cem Kaner

    Cem Kaner attends Article 2B meetings and Uniform Electronic Transactions Act meetings as an observer. He practices law, usually representing individual developers, small development services companies, and customers. He also consults on technical and management issues and teaches within the software development community. 

    His book, Testing Computer Software, received the Award of Excellence in the Society for Technical Communication’s 1993 Northern California Technical Publications Competition. It is currently the best selling book in its area. 

    Kaner has managed every aspect of software development, including software development projects, software testing groups and user documentation groups. He has also worked as a programmer, a human factors analyst / UI designer, a salesperson, a technical writer, and an associate in an organization development consulting firm. He teaches courses on software testing and on the law of software quality at UC Berkeley Extension, at UC Santa Cruz Extension, and by private arrangement.

    He has also served pro bono as a Deputy District Attorney, as an investigator/mediator for Santa Clara County’s Consumer Affairs Department, and as an Examiner for the California Quality Awards. 

    Kaner holds a B.A. (Math, Philosophy, 1974), a J.D. (1993), and a Ph.D. (Experimental Psychology, 1984) and is Certified in Quality Engineering by the American Society for Quality Control.



    The articles at this web site are not legal advice. They do not establish a lawyer/client relationship between me and you. I took care to ensure that they were well researched at the time that I wrote them, but the law changes quickly. By the time you read this material, it may be out of date. Also, the laws of the different States are not the same. These discussions might not apply to your circumstances. Please do not take legal action on the basis of what you read here, without consulting your own attorney.
    Questions or problems regarding this web site should be directed to Cem Kaner, kaner@kaner.com.
    Last modified: Sunday October 26, 1997. Copyright © 1997, Cem Kaner. All rights reserved.