If you plan to pay for software, you often can’t find published comparative evaluations. Why is that? The answer is a censorship regime that you’ve probably never heard of.
The DeWitt Clause is a common end-user license agreement provision in software that prevents people (such as researchers and scientists) from publishing information (like benchmarks) with system names unless the supplier approves it. Real benchmarks typically show the weaknesses of systems, so unsurprisingly, suppliers often don’t approve the publication of thorough research. In fact, many researchers won’t even start this kind of analysis, because they know they won’t be able to publish the results. The clause was originally created to squelch database research being performed by Dr. David DeWitt, but it’s become widespread in the software industry.
“The Devil’s in the DeWitt Clause” by Brian Moran (SQL Server Pro, Apr 2, 2003) discusses some of the arguments that vendors give to justify the DeWitt clause. As he summarizes later in “DeWitt Clauses: Serving the Wrong Master”, they are:
In the end, though, Moran states that “I don’t believe that DeWitt clauses serve customers’ best interest”. I will go further and say that they directly oppose society’s interests. If vendors can legally censor information, then society has no way to obtain or debate that information. The problem isn’t deception; we already have laws against deception. It’s true that evaluations can be misunderstood, but the remedy is to let other people try to repeat the findings and publish their own comments. And let’s be honest: the DeWitt clause has nothing to do with preventing publication of misleading or grossly inaccurate results. The clause is named after efforts to squelch Dr. DeWitt’s research, and no one argues that Dr. DeWitt was clueless or deceptive. Indeed, Dr. David DeWitt is the winner of many awards specifically in the area of databases (the area he was benchmarking), including the ACM Software System Award and the IEEE Emanuel R. Piore Award. These clauses are purely government-enabled censorship: companies use government courts to go after people who dare to publish the truth.
You can learn much more from the report “Vendor Truth Serum” by Dr. Gregory Klass and Dr. Eric Burger (Georgetown University, Software and Security Research Center, 22 September 2016). They show that this inability to publish analysis of software is significantly hampering the security of our software. To make software secure, you really need to use tools. Which tools? Well, that’s a problem. They note that, “With many tools to choose from, a real issue is deciding which tools a given developer needs to use to ensure satisfactory test coverage over their software artifact. What is needed is a way for developers to know which tools provide what coverage, so they can make informed choices and accomplish satisfactory testing in minimal time at minimal expense. Unfortunately, there are common industry contractual practices which inhibits making such knowledge generally available.”
A serious problem is that these clauses have a corrosive effect within the markets where they are used. Once one supplier adds a DeWitt clause, the others feel that they are at a disadvantage without one. After all, a supplier with a DeWitt clause cannot have its product rigorously critiqued in public using repeatable benchmarks, while its competitors without such a clause can be. I am actually sympathetic to the suppliers who add DeWitt clauses because their competitors do so... but that kind of decision should never be necessary.
Open source software (OSS) licenses don’t have DeWitt clauses, but this asymmetry can also mislead potential customers: the OSS can be legally critiqued in public, while its proprietary competitors cannot, so the published record is skewed against the products that permit scrutiny.
There is a theory that people can simply choose not to enter into these contracts, but this theory is silly. If you are going to publish a benchmark of a particular important product, you cannot avoid those contracts, because the supplier of a product is typically the only legal source for it. That’s especially true for researchers, who typically do not have the funds to pay extra for permission to be critical. Also, because suppliers are pressured to add a DeWitt clause once their competitors use one, it often becomes impractical to compare the common products across an entire field.
There is a precedent for making such clauses illegal. In December 2016 U.S. president Obama signed the Consumer Review Fairness Act of 2016 (H.R. 5111), which had earlier passed both houses of Congress unanimously. The bill countered a dangerous trend: “businesses inserting clauses into their form contracts that attempt to limit their customers’ ability to criticize products and services online.” Unfortunately, this law appears to affect only consumer contracts. My current guess is that it would not prohibit enforcement of a DeWitt clause. But it is a model for what such a future law could look like.
Please don’t tell me that DeWitt clauses are acceptable because “government should stay out of contracts”. That’s ridiculous; DeWitt clauses unnecessarily bring the government into situations where it doesn’t belong, to enforce these unconscionable clauses. The government should not be in the business of censoring free speech and preventing free markets, and that’s what these clauses do. The current situation inhibits free markets, because customers cannot learn from others about the products they are considering using.
I believe these clauses should be struck down on First Amendment grounds. But that seems unlikely. So instead, I’d like to see a law, similar to the Consumer Review Fairness Act, that makes the various forms of the DeWitt clause illegal. If you produce good software, you should not be afraid to have it benchmarked. If you produce terrible software, you should be working to make it better, not working to muzzle the truth. I believe society is best served by letting people independently evaluate products and publish their results; it’s time to let that happen.
Feel free to see my home page at https://www.dwheeler.com. You may also want to look at my paper Why OSS/FS? Look at the Numbers! and my book on how to develop secure programs.
(C) Copyright 2017 David A. Wheeler. Released under Creative Commons Attribution-ShareAlike version 3.0 or later (CC-BY-SA-3.0+).