AGENCY:
Federal Trade Commission.
ACTION:
Proposed consent agreement.
SUMMARY:
The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis to Aid Public Comment describes both the allegations in the draft complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.
DATES:
Comments must be received on or before January 20, 2016.
ADDRESSES:
Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/oracleconsent online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write “In the Matter of Oracle Corporation,—Consent Agreement; File No. 132 3115” on your comment and file your comment online at https://ftcpublic.commentworks.com/ftc/oracleconsent by following the instructions on the web-based form. If you prefer to file your comment on paper, write “In the Matter of Oracle Corporation,—Consent Agreement; File No. 132 3115” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT:
Andrea Arias (202) 326-2715 or Jacqueline Conner (202) 326-2844, Bureau of Consumer Protection, 600 Pennsylvania Avenue NW., Washington, DC 20580.
SUPPLEMENTARY INFORMATION:
Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement, and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for December 21, 2015), on the World Wide Web at: http://www.ftc.gov/os/actions.shtm.
You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before January 20, 2016. Write “In the Matter of Oracle Corporation,—Consent Agreement; File No. 132 3115” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission Web site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to remove individuals' home contact information from comments before placing them on the Commission Web site.
Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, like anyone's Social Security number, date of birth, driver's license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, like medical records or other individually identifiable health information. In addition, do not include any “[t]rade secret or any commercial or financial information which . . . is privileged or confidential,” as discussed in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.
If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and you have to follow the procedure explained in FTC Rule 4.9(c), 16 CFR 4.9(c).[1] Your comment will be kept confidential only if the FTC General Counsel, in his or her sole discretion, grants your request in accordance with the law and the public interest.
Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/oracleconsent by following the instructions on the web-based form. If this Notice appears at http://www.regulations.gov/#!home, you also may file a comment through that Web site.
If you file your comment on paper, write “In the Matter of Oracle Corporation,—Consent Agreement; File No. 132 3115” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.
Visit the Commission Web site at http://www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before January 20, 2016. You can find more information, including routine uses permitted by the Privacy Act, in the Commission's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission has accepted, subject to final approval, an agreement containing a consent order applicable to Oracle Corporation (“Oracle”).
The proposed consent order has been placed on the public record for thirty (30) days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission will again review the agreement and the comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the agreement's proposed order.
Oracle is a Delaware corporation that, among other things, develops the Java computing platform, which is used to power applications that, for example, allow consumers to play online games, chat with people online, calculate mortgage interest, and view images in 3D. Consumers primarily use the Java Platform, Standard Edition (“Java SE”). When an update to Java SE was available, a consumer would typically receive a prompt to update the software. When the consumer proceeded to install the update, the consumer would encounter a series of installation screens, which stated that “Java provides safe and secure access to the world of amazing Java content,” and that Java SE updates and a consumer's “system” would have “the latest . . . security improvements.” During the Java SE update process, however, Oracle did not inform consumers that Java SE updates automatically removed only the most recent prior iteration of Java SE installed on the consumer's computer, even if the consumer had multiple iterations of Java SE installed, and that the update would not remove any iteration released prior to Java SE iteration 6 update 10. As such, after the update process, consumers could still have additional older, insecure iterations of Java SE installed on their computers, which attackers targeted to obtain consumers' personal information through malware designed to exploit vulnerabilities (“exploit kits”).
The Commission's complaint alleges that Oracle violated Section 5(a) of the FTC Act by failing to disclose that, in numerous instances, updating Java SE would not delete or replace all older iterations of Java SE on a consumer's computer, and as a result, a consumer's computer could still have iterations of Java SE installed that are vulnerable to security risks. This fact would be material to consumers' decisions whether to take further action after “updating” Java SE to protect their computers, in light of Oracle's representations to consumers that by updating Java SE, users would ensure that Java SE on their computers had the latest security improvements.
The complaint further alleges that, by failing to inform consumers that the Java SE update process did not remove all prior iterations of the software, Oracle left some consumers vulnerable to a serious, well-known, and reasonably foreseeable security risk that attackers would target these computers through exploit kits, resulting in the theft of personal information. Consumers with insecure iterations of Java SE on their computers were vulnerable to exploit kits targeting Java SE vulnerabilities while browsing infected Web sites or clicking on nefarious links. Attackers used exploit kits targeting Java SE vulnerabilities to install key loggers that captured consumers' usernames and passwords, which could be used to log into a consumer's PayPal, bank, and credit card accounts. Other Java SE exploit kits may have resulted in the unauthorized acquisition and transmission of sensitive personal information for the purpose of targeted spear-phishing campaigns.
The proposed order contains provisions designed to prevent Oracle from engaging in the future in practices similar to those alleged in the complaint.
Part I of the proposed order prohibits Oracle from misrepresenting (1) the privacy or security of the covered software on a consumer's computer, including but not limited to the effect on privacy or security of any installation or update of the covered software; and (2) how to uninstall older iterations of the covered software.
Part II of the proposed order requires Oracle to ensure that during any installation or update of any iteration of Java SE released after the date of service of the order, Oracle:
(1) clearly and conspicuously discloses to the consumer all iterations of Java SE 1.4.2 or later, other than any iteration(s) released within the last quarter, currently installed on the consumer's computer;
(2) clearly and conspicuously explains that there may be risks to the security of the consumer's computer if the consumer chooses not to remove any iterations of Java SE older than the iteration(s) released within the last quarter currently installed on the consumer's computer; and
(3) clearly and conspicuously discloses which iterations of Java SE 1.4.2 or later, other than any iteration(s) released within the last quarter, that remain installed following installation or update of Java SE, and clearly and conspicuously provides instructions describing how consumers can effectively uninstall these iterations.
Part III of the proposed order requires Oracle to notify consumers who downloaded, installed, or updated Java SE that, in some instances, they may have older, insecure iterations of Java SE on their computers; and provide instructions to such consumers on how to remove these older iterations. In addition, for three (3) years, Oracle must provide an uninstall tool that allows consumers to uninstall iterations of Java SE 1.4.2 or later; a page on their primary Web site that explains how to uninstall older, insecure iterations of Java SE; and free support through an electronic form to help consumers with their update and/or uninstall issues.
Parts IV through VIII of the proposed order are standard reporting and compliance provisions. Part IV requires Oracle to retain documents relating to its compliance with the order for a five-year period. Part V requires dissemination of the order now and in the future to all current and future principals, officers, directors, and managers, and to persons with managerial or supervisory responsibilities relating to Parts I-III of the order. Part VI ensures notification to the FTC of changes in corporate status. Part VII mandates that Oracle submit a compliance report to the FTC within 90 days, and periodically thereafter as requested. Part VIII is a provision “sunsetting” the order after twenty (20) years, with certain exceptions.
The purpose of this analysis is to facilitate public comment on the proposed order. It is not intended to constitute an official interpretation of the proposed complaint or order or to modify the order's terms in any way.
By direction of the Commission.
Donald S. Clark,
Secretary.
Footnotes
1. In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c), 16 CFR 4.9(c).
[FR Doc. 2015-32634 Filed 12-28-15; 8:45 am]
BILLING CODE 6750-01-P
Document Information
- Published: 12/29/2015
- Department: Federal Trade Commission
- Entry Type: Notice
- Action: Proposed consent agreement.
- Document Number: 2015-32634
- Dates: Comments must be received on or before January 20, 2016.
- Pages: 81326-81328 (3 pages)
- Docket Numbers: File No. 132 3115
- PDF File: 2015-32634.pdf