80 FR 81326 - Oracle Corporation; Analysis of Proposed Consent Order To Aid Public Comment

FEDERAL TRADE COMMISSION

Federal Register Volume 80, Issue 249 (December 29, 2015)

The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis to Aid Public Comment describes both the allegations in the draft complaint and the terms of the consent order--embodied in the consent agreement--that would settle these allegations.

[Federal Register Volume 80, Number 249 (Tuesday, December 29, 2015)]
[Notices]
[Pages 81326-81328]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2015-32634]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 132 3115]


Oracle Corporation; Analysis of Proposed Consent Order To Aid 
Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis to Aid Public Comment describes both 
the allegations in the draft complaint and the terms of the consent 
order--embodied in the consent agreement--that would settle these 
allegations.

DATES: Comments must be received on or before January 20, 2016.

ADDRESSES: Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/oracleconsent online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``In the Matter of 
Oracle Corporation,--Consent Agreement; File No. 132 3115'' on your 
comment and file your comment online at https://ftcpublic.commentworks.com/ftc/oracleconsent by following the 
instructions on the web-based form. If you prefer to file your comment 
on paper, write ``In the Matter of Oracle Corporation,--Consent 
Agreement; File No. 132 3115'' on your comment and on the envelope, and 
mail your comment to the following address: Federal Trade Commission, 
Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 
(Annex D), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex 
D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Andrea Arias (202) 326-2715 or 
Jacqueline Conner (202) 326-2844, Bureau of Consumer Protection, 600 
Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, 
notice is hereby given that the above-captioned consent agreement 
containing consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of thirty (30) days. The 
following Analysis to Aid Public Comment describes the terms of the 
consent agreement, and the allegations in the complaint. An electronic 
copy of the full text of the consent agreement package can be obtained 
from the FTC Home Page (for December 21, 2015), on the World Wide Web 
at: http://www.ftc.gov/os/actions.shtm.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before January 20, 
2016. Write ``In the Matter of Oracle Corporation,--Consent Agreement; 
File No. 132 3115'' on your comment. Your comment--including your name 
and your state--will be placed on the public record of this proceeding, 
including, to the extent practicable, on the public Commission Web 
site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of 
discretion, the Commission tries to remove individuals' home contact 
information from comments before placing them on the Commission Web 
site.
    Because your comment will be made public, you are solely 
responsible for making sure that your comment does not include any 
sensitive personal information, like anyone's Social Security number, 
date of birth, driver's license number or other state identification 
number or foreign country equivalent, passport number, financial 
account number, or credit or debit card number. You are also solely 
responsible for making sure that your comment does not include any 
sensitive health information, like medical records or other 
individually identifiable health information. In addition, do not 
include any ``[t]rade secret or any commercial or financial information 
which . . . is privileged or confidential,'' as discussed in Section 
6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 
4.10(a)(2). In particular, do not include competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you have to follow the procedure explained 
in FTC Rule 4.9(c), 16 CFR 4.9(c).\1\ Your comment will be kept 
confidential only if the FTC General Counsel, in his or her sole 
discretion, grants your request in accordance with the law and the 
public interest.
---------------------------------------------------------------------------

    \1\ In particular, the written request for confidential 
treatment that accompanies the comment must include the factual and 
legal basis for the request, and must identify the specific portions 
of the comment to be withheld from the public record. See FTC Rule 
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/oracleconsent by following the instructions on the web-based form. 
If this Notice appears at http://www.regulations.gov/#!home, you also 
may file a comment through that Web site.
    If you file your comment on paper, write ``In the Matter of Oracle

[[Page 81327]]

Corporation,--Consent Agreement; File No. 132 3115'' on your comment 
and on the envelope, and mail your comment to the following address: 
Federal Trade Commission, Office of the Secretary, 600 Pennsylvania 
Avenue NW., Suite CC-5610 (Annex D), Washington, DC 20580, or deliver 
your comment to the following address: Federal Trade Commission, Office 
of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, 
Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your 
paper comment to the Commission by courier or overnight service.
    Visit the Commission Web site at http://www.ftc.gov to read this 
Notice and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before January 20, 2016. You can find more 
information, including routine uses permitted by the Privacy Act, in 
the Commission's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission has accepted, subject to final 
approval, an agreement containing a consent order applicable to Oracle 
Corporation (``Oracle'').
    The proposed consent order has been placed on the public record for 
thirty (30) days for receipt of comments by interested persons. 
Comments received during this period will become part of the public 
record. After thirty (30) days, the Commission will again review the 
agreement and the comments received, and will decide whether it should 
withdraw from the agreement and take appropriate action or make final 
the agreement's proposed order.
    Oracle is a Delaware corporation that, among other things, develops 
the Java computing platform, which is used to power applications that, 
for example, allow consumers to play online games, chat with people 
online, calculate mortgage interest, and view images in 3D. Consumers 
primarily use the Java Platform, Standard Edition (``Java SE''). When 
an update to Java SE was available, a consumer would typically receive 
a prompt to update the software. When the consumer proceeded to install 
the update, the consumer would encounter a series of installation 
screens, which stated that ``Java provides safe and secure access to 
the world of amazing Java content,'' and that Java SE updates and a 
consumer's ``system'' would have ``the latest . . . security 
improvements.'' During the Java SE update process, however, Oracle did 
not inform consumers that Java SE updates automatically removed only 
the most recent prior iteration of Java SE installed on the consumer's 
computer, even if the consumer had multiple iterations of Java SE 
installed, and that the update would not remove any iteration released 
prior to Java SE iteration 6 update 10. As such, after the update 
process, consumers could still have additional older, insecure 
iterations of Java SE installed on their computers, which attackers 
targeted to obtain consumers' personal information through malware 
designed to exploit vulnerabilities (``exploit kits'').
    The Commission's complaint alleges that Oracle violated Section 
5(a) of the FTC Act by failing to disclose that, in numerous instances, 
updating Java SE would not delete or replace all older iterations of 
Java SE on a consumer's computer, and as a result, a consumer's 
computer could still have iterations of Java SE installed that are 
vulnerable to security risks. This fact would be material to consumers' 
decisions whether to take further action after ``updating'' Java SE to 
protect their computers, in light of Oracle's representations to 
consumers that by updating Java SE, users would ensure that Java SE on 
their computers had the latest security improvements.
    The complaint further alleges that, by failing to inform consumers 
that the Java SE update process did not remove all prior iterations of 
the software, Oracle left some consumers vulnerable to a serious, well-
known, and reasonably foreseeable security risk that attackers would 
target these computers through exploit kits, resulting in the theft of 
personal information. Consumers with insecure iterations of Java SE on 
their computers were vulnerable to exploit kits targeting Java SE 
vulnerabilities while browsing infected Web sites or clicking on 
nefarious links. Attackers used exploit kits targeting Java SE 
vulnerabilities to install key loggers that captured consumers' 
usernames and passwords, which could be used to log into a consumer's 
PayPal, bank, and credit card accounts. Other Java SE exploit kits may 
have resulted in the unauthorized acquisition and transmission of 
sensitive personal information for the purpose of targeted spear-
phishing campaigns.
    The proposed order contains provisions designed to prevent Oracle 
from engaging in the future in practices similar to those alleged in 
the complaint.
    Part I of the proposed order prohibits Oracle from misrepresenting 
(1) the privacy or security of the covered software on a consumer's 
computer, including but not limited to the effect on privacy or 
security of any installation or update of the covered software; and (2) 
how to uninstall older iterations of the covered software.
    Part II of the proposed order requires Oracle to ensure that during 
any installation or update of any iteration of Java SE released after 
the date of service of the order, Oracle:
    (1) clearly and conspicuously discloses to the consumer all 
iterations of Java SE 1.4.2 or later, other than any iteration(s) 
released within the last quarter, currently installed on the consumer's 
computer;
    (2) clearly and conspicuously explains that there may be risks to 
the security of the consumer's computer if the consumer chooses not to 
remove any iterations of Java SE older than the iteration(s) released 
within the last quarter currently installed on the consumer's computer; 
and
    (3) clearly and conspicuously discloses which iterations of Java SE 
1.4.2 or later, other than any iteration(s) released within the last 
quarter, that remain installed following installation or update of Java 
SE, and clearly and conspicuously provides instructions describing how 
consumers can effectively uninstall these iterations.
    Part III of the proposed order requires Oracle to notify consumers 
who downloaded, installed, or updated Java SE that, in some instances, 
they may have older, insecure iterations of Java SE on their computers; 
and provide instructions to such consumers on how to remove these older 
iterations. In addition, for three (3) years, Oracle must provide an 
uninstall tool that allows consumers to uninstall iterations of Java SE 
1.4.2 or later; a page on their primary Web site that explains how to 
uninstall older, insecure iterations of Java SE; and free support 
through an electronic form to help consumers with their update and/or 
uninstall issues.
    Parts IV through VIII of the proposed order are standard reporting 
and compliance provisions. Part IV requires Oracle to retain documents 
relating to its compliance with the order for a five-year period. Part 
V requires dissemination of the order now and in the future to all 
current and future principals, officers, directors, and managers, and 
to persons with managerial or supervisory responsibilities relating to 
Parts I-III of the order. Part VI ensures notification to the FTC of 
changes in corporate status. Part VII mandates that Oracle submit a

[[Page 81328]]

compliance report to the FTC within 90 days, and periodically 
thereafter as requested. Part VIII is a provision ``sunsetting'' the 
order after twenty (20) years, with certain exceptions.
    The purpose of this analysis is to facilitate public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the proposed complaint or order or to modify the 
order's terms in any way.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2015-32634 Filed 12-28-15; 8:45 am]
 BILLING CODE 6750-01-P