Oracle settles with Federal Trade Commission regarding deceptive trade practices about Java Software updates

December 23, 2015

The Federal Trade Commission (“FTC”) has a long track record of taking enforcement action against companies that make misleading statements about privacy protections, data security, compliance with the recently demolished Safe Harbour Agreement and other privacy-related matters.

On Monday, US time, Oracle was the latest to enter into a consent order arising out of claims that it deceived consumers about the security provided in updates to Java. The security problems were identified by Oracle in 2010, and certainly by 2011 it knew that its update process was insufficient.

The media release provides:

Oracle has agreed to settle Federal Trade Commission charges that it deceived consumers about the security provided by updates to its Java Platform, Standard Edition software (Java SE), which is installed on more than 850 million personal computers. Under the terms of a proposed consent order, Oracle will be required to give consumers the ability to easily uninstall insecure, older versions of Java SE.

“When a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “The FTC’s settlement requires Oracle to give Java users the tools and information they need to protect their computers.”

Oracle’s Java SE provides support for a vast array of features consumers use when browsing the web, including browser-based calculators, online gaming, chatrooms, and 3D image viewing.

According to the FTC’s complaint, since acquiring Java in 2010, Oracle was aware of significant security issues affecting older versions of Java SE. The security issues allowed hackers to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive personal information through phishing attacks.

In its complaint, the FTC alleges that Oracle promised consumers that by installing its updates to Java SE both the updates and the consumer’s system would be “safe and secure” with the “latest… security updates.” During the update process, however, Oracle failed to inform consumers that the Java SE update automatically removed only the most recent prior version of the software, and did not remove any other earlier versions of Java SE that might be installed on their computer, and did not uninstall any versions released prior to Java SE version 6 update 10. As a result, after updating Java SE, consumers could still have additional older, insecure versions of the software on their computers that were vulnerable to being hacked.

In 2011, according to the FTC’s complaint, Oracle was aware of the insufficiency of its update process. Internal documents stated that the “Java update mechanism is not aggressive enough or simply not working,” and that a large number of hacking incidents were targeting prior versions of Java SE’s software still installed on consumers’ computers.

While Oracle did have notices on their website relating to the need to remove older versions because of the security risk they posed, the information did not explain that the update process did not automatically remove all older versions of Java SE. The updates continued to remove only the most recent version of Java SE installed until August 2014.

The complaint charges that this failure to disclose the limitations of the updates in light of the statements made about the security benefits of the updates was deceptive and in violation of Section 5 of the FTC Act.

Under the terms of the proposed consent order, Oracle will be required to notify consumers during the Java SE update process if they have outdated versions of the software on their computer, notify them of the risk of having the older software, and give them the option to uninstall it. In addition, the company will be required to provide broad notice to consumers via social media and their website about the settlement and how consumers can remove older versions of the software.

The consent order also will prohibit the company from making any further deceptive statements to consumers about the privacy or security of its software and the ability to uninstall older versions of any software Oracle provides.
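The update behaviour described in the complaint (only the most recent prior version removed, nothing older than 6u10 touched) and the disclosure rule in Part II of the order quoted below, modelled as an added Python example that is not code from Oracle, the FTC or the original post. The installed versions and release dates are constructed for illustration, and “Released Within the Last Quarter” is assumed here to mean the last 90 days:

```python
from datetime import date, timedelta

# Constructed sample inventory of installed Java SE iterations (release dates are
# illustrative, not taken from Oracle's release notes).
INSTALLED = {
    "1.4.2_19": date(2009, 3, 25),
    "6u10": date(2008, 10, 22),
    "7u45": date(2013, 10, 15),
    "8u40": date(2015, 3, 3),
    "8u60": date(2015, 8, 18),
}
SAMPLE_TODAY = date(2015, 10, 20)  # constructed date of the new update

def version_key(label):
    """Sortable (family, minor, update) tuple for a Java SE label:
    '1.4.2_19' -> (4, 2, 19); '1.6.0_10' and '6u10' -> (6, 0, 10)."""
    if label.startswith("1."):
        base, _, update = label.partition("_")
        parts = base.split(".")
        return (int(parts[1]), int(parts[2]) if len(parts) > 2 else 0, int(update or 0))
    family, _, update = label.partition("u")
    return (int(family), 0, int(update or 0))

FLOOR_1_4_2 = version_key("1.4.2")
FLOOR_6U10 = version_key("6u10")

def legacy_update(installed, new_label, new_date):
    """Model of the pre-August-2014 updater in the complaint: it removes only the
    most recent prior iteration, and never one released before 6u10."""
    remaining = dict(installed)
    prior = [v for v in remaining if version_key(v) < version_key(new_label)]
    if prior:
        newest = max(prior, key=version_key)
        if version_key(newest) >= FLOOR_6U10:
            del remaining[newest]
    remaining[new_label] = new_date
    return remaining

def iterations_to_disclose(installed, today, quarter_days=90):
    """Part II.A of the order: every installed iteration 1.4.2 or later except
    those 'Released Within the Last Quarter' (assumed here to mean 90 days)."""
    cutoff = today - timedelta(days=quarter_days)
    return sorted((v for v, released in installed.items()
                   if version_key(v) >= FLOOR_1_4_2 and released < cutoff),
                  key=version_key)

if __name__ == "__main__":
    after = legacy_update(INSTALLED, "8u65", SAMPLE_TODAY)
    print("still installed:", sorted(after, key=version_key))
    print("must be disclosed:", iterations_to_disclose(after, SAMPLE_TODAY))
```

Running it shows that installing 8u65 removes only 8u60 and leaves four older iterations that the order would require Oracle to disclose and offer to uninstall.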

The proposed consent order relevantly provides:

I.
IT IS ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, in or affecting commerce, must not misrepresent: (1) the privacy or security of the Covered Software on a consumer’s computer, including but not limited to the effect on privacy or security of any installation or update of the Covered Software; or (2) how to uninstall older Iterations of the Covered Software.
II.
IT IS FURTHER ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, must ensure that during any installation or update to any Iteration of Java SE released after the date of service of this order, respondent:
A. Clearly and Conspicuously discloses to the consumer all Iterations of Java SE 1.4.2 or later, other than any Iteration(s) Released Within the Last Quarter, currently installed on the consumer’s computer;
B. Clearly and Conspicuously explains that there may be risks to the security of the consumer’s computer if the consumer chooses not to remove any Iterations of Java SE older than the Iteration(s) Released Within The Last Quarter currently installed on the consumer’s computer; and
C. Clearly and Conspicuously discloses which Iterations of Java SE 1.4.2 or later, other than any Iteration(s) Released Within the Last Quarter, that remain installed following installation or update of Java SE, and Clearly and Conspicuously provides instructions describing how consumers can effectively uninstall these Iterations.
III.
IT IS FURTHER ORDERED that respondent and its officers, agents, representatives, and employees, whether acting directly or indirectly, must notify Affected Consumers, Clearly and Conspicuously that in some instances, they may have older, insecure Iterations of Java SE on their computers. Such notification shall include effective, Clear and Conspicuous instructions on how to remove these older Iterations. Notification shall include, but not be limited to, each of the following means:
A. Posting of a Clear and Conspicuous hyperlink on the home page of respondent’s primary, consumer-facing website for Java SE. Such hyperlink must read “IMPORTANT INFORMATION REGARDING THE SECURITY OF JAVA SE.” The hyperlink should connect to a sample of the letter shown in Attachment A. This hyperlink and sample letter must be posted no later than ten (10) days after the date of service of the order and for at least two years following posting;
B. On or before ten (10) days after the date of service of this order, provide Clear and Conspicuous notice to Affected Consumers regarding the contents of Attachment A. Respondent shall inform Affected Consumers by:
1. Contacting Avast Software, AVG Technologies, ESET North America, Avira, Inc., McAfee, Inc., Symantec Corporation, Trend Micro, Inc., and Mozilla Corporation to request that these entities publish this notice in their security bulletins;
2. Sending a Twitter notification via respondent’s primary Twitter account for Java SE, the text of which shall read “IMPORTANT INFORMATION REGARDING THE SECURITY OF JAVA SE,” and link to a sample of the letter shown in Attachment A; and
3. Sending a Facebook notification via respondent’s primary Facebook account for Java SE, the text of which shall read “IMPORTANT INFORMATION REGARDING THE SECURITY OF JAVA SE,” and link to a sample of the letter shown in Attachment A; and
C. On or before ten (10) days after the date of service of this order and for three (3) years thereafter, providing prompt and free help to Affected Consumers through:
1. An uninstall tool that allows Affected Consumers to uninstall Iterations of Java SE, 1.4.2 or later;
2. A page on respondent’s primary, consumer-facing website for Java SE that Clearly and Conspicuously explains how to uninstall Iterations of Java SE, and provides a link to the uninstall tool referenced in Part III.C.1; and
3. A Clear and Conspicuous electronic form, specific to update and uninstall issues, available on respondent’s primary, consumer-facing website for Java SE. Respondent shall answer within a reasonable time, by email, consumers who fill out such form.
IV.
IT IS FURTHER ORDERED that respondent shall maintain and, upon request, make available to the Federal Trade Commission for inspection and copying, for a period of five (5) years from the date of preparation or dissemination, whichever is later, a print or electronic copy of each document relating to compliance with this order, including but not limited to:
A. All advertisements, promotional materials, installation and user guides, websites, and installation screens containing any representations covered by this order, as well as all materials used or relied upon in making or disseminating the representation;
B. All release notes for all Java SE Iterations, including the Iterations’ release dates; and
C. Any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order.
V.
IT IS FURTHER ORDERED that respondent, and its successors and assigns, must deliver a copy of this order to all current and future subsidiaries, current and future principals, officers, directors, and managers, employees, agents, and representatives having managerial or supervisory responsibilities relating to Parts I – III of this order. Respondent must deliver this order to such current subsidiaries and personnel within thirty (30) days after service of this order, and to such future subsidiaries and personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part VI, delivery must be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.
VI.
IT IS FURTHER ORDERED that respondent, and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to, dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor company; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. …
VII.
IT IS FURTHER ORDERED that respondent, and its successors and assigns, within ninety (90) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit additional true and accurate written reports.
VIII.
This order will terminate twenty (20) years from the date of its issuance, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:
A. Any Part in this order that terminates in less than twenty (20) years;
B. This order’s application to any respondent that is not named as a defendant in such complaint; and
C. This order if such complaint is filed after the order has terminated pursuant to this Part.
Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.

As is common with settlements of this nature, the reputational damage is significant. That is the case here, as the headlines show: “Oracle ordered to admit on its website that it lost the plot on Java security”, “Oracle settles with the FTC over ‘deceptive’ Java security promises” and “Oracle ordered to blitz users with Java security warnings”.
