Yesterday the Federal Trade Commission (FTC) announced that Oracle has agreed to settle charges that it deceived consumers about the security provided by updates to its Java Platform, Standard Edition software (Java SE), which is installed on more than 850 million personal computers. Oracle’s Java SE provides support for a vast array of features consumers use when browsing the web, including browser-based calculators, online gaming, chatrooms, and 3D image viewing.
If the proposed consent order were to be approved, Oracle would be required to give consumers the ability to easily uninstall insecure, older versions of Java SE.
The Commission issued a complaint and accepted this proposed consent order by a vote of 4-0, which commonly does happen all at the same time given how the FTC investigates matters before bringing a complaint. It is not much of an exaggeration to say that when the FTC is charging you settle. Resistance is futile. The agency will cross every T and dot every I in advance of filing a complaint. So when a company is given the opportunity to accept a consent order to resolve the matter immediately they almost always do.
The FTC will now publish a description of the consent agreement in the Federal Register. The agreement will be subject to public comment for 30 days, beginning yesterday and continuing through Jan. 20, 2016. Thereafter the Commission will decide whether to make the proposed consent order final, which is typically the outcome.
“When a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “The FTC’s settlement requires Oracle to give Java users the tools and information they need to protect their computers.”
According to the FTC’s complaint, since acquiring Java in 2010, Oracle was aware of significant security issues affecting older versions of Java SE. The security issues allowed hackers to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive personal information through phishing attacks.
In its complaint, the FTC alleged that Oracle promised consumers that by installing its updates to Java SE both the updates and the consumer’s system would be “safe and secure” with the “latest… security updates.” During the update process, however, Oracle failed to inform consumers that the Java SE update automatically removed only the most recent prior version of the software, and did not remove any other earlier versions of Java SE that might be installed on their computer, and did not uninstall any versions released prior to Java SE version 6 update 10. As a result, after updating Java SE, consumers could still have additional older, insecure versions of the software on their computers that were vulnerable to exploitation by hackers.
In 2011, according to the FTC’s complaint, Oracle was aware of the insufficiency of its update process, yet did not initially remedy the process. Internal documents stated that the “Java update mechanism is not aggressive enough or simply not working,” and that a large number of hacking incidents were targeting prior versions of Java SE’s software still installed on consumers’ computers.
While Oracle did have notices on their website relating to the need to remove older versions because of the security risk they posed, the information did not explain that the update process did not automatically remove all older versions of Java SE. The updates continued to remove only the most recent version of Java SE installed until August 2014.
The FTC argued that the failure to remove older versions coupled with the failure to adequately inform users created a false impression that consumers were safe when they were not. The complaint charges that this failure to disclose the limitations of the updates in light of the statements made about the security benefits of the updates was deceptive and in violation of Section 5 of the FTC Act.
Under the terms of the proposed consent order, Oracle will be required to notify consumers during the Java SE update process if they have outdated versions of the software on their computer, notify them of the risk of having the older software, and give them the option to uninstall it. In addition, the company will be required to provide broad notice to consumers via social media and their website about the settlement and how consumers can remove older versions of the software.
The consent order also will prohibit the company from making any further deceptive statements to consumers about the privacy or security of its software and the ability to uninstall older versions of any software Oracle provides.