The Federal Trade Commission (FTC) has tagged Oracle for misleading consumers about the security of Java SE.
Brian Fung writes in "Nearly a billion PCs run this notoriously insecure software. Now Oracle has to clean it up":
Oracle, one of the nation’s largest tech companies, is settling federal charges that it misled consumers about the security of its software, which is installed on roughly 850 million computers around the world.
The company won’t be paying a fine, and it isn’t admitting to any wrongdoing or fault in its settlement with the Federal Trade Commission. But Oracle will be required to tell consumers explicitly if they have outdated, insecure copies of the software — and to help them remove it.
The software, known as Java SE, helps power many of the features consumers expect to see when they browse the Web, from browser-based games to online chatrooms. But security experts say Java is notoriously vulnerable to attack. It has been linked to a staggering array of security flaws that can enable hackers to steal personal information from users, including the login information for people’s financial accounts, the FTC said.
When Oracle bought Java in 2010, it knew that Java was insecure, the FTC alleged in its initial complaint. Internal corporate records seized by the FTC noted that the “Java update mechanism is not aggressive enough or simply not working.”
Although the company issued updates to fix the vulnerabilities as they were discovered, the updates didn’t uninstall the older, problematic versions of Java, leaving them on the customer’s computer. Oracle never informed users of the fact, the FTC alleged, enabling hackers to take advantage of those unpatched flaws.
…
Even though the FTC settlement does not carry any admission of wrongdoing or fault, there’s all that discovery already done by the FTC; it would be a shame to see it go to waste.
Do you see a common law negligence claim against Oracle for knowing Java SE was insecure and taking no steps to cure the insecurity or even warn consumers of the security defect?
Using Federal Rule 23 as an example (most states follow Rule 23):
(a) Prerequisites. One or more members of a class may sue or be sued as representative parties on behalf of all members only if:
(1) the class is so numerous that joinder of all members is impracticable;
(2) there are questions of law or fact common to the class;
(3) the claims or defenses of the representative parties are typical of the claims or defenses of the class; and
(4) the representative parties will fairly and adequately protect the interests of the class.
Looks like we have:
- Too numerous to join: I’d say almost 1 billion fits that requirement
- Common questions of law and fact: common law liability and common facts
- Typical claims and defenses (Oracle’s defense will be: “We have friends in government.”)
- Parties will fairly represent the class (pick your class reps carefully)
There are other class action suit requirements, but on the surface of it, Oracle could be on its way to a very bad Christmas by 2016.
PS: One additional factor in favor of using Oracle as a software liability target is its personification in Larry Ellison. Ellison is no Scrooge but he isn’t a very sympathetic character. Having an arrogant defendant always helps in liability cases.