Privacy & Information Security Law Blog

On December 21, 2015, the Federal Trade Commission announced software company Oracle Corporation (“Oracle”) has agreed to settle FTC charges that accused the company of misrepresenting the security of its software updates. The proposed Agreement Containing Consent Order (“Consent Order”) stems from an FTC complaint that alleged the company had deceived consumers about the security provided by updates to the Java Platform, Standard Edition software (“Java SE”).

Java SE is a version of the Java computing platform commonly installed on personal computers to enable consumers to run various types of Java-compatible applications on their computers. In its complaint, the FTC alleged that the process for updating Java SE made it likely that consumers unknowingly would have older, insecure versions of Java SE remaining on their computers, despite the company’s representations to consumers that installing the update would be “safe and secure” and provide “the latest…security improvements.” In light of this representation, the FTC believed that Oracle misrepresented the security of its update process by failing to adequately disclose that older and less secure versions of the software could remain on the consumer’s computer. As a result, the FTC charged Oracle with engaging in a deceptive act or practice in violation of Section 5 of the FTC Act. According to Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, “[w]hen a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software.”

The proposed Consent Order will prohibit Oracle from misrepresenting the privacy and security of its consumer-facing software, and require Oracle to inform consumers how to uninstall older iterations of such software. In addition, the Consent Order will require Oracle to clearly and conspicuously disclose to consumers during the Java SE update process if they have outdated versions of the software on their computer, notify them of the risk of keeping the older software on the device and provide instructions on how to uninstall it. The Consent Order also will require that Oracle provide consumers with several forms of notice about the settlement and how consumers can remove older versions of the software. Under the Consent Order, Oracle must post the notice on its website and via social media (i.e., on Twitter and Facebook), and also must request that third party software developers publish the notice in their security bulletins.