Oracle Corporation; Analysis of Proposed Consent Order To Aid Public Comment, 81326-81328 [2015-32634]



[Federal Register Volume 80, Number 249 (Tuesday, December 29, 2015)]
[Notices]
[Pages 81326-81328]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-32634]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 132 3115]


Oracle Corporation; Analysis of Proposed Consent Order To Aid 
Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis to Aid Public Comment describes both 
the allegations in the draft complaint and the terms of the consent 
order--embodied in the consent agreement--that would settle these 
allegations.

DATES: Comments must be received on or before January 20, 2016.

ADDRESSES: Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/oracleconsent online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``In the Matter of 
Oracle Corporation,--Consent Agreement; File No. 132 3115'' on your 
comment and file your comment online at https://ftcpublic.commentworks.com/ftc/oracleconsent by following the 
instructions on the web-based form. If you prefer to file your comment 
on paper, write ``In the Matter of Oracle Corporation,--Consent 
Agreement; File No. 132 3115'' on your comment and on the envelope, and 
mail your comment to the following address: Federal Trade Commission, 
Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 
(Annex D), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex 
D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Andrea Arias (202) 326-2715 or 
Jacqueline Conner (202) 326-2844, Bureau of Consumer Protection, 600 
Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, 
notice is hereby given that the above-captioned consent agreement 
containing consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of thirty (30) days. The 
following Analysis to Aid Public Comment describes the terms of the 
consent agreement, and the allegations in the complaint. An electronic 
copy of the full text of the consent agreement package can be obtained 
from the FTC Home Page (for December 21, 2015), on the World Wide Web 
at: http://www.ftc.gov/os/actions.shtm.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before January 20, 
2016. Write ``In the Matter of Oracle Corporation,--Consent Agreement; 
File No. 132 3115'' on your comment. Your comment--including your name 
and your state--will be placed on the public record of this proceeding, 
including, to the extent practicable, on the public Commission Web 
site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of 
discretion, the Commission tries to remove individuals' home contact 
information from comments before placing them on the Commission Web 
site.
    Because your comment will be made public, you are solely 
responsible for making sure that your comment does not include any 
sensitive personal information, like anyone's Social Security number, 
date of birth, driver's license number or other state identification 
number or foreign country equivalent, passport number, financial 
account number, or credit or debit card number. You are also solely 
responsible for making sure that your comment does not include any 
sensitive health information, like medical records or other 
individually identifiable health information. In addition, do not 
include any ``[t]rade secret or any commercial or financial information 
which . . . is privileged or confidential,'' as discussed in Section 
6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 
4.10(a)(2). In particular, do not include competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you have to follow the procedure explained 
in FTC Rule 4.9(c), 16 CFR 4.9(c).\1\ Your comment will be kept 
confidential only if the FTC General Counsel, in his or her sole 
discretion, grants your request in accordance with the law and the 
public interest.
---------------------------------------------------------------------------

    \1\ In particular, the written request for confidential 
treatment that accompanies the comment must include the factual and 
legal basis for the request, and must identify the specific portions 
of the comment to be withheld from the public record. See FTC Rule 
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/oracleconsent by following the instructions on the web-based form. 
If this Notice appears at http://www.regulations.gov/#!home, you also 
may file a comment through that Web site.
    If you file your comment on paper, write ``In the Matter of Oracle

[[Page 81327]]

Corporation,--Consent Agreement; File No. 132 3115'' on your comment 
and on the envelope, and mail your comment to the following address: 
Federal Trade Commission, Office of the Secretary, 600 Pennsylvania 
Avenue NW., Suite CC-5610 (Annex D), Washington, DC 20580, or deliver 
your comment to the following address: Federal Trade Commission, Office 
of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, 
Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your 
paper comment to the Commission by courier or overnight service.
    Visit the Commission Web site at http://www.ftc.gov to read this 
Notice and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before January 20, 2016. You can find more 
information, including routine uses permitted by the Privacy Act, in 
the Commission's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission has accepted, subject to final 
approval, an agreement containing a consent order applicable to Oracle 
Corporation (``Oracle'').
    The proposed consent order has been placed on the public record for 
thirty (30) days for receipt of comments by interested persons. 
Comments received during this period will become part of the public 
record. After thirty (30) days, the Commission will again review the 
agreement and the comments received, and will decide whether it should 
withdraw from the agreement and take appropriate action or make final 
the agreement's proposed order.
    Oracle is a Delaware corporation that, among other things, develops 
the Java computing platform, which is used to power applications that, 
for example, allow consumers to play online games, chat with people 
online, calculate mortgage interest, and view images in 3D. Consumers 
primarily use the Java Platform, Standard Edition (``Java SE''). When 
an update to Java SE was available, a consumer would typically receive 
a prompt to update the software. When the consumer proceeded to install 
the update, the consumer would encounter a series of installation 
screens, which stated that ``Java provides safe and secure access to 
the world of amazing Java content,'' and that Java SE updates and a 
consumer's ``system'' would have ``the latest . . . security 
improvements.'' During the Java SE update process, however, Oracle did 
not inform consumers that Java SE updates automatically removed only 
the most recent prior iteration of Java SE installed on the consumer's 
computer, even if the consumer had multiple iterations of Java SE 
installed, and that the update would not remove any iteration released 
prior to Java SE iteration 6 update 10. As such, after the update 
process, consumers could still have additional older, insecure 
iterations of Java SE installed on their computers, which attackers 
targeted to obtain consumers' personal information through malware 
designed to exploit vulnerabilities (``exploit kits'').
    The Commission's complaint alleges that Oracle violated Section 
5(a) of the FTC Act by failing to disclose that, in numerous instances, 
updating Java SE would not delete or replace all older iterations of 
Java SE on a consumer's computer, and as a result, a consumer's 
computer could still have iterations of Java SE installed that are 
vulnerable to security risks. This fact would be material to consumers' 
decisions whether to take further action after ``updating'' Java SE to 
protect their computers, in light of Oracle's representations to 
consumers that by updating Java SE, users would ensure that Java SE on 
their computers had the latest security improvements.
    The complaint further alleges that, by failing to inform consumers 
that the Java SE update process did not remove all prior iterations of 
the software, Oracle left some consumers vulnerable to a serious, well-
known, and reasonably foreseeable security risk that attackers would 
target these computers through exploit kits, resulting in the theft of 
personal information. Consumers with insecure iterations of Java SE on 
their computers were vulnerable to exploit kits targeting Java SE 
vulnerabilities while browsing infected Web sites or clicking on 
nefarious links. Attackers used exploit kits targeting Java SE 
vulnerabilities to install key loggers that captured consumers' 
usernames and passwords, which could be used to log into a consumer's 
PayPal, bank, and credit card accounts. Other Java SE exploit kits may 
have resulted in the unauthorized acquisition and transmission of 
sensitive personal information for the purpose of targeted spear-
phishing campaigns.
    The proposed order contains provisions designed to prevent Oracle 
from engaging in the future in practices similar to those alleged in 
the complaint.
    Part I of the proposed order prohibits Oracle from misrepresenting 
(1) the privacy or security of the covered software on a consumer's 
computer, including but not limited to the effect on privacy or 
security of any installation or update of the covered software; and (2) 
how to uninstall older iterations of the covered software.
    Part II of the proposed order requires Oracle to ensure that during 
any installation or update of any iteration of Java SE released after 
the date of service of the order, Oracle:
    (1) clearly and conspicuously discloses to the consumer all 
iterations of Java SE 1.4.2 or later, other than any iteration(s) 
released within the last quarter, currently installed on the consumer's 
computer;
    (2) clearly and conspicuously explains that there may be risks to 
the security of the consumer's computer if the consumer chooses not to 
remove any iterations of Java SE older than the iteration(s) released 
within the last quarter currently installed on the consumer's computer; 
and
    (3) clearly and conspicuously discloses which iterations of Java SE 
1.4.2 or later, other than any iteration(s) released within the last 
quarter, that remain installed following installation or update of Java 
SE, and clearly and conspicuously provides instructions describing how 
consumers can effectively uninstall these iterations.
    Part III of the proposed order requires Oracle to notify consumers 
who downloaded, installed, or updated Java SE that, in some instances, 
they may have older, insecure iterations of Java SE on their computers; 
and provide instructions to such consumers on how to remove these older 
iterations. In addition, for three (3) years, Oracle must provide an 
uninstall tool that allows consumers to uninstall iterations of Java SE 
1.4.2 or later; a page on their primary Web site that explains how to 
uninstall older, insecure iterations of Java SE; and free support 
through an electronic form to help consumers with their update and/or 
uninstall issues.
    Parts IV through VIII of the proposed order are standard reporting 
and compliance provisions. Part IV requires Oracle to retain documents 
relating to its compliance with the order for a five-year period. Part 
V requires dissemination of the order now and in the future to all 
current and future principals, officers, directors, and managers, and 
to persons with managerial or supervisory responsibilities relating to 
Parts I-III of the order. Part VI ensures notification to the FTC of 
changes in corporate status. Part VII mandates that Oracle submit a

[[Page 81328]]

compliance report to the FTC within 90 days, and periodically 
thereafter as requested. Part VIII is a provision ``sunsetting'' the 
order after twenty (20) years, with certain exceptions.
    The purpose of this analysis is to facilitate public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the proposed complaint or order or to modify the 
order's terms in any way.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2015-32634 Filed 12-28-15; 8:45 am]
 BILLING CODE 6750-01-P