Oracle Corporation; Analysis of Proposed Consent Order To Aid Public Comment, 81326-81328 [2015-32634]
Download as PDF
<![CDATA[
81326
Federal Register / Vol. 80, No. 249 / Tuesday, December 29, 2015 / Notices
Federal Reserve, and provides for the
disclosures outlined above. (12 CFR part
208, subpart H) The obligation of SMBs
to make these disclosures is mandatory.
Since the Federal Reserve does not
collect any information, no issue of
confidentiality normally arises.
Abstract: Subpart H of Regulation H
was adopted pursuant to section 305 of
the Gramm-Leach-Bliley Act of 1999,
which required the federal banking
agencies to issue joint regulations
governing retail sales practices,
solicitations, advertising, and offers of
insurance by, on behalf of, or at the
offices of insured depository
institutions. The insurance consumer
protection rules in Regulation H require
depository institutions to prepare and
provide certain disclosures to
consumers. Covered persons are
required to make certain disclosures
before the completion of the initial sale
of an insurance product or annuity to a
consumer and at the time a consumer
applies for an extension of credit in
connection with which and insurance
product or annuity is solicited, offered,
or sold.
Current Actions: On October 22, 2015,
the Federal Reserve published a notice
in the Federal Register (80 FR 64000)
requesting public comment for 60 days
on the extension, without revision, of
the Disclosure Requirements in
Connection With Subpart H of
Regulation H. The comment period for
this notice expired on December 21,
2015. The Federal Reserve did not
receive any comments. The information
collection will be extended for three
years, without revision, as proposed.
Board of Governors of the Federal Reserve
System, December 23, 2015.
Robert deV. Frierson,
Secretary of the Board.
[FR Doc. 2015–32700 Filed 12–28–15; 8:45 am]
BILLING CODE 6210–01–P
FEDERAL TRADE COMMISSION
[File No. 132 3115]
Oracle Corporation; Analysis of
Proposed Consent Order To Aid Public
Comment
Federal Trade Commission.
Proposed consent agreement.
asabaliauskas on DSK5VPTVN1PROD with NOTICES
AGENCY:
ACTION:
The consent agreement in this
matter settles alleged violations of
federal law prohibiting unfair or
deceptive acts or practices. The attached
Analysis to Aid Public Comment
describes both the allegations in the
draft complaint and the terms of the
consent order—embodied in the consent
SUMMARY:
VerDate Sep<11>2014
19:17 Dec 28, 2015
Jkt 238001
agreement—that would settle these
allegations.
DATES: Comments must be received on
or before January 20, 2016.
ADDRESSES: Interested parties may file a
comment at https://
ftcpublic.commentworks.com/ftc/
oracleconsent online or on paper, by
following the instructions in the
Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Write ‘‘In the Matter of Oracle
Corporation,—Consent Agreement; File
No. 132 3115’’ on your comment and
file your comment online at https://
ftcpublic.commentworks.com/ftc/
oracleconsent by following the
instructions on the web-based form. If
you prefer to file your comment on
paper, write ‘‘In the Matter of Oracle
Corporation,—Consent Agreement; File
No. 132 3115’’ on your comment and on
the envelope, and mail your comment to
the following address: Federal Trade
Commission, Office of the Secretary,
600 Pennsylvania Avenue NW., Suite
CC–5610 (Annex D), Washington, DC
20580, or deliver your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW.,
5th Floor, Suite 5610 (Annex D),
Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT:
Andrea Arias (202) 326–2715 or
Jacqueline Conner (202) 326–2844,
Bureau of Consumer Protection, 600
Pennsylvania Avenue NW., Washington,
DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant
to Section 6(f) of the Federal Trade
Commission Act, 15 U.S.C. 46(f), and
FTC Rule 2.34, 16 CFR 2.34, notice is
hereby given that the above-captioned
consent agreement containing consent
order to cease and desist, having been
filed with and accepted, subject to final
approval, by the Commission, has been
placed on the public record for a period
of thirty (30) days. The following
Analysis to Aid Public Comment
describes the terms of the consent
agreement, and the allegations in the
complaint. An electronic copy of the
full text of the consent agreement
package can be obtained from the FTC
Home Page (for December 21, 2015), on
the World Wide Web at: https://
www.ftc.gov/os/actions.shtm.
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before January 20, 2016. Write ‘‘In the
Matter of Oracle Corporation,—Consent
Agreement; File No. 132 3115’’ on your
comment. Your comment—including
your name and your state—will be
placed on the public record of this
PO 00000
Frm 00055
Fmt 4703
Sfmt 4703
proceeding, including, to the extent
practicable, on the public Commission
Web site, at https://www.ftc.gov/os/
publiccomments.shtm. As a matter of
discretion, the Commission tries to
remove individuals’ home contact
information from comments before
placing them on the Commission Web
site.
Because your comment will be made
public, you are solely responsible for
making sure that your comment does
not include any sensitive personal
information, like anyone’s Social
Security number, date of birth, driver’s
license number or other state
identification number or foreign country
equivalent, passport number, financial
account number, or credit or debit card
number. You are also solely responsible
for making sure that your comment does
not include any sensitive health
information, like medical records or
other individually identifiable health
information. In addition, do not include
any ‘‘[t]rade secret or any commercial or
financial information which . . . is
privileged or confidential,’’ as discussed
in Section 6(f) of the FTC Act, 15 U.S.C.
46(f), and FTC Rule 4.10(a)(2), 16 CFR
4.10(a)(2). In particular, do not include
competitively sensitive information
such as costs, sales statistics,
inventories, formulas, patterns, devices,
manufacturing processes, or customer
names.
If you want the Commission to give
your comment confidential treatment,
you must file it in paper form, with a
request for confidential treatment, and
you have to follow the procedure
explained in FTC Rule 4.9(c), 16 CFR
4.9(c).1 Your comment will be kept
confidential only if the FTC General
Counsel, in his or her sole discretion,
grants your request in accordance with
the law and the public interest.
Postal mail addressed to the
Commission is subject to delay due to
heightened security screening. As a
result, we encourage you to submit your
comments online. To make sure that the
Commission considers your online
comment, you must file it at https://
ftcpublic.commentworks.com/ftc/
oracleconsent by following the
instructions on the web-based form. If
this Notice appears at https://
www.regulations.gov/#!home, you also
may file a comment through that Web
site.
If you file your comment on paper,
write ‘‘In the Matter of Oracle
1 In particular, the written request for confidential
treatment that accompanies the comment must
include the factual and legal basis for the request,
and must identify the specific portions of the
comment to be withheld from the public record. See
FTC Rule 4.9(c), 16 CFR 4.9(c).
E:\FR\FM\29DEN1.SGM
29DEN1
Federal Register / Vol. 80, No. 249 / Tuesday, December 29, 2015 / Notices
asabaliauskas on DSK5VPTVN1PROD with NOTICES
Corporation,—Consent Agreement; File
No. 132 3115’’ on your comment and on
the envelope, and mail your comment to
the following address: Federal Trade
Commission, Office of the Secretary,
600 Pennsylvania Avenue NW., Suite
CC–5610 (Annex D), Washington, DC
20580, or deliver your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW.,
5th Floor, Suite 5610 (Annex D),
Washington, DC 20024. If possible,
submit your paper comment to the
Commission by courier or overnight
service.
Visit the Commission Web site at
https://www.ftc.gov to read this Notice
and the news release describing it. The
FTC Act and other laws that the
Commission administers permit the
collection of public comments to
consider and use in this proceeding as
appropriate. The Commission will
consider all timely and responsive
public comments that it receives on or
before January 20, 2016. You can find
more information, including routine
uses permitted by the Privacy Act, in
the Commission’s privacy policy, at
https://www.ftc.gov/ftc/privacy.htm.
Analysis of Proposed Consent Order To
Aid Public Comment
The Federal Trade Commission has
accepted, subject to final approval, an
agreement containing a consent order
applicable to Oracle Corporation
(‘‘Oracle’’).
The proposed consent order has been
placed on the public record for thirty
(30) days for receipt of comments by
interested persons. Comments received
during this period will become part of
the public record. After thirty (30) days,
the Commission will again review the
agreement and the comments received,
and will decide whether it should
withdraw from the agreement and take
appropriate action or make final the
agreement’s proposed order.
Oracle is a Delaware corporation that,
among other things, develops the Java
computing platform, which is used to
power applications that, for example,
allow consumers to play online games,
chat with people online, calculate
mortgage interest, and view images in
3D. Consumers primarily use the Java
Platform, Standard Edition (‘‘Java SE’’).
When an update to Java SE was
available, a consumer would typically
receive a prompt to update the software.
When the consumer proceeded to install
the update, the consumer would
encounter a series of installation
screens, which stated that ‘‘Java
provides safe and secure access to the
world of amazing Java content,’’ and
VerDate Sep<11>2014
19:17 Dec 28, 2015
Jkt 238001
that Java SE updates and a consumer’s
‘‘system’’ would have ‘‘the latest . . .
security improvements.’’ During the
Java SE update process, however, Oracle
did not inform consumers that Java SE
updates automatically removed only the
most recent prior iteration of Java SE
installed on the consumer’s computer,
even if the consumer had multiple
iterations of Java SE installed, and that
the update would not remove any
iteration released prior to Java SE
iteration 6 update 10. As such, after the
update process, consumers could still
have additional older, insecure
iterations of Java SE installed on their
computers, which attackers targeted to
obtain consumers’ personal information
through malware designed to exploit
vulnerabilities (‘‘exploit kits’’).
The Commission’s complaint alleges
that Oracle violated Section 5(a) of the
FTC Act by failing to disclose that, in
numerous instances, updating Java SE
would not delete or replace all older
iterations of Java SE on a consumer’s
computer, and as a result, a consumer’s
computer could still have iterations of
Java SE installed that are vulnerable to
security risks. This fact would be
material to consumers’ decisions
whether to take further action after
‘‘updating’’ Java SE to protect their
computers, in light of Oracle’s
representations to consumers that by
updating Java SE, users would ensure
that Java SE on their computers had the
latest security improvements.
The complaint further alleges that, by
failing to inform consumers that the Java
SE update process did not remove all
prior iterations of the software, Oracle
left some consumers vulnerable to a
serious, well-known, and reasonably
foreseeable security risk that attackers
would target these computers through
exploit kits, resulting in the theft of
personal information. Consumers with
insecure iterations of Java SE on their
computers were vulnerable to exploit
kits targeting Java SE vulnerabilities
while browsing infected Web sites or
clicking on nefarious links. Attackers
used exploit kits targeting Java SE
vulnerabilities to install key loggers that
captured consumers’ usernames and
passwords, which could be used to log
into a consumer’s PayPal, bank, and
credit card accounts. Other Java SE
exploit kits may have resulted in the
unauthorized acquisition and
transmission of sensitive personal
information for the purpose of targeted
spear-phishing campaigns.
The proposed order contains
provisions designed to prevent Oracle
from engaging in the future in practices
similar to those alleged in the
complaint.
PO 00000
Frm 00056
Fmt 4703
Sfmt 4703
81327
Part I of the proposed order prohibits
Oracle from misrepresenting (1) the
privacy or security of the covered
software on a consumer’s computer,
including but not limited to the effect
on privacy or security of any installation
or update of the covered software; and
(2) how to uninstall older iterations of
the covered software.
Part II of the proposed order requires
Oracle to ensure that during any
installation or update of any iteration of
Java SE released after the date of service
of the order, Oracle:
(1) clearly and conspicuously
discloses to the consumer all iterations
of Java SE 1.4.2 or later, other than any
iteration(s) released within the last
quarter, currently installed on the
consumer’s computer;
(2) clearly and conspicuously
explains that there may be risks to the
security of the consumer’s computer if
the consumer chooses not to remove any
iterations of Java SE older than the
iteration(s) released within the last
quarter currently installed on the
consumer’s computer; and
(3) clearly and conspicuously
discloses which iterations of Java SE
1.4.2 or later, other than any iteration(s)
released within the last quarter, that
remain installed following installation
or update of Java SE, and clearly and
conspicuously provides instructions
describing how consumers can
effectively uninstall these iterations.
Part III of the proposed order requires
Oracle to notify consumers who
downloaded, installed, or updated Java
SE that, in some instances, they may
have older, insecure iterations of Java
SE on their computers; and provide
instructions to such consumers on how
to remove these older iterations. In
addition, for three (3) years, Oracle must
provide an uninstall tool that allows
consumers to uninstall iterations of Java
SE 1.4.2 or later; a page on their primary
Web site that explains how to uninstall
older, insecure iterations of Java SE; and
free support through an electronic form
to help consumers with their update
and/or uninstall issues.
Parts IV through VIII of the proposed
order are standard reporting and
compliance provisions. Part IV requires
Oracle to retain documents relating to
its compliance with the order for a fiveyear period. Part V requires
dissemination of the order now and in
the future to all current and future
principals, officers, directors, and
managers, and to persons with
managerial or supervisory
responsibilities relating to Parts I–III of
the order. Part VI ensures notification to
the FTC of changes in corporate status.
Part VII mandates that Oracle submit a
E:\FR\FM\29DEN1.SGM
29DEN1
81328
Federal Register / Vol. 80, No. 249 / Tuesday, December 29, 2015 / Notices
motorcycles, and $0.19 for moving
purposes), pursuant to the process
discussed above. This notice of subject
bulletin is the only notification to
agencies of revisions to the POV mileage
rates for official travel and relocation
other than the changes posted on GSA’s
Web site.
DEPARTMENT OF DEFENSE
By direction of the Commission.
Donald S. Clark,
Secretary.
Effective: December 29, 2015.
Applicability: This notice applies to
travel and relocation performed on or
after January 1, 2016 through December
31, 2016.
Submission for OMB Review; High
Global Warming Potential
Hydrofluorocarbons
[FR Doc. 2015–32634 Filed 12–28–15; 8:45 am]
FOR FURTHER INFORMATION CONTACT:
compliance report to the FTC within 90
days, and periodically thereafter as
requested. Part VIII is a provision
‘‘sunsetting’’ the order after twenty (20)
years, with certain exceptions.
The purpose of this analysis is to
facilitate public comment on the
proposed order. It is not intended to
constitute an official interpretation of
the proposed complaint or order or to
modify the order’s terms in any way.
BILLING CODE 6750–01–P
GENERAL SERVICES
ADMINISTRATION
[Notice–FTR–2015–01; Docket 2015–0002;
Sequence 1]
Change in Standard Procedure
Office of Government-Wide
Policy (OGP), General Services
Administration (GSA).
ACTION: Notice of FTR Bulletin 16–02,
Calendar Year (CY) 2016 Privately
Owned Vehicle (POV) Mileage
Reimbursement Rates and Standard
Mileage Rate for Moving Purposes
(Relocation Allowances).
AGENCY:
The General Services
Administration (GSA) uses the single
standard mileage rate established by the
Internal Revenue Service (IRS) as the
mileage rate for privately owned
automobiles (POA). In addition, the IRS’
mileage rate for medical or moving
purposes is used to determine the POA
rate when a Government-furnished
automobile is authorized. This IRS rate
also establishes the standard mileage
rate for moving purposes as it pertains
to official relocation. Finally, GSA’s
annual privately owned airplane and
motorcycle mileage reimbursement rate
reviews have resulted in new CY 2016
rates. GSA conducts independent
airplane and motorcycle studies that
evaluate various factors, such as the cost
of fuel, the depreciation of the original
vehicles costs, maintenance and
insurance, and/or by applying consumer
price index data. FTR Bulletin 16–02
establishes the new CY 2016 POV
mileage reimbursement rates for official
temporary duty and relocation travel
($0.54 for POAs, $0.19 for POAs when
a Government furnished automobile is
authorized, $1.17 for privately owned
airplanes, $0.51 for privately owned
asabaliauskas on DSK5VPTVN1PROD with NOTICES
VerDate Sep<11>2014
19:17 Dec 28, 2015
Jkt 238001
For
clarification of content, please contact
Mr. Cy Greenidge, Office of
Government-wide Policy, Office of
Asset and Transportation Management,
at 202–219–2349, or by email at
travelpolicy@gsa.gov. Please cite Notice
of FTR Bulletin 16–02.
SUPPLEMENTARY INFORMATION:
2016 Privately Owned Vehicle (POV)
Mileage Reimbursement Rates; 2016
Standard Mileage Rate for Moving
Purposes
SUMMARY:
DATES:
GSA posts the POV mileage
reimbursement rates, formerly
published in 41 CFR Chapter 301, solely
on the internet at www.gsa.gov/mileage.
Also, posted on this site is the standard
mileage rate for moving purposes. This
process, implemented in FTR
Amendment 2010–07, 75 FR 72965
(November 29, 2010), FTR Amendment
2007–03, 72 FR 35187 (June 27, 2007),
and FTR Amendment 2007–06, 72 FR
70234 (December 11, 2007), ensures
more timely updates regarding mileage
reimbursement rates by GSA for Federal
employees who are on official travel or
relocating. Notices published
periodically in the Federal Register,
such as this one, and the changes posted
on the GSA Web site, now constitute the
only notification to Federal agencies of
revisions to the POV mileage
reimbursement rates and the standard
mileage reimbursement rate for moving
purposes.
Dated: December 23, 2015.
Alexander J. Kurien,
Deputy Associate Administrator, Office of
Asset and Transportation Management,
Office of Government-wide Policy.
[FR Doc. 2015–32745 Filed 12–28–15; 8:45 am]
BILLING CODE 6820–14–P
PO 00000
Frm 00057
Fmt 4703
Sfmt 4703
GENERAL SERVICES
ADMINISTRATION
NATIONAL AERONAUTICS AND
SPACE ADMINISTRATION
[Docket 2015–0055; Sequence 51]
Department of Defense (DoD),
General Services Administration (GSA),
and National Aeronautics and Space
Administration (NASA).
ACTION: Notice of request for public
comments regarding a new OMB
clearance.
AGENCY:
Under the provisions of the
Paperwork Reduction Act, the
Regulatory Secretariat Division will be
submitting to the Office of Management
and Budget (OMB) a request to review
and approve a new information
collection requirement concerning High
Global Warming Potential
Hydrofluorocarbons. A notice was
published in the Federal Register at 80
FR 26883, on May 11, 2015. Sixteen
comments were received.
DATES: Submit comments on or before
January 28, 2016.
ADDRESSES: Submit comments regarding
this burden estimate or any other aspect
of this collection of information,
including suggestions for reducing this
burden to: Office of Information and
Regulatory Affairs of OMB, Attention:
Desk Officer for GSA, Room 10236,
NEOB, Washington, DC 20503.
Additionally submit a copy to GSA by
any of the following methods:
• Regulations.gov: https://
www.regulations.gov. Submit comments
via the Federal eRulemaking portal by
searching for OMB control number
‘‘9000–0191; High Global Warming
Potential Hydrofluorocarbons.’’ Select
the link ‘‘Submit a Comment’’ that
corresponds with ‘‘9000–0191; High
Global Warming Potential
Hydrofluorocarbons.’’ Follow the
instructions provided at the ‘‘Submit a
Comment’’ screen. Please include your
name, company name (if any), and
‘‘9000–0191; High Global Warming
Potential Hydrofluorocarbons’’ on your
attached document.
• Mail: General Services
Administration, Regulatory Secretariat
Division (MVCB), ATTN: Ms. Flowers,
1800 F Street NW., Washington, DC
20405.
Instructions: Please submit comments
only and cite Information Collection
SUMMARY:
E:\FR\FM\29DEN1.SGM
29DEN1
]]>Agencies
[Federal Register Volume 80, Number 249 (Tuesday, December 29, 2015)]
[Notices]
[Pages 81326-81328]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-32634]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 132 3115]
Oracle Corporation; Analysis of Proposed Consent Order To Aid
Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices. The attached Analysis to Aid Public Comment describes both
the allegations in the draft complaint and the terms of the consent
order--embodied in the consent agreement--that would settle these
allegations.
DATES: Comments must be received on or before January 20, 2016.
ADDRESSES: Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/oracleconsent online or on paper, by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write ``In the Matter of
Oracle Corporation,--Consent Agreement; File No. 132 3115'' on your
comment and file your comment online at https://ftcpublic.commentworks.com/ftc/oracleconsent by following the
instructions on the web-based form. If you prefer to file your comment
on paper, write ``In the Matter of Oracle Corporation,--Consent
Agreement; File No. 132 3115'' on your comment and on the envelope, and
mail your comment to the following address: Federal Trade Commission,
Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610
(Annex D), Washington, DC 20580, or deliver your comment to the
following address: Federal Trade Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex
D), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT: Andrea Arias (202) 326-2715 or
Jacqueline Conner (202) 326-2844, Bureau of Consumer Protection, 600
Pennsylvania Avenue NW., Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34,
notice is hereby given that the above-captioned consent agreement
containing consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of thirty (30) days. The
following Analysis to Aid Public Comment describes the terms of the
consent agreement, and the allegations in the complaint. An electronic
copy of the full text of the consent agreement package can be obtained
from the FTC Home Page (for December 21, 2015), on the World Wide Web
at: https://www.ftc.gov/os/actions.shtm.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before January 20,
2016. Write ``In the Matter of Oracle Corporation,--Consent Agreement;
File No. 132 3115'' on your comment. Your comment--including your name
and your state--will be placed on the public record of this proceeding,
including, to the extent practicable, on the public Commission Web
site, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of
discretion, the Commission tries to remove individuals' home contact
information from comments before placing them on the Commission Web
site.
Because your comment will be made public, you are solely
responsible for making sure that your comment does not include any
sensitive personal information, like anyone's Social Security number,
date of birth, driver's license number or other state identification
number or foreign country equivalent, passport number, financial
account number, or credit or debit card number. You are also solely
responsible for making sure that your comment does not include any
sensitive health information, like medical records or other
individually identifiable health information. In addition, do not
include any ``[t]rade secret or any commercial or financial information
which . . . is privileged or confidential,'' as discussed in Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR
4.10(a)(2). In particular, do not include competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
If you want the Commission to give your comment confidential
treatment, you must file it in paper form, with a request for
confidential treatment, and you have to follow the procedure explained
in FTC Rule 4.9(c), 16 CFR 4.9(c).\1\ Your comment will be kept
confidential only if the FTC General Counsel, in his or her sole
discretion, grants your request in accordance with the law and the
public interest.
---------------------------------------------------------------------------
\1\ In particular, the written request for confidential
treatment that accompanies the comment must include the factual and
legal basis for the request, and must identify the specific portions
of the comment to be withheld from the public record. See FTC Rule
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online. To make sure that the Commission considers your
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/oracleconsent by following the instructions on the web-based form.
If this Notice appears at https://www.regulations.gov/#!home, you also
may file a comment through that Web site.
If you file your comment on paper, write ``In the Matter of Oracle
[[Page 81327]]
Corporation,--Consent Agreement; File No. 132 3115'' on your comment
and on the envelope, and mail your comment to the following address:
Federal Trade Commission, Office of the Secretary, 600 Pennsylvania
Avenue NW., Suite CC-5610 (Annex D), Washington, DC 20580, or deliver
your comment to the following address: Federal Trade Commission, Office
of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor,
Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your
paper comment to the Commission by courier or overnight service.
Visit the Commission Web site at https://www.ftc.gov to read this
Notice and the news release describing it. The FTC Act and other laws
that the Commission administers permit the collection of public
comments to consider and use in this proceeding as appropriate. The
Commission will consider all timely and responsive public comments that
it receives on or before January 20, 2016. You can find more
information, including routine uses permitted by the Privacy Act, in
the Commission's privacy policy, at https://www.ftc.gov/ftc/privacy.htm.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, an agreement containing a consent order applicable to Oracle
Corporation (``Oracle'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received, and will decide whether it should
withdraw from the agreement and take appropriate action or make final
the agreement's proposed order.
Oracle is a Delaware corporation that, among other things, develops
the Java computing platform, which is used to power applications that,
for example, allow consumers to play online games, chat with people
online, calculate mortgage interest, and view images in 3D. Consumers
primarily use the Java Platform, Standard Edition (``Java SE''). When
an update to Java SE was available, a consumer would typically receive
a prompt to update the software. When the consumer proceeded to install
the update, the consumer would encounter a series of installation
screens, which stated that ``Java provides safe and secure access to
the world of amazing Java content,'' and that Java SE updates and a
consumer's ``system'' would have ``the latest . . . security
improvements.'' During the Java SE update process, however, Oracle did
not inform consumers that Java SE updates automatically removed only
the most recent prior iteration of Java SE installed on the consumer's
computer, even if the consumer had multiple iterations of Java SE
installed, and that the update would not remove any iteration released
prior to Java SE iteration 6 update 10. As such, after the update
process, consumers could still have additional older, insecure
iterations of Java SE installed on their computers, which attackers
targeted to obtain consumers' personal information through malware
designed to exploit vulnerabilities (``exploit kits'').
The Commission's complaint alleges that Oracle violated Section
5(a) of the FTC Act by failing to disclose that, in numerous instances,
updating Java SE would not delete or replace all older iterations of
Java SE on a consumer's computer, and as a result, a consumer's
computer could still have iterations of Java SE installed that are
vulnerable to security risks. This fact would be material to consumers'
decisions whether to take further action after ``updating'' Java SE to
protect their computers, in light of Oracle's representations to
consumers that by updating Java SE, users would ensure that Java SE on
their computers had the latest security improvements.
The complaint further alleges that, by failing to inform consumers
that the Java SE update process did not remove all prior iterations of
the software, Oracle left some consumers vulnerable to a serious, well-
known, and reasonably foreseeable security risk that attackers would
target these computers through exploit kits, resulting in the theft of
personal information. Consumers with insecure iterations of Java SE on
their computers were vulnerable to exploit kits targeting Java SE
vulnerabilities while browsing infected Web sites or clicking on
nefarious links. Attackers used exploit kits targeting Java SE
vulnerabilities to install key loggers that captured consumers'
usernames and passwords, which could be used to log into a consumer's
PayPal, bank, and credit card accounts. Other Java SE exploit kits may
have resulted in the unauthorized acquisition and transmission of
sensitive personal information for the purpose of targeted spear-
phishing campaigns.
The proposed order contains provisions designed to prevent Oracle
from engaging in the future in practices similar to those alleged in
the complaint.
Part I of the proposed order prohibits Oracle from misrepresenting
(1) the privacy or security of the covered software on a consumer's
computer, including but not limited to the effect on privacy or
security of any installation or update of the covered software; and (2)
how to uninstall older iterations of the covered software.
Part II of the proposed order requires Oracle to ensure that during
any installation or update of any iteration of Java SE released after
the date of service of the order, Oracle:
(1) clearly and conspicuously discloses to the consumer all
iterations of Java SE 1.4.2 or later, other than any iteration(s)
released within the last quarter, currently installed on the consumer's
computer;
(2) clearly and conspicuously explains that there may be risks to
the security of the consumer's computer if the consumer chooses not to
remove any iterations of Java SE older than the iteration(s) released
within the last quarter currently installed on the consumer's computer;
and
(3) clearly and conspicuously discloses which iterations of Java SE
1.4.2 or later, other than any iteration(s) released within the last
quarter, that remain installed following installation or update of Java
SE, and clearly and conspicuously provides instructions describing how
consumers can effectively uninstall these iterations.
Part III of the proposed order requires Oracle to notify consumers
who downloaded, installed, or updated Java SE that, in some instances,
they may have older, insecure iterations of Java SE on their computers;
and provide instructions to such consumers on how to remove these older
iterations. In addition, for three (3) years, Oracle must provide an
uninstall tool that allows consumers to uninstall iterations of Java SE
1.4.2 or later; a page on their primary Web site that explains how to
uninstall older, insecure iterations of Java SE; and free support
through an electronic form to help consumers with their update and/or
uninstall issues.
Parts IV through VIII of the proposed order are standard reporting
and compliance provisions. Part IV requires Oracle to retain documents
relating to its compliance with the order for a five-year period. Part
V requires dissemination of the order now and in the future to all
current and future principals, officers, directors, and managers, and
to persons with managerial or supervisory responsibilities relating to
Parts I-III of the order. Part VI ensures notification to the FTC of
changes in corporate status. Part VII mandates that Oracle submit a
[[Page 81328]]
compliance report to the FTC within 90 days, and periodically
thereafter as requested. Part VIII is a provision ``sunsetting'' the
order after twenty (20) years, with certain exceptions.
The purpose of this analysis is to facilitate public comment on the
proposed order. It is not intended to constitute an official
interpretation of the proposed complaint or order or to modify the
order's terms in any way.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2015-32634 Filed 12-28-15; 8:45 am]
BILLING CODE 6750-01-P
