Written by Pam Fulmer from Tactical Law.
Many Oracle customers understand that Oracle is not their friend and Oracle has been accused by many of using hard ball audit tactics (if not downright fraud) against Oracle customers to boost sales of Oracle cloud and other software. Oracle’s notoriety for conducting predatory audits of its customers continues to grow and Oracle customers should be on high alert as we wait for a decision by the U.S. Supreme Court in the Google vs. Oracle case. In fact, we at Tactical Law are seeing an uptick in companies complaining of being contacted by Oracle about Java. Although we are not aware of Oracle conducting formal audits of its customers relating to Java, Oracle has been probing with sales and other teams to informally obtain information about the customer’s usage of Java. Don’t fall for this Oracle trap. Instead, take action now to identify any potential issues with your use of Java, and protect yourself from what we believe will be a new wave of Oracle audits of Java in the months to come.
What is Oracle doing now? From what we can tell Oracle has been assembling a team of, for the most part, recent college graduates with little prior job experience to speak of, to begin informally reaching out to Oracle customer’s concerning the customer’s use of Java. Do not pick up the phone or respond to any emails from the Oracle Java team unless you receive a formal audit notice. Also resist any questions concerning Java and your VMware environment from these informal Oracle probes. Cooperation now with these fishing expeditions will only get you in trouble, as Oracle appears to be attempting to assert its non-contractual view of what it means to “use” Oracle software as it pertains to processor based licensing and VMware environments.
Why are Oracle customers at risk as it pertains to their use of Java? In April of 2019 Oracle changed how it was licensing Java. As one Oracle expert consultant has explained:
“In the past, both OpenJDK and Oracle JDK were licensed under the same Binary Code License, which included a combination of both free and paid commercial terms. However, starting with Java 11 […], Oracle changed to using the “GNU General Public License v2, with the Classpath Exception (GPLv2+CPE)” license for OpenJDK and a commercial license (Java SE Subscription or Java SE Desktop Subscription) for Oracle JDK.” House of Brick Blog Post.
The Oracle Technology Network License Agreement for Oracle Java SE is a click-through agreement that you must agree to in order to download Java SE. Importantly we advise that companies ensure that their IT Departments have directives in place making clear that not all employees have authority to agree to such click-through agreements, and prohibiting them from doing so without the authorization of management after careful consideration of the potential risks.
The SE license provides that:
Oracle is willing to authorize Your access to software associated with this License Agreement (“Agreement”) only upon the condition that You accept that this Agreement governs Your use of the software. By selecting the “Accept License Agreement” button or box (or the equivalent) or installing or using the Programs, You indicate Your acceptance of this Agreement and Your agreement, as an authorized representative of Your company or organization (if being acquired for use by an entity) or as an individual, to comply with the license terms that apply to the software that You wish to download and access. If You are not willing to be bound by this Agreement, do not select the “Accept License Agreement” button or box (or the equivalent) and do not download or access the software.
We have seen examples where unauthorized employees have downloaded software and agreed to terms such as those in the Oracle Java SE license. Although perhaps there are legal arguments that those employees were not authorized to download the software, and therefore the company is not bound, it is better to not need to climb that hill in the first place.
What are the risks of agreeing to the Java SE license? Execution of this license by companies who are not thinking through the potential liability issues raise significant areas of risk. For example, the license provides that:
“License Rights and Restrictions Oracle grants You a nonexclusive, nontransferable, limited license to use the Programs, subject to the restrictions stated in this Agreement and Program Documentation, only for:
(i) Personal Use,
(ii) Development Use,
(iii) Oracle Approved Product Use, and/or
(iv) Oracle Cloud Infrastructure Use.
You may allow Your Contractor(s) to use the Programs, provided they are acting on Your behalf to exercise license rights granted in this Agreement and further provided that You are responsible for their compliance with this Agreement in such use. You will have a written agreement with Your Contractor(s) that strictly limits their right to use the Programs and that otherwise protects Oracle’s intellectual property rights to the same extent as this Agreement. You may make copies of the Programs to the extent reasonably necessary to exercise the license rights granted in this Agreement.”
So say a company uses the Java SE in development. The license agreement provides that right.
“Development Use” is defined as “Your internal use of the Programs to develop, test, prototype and demonstrate Your Applications. For purposes of clarity, the “to develop” grant includes using the Programs to run profilers, debuggers and Integrated Development Environments (IDE Tools) where the primary purpose of the IDE Tools is profiling, debugging and source code editing Applications.”
However, should the company then begin using the software in production, the company would then be outside the scope of the licensed use. The Java SE license also contains an audit clause allowing Oracle to audit the companies use of the programs. As a result, once the software is used in production it is incumbent on the company to obtain a proper license. We will discuss more about this issue below.
Another potential pitfall is what constitutes “Oracle Approved Product Use”. According to the license:
“Oracle Approved Product Use” refers to Your internal use of the Programs only to run: (a) the product(s) identified as Schedule A Products at https://java.com/oaa; and/or (b) software Applications developed using the products identified as Schedule B Products at java.com/oaa by an Oracle authorized licensee of such Schedule B Products. If You are unsure whether the Application You intend to run using the Programs is developed using a Schedule B Product, please contact your Application provider.”
What does this mean? Certain types of Oracle products are included in the Oracle approved use and certain third party products may be as well. So companies should ensure that the Oracle products that they are using are included and that other applications the company is using are as well. The Java SE license provides that any other uses not specified require another license. According to the license agreement:
“[a]ll rights not expressly granted in this Agreement are reserved by Oracle. If You want to use the Programs for any purpose other than as expressly permitted under this Agreement, You must obtain from Oracle or an Oracle reseller a valid Program license under a separate agreement permitting such use.”
What happens if a company needs to obtain a Java license for commercial use? Companies who need to obtain a license for commercial use will enter into an Ordering Document with Oracle to purchase an annual subscription for Java. That Ordering Document will also require that the customer execute an Oracle Master Agreement (“OMA”). In the licensing definitions included in the OMA or Ordering Document, the customer will find the definition of what constitutes “use” as it pertains to the processor metric. This then is where Oracle will attempt to put into play its extra-contractual assertions of what it means for Oracle software to be “installed and/or running” In other words Oracle’s “prospective use” argument and its strained (and in our opinion incorrect) interpretation of what it means for Oracle software to be “installed and/or running”. Clients running VMware can expect that Oracle will likely allege large compliance gaps for use of Java in VMware environments given Oracle’s past audit track record. So be prepared.
How can a company protect itself now and prepare for the inevitable Oracle audit? Companies should take steps now to see seek legal and technical advice concerning what are the best practices for staying compliant and mitigating the risks associated with use of Java and its implications for future Oracle audits. Now is the time for companies to retain expert consultants who can analyze the company’s IT environment and identify what applications are Oracle approved products, etc. Such experts can also advise if there are ways to use OpenJDK instead of Oracle JDK, the commercial version, which can save on licensing costs and mitigate risks.
What is the lesson learned from this blog post? Companies should not respond to Oracle’s attempts at soft audits of its usage of Java. Ignore these overtures and instead take steps to understand your legal rights and your compliance position. It is much better to go to Oracle and put in your order for exactly what licenses you need to be compliant rather than allowing Oracle to come in and poke around in your environment and then serve up a large non-compliance bill.
Link to the original article: https://www.tacticallawgroup.com/oracle-software-audit-blog/warning-to-oracle-customers-dont-be-fooled-by-oracles-java-playbook-oracle-is-not-your-friend
Content used with permission from the original author, Pam Fulmer from Tactical Law.
