The Federal Trade Commission has settled claims against Oracle that it deceived consumers about security updates to Oracle’s Java Platform, Standard Edition software (Java SE).  Java SE, which is used for interactive web browsing, is installed on more than 850 million personal computers.

In its complaint, the FTC alleged that Oracle has known of vulnerabilities affecting older versions of Java SE since it acquired the program in 2010.  The issue arose because users could have downloaded multiple versions of Java SE which were stored in separate files on their devices.  The FTC claimed that as Oracle patched these vulnerabilities and rolled out updates to users, the software used to update Java SE updated only the most recent version persisting on the device.  In other words, Oracle did not assess what files were on the user’s device and either remove older versions of the program or update all versions on the device.  Users were left with the belief that security holes had been patched, without realizing that the older versions of Java SE left on their computers could continue to be exploited by hackers.

The FTC claimed that despite knowing of these problems, Oracle did not tell consumers that they needed to manually uninstall older versions of Java SE.  Instead, Oracle told consumers they would be “safe and secure” if they installed security updates.  The complaint alleges that these failures to disclose and affirmative statements were deceptive, in violation of Section 5 of the FTC Act.

Thus, under the terms of a proposed consent order, Oracle must provide consumers with the ability to easily uninstall older versions of Java SE that left software users vulnerable to hacking and malware attacks.  Oracle will do so by notifying consumers as they update Java SE whether they have old versions of the software on their computer, as well as informing them of the risks posed by older software.  Additionally, the new updating software must give users the option to uninstall older versions of Java SE.  No fine or penalty would be assessed as part of the proposed settlement.

The Commission voted 4-0 to issue the complaint and accept the proposed consent order.

The Oracle settlement suggests that companies should make sure that the assurances provided to consumers closely track the reality of their business operations.  The FTC took a broad stance on Oracle’s statements accompanying the updates that installation would improve security and that using Java would be “safe and secure.”  Generally, this statement would be true as to the version of Java that triggered the prompt to update.  However, the FTC’s position presumes that most users do not understand how to manage their devices and control the software resident on those devices.  Likewise, the FTC alleges that Oracle knew that there was a version control issue on consumers’ devices and that the security patch being offered would leave any unsophisticated user open to known vulnerabilities if those older versions remained on the device.  Ultimately, the key is to make certain that the consumer-facing disclosures are written by individuals who understand technology and business realities, and that such disclosures inform consumers of vulnerabilities that are not corrected by the updates or are not otherwise remedied.  In the end, such communications further the ultimate goals of better security and customer satisfaction.