Oracle is settling with the FTC over its failure to alert users to vulnerabilities in its Java software, which operates behind the scenes on virtually all consumer computers. Like pretty much all software, Java contains vulnerabilities that are found from time to time and then fixed during ordinary-course security updates. Until recently, however, the Java update mechanism didn’t automatically remove prior, vulnerable versions of Java when installing the newer version. Therefore, security flaws in these outdated versions remained on users’ systems even after the users believed they had plugged the security holes. According to the FTC, Oracle didn’t sufficiently disclose this behaviour of the update mechanism to users, and therefore violated Section 5(a) of the Federal Trade Commission Act.
Oracle isn’t paying fines or admitting liability, but it is agreeing to a remediation order. Two points deserve mention:
First, the order provides that Oracle “must not misrepresent . . . the privacy or security of the Covered Software on a consumer’s computer, including but not limited to the effect on privacy or security of any installation or update of the Covered Software.” The order doesn’t provide any more detail than that. Similar “obey the law” orders are longstanding favorites of administrative agencies because of their flexibility—and are subject to the longstanding criticism that they impose the penalty of contempt on persons and companies who haven’t received meaningful notice of exactly what is and isn’t prohibited. Combined with the widely-fretted-about breadth of the FTC’s newfound authority to regulate cyber security (*ahem, Wyndham*), this practice doesn’t bode well for predictability in cybersecurity regulation.
The second interesting aspect of the remedial order is its creativity. Oracle is required to tell users about Java’s vulnerabilities not only in conventional ways—like through public notices and through the update mechanism itself—but also through social media. Oracle will publish consumer notices through Facebook and Twitter, and the FTC itself is publicising the vulnerabilities through its consumer blog.