Oracle finally targets Java non-payers – six years after plucking Sun

Thought Java was 'free'? Think again (and you owe us $$$ in 2017)

Oracle is massively ramping up audits of Java customers it claims are in breach of its licences – six years after it bought Sun Microsystems.

A growing number of Oracle customers and partners have been approached by Larry Ellison’s firm, which claims they are out of compliance on Java.

Oracle bought Java with Sun Microsystems in 2010 but only now is its License Management Services (LMS) division chasing down people for payment, we are told by people familiar with the matter.

The database giant is understood to have hired 20 individuals globally this year, whose sole job is the pursuit of businesses in breach of their Java licences.

In response, industry compliance specialists are themselves ramping up, hiring Java experts and expanding in anticipation of increased action from LMS in 2017 on Java. Huge sums of money are at stake, with customers on the hook for multiple tens and hundreds of thousands of dollars.

The flavour of Java in contention is Java SE, which has three paid-for packages that range from $40 to $300 per named user and from $5,000 to $15,000 for a processor licence.

(For what it's worth, these paid-for binary distributions are separate from the open-source OpenJDK project, which is free to use. Java SE is a binary distribution that can be free. It has some paid-for features – and to enable them in production, you usually have to flip a switch like -XX:+UnlockCommercialFeatures – but, as we shall see, the situation is not completely clear for all customers.)

The Register has learned of one customer in the retail industry with 80,000 PCs that was informed by Oracle it was in breach of its Java SE agreement. Oracle apparently told another Java customer it owed $100,000 – but the bill was slashed to $30,000 upon challenge.

Experts are now advising extreme caution in downloading Java SE while those who’ve downloaded should review their use – and be prepared before LMS comes calling. Those gurus separately told The Reg of an upswing in customers seeking help on Java licensing after being contacted by LMS in the second half of 2016.

“Oracle has started marking this as an issue,” one expert told The Reg on condition of anonymity. Our source claimed there had been a jump in enquiries in the past five months.

Craig Guarente, chief executive and founder of Palisade Compliance, told us Oracle’s not drawing the line at customers either, with partners feeling the LMS heat, too.

“Oracle is targeting its partners. That makes people angry because they are helping Oracle,” he told us. "Partners want to know: 'How could Oracle do this to me?' Java is something that comes up more and more with our clients because Oracle is pushing them more and more."

The root cause seems to be the false perception that Java is always “free.”

That impression dates from the time of Sun; Java under Sun was available for free – as it is under Oracle – but for a while Sun did charge a licensee fee to companies like IBM and makers of Blu-ray players, though for the vast majority, Java came minus charge. That was because Sun used Java as the thin end of the wedge to help sales of its systems.

Oracle has taken the decision to monetise Java more aggressively.

Java SE is a broad and all-encompassing download that includes Java SE Advanced Desktop, introduced by Oracle in February 2014, and Java SE Advanced and Java SE Suite, introduced by Oracle in May 2011.

As we've said, Java SE can be free, although Java SE Advanced Desktop, Advanced and Suite are not. Java SE Suite, for example, costs $300 per named user with a support bill of $66; there’s a per-processor option of $15,000 with a $3,300 support bill. Java SE comes with the free JDK and JRE, but Advanced Desktop, Advanced and Suite layer in additional capabilities such as Java Mission Control and Flight Recorder also known as JRockit Mission Control and JRockit Flight Recorder.

Also included is the Microsoft Windows Installer Enterprise JRE Installer for large-scale rollout of Java.

Java SE is free for what Oracle defines as “general purpose computing” – devices that in the words of its licence cover desktops, notebooks, smartphones and tablets. It is not free for what Oracle’s licence defines as “specialized embedded computers used in intelligent systems”, which Oracle further defines as – among other things – mobile phones, handheld devices, networking switches and Blu-Ray players.

It sounds simple enough, doesn't it? But it is customers in these general-purpose settings getting hit by LMS. The term "general purpose" computing is too loosely defined, allowing Oracle to claim customers' applications are specialised and therefore ding them with invoices.

There’s also no way to separate the paid-for Java SE component products from the free Java SE umbrella at download as Oracle doesn’t offer separate installations – they're all bundled together and that leads to confusion and mistakes down the line when paid-for features are unexpectedly used.

You only become a designated user of, say, Java SE Suite, when you enable the necessary bits associated with that package – and then you pay accordingly. If you switch on features, deliberately or accidentally, and then forget about them or no longer need them, you may end up with a bill from Oracle you didn't expect.

For example, if you want to roll out Java SE in a big deployment, as you would following the development of your app, you’ll need Microsoft Windows Installer Enterprise JRE Installer – and that’s not part of the free Java SE.

“People aren’t aware,” Guarente told The Reg. “They think Java is free – because it’s open source so you can use it. It’s not that the contracts are unclear; there’s a basic misunderstanding."

Our anonymous compliance expert also added:

If you download Java you get everything and you need to make sure you are installing only the components you are entitled to and you need to remove the bits you aren’t using. Commercial use is any use of those paid features. ’General purpose’ is vaguely defined – hence the reason for a lot of disputes.

The moment you start to deliver something that lets end users obtain products and services after your Java SE app has been distributed, your software stops being general purpose – and that’s something more organisations are using such apps for. “Oracle wants to make money from that,” our source said.

Why is Oracle acting now, six years into owning Java through the Sun acquisition?

It is believed to have taken that long for LMS to devise audit methodologies and to build a detailed knowledge of customers’ Java estates on which to proceed.

LMS is now poised to aggressively chase Java SE users in 2017.

“I expect Oracle will increase this in 2017,” Guarente told The Reg. “All the trends show Oracle’s LMS audit team is being more aggressive and trying to drive more revenue than they were last year or the year before. I don’t think 2017 is going to see a kinder and gentler Oracle.“

What should you do?

“If you download Java, you get everything – and you need to make sure you are installing only the components you are entitled to and you need to remove the bits you aren’t using,” our anonymous expert warned.

“If you [already] have Java, make sure of the specific components you are really using and how they are being used and based on that, validate if you are having issued before Oracle figures it out.”

Oracle did not comment for this article despite repeated requests from The Register. ®

Similar topics

Other stories you might like

  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading
  • China-linked Twisted Panda caught spying on Russian defense R&D
    Because Beijing isn't above covert ops to accomplish its five-year goals

    Chinese cyberspies targeted two Russian defense institutes and possibly another research facility in Belarus, according to Check Point Research.

    The new campaign, dubbed Twisted Panda, is part of a larger, state-sponsored espionage operation that has been ongoing for several months, if not nearly a year, according to the security shop.

    In a technical analysis, the researchers detail the various malicious stages and payloads of the campaign that used sanctions-related phishing emails to attack Russian entities, which are part of the state-owned defense conglomerate Rostec Corporation.

    Continue reading

Biting the hand that feeds IT © 1998–2022