Business

Oracle demands $12K from network biz that doesn't use its software

Mistake, fishing expedition, or attempt to hold a company liable for its customers?

By Thomas Claburn in San Francisco

105 SHARE

Merula Limited, a UK-based network service provider, recently received a bill from Oracle for $12,200 for using the company's proprietary VirtualBox Extension Pack, which provides extra capabilities for the free GPL-licensed VirtualBox hypervisor.

For Richard Palmer, director of the company, this was a perplexing demand. As he explained to The Register, "Merula does not operate or manage any computer using VirtualBox or any Oracle software."

Oracle provided the company with a range of IP addresses, more than 100, that it claimed had been using its proprietary VirtualBox Extension Pack in conjunction with VirtualBox installations.

It's claimed that Oracle's software phones home to report where it's being used, though the company may be repurposing VirtualBox telemetry for its audits. Or it may simply be checking the IP addresses associated with downloads of the software and contacting address registrants to seek payment.

According to Palmer, while the IP addresses cited fall within Merula's assignment range, they're not all those used by the biz, which runs a virtual network for several other companies that control their own IP addresses. So those it does control aren't part of its core or hosting environment; rather they're used by customers on broadband connections.

In short, Palmer believes Oracle is billing the wrong entity. Yet Oracle's message to the company suggests it wants to hold Merula accountable for the software used by its customers.

"Although your organization might be an ISP however if your use is outside of your customer base beyond 30 days, payments are due to Oracle," the confusingly worded billing demand says.

For the past three days, The Register has been seeking clarification from Oracle about whether this is actually the company's intention. It may just be that Merula was billed by mistake, but Palmer expressed doubt about that.

An Oracle spokesperson told The Register that a UK sales representative intends to get in touch with Merula to clear things up. Palmer, however, on Thursday said he hadn't heard anything further since the initial billing demand.

He said he wonders whether Oracle's demand might be a fishing expedition to get Merula to cough up customer data, similar to the scattershot legal demands that music companies in the past directed at ISPs to get the identities of subscribers sharing copyrighted music. Having that data would make it easier for Oracle to target payment demands.

And Palmer is not alone in that suspicion. In a phone interview with The Register, David Woodard, COO of House of Brick Technologies, a Nebraska-based IT consultancy, said normally when a company sends another a bill, there's usually some sort of agreement or contract between them.

"It seems like a fishing expedition," Woodard said. "Normally, when we see Oracle say these IP addresses have downloaded this software, we haven't seen it get to the point where they send them a bill."

Woodard said that while Oracle was within its rights to go after license violators, it ought to be sure it's invoicing the right people.

Palmer's experience appears not to be unique either. A recently deleted Reddit post, preserved presently in Google's web cache, contains a similar anecdote. Another Reddit post from a year ago tells the same story. And a Reddit post from earlier this month says as much.

Paul Berg, a software licensing consultant, expressed concern about Oracle's software license auditing practices in an email to The Register.

"When companies use their legal department as a profit center it is highly indicative that the products they claim they are incorporated to provide are no longer competitive in the marketplace," he said.

"They are not seeing a path for themselves to change that either, as evidenced by the fact they are more willing to damage their brand with a broad campaign of litigation against the small parties already using portions of their product, which are both their best potential new customers and unable to successfully defend themselves, rather than market to them and bring them into compliance." ®

Sign up to our NewsletterGet IT in your inbox daily

105 Comments

Keep Reading

Oracle staff say Larry Ellison's fundraiser for Trump is against 'company ethics' – Oracle, ethics... what dimension have we fallen into?

Ah, bless

Oracle teases prospect of playing nicely with open-source Java in update to WebLogic application server

'Low cost of ownership'? This must be an April Fools

Oracle OKs Oracle investors to sue Oracle: Put NetSuite suit before a judge – board panel

Investors peeved Larry Ellison owned 40% of the biz he paid billions in Big Red cash to buy

Oracle leaves its heart in San Francisco – or it would do if, you know, Oracle had a heart

OpenWorld moving to Vegas, baby: SF now too expensive not to mention the filthy streets, open drug use...

Campaigners cry foul play as Oracle funds conservative lobby group supporting its court case against Google

Google-funded think tanks need to sit back and, er, have a think

Oracle makes some certifications and cloudy content free, in case you have time on your hands

Mum? Dad? What was lockdown like? It went by in a flash, junior, because we studied for a database certification

Oracle staffers in Europe weather cloudy job cuts: As many as 1,300 workers face chop after sales slide

Database giant needs 'adapt its spending to its revenue situation'

SPARCs fly as Oracle recharges Arm server processor designer Ampere with $40m

Ohm my God

Kiwi tax probe squeezed $25m out of Microsoft – now it's Oracle's turn

New Zealand's Inland Revenue Department has questions about transfer pricing

Some good coronavirus news: Monster Google-Oracle API copyright battle on hold as bio-nasty shuts Supremes

Tesla Delaware lawsuit also delayed

Tech Resources

10 Critical Issues to Cover in Your Vendor Security Questionnaires

In today’s perilous cyber world, it’s crucial for companies to assess and monitor the security of their vendors, suppliers and business partners. Failing to do so can be risky, because hackers frequently steal sensitive enterprise data by targeting the third parties to which enterprises are connected.

2020 CrowdStrike Global Threat Report

The 2020 Global Threat Report is one of the industry's most highly anticipated reports on today's most significant cyber threats and adversaries.

A Definitive Guide to Understanding and Meeting the CIS Critical Security Controls

The CIS Critical Security Controls are the industry standard for good security. Are you up to par?

The Data-Driven Case for CI

What does a high performing technology delivery team look like? How do you know if your team is doing well?