Business

Oracle demands $12K from network biz that doesn't use its software

Mistake, fishing expedition, or attempt to hold a company liable for its customers?

By Thomas Claburn in San Francisco

105 SHARE

Merula Limited, a UK-based network service provider, recently received a bill from Oracle for $12,200 for using the company's proprietary VirtualBox Extension Pack, which provides extra capabilities for the free GPL-licensed VirtualBox hypervisor.

For Richard Palmer, director of the company, this was a perplexing demand. As he explained to The Register, "Merula does not operate or manage any computer using VirtualBox or any Oracle software."

Oracle provided the company with a range of IP addresses, more than 100, that it claimed had been using its proprietary VirtualBox Extension Pack in conjunction with VirtualBox installations.

It's claimed that Oracle's software phones home to report where it's being used, though the company may be repurposing VirtualBox telemetry for its audits. Or it may simply be checking the IP addresses associated with downloads of the software and contacting address registrants to seek payment.

According to Palmer, while the IP addresses cited fall within Merula's assignment range, they're not all those used by the biz, which runs a virtual network for several other companies that control their own IP addresses. So those it does control aren't part of its core or hosting environment; rather they're used by customers on broadband connections.

In short, Palmer believes Oracle is billing the wrong entity. Yet Oracle's message to the company suggests it wants to hold Merula accountable for the software used by its customers.

"Although your organization might be an ISP however if your use is outside of your customer base beyond 30 days, payments are due to Oracle," the confusingly worded billing demand says.

For the past three days, The Register has been seeking clarification from Oracle about whether this is actually the company's intention. It may just be that Merula was billed by mistake, but Palmer expressed doubt about that.

An Oracle spokesperson told The Register that a UK sales representative intends to get in touch with Merula to clear things up. Palmer, however, on Thursday said he hadn't heard anything further since the initial billing demand.

He said he wonders whether Oracle's demand might be a fishing expedition to get Merula to cough up customer data, similar to the scattershot legal demands that music companies in the past directed at ISPs to get the identities of subscribers sharing copyrighted music. Having that data would make it easier for Oracle to target payment demands.

And Palmer is not alone in that suspicion. In a phone interview with The Register, David Woodard, COO of House of Brick Technologies, a Nebraska-based IT consultancy, said normally when a company sends another a bill, there's usually some sort of agreement or contract between them.

"It seems like a fishing expedition," Woodard said. "Normally, when we see Oracle say these IP addresses have downloaded this software, we haven't seen it get to the point where they send them a bill."

Woodard said that while Oracle was within its rights to go after license violators, it ought to be sure it's invoicing the right people.

Palmer's experience appears not to be unique either. A recently deleted Reddit post, preserved presently in Google's web cache, contains a similar anecdote. Another Reddit post from a year ago tells the same story. And a Reddit post from earlier this month says as much.

Paul Berg, a software licensing consultant, expressed concern about Oracle's software license auditing practices in an email to The Register.

"When companies use their legal department as a profit center it is highly indicative that the products they claim they are incorporated to provide are no longer competitive in the marketplace," he said.

"They are not seeing a path for themselves to change that either, as evidenced by the fact they are more willing to damage their brand with a broad campaign of litigation against the small parties already using portions of their product, which are both their best potential new customers and unable to successfully defend themselves, rather than market to them and bring them into compliance." ®

Sign up to our NewsletterGet IT in your inbox daily

105 Comments

More from The Register

Oracle leaves its heart in San Francisco – or it would do if, you know, Oracle had a heart

OpenWorld knees-up moving to Vegas, baby, because SF too expensive

Oracle OKs Oracle investors to sue Oracle: Put NetSuite suit before a judge – board panel

Investors peeved Larry Ellison owned 40% of the biz he paid billions in Big Red cash to buy

SPARCs fly as Oracle recharges Arm server processor designer Ampere with $40m

Ohm my God

Kiwi tax probe squeezed $25m out of Microsoft – now it's Oracle's turn

New Zealand's Inland Revenue Department has questions about transfer pricing

We're free in 3... 2... 1! Amazon unhooks its last Oracle database, nothing breaks and life goes on

No Big Red now in use other than by third-party apps, firm claims

Scrambling for cloud relevance, Oracle hires... 2,000? Yes, that sounds like a nice round number

Let's all pretend that we don't remember the layoffs in March

Gone in a flash: Oracle lays off hundreds as the biz formerly known as Pillar Data is shuttered

The conference call equivalent of being taken round the back and...

Former Oracle product manager says he was forced out for refusing to deceive customers. Now he's suing the biz

Database giant insists that ain't so, will fight lawsuit

Oracle and Google will fight in court over Java AGAIN and this time it's going to the Supremes

The case that just won't die

IT sales star wins $660k lawsuit against Oracle in Qatar – but can't collect, because the Oracle he sued suddenly vanished

Database biz shifted its assets to another biz mid-trial

Whitepapers

Faster Response with CrowdStrike and MITRE ATT&CK

Today’s threat landscape has created new challenges for security analysts and incident responders.

Detecting cyber attacks as a small to medium business

If security by obscurity is no longer an option, and inaction is a risk in itself, what can smaller enterprises do to protect themselves? Endpoint Detection and Response (EDR) solutions can go a long way towards minimising the level of threat, but they need to be chosen and used in the right way.

Evolving Datacenters without Complexity

In this session, we’ll talk about how IT leaders are advancing the capabilities of their datacenters to rise to today’s challenges. Our guest speaker, Chris Bradford, Product Manager at DataStax will bring first-hand expertise to a discussion with The Register host Elena Perez.

The politics and practicalities of IT procurement

Having more options available can be quite liberating, but for some, the additional choices and decisions can become almost paralysing.