Mistake, phishing expedition, or an attempt by Oracle to hold a company liable for its customers?
Merula Limited, a UK-based network service provider, recently received a bill from Oracle for $12,200 for using the company’s proprietary VirtualBox Extension Pack, which provides extra capabilities for the free GPL-licensed VirtualBox hypervisor.
For Richard Palmer, director of the company, this was a perplexing demand. As he explained to The Register, “Merula does not operate or manage any computer using VirtualBox or any Oracle software.”
Oracle provided the company with a range of IP addresses, more than 100, that it claimed had been using its proprietary VirtualBox Extension Pack in conjunction with VirtualBox installations.
It’s claimed that Oracle’s software phones home to report where it’s being used, though the company may be repurposing VirtualBox telemetry for its audits. Or it may simply be checking the IP addresses associated with downloads of the software and contacting address registrants to seek payment.
According to Palmer, while the IP addresses cited fall within Merula’s assignment range, they’re not all those used by the biz, which runs a virtual network for several other companies that control their own IP addresses. So those it does control aren’t part of its core or hosting environment; rather they’re used by customers on broadband connections.
In short, Palmer believes Oracle is billing the wrong entity. Yet Oracle’s message to the company suggests it wants to hold Merula accountable for the software used by its customers.
“Although your organization might be an ISP however if your use is outside of your customer base beyond 30 days, payments are due to Oracle,” the confusingly worded billing demand says.
For the past three days, The Register has been seeking clarification from Oracle about whether this is actually the company’s intention. It may just be that Merula was billed by mistake, but Palmer expressed doubt about that.
An Oracle spokesperson told The Register that a UK sales representative intends to get in touch with Merula to clear things up. Palmer, however, on Thursday said he hadn’t heard anything further since the initial billing demand.
He said he wonders whether Oracle’s demand might be a fishing expedition to get Merula to cough up customer data, similar to the scattershot legal demands that music companies in the past directed at ISPs to get the identities of subscribers sharing copyrighted music. Having that data would make it easier for Oracle to target payment demands.
And Palmer is not alone in that suspicion. In a phone interview with The Register, David Woodard, COO of House of Brick Technologies, a Nebraska-based IT consultancy, said normally when a company sends another a bill, there’s usually some sort of agreement or contract between them.
“It seems like a fishing expedition,” Woodard said. “Normally, when we see Oracle say these IP addresses have downloaded this software, we haven’t seen it get to the point where they send them a bill.”
Woodard said that while Oracle was within its rights to go after license violators, it ought to be sure it’s invoicing the right people.
Palmer’s experience appears not to be unique either. A recently deleted Reddit post, preserved presently in Google’s web cache, contains a similar anecdote. Another Reddit post from a year ago tells the same story. And a Reddit post from earlier this month says as much.
Paul Berg, a software licensing consultant, expressed concern about Oracle’s software license auditing practices in an email to The Register.
“When companies use their legal department as a profit center it is highly indicative that the products they claim they are incorporated to provide are no longer competitive in the marketplace,” he said.