Is Oracle non-compliant? An academic evaluation of Oracle’s licensing policy
Value of information of Oracle's processor definitions


The story of a 3.2 billion Euro claim

Contracts are generally referred to as “Terms and Conditions”. The conditions are the rules of the contract, and the definitions of its terms are mostly rule-based as well. The text of a contract can only be read with the precise definition of every term, to the letter, in mind. Every legal consultant knows this.

The “Terms and Conditions” for software centre around licences. A licence is a right to use the software; you do not own the software. When you buy a licence, you purchase a right, and that right is limited. Limitations can be set on the number of users, installations, servers or employees, or on whatever metric a software producer sees fit for its product in order to maximise profit.

With a user metric, it must be defined very precisely what a “user” is: a person, an account, the maximum number of persons connected at the same time, or the total number of persons that have access or are authorised for access. Another often-used metric is the “processor” metric. Every producer has its own definition of “processor”, and producers sometimes allow customer-specific changes to these definitions. Oracle, for example, has a very specific definition of a processor [note 1]. Within that definition, the licensed right of use is limited to a calculated number of physical cores [1].

If a company purchased four processor licences for Oracle products, an engineer would nowadays create a virtual server with four virtual processors on which to install these products.

But a virtual server is part of a cluster of physical servers. An average cluster has three physical servers, and a normal physical server can have 32 cores. If the cluster is placed in a high-availability environment, it will probably be mirrored in another location. This means a total of 6 x 32 = 192 physical cores are present.

According to the software producer Oracle and the small print of its terms and conditions, every one of those cores counts. With the core factor of 0.5 that Oracle's Core Factor Table assigns to common x86 server processors, 192 cores correspond to 96 processor licences, so you need an additional 92 licences on top of the four you bought. With an average price of 50,000 euros per licence, this quite common misinterpretation of terms leads, in this example, to a 4.6 million euro non-compliance claim. But the reality is far worse. Large companies, governments and institutions have multiple connected clusters and increasingly use cloud solutions; they easily exceed thousands of cores within their IT environment. You need an extensive team of licensing experts to understand how the legal text in the terms and conditions translates to reality. Mistakes are easily made, and they have huge financial consequences. The producers know this and audit frequently, especially when they need to boost their turnover.

As a result of audits, the Dutch government received a non-compliance claim of 3.2 billion euros [2], and the company Mars received a 200 million claim followed by a lengthy legal battle [3]. These examples are just the tip of the iceberg. A large percentage of the revenue of big software producers is related to the outcome of audits [4]. The cases of the Dutch government and Mars were settled out of court, accompanied by a non-disclosure agreement.

Analysis of the story of the claim worth 3.2 billion.

If the conditions prescribe that you must licence every processor, the outcome of the licensing process will be very different depending on whether the term “processor” is defined as a physical core, a physical processor, a processor socket, an allocated processor, an allocated core, a virtual processor or a virtual processor capacity.
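To make the gap between these readings of “processor” concrete, the following is an added worked example (my own illustration for this article, not code from the original text, from Oracle or from any licensing tool). It takes the cluster of the example above (three hosts per site, mirrored, 32 cores per host, one guest with four virtual processors) and computes the licence count under each reading of the word, including the contractual definition from note 1. The split of each host into two sockets of 16 cores, the core factor of 0.5 and the price of 50,000 euros are assumptions for the illustration; the real factor depends on the processor model in Oracle's Core Factor Table.

```python
"""Licence counts for one virtual server under different definitions of "processor".

Added example for the article; constructed input, not data from a real audit.
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Host:
    """One physical server in the cluster."""
    name: str
    sockets: int
    cores_per_socket: int

    @property
    def cores(self) -> int:
        return self.sockets * self.cores_per_socket


def oracle_processor_licences(hosts, core_factor, standard_edition=False):
    """Licences under Oracle's contractual definition (note 1): every processor
    where the program is installed and/or running counts. For Enterprise products,
    all cores on all hosts are aggregated, multiplied by the core factor, and any
    fraction is rounded up. For Standard Edition products, occupied sockets are
    counted instead (the multi-chip-module rule is not modelled here)."""
    if standard_edition:
        return sum(h.sockets for h in hosts)
    total_cores = sum(h.cores for h in hosts)
    return ceil(total_cores * core_factor)


def licences_by_definition(vcpus, hosts, core_factor):
    """Licences a guest with `vcpus` virtual processors needs under each reading of
    "processor" listed in the text. `hosts` are the physical servers the guest can
    run on; in a clustered, mirrored setup that is every host in both locations."""
    return {
        "virtual processor (what the engineer provisions)": vcpus,
        "physical core on every host the guest can run on": sum(h.cores for h in hosts),
        "processor socket on every host the guest can run on": sum(h.sockets for h in hosts),
        "Oracle definition, Enterprise (cores x core factor, rounded up)":
            oracle_processor_licences(hosts, core_factor),
        "Oracle definition, Standard Edition (occupied sockets)":
            oracle_processor_licences(hosts, core_factor, standard_edition=True),
    }


def exposure(required, owned, unit_price):
    """Licence shortfall and the claim an audit would derive from it."""
    shortfall = max(required - owned, 0)
    return shortfall, shortfall * unit_price


# Constructed input mirroring the article's example: 3 hosts per site, mirrored to
# a second site, 32 cores per host. The split into 2 sockets x 16 cores and the core
# factor of 0.5 are assumptions; the real factor comes from Oracle's Core Factor Table.
CLUSTER = tuple(Host(f"site{s}-host{n}", sockets=2, cores_per_socket=16)
                for s in (1, 2) for n in (1, 2, 3))
CORE_FACTOR = 0.5
VCPUS, OWNED, PRICE = 4, 4, 50_000

if __name__ == "__main__":
    for reading, required in licences_by_definition(VCPUS, CLUSTER, CORE_FACTOR).items():
        short, claim = exposure(required, OWNED, PRICE)
        print(f"{reading:66} {required:4d} licences, shortfall {short:3d}, claim EUR {claim:>10,}")
```

Run as a script, the guest needs 4 licences under the engineer's reading, 12 under a socket reading, 96 under Oracle's Enterprise definition (a shortfall of 92 and a claim of 4.6 million euros) and 192 if every physical core counted one-to-one. The entire spread comes from which hosts the guest is counted as able to run on, which is precisely the control the platform team holds and the application team does not; the check a practitioner wants before an audit is therefore the set of hosts a guest can land on, not the guest's own vCPU count.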

Architects designing a system, the engineers installing it and the employees of the IT operations department use a general and very operational definition of the concept “processor”. It is best expressed in the ISO 97/1 915 norm adopted within IATE [5], the European Union terminology database: a processor is a “(..) functional unit that interprets and executes instructions.” There is no guarantee that these employees use any specified definition of the term. Most likely, the definition they use is a personal interpretation of the general container concept of “processor”.

In the last decade, virtualisation has increased greatly. Virtual servers and cloud services with virtual processors and virtual capacity have replaced “bare metal” server installations. Thus, in the definitions of architects and engineers, a processor has become something virtual with an assigned virtual size. Engineers and architects typically do not read the licence agreements and therefore do not know the limitations of the contractual term “processor”. Procurement and the assisting legal consultants seldom inform the architects and engineers about the limitations in the terms and conditions of their contracts. After signing, the contracts are safely stored by the finance department and only consulted to pay the annual support and maintenance fees.

For architects to do their work effectively, with the least risk of large financial consequences after an audit, they must design and implement systems within the legal constraints of the “terms and conditions”. To do this, they need to understand and apply every definition of “processor” imposed by all relevant producers.

And to some degree they know these definitions. Typically, a cluster or cloud architect or project manager knows the definitions associated with the platform software. These definitions are the constraints and the most important variables in the business case for creating a platform.

But they do not know the terms and conditions of the application software that is installed on these platforms. And why should they? They only deliver the platform. Their services are captured in a service level agreement (SLA) with their customers. SLAs are expressed in terms like “performance”, “integrity”, “continuity” and “availability”. If they need to add more processors to solve performance issues, they must.

It is up to the application and database engineers of the customer to install the application software and to be responsible for the compliance of these installations. But they cannot be, because they have no influence over the platform controls that determine the count. Note that the SLA between the platform provider and the customer is in direct conflict with the “terms and conditions” of the software producer.

This example shows that the concepts and definitions of words are actively altered to serve a purpose. That purpose is not always one of integrity.

Without applying, or being able to apply, the explicit definition stated in the glossary of the “terms and conditions”, people fall back on a personal definition. When the term is identical to a common word, people are increasingly likely to derive their own definition from the general concept of that word. Distinctly different definitions need distinctly different names; otherwise, they will not be recognised as different. Furthermore, people also appear more likely to formulate their definitions as a general principle than as a strict rule. In a future article, I will present the results of my research on this phenomenon.

A new industry

It seems that the large software producers already know this phenomenon and exploit it to the maximum. The people who sign the contract are not responsible for the installations, and the people who are responsible for the installations are not able to influence the controls needed to manage the terms and conditions of the contract. The terms and conditions thus put the controls of a contract in the hands of a group of people who are not involved and who have conflicting interests.

In response to the opportunism of the producers, a whole new industry of third-party auditors, counter-auditors, audit-defence consultants, licence consultants, software asset management consultants and software asset management software producers has emerged. The cost of all these friendly services should be added to the total financial exposure that audits impose. It indicates that serious money is to be made if you can create semantic confusion with legally binding definitions of terms. It suggests a seemingly deliberate act: use general concepts like “processor” and alter the concept behind the term to your advantage.

An academic evaluation

People create simple, usable personal concepts to represent difficult technical objects. Within a context, they alter all related concepts to fit them into the full narrative. Complex, legally binding definitions will not survive within the architects’ and engineers’ personal concepts of these terms, especially when the definition is disconnected from daily operational reality. Humans tend to alter new concepts to make them fit their existing concepts of reality. This subsequently leads to an altered perception of reality and to cognitive dissonance.

This example shows that architects, platform engineers, application engineers, IT operations, procurement and legal consultants are at risk of living in their own altered reality: they have different concepts of the same words. These people are also key personnel when it comes to cybersecurity. They all have the same strategic and tactical goals, to keep the organisation operational and to keep its assets secure. In the end, they have to work together.

Value of information

Boell & Cecez-Kecmanovic [6] created an “extended semiotic framework” to evaluate information. In future articles, I will make an in-depth analysis of this framework. To summarise their research: they concluded that information has a set of 14 concrete, non-hierarchical and interacting attributes that are all part of the same continuum. Boell & Cecez-Kecmanovic concluded: “Attributes of information allow us to dissect information into different aspects that can be observed empirically and therefore practically guide research and development of IS.” As a model, it makes it possible to value the attributes in order to determine whether the information is valuable.

[Figure: Attributes of information at different socio-material layers, Boell & Cecez-Kecmanovic [6]]

Semiotic evaluation of Oracle’s licensing policy

To determine whether the information in the Oracle case is valuable information, I created a simple graphical visualisation that values information based on the 14 attributes: the value of information graph. For this, I adapted the visualisation of the framework to present the continuum as a circle instead of as layers and attributes stacked on top of each other. The layers of the Boell & Cecez-Kecmanovic visualisation are not included, to keep the visualisation simple; only the attributes are. An endless variety of values is possible for an attribute. A simple yes/no Boolean is the simplest: the attribute contributes (green) to valuable information, or it does not contribute (red). The result is a pattern of “red” and “green” attributes. Even if all but one attribute is “red”, the information is somewhat valuable, and this allows information to be classified by the number of valued attributes. Circumstances should reveal whether lower-value information is acceptable.

The resulting graph is a visualisation of an impression of the value of information, expressed in true nominal values. The colours in the graph represent this nominal data (the attribute contributes or it does not). There is no ordinal relation between the attributes or the parts of information. But it is possible to create some degree of ordinal relation between units of information.

[Figure: the Value of Information Graph, with a description of its attributes]

The contractual definition of the processor within the context of the socio-world of technical IT personnel

Starting at 12 o’clock on the graph and walking round the circle:

  1. Physical Existence: IT objects, physical and virtual, exist.
  2. Detectability: they are detectable and distinguishable.
  3. Apprehensibility: IT personnel should be able, based on the specifications in the definitions, to identify the physical and virtual objects and use them as applied concepts.
  4. Comprehensibility: the contractual definitions do not encompass the operational concept of the term “processor”.
  5. Level of Detail: the contractual definition of “processor” contains large amounts of information that conflict with the general concept of processor used in daily operations.
  6. Novelty: the definitions are largely unknown, but the terms are not. The terms belong to the normal curriculum of IT personnel. “Processor” is a general concept, but that general concept has been replaced by a significantly different definition.
  7. Goal reference: the definition has a purpose, but that purpose does not relate to the daily operations of the recipient. Though the goal does not comply with the generally accepted concept, it does comply with the goal of the information itself.
  8. Value to a recipient: the information is relevant to the task of IT personnel.
  9. Time Dependence: it is relevant for the time.
  10. Contingency: it is essential for the operation.
  11. Cultural dependency: the contractual information is sometimes shared with technical IT personnel and translated into operational guidelines. These guidelines conflict with the latest technical guidelines and developments (like virtualisation and cloud) and are mostly neglected. Technical IT personnel usually do not (or are not able to) verify the technical details of the contract.
  12. Subject or Domain Dependency: for technical IT personnel, the contractual definition of “processor” is NOT part of the technical domain.
  13. Specificity and Depth: the processor definition is hard to read. The true limitations are an indirect consequence of the text and refer to other definitions that also do not relate to the general concept. A wrong interpretation is easily made.
  14. Matter of Trust: the information should be trustworthy, but most IT personnel feel betrayed after an audit or claim and consequently do not trust the producer in anything.

Conclusion

Based on this academic analysis, there are two problems with Oracle's licensing policy:

  1. The definition does not comply with the general concept of the object, and
  2. The definition is not understood by IT personnel and is very difficult to translate to IT operations. The definition is largely unknown, is not trusted and does not comply with daily operations. The “material definition” is not part of the socio-world of IT personnel.

Given the large financial consequences, the contractual information Oracle provides has low informative value.

All large software producers have similar licensing policies and definitions of terms. And because they all use different definitions of the same terms, they make understanding, adoption and implementation only worse, or even impossible. The definitions do not comply with the concepts that IT personnel (humans) have of these terms. In the case of Oracle's processor definition, the definition is so far removed from everyday reality that it has become impossible to understand and manage. The goal of the information is to transfer structured data into knowledge (I will cover this in a future article). Oracle fails to do so in 7 out of 14 attributes of information. From a semiotic perspective on information within human language, Oracle is effectively non-compliant.

Olivier van der Post




I will post more articles about information in the cyber domain in the future.

#cybersecurity, #semantics, #semiotics, #ITAM, #SAM, #iso27002, #Oracle, #Licensemanagement, #processor

A large part of the above text is part of the master's thesis:

O.V. van der Post, "How can semantics become a cybersecurity risk." Universiteit Leiden, 2023

supervisors: Oscar Koeroo, Zeki Erkin




[note 1] "Processor: shall be defined as all processors where the Oracle programs are installed and/or running. Programs licensed on a processor basis may be accessed by your internal users (including agents and contractors) and by your third-party users. The number of required licenses shall be determined by multiplying the total number of cores of the processor by a core processor licensing factor specified on the Oracle Processor Core Factor Table which can be accessed at https://oracle.com/contracts. All cores on all multicore chips for each licensed program are to be aggregated before multiplying by the appropriate core processor licensing factor and all fractions of a number are to be rounded up to the next whole number. When licensing Oracle programs with Standard Edition One, Standard Edition 2 or Standard Edition in the product name (with the exception of WebCenter Enterprise Capture Standard Edition, Java SE Support, Java SE Advanced, and Java SE Suite), a processor is counted equivalent to an occupied socket; however, in the case of multi-chip modules, each chip in the multi-chip module is counted as one occupied socket." [1]





Bibliography

[1] Oracle, “Oracle Technology Global Price List Software Investment Guide,” pp. 1–13, 2012. [Online]. Available: https://www.oracle.com/us/corporate/pricing/technology-price-list-070617.pdf.

[2] C. Dieleman, “Oracle dreigde Rijk met boete van 3,2 miljard euro” (Oracle threatened the Dutch state with a 3.2 billion euro penalty), Computable, 2019. https://www.computable.nl/artikel/nieuws/overheid/6817183/250449/oracle-dreigde-rijk-met-boete-van-32-miljard-euro.html (accessed Dec. 29, 2022).

[3] C. Saran, “Mars court filings reveal extent of Oracle licence probe,” ComputerWeekly.com, 2016. [Online]. Available: https://www.computerweekly.com/news/4500271261/Mars-filings-reveal-extent-of-Oracle-licence-probe.

[4] S. Snapp, “What percentage of revenues do SAP and Oracle get from audits,” Brightwork Research & Analysis, 2019.

[5] IATE, “IATE Interactive Terminology for Europe,” European Parliament, 2022. https://www.europarl.europa.eu/translation/en/terminology/about-iate#:~:text=IATE.

[6] S. Boell and D. Cecez-Kecmanovic, Attributes of Information, vol. 1, 2010.
