knowledge & insights

Oracle Litigation Update: Data Privacy and Oracle’s So-Called “Surveillance Machine”

Beeman & Muchmore, LLP is not involved in the below-mentioned data privacy class action matter in any capacity. All information contained herein has been taken from the public record.

That Oracle has again found itself the target of a robust class action – this time concerning data privacy – is hardly surprising. With a complaint filed right on the heels of the (likely) settlement of the Oracle Securities Litigation, Oracle appears to be fielding yet another litigation hot potato. (Side note: we attended the September 17, 2022, settlement hearing in the Oracle Securities Litigation and will update our readers on it shortly. Bottom line? Settlement is a near certainty.)

While most of our updates on Oracle’s litigation exploits are attempts to read the tea leaves as to the impact on Oracle licensees, this post is a little different. Nothing in the complaint mentions Oracle’s enterprise licensing and auditing tactics, and accordingly, any impact on licensees is likely to be discrete and difficult to predict. But lack of specific licensing issues aside, the allegations in this complaint are far reaching and important.

We have long believed that Oracle’s intentional efforts to fan the flames of techlash – with aggressive political posturing and acerbic attacks on the cloud providers it envied (Google, Amazon, etc.)  –  served the dual purpose of: (1) weakening the adversaries that it was having difficulty competing against; and (2) creating a distraction from Oracle’s own dubious practices. That Oracle may face a comeuppance for this destructive market activity can only be a good thing.

The Facts. On August 19, 2022, the San Francisco-based stalwart plaintiff’s firm Lieff Cabraser Heimann & Bernstein, LLP filed a 66-page complaint in the U.S. District Court for the Northern District of California. The robust complaint named three class representatives: Michael Katz-Lacabe, privacy rights activist and founder of The Center for Human Rights and Privacy; Dr. Jennifer Golbeck, an expert in social networks, social media, privacy, and security on the web and associate professor of computer science at the University of Maryland; and Dr. Johnny Ryan, privacy advocate, scholar and a Senior Fellow at both the Irish Council for Civil Liberties and at the Open Markets Institute.

The three class representatives claim that they are acting on behalf of worldwide Internet users who have been subject to Oracle’s privacy violations. The introductory paragraph to the complaint states:

This complaint sets forth how the regularly conducted business practices of defendant Oracle America, Inc. (“Oracle”) amount to a deliberate and purposeful surveillance of the general population via their digital and online existence. In the course of functioning as a worldwide data broker, Oracle has created a network that tracks in real-time and records indefinitely the personal information of hundreds of millions of people. Oracle sells this detailed personal information to third parties, either directly, or through its “ID Graph” and other related products and services derived from this data.

As summarized by TechCrunch, the totality of the allegations suggest that the “tech giant’s ‘worldwide surveillance machine’ has amassed detailed dossiers on some five billion people, accusing the company and its adtech and advertising subsidiaries of violating the privacy of the majority of the people on Earth.”

The seven causes of action include alleged violations of: (1) the United States Constitution (“Invasion of Privacy Under the California Constitution”; (2) California statutory and common law (“Intrusion Upon Seclusion Under California Common Law”; “Violations of the Unfair Competition Law”, Cal. Bus. & Prof Code § 17200, et seq., Violation of the California Invasion of Privacy Act”); (3) Federal statutory law (“Violation of the Federal Wiretap Act”, 18 U.S.C. § 2510, et. seq.); equitable principles (“Unjust Enrichment”). A final count for declaratory relief rounds out the causes of action (“Declaratory Judgment that Oracle Wrongfully Accessed, Collected, Stored, Disclosed, Sold, and Otherwise Improperly Used Plaintiffs’ Private Data and Injunctive Relief”).

The Irony. While we have no part in the suit, we cannot help but reflect on the irony that not long ago, Ken Glueck, Oracle’s executive vice president and Chief Washington Lobbyist, loudly accused Google of the exact same thing. From Page 39 of the complaint:

Oracle has itself acknowledged the highly problematic nature of its own profile building conduct, albeit indirectly. Without a trace of irony, Oracle has argued to legislators both in the U.S. and internationally that its business rival Google wrongfully builds “shadow profiles,” “using massive amounts of consumer data, not all of which it discloses to consumers, to microtarge[t] advertising” to consumers without their consent. However, Oracle’s description of Google’s conduct is a virtually word-for-word description of its own conduct as a data broker.

According to Oracle, Google’s “shadow profiles” are:

[M]assive, largely hidden datasets of online and offline activities. This information is collected through an extensive web of Google [cf. Oracle] services, which is difficult, if not impossible to avoid. It is largely collected invisibly and without consumer consent. Processed by algorithms and artificial intelligence, this data reveals an intimate picture of a specific consumer’s movements, socio-economics, demographics, “likes,” activities and more. It may or may not be associated with a specific users’ name, but the specificity of this information defines the individual in such detail that a name is unnecessary.

The hypocrisy of Oracle’s lobbying efforts on this front has been noted by commentators in the press.

According to Spiceworks, Oracle ID Graph is one of the Oracle services under fire. In a 2016 presentation, Larry Ellison, Oracle co-founder and CTO, bragged that there were five billion consumers in the service almost a year after the launch of ID Graph. “How many people are on Earth? Seven billion,” Ellison said at the time. “Two billion to go.” Spiceworks continued:

Bart Willemsen, analyst and VP at Gartner, expressed that Ellison had no business boasting of Oracle, a primarily enterprise-focused company, having so much user data. He wrote, “To present a slide like this, advertising you have *5 billion consumer profiles* and are proud of it, while being Oracle, a company hardly any regular digital consumer even thinks they’re actively interacting with or connected to…is BEGGING for attention.”

We wrote a 3-part series of blog posts in 2020 which focused on Oracle’s interest in leading the charge of social media app TikTok. Given this recent suit filed, a notable piece of the Oracle/TikTok puzzle was Oracle’s desperate attempt to distance itself from the ‘Techlash’ movement while pointing fingers at other Big Tech companies, such as Google, for crossing the privacy boundaries of tech users. In Part 1 of our blog series, we wrote:

A large part of Oracle’s success in villainizing tech companies has been attributed to Ken Glueck. Just this past February, The Wall Street Journal published a profile of Ken Glueck, crediting him as “a major force behind the increased government scrutiny of leading technology companies.” Improbably, Oracle was favorably portrayed as an underdog “punching above its weight” by taking on Facebook, Amazon and Google and others:


Glueck’s response to the ‘Techlash’ phenomenon was to distance Oracle from it as much as possible. After claiming for years that 97% of Fortune 500 companies use its products, Glueck distinguished Oracle from other tech companies by relying on its licensing model as the key differentiator. Glueck stated,

We have been working hard to point out that there is no techlash. There is a substantial backlash against the business model where purportedly ‘free services’ are offered in exchange for massive and unconstrained collection of consumer data untethered to the underlying service. Winter is here for that business model.

Based on this recent filing, it appears that winter may, instead, be here for Oracle.

We also can’t help but to note that Mara Hvistendahl, a Pulitzer Prize-nominated journalist and friend of Beeman & Muchmore, secured a small bit of vindication against Oracle. In February 2021, The Intercept published a scathing expose of Oracle entitled “How Oracle Sells Repression in China” with the blistering tagline: “In its bid for TikTok, Oracle was supposed to prevent data from being passed to Chinese police. Instead, it’s been marketing its own software for their surveillance work.” Ken Glueck himself jumped into the fray and issued a nearly 2,000-word screed attacking Ms. Hvistendahl and The Intercept. Shortly thereafter, he actually attempted to dox Ms. Hvistendahl via Twitter (which, thankfully earned him a temporarily suspended account).

We are happy to report that Ms. Hvistendahl’s excellent reporting on Oracle’s surveillance behavior earned her five citations in the operative complaint, supporting the allegation that Oracle “has marketed its surveillance products to governments, police or paramilitary forces, including China, Brazil, Mexico, Pakistan, and the United Arab Emirates.”

*           *           *

These allegations against Oracle are serious and troubling. We will keep an eye on this matter and, as always, will strive to keep our friends, clients and colleagues informed.

Published on 9/22/2022

Software licensors are known for vague contracts—they’ve made a business of it. 

Read the latest industry news.

Recommended Reading