Oracle’s New Business Model of Java Audits: A Q&A with Palisade’s Craig Guarente

In a recent edition of the Early Adopter Podcast, Dan Woods spoke with Palisade Compliance’s CEO Craig Guarente about Oracle’s increasing practice of auditing its customers for their use of Java. Recently, Oracle has focused its innovation as much or more on licensing and audit practices as it has on technology. It seems a lot of the company’s energy is going toward how to maximize the amount of money it gets from its customers through licenses. The latest example of this involves the Java language, which Oracle obtained through its acquisition of Sun Microsystems.

Java has a runtime that is widely available and, most of the time, used for free to power many software programs. Oracle also sells a licensed version of the runtime with enhanced support and security patches. Oracle has long been in the business of using its leverage on software audits to encourage customers to buy more products. It’s now starting to do audits aimed at promoting sales of its Java premium version.

Guarente, CEO of Palisade Compliance, offers a unique perspective on this. Palisade is a consultancy that helps companies navigate licensing audits and negotiations with Oracle. This is an edited version of the podcast conversation.

Woods: Craig, I’d like you to introduce yourself to everybody. Who are you? What’s your background? And how did you become an expert in Oracle licensing?

Guarente: My background is that I grew up at Oracle. I started with Oracle in 1995 as a contract specialist, drafting license agreements, and worked my way up through that organization to the point where I left in 2011, 16 years later. I was their global VP of contracts and business practices. I managed the compliance LMS team. I had a few other roles while I was at Oracle and then left and started Palisade as an independent voice to help Oracle customers.

What does LMS mean?

License management services. It’s their audit team. When you get that letter from Oracle, it’s coming from LMS.

For people who aren’t Oracle nerds like we are, can you explain the way that Oracle uses audits and licenses and how different it is from most other software companies?

Oracle nerd. That’s a good description here. Because we think about this all the time, and we’ll talk to clients. Oracle software is throughout the stack. It’s the database, it’s the middleware, it’s the applications. Now it’s embedded in the hardware. So that’s one thing that’s different about Oracle is just they want to be an end to end. It makes it really difficult for customers to just stop using Oracle and to use something else. You know just try to stop using Windows, right? You have to replace everything else in your stack, maybe even your hardware. That’s the challenge with Oracle. They embed some pretty onerous terms into their contracts — to the point where even if a customer can technically move away from Oracle products, contractually they are still paying Oracle money for stuff they’re not even using which is pretty amazing.

One of its innovations is the way that Oracle has imitated open source in that the company has taken away prior restraint from using its software. Like in the world of open source anybody can innovate without prior restraint because they can just grab the source code and do whatever they want with it. In the world of Oracle, the prior restraint has been taken away from the use of the software. Unlike most software vendors, Oracle takes all of the license keys off of software that it buys when it does an acquisition and the Oracle software doesn’t come with any license keys. You can just use it as much as you want.

Yes. That’s the way they distribute their software. Which again, is innovative. And I was at Oracle for maybe 50 or 60 of the acquisitions that they’ve done. And I remember meeting after meeting where Oracle would have bought a company that had software keys and codes and one of the first things Oracle did was remove them. The interesting thing there is often it’s the customers who wanted those keys removed. They want to use more stuff from X, Y, Z company, and they didn’t want to go through the contracting process. They just wanted free access and say, “Hey, if we use it, we’ll pay for it.” So Oracle is more than happy to oblige. But be careful what you wish for, because you may get it. Oracle pulls all that stuff out, and now you’ve got DBAs and technical people downloading things from the Oracle website and they don’t know what they’re licensed for. They just start using the stuff because they think it’s unlimited, or it’s included with what they already bought. So that presents a real challenge for customers who are trying to manage their Oracle usage.

Oracle is not just saying, “Oh, we trust you to pay us.” They then have an audit process. And could you explain how that process works and what happens? I want to make sure that we all understand the Oracle cycle before we talk about what’s happening with Java.

Sure. And actually, what’s happening with Java is a little different. Basically, what Oracle will do is, as we said, you can download whatever you want. You can use whatever you want, technically. But contractually, there are limitations on what you can use. So Oracle, the LMS team, the audit team, will send a letter to a specific Oracle customer and say, “Hey, per our contract, we’re allowed to audit you, and we’re going to conduct an audit right now.” And there’s a back and forth and a give and take and information is shared from client to Oracle, and Oracle will generate a position. Think about getting audited by the tax authorities. You get that letter from the IRS and now you’ve got to send them all kinds of information, and they will tell you if you owe them more money. That’s similar to the way that Oracle does it. But actually, they have fewer restraints, because they take a very liberal interpretation of what’s required for licensing or not. And if you get an audit letter from Oracle, it’s not an accident. You’ve been targeted for an audit and Oracle thinks that there’s money to be had.

Then the idea is that it’s not just an audit where they say, “Okay, you used two extra database licenses. So let’s go to a price list and figure out how much you should pay on those,” because almost all Oracle software is deeply discounted. And so if you did say, “Oh, I used two extra database licenses,” and you went to a price list and said, “Okay, here’s full price for those database licenses,” those would likely cost a lot more than you’re paying now. So after the audit finds that you’re in violation, there’s a big, big number that you would have to pay to come into compliance. And that’s when the negotiations begin. What happens at that stage?

If you go through that process with Oracle without challenging them, at the end of the day, you’re going to get what they call a final report from Oracle which will have “you need to buy this many of these licenses,” and the numbers could be a million. It could be $10 million. It could be $100 million. It could be 500 million dollars if you would go back to the list price. And you’re right. That’s when you negotiate. So what Oracle will do is, through the audit, they’ll throw the biggest number against the wall and then the sales team will say, “But if you do this unlimited deal for $10 million, we’ll let go of that $100 million number. We’ll forget about that noncompliance.” So a client looks at that and goes, “Well, it’s either $100 million or $10 million. Boy, $10 million looks really good.” And what they’ve done is not only give Oracle 10 million dollars that they might not have had to do, but now Oracle puts all new contracts in place and really tightens up and limits a customer’s future flexibility. So it’s a double win for Oracle. They get money, and then they lock you in even further. It’s an amazing strategy.

It’s worked so well that they actually have an acronym for it: ABC, audit, bargain, close. If you’re looking at this from an Oracle shareholder perspective, it seems to be working.

It’s working because it generates a ton of money. It’s a huge revenue source for Oracle. On the other hand, you piss off a lot of customers by doing this. And the more aggressive you get with your auditing, the more frustrated your customers get with you. We’ve seen many, many cases where Oracle had audited customers to get them to buy Oracle Cloud. And customers have bought Oracle Cloud with no intention of using it. And I think that from a shareholder perspective can be worrisome. How much of this cloud revenue is based on audits?

Now let’s get to the Java aspect. The audit process is now looking not just at the traditional software licenses, but it is also looking at the use of Java. And then what is the Audit, Bargain, Java strategy that they’re developing?

They’re approaching Java differently right now. They haven’t fully implemented the ABC strategy with Java. It’s taken them about ten years to try to monetize Java. And we actually haven’t seen an official Oracle audit for Java. Oracle’s being really smart about this, because they’re not auditing customers to get them to buy Java, but they’re worrying customers to get them to buy Java. I’ll give you a great example. We were at a trade show a few months ago, and someone came up to us. And of course, we asked them, “Are you an Oracle customer?” And they said, “We’re not an Oracle customer now, but we just saw Oracle’s Java changes. And I have a feeling we’re going to be a big Oracle customer very soon.”

Now explain the vulnerability that you would have with respect to Java. How does somebody, by using a downloaded, free runtime, become vulnerable to Oracle?

Here’s what Oracle did. They made many changes in how they distribute and support Java. But I’ll give you one example. The way Oracle supports Java now is a little different. It changed this month. You use a version of Java, the current version of Java, Oracle will support that version, quote-unquote, for free for six months. After that six months, if you want support for that version, you have to pay for it. So in August of 2019, if you’re using a version that came out in January of 2019, that’s not free anymore. You have to pay for support. So customers are left with, I could either get a license from Oracle and pay for support, or I could run a version of Java for free, but it’s unsupported. So if there’s a hole or a patch or an update or something security-wise, they’re running without that. Or, I can update my version of Java every six months and then I don’t have to pay for it. I can just update it every six months. But that’s a hassle in itself, trying to redo your implementation of Java every six months. So technically, it’s possible to run without that license and to not pay Oracle. But again, brilliant strategy by Oracle. They built the rules in such a way that it really behooves a customer who’s going to use Oracle Java to get a license.

They don’t have to be able to be criticized for taking Java that was free and making it costly, because they can always say, “No. It’s still free. You can still use it”?

Yes. But I think the consumers of Java are a lot smarter than that. So I think Oracle is taking that hit, but they don’t care. This is going to generate billions of dollars for them. I think the tipping point will come as Java gets forked and more companies have alternatives. Amazon came out with a version of Java recently that they say will be supported forever at no cost. It’s going to require some other firms to step up and provide that support and provide that maintenance, ongoing.

When is this a serious problem for a company and when is it not?

I think it will become a serious problem if you are out of compliance with your license, and you haven’t bought that license from Oracle, and you’re using it in a noncompliant way. Eventually, Oracle will knock on your door and say, “Hey, we know you’re doing this.” And they’re going to go back and they’re going to find these huge audit problems.

When is it that you have to worry about that?

I think people need to worry about it now. The rules changed in June. Now, if you’re using a prior version and you’re going onto Oracle’s support website and downloading patches and updates for something that technically you can’t do anymore, that’s a problem. It’s only a matter of time. Unless they turn over their customer base from this free version to this paid version relatively quickly, the official audit letters will eventually come. It just matches what Oracle has done in every other line of business that they’ve had.

How can people reduce their risk of a Java audit?

The first thing is getting educated, is really understanding what the rules are, what the policies are. And then understanding how you’re using it. And then understanding what your options are or alternatives. And not just options in terms of licensing from Oracle. But options in terms of Java products that are not Oracle, like open source Java. Again, I mentioned AWS or if it’s Red Hat or whoever who has versions of these products that you can use. We had one client who said — their words not mine — “Java is the cockroach of the Internet. It’s just everywhere.” So that’s going to be the problem is you’ve got Java everywhere.

This whole general audit-based revenue optimization, revenue increase strategy, how long can Oracle do this? And do you think it’s having any lasting damage to their business?

I don’t think it is. I think there is a reputational problem. You’ve mentioned that Oracle is often at the bottom of the list of preferred vendors because of these types of things. Maybe not because of the technology, but because of their behavior. And we’ve seen that with Oracle Cloud. I think one of the reasons why Oracle Cloud is not performing where they would want it to is because customers are very hesitant to trust Oracle. If you have Oracle on-premise in a traditional deployment, and Oracle audits you, you have to give Oracle information for them to make a determination. If you’re using Oracle Cloud, all of a sudden, your data is all with Oracle. And it comes down to do you trust them? Do you trust that they’re going to treat you differently than they treated you before? I think they’re going to ride that wave as long as they can. And when you hear Larry Ellison talking about the future of Oracle, he actually always goes back to the database. Even for Oracle Cloud, he talks about Oracle’s technology and how it’s better than AWS or Microsoft or IBM. He doesn’t say their cloud is better. He says that their database is better. So everything they do and they’ve done for the last 30 years has been to lock customers into their database. And with Java, it’s a little different. You can’t lock in a Java user based on your use of Oracle databases. That’s why I think Oracle is sort of hedging its bets with Java audits and not going in there as strongly. It’s too soon. Give it ten years. Give it five years when you’re stuck in Oracle’s ecosystem and Oracle needs money. Then they’ll start auditing. Right now, there’s so much buzz going on around Java, they don’t have to audit.