In this interview, I discussed Java audits and how organizations should react when they receive emails from Oracle. The email you receive is the first step in Oracle's soft audit process, which usually lasts 3-12 months.
I have supported over 50 organizations in formal and soft audits, and now I want to share the inside story of the industry.
I hope it helps. If you need further assistance, please use the contact form at the bottom of the page.
Java Licensing and Java Audit – Interview
Interviewer: What are the current trends in Java licensing and Java Audits?
Fredrik Filipsson: Oracle is working hard to boost revenue with large-scale audit campaigns. They use their sales team for soft audits, their official audit team, GLAS, and even their legal and business practices. The number of audits is likely at an all-time high, surpassing their big cloud audit from 2015-2017.
Interviewer: What do you mean when you say “large-scale audits”?
Fredrik Filipsson: Oracle is most likely auditing several customers currently; the audits are just at different phases. Some are in initial outreach; others are at the stage where Oracle is pressuring the CFO/CEO/CIO to sign multi-year agreements, even if the organization has no need for Java (uninstalled) or only needs it for a short time, such as one year.
Interviewer: What exactly is a soft audit?
Fredrik Filipsson: A soft audit is when Oracle contacts existing and potential customers to discuss Java use and licensing at a specific organization.
Interviewer: How does it work?
Fredrik Filipsson: Oracle starts friendly. They contact IT professionals to get them to share information about their Java deployments. It often begins with an inquiry about which version of Java they use. Once Oracle has that information, they quickly escalate to a commercial discussion to secure employee licensing.
Interviewer: And what type of agreement does Oracle want you to buy?
Fredrik Filipsson: Oracle has had detailed logs of all licensable Java downloads from your organization since 2019, when Java became commercial. If a customer says they’ve uninstalled Java or only want a one-year license, Oracle responds that this doesn’t solve the retroactive usage issue. They push for payment for all past years of usage. They often make 3-10-year agreements seem more attractive but usually offer one year forward plus retroactive usage or three- and five-year agreements.
Interviewer: What should an organization do if contacted by Oracle about Java licensing?
Fredrik Filipsson: Get outside help immediately. The quicker you get guidance on what to share, the better the outcome. Even if you’ve shared detailed usage info, like Excel files or emails, experts can help avoid retroactive fees. We had a client who shared deployment data and then uninstalled all Java. Through negotiation strategies, we helped them walk away without paying for past usage.
Interviewer: What other challenges do organizations face with Java?
Fredrik Filipsson: Security updates and accidental downloads are major issues. It’s hard to control. Oracle gets quarterly reports of download records and insists that you buy licenses.
Interviewer: How do Java audits compare to traditional Oracle audits?
Fredrik Filipsson: Java audits are much worse. Oracle demands huge sums for Java, even with limited usage. The price they ask doesn’t match the value. In formal and soft Java audits, Oracle is extremely aggressive and makes legal threats unless a contract is signed. This can be very intimidating for those unfamiliar with Oracle’s tactics or legal team. Many customers likely negotiate just to make the problem go away.
Interviewer: How does a soft audit compare to a formal audit?
Fredrik Filipsson: The main difference is the individuals conducting the formal audit, who are professional auditors from Oracle’s GLAS team. They use scripts and questionnaires to audit your organization. Ignoring a soft audit approach will likely lead to a formal audit, which can be costly and time-consuming to fight off.
Interviewer: So what do you recommend?
Fredrik Filipsson: Understand your Java licensing estate and ensure you didn’t fall into any licensing traps. Once you’re confident in your position, many of our clients decide to get off Java. This can take anywhere from one month to several years. We help organizations delay the soft audit process, pushing back against Oracle’s requests without crossing the line, thus preventing a formal audit.
Interviewer: How does an organization assess the risk of Java licensing?
Fredrik Filipsson: You take all your full-time, part-time, temporary, and contractor employees over the last 12 months. That’s your peak number of employee licenses. The price list is publicly available. If you’ve had Java running since 2019, multiply that figure by five years. That’s the liability you face.
Interviewer: Can we use existing Oracle relationships to stop the audit?
Fredrik Filipsson: In our experience, no, you cannot. Large Oracle customers invest tens of millions in Oracle cloud and support fees. They’ve all tried to leverage existing relationships to stop the audit, but they’ve been unsuccessful.
Interviewer: What about retroactive fees for the years we didn’t have a license?
Fredrik Filipsson: That’s the biggest challenge organizations face, as nobody wants to pay for retroactive use. We’ve developed a strategy with over 50 organizations where none had to pay for retroactive licensing. If they purchased Java, it was only what they needed, such as a one-year agreement. Our contract guarantees reimbursement of our service fees if you pay for retroactive licensing.
Interviewer: What tactics are Oracle using to force customers to buy Java SE?
Fredrik Filipsson: We’ve seen many tactics. Oracle emails clients that they’ll take legal action if they don’t execute the Java agreement by a certain date. They often involve their auditors in the soft audit process, blurring the line between a formal and soft audit. Oracle’s business practices and legal teams apply pressure to “resolve compliance questions,” which are subtle threats before a formal audit.
Interviewer: How does someone work with Redress Compliance?
Fredrik Filipsson: We’ve helped over 50 organizations with Java licensing this year alone and over 150 in the past four years. We offer our services remotely via meeting platforms and email. We’re usually available to start within 48 hours of signing a contract. We cover all time zones, including the US, Europe, the Middle East, and Asia.