Data privacy

Oracle faces class action alleging it violated privacy of 5 billion people

“Oracle has violated the privacy of billions of people across the globe,” claims one of the named plaintiffs.
article cover

Francis Scialabba

· 3 min read

Oracle is facing a class-action lawsuit in California district court that alleges it assembled “detailed dossiers” on 5 billion people, benefiting to the tune of $42.4 billion in annual revenue, according to the Register.

According to the complaint, Oracle’s data collection on hundreds of millions of people via its “ID Graph” product amounts to “deliberate and purposeful surveillance of the general population via their digital and online existence,” to which they could not have consented. The named plaintiff representatives include Johnny Ryan, a senior fellow at the nonprofit Irish Council for Civil Liberties; Center for Human Rights and Privacy Research Director Michael Katz-Lacabe; and Jennifer Golbeck, University of Maryland computer science professor.

“Oracle has violated the privacy of billions of people across the globe,” Ryan claimed in a statement on the ICCL website. “This is a Fortune 500 company on a dangerous mission to track where every person in the world goes, and what they do. We are taking this action to stop Oracle’s surveillance machine.”

As TechCrunch noted, because federal data privacy laws are effectively nonexistent in the US outside of specific categories like health records, the suit claims Oracle violated a melange of other laws. Those include the California State Constitution and Invasion of Privacy Act, as well as the federal Electronic Communications Privacy Act (which extended wiretapping laws to include electronic and digital communications). Similar lawsuits in Europe have faced difficulty, and the approach of claiming Oracle violated a “patchwork” of laws has yet to be tested in the US, according to TechCrunch.

Top insights for IT pros

From cybersecurity and big data to software development and gaming. Our IT Brew newsletter delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

Data the suit says Oracle— collected via methods like BlueKai tracking cookies and website-embedded JavaScript—includes sweeping histories on almost every facet of a person’s life that can be tracked: names, addresses, device identifiers, location data, purchase histories, and “proxies for medical information that Oracle purports not to share,” like “emergency medicine.” Additionally, the suit claims that Oracle’s Data Marketplace and its partners participating in it “sell highly intrusive and offensive” data such as the demographics of Black Lives Matter protesters, political affiliations, real-time phone locations, and race.

Access to the market is “restricted to buyers and sellers, so individuals whose data is being bought and sold have no reasonable insight into what occurs there or the extent of Oracle’s violations of their privacy rights,” the suit claims.

The complaint pointed to a 2016 presentation in which Chief Technology Officer Larry Ellison describes ID Graph as allowing “a combination of real-time looking at all of their social activity, real-time looking at where they are including micro-locations” like aisles of a store, adding, “this is scaring the lawyers [who] are shaking their heads and putting their hands over their eyes”; Ellison added that information could be combined with demographic profiles to generate predictions about future purchases.

Oracle didn’t immediately respond to a request for comment from IT Brew on this story.—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.

Top insights for IT pros

From cybersecurity and big data to software development and gaming. Our IT Brew newsletter delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.