Editor’s Note: In response to The Intercept’s recent coverage of Oracle, the company’s executive vice president and lobbyist Ken Glueck wrote two lengthy posts on Oracle’s blog that went beyond normal media discourse. In the first post, he published the email and Signal number of Intercept reporter Mara Hvistendahl, who reported and wrote two stories about Oracle’s marketing of its analytics software for surveillance by police in Brazil, China, and the United Arab Emirates. In the second post, he called for people who had information about Hvistendahl to send it to his Protonmail account. (The call for details on Hvistendahl was removed Wednesday evening. An archived version is here.) He later posted Hvistendahl’s contact information on Twitter, which temporarily suspended Glueck for violating its terms of service.
Glueck’s personal attacks on our reporter are appalling and unprofessional, and his attacks on her work are baseless and uninformed. Mara Hvistendahl is a veteran journalist and former China-based foreign correspondent who has long covered the tech sector and whose work has been nominated for a Pulitzer Prize. Each of her recent Oracle articles was the culmination of months of investigation, research, and editing by a team of journalists, and each entailed extensive back and forth with company representatives prior to publication. (Tatiana Dias contributed significant reporting to the first story and separately published an investigation for The Intercept Brasil.) The Intercept stands behind Hvistendahl and our Oracle stories and condemns Ken Glueck’s bullying on behalf of his employer, Oracle. This type of conduct has become increasingly common from prominent tech companies faced with journalists doing their jobs, but it should not be normalized.
Glueck’s blog posts make a number of false accusations. He says that in Hvistendahl’s initial approach, she was vague in her communications with Oracle and only sent the company a list of questions “after some e-mail prodding.” In fact, she outlined her findings in detail in her first email and sent Oracle additional emails attaching and/or linking to the documents she planned to write about. Glueck wrote of the first investigation, “This 4,695-word feature was published without a single actual discussion with Oracle” and said Hvistendahl “was not willing to actually speak to us on the phone.” In fact, we quoted the company’s emailed responses at length, and for that first article, Oracle’s public relations staff only offered to talk on background. Glueck writes that editor Ryan Tate “ghosted” him. In fact, Tate spent 44 minutes on the phone with Glueck shortly after the first article was published. (At Oracle’s insistence, the call was on background, but it was recorded.)
This type of conduct has become increasingly common from prominent tech companies faced with journalists doing their jobs, but it should not be normalized.
In the second post, Glueck accuses Hvistendahl of fabricating a comment attributed to Mark Hurd from an earnings call. “She cites a 2012 quote from former-Oracle CEO Mark Hurd that Oracle is ‘ramping up its business in Asia’ (yes, that’s quoted in its entirety from the story),” he writes. Glueck then alleges: “If you read the transcript, [Hurd] was specifically talking about ‘ramping up’ the launch of a brand-new product at the time. The ‘business in Asia’ part is just fabricated.”
But if you do in fact read the transcript and compare it to the article, as Glueck recommends, it turns out that Glueck is the one misstating what was said. Hurd said on the call, “We’re ramping up now in Asia.” Hvistendahl paraphrased that as Hurd saying “Oracle was ‘ramping up’ its business in Asia.” (Hurd separately used the word “ramping” in reference to a product.)
Glueck accuses Hvistendahl of misrepresenting a sale of Oracle hardware to China’s State Administration of Radio, Film, and Television, as it was known at the time. Glueck asserts that Oracle’s last sale to that client involved an “Oracle StorageTek tape drive worth $54,057.00, including product support and freight.” That may be true, but the government document linked to in the story describes the Oracle Exadata server being sold for 1.19 million RMB, or $193,800 at the time.
He accuses her of misrepresenting a server that is “less than 24 inches tall” as “towering.” But Hvistendahl uses that adjective in reference to the full server rack, which was taller than many people at the conference where it was displayed.
Glueck claims that a Chinese-language Oracle document cited by The Intercept (and since removed from its location on Oracle’s website) is a presentation of a 311 system in New York City. In fact, while the presentation mentions such a system in passing, it also boasts that Oracle technology was used in the pilot of China’s grid management management system, a network of neighborhood-level social monitoring and control. The document further states that Oracle’s technology helped power China’s “Golden Shield” surveillance project, which one expert called “instrumental” in returning members of the country’s Uyghur minority to their home region of Xinjiang, where many were detained.
Oracle has not refuted any facts contained in our articles about its activity in China. Our coverage showed how Oracle marketed its technology for surveillance by authorities in China and in repressive regimes around the world; revealed the company’s services to the Chinese public security bureau repressing Uyghurs in the Xinjiang region; and described the web of local resellers that facilitate and obscure such ethically dubious transfers. Oracle’s blog posts have actually confirmed the veracity of various company slide decks used in our reporting, which show Oracle employees explaining in detail how the company’s technology can be deployed for surveillance in China.
On April 8, as Hvistendahl was wrapping up her reporting on the second article, Oracle arranged for her to speak with Ken Glueck on the record. That interview lasted 55 minutes. In it, Glueck aggressively reversed the messaging Oracle has routinely used with customers and in China. For example, one of Oracle’s Chinese partners manufactures a server derived from hardware that Oracle markets as having “dramatically better performance” and as “the best platform to run the Oracle Database.” In Glueck’s description, the Chinese version of the server became a “small-scale device” that “doesn’t have the capacity” to run “any kind of public sector, broadly used, system.” A document presented at an Oracle conference by an Oracle employee as showing how a “Chinese Police Department” used an Oracle product to cull information on suspects from “documents, social media, web content, chat rooms, flight records, hotel stay registries, and publically [sic] available open datasets” was presented by Glueck as a “proof of concept set of ideas … like a Harvard Business Review case study.” Oracle repeatedly boasted on its website that its technology helped Chinese police conduct surveillance; Glueck downplayed this help, saying that Oracle merely provided an “underlying piece of software that somebody else would have to build capabilities on top of.” And so on.
The interview, in other words, was typical of Oracle’s response to our reporting, across its communications with us and its outrageous blog posts: Glueck tried to minimize the importance of Oracle’s own statements about its activities in China, which were key to our conclusions, and to downplay its extensive links to repression in that country.
What follows is an edited transcript of the conversation.
Mara Hvistendahl: I would love to get more clarity on where Oracle draws the line, particularly overseas — not just in China but in other countries. Your responses made clear that you follow all the laws and export controls. But there are notable holes in the export control regulations. So I would like to know where the line is.
Ken Glueck: I’m afraid I can’t really help you much. You’ve seen our published policies. You know what the export control regulations and laws are. Obviously we adhere to those to the letter of the law, and I’ve indicated in our written comments that we go beyond that. But two problems: One is that I don’t know what you mean by the rest of the world. You’d have to identify particular countries. Two is that I think that we all have different definitions of what surveillance might be.
“We all have different definitions of what surveillance might be.”
MH: What’s Oracle’s definition of when something makes you uncomfortable in a human rights context?
KG: Mara, I’m looking for what the industry standard is, to see if our practices exceed or are lower than whatever the standard is. I haven’t recently gone to other companies’ policies, [but] we’ve said on the record that we go beyond what one might anticipate from the export control regulations.
MH: The reason I did this article is I found PowerPoints that appear to be marketing technology for use by police [in China, the UAE, and other repressive regimes] for surveillance purposes on Oracle’s site, not on other companies’ sites. [That’s] not to say that other companies don’t have problems.
To get into those presentations specifically, I read your blog post that you wrote. And you mentioned that Oracle has 140,000 employees around the world. Do employees just have the right to post whatever they want on Oracle’s site? How did those presentations end up there?
KG: That’s a fair question. I wrote in the blog post that we regret that they’re up there, and they didn’t reflect the current status of our business. The problem, as you can imagine, we obviously can exercise controls at different points in the sales process. And ultimately our control rests in our export compliance program, which has responsibility for our global compliance and then can go beyond what is required in the law. That is obviously a point of control for a large multinational corporation. What is more complicated, of course, is employees that might create a PowerPoint presentation and just post it on our site. We were clear and I think I explained to you that I can’t control for that. You pointed out [the presentations] — that’s something that we’ve been looking at. But it’s a marketing PowerPoint that one of 140,000 employees put up there.
Look, I recognize the slides. Those are not really Chinese slides. Those are slides that we used in the United States and Europe and then they were extrapolated [to China]. But salespeople want to sell. Salespeople want to market. I have no evidence that those PowerPoints were ever even presented to a customer. But I also didn’t hide from them, right?
“Salespeople want to sell. Salespeople want to market.”
MH: I would assume that it’s a fairly limited number of employees who are able to post on Oracle’s website. Is that right?
Spokesperson: Mara, this is Deborah Hellinger. I can look into that and get back to you, OK? This is definitely outside Ken Glueck’s scope.
KG: Deborah will get back to you, but we treat our website much like I think you would be in favor of treating any other large internet situation, which is that employees can post what employees want to post. And that’s all healthy. Usually.
MH: So in terms of where Oracle draws the line: Your responses were clear that you make efforts to not sell to entities that are listed. For example in Xinjiang, [Oracle’s] business with the Public Security Bureau stopped in 2019, I believe, after the Public Security Bureau was listed by the Commerce Department.
There was pretty widespread awareness of the [internment] camps in Xinjiang in 2017 and 2018. And you were doing business with the police department in the region for two years, after that was widely known. Why only stop in 2019?
KG: So I think you have — we have a couple issues we need to unpack. One is what products are being sold. Two is for what purposes. We’ve been clear with you on the record. We’ve given you, I think, 12 fully filled pages of on-the-record responses. But you also have to take a step back. These products are mass-market commodity products. There’s nothing special about them. And secondly, it’s easy to say “police,” but you need to take the next step and say, what are these products being used for? And we were very clear with you that if it’s an HR product, that’s just not a surveillance product.
[Editor: Oracle documents indicate the company provided “data security solutions” to the public security bureau in Xinjiang. Oracle also told The Intercept that it partnered with a company that does extensive work with the operator of many internment camps in the region.]
But what I can’t do is go back and unpack every one of these transactions for you. I don’t see any evidence that Oracle sold software as part of any surveillance systems. If your position is that a 311 system for a smart city to a public entity in China is a problem, I take that on board.
MH: You take that on board — meaning?
KG: Meaning, I understand what you’re saying. I just don’t think there’s consensus that that’s problematic.
MH: There’s fairly extensive documentation that smart cities in the Chinese context entail extensive surveillance. That’s even clear in the PowerPoints on Oracle’s site, because they mention smart cities on one hand and then they mentioned facial recognition, DNA collection, and so forth in the same context.
KG: I think that PowerPoint presentation was part of a New York City presentation.
[Editor: Glueck appears to be referring to this presentation on smart cities. Slide 10 shows a broad array of sensitive citizen data — including DNA, mental illness records, and other medical information — being converted into ones and zeros. Slide 5 states that Oracle technology was used in China’s Golden Shield program, which, among other outcomes, resulted in the forced return of improperly registered Uyghurs to Xinjiang, where many were detained. The presentation also references New York City’s 311 system.]
MH: This was marketing Oracle’s capabilities for smart cities in China. You’re saying smart cities in China, you have no concerns about them?
KG: I didn’t say that. I said I understand your concern. Remember, to the extent that Oracle is even used, it would be used as an underlying piece of software that somebody else would have to build capabilities on top of. You can’t order the Oracle smart city software. That doesn’t exist. If you want to go hire a big systems integrator to go either write or prepackage a set of smart city applications, then somebody can do that on top of what, again, is mass-market commodity software. There are a million different choices from using the Oracle database that are widely available almost completely for free.
“I understand your concern. To the extent that Oracle is used, it would be used as an underlying piece of software.”
I’ve looked into even prior to you and I starting to exchange [communications], a lot of these Golden Shield or Golden programs. And as far as I can tell, they’re almost entirely homegrown and open-source technology.
MH: Right, but this article is about Oracle’s technology. And it’s clear from looking at other materials that Oracle has marketed its capabilities [and] its analytics software to police around the world. One of the capabilities that Oracle is marketing is the ability to mine social media, to draw on different sources of data, and give some police a platform similar to Palantir Gotham, which has gotten a lot of scrutiny.
KG: We were clear in our responses and in my blog that we absolutely provide software and services to national security entities around the world. What you and I have been caught up on a little bit is that while some of those capabilities have wound up in marketing materials, the problem is that you’ve yet to show me a transaction or a use case where Oracle software winds up in a surveillance system in China. And what we’re now talking about — which is fair, I understand your point — is things that are on the periphery of surveillance. Your position, as I understand it, is if it’s sold to a police department for whatever purposes, then it’s a problem. I understand that.
“We absolutely provide software and service to national security entities around the world.”
MH: No. My position is if it’s marketed to police for surveillance purposes that that is —
KG: Well, you have to show me that something was sold, because we’ve been on the record with you.
MH: Right, well it’s your interpretation. I think we differ on that.
KG: [inaudible] I’ve invested a lot of time and money in going through all these transactions. I’m just telling you, and we are on the record with you, that I don’t find the transactions you’re concerned about. I fully understand the marketing, but none of those marketing presentations as far as I can tell were ever converted into actual sales and uses.
MH: They use words like “client” and “use case,” [as in] this is an actual case that was implemented. And I spoke with a former Oracle employee who told me that they had corresponded with the department [in China that used the analytics software].
KG: They don’t. What these presentations talk about is use cases. It’s like a proposed use case. I know that because I can go through the presentations, and we don’t offer this software.
MH: Why would they have included actual screenshots of what appears to be actual data in a specific province in that case?
KG: Because in some cases there are existing third-party tools that have been built on top of our capabilities that you can go buy.
Look, that’s the way technology works, right? If you want to do a smart city, you can’t come to Oracle, swipe a credit card, and download the smart city application. That’s just not available. But in terms of concepts and ideas, yes, these presentations exist. Our problem though, between you and I — our problem, it’s not even a disagreement — is you have yet to show me a conversion where some of the software went from a marketing PowerPoint presentation to an actual implementation somewhere. And I can’t find them either.
MH: They describe police departments as “clients.”
KG: I’ve been around this for 30 years. I think that when you look at what a client is, the definition is anybody that uses any of our technology. So I went back and looked at that, and the example that had been given — yes, a police department is a client. It just happened to be a client for a completely noninteresting HR application. Now, is that police department technically a client? Sure, they are. Is the logo legitimate? Sure it is. It’s a reference of somebody who’s a client, but not for the purposes that you’re concerned about.
[Editor: The presentation referenced by The Intercept that called a Chinese provincial police department a “client” said the client was in need of an intelligence platform. Another presentation in the same story referred to how a provincial police “customer” could use Oracle software to help with “police intelligence analysis,” including by linking networks of suspicious people based on hotel registration records and generating “security case heat map[s].”]
MH: So you’re saying that they are entirely theoretical. Presentations for OpenWorld — are they reviewed by Oracle’s counsel before they’re presented? [Editor: One presentation detailing data analytics work with an unnamed Chinese police department was given at Oracle OpenWorld.]
KG: On the presentations that we’ve been both circling around, I understand how you can interpret something. I’m not criticizing, but I know what that presentation is. That’s like a Harvard Business Review case study. It’s a “Hey, here’s the proof of concept set of ideas.” That’s just what it is. And it was never converted into an actual implementation.
With regard to review by counsel, the answer is, of course, things that are presented to the marketplace are checked for accuracy. We don’t want to be saying something [inaudible] the marketplace. But part of the problem — and this is not a criticism — is there are a lot of words that you read that are not the way they’re used in technology. [Editor: Glueck goes on to explain cloud computing.]
MH: OK. So how about Oracle’s partners? Can you explain a little bit about the vetting process and the auditing process for partners? The responses that [Oracle spokesperson] Jessica [Moore] sent pointed out or argued that there’s no partner in China that does not do some objectionable business, and that if you use the standard of not working with anyone who’s doing something objectionable, there would be no partners. So how do you decide which partners you do work with overseas?
KG: I can’t go through that with you, based on the rules you’ve set up. [Editor: The only conditions for the interview were that it be on the record and taped for accuracy.] But we do vet partners. We have a track record globally of ending partner relationships where there has been some violation in our view. We do audit partners. And the primary rationale for the auditing — just because something is sold to a partner doesn’t relieve us of our export compliance obligations.
KG: We are required to, and we do, conduct periodic audits. To the extent we discover a problem, we will remedy it or end the relationship. But the issue in China is that the normal course of doing business is through partners. That’s the way it is. I’ll let you offer judgment as to — maybe you can give me a list of partners you think are not objectionable. But we stand behind the partners that we do business with. We’re comfortable with them. We audit them regularly. I can’t control whether or not you’ve identified that some partner does business in a way that is separate from Oracle, maybe with another partner, maybe on their own, that you determine to be objectionable. I can only control for what I [inaudible].
“We stand behind the partners that we do business with. We’re comfortable with them.”
MH: Have you ended relationships with Chinese partners in the past on the basis of an audit or what you found?
KG: We have.
MH: OK. And what do the audits entail?
Spokesperson: We have time for just one more question.
KG: I’m OK, Jess. I think there’s a commonly understood definition of an audit.
MH: Are you going in and looking at their websites and their work, or are you — ?
Spokesperson: I think we’re going to have to decline comment, Ken.
KG: You’ve established the rules for this, so I’m going to say what I’ve said. If you want to have a different conversation, we’d be happy to have a different conversation.
MH: OK. What about the Dengyun hardware that Oracle localized in China; did you want to speak about that? [Editor: Dengyun is a database server that appears to be derived from Oracle’s Exadata X8-2 Database Machine. In marketing materials, Oracle describes the Database Machine as “the best platform to run the Oracle Database” and as a “high-performance” solution “engineered to deliver dramatically better performance.”]
KG: The Dengyun is an appliance. It’s a hardware appliance that includes software. It involves no transfer of intellectual property, as I’ve described to you. It involves no transfer of source code, as I’ve described. It’s a prepackaged appliance. It’s a small-scale device. By definition, this partnership and this product is not the kind of appliance that you could even run a surveillance system on, no matter how you define it. That’s not to say that we obviously don’t have different hardware capabilities, but this is a very limited, small-scale kind of appliance. What I do know, but I can’t tell it to you because of the rules you’ve set up is, I know how many have been sold, and I know the configurations of what these systems are. And I’m prepared to say to you that these are not the kinds of systems one would build a surveillance system around.
MH: What do you mean? It could house data, though? You need multiple components to build a system, right? You need facial recognition, you need this and this and this and this, which is why these aggregators —
KG: Now, Mara, you do need all of that, but you also need scale, and you need capacity. And these are small-scale systems. Look, I know what the configuration is. This is the kind of thing that you’d run a medium-sized business’s internal transactions on. It’s not the kind of thing you could stand up to run any kind of public sector, broadly used, system. It just doesn’t have the capacity. Even if you strung dozens of these together, it doesn’t have the capacity.
I also know how many have been sold. And I’m confident that if the Chinese government wanted to stand up a surveillance system of any kind, this would not be what they would choose. It’s just not enough horsepower.
The Intercept: “What did those audits entail?” Spokesperson: “I think we’re going to have to decline to comment, Ken.”
MH: I got interested because I found this notice from Beijing police saying that they had purchased [the Dengyun server], or plan to purchase it as part of this surveillance system. And it was one of several technologies [listed].
KG: But I don’t know what they’re using it for. It could be for a very small piece of something. I’m just telling you, I know what the specifications are. It’s like if you as a consumer were to buy a $400 Chromebook when what you really want to do is very high-end video manipulation as part of your program. It’s just the wrong tool for the job.
What you would do is you would go buy a very high-end fast processor Mac, and you’d be processing tons of video. So I’m saying that the specifications of this appliance, this piece of hardware — it’s just not the right fit.
MH: So are you not concerned that Oracle technology could be bought by a police department, for example — under the premise of using it for tax purposes or just for data storage, without specifying what kind of data it is — and that [the project] would then turn out, because it’s Chinese police, to involve surveillance?
KG: Two things. One is, I’ve already said to you that it’s just not a rational decision anybody would make. But sure. We have obligations to audit and to comply with both end user and end use. Now I think I said to you in writing the last time we went through this: Is it possible that somebody uses something for an unintended purpose? I can’t — We don’t think so, but sure, that’s possible. But then you come back to why in the world would I use this tool when I’ve got a zillion other options available to me that are far more capable for this kind of purpose. Now you could say, “Look, the Oracle database itself, outside of this Dengyun offering, could be used for surveillance purposes.” That is certainly true. I’m just focused right now on the Dengyun offering. I know the specifications, and it’s just not the kind of tool one would pick.
“Is it possible that somebody uses something for an unintended purpose? We don’t think so, but sure, that’s possible.
When you asked me the question, and I go back and I look at the specifications and I look at the quantity of these units that have been sold. I can very confidently say to you, as we did on the record in writing, that these products are not being used for the kinds of use cases that you’ve articulated.
MH: In your responses, both to my first article and I believe the second one as well, you use this word “implementable” — that the PowerPoints that I found don’t portray actual implementable solutions, and that there was virtually no evidence of these solutions being implemented. Why not just say, “Our technology is not used this way in China”? What do you mean by “implementations”?
KG: OK, so [let’s] come back to our two businesses. Maybe I’m just parsing words and I’m using industry standard terms. If we’re getting caught up on semantics, I don’t mean to. What I was trying to say to you is that a lot of the use cases that are represented in these PowerPoints are not purchasable solutions in the kind of way that you would go and purchase Microsoft Excel. Right? That’s a purchasable solution.
A lot of these solutions are things that one would have to do a lot of custom work with a systems integrator and build the code to enable a lot of these capabilities. The way that the software works is that these capabilities are built on top of other underlying capabilities. You mentioned analytics. It is certainly true that we have analytics software, but somebody’s got to write code and say, “Here’s the data set that we want to analyze and here are the questions we want to ask and here’s the results we want to get.”
MH: Right. And those presentations said —
KG: When I say “implementable solution,” it’s that on those PowerPoints, I don’t actually see anything that somebody could swipe their credit card and buy tomorrow. I see something that somebody would have to go and build. Again, I don’t mean to say that those PowerPoints aren’t real. Of course they’re real. They are just marketing information. And it’s a proof of concept. It’s advertising, as you would expect it to be. It’s marketing, as you would expect it to be.
MH: I guess I wouldn’t expect Oracle or any other major U.S. company to be going and saying, “We can help you analyze DNA and facial recognition images and so forth.”
KG: I don’t think we’ve said that. I don’t think those PowerPoints say that.
MH: They do.
KG: Again, what I can’t do is if some employee wants to say something — again, let’s come back to the beginning where you and I started. And maybe you can help me as to what the better answer is.
Ultimately in compliance programs, you have to identify where are the choke points where you can enforce policy. And if you think about the sales cycle, you have to identify: Here’s the point at which I can enforce policy. And I’m not really concerned about things south of that point, and obviously I’m concerned about things north of that point. But we don’t enforce policy around what an employee might create on a PowerPoint. I can’t do that. This employee might not even be there tomorrow. They might be there. I don’t know how one would ever do that, and that’s bizarre —
MH: You don’t enforce —
KG: — in the way the industry works. I can enforce what’s actually sold and the end user it’s sold to and the end use. That I can enforce.
MH: OK. So you can’t enforce what an employee creates and posts on your website?
KG: Can I enforce what’s on our website? Yeah, of course I can. And look, Mara, before you raised these issues three weeks ago, I didn’t know those presentations existed on our website. We’ve learned something. But again, you can’t use a PowerPoint to surveil somebody. You have to actually use technology to surveil somebody.
“Before you raised these issues three weeks ago, I didn’t know those presentations existed on our website. We’ve learned something.”
So if your position is you’re concerned about PowerPoints, I take your point. And we learned that those exist and I got it. But again, what you haven’t done is, you haven’t shown me is, here’s actual cases where Oracle software is being used for things that you’ve defined as objectionable.
MH: The Dengyun case of the Beijing police department using it in a major surveillance project seems objectionable to me.
KG: Mara, it can’t be for a major surveillance project. That is incorrect. It cannot be by definition for a major surveillance project. Could it be implemented as part of something somewhere? I just don’t know the answer to that. But by definition, this product is not of sufficient scale to do what you think it does.
MH: Is there anything else that we didn’t cover that you would like to get into?
KG: I thought our blog was pretty clear. You know, you can expect a response to whatever it is you do. You’ve seen in our responses, we do take issue with the entire premise of what you’re writing. I understand where you’re coming from. I’m not critical about it, but we do take issue with it.
If you look at Oracle relative to every single one of our competitors, which does matter, I think that everybody else is going in one direction and we’ve gone the other direction. And that’s a matter of public record. So I’m confused by these inquiries.
Furthermore, we’ve now talked indirectly for weeks, and what I’m still missing is the actual solutions that exist somewhere that are problematic. I understand we’ve sort of got this fuzzy area where — define it however you want to define it, but the systems that you and I would agree on that are clearly of a surveillance nature, you’ve done nothing to show me that Oracle technology exists for any of those systems.