Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
[email protected] Paper No. 42 571-272-7822 Entered: August 15, 2017
UNITED STATES PATENT AND TRADEMARK OFFICE ____________
BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________
UNITED SERVICES AUTOMOBILE ASSOCIATION, Petitioner,
v. NADER ASGHARI-KAMRANI and KAMRAN ASGHARI-KAMRANI,
Patent Owner. ____________
Case CBM2016-00063
Patent 8,266,432 B2 ____________
Before JONI Y. CHANG, JUSTIN T. ARBES, and FRANCES L. IPPOLITO, Administrative Patent Judges.
CHANG, Administrative Patent Judge.
FINAL WRITTEN DECISION 35 U.S.C. § 328(a); 37 C.F.R. § 42.73
CBM2016-00063 Patent 8,266,432 B2
2
I. INTRODUCTION United Services Automobile Association (“Petitioner”) filed a Petition
requesting a review of claims 1–55 of U.S. Patent No. 8,266,432 B2
(Ex. 1001, “the ’432 patent”) under the transitional program for covered
business method patents.1 Paper 2 (“Pet.”). Nader Asghari-Kamrani and
Kamran Asghari-Kamrani (collectively, “Patent Owner”) filed a Preliminary
Response to the Petition and a statutory disclaimer of claims 4 and 29.
Paper 11 (“Prelim. Resp.”); Ex. 2001. Petitioner filed a Reply to the
Preliminary Response. Paper 13. Pursuant to 35 U.S.C. § 324 and § 18(a)
of the AIA, we instituted this covered business method patent review, only
as to claims 1–3, 5–28, and 30–55 of the ’432 patent. Paper 14 (“Dec.”).
During the course of trial, Patent Owner filed a Response to the
Petition (Paper 22, “PO Resp.”) and a statutory disclaimer of claims 11, 46,
49, and 53 (Ex. 2007), and Petitioner filed a Reply (Paper 26, “Reply”) to
the Patent Owner Response. In addition, pursuant to our authorization,
Patent Owner filed an additional brief (Paper 29) on the issue of whether the
’432 patent is eligible for covered business method patent review in light of
the decision issued by the U.S. Court of Appeals for the Federal Circuit in
Secure Axcess, LLC v. PNC Bank Nat’l Ass’n, 848 F.3d 1370 (Fed. Cir.
2017). Petitioner filed a Reply (Paper 30) to Patent Owner’s additional
brief. Petitioner also filed a Motion to Exclude Evidence (Paper 32), and
1 See § 18(a) of the Leahy-Smith America Invents Act, Pub. L. No. 112-29, 125 Stat. 284, 329 (2011) (“AIA”).
CBM2016-00063 Patent 8,266,432 B2
3
Patent Owner filed an Opposition (Paper 37) to Petitioner’s Motion.
Petitioner filed a Reply (Paper 39) in support of its Motion. No oral hearing
was held. Paper 41, 3. Patent Owner filed a Motion for Observation
(Paper 31) on certain cross-examination testimony of Petitioner’s declarant,
and Petitioner filed a Response (Paper 36). Petitioner also filed a Motion for
Observation (Paper 33) on the cross-examination testimony, and Patent
Owner filed a Response (Paper 38).
We have jurisdiction under 35 U.S.C. § 6. This Final Written
Decision is issued pursuant to 35 U.S.C. § 328(a) and 37 C.F.R. § 42.73.
For the reasons that follow, we determine that Petitioner has shown by a
preponderance of the evidence that claims 1–3, 5–10, 12–28, 30–45, 47, 48,
50–52, 54, and 55 (“the challenged claims”) of the ’432 patent are
unpatentable.
A. Related Matters
The parties indicate that the ’432 patent is involved in
Asghari-Kamrani et al. v. United Services Auto. Ass’n, Case No. 2:15-cv-
00478-RGD-LRL (E.D. Va.), and Case IPR2015-01842, which has been
denied institution. Pet. 2; Paper 5, 2. The ’432 patent also is subject to a
covered business method patent review in CBM2016-00064. A final written
decision in CBM2016-00064 is entered concurrently with this Decision.
B. The ’432 Patent
The ’432 patent relates to “a system and method provided by a
Central-Entity for centralized identification and authentication of users and
CBM2016-00063 Patent 8,266,432 B2
4
their transactions to increase security in e-commerce.” Ex. 1001, 2:52–55.
A central-entity is said to allow a user to purchase goods and services from
an external-entity (e.g., a merchant) using the user’s digital identity without
revealing confidential personal or financial information, by generating a
dynamic, non-predictable and time-dependable secure code for the user per
the user’s request. Id. at 3:35–40. Examples of central-entities include
banks and credit card issuing companies. Id. at 2:16–18. In a transaction
between the user and the external-entity, the user presents his user name and
secure code as a digital identity to the external-entity for identification. Id.
at Abstract, 2:19–21, 3:19–21, 4:55–58. The external-entity depends on the
central-entity to identify and authenticate the user and transaction. Id.
C. Illustrative Claim
Of the challenged claims, claims 1, 25, 48, and 52 are independent.
Claims 2, 3, 5–10, and 12–24 depend ultimately from claim 1; claims 26–28,
30–45, and 47 depend either directly or indirectly from claim 25; claim 50
depends directly from claim 48; and claims 54 and 55 depend directly from
claim 52. Claim 1, reproduced below, is illustrative:
1. A method for authenticating a user during an electronic transaction between the user and an external-entity, the method comprising: receiving electronically a request for a dynamic code for the user by a computer associated with a central-entity during the transaction between the user and the external-entity; generating by the central-entity during the transaction a dynamic code for the user in response to the request, wherein the dynamic
CBM2016-00063 Patent 8,266,432 B2
5
code is valid for a predefined time and becomes invalid after being used; providing by the computer associated with the central-entity said generated dynamic code to the user during the transaction; receiving electronically by the central-entity a request for authenticating the user from a computer associated with the external-entity based on a user-specific information and the dynamic code as a digital identity included in the request which said dynamic code was received by the user during the transaction and was provided to the external-entity by the user during the transaction; and authenticating by the central-entity the user and providing a result of the authenticating to the external-entity during the transaction if the digital identity is valid.
Ex. 1001, 6:24–47.
D. Prior Art Relied Upon
Petitioner relies upon the following prior art references:
Norefors US 2006/0094403 A1 May 4, 2006 (Ex. 1032) (filed Dec. 12, 2005; continuation of application filed June 18, 2003) Brown US 5,740,361 Apr. 14, 1998 (Ex. 1035)
CBM2016-00063 Patent 8,266,432 B2
7
specification with reasonable clarity, deliberateness, and precision. In re
Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994).
Here, the Specification of the ’432 patent sets forth the definitions for
certain claim terms. Ex. 1001, 2:10–12, 2:19–26, 2:35–45, 3:4–6. We
adopted those lexicographical definitions as our preliminary claim
constructions in the Decision on Institution. Dec. 15–16. Petitioner does not
challenge those claim constructions. See generally Reply. However, Patent
Owner proposes different constructions for certain terms. PO Resp. 3–10.
We note that only those terms which are in controversy need to be
construed, and only to the extent necessary to resolve the controversy. Vivid
Techs., Inc. v. Am. Sci. & Eng’g, Inc., 200 F.3d 795, 803 (Fed. Cir. 1999).
Here, we find it necessary to address only the claim terms below.
“user”
Claim 1 recites “authenticating a user during an electronic transaction
between the user and an external-entity.” Ex. 1001, 6:24–25. Independent
claims 25, 48, and 52 include similar language. The Specification expressly
defines the term “user”:
For convenience, the term “user” is used throughout to represent both a typical person consuming goods and services as well as a business consuming goods and services.
Id. at 2:10–12 (emphasis added).
In the Decision on Institution (Dec. 15), we adopted the definition set
forth in the Specification, construing the claim term “user” as “a person or
business consuming goods and services.” Neither party challenges this
CBM2016-00063 Patent 8,266,432 B2
8
construction. PO Resp. 2−3; see generally Reply. We discern no reason to
modify our claim construction set forth in the Decision on Institution with
respect to this claim term. Therefore, for purposes of this Final Written
Decision, we maintain our claim construction.
“external-entity”
As noted above, claim 1 recites “authenticating a user during an
electronic transaction between the user and an external-entity,” and the
remaining independent claims include similar language. The Specification
expressly defines the claim term “external-entity” in the “Background of the
Invention” Section:
As also used herein, an “External-Entity” is any party offering goods or services that users utilize by directly providing their UserName and SecureCode as digital identity. Such entity could be a merchant, service provider or an online site. An “External-Entity” could also be an entity that receives the user’s digital identity indirectly from the user through another External-Entity, in order to authenticate the user, such entity could be a bank or a credit card issuing company.
Ex. 1001, 2:19–26 (emphasis added).
The Specification further defines this term in the “Summary of the
Invention” Section by providing the following:
A plurality of the External-Entities: An External-Entity is any party offering goods or services in e-commerce and needs to authenticate the users based on digital identity.
Id. at 3:4–6 (emphasis added).
CBM2016-00063 Patent 8,266,432 B2
9
Petitioner adopts only the portion of the definition in the “Background
of the Invention” Section as its proposed claim construction. Pet. 6–7 (citing
Ex. 1001, 2:19–21). In its Preliminary Response, Patent Owner did not
propose any claim construction. Prelim. Resp. 36−37. In the Decision on
Institution, we adopted Petitioner’s proposed claim construction. Dec. 15.
After institution, however, Patent Owner adopts only the portion of the
definition in the “Summary of the Invention” Section as its proposed claim
construction. PO Resp. 6 (citing Ex. 1001, 3:4–6).
We agree with Patent Owner in part. Both cited sections of the
Specification set forth what an external-entity “is,” indicating an intent to
define the term. See Ex. 1001, 2:19–26, 3:4–6. In view of the Specification
as a whole, we construe the claim term “external-entity” in accordance with
the aforementioned definitions—“any party offering goods or services in
e-commerce that users utilize by directly providing their UserName and
SecureCode as digital identity, and that needs to authenticate the users based
on digital identity.”
“central-entity”
Each independent claim (and thus each challenged claim) requires a
“central-entity” to authenticate a user during an electronic transaction
between the user and the external-entity. For example, claim 1 recites
“authenticating by the central-entity the user and providing a result of the
authenticating to the external-entity during the transaction if the digital
CBM2016-00063 Patent 8,266,432 B2
10
identity is valid.” Ex. 1001, 6:45–47. The Specification expressly defines
the term “central-entity”:
As used herein, a “Central-Entity” is any party that has user’s personal and/or financial information, UserName, Password and generates [a] dynamic, non-predictable and time dependable SecureCode for the user. Example of Central-Entity are: banks, credit card issuing companies or any intermediary service companies.
Ex. 1001, 2:13–18. The Specification also defines the term “SecureCode”:
The term “SecureCode” is used herein to denote any dynamic, non-predictable and time dependent alphanumeric code, secret code, PIN or other code, which may be broadcast to the user over a communication network, and may be used as part of a digital identity to identify a user as an authorized user.
Id. at 2:35–40.
In its Petition, Petitioner adopts the above definition of a
“central-entity” as its proposed claim construction. Pet. 6−7. In its
Preliminary Response, Patent Owner did not propose any claim construction.
Prelim. Resp. 36−37. In the Decision on Institution, we adopted the
definitions of “central-entity” and “SecureCode” set forth in the
Specification. Dec. 16.
After institution, Patent Owner proposes to construe the claim term
“central-entity” as follows:
a party comprising one or more computing devices that has user’s personal, financial, identification information, UserName, and/or Password and provides dynamic, non-predictable and time dependable code for the user.
CBM2016-00063 Patent 8,266,432 B2
11
PO Resp. 5. Patent Owner seems to adopt the definition in the Specification,
with modifications, as its proposed claim construction. Id. at 3–5.
We decline to adopt Patent Owner’s proposed construction because it
would not be consistent with the Specification, and the modifications
improperly import an extraneous limitation into the claims and substantively
broaden the claim scope. Specifically, Patent Owner’s proposed
construction would import an extraneous limitation—“one or more
computing devices.” Each claim at issue already expressly requires one or
more computers associated with a central-entity. Id. at 6:28, 7:57–8:7, 9:7,
10:7–25. Adopting Patent Owner’s proposed construction would conflict
with the broader term “party” used in the lexicographical definition above
and potentially render the “computer” limitations superfluous.
Additionally, Patent Owner’s proposed construction would introduce
the following modifications to the lexicographical definition: (1) moving
“and/or” to a different location in the list of information possessed by the
central-entity, (2) changing “generates” to “provides,” (3) changing
“SecureCode” to “code,” and (4) adding “identification information.” These
modifications would substantively broaden the claim scope. For example,
under Patent Owner’s proposed claim construction, possessing the
UserName, Password, and SecureCode would be optional. These
substantive modifications are not supported by the Specification.
We are not persuaded by Patent Owner’s argument that “the
‘central-entity’ does not necessarily possess or use personal and/or financial
information, a UserName, and a Password,” such that “the Central-Entity
CBM2016-00063 Patent 8,266,432 B2
12
has some or all of such user information described in the Background.” PO
Resp. 3–5. The portions of the Specification cited by Patent Owner do not
support Patent Owner’s proposed construction because they address the
items of information that are used for performing a transaction and
authenticating a user, not the items of information possessed by the
central-entity. Id. at 4 (citing Ex. 1001, 2:27–34, 2:41–43, 5:5–58, Fig. 2,
Steps D–L). Patent Owner’s argument conflates the information that is
possessed by the central-entity with the information that is used for
performing a transaction and authenticating a user. Id. The lexicographical
definition expressly listed the information that is possessed by the
central-entity—namely, “any party that has user’s personal and/or financial
information, UserName, Password and generates [a] dynamic . . .
SecureCode for the user.” Ex. 1001, 2:13–16 (emphases added). Patent
Owner also does not articulate, nor can we discern, a sufficient reason for
changing “generates” to “provides” and changing “SecureCode” to “code.”
For these reasons, we decline to adopt Patent Owner’s proposed
construction. Rather, as in the Decision on Institution (Dec. 16), we
adopt the definition in the Specification here as our claim
construction, and interpret “central-entity” to mean “any party that has
a user’s personal and/or financial information, UserName, and
Password, and generates a dynamic, non-predictable and time
dependable SecureCode for the user,” where a “SecureCode” is “any
dynamic, non-predictable and time dependent alphanumeric code,
secret code, PIN or other code, which may be broadcast to the user
CBM2016-00063 Patent 8,266,432 B2
13
over a communication network, and may be used as part of a digital
identity to identify a user as an authorized user.”
“digital identity”
Each independent claim requires an authentication request based on
“a user-specific information and the dynamic code as a digital identity.”
See, e.g., Ex. 1001, 6:38–44. The Specification expressly defines the claim
term “digital identity”:
The term “digital identity” is used herein to denote a combination of user’s “SecureCode” and user’s information such as “UserName,” which may result in a dynamic, non-predictable and time dependable digital identity that could be used to identify a user as an authorized user.
Id. at 2:41–45 (emphasis added).
Neither party proposes a claim construction for this term. In the
Decision on Institution, we adopted the express definition as our
construction. Dec. 16. The parties do not provide, nor do we discern, a
reason to modify that construction. Therefore, for purposes of this Final
Written Decision, we maintain our claim construction set forth in the
Institution Decision, in accordance with the Specification’s definition,
construing “digital identity” as “a combination of a user’s SecureCode and
the user’s information such as UserName, which may result in a dynamic,
non-predictable and time dependable digital identity that could be used to
identify a user as an authorized user.”
CBM2016-00063 Patent 8,266,432 B2
14
“dynamic code”
The claim term “dynamic code” appears in each independent claim.
For instance, claim 1 recites “receiving electronically a request for a
dynamic code for the user by a computer associated with a central-entity
during the transaction between the user and the external-entity.” Ex. 1001,
6:27–30. The Specification does not define the term “dynamic code,” but
rather defines the term “SecureCode” as follows:
The term “SecureCode” is used herein to denote any dynamic, non-predictable and time dependent alphanumeric code, secret code, PIN or other code, which may be broadcast to the user over a communication network, and may be used as part of a digital identity to identify a user as an authorized user.
Id. at 2:35–40 (emphasis added).
Petitioner proposes to construe the claim term “dynamic code” to
include a “dynamic, non-predictable and time dependent alphanumeric code,
secret code, PIN or other code, which may be broadcast to the user over a
communication network, and may be used as a part of a digital identity to
identify a user as an authorized user.” Pet. 9. In its Preliminary Response,
Patent Owner did not propose any claim construction. Prelim. Resp. 36−37.
In the Decision on Institution, we construed the claim term “dynamic code”
to encompass an “alphanumeric code that is non-predictable and time
dependent, which may be broadcast to the user over a communication
network, and may be used as a part of a digital identity to identify a user as
an authorized user,” in light of the Specification including the claim
language. Dec. 17−18 (emphases added).
CBM2016-00063 Patent 8,266,432 B2
15
Subsequent to institution, Patent Owner argues that the claimed
“dynamic code” corresponds to the disclosed “SecureCode,” citing the
above-reproduced definition for support. PO Resp. 10 (citing Ex. 1001,
2:35-40). We recognize that although the claims do not use the term
“SecureCode,” the written description appears to use the terms
“SecureCode” and “dynamic code” interchangeably in certain contexts.
For example, claim 1 also recites receiving a request for authenticating a
user based on “a user-specific information and the dynamic code as a digital
identity.” Ex. 1001, 6:38–42. The Specification defines the term “digital
identity” as “a combination of user’s ‘SecureCode’ and user’s information
such as ‘UserName,’” and explains that the central-entity “generates [a]
dynamic, non-predictable and time dependent SecureCode for the user.” Id.
at 2:41−43, 3:14–24. Nevertheless, because the above definition of
“SecureCode” itself includes the word “dynamic” (id. at 2:35–40), we do not
construe the claim term “dynamic code” to be interchangeable with
“SecureCode” for all situations. For example, construing “dynamic code” to
include “other code,” without more, would render the word “dynamic”
superfluous. See Cat Tech LLC v. TubeMaster, Inc., 528 F.3d 871, 885
(Fed. Cir. 2008) (noting that “[c]laims are interpreted with an eye toward
giving effect to all terms in the claim”) (quotation omitted); see also
Aristocrat Techs. Australia Pty Ltd. v. Int’l Game Tech., 709 F.3d 1348,
1356–57 (Fed. Cir. 2013) (declining to adopt the appellants’ proposed
construction because it would render another limitation “superfluous”).
CBM2016-00063 Patent 8,266,432 B2
16
Patent Owner also argues that the ’432 patent “does not require that
the SecureCode be alphanumeric.” PO Resp. 10 (citing Ex. 2010 ¶¶ 39–40).
In light of the Specification and surrounding claim language, we agree with
Patent Owner that the claim term “dynamic code” encompasses
alphanumeric and non-alphanumeric codes that are non-predictable and
time dependent. Indeed, as Petitioner notes (Reply 19), claims 1 and 25
recite a “dynamic code,” whereas claims 48 and 52 recite the “dynamic code
is alphanumeric.” Based on claim differentiation, the full scope of “dynamic
code” includes non-alphanumeric codes that are non-predictable and time
dependent. Accordingly, we construe the claim term “dynamic code” to
encompass “alphanumeric and non-alphanumeric codes that are
non-predictable and time dependent, which may be broadcast to the user
over a communication network, and may be used as a part of a digital
identity to identify a user as an authorized user.” No further construction as
to this term is necessary for purposes of this Decision. See Vivid Techs., 200
F.3d at 803.
“transaction”
As noted above, claim 1 recites “authenticating a user during an
electronic transaction between the user and an external-entity,” and the
remaining independent claims include similar language. Petitioner argues
that the claim term “transaction” should be construed to include “attempts
[by a user] to access a restricted web site or attempts to buy services or
products . . . through a standard interface provided by [an] External-Entity
CBM2016-00063 Patent 8,266,432 B2
17
. . . and selects digital identity as his identification and authorization or
payment option,” as described in the Specification of the ’432 patent.
Pet. 8–9 (citing Ex. 1001, 5:5–22). Patent Owner appears to agree with
Petitioner’s argument because Patent Owner argues that the disclosure of
accessing a restricted website of an external-entity by a user provides written
description support for the claimed transaction. PO Resp. 17; see also id.
at 9. Patent Owner also contends that the claim term “transaction” should
not be construed as a single transaction. Id. at 6−7.
Figures 4 and 5 of the ’432 patent are reproduced below.
CBM2016-00063 Patent 8,266,432 B2
18
Figure 4 shows the steps of the transaction phase, whereas Figure 5
illustrates the steps of the identification and authorization phase that involve
utilizing a centralized identification and authentication system and method.
Ex. 1001, 5:5–43. The steps in the transaction phase, as illustrated in
Figure 4, and the steps in the identification and authorization phase, as
illustrated in Figure 5, are performed during the same transaction between
the user and external-entity. Id. at 5:5–43, Figs. 4, 5.
In light of the Specification and drawings, we agree with Petitioner’s
interpretation of the term “transaction” insofar as it includes the user’s
attempt to get access to the external-entity’s restricted website, or to
purchase goods or services from the external-entity. Id. at 5:5–10, Fig. 4,
step 110. Further, we observe that the transaction is not completed until the
central-entity sends an approval or a denial to the external-entity. Id. at
5:35–43, Fig. 5, steps 140, 150.
However, we are not persuaded by Patent Owner’s argument that the
claim term “transaction” should not be construed as a single transaction. PO
Resp. 6–7. This argument squarely contradicts (1) Patent Owner’s claim
construction submitted in Case IPR2015-01842 that involves the same patent
and claims as those in the instant proceeding (Ex. 1027, 21–23), and (2)
Patent Owner’s other arguments presented in the instant proceeding (PO
Resp. 8–9). Notably, Patent Owner argued in Case IPR2015-01842 that the
steps described in Figure 4 of the ’432 patent are performed during the same
transaction because the dynamic code is for one-time use; whenever the user
starts a new transaction and needs an authentication process, the user needs
CBM2016-00063 Patent 8,266,432 B2
19
to restart those steps again. Ex. 1027, 22–23 (citing Ex. 1001, 4:12–14, 5:5–
22, Fig. 4).
Patent Owner’s argument (PO Resp. 6–7) also contradicts its other
argument, in the instant proceeding, that the claim term “during the
transaction” includes the steps or functions performed during the transaction
phase and the authorization phase involved in using the centralized
identification and authentication system (id. at 8–9).4 In fact, Patent Owner
acknowledges that each independent claim requires the recited steps or
functions to be performed during the same transaction between the user and
external-entity. Id. at 17−19.
For these reasons, we construe “the transaction,” as recited in each
step or function of each independent claim, to refer back to the same
“electronic transaction between the user and an external-entity” recited in
the preamble. See NTP, Inc. v. Research in Motion, Ltd., 418 F.3d 1282,
1306 (Fed. Cir. 2005); Warner-Lambert Co. v. Apotex Corp., 316 F.3d 1348,
1356 (Fed. Cir. 2003) (noting that the definite article “the” is a word of
limitation, particularizing the subject which it precedes). No further
construction is necessary for purposes of this Decision. See Vivid Techs.,
200 F.3d at 803.
4 Patent Owner proposes construing “during the transaction” to mean “a period after the initiation of the transaction between a user and an external-entity and before the transaction is completed.” PO Resp. 8–9.
CBM2016-00063 Patent 8,266,432 B2
20
B. Whether the ’432 Patent is a Covered Business Method Patent
1. Financial Product or Service
A covered business method (“CBM”) patent is “a patent that claims a
method or corresponding apparatus for performing data processing or other
operations used in the practice, administration, or management of a financial
product or service, except that the term does not include patents for
technological inventions.” AIA § 18(d)(1); 37 C.F.R. § 42.301(a). A patent
is eligible for review if it has at least one claim directed to a covered
business method. See Transitional Program for Covered Business Method
Patents—Definitions of Covered Business Method Patent and Technological
Invention, 77 Fed. Reg. 48,734, 48,736 (Response to Comment 8).
Our reviewing court has explained that Ҥ 18(d)(1) directs us to
examine the claims when deciding whether a patent is a CBM patent.” Blue
Calypso, LLC v. Groupon, Inc., 815 F.3d 1331, 1340 (Fed. Cir. 2016)
(finding that the challenged patent was eligible for review because the
claims recited “an express financial component in the form of a subsidy”
that was “central to the operation of the claimed invention”). “CBM patents
are limited to those with claims that are directed to methods and apparatuses
of particular types and with particular uses ‘in the practice, administration,
or management of a financial produce or service.’” Unwired Planet, LLC v.
Google Inc., 841 F.3d 1376, 1382 (Fed. Cir. 2016). “Necessarily, the
statutory definition of a CBM patent requires that the patent have a claim
that contains, however phrased, a financial activity element.” Secure
Axcess, 848 F.3d at 1381. Furthermore, “the definition of ‘covered business
CBM2016-00063 Patent 8,266,432 B2
21
method patent’ is not limited to products and services of only the financial
industry” and “on its face covers a wide range of finance-related activities.”
Versata Dev. Grp., Inc. v. SAP Am., Inc., 793 F.3d 1306, 1326–27 (Fed. Cir.
2015).
Here, Petitioner takes the position that the ’432 patent is a covered
business method patent, arguing that the “method for authenticating a user of
claim 1 is used for data processing in the practice, administration, and
management of financial products and services; specifically, for processing
user financial information for electronic purchases.” Pet. 9–12. According
to Petitioner, the claims at issue are directed to “a Central-Entity for
centralized identification and authentication of users and their transactions
to increase security and e-commerce.” Id. at 10–11 (citing Ex. 1001, 2:51–
3:6). Petitioner explains that claim 1 is directed to a method for
authenticating a user during a transaction between the user and an external
entity, and dependent claim 4 (subsequently disclaimed) requires that the
transaction be a financial transaction. Id.; Ex. 1001, 6:24–47, 6:61–62.
Patent Owner counters that the challenged claims “literally do not
recite any commercial or financial transactions,” and “lack any recitation of
financial terminology or activity.” PO Resp. 28; Paper 29, 2–4. In Patent
Owner’s view, the claimed authentication method and system do not involve
a financial product or service, but rather are, at most, merely incidental or
complementary to a financial activity. Paper 29, 4–5. Although Patent
Owner confirms that the ’432 patent describes commercial and financial
transactions, Patent Owner argues that “others are not (e.g., accessing a
CBM2016-00063 Patent 8,266,432 B2
22
restricted website)” and any sales or financial transactions are not part of the
claimed authentication. PO Resp. 28–29 (emphasis omitted). Patent Owner
contends that “the term ‘external entity’ is not recited as a financial product
or service in the claims but as a party for example having a restricted
website that requires user authentication before allowing access or offering
its product or service.” Paper 29, 3–4.
Upon consideration of the parties’ contentions and supporting
evidence, we determine that Petitioner has established that claim 1, when
properly construed, recites a method for performing data processing or other
operations used in the practice, administration, or management of a financial
product or service. See Secure Axcess, 848 F.3d at 1381 (“[T]he phrasing of
a qualifying claim does not require particular talismanic words. When
properly construed in light of the written description, the claim need only
require one of a ‘wide range of finance-related activities’” . . . . (citations
omitted)).
Claim 1 recites a method “for authenticating a user during an
electronic transaction between the user and an external-entity”5 and
requires, in the body of the claim, a central-entity to perform each recited
step “during the transaction.” Ex. 1001, 6:24–26 (emphases added). As
5 In this proceeding, the parties do not dispute that the preamble of each independent claim is a claim limitation. For purposes of this Decision, we proceed on the assumption that it is. Regardless, though, the terms we analyze herein (e.g., “transaction,” “user,” “external-entity,” and “central-entity”) also appear in the body of the claim.
CBM2016-00063 Patent 8,266,432 B2
23
discussed in the claim construction section of this Decision (Section II.A),
the Specification expressly sets forth the definitions for the claim terms
“user,” “external-entity,” and “central-entity.” Applying those
lexicographical definitions, claim 1 requires authenticating a “user” (a
person or business consuming goods and services) during an electronic
transaction between such a person or business and an “external-entity” (any
party offering goods or services in e-commerce that users utilize by directly
providing their UserName and SecureCode as digital identity, and that needs
to authenticate the users based on digital identity”). Id. at 2:10–26, 3:4–6,
6:24–47. Claim 1 also requires a “central-entity” (any party that has a user’s
personal and/or financial information, UserName, and Password, and
generates a dynamic, non-predictable and time dependable SecureCode for
the user) to perform the authentication.
We are not persuaded by Patent Owner’s arguments, as they
improperly ignore the lexicographical definitions of the claim terms and fail
to account for the financial nature of those definitions. See In re Paulsen,
30 F.3d 1475, 1480 (Fed. Cir. 1994) (a patentee may act as his or her own
lexicographer and clearly set forth a definition of the claim term in the
specification); Phillips v. AWH Corp., 415 F.3d 1303, 1316 (Fed. Cir. 2005)
(en banc) (explaining that “our cases recognize that the specification may
reveal a special definition given to a claim term by the patentee that differs
from the meaning it would otherwise possess[; i]n such cases, the inventor’s
lexicography governs”) (citing CCS Fitness, Inc. v. Brunswick Corp., 288
F.3d 1359, 1366 (Fed. Cir. 2002)). Indeed, as noted above (Section II.A),
CBM2016-00063 Patent 8,266,432 B2
24
Patent Owner urges us to interpret the claim term “external-entity” to be a
“party offering goods or services in e-commerce and [that] needs to
authenticate the users based on digital identity.” PO Resp. 6 (emphasis
added). By Patent Owner’s own admission, therefore, claim 1 involves a
transaction taking place in e-commerce. As Petitioner notes (Paper 30, 2–3),
Patent Owner’s declarant, Alfred C. Weaver, Ph.D., confirms the financial
nature of the claim, testifying that “e-commerce” refers to “[t]ransfer of
information over a network in the context of buying and selling products and
services.” Ex. 1068, 77:10–78:6 (emphasis added).
Patent Owner’s arguments also narrowly focus on the “restricted
website” embodiment disclosed in the Specification, improperly
characterizing that embodiment as non-financial. Notably, that embodiment
involves accessing a “restricted website” that is provided by a business
offering goods or services in e-commerce for its customers to access.
Ex. 1001, 1:30–2:9, 4:12–14 (attempts to get access to a restricted website,
or to buy goods or services, are part of “the transaction of a customer”).
The Specification explicitly explains that “the increase of businesses
utilizing e-commerce ha[s] [led] to a dramatic increase in customers
releasing confidential personal and financial information, in the form of
social security numbers, names, addresses, credit card numbers and bank
account numbers, to identify themselves.” Id. at 1:30–37 (emphasis added).
According to the Specification, there was a need at the time of the invention
for secured e-commerce transactions between a business offering goods or
services and its customers. Id. at 1:30–2:9. The Specification discloses that
CBM2016-00063 Patent 8,266,432 B2
25
the invention is related to a system and method provided by a central-entity
for centralized identification and authentication of persons or businesses
consuming goods and services, and their transactions to increase security in
e-commerce, allowing the persons or businesses “to purchase goods and
services from an External-Entity using their digital identity, preferably
without revealing confidential personal or financial information.” Id. at
2:52–55, 3:35–40.
In light of the Specification, claim 1, when construed properly, is
directed to a method for authenticating a customer during a transaction
between a seller and the customer in e-commerce. That transaction in
e-commerce includes the customer accessing the seller’s restricted website,
or purchasing goods or services from the seller. In fact, Patent Owner
admits, and Dr. Weaver testifies, that one of ordinary skill in the art would
have understood that “intrabank funds transfer transactions would be within
the scope of the claimed invention.” PO Resp. 7, 26 (asserting that an
electronic transfer of funds between a customer and business provides
written description support for the claimed “transaction”); Ex. 2010 ¶ 37.
Funds transfers, accessing bank accounts electronically, and buying
and selling goods or services in e-commerce are activities that are financial
in nature; and allowing secured electronic sales transactions, funds transfers
between two financial institutions, or access to a financial institution’s
system for banking services amount to providing a financial service. We are
persuaded that claim 1, as properly construed, contains a financial activity
element.
CBM2016-00063 Patent 8,266,432 B2
26
For these reasons, we determine that Petitioner has demonstrated that
claim 1 of the ’432 patent is directed to a method for performing data
processing used in the practice, administration, or management of a financial
product or service. Consequently, the ’432 patent satisfies the “financial
product or service” component of the definition for a covered business
method patent under § 18(d)(1) of the AIA.
2. Technological Invention Exception
The definition of “covered business method patent” in § 18(d)(1) of
the AIA excludes patents for “technological inventions.” When determining
whether a patent is excluded under this exception, we consider “whether the
claimed subject matter as a whole recites a technological feature that is
novel and unobvious over the prior art; and solves a technical problem using
a technical solution.” 37 C.F.R. § 42.301(b). Both prongs must be satisfied
in order for the patent to be excluded as a technological invention. See
Apple Inc. v. Ameranth, Inc., 842 F.3d 1229, 1240 (Fed. Cir. 2016) (“We
need not address this argument regarding whether the first prong of 37
C.F.R. § 42.301(b) was met, as we affirm the Board’s determination on the
second prong of the regulation. . . .”); see also 157 CONG. REC. S1364 (daily
ed. Mar. 8, 2011) (Sen. Schumer stated the “‘technological invention’
exception only excludes those patents whose novelty turns on a
technological innovation over the prior art and are concerned with a
technical problem which is solved with a technical solution”) (emphases
CBM2016-00063 Patent 8,266,432 B2
27
added). Therefore, a patent would not be excluded as a technological
invention if one of the prongs is deficient.
The following claim drafting techniques, for example, typically do not
render a patent a technological invention:
(a) Mere recitation of known technologies, such as computer hardware, communication or computer networks, software, memory, computer-readable storage medium, scanners, display devices or databases, or specialized machines, such as an ATM or point of sale device.
(b) Reciting the use of known prior art technology to accomplish a process or method, even if that process or method is novel and non-obvious.
(c) Combining prior art structures to achieve the normal, expected, or predictable result of that combination.
Office Patent Trial Practice Guide, 77 Fed. Reg. 48,756, 48,763–64
(Aug. 14, 2012).
Here, Petitioner asserts that the ’432 patent is not directed to a
technological invention, and, thus, should not be excluded from the
definition of a covered business method patent. Pet. 12–16. In Petitioner’s
view, the Specification confirms that the computer-related limitations recited
in the claims are merely standard computer features. Id. at 14 (citing
Ex. 1001, 5:5–10, 4:67–5:4).
In our Institution Decision (Dec. 12–13), we determined that the claim
elements that were allegedly novel technological features—a centralized
authentication system (central-entity), the digital identity (user specific
information and dynamic code), and the communication between the
centralized system, external-entity, and user during a transaction—appear to
CBM2016-00063 Patent 8,266,432 B2
28
have been known in the art, in light of the prior art in this record. See, e.g.,
Ex. 1032. Subsequent to institution, neither party disagrees with our
analysis as to the “technological invention” exception under § 18(d) of AIA.
See generally PO Resp.; Reply.
Indeed, those claim elements merely utilize generic computers. See,
e.g., Ex. 1001, 6:27–30 (“a computer associated with a central-entity”).
And, using user-specific information (e.g., a user name) and a dynamic code
(e.g., a one-time password) for authenticating a user was known in the art at
the time of the invention. See, e.g., Ex. 1032 ¶¶ 9, 48. Reciting the use of
known prior art features to perform a method does not render a patent a
technological invention. Moreover, Petitioner explains sufficiently why
claim 1, as a whole, does not recite a technological feature that is novel and
non-obvious over the prior art of record. Pet. 28–56 (explaining how
claim 1, as a whole, is anticipated by Norefors). Claim 1 is merely the
recitation of known technologies to perform a method, which indicates that
it is not a patent for a technological invention. See Office Patent Trial
Practice Guide, 77 Fed. Reg. at 48,764 (examples (a) and (b), which are
reproduced above).
In view of the foregoing, we maintain our determination that claim 1,
as a whole, does not recite a technological feature that is novel and
non-obvious over the prior art. Because one of the prongs set forth in 37
C.F.R. § 42.301(b), for determining whether a patent is a technological
invention, is deficient, it is not necessary for us to address Petitioner’s
arguments regarding whether the claimed subject matter solves a technical
CBM2016-00063 Patent 8,266,432 B2
29
problem using a technical solution. Pet. 14–16. Accordingly, the ’432
patent is not excluded as a technological invention.
3. Conclusion
For the foregoing reasons, we conclude that the ’432 patent is a
covered business method patent under AIA § 18(d)(1) and is eligible for
review using the transitional covered business method patent program.
C. Principles of Law
To establish anticipation, each and every element in a claim, arranged
as recited in the claim, must be found in a single prior art reference. Net
MoneyIN, Inc. v. VeriSign, Inc., 545 F.3d 1359, 1369 (Fed. Cir. 2008). It is
well settled that “the reference need not satisfy an ipsissimis verbis test.” In
re Gleave, 560 F.3d 1331, 1334 (Fed. Cir. 2009); In re Bond, 910 F.2d 831,
832–33 (Fed. Cir. 1990). In an anticipation analysis, “it is proper to take
into account not only specific teachings of the reference but also the
inferences which one skilled in the art would reasonably be expected to draw
therefrom.” In re Preda, 401 F.2d 825, 826 (CCPA 1968); In re Graves, 69
F.3d 1147, 1152 (Fed. Cir. 1995) (“A reference anticipates a claim if it
discloses the claimed invention ‘such that a skilled artisan could take its
teachings in combination with his own knowledge of the particular art and
be in possession of the invention.’” (citation and emphasis omitted)). Prior
art references must be “considered together with the knowledge of one of
ordinary skill in the pertinent art.” Paulsen, 30 F.3d at 1480 (quoting In re
Samour, 571 F.2d 559, 562 (CCPA 1978)).
CBM2016-00063 Patent 8,266,432 B2
30
A patent claim is unpatentable under 35 U.S.C. § 103(a) if the
differences between the claimed subject matter and the prior art are such that
the subject matter, as a whole, would have been obvious at the time the
invention was made to a person having ordinary skill in the art to which said
subject matter pertains. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406
(2007). The question of obviousness is resolved on the basis of underlying
factual determinations including: (1) the scope and content of the prior art;
(2) any differences between the claimed subject matter and the prior art;
(3) the level of ordinary skill in the art; and (4) objective evidence of
nonobviousness. Graham v. John Deere Co., 383 U.S. 1, 17–18 (1966).
D. Level of Ordinary Skill
In determining the level of ordinary skill in the art, various factors
may be considered, including the “type of problems encountered in the art;
prior art solutions to those problems; rapidity with which innovations are
made; sophistication of the technology; and educational level of active
workers in the field.” In re GPAC Inc., 57 F.3d 1573, 1579 (Fed. Cir. 1995)
(citation omitted). Petitioner’s declarant, Seth Nielson, Ph.D., testifies that a
person with ordinary skill in the art “would have had a Bachelor of Science
Degree in Electrical Engineering, Computer Engineering, or Computer
Science with related work experience.” Ex. 1003 ¶ 26. Patent Owner’s
declarant, Dr. Weaver, testifies similarly that such an artisan would have had
a Bachelor of Science Degree in these technical fields “or a related technical
degree, possibly with some additional post-degree work experience with
CBM2016-00063 Patent 8,266,432 B2
31
system engineering (or equivalent).” Ex. 2010 ¶ 28. We do not discern any
meaningful differences between the parties’ assessments of the level of
ordinary skill in the art, particularly given Dr. Weaver’s assessment of what
experience an ordinarily skilled artisan “possibly” would have had.
Therefore, we adopt Dr. Nielson’s assessment of a person with ordinary skill
in the art. We further note that the prior art of record in the instant
proceeding reflects the appropriate level of ordinary skill in the art. See
Okajima v. Bourdeau, 261 F.3d 1350, 1354–55 (Fed. Cir. 2001) (“the prior
art itself reflects an appropriate level” of ordinary skill in the art).
E. Whether the ’432 Patent is Entitled to the Benefit of a Prior Filing Date
Under 35 U.S.C. § 120, a patent claim is entitled to the benefit of the
filing date of a prior-filed application only if the original disclosure of the
prior-filed application provides written description support for the patent
claim as required by 35 U.S.C. § 112, first paragraph. In re NTP, Inc., 654
F.3d 1268, 1276–77 (Fed. Cir. 2011); see also Augustine Med., Inc. v.
Gaymar Indus., Inc., 181 F.3d 1291, 1302–03 (Fed. Cir. 1999) (noting that
different claims of a continuation-in-part application may receive different
effective filing dates because subject matter that arises for the first time in a
continuation-in-part application does not receive the benefit of the filing date
of the parent application). The test for determining compliance with the
written description requirement is whether the original disclosure of the
prior-filed application reasonably would have conveyed to a person having
ordinary skill in the art that the inventor had possession of the claimed
CBM2016-00063 Patent 8,266,432 B2
32
subject matter at the time of the prior-filed application’s filing date. Ariad
Pharms., Inc. v. Eli Lilly & Co., 598 F.3d 1336, 1351 (Fed. Cir. 2010) (en
banc); Vas-Cath Inc. v. Mahurkar, 935 F.2d 1555, 1563–64 (Fed. Cir. 1991).
Here, the application that issued as the ’432 patent has an actual filing
date of September 15, 2008. Ex. 1001, [22]. The ’432 patent claims, as a
continuation-in-part application, the benefit of the filing dates of the
following prior-filed, non-provisional applications (Ex. 2008):
(1) U.S. Patent Application No. 09/940,635 (Ex. 1016, “the ’635
application”), which was filed on August 29, 2001, and issued as U.S.
Patent No. 7,356,837 B2 (Ex. 1005, [21], [22], [10], “the ’837 patent”);
(2) U.S. Patent Application No. 11/239,0466 (Ex. 1014, “the ’046
application”), which was filed on September 30, 2005, and issued as U.S.
Patent No. 7,444,676 B1 (Ex. 1015, [21], [22], [10], “the ’676 patent”); and
(3) U.S. Patent Application No. 11/333,400 (Ex. 2009, “the ’400
application”), which was filed on January 18, 2006, and issued as U.S.
Patent No. 8,281,129 B1 (Ex. 2004, [21], [22], [10], “the ’129 patent”).
It is undisputed that there can be no copendency between the ’635
application, which issued as a patent on April 8, 2008, and the application
that issued as the ’432 patent, which was filed on September 15, 2008,
6 There appears to be a typographical error in the Certificate of Correction issued on October 25, 2016. Although the correction to the Specification of the ’432 patent correctly lists “Ser. No. 11/239,046,” the correction to the title page lists “No. 11/239,048.” Ex. 2008; see also Ex. 2006, 3 (correctly listing “11/239,046”).
CBM2016-00063 Patent 8,266,432 B2
33
unless there is an intermediate application that meets the requirements of
§ 120. Compare Ex. 1001, [22], with Ex. 1005, [45]. Patent Owner takes
the position that each of the ’400 application and the ’046 application
qualifies as such an intermediate application. PO Resp. 11–27.
Patent Owner’s chart (reproduced below with annotations) shows the
’432 patent’s benefit claims (Prelim. Resp. 38).
Similar to Patent Owner’s chart above, the Certificate of Correction, which
was issued on October 25, 2016, after we instituted this trial, also shows that
the ’432 patent claims the benefit of the filing date of the ’635 application,
through either the ’400 application or the ’046 application. Ex. 2008, 1–2.
The parties’ dispute centers on whether either of these intermediate
applications, as originally filed, provides adequate written description
support for the challenged claims. Petitioner argues that, because neither
intermediate application provides the required written description support,
Norefors, which published on May 4, 2006, prior to the actual filing date
CBM2016-00063 Patent 8,266,432 B2
34
(September 15, 2008) of the ’432 patent, is prior art under § 102(b). Pet. 4,
16–28; Reply 12–35. Patent Owner disagrees, arguing that the claims at
issue are entitled to the benefit of the filing date (August 29, 2001) of the
’635 application, thereby antedating Norefors, because the original
disclosure each of the ’400 application and the ’046 application provides
adequate written description support for the challenged claims. PO Resp.
12–28.
1. Burden of Proof
As an initial matter, we note that Petitioner has the burden of
persuasion to prove unpatentability by a preponderance of the evidence and
also has the initial burden of production. See Dynamic Drinkware, LLC v.
Nat’l Graphics, Inc., 800 F.3d 1375, 1380 (Fed. Cir. 2015). As discussed in
the Institution Decision, we determined that Petitioner satisfied its initial
burden of production by presenting sufficient explanations with supporting
evidence that the claims of the ’432 patent are not entitled to the benefit of
the filing dates of the ’635 application and the ’046 application—the benefit
claims presented in the ’432 patent at the time of filing the Petition.
Dec. 20–29; Pet. 16–28; Ex. 1003 ¶¶ 37–64; Exs. 1005, 1014, 1016.
At the preliminary stage of this proceeding, Patent Owner did not
challenge Petitioner’s assertions that Norefors either anticipates or, in
combination with Brown, renders obvious the challenged claims. Prelim.
Resp. 76–78. Instead, Patent Owner argued that Norefors is not prior art.
Id. We noted in our Institution Decision that the burden of production
CBM2016-00063 Patent 8,266,432 B2
35
shifted to Patent Owner to show that the challenged claims are entitled to the
benefit of an earlier effective filing date that is before the relevant date of
Norefors. Dec. 20–29, citing Dynamic Drinkware, 800 F.3d at 1380
(“The burden of production then shifted to [Patent Owner] to argue or
produce evidence that either [the reference] does not actually anticipate, or,
as was argued in this case, that [the reference] is not prior art because the
asserted claims in the [involved] patent are entitled to the benefit of a filing
date (constructive or otherwise) prior to the filing date of [the reference].”);
PowerOasis, Inc. v. T-Mobile USA, Inc., 522 F.3d 1299, 1305 (Fed. Cir.
2008) (“When neither the PTO nor the board has previously considered
priority, there is simply no reason to presume that claims in a
[continuation-in-part] application are entitled to the effective filing date of
an earlier filed application.”).
After institution, Patent Owner submitted a copy of the Decision
granting Patent Owner’s Petition to Accept an Unintentionally Delayed
Benefit Claim (Ex. 2006) and the Certificate of Correction for correcting the
benefit claims of the ’432 patent (Ex. 2008). Patent Owner alleges that the
correction establishes another chain of benefit claims to the filing date of the
’635 application through the ’400 application. PO Resp. 10–11.
However, this merely shows that Patent Owner has corrected the ’432
patent to add a specific reference for the ’400 application. See Ex. 2006, 1
(petition decision stating that “[t]his acceptance should not be construed as
meaning that any claim in this patent is entitled to the benefit of the
prior-filed applications”). Patent Owner still has the burden to show
CBM2016-00063 Patent 8,266,432 B2
36
sufficiently that the original disclosure of at least one of the intermediate
applications—the ’400 application or the ’046 application—provides
adequate written description support for the challenged claims. See Tech.
Licensing Corp. v. Videotek, Inc., 545 F.3d 1316, 1327 (Fed. Cir. 2008)
(explaining that the patentee’s burden of production for showing an asserted
reference is not prior art includes “not only the existence of the earlier
application, but why the written description in the earlier application
supports the claim”); see also Research Corp. Techs., Inc. v. Microsoft
Corp., 627 F.3d 859, 870–71 (Fed. Cir. 2010) (holding that the patentee
carries the burden to show entitlement to a priority date when the patentee
relies on that priority date to overcome an anticipation or obviousness
argument). We will address below each of the intermediate applications in
turn.
2. Whether the ’400 application supports the challenged claims
Patent Owner alleges that the ’129 patent7 provides adequate written
description support for the challenged claims of the ’432 patent. PO Resp.
13–20. As support, Patent Owner proffers detailed explanations (id.), claim
charts (id., App’x 1), and Dr. Weaver’s testimony (Ex. 2010 ¶¶ 42–53).
7 Patent Owner asserts that the specification and drawings of the ’129 patent “are substantially identical to those of the originally-filed application 11/333,400 (Ex. 2009).” PO Resp. 13. Petitioner does not challenge this assertion. Both parties cite to the ’129 patent, rather than the ’400 application’s original disclosure. For efficiency, we cite to the ’129 patent as well.
CBM2016-00063 Patent 8,266,432 B2
37
Petitioner counters that the ’129 patent fails to provide adequate written
description support for certain claim elements, citing Dr. Nielson’s
testimony for support. Reply 15–26 (citing Ex. 1054 ¶¶ 42−67).
For the reasons that follow, we determine that Patent Owner fails to
demonstrate sufficiently that the ’129 patent provides adequate written
description support for the claim elements addressed below.
Dynamic code
Independent claims 1 and 25 of the ’432 patent each require a
central-entity to generate a dynamic code for a user. Ex. 1001, 6:24–57,
7:54–8:7. As discussed above in the claim construction section of this
Decision (Section II.A), we agree with Patent Owner that the claim term
“dynamic code” encompasses alphanumeric and non-alphanumeric codes
that are non-predictable and time dependent. PO Resp. 10.
In its Response, Patent Owner contends that an ordinarily skilled
artisan would have reasonably concluded that the “dynamic key” disclosed
in the ’129 patent “provides sufficient written description support for the
claimed ‘dynamic code’ of the ’432 Patent, as construed,” citing
Dr. Weaver’s testimony for support. Id. at 19–20 (citing Ex. 2004, 8:13–22;
Ex. 2008 ¶ 53). However, the portion of the ’129 patent relied upon by
Patent Owner and Dr. Weaver merely discloses that the “dynamic key is an
alphanumeric code,” but it does not describe a non-alphanumeric code.
Ex. 2004, 8:13–22 (emphasis added). Dr. Weaver’s testimony merely
repeats Patent Owner’s contention. Ex. 2010 ¶ 53. In fact, there is no
explanation as to why a person of ordinary skill in the art would have
CBM2016-00063 Patent 8,266,432 B2
38
understood the inventor of the ’129 patent to have possession of a
non-alphanumeric dynamic code. PO Resp. 20; Ex. 2010 ¶ 53.
Although the prior-filed application need not describe the claimed
subject matter in precisely the same terms as found in the claims at issue, the
prior-filed application must convey with reasonable clarity to a person with
ordinary skill in the art that, as of the filing date sought, the patentee was in
possession of the full scope of the claims, as construed. X2Y Attenuators,
LLC v. ITC, 757 F.3d 1358, 1365 (Fed. Cir. 2014). “[I]t is well settled that a
written description analysis depends on a proper claim construction because,
among other reasons, a claim is entitled to the priority date of an earlier
application only if the earlier specification provides sufficient written
support for the full scope of the claim.” Id.; Tech. Licensing, 545 F.3d at
1331–32; see also LizardTech, Inc. v. Earth Resource Mapping, Inc., 424
F.3d 1336, 1345 (Fed. Cir. 2005) (explaining that “[w]hether the flaw in the
specification is regarded as a failure to demonstrate that the patentee
possessed the full scope of the invention recited in [the claim] or a failure to
enable the full breadth of that claim, the specification provides inadequate
support for the claim under section 112, paragraph one”).
For the reasons stated above, we determine that Patent Owner fails to
establish sufficiently that the original disclosure of the ’400 application
(or the ’129 patent) provides adequate written description support for the
aforementioned “dynamic code” claim element, as required by independent
claims 1 and 25, and dependent claims 2, 3, 5–10, 12–24, 26–28, 30–45,
and 47.
CBM2016-00063 Patent 8,266,432 B2
39
Authenticating a user during an electronic transaction
Each independent claim (and thus each challenged claim) of the ’432
patent requires authenticating a user during an electronic transaction
between the user and an external-entity. Ex. 1001, 6:24–10:32. As Patent
Owner acknowledges, the steps or functions recited in each independent
claim are required to be performed during the transaction between the user
and external-entity. PO Resp. 17−19. For example, claim 1 recites
“authenticating by the central-entity the user and providing a result of the
authenticating to the external-entity during the transaction if the digital
identity is valid.” Ex. 1001, 6:45−47.
Patent Owner confirms that the ’129 patent “does not expressly state
that certain functions are performed ‘during a transaction,’ as recited in the
claims” of the ’432 patent. PO Resp. 17. Nevertheless, Patent Owner
argues that an ordinarily skilled artisan would have reasonably concluded
that the ’129 patent discloses that the recited steps or functions are
performed during a transaction between the user and external-entity, as
required by the claims. Id. As support, Patent Owner cites to both Figure 2
of the ’432 patent and Figure 2a of the ’129 patent, arguing that both patents
disclose a process in which an entity authenticates a user during a period
after an electronic transaction between a user and external-entity is initiated,
and before such a transaction is permitted to be completed. Id. at 17–19
(citing Ex. 2004, 9:15–49, Fig. 2a; Ex. 2010 ¶¶ 49–52).
Patent Owner’s argument and Dr. Weaver’s testimony are conclusory,
and use the disclosure of the ’432 patent to fill in the gaps of the ’129 patent.
CBM2016-00063 Patent 8,266,432 B2
40
Notably, a discussion that combines both Figure 2 of the ’432 patent and
Figure 2a of the ’129 patent does not address whether the ’129 patent itself
has sufficient written description support for the challenged claims of the
’432 patent.
As our reviewing court has recognized, “the issue is whether a person
skilled in the art would understand from the earlier application alone,
without consulting the new matter in the [later] patent, that the inventor had
possession of the claimed [subject matter]” when the earlier application was
filed. Tech. Licensing, 545 F.3d at 1333–34 (emphasis added). In
Lockwood, the court held:
While the meaning of terms, phrases, or diagrams in a disclosure is to be explained or interpreted from the vantage point of one skilled in the art, all the limitations must appear in the specification. The question is not whether a claimed invention is an obvious variant of that which is disclosed in the specification. Rather, a prior application itself must describe an invention, and do so in sufficient detail that one skilled in the art can clearly conclude that the inventor invented the claimed invention as of the filing date sought.
Lockwood v. Am. Airlines, Inc., 107 F.3d 1565, 1571–72 (Fed. Cir. 1997)
(emphases added).
As noted above, the claims require authenticating a user by the
central-entity and providing a result of the authentication to the
external-entity during the transaction between the user and external-entity if
the digital identity is valid. Ex. 1001, 6:45−47. To be clear, the
authentication by the central-entity is not the transaction between the user
CBM2016-00063 Patent 8,266,432 B2
41
and external-entity because the authentication must be completed before the
transaction is completed.
Notably, the ’432 patent describes a customer’s attempt to access a
seller’s restricted website, or to purchase goods or services from a seller, as a
transaction between the seller and its customer. Ex. 1001, 4:12–14, 5:5–43,
Fig. 4, claims 6, 31. In contrast, the portion of the ’129 patent (Ex. 2004,
9:15–49, Fig. 2a.) relied upon by Patent Owner (PO Resp. 17–19) and
Dr. Weaver (Ex. 2010 ¶¶ 49–52) discloses merely an authentication process,
not a transaction between a user and an external-entity, as required by the
claims of the ’432 patent.
Patent Owner’s explanation uses the ’432 patent’s disclosure,
regarding accessing a restricted website, to fill in the gaps of the ’129 patent.
PO Resp. 17–19. In addition, Patent Owner’s explanation of “an example
embodiment” of the ’129 patent referring to a generic transaction (id. at 18–
19) is not supported by the cited portions of the ’129 patent. Dr. Weaver’s
testimony that Figure 2 of the ’129 patent “discloses that the
trusted-authenticator 30 authenticates an individual 10 before a transaction
can be completed between the individual 10 and the business 20” also is not
supported by the ’129 patent itself. Ex. 2010 ¶¶ 49–52.
At best, the ’129 patent describes an interaction between business 20
and individual 10 when business 20 requests static and dynamic keys from
individual 10 (step 110) and individual 10 provides the keys to business 20
(step 112). Ex. 2004, 9:15−49, Fig. 2a. However, this interaction occurs
prior to the following steps of authentication: (1) sending the authentication
CBM2016-00063 Patent 8,266,432 B2
42
message by business 20 to trusted-authenticator 30 (step 120);
(2) authenticating the user by trusted-authenticator 30; and (3) sending the
result of the authentication by trusted-authenticator 30 to business 20
(step 126). Id. In short, authenticating the user and sending the
authentication result by trusted-authenticator 30 are performed after the
interaction between business 20 and individual 10, not during a transaction
between business 20 and individual 10, as required by the claims. Id. As
such, we are not persuaded by Patent Owner’s contentions (PO Resp.
17−19) and Dr. Weaver’s testimony (Ex. 2010 ¶¶ 49–52). See Rohm and
Haas Co. v. Brotech Corp., 127 F.3d 1089, 1092 (Fed. Cir. 1997) (nothing
requires a fact finder to credit the inadequately explained testimony of an
expert).
For the reasons stated above, we determine that Patent Owner fails to
demonstrate sufficiently that the original disclosure of the ’400 application
(or the ’129 patent) provides adequate written description support for the
claimed transaction and “authenticating by the central-entity the user and
providing a result of the authenticating to the external-entity during the
transaction” between the user and external-entity, as required by the
challenged claims.
Two central-entity computers
Each of independent claims 25, 48, and 52 of the ’432 patent requires
two central-entity computers. Ex. 1001, 7:54–8:7, 9:3–30, 10:5–25. For
example, claim 25 recites “a first central-entity computer adapted to:
generate a dynamic code for the user” and “a second central-entity computer
CBM2016-00063 Patent 8,266,432 B2
43
adapted to validate a digital identity in response to an authentication
request.” Id. at 7:57–65. Each of dependent claims 26–28, 30–45, 47, 50,
51, 54, and 55, by virtue of their dependence, also requires two central-entity
computers.
In this regard, Patent Owner argues that “[a]s construed, the trusted
authenticator 30 of FIG. 2a can comprise two computing devices, including
a first computing device that generates dynamic codes (e.g., a random
number generator unit) and provides such codes to users,” and “a second
computing device that authenticates keys (e.g., an authentication unit).” PO
Resp., App’x 1, pp. 13, 15, 22, 24, 25 (emphasis added).
However, as Petitioner and Dr. Nielson note (Reply 24–26; Ex. 1054
¶¶ 57, 62, 67), trusted authenticator 30, as shown in Figure 2a of the ’129
patent, does not have two computing devices. Ex. 2004, Fig. 2a.
Significantly, Patent Owner does not cite, nor can we discern, any other
portion of the ’129 patent that discloses two computing devices associated
with the trusted authenticator, much less “a random number generator unit”
and “an authentication unit.” Patent Owner’s attorney argument is entitled
to little probative value, as it is conclusory and unsupported by credible
factual evidence. In re Geisler, 116 F.3d 1465, 1470 (Fed. Cir. 1997)
(attorney arguments and conclusory statements that are unsupported by
factual evidence are entitled to little probative value); see also Estee Lauder
Inc. v. L’Oreal, S.A., 129 F.3d 588, 595 (Fed. Cir. 1997) (arguments of
counsel cannot take the place of evidence lacking in the record).
CBM2016-00063 Patent 8,266,432 B2
44
It is well settled that “[e]ntitlement to a filing date does not extend to
subject matter which is not disclosed, but would be obvious over what is
expressly disclosed.” Lockwood, 107 F.3d at 1571–72. “It is not sufficient
for purposes of the written description requirement of § 112 that the
disclosure, when combined with the knowledge in the art, would lead one to
speculate as to modifications that the inventor might have envisioned, but
failed to disclose.” Id. at 1572. Nor does the fact that the claimed subject
matter could have been “envisioned” from the earlier disclosure establish
adequate written description support. Goeddel v. Sugano, 617 F.3d 1350,
1356 (Fed. Cir. 2010).
For the foregoing reasons, we determine that Patent Owner has not
established sufficiently that the original disclosure of the ’400 application
(or the ’129 patent) provides adequate written description support for the
invention recited in any of the challenged claims of the ’432 patent.
3. Whether the ’046 application supports the challenged claims
Patent Owner alleges that the ’676 patent8 provides adequate written
description support for the challenged claims of the ’432 patent. PO Resp.
21–28. As support, Patent Owner proffers detailed explanations (id.), claim
8 Patent Owner asserts that the specification and drawings of the ’676 patent “are substantially identical to those of the originally-filed application 11/239,046 (Ex. 1014).” PO Resp. 21. Petitioner does not challenge this assertion. Both parties cite to the ’676 patent, rather than the ’046 application’s original disclosure. For efficiency, we cite to the ’676 patent as well.
CBM2016-00063 Patent 8,266,432 B2
45
charts (id., App’x 2) and Dr. Weaver’s testimony (Ex. 2010 ¶¶ 63–76).
Petitioner counters that the ’046 application fails to provide adequate written
description support for certain claim elements, citing Dr. Nielson’s
testimony for support. Reply 26–35 (citing Ex. 1054 ¶¶ 84−111).
For the reasons that follow, we determine that Patent Owner fails to
demonstrate sufficiently that the ’676 patent provides adequate written
description support for the claim elements addressed below.
Dynamic code and Digital identity
Each independent claim requires the central-entity to generate
“a dynamic code for the user,” and an authentication request based on
“a user-specific information and the dynamic code as the digital identity.”
See, e.g., Ex. 1001, 6:31−32, 38–44 (emphases added). As discussed above
in the claim construction section (Section II.A), we construe the claim term
“dynamic code” to encompass alphanumeric and non-alphanumeric codes
that are non-predictable and time dependent. Consistent with the definition
in the Specification, we also construe the claim term “digital identity” as “a
combination of a user’s SecureCode and the user’s information such as
UserName, which may result in a dynamic, non-predictable and time
dependable digital identity that could be used to identify a user as an
authorized user.” Id. at 2:41–43, 3:22–23. More importantly, the claim
language itself requires the claimed “digital identity” to include both a
user-specific information and a dynamic code.
Patent Owner argues that the “digital identity” disclosed in the ’676
patent (“the ’676 digital identity”) provides sufficient written description
CBM2016-00063 Patent 8,266,432 B2
46
support for the claimed “dynamic code” in the ’432 patent. PO Resp. 27,
App’x 2, pp. 2, 12–13, 19, 23−24; Ex. 2010 ¶ 76. We agree that the
definition of the ’676 digital identity—“a dynamic, non-predictable and time
dependent alphanumeric code” (Ex. 1015, 4:43–50)—describes an
alphanumeric “dynamic code,” as required by certain challenged claims in
the ’432 patent. Compare Ex. 1015, 4:43–54 (’676 patent definition of
“digital identity”), with Ex. 1001, 2:35–40 (’432 patent definition of
“SecureCode”).
However, as Petitioner correctly notes (Reply 30–31), Patent Owner
in its claim chart attempts to map the ’676 digital identity to both the
claimed “dynamic code” and the claimed “digital identity.” PO Resp.,
App’x 2, pp. 2−4, 12–15, 19−21, 23−25. As discussed above, the claimed
“dynamic code” and the claimed “digital identity” are different. See Section
II.A. supra (construing these terms).
Patent Owner’s showing ignores that the claimed “digital identity”
requires a combination of a user-specific information and a dynamic code,
not merely a dynamic code. See id. Patent Owner’s argument also conflates
the ’676 digital identity with the ’432 patent’s digital identity, using the
disclosure of the ’432 patent to fill in the gaps of the ’676 patent. Id. As we
discuss above, to satisfy the written description support requirement, the
“prior application itself must describe” the challenged claims in sufficient
detail. Lockwood, 107 F.3d at 1571−72; Tech. Licensing, 545 F.3d at 1333–
34.
CBM2016-00063 Patent 8,266,432 B2
47
Dr. Weaver’s testimony (Ex. 2010 ¶ 76) merely repeats Patent
Owner’s argument (PO Resp. 27). Neither Patent Owner nor Dr. Weaver
proffers any explanation as to where the ’676 patent discloses a digital
identity that includes a combination of a user-specific information and a
dynamic code, as required by each challenged claim. PO Resp. 27, App’x 2,
pp. 2−4, 12–15, 19−21, 23−25; Ex. 2010 ¶ 76.
For the reasons stated above, we determine that Patent Owner fails to
establish sufficiently that the original disclosure of the ’046 application
(or the ’676 patent) provides adequate written description support for the
aforementioned “digital identity” claim element, as required by each
challenged claim.
Authenticating a user during an electronic transaction
Each challenged claim requires the following steps or functions to be
performed by a central-entity during a transaction between a user and an
external-entity: (1) the central-entity providing a dynamic code to the user;
(2) the central-entity receiving an authentication request from the
external-entity; and (3) the central-entity providing a result of the
authentication to the external-entity if the digital identity is valid. Ex. 1001,
6:24–10:32.
Patent Owner argues that an electronic funds transfer between an
originator and a receiver, as disclosed in the ’676 patent, provides written
description support for the claimed “transaction.” PO Resp. 25–27.
CBM2016-00063 Patent 8,266,432 B2
48
Figure 8 of the ’676 patent is reproduced below.
Figure 8 above illustrates the online payment transaction between
originator 20 and receiver 40, relied upon by Patent Owner (PO Resp. 25–
27) and Dr. Weaver (Ex. 2010 ¶¶ 73–75). Patent Owner avers that the ’676
patent provides support for the claimed user (originator 20), external-entity
(receiver 40), and central-entity (Digital Identity Operator or DID Operator
30). PO Resp. 21–25, App’x 2, page 1.
Petitioner counters that Patent Owner has not shown sufficiently that
the ’676 patent provides adequate written description support for the
aforementioned steps, as required by each challenged claim. Reply 31–34;
Ex. 1054 ¶¶ 72–86. We agree with Petitioner.
CBM2016-00063 Patent 8,266,432 B2
49
As to the first aforementioned step or function, which requires a
central-entity providing the dynamic code to the user, Patent Owner asserts
that DID Operator 30 (the alleged central-entity), in the ’676 patent,
forwards a digital identity to OPFI (Originating Participating Financial
Institution) 25, and then OPFI 25 presents it to originator 20 (the alleged
user). PO Resp., App’x 2, pp. 2–3, 12–13, 19–20, 24–25. However, as
Dr. Nielson correctly explains, “in the ’676 patent, the OPFI 25, not the DID
Operator 30, provides the digital identity 10 to the user.” Ex. 1054 ¶ 86.
Dr. Nielson testifies that this difference between the challenged claims and
the ’676 patent is significant because the ’676 patent discloses a relationship
between the originator and the OPFI, and a relationship between the various
PFIs and the DID Operator, but not between the originator and the DID
Operator. Id. Dr. Nielson further testifies that there is no existing trusted
relationship between the originator and DID Operator in the ’676 patent. Id.
Dr. Nielson’s testimony is consistent with the disclosure of the ’676 patent
and is persuasive.
Indeed, in the ’432 patent, the central-entity centralizes the user’s
personal and financial information and the authentication of the user.
Ex. 1001, 2:52–59, 3:30–40, 4:3–17. In contrast, DID Operator 30, in the
’676 patent, is merely “the digital identity authority that provides digital
identity-based authentication and authorization services to the Participating
Financial Institutions (PFIs).” Ex. 1015, 9:57–10:6 (emphasis added). In
fact, as the ’676 patent describes, originator 20 must authenticate himself or
CBM2016-00063 Patent 8,266,432 B2
50
herself first to OPFI 25, and then OPFI 25 starts the payment process by
requesting a digital identity from DID Operator 30. Id. at 11:50–56.
For these reasons, we are not persuaded that Patent Owner has shown
sufficiently that the ’676 patent provides adequate written description
support for the claimed step or function that requires a central-entity
providing a dynamic code to the user.
With respect to the second aforementioned claimed step or function,
which requires the central-entity to receive an authentication request from
the external-entity, Patent Owner asserts that RPFI (Receiving Participating
Financial Institution) 35 sends a Digital Identity Message to DID Operator
30. PO Resp., App’x 2, pp. 3–4, 14–15, 20–21, 25. Importantly, as
Petitioner notes (Reply 31), DID Operator 30 (the alleged central-entity)
receives the message from RPFI 35, not receiver 40 (the alleged external-
entity). Dr. Nielson testifies that this difference is significant because
communicating through an additional party increases “opportunity for the
digital identity to be intercepted or compromised, decreasing security.”
Ex. 1054 ¶ 85. Neither Patent Owner, nor Dr. Weaver, explains this
deficiency in their analysis. PO Resp., App’x 2, page 3; Ex. 2010 ¶¶ 70–75.
Based on the evidence before us, we are not persuaded that Patent Owner
has shown sufficiently that the ’676 patent provides adequate written
description support for the claimed step or function that requires the
central-entity to receive an authentication request from the external-entity.
With respect to the third aforementioned claimed step or function,
which requires the central-entity to provide a result of the authentication to
CBM2016-00063 Patent 8,266,432 B2
51
the external-entity, Patent Owner contends DID Operator 30 sends a
message to OPFI 25 upon successful validation and identification, and RPFI
35 transfers the funds to receiver’s account and notifies receiver 40
accordingly. PO Resp., App’x 2, pp. 4–5, 15–16, 21–23, 26–27. Again,
Petitioner’s arguments to the contrary, supported by the disclosure of the
’676 patent and the testimony of Dr. Nielson, are persuasive. As Petitioner
points out (Reply 33–34), the DID Operator’s message is sent to OPFI 25,
not receiver 40 (the alleged external-entity), and the subsequent funds
transfer and notification is sent by RPFI 35, not the DID Operator (the
alleged central-entity). Ex. 1015, 12:31–51. Moreover, Dr. Nielson testifies
that the subsequent transfer of funds and notification “are not provided to the
receiver by the DID Operator and are not the result of the authentication
made by the DID Operator.” Ex. 1054 ¶ 78 (citing Ex. 1015, Fig. 6, steps
158, 160, Fig. 7, steps 182, 195, Fig. 10, steps 265, 268, Fig. 11, steps 288,
298). Based on the evidence before us, we are not persuaded that Patent
Owner has shown sufficiently that the ’676 patent provides adequate written
description support for the claimed step or function that requires the
central-entity to provide a result of the authentication to the external-entity.
For the foregoing reasons, we determine that Patent Owner has not
shown sufficiently that the original disclosure of the ’046 application (or the
’676 patent) provides adequate written description support for the
aforementioned steps or functions to be performed by a central-entity during
a transaction between a user and an external-entity, as required by each
challenged claim.
CBM2016-00063 Patent 8,266,432 B2
52
Two central-entity computers
Each of independent claims 25, 48, and 52 of the ’432 patent requires
two central-entity computers. Ex. 1001, 7:54–8:7, 9:3–30, 10:5–25. In this
regard, Patent Owner argues that “[a]s construed, the DID Operator 30 can
comprise two computing devices, including a first computing device that
generates digital identities (e.g., using a random number generator unit) and
provides such codes to originators 20 via OPFI 25,” and “a second
computing device that authenticates keys (e.g., an authentication unit).” PO
Resp., App’x 2, pp. 12, 14, 21, 23, 25 (emphasis added).
However, as Petitioner and Dr. Nielson note (Reply 34–35; Ex. 1054
¶¶ 95, 103, 111), DID Operator 30, as shown in Figure 8 of the ’676 patent,
does not have two computing devices. Ex. 1015, Fig. 8. Significantly,
Patent Owner does not cite, nor can we discern, any other portion of the ’676
patent that discloses two computing devices associated with DID Operator
30, much less “a random number generator unit” and “an authentication
unit.” See Lockwood, 107 F.3d at 1572. Patent Owner’s attorney argument
is entitled to little probative value, as it is conclusory and unsupported by
credible factual evidence. See Geisler, 116 F.3d at 1470; Estee Lauder, 129
F.3d at 595.
Based on the evidence in this record, we determine that Patent Owner
has not established sufficiently that the original disclosure of the ’046
application (or the ’676 patent) provides adequate written description
support for the invention recited in any of the challenged claims of the ’432
patent.
CBM2016-00063 Patent 8,266,432 B2
53
4. Conclusion on the Benefit Claims
For the foregoing reasons, we conclude that Patent Owner fails to
establish sufficiently that the original disclosure of either the ’400
application or the ’046 application provides adequate written description
support for the challenged claims. Consequently, the challenged claims of
the ’432 patent are not entitled to the benefit of the prior filing dates of the
’400 application, the ’046 application, and the ’635 application. As a result,
Norefors—published on May 4, 2006, before the actual filing date of the
’432 patent (September 15, 2008)—is prior art under 35 U.S.C. § 102(b) as
to the challenged claims.
F. Anticipation Ground Based on Norefors
Petitioner asserts that claims 1, 3, 5–8, 12, 13, 15–27, 30–42, 44, 45,
47, 48, 50–52, 54, and 55 are unpatentable under § 102(b) as anticipated by
Norefors. Pet. 28–56. In support of its assertion, Petitioner provides
detailed explanations as to how Norefors describes each claim limitation. Id.
Petitioner also directs us to relevant portions of Dr. Nielson’s Declaration
for support. Ex. 1003.
Patent Owner does not challenge Petitioner’s anticipation analysis
substantively, but instead maintains that Norefors is not prior art relative to
the challenged claims because the claims are entitled to a priority date of
August 29, 2001, which is prior to the filing date of Norefors. PO Resp. 27–
28. As discussed above, however, Patent Owner has not established such an
CBM2016-00063 Patent 8,266,432 B2
54
entitlement, and, consequently, Norefors is prior art as to the challenged
claims.
Upon review of Petitioner’s contentions and supporting evidence, and
based on the full trial record, we agree with and adopt as our findings
Dr. Nielson’s unrebutted testimony regarding Norefors (Ex. 1003 ¶¶ 65–87)
and determine that Petitioner has demonstrated by a preponderance of the
evidence that Norefors describes the subject matter of claims 1, 3, 5–8, 12,
13, 15–27, 30–42, 44, 45, 47–48, 50–52, 54, and 55. In our discussion
below, we provide a brief summary of Norefors, and then we address certain
claim limitations as examples.
Norefors describes “an arrangement and a method for providing an
end user with access to an IP network.” Ex. 1032 ¶ 1. Figure 1 of Norefors
is reproduced below.
Figure 1 of Norefors depicts an arrangement through which access to
an IP network login can be provided. Id. ¶¶ 4, 48–55. The arrangement
includes user station 2, access server 3, web server 4, authentication
server 5, and mobile telephone system 6. Id. According to Norefors, access
CBM2016-00063 Patent 8,266,432 B2
55
server 3 is run by an Internet Service Provider (“ISP”) or a Wireless ISP, and
authentication server 5 may be a Radius Remote Access Dial-in server or a
Diameter server. Id. The organization running the access server can be a
different organization from the operator that controls the web and
authentication nodes, and has a commercial relationship with the user. Id.
Based on the evidence before us, we are persuaded by Petitioner’s
analysis, supported by Dr. Nielson’s unrebutted testimony, that Norefors
describes a method and apparatus for authenticating a user during an
electronic transaction (an access to the IP network) with an external-entity
(access server), in which a central-entity (operator controlling web server
and authentication server) generates a dynamic code (a one-time password
(“OTP”)) for the user and authenticates the user based on a user-specific
information (user name) and the dynamic code (OTP) as a digital identity, as
required by independent claims 1, 25, 48, and 52. Pet. 28–56; Ex. 1032
¶¶ 48–57, Figs. 1–3; Ex. 1003 ¶¶ 65–70.
CBM2016-00063 Patent 8,266,432 B2
56
Petitioner’s first annotated Figure 3 of Norefors is reproduced below
(Pet. 36).
Notably, Petitioner’s first annotated Figure 3 (steps 1–7) above
illustrates that, during the access transaction between the user and
external-entity (access server), the central-entity (operator controlling the
web server and authentication server) electronically receives a request for a
dynamic code (an OTP), generates a dynamic code (an OTP) for the user,
and provides the dynamic code (the OTP) to the user. Pet. 36–37; Ex. 1003
¶¶ 71–74; Ex. 1032 ¶ 56 (authentication server provides and forwards an
OTP to SMS-C of a mobile communications system, which transfers the
OTP to the user), Fig. 3.
CBM2016-00063 Patent 8,266,432 B2
57
Petitioner’s second annotated Figure 3 is reproduced below (Pet. 43).
Petitioner’s second annotated Figure 3 (steps 16–18) above illustrates
that the central-entity (the operator controlling the authentication server)
electronically receives an authentication request from the external-entity (the
access server) based on a user name and the dynamic code (the OTP) as
digital identity, and then authenticates the user and provides a result of the
authentication to the external-entity (the access server) during the access
transaction if the digital identity is valid. Pet. 41–44; Ex. 1003 ¶ 75;
Ex. 1032 ¶ 57 (the login message is sent to the access server (step 16); an
authentication request is subsequently sent to the Radius authentication
CBM2016-00063 Patent 8,266,432 B2
58
server (step 17); and the Radius authentication server responds with an
access accept message to the access server and the access server opens the
communication (step 18)), Fig. 3. Having considered the evidence in the full
trial record, we are persuaded that Norefors describes the subject matter of
independent claims 1, 25, 48, and 52.
As to dependent claims 3, 5–8, 12, 13, 15–24, 26, 27, 30–42, 44, 45,
47, 50, 51, 54, and 55, we also are persuaded by Petitioner’s analysis, which
is supported by Dr. Nielson’s unrebutted testimony, that Norefors describes
the additional limitations recited in these dependent claims. Pet. 44–56;
Ex. 1003 ¶¶ 65–87. For example, Petitioner explains how Norefors
describes that the user name and OTP are used in a non-financial transaction
for logging into a restricted IP network over a communication network that
is coupled with the user workstation, access server, web server, and
authentication server, as required by claims 3, 5–8, 15–17, 24, 30–35, 44,
47, 50, 51, 54, and 55. Id. at 44–45, 55–56; Ex. 1032 ¶¶ 2–7, 10–43, 49–60,
Figs. 1–3. As another example, Petitioner explains how Norefors describes
that if the OTP is invalid, the digital identity is invalid, and if the OTP is
valid, the digital identity is valid, as required by claims 20, 21, 38, and 39.
Pet. 48–49; Ex. 1032 ¶¶ 9 (“the second login phase only is performed if the
OTP is valid”), 11 (in the second phase, the user name and the OTP are used
as password), 33 (“checking the validity/authenticity of the user credentials,
e.g., password, user name, in authentication server”), 55 (“An authentication
request is then sent from the access server to the authentication server, which
checks the user credentials, 114, to verify if they are valid.”).
CBM2016-00063 Patent 8,266,432 B2
59
The explanations and supporting evidence provided by Petitioner as to
how each element of claims 1, 3, 5–8, 12, 13, 15–27, 30–42, 44, 45, 47, 48,
50–52, 54, and 55 is disclosed by Norefors have merit and are unrebutted by
Patent Owner. Based on the full trial record, we determine that Petitioner
has demonstrated by a preponderance of the evidence that these claims are
unpatentable under § 102(b) as anticipated by Norefors.
G. Obviousness of Claims over Norefors and Brown
Petitioner asserts that claims 2, 9, 10, 14, 28, and 43 are unpatentable
under 35 U.S.C. § 103(a) as obvious over the combination of Norefors and
Brown. Pet. 56–62, 64–66. Patent Owner does not challenge Petitioner’s
analysis substantively, but instead maintains that Norefors is not prior art
relative to the challenged claims because the claims are entitled to a priority
date of August 29, 2001, prior to the filing date of Norefors. PO Resp. 27–
28. As we discuss above, however, Patent Owner has not established such
an entitlement, and, consequently, Norefors is prior art as to the challenged
claims.
Upon review of Petitioner’s contentions and supporting evidence, and
based on the full trial record, we agree with and adopt as our findings
Dr. Nielson’s unrebutted testimony regarding Norefors and Brown (Ex. 1003
¶¶ 65–98) and determine that Petitioner has demonstrated by a
preponderance of the evidence that the combination of Norefors and Brown
renders obvious claims 2, 9, 10, 14, 28, and 43. Pet. 58–62, 64–66. To
support its arguments regarding this obviousness ground, Petitioner relies on
CBM2016-00063 Patent 8,266,432 B2
60
its anticipation analysis based on Norefors for the limitations recited in
independent claims 1 and 25 (Pet. 28–56; Ex. 1003 ¶¶ 65–87), and explains
how the combination of Norefors and Brown teaches the additional
limitations expressly recited in dependent claims 2, 9, 10, 14, 28, and 43. Id.
at 56–62, 64–66. Citing to Dr. Nielson’s testimony, Petitioner also
articulates reasons to combine the teachings of Norefors and Brown. Id. at
57–62, 64–66. For the reasons discussed above, we are persuaded that
Petitioner has demonstrated by a preponderance of the evidence that the
independent claims are anticipated by Norefors.9 We focus below on
Petitioner’s showing as to the additional limitations of the dependent claims.
Brown describes a system and method for authenticating users and
services during an on-line transaction over a network. Ex. 1035, Abstract,
1:6–40. Figure 1 of Brown is reproduced below.
9 A brief overview of Norefors has been provided in our anticipation analysis above.
CBM2016-00063 Patent 8,266,432 B2
61
Figure 1 of Brown illustrates an authentication process involving three
entities: (1) users 12, 14, (2) services 20, 22, and (3) authentication deity 16,
18. Id. at 5:16–21, 6:19–25. The entities communicate with one another via
computer network 10 (e.g., Internet). Id. at 6:26–27.
To provide a secured transmission of a session key between the
entities, Brown describes a technique for encrypting or algorithmically
combining a session key with user-specific information (e.g., the user name
and pass-phrase) using a hash function. Id. at 7:10–35, 9:26–32, 9:42–47,
9:55–56, 18:4–11. In particular, Brown’s authentication deity generates
obscured copies of the session key by combining the session key with the
user-specific information, using an “MD5 hash algorithm” on the
user-specific information and then performing an XOR of the hash with the
session key. Id. Claim 2 recites “combining said generated dynamic code with the
user-specific information using a predetermined algorithm to form a
combined dynamic code and user specific information.” Ex. 1001, 6:48–52
(emphasis added). Claim 28 recites a similar limitation. Id. at 8:12–16. In
this regard, Petitioner explains that the login message of Norefors includes
both an OTP (a dynamic code) and the user name. Pet. 58 (citing Ex. 1032
¶ 57, Fig. 3). As Petitioner notes, Brown describes a technique for
encrypting or algorithmically combining a session key (a dynamic code)
with user-specific information (e.g., the user name and pass-phrase), using
an MD5 hash algorithm to provide additional security. Id. at 58–59 (citing
Ex. 1035, 7:10–35, 9:42–47; 18:4–11). Dr. Nielson testifies that, in view of
CBM2016-00063 Patent 8,266,432 B2
62
both Norefors and Brown sharing the same goal of improving transaction
security over a communication network, an ordinarily skilled artisan would
have had reason to “supplement the login message of Norefors with
additional details from Brown’s authentication message to include a
combined user name and OTP using, for example, an MD5 hash algorithm
on the user specific information (such as username) and then XOR the hash
with the dynamic code (such as the OTP),” to avoid exposure of the login
information in an unsecure manner. Ex. 1003 ¶ 89.
As to the limitation of claim 2 that requires maintaining the combined
information at the central-entity, Dr. Nielson explains that the combined
information would have been stored at the authentication server of Norefors,
as modified by Brown, because Norefors discloses that the user credentials
are stored at the authentication server (a central-entity). Id. ¶ 90 (citing
Ex. 1032 ¶¶ 55, 57, 58, Fig. 3).
Claim 2 also requires comparing the combined information with a
received combined dynamic code and user-specific information to validate
the user. Ex. 1001, 6:55–57. For this limitation, Petitioner notes that
Norefors discloses checking the stored user credentials to verify if they are
valid when an authentication request is sent from the access server to the
authentication server. Pet. 60 (citing Ex. 1032 ¶¶ 55, 57). According to
Dr. Nielson, an ordinarily skilled artisan would have understood in light of
that disclosure that Norefors, as modified by Brown, would check the stored
user credentials by comparing the stored combined information with a
CBM2016-00063 Patent 8,266,432 B2
63
received combined information to verify that the user credentials are correct.
Ex. 1003 ¶ 91.
Claims 9 and 10 depend from claim 2, and further require the
central-entity to use the combined information for authenticating a user’s
identity. Ex. 1001, 7:9–11. As to these claims, Petitioner explains that the
authentication server of Norefors, as modified by Brown, would use the
combined information to authenticate the user’s identity, because Norefors
expressly discloses that the authentication server (a central-entity) checks the
user credentials to verify if they are valid. Pet. 61 (citing Ex. 1003 ¶ 92,
Ex. 1032 ¶¶ 55, 57).
Claim 14, which depends from claim 1, requires the central-entity to
generate the dynamic code with dependence on the user information.
Ex. 1001, 7:23–25. Claim 43 requires a similar limitation. Id. at 8:56–58.
As Petitioner explains, Brown teaches generating the session key (a dynamic
code) with dependence on the user name so that the session key is more
user-specific. Pet. 64–65 (citing Ex. 1035, 9:3–9, 9:12–20). Dr. Nielson
testifies that an ordinarily skilled artisan would have had reason to modify
the authentication server of Norefors to generate the OTP (a dynamic code)
with dependence on the user name, as taught by Brown, providing
incremental authentication options to “Norefors’ already robust disclosure of
generating the OTP without altering any operating principle.” Ex. 1003
¶ 98.
The explanations and supporting evidence provided by Petitioner as to
how each element of claims 2, 9, 10, 14, 28, and 43 is taught by the
CBM2016-00063 Patent 8,266,432 B2
64
combined teachings of Norefors and Brown have merit and are unrebutted
by Patent Owner. Based on the full trial record, we determine that Petitioner
has demonstrated by a preponderance of the evidence that these claims are
unpatentable under § 103(a) as obvious over the combination of Norefors
and Brown.
H. Petitioner’s Motion to Exclude
Petitioner filed a Motion to Exclude Evidence (Paper 32, “Mot.”),
seeking to exclude: (1) Patent Owner’s Exhibit 2008, which includes the
Certification of Correction of the ’432 patent (id. at 2–12); and (2) Exhibit
2010, Section VII, Paragraphs 41–61, a portion of the Declaration of
Dr. Weaver (id. at 12–15). Patent Owner filed an Opposition to Petitioner’s
Motion to Exclude Evidence. Paper 37. Petitioner filed a Reply to Patent
Owner’s Opposition to Petitioner’s Motion to Exclude Evidence. Paper 39.
Under the particular circumstances in this case, we need not assess the
merits of Petitioner’s Motion to Exclude Evidence. As discussed above,
even without excluding Patent Owner’s supporting evidence, we have
determined that Norefors is prior art under 35 U.S.C. § 102(b) as to the
challenged claims, and Petitioner has demonstrated by a preponderance of
the evidence that the challenged claims are unpatentable. Accordingly,
Petitioner’s Motion to Exclude Evidence is dismissed as moot.
I. Motions for Observation
Patent Owner’s observations are directed to the cross-examination
testimony of Petitioner’s declarant, Dr. Nielson, who submitted a declaration
CBM2016-00063 Patent 8,266,432 B2
65
with Petitioner’s Reply (Ex. 1054) and subsequently was cross-examined
after Petitioner filed its Reply (Ex. 2014). We have considered Patent
Owner’s observations (Paper 31) and Petitioner’s responses (Paper 36) in
rendering this Decision, and have accorded the testimony the appropriate
weight as explained above.
Petitioner’s observations (Paper 33), however, have not been
considered. The Office Patent Trial Practice Guide describes the use of
observations on cross-examination as follows:
In the event that cross-examination occurs after a party has filed its last substantive paper on an issue, such cross-examination may result in testimony that should be called to the Board’s attention, but the party does not believe a motion to exclude the testimony is warranted. The Board may authorize the filing of observations to identify such testimony and responses to observations, as defined below.
The party taking the cross-examination files the observations. The opposing party may file a response to an observation. The opposing party may not file observations without express prior authorization.
77 Fed. Reg. 48,756, 48,767–68 (Aug. 14, 2012) (emphasis added). Thus, it
is the party taking the cross-examination that typically files observations,
and the reason for permitting observations is that the cross-examination
takes place after the party has filed its last substantive paper, such that the
party has no way to bring relevant testimony to the Board’s attention. The
rationale for observations does not apply to Petitioner’s observations here, as
Petitioner seeks to file separate observations on the cross-examination
testimony of its own witness. Accordingly, we have not considered
CBM2016-00063 Patent 8,266,432 B2
67
For PETITIONER: W. Karl Renner Thomas Rozylowicz Timothy Riffe FISH & RICHARDSON P.C. [email protected] [email protected] [email protected]
For PATENT OWNER: Jae Youn Kim Harold L. Novick Sang Ho Lee Steven Ashburn NOVICK, KIM & LEE, PLLC [email protected] [email protected] [email protected] [email protected]