Cosmokey Solutions GMBH & Co. v. Duo Security LLC, Federal Circuit 2021 (Software Patents)

Reducing complexity, in an authentication method, provides a technical improvement over conventional authentication methods. Applicant’s specification emphasizes the inventive nature of these steps and describes how authentication complexity is reduced.

CosmoKey’s U.S. Patent No. 9,246,903 was found to be ineligible under 35 U.S.C. 101 by a District Court.

The patent is titled “Authentication Method” and discloses an authentication method that is both low in complexity and high in security.

The patent specification indicates that when a user communicates with a remote transaction partner (e.g., a bank, a store, or a secured database) via the Internet, “it is important to assure that an individual that identifies itself as an authorized user is actually the person it alleges to be.”  The specification also describes several conventional authentication methods involving a user’s mobile phone.

The specification purports to improve on conventional mobile phone authentication methods in that the “authentication function is normally inactive and is activated by the user only preliminarily for the transaction, said response from the second communication channel includes the information that the authentication is active, and the authentication function is automatically deactivated.”  “In this method, the complexity of the authentication function can be reduced significantly” because all that is required “from the authentication function is to permit the authentication device to detect whether or not this function is active” and “the only activity that is required from the user for authentication purposes is to activate the authentication function [within] a suitable timing.” The authentication function is activated within a certain (preferably short) time window after the transmission of the user identification. Since the authentication function is normally inactive, the authentication will almost certainly fail when a third party fraudulently identifies itself as the user in order to initiate a transaction. Then, the authentication would be successful only in the very unlikely event that the true user happens to activate the authentication function of his mobile device just in the right moment. Even in this unlikely case the fraud could be detected. Thus, notwithstanding the low complexity, the method according to the invention offers a high level of security.

Claim 1 is the sole independent claim of the patent and recites:

1. A method of authenticating a user to a transaction at a terminal, comprising the steps of:

  • transmitting a user identification from the terminal to a transaction partner via a first communication channel,
  • providing an authentication step in which an authentication device uses a second communication channel for checking an authentication function that is implemented in a mobile device of the user,
  • as a criterion for deciding whether the authentication to the transaction shall be granted or denied, having the authentication device check whether a predetermined time relation exists between the transmission of the user identification and a response from the second communication channel,
  • ensuring that the authentication function is normally inactive and is activated by the user only preliminarily for the transaction,
  • ensuring that said response from the second communication channel includes information that the authentication function is active, and
  • thereafter ensuring that the authentication function is automatically deactivated.
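The decision logic described in the specification and recited in claim 1 can be simulated in a few lines. This is an added example, not code from the patent, the opinion, or either party; the class names, the 30-second window, the 15-second activation lifetime, and the in-process stand-in for the second channel are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class MobileAuthFunction:
    """Authentication function on the user's phone; inactive unless just armed."""
    ttl: float = 15.0                      # assumed: an unused activation lapses after 15 s
    activated_at: Optional[float] = None   # None = inactive, the normal state

    def activate(self, now: float) -> None:
        self.activated_at = now

    def respond(self, now: float) -> bool:
        """Answer a poll on the second channel with the active flag, then deactivate."""
        active = self.activated_at is not None and now - self.activated_at <= self.ttl
        self.activated_at = None           # automatic deactivation after every response
        return active


class AuthenticationDevice:
    def __init__(self, window: float = 30.0) -> None:
        self.window = window               # assumed "predetermined time relation": 30 s
        self.pending: Dict[str, float] = {}  # user id -> time the identification was sent

    def identification_sent(self, user_id: str, now: float) -> None:
        self.pending[user_id] = now

    def decide(self, user_id: str, phone: MobileAuthFunction,
               now: float) -> Tuple[bool, str]:
        sent_at = self.pending.pop(user_id, None)
        if sent_at is None:
            return False, "no pending identification"
        active = phone.respond(now)        # polling consumes any activation
        if not 0 <= now - sent_at <= self.window:
            return False, "response outside time window"
        if not active:
            return False, "authentication function inactive"
        return True, "granted"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Constructed timelines (seconds); no real clock or network is involved."""
    results = {}

    # The true user sends the identification, arms the phone, and is polled in time.
    dev, phone = AuthenticationDevice(), MobileAuthFunction()
    dev.identification_sent("alice", 0.0)
    phone.activate(5.0)
    results["legitimate"] = dev.decide("alice", phone, 8.0)

    # A second transaction right after the grant: the function already deactivated.
    dev.identification_sent("alice", 9.0)
    results["reuse_after_grant"] = dev.decide("alice", phone, 10.0)

    # Someone else submits the user's identification; the phone was never armed.
    dev, phone = AuthenticationDevice(), MobileAuthFunction()
    dev.identification_sent("alice", 0.0)
    results["no_activation"] = dev.decide("alice", phone, 3.0)

    # The function is active, but the response arrives after the window closed.
    dev, phone = AuthenticationDevice(), MobileAuthFunction()
    dev.identification_sent("alice", 0.0)
    phone.activate(40.0)
    results["late_response"] = dev.decide("alice", phone, 41.0)

    # An old activation has lapsed by the time a transaction is started.
    dev, phone = AuthenticationDevice(), MobileAuthFunction()
    phone.activate(0.0)
    dev.identification_sent("alice", 100.0)
    results["stale_activation"] = dev.decide("alice", phone, 101.0)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18} {outcome}")
```

The phone only ever reports a single active/inactive bit, which is the low complexity the specification emphasizes; the security comes from the window and the automatic deactivation.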

Under Alice step one, the Federal Circuit considered “what the patent asserts to be the `focus of the claimed advance over the prior art.'”  The district court held that the claims “are directed to the abstract idea of authentication —that is, the verification of identity to permit access to transactions.” The Federal Circuit was not convinced that this broad characterization of the focus of the claimed advance is correct. Rather, the claims and written description suggest that the focus of the claimed advance is activation of the authentication function, communication of the activation within a predetermined time, and automatic deactivation of the authentication function, such that the invention provides enhanced security and low complexity with minimal user input. The critical question then is whether this correct characterization of what the claims are directed to is either an abstract idea or a specific improvement in computer verification and authentication techniques.

The Federal Circuit stated that they need not answer this question, however, because even if they accepted the district court’s narrow characterization of the patent claims, the claims satisfy Alice step two.

The patent claims and specification recite a specific improvement to authentication that increases security, prevents unauthorized access by a third party, is easily implemented, and can advantageously be carried out with mobile devices of low complexity. Contrary to the district court’s conclusion, the patent discloses a technical solution to a security problem in networks and computers. While authentication of a user’s identity using two communication channels and a mobile phone was known at the time of the invention, nothing in the specification or anywhere else in the record supports the district court’s suggestion that the last four claim steps—including (1) “as a criterion for deciding whether the authentication to the transaction shall be granted or denied, having the authentication device check whether a predetermined time relation exists between the transmission of the user identification and a response from the second communication channel”; (2) “ensuring that the authentication function is normally inactive and is activated by the user only preliminarily for the transaction”; followed by (3) “ensuring that said response from the second communication channel includes information that the authentication function is active”; and (4) “thereafter ensuring that the authentication function is automatically deactivated,” are conventional.

TecSec v. Adobe, SAP, Cisco, Sybase, Software AG, Oracle, Federal Circuit 2020 (Software Patents)

Multilevel security claims were patent eligible because they were directed to solving a technical problem specific to computer network security. The district court correctly rejected Adobe’s ineligibility challenge.

TecSec owns U.S. Patent Nos. 5,369,702, 5,680,452, 5,717,755, and 5,898,781, the patents involved in this case. The patents are entitled “Distributed Cryptographic Object Method” (“DCOM”) and claim particular systems and methods for multi-level security of various kinds of files being transmitted in a data network. The DCOM patents describe a method in which a digital object—e.g., a document, video, or spreadsheet—is assigned a level of security that corresponds to a certain combination of access controls and encryption. The encrypted object can then be embedded or “nested” within a “container object,” which, if itself encrypted and access-controlled, provides a second layer of security.

U.S. Patent No. 5,369,702

Claim 1 of U.S. Patent No. 5,369,702 is representative of the asserted claims and recites:

A method for providing multi-level multimedia security in a data network, comprising the steps of:

  • A) accessing an object-oriented key manager;
  • B) selecting an object to encrypt;
  • C) selecting a label for the object;
  • D) selecting an encryption algorithm;
  • E) encrypting the object according to the encryption algorithm;
  • F) labelling the encrypted object;
  • G) reading the object label;
  • H) determining access authorization based on the object label; and
  • I) decrypting the object if access authorization is granted.

Alice v CLS Two Step Test

35 U.S.C. § 101 contains an important implicit exception: Laws of nature, natural phenomena, and abstract ideas are not patentable. Alice Corp. Pty. Ltd. v. CLS Bank Int’l. In Alice, the Supreme Court explained that a “claim falls outside § 101 where (1) it is ‘directed to’ a patent-ineligible concept, i.e., a law of nature, natural phenomenon, or abstract idea, and (2), if so, the particular elements of the claim, considered ‘both individually and “as an ordered combination,”’ do not add enough to ‘“transform the nature of the claim” into a patent-eligible application.’”

The Federal Circuit has approached the Step 1 “directed to” inquiry by asking “what the patent asserts to be the ‘focus of the claimed advance over the prior art.’”  And the Federal Circuit has reiterated the Supreme Court’s caution against “overgeneralizing claims” in the § 101 analysis, explaining that characterizing the claims at “a high level of abstraction” that is “untethered from the language of the claims all but ensures that the exceptions to § 101 swallow the rule.” Enfish.

The Federal Circuit stated that, in cases involving software innovations, this inquiry often turns on whether the claims focus on specific asserted improvements in computer capabilities or instead on a process or system that qualifies as an abstract idea for which computers are invoked merely as a tool.  Software can make patent-eligible improvements to computer technology, and related claims are eligible as long as they are directed to non-abstract improvements to the functionality of a computer or network platform itself.

The Federal Circuit stated that they have found claims directed to such eligible matter in a number of cases where they made two inquiries of significance here: whether the focus of the claimed advance is on a solution to “a problem specifically arising in the realm of computer networks” or computers, as in DDR v Hotels.com, and whether the claim is properly characterized as identifying a “specific” improvement in computer capabilities or network functionality, rather than only claiming a desirable result or function, Uniloc v LG Electronics.

Alice Step 1

The Step 1 “directed to” analysis called for by the cases depends on an accurate characterization of what the claims require and of what the patent asserts to be the claimed advance.  Unfortunately, a case can turn out either way depending on whether the Federal Circuit decides to characterize a claim as being directed to an abstract concept.

Adobe argued to the district court that “the claims are directed to the impermissibly abstract idea of managing access to objects using multiple levels of encryption.” But that characterization of the representative claims is materially inaccurate. To arrive at it, Adobe had to disregard elements of the claims at issue that the specification makes clear are important parts of the claimed advance in the combination of elements.  According to the Federal Circuit, the claim goes beyond managing access to objects using multiple levels of encryption, as required by “multi-level . . . security.” Notably, it expressly requires, as well, accessing an “object-oriented key manager” and specified uses of a “label” as well as encryption for the access management.  To disregard those express claim elements is to proceed at “a high level of abstraction” that is “untethered from the claim language” and that overgeneralizes the claim.

According to the Federal Circuit, the specification elaborates in a way that simultaneously shows that the claims at issue are directed at solving a problem specific to computer data networks. The patent focuses on allowing for the simultaneous transmission of secure information to a large group of recipients connected to a decentralized network—an important feature of data networks—but without uniform access to all data by all recipients. The proposed improvement involves, among other things, labeling together with encryption. Using a secure labelling regimen, a network manager or user can be assured that only those messages meant for a certain person, group of persons, and/or location(s) are in fact received, decrypted, and read by the intended receiver.

Thus, the specification, as well as the claims, were used in determining whether the claims are directed to an impermissibly abstract idea.

This kind of analysis arguably should have been performed in Alice Step 2, where the courts are supposed to determine if there is something substantially more than the abstract idea.

Multi Level Security Isn’t Always Abstract

The Federal Circuit went on to state that while non-computer settings may have security issues addressed by multilevel security, it does not follow that all patents relating to multilevel security are necessarily ineligible for patenting. Here, although the patent involves multilevel security, that does not negate the conclusion that the patent is aimed at solving a particular problem of multicasting computer networks.

By way of comparison, in Uniloc v LG Electronics, the Federal Circuit held the claims at issue to be directed to solving a problem of reducing communication time by using otherwise-unused space in a particular protocol-based system, even though reducing communication time by using such available blank space (or, generally, reducing resource use by using otherwise-unused available resources) is a goal in many settings.

Adobe came up with a new definition of what it considered to be the abstract idea.  When Adobe discussed its formulation of the asserted abstract idea, it did not meaningfully address the combination. Rather, it asserted the “common-place” character of the individual component techniques generally. But that approach is insufficient where, as is true here for the reasons we have explained, it is the combination of techniques that is “what the patent asserts to be the focus of the claimed advance over the prior art.”

The Federal Circuit concluded that the district court correctly rejected Adobe’s ineligibility challenge.

Thus, novelty comes into play.  Contrary to what is considered to be proper practice, it may be worthwhile to have some discussion, in a patent application, of what combination of techniques may be novel, and how that improves problems in a system.

 

American Axle & Manufacturing Inc. v. Neapco Holdings, Federal Circuit 2019 (Laws of Nature)

Even patent applications covering mechanical inventions can be invalidated using the same Alice Corp. v CLS case law used to invalidate software patents.

American Axle & Manufacturing, Inc. sued Neapco alleging infringement of U.S. Patent No. 7,774,911.

The patent generally relates to a method for manufacturing driveline propeller shafts with liners that are designed to attenuate vibrations transmitted through a shaft assembly.

Bending mode vibration is a phenomenon wherein energy is transmitted longitudinally along the shaft and causes the shaft to bend at one or more locations. Torsion mode vibration is a phenomenon wherein energy is transmitted tangentially through the shaft and causes the shaft to twist. Shell mode vibration is a phenomenon wherein a standing wave is transmitted circumferentially about the shaft and causes the cross-section of the shaft to deflect or bend along one or more axes. These vibration modes correspond to different frequencies.

Claims 1 and 22 are representative and recite:

1. A method for manufacturing a shaft assembly of a driveline system, the driveline system further including a first driveline component and a second driveline component, the shaft assembly being adapted to transmit torque between the first driveline component and the second driveline component, the method comprising:

  • providing a hollow shaft member;
  • tuning at least one liner to attenuate at least two types of vibration transmitted through the shaft member; and
  • positioning the at least one liner within the shaft member such that the at least one liner is configured to damp shell mode vibrations in the shaft member by an amount that is greater than or equal to about 2%, and the at least one liner is also configured to damp bending mode vibrations in the shaft member, the at least one liner being tuned to within about ±20% of a bending mode natural frequency of the shaft assembly as installed in the driveline system.

22. A method for manufacturing a shaft assembly of a driveline system, the driveline system further including a first driveline component and a second driveline component, the shaft assembly being adapted to transmit torque between the first driveline component and the second driveline component, the method comprising:

  • providing a hollow shaft member;
  • tuning a mass and a stiffness of at least one liner, and
  • inserting the at least one liner into the shaft member;
  • wherein the at least one liner is a tuned resistive absorber for attenuating shell mode vibrations and wherein the at least one liner is a tuned reactive absorber for attenuating bending mode vibrations.

The district court construed the term tuning to mean “controlling the mass and stiffness of at least one liner to configure the liner to match the relevant frequency or frequencies.”  Neither party contested this construction.

According to the patent’s specification, prior art liners, weights, and dampers that were designed to individually attenuate each of the three propshaft vibration modes—bending, shell, and torsion—already existed. But these prior art damping methods were assertedly not suitable for attenuating two vibration modes simultaneously.

The district court concluded that the Asserted Claims as a whole are directed to laws of nature: Hooke’s law and friction damping.

The Federal Circuit’s analysis of 35 U.S.C. § 101 follows the Supreme Court’s two-step test established in Mayo and Alice Corp. Pty. Ltd. v. CLS Bank International, 573 U.S. 208 (2014). At step one of the Mayo/Alice test, the court asks whether the claims are directed to a law of nature, natural phenomenon, or abstract idea. Alice, 573 U.S. at 217 (citing Mayo, 566 U.S. at 77). If the claims are so directed, the Federal Circuit then asks whether the claims embody some “inventive concept”—i.e., whether the claims contain “an element or combination of elements that is ‘sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the ineligible concept itself.’”

AAM agreed that the selection of frequencies for the liners to damp the vibrations of the propshaft at least in part involves an application of Hooke’s law. Hooke’s law is a natural law that mathematically relates the mass and/or stiffness of an object to the frequency with which that object oscillates (vibrates). Here, both parties’ witnesses agreed that Hooke’s law undergirds the design of a liner so that it exhibits a desired damping frequency pursuant to the claimed invention. Neapco’s expert, Dr. Becker, stated that the tuning limitations claim “nothing more than Hooke’s law . . . [and/or] the law of nature / natural phenomenon for friction damping.”

AAM argued that the claims are not merely directed to Hooke’s law. AAM pointed to testimony suggesting that tuning a liner such that it attenuates two different vibration modes is a process that involves more than simple application of Hooke’s law.

The problem with AAM’s argument was that the solution to these desired results is not claimed in the patent. The Federal Circuit has repeatedly held that features that are not claimed are irrelevant as to step 1 or step 2 of the Mayo/Alice analysis.

This distinction between results and means is fundamental to the step 1 eligibility analysis, including in law-of-nature cases, not just abstract-idea cases.

The Federal Circuit stated that as to Mayo/Alice step 2, nothing in the claims qualifies as an “inventive concept” to transform the claims into patent eligible matter.

The Federal Circuit concluded that Claims 1 and 22 are not patent eligible.

As a patent drafting tip, claims of both software patents and mechanical patents should be drafted so as to include detail of how a problem is solved.  Claims should not just be directed to laws of nature, but as to how the solution is achieved.  In a software patent application, describe and claim some details of what’s under the hood (the algorithm) in a claim, not just the result.  Inventors:  give your patent attorney lots of details including flowcharts, in addition to screen shots. There is a common misconception that providing details in the specification means that the resulting patent will be too narrow. That is not true. The protection provided by a patent is determined by the claims, not the specification. A detailed specification does not necessarily mean narrow claims–instead, details in the specification provide the possibility of saving a patent application that is rejected as being patent-ineligible under Alice. Provide access to your programmers and require that the programmers cooperate with the patent attorney.

 

Finjan, Inc. v. Blue Coat Systems, Inc., Federal Circuit 2018 (Software Patents)

Finjan brought suit against Blue Coat for infringement of software patents directed to identifying and protecting against malware.  One of the software patents is directed to a method of providing computer security by scanning a downloadable and attaching the results of that scan to the downloadable itself in the form of a “security profile.”

Claim 1 of the patent reads:

1. A method comprising:

  • receiving by an inspector a Downloadable;
  • generating by the inspector a first Downloadable security profile that identifies suspicious code in the received Downloadable; and
  • linking by the inspector the first Downloadable security profile to the Downloadable before a web server makes the Downloadable available to web clients.

The parties agreed that “Downloadable” should be construed to mean “an executable application program, which is downloaded from a source computer and run on the destination computer.” Additionally, the district court construed “Downloadable security profile that identifies suspicious code in the received Downloadable” to mean “a profile that identifies code in the received Downloadable that performs hostile or potentially hostile operations.”

The Federal Circuit noted that they had previously determined in Intellectual Ventures I LLC v. Symantec Corp. that, by itself, virus screening is well-known and constitutes an abstract idea. They also found that performing the virus scan on an intermediary computer—so as to ensure that files are scanned before they can reach a user’s computer—is a “perfectly conventional” approach and is also abstract.  However, they felt that, here, the claimed method does a good deal more.

The method of claim 1 scans a downloadable and attaches the virus scan results to the downloadable in the form of a newly generated file:  a “security profile that identifies suspicious code in the received Downloadable.”

The district court’s claim construction decision emphasized that this “identify suspicious code” limitation can only be satisfied if the security profile includes “details about the suspicious code in the received downloadable, such as . . . ‘all potentially hostile or suspicious code operations that may be attempted by the Downloadable.’”  The security profile must include the information about potentially hostile operations produced by a “behavior-based” virus scan. This operation is distinguished from traditional, “code-matching” virus scans that are limited to recognizing the presence of previously-identified viruses, typically by comparing the code in a downloadable to a database of known suspicious code. The question, then, is whether this behavior-based virus scan constitutes an improvement in computer functionality. The Federal Circuit believes that it does.

The “behavior-based” approach to virus scanning was pioneered by Finjan and is disclosed in the software patent’s specification.  Traditional “code-matching” systems simply look for the presence of known viruses.

“Behavior-based” scans can analyze a downloadable’s code and determine whether it performs potentially dangerous or unwanted operations—such as renaming or deleting files. Because security profiles communicate the granular information about potentially suspicious code made available by behavior-based scans, they can be used to protect against previously unknown viruses as well as “obfuscated code”—known viruses that have been cosmetically modified to avoid detection by code-matching virus scans.

The security profile approach also enables more flexible and nuanced virus filtering. After an inspector generates a security profile for a downloadable, a user’s computer can determine whether to access that downloadable by reviewing its security profile according to the rules in whatever “security policy” is associated with the user. Administrators can easily tailor access by applying different security policies to different users or types of users. And having the security profile include information about particular potential threats enables administrators to craft security policies with highly granular rules and to alter those security policies in response to evolving threats.
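The contrast between code-matching and a linked, behavior-based security profile checked against per-user policies can be shown with a toy inspector. This is an added example, not code from the patent, the opinion, or any Finjan or Blue Coat product; the operation names, the call-to-operation table, the policy classes, the hash binding between profile and file, and the sample sources (constructed, parsed only, never executed) are all assumptions.

```python
import ast
import hashlib

# Assumed mapping from library calls to the operation names a profile records.
SUSPICIOUS_CALLS = {
    ("os", "remove"): "file.delete",
    ("os", "rename"): "file.rename",
    ("socket", "create_connection"): "net.connect",
}

# Constructed samples: SAMPLE_B is SAMPLE_A with cosmetic changes only.
SAMPLE_A = (
    "import os\n"
    "def cleanup(path):\n"
    "    os.rename(path, path + '.bak')\n"
    "    os.remove(path + '.bak')\n"
)
SAMPLE_B = (
    "import os as o  # renamed identifiers, same operations\n"
    "def tidy(p):\n"
    "    tmp = p + '.bak'\n"
    "    o.rename(p, tmp)\n"
    "    o.remove(tmp)\n"
)
SAMPLE_C = "print('hello')\n"

KNOWN_BAD = {hashlib.sha256(SAMPLE_A.encode()).hexdigest()}  # code-matching database

# Per-user-class policies: the operations each class refuses (assumed classes).
POLICIES = {
    "kiosk": {"file.delete", "file.rename", "net.connect"},
    "developer": {"net.connect"},
}


def code_matching_flags(source: str) -> bool:
    """Traditional scan: flags only byte-identical copies of known samples."""
    return hashlib.sha256(source.encode()).hexdigest() in KNOWN_BAD


def inspect_downloadable(source: str) -> dict:
    """Inspector: profile the operations the code may attempt, without running it."""
    tree = ast.parse(source)
    aliases = {}  # local name -> imported module, so "import os as o" is resolved
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for item in node.names:
                aliases[item.asname or item.name] = item.name
    operations = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)):
            module = aliases.get(node.func.value.id)
            op = SUSPICIOUS_CALLS.get((module, node.func.attr))
            if op:
                operations.add(op)
    return {"sha256": hashlib.sha256(source.encode()).hexdigest(),
            "operations": sorted(operations)}


def link_profile(source: str) -> dict:
    """Attach the profile to the downloadable before it is made available."""
    return {"downloadable": source, "profile": inspect_downloadable(source)}


def client_allows(package: dict, user_class: str) -> bool:
    """Client side: apply the user's policy to the linked profile."""
    profile = package["profile"]
    digest = hashlib.sha256(package["downloadable"].encode()).hexdigest()
    if digest != profile["sha256"]:
        return False  # profile was generated for different code: fail closed
    return not (set(profile["operations"]) & POLICIES[user_class])


if __name__ == "__main__":
    print("code-matching flags B:", code_matching_flags(SAMPLE_B))
    print("profile of B:", inspect_downloadable(SAMPLE_B)["operations"])
    for cls in POLICIES:
        print(cls, "may run B:", client_allows(link_profile(SAMPLE_B), cls))
```

The modified sample slips past the hash database but yields the same profile as the original, and the same profile produces different decisions under different policies.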

The Federal Circuit’s cases confirm that software inventions can make “non-abstract improvements to computer technology” and be deemed patent-eligible subject matter at step 1 of the Alice software patent inquiry. In Enfish, for example, the Federal Circuit determined that claims related to a database architecture that used a new, self-referential logical table were non-abstract because they focused on “an improvement to computer functionality itself, not on economic or other tasks for which a computer is used in its ordinary capacity.”

The self referential database found patent eligible in Enfish did more than allow computers to perform familiar tasks with greater speed and efficiency; it actually permitted users to launch and construct databases in a new way. While deployment of a traditional relational database involved extensive modeling and configuration of the various database, Enfish’s self-referential database could be launched with no or only minimal column definitions and configured and adapted “on-the-fly.”

Similarly, according to the Federal Circuit, the software patent method of claim 1 employs a new kind of file that enables a computer security system to do things it could not do before. The security profile approach allows access to be tailored for different users and ensures that threats are identified before a file reaches a user’s computer. The fact that the security profile identifies suspicious code allows the system to accumulate and utilize newly available, behavior-based information about potential threats. According to the Federal Circuit, the asserted claims are therefore directed to a non-abstract improvement in computer functionality, rather than the abstract idea of computer security at large.

Patent eligibility determinations seem to vary greatly based on the judges on the Federal Circuit panel hearing the case.  In this case, the novelty of the method seemed to influence the patent-eligibility determination.  If novelty is a main consideration, why even bother with the Alice 35 U.S.C. 101 analysis when reviewing software patents?  While the claim was short, many claim terms were construed as requiring very specific steps.  That may have helped with the patent-eligibility determination.

Smart Systems Innovations v. Chicago Transit Authority, Federal Circuit 2017 (Software Patents)

The software patents in this case relate to inventions designed to allow riders to access mass transit by using existing bankcards, such as debit and credit cards, without the need for first buying dedicated fare-cards, paper tickets, or tokens.  The District Court had held that the patent claims are directed to an abstract idea and otherwise lack an inventive concept, such that they are patent ineligible under 35 U.S.C. § 101. On appeal, the Federal Circuit noted that they needed to use the framework set forth in the Supreme Court’s decision in Alice Corp. Pty Ltd. v. CLS Bank International. A patent claim falls outside § 101 where (1) it is “directed to” a patent-ineligible concept, i.e., a law of nature, natural phenomenon, or abstract idea, and (2) if so, the particular elements of the claim, considered “both individually and ‘as an ordered combination,’” do not add enough to “‘transform the nature of the claim’ into a patent-eligible application.”

Claim 14 of one of the software patents recites:

A method for validating entry into a first transit system using a bankcard terminal, the method comprising:

  • downloading, from a processing system associated with a set of transit systems including the first transit system, a set of bankcard records comprising, for each bankcard record in the set, an identifier of a bankcard previously registered with the processing system, and wherein the set of bankcard records identifies bankcards from a plurality of issuers;
  • receiving, from a bankcard reader, bankcard data comprising data from a bankcard currently presented by a holder of the bankcard, wherein the bankcard comprises one of a credit card and a debit card;
  • determining an identifier based on at least part of the bankcard data from the currently presented bankcard;
  • determining whether the currently presented bankcard is contained in the set of bankcard records;
  • verifying the currently presented bankcard with a bankcard verification system, if the bankcard was not contained in the set of bankcard records; and
  • denying access, if the act of verifying the currently presented bankcard with the bankcard verification system results in a determination of an invalid bankcard.

The district court had taken the position that the software patents here really only cover an abstract concept: paying for a subway or bus ride with a credit card.  On appeal, SSI argued that some of the patents disclose inventions that “operate in the tangible world” and satisfy a public demand for more convenient travel that did not exist in the prior art.  SSI also argued that other ones of the patents similarly do not concern an abstract idea because their claims “overcome challenges created by the storage limitations that exist with conventional tangible bankcards.”

The Federal Circuit stated that the claims are directed to the formation of financial transactions in a particular field (i.e., mass transit) and data collection related to such transactions. The claims of the software patents are not directed to a new type of bankcard, turnstile, or database, nor do the claims provide a method for processing data that improves existing technological processes. Rather, the claims are directed to the collection, storage, and recognition of data. SSI also argued that the asserted claims are not directed to an abstract idea because they apply to a concrete field; namely mass transit.

The Federal Circuit concluded that the software patent’s claims are not directed to a combined order of specific rules that improve any technological process, but rather invoke computers in the collection and arrangement of data. Claims with such character do not escape the abstract idea exception under Alice step one according to the Federal Circuit.

With regard to Alice step two, the Federal Circuit stated that the asserted claims fail to provide an inventive concept.  When claims like the asserted software patent claims are directed to an abstract idea and “merely require generic computer implementation, they do not move into section 101 eligibility territory.”

Thus, the software patent claims were held to not be patent-eligible.

More interesting than the majority opinion in this case was the well-reasoned dissent.

According to Judge Linn, the language of Section 101 is well-recognized as providing a wide and permissive scope for patent eligibility.  He cited to the Supreme Court decision in Bilski v. Kappos, (quoting the Supreme Court’s decision in Diamond v. Chakrabarty) (“In choosing such expansive terms . . . modified by the comprehensive ‘any,’ Congress plainly contemplated that the patent laws would be given wide scope.”). Within this expansive provision, the Supreme Court has recognized “an important implicit exception: Laws of nature, natural phenomena, and abstract ideas are not patentable.”

These three “exceptions” share a common origin and address what the Supreme Court saw and has often reiterated as a related set of common concerns. “A principle, in the abstract, is a fundamental truth; an original cause; a motive; these cannot be patented, as no one can claim in either of them an exclusive right.”

According to the dissent, there is no principled difference between the judicially recognized exception relating to “abstract ideas” and those relating to laws of nature and natural phenomena. All three nonstatutory exceptions are intended to foreclose only those claims that preempt and thereby preclude or inhibit human ingenuity with regard to basic building blocks of scientific or technological activity. They are intended to be read narrowly.  At some level, all inventions, including software inventions, embody, use, reflect, rest upon, or apply laws of nature, natural phenomena, or abstract ideas.