IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

In re Patent of: Asghari-Kamrani, et al.
U.S. Patent No.: 8,266,432
Attorney Docket No.: 36137-0007CP1
Issue Date: September 11, 2012
Appl. Serial No.: 12/210,926
Filing Date: September 15, 2008
Title: CENTRALIZED IDENTIFICATION AND AUTHENTICATION SYSTEM AND METHOD

DECLARATION OF SETH NIELSON

I. Personal Work Experience and Awards

My name is Seth Nielson, Adjunct Associate Research Scientist at The Johns Hopkins University. I am also currently the Founder and Chief Scientist of Crimson Vista, Inc., an independent consulting firm. In addition to the below summary, a copy of my current curriculum vitae more fully setting forth my experience and qualifications is submitted herewith as Appendix A.

I have more than 15 years of dual industrial and academic experience in Computer Science. I received a B.S. in Computer Science in 2000 and my M.S. in Computer Science in 2004, both from Brigham Young University in Provo, UT. I received my Ph.D. in Computer Science in 2009 from Rice University in Houston, TX. My doctoral dissertation concerned “Designing Incentives for Peer-to-Peer Systems.” I am the recipient of the Brown Fellowship and a Graduate Fellowship from the Rice University Computer Science Department. I was also a John and Eileen Tietze Fellow.

Page 1 of 59

USAA-1003

During my final undergraduate semester, I worked both as a teaching assistant for the Computer Networking course and as a researcher in the Networked Computing Lab. In these capacities, I assisted students in debugging and designing their TCP/IP protocol stacks, ARP protocol implementations, and RPC projects. I also collaborated in investigating statistical traffic engineering for bandwidth allocation which culminated in a published paper entitled, “Effective Bandwidth for Traffic Engineering.”

Effective bandwidth relates to the concept of bandwidth reservation for quality of service guarantees. On data connections designed to carry large quantities of data for many users, some users may pay extra to guarantee a certain quality of service. Nevertheless, given enough users, at any given time some percentage of users with guarantees will not be utilizing their full capacity. Effective bandwidth is a statistical model that dictates how many users can be guaranteed service under these conditions.

During my graduate work I have also published additional papers related to networking and computer security. In 2005, I published a paper entitled, “A Taxonomy of Rational Attacks.” This paper categorized and described the various types of attacks that one might see in a decentralized, peer-to-peer (p2p) network. When there is no centralized authority, users have to cooperate to obtain service. The term “rational attacks” refers to the economic incentives to not cooperate while still exploiting the system for service.

My thesis, “Designing Incentives for Peer-to-Peer Systems” built on this concept. Given a network where participants cannot be forced to cooperate, the operation of said network must induce cooperation by design of the outcomes. In other words, it must be in each participant’s best interest to contribute to the cooperative operation. Experiments included simulated extensions to the BitTorrent peer-to-peer protocol for long-term identities and mechanisms for cooperative anonymity. I constructed my own simulator of the BitTorrent protocol, and simulated thousands of hours of operations. For further accuracy and realism, I cooperated with researchers at other universities that provided me with real data traces of BitTorrent users that used long term identifiers such as a login name.

From 2001 through 2003, I worked as a software engineer at Metrowerks (formerly Lineo, Inc.). There I gained substantial experience in software architecture, computer networking, and technical project management. In particular, I developed and maintained the GUI for the Embedix SDK, ported the Linx GUI of the Embedix SDK to Windows, created an automated system to forward Linux python scripts to a Windows GUI, and developed a packaging and automated updating system for client software.

During the 2004 fall semester of my Ph.D. program at Rice University, I identified a security vulnerability in the Google Desktop Search that could have allowed hackers to compromise users’ computers and obtain private information. After contacting Google and assisting them in closing the vulnerability, we published the details of our investigation.

Later, in 2005, I completed an internship at Google, where I designed and implemented a solution to privacy loss in Google Web Accelerator. The Google Web Accelerator was designed to increase the speed of browsing the Internet. Once installed on a user’s computer, the browser would request all content through a Google Proxy. The proxy performed pre-fetching and extensive caching in order to provide fast and responsive service to the user. At the time of my internship, news reports had identified odd problems in which users of the Accelerator were accessing other individual’s private pages. During my internship, I designed and implemented a prototype solution for this issue.

From 2005 through 2011, I worked as a Security Analyst and later a Senior Security Analyst for Independent Security Evaluators. There, I developed a parallel-processing based security tool, developed a FIPS-certified encryption library, developed hardware-accelerated encryption algorithms, developed encrypted file-system prototypes, developed an encryption library for an ISE client, performed port-scanning analyses, evaluated security protocols using formal methods and hand analysis, and evaluated security failures. I also designed and managed the implementation of a secure communication technology that splits trust between multiple SSL Certificate Authorities (CA), so that if one CA is compromised, the communication stream can still be safely authenticated. My work on the secure communications technology project led to the issuance of multiple patents including U.S. 8,745,372 entitled “Systems and Methods for Securing Data in Motion.”

In 2011, I began work as a Research Scientist at Harbor Labs and later was promoted to the position of Principal. I served a wide range of clients providing them with specialized consulting in network security, network communications, software architecture, and programming languages. I have analyzed an extensive collection of commercial software, including software related to secure email, cloud-based multimedia delivery, document signing, anti-virus and anti-intrusion, high-performance routing, networking protocol stacks in mobile devices, PBX telecommunications software, VoIP, and peer-to-peer communications. I have also analyzed security considerations for potential technology acquisitions, re-created heuristic signatures for 1995-era viruses, and re-created a 1995-era network for testing virus scanners of that time period in gateway virus scanning. I, and teams under my direction, also review technologies for compliance with various standards such as HIPAA and also for security vulnerabilities.

In particular, I have reviewed and analyzed the design and implementation of multiple security-related gateway products. This includes industrial-grade firewalls that employ anti-virus and anti-malware engines for processing network traffic. I have also reviewed other gateway products that provide secure storage to cloud devices.

I have also assessed the security and privacy technologies and policies provided by a third-party vendor to the Center for Copyright Infringement (CCI). CCI represents content owners, such as the RIAA and the MPAA, in finding and reducing piracy online. Because this process necessarily involves collecting information about private individuals, I was asked to investigate and determine that the information collected from online computing devices was adequately safeguarded and protected.

One of my final assignments with Harbor Labs was leading an engagement with a large biomedical device firm in a one-year analysis of the security of their products. In particular, medical devices were for some time not considered significant threats in terms of computer security. However, recent demonstrations by security researchers of the various ways in which a malicious individual might harm a person hooked up to a medical device has shifted the thinking in the industry. Accordingly, I assisted this company in the analysis of their products, their process, and their future roadmap in order to ensure that patients are not harmed. These evaluations, under my direction, analyzed design documents, hardware, and a broad range of additional resources in order to expose as many potential problems as possible for remediation. The security of these systems depends, in part, on the architecture and deployment of the networks in which they operate.

I have now formed my own consulting company, Crimson Vista, Inc. I am already serving a wide range of clients in similar capacities, providing specialized research and analysis on topics of computer security, networking, and programming languages.

In 2014 I received an appointment as a Lecturer at Johns Hopkins University and in 2015 I advanced to an Adjunct Associate Research Scientist. My responsibilities at Johns Hopkins include teaching classes, mentoring students, and conducting research. More specifically, I currently teach the Network Security course for which I created the curriculum from scratch. As part of this curriculum, I designed a novel experimentation framework for allowing students to both build and attack security protocols. The course covered topics ranging from cryptography and access controls to network architecture and user psychology.

One of the components of the students’ lab work is to create a protected sandbox for running untrusted code. The sandbox must provide access to the system in a manner that cannot be exploited. Conversely, the other half of their assignment is to design exploitative code that attempts to bypass and/or neutralize the protections of the sandbox environment. This experimental framework enables the students to learn about creating, identifying, and neutralizing malware such as viruses.

In addition to my course instruction, I also mentor Masters students at Johns Hopkins in their capstone projects. These projects include networking security and privacy concerns across a wide range of technologies including iOS security, BitCoin, SSL vulnerabilities, and Twitter botnets. These are all contemporary issues in practical computer security.

One group of students and I investigated the known Heartbleed vulnerability in certain versions of OpenSSL. Under my direction, the students created a vulnerable server to test. Once they were able to re-create the known vulnerability, they explored other ways of testing and finding vulnerabilities of the same sort using, for example, fuzzing.

Another student performed an analysis on “bots” in social media such as Twitter. Twitter relies on advertising to make money as the individual users are not charged for their accounts. This advertising process is based, in part, on identifying “influential” individuals (i.e., individuals with a large number of friends). Unfortunately, “bots” are computer programs that can act like a real person on social media sites. Individuals will sell buyers an arbitrary number of “friends” that are, in fact, just bots. My student and I created an approach for mapping out these so-called “botnets” in a novel way that may be useful in deterring such botnets. We are currently working on a draft of this research to be submitted for publication.

I first served as an expert witness at the request of RMail in 2012. Since that time, I have been hired by numerous law firms to provide them and their clients with expert consultation and expert testimony, often in the areas of patent infringement litigation related to Computer Science.

Based on my above-described 15 years of education, and dual industrial and academic experience in Computer Science, I have specialized knowledge in the field of computer security, network security, network communications, cryptography, and software architecture. I believe that I am considered to be an expert in the field of computer science generally, and more specifically in the fields of IT security and authentication.

II. Materials Considered

In writing this Declaration, I have considered the following: my own knowledge and experience, including my work experience in the fields of computer science and IT security and authentication; my industry experience with those subjects; and my experience in working with others involved in those fields. I have also analyzed the following publications and materials, in addition to other materials I cite in my declaration:

• U.S. Patent No. 8,266,432 and its accompanying prosecution history (“the ‘432 Patent”, Ex. 1001, 1002)
• U.S. Patent No. 7,356,837 (“the ‘837 Patent” or “‘837”, Ex. 1005)
• U.S. Patent No. 7,444,676 (“the ‘676 Patent” or “’676”, Ex. 1015)
• U.S. Patent Application Publication 2006/0094403 to Norefors et al. (“Norefors”)
• Radius, IEEE RFC (Request for Comments) 2865 (incorporated by US 2006/0094403 A1 to Norefors)
• U.S. Patent Application Publication No.: US 20030080183 to Rajasekaran et al (“Rajasekaran”)
• U.S. Patent No. 5,740,361 to Brown (“Brown”)
• Patent Owner Preliminary Response United Services Automobile Association v. NADER ASGHARI-KAMRANI and KAMRAN ASGHARI-KAMRANI, IPR2015-01842, Paper 7

Although for the sake of brevity this Declaration refers to selected portions of the cited references, it should be understood that one of ordinary skill in the art would view the references cited herein in their entirety, and in combination with other references cited herein or cited within the references themselves. The references used in this Declaration, therefore, should be viewed as being incorporated herein in their entirety.

I am not currently and have not at any time in the past been an employee of United Services Automobile Association, Inc. (“USAA”). I have been engaged in the present matter to provide my independent analysis of the issues raised in the petition for post-grant review of the ‘432 patent. I received no compensation for this declaration beyond my normal hourly compensation based on my time actually spent studying the matter, and I will not receive any added compensation based on the outcome of this post-grant review of the ‘432 patent.

III. Person of Ordinary Skill in the Art

I am familiar with the content of the ‘432 patent, and I have reviewed the other references cited above in this declaration. Counsel has informed me that I should consider these materials through the lens of one of ordinary skill in the art related to the ‘432 patent at the time of the invention. I believe that a person having ordinary skill in the art at the effective filing date of the ‘432 Patent (“PHOSITA”) would have had a Bachelor of Science Degree in Electrical Engineering, Computer Engineering, or Computer Science with related work experience. Individuals with additional education or additional industry experience could still be of ordinary skill in the art if that additional aspect compensates for a deficit in one of the other aspects of the requirements stated above. I base my evaluation of a person of ordinary skill in this art on my own personal experience, including my knowledge of students, colleagues, and related professionals at the time of interest.

IV. Overview of the ‘432 Patent

The ‘432 Patent claims and describes systems and methods relating to financial activity; specifically for centralized processing of user financial information for electronic purchases. See ‘432 Patent at Abstract, 2:51-3:6, claims 1, 25, 48, and 52. In the words of the Patent Owner, the claims of the ‘432 Patent are directed to “a Central-Entity for centralized identification and authentication of users and their transactions to increase security and e-commerce.” See ‘432 at 2:51-3:6. In more detail, the subject matter of the claims is not tied, for example, to a specific machine, and fail to transform an article into a different state or thing. Id. The independent claims of the ‘432 Patent do recite computer-related terms such as “electronic transaction,” “computer,” “digital identity,” and “dynamic code,” but these are generic computer terms referring to concepts that were well understood by the effective filing date of the ‘432 Patent. Indeed, as described in more detail below, in my opinion, the claims of the ’432 Patent altogether fail to recite a novel and unobvious technological feature, just as they fail to recite a technical problem solved by a technical solution.

The specification of the ‘432 Patent confirms that the computer-related terms cited in the ‘432 Patent’s claims do in fact relate to technology that is merely, in the words of the Patent Owner, “standard.” See, e.g., ‘432 at 5:5-10 (describing that “the user 10 attempts to access a restricted web site or attempts to buy services or products 110, as illustrated in FIG. 4, through a standard interface provided by the External-Entity 20, similar to what exists today and selects digital identity as his identification and authorization or payment option”) (emphasis added), 4:67-5:4 (“The user 10 registers at the Central-Entity 30, 100, 104 and receives his account and login information such as UserName and Password 108. User 10 can access his account at any time by accessing the Central-Entity’s system using a communication network 50 and logging into the system.”). Consequently, the claims of the ‘432 Patent are not transformed into a technological invention by mere recitation of generic computer-related terms.

The ’432 Patent fails even to recite a technical problem, and instead addresses the non-technical tasks of allowing users “to participate in e-commerce without worrying about [] privacy and security” and “be[ing] simple for businesses to adopt and also doesn’t require the financial institutions to change their existing systems.” ‘432 at 1:60-2:4. To “keep merchants, service providers, Internet sites and financial institutions satisfied by positively identifying and authenticating the users,” ‘432 at 3:47-49, the specification touts the use of “digital identity” as “a combination of [the] user’s ‘SecureCode’ and user’s information.” ‘432, 2:35-44. According to the specification, “The SecureCode is preferably implemented through the use of an indicator [which] has two states: ‘on’ for valid and ‘off’ for invalid.” ‘432, 5:62-64. This purported solution is trivial. Indeed, the solution proposed in the ‘432 Patent to this non-technical problem is nothing more than application of well-known art to achieve a normal, expected, and predictable result: the use of user-provided personal and financial information to a financial institution for user identification and authentication. See e.g., ‘432 at Abstract, 1:61-2:4.

Insofar as claim 1 recites “A method for authenticating a user during an electronic transaction between the user and an external-entity” that includes “generating by the central-entity during the transaction a dynamic code for the user in response to the request,” ‘432:6:24-34, these various steps can be performed by a non-computer entity. Tellingly, the specification defines the “User” as “both a typical person consuming goods and services as well as a business consuming goods and services;” the “Central-Entity” as “any party that has user’s personal and/or financial information, UserName, Password and generates dynamic, non-predictable and time dependable SecureCode for the user [such as] banks, credit card issuing companies or any intermediary service companies;” and the “External-Entity” as “any party offering goods or services that users utilize by directly providing their UserName and SecureCode as digital identity [such as] a merchant, service provider or an online site.” ‘432 at 2:10-26. The specification amplifies that the solution can be performed by a person and not a computer, thereby establishing that the claims are not directed to a technical solution. A person having ordinary skill in the art at the time that the ‘432 Patent was filed would not have considered the methods described and claimed by the ‘432 Patent to be technical.

This subject matter was, at the effective filing date of the ‘432 Patent, already well known in the prior art. Indeed the references throughout this declaration provide robust descriptions of the very subject matter that the ‘432 Patent claims.

V. Claim Construction [1]

I understand that, for the purposes of my analysis in this matter, the claims of the ‘432 Patent must be given their broadest reasonable interpretation (BRI) consistent with the specification. Stated another way, it is contemplated that the claims are understood to have their broadest reasonable interpretation in view of the specification to one having ordinary skill in the art at the time of the invention, without importing limitations into the claims from the specification. I have followed these principles in my analysis. In a few instances, I have discussed my understanding of the claims in the relevant paragraphs below. I note, however, that I have been informed that the interpretation of claims used in the context of a Patent Office proceeding, such as this one, is governed by different legal rules than those used in the context of District Court litigation. As such, if I am ever asked to consider the interpretation of the claims of the ‘432 Patent in a District Court litigation context, my opinions under those different rules of interpretation very well may differ.

[1] I understand that the specification of the ‘432 Patent explicitly defines several terms recited in the claims. It should be noted that my opinions account for such definitions even though, for brevity, those definitions are not repeated within this section.

In my opinion, under the BRI standard that I understand is applicable to the claims subject to a post-grant proceeding, the “method for authenticating a user” includes a scenario in which the “central-entity” and the “external-entity” are the “same entity” as claimed in dependent claims 11, 46, 49, and 53.

Under the BRI standard, the “first central-entity computer” and “second central-entity computer” as claimed in independent claims 25 and 52 can be construed to be logically, but not necessarily physically, separated components on a single computer because the “first central-entity computer” and “second central-entity computer” are recited as “the same” in dependent claim 36. The word “computer” only appears in the claims and with reference to a “public computer network such as the Internet” in a discussion of related prior art.

Under the BRI standard, “transaction” as recited in independent claims 1, 25, 48, and 52 is construed as “where [a] user [] attempts to access a restricted web site or attempts or buy services or products . . . through a standard interface provided by [an] External-Entity . . . and selects digital identity as his identification and authorization or payment option” as stated by the specification of the ‘432 Patent. ‘432 Patent, 5:5-22.

Under the BRI standard, “dynamic code” as recited by independent claims 1, 25, 48 and 51 is construed as “any dynamic, non-predictable and time dependent alphanumeric code, secret code, PIN or other code, which may be broadcast to the user over a communication network, and may be used as a part of a digital identity to identify a user as an authorized user” as stated by the specification of the ‘432 Patent. ‘432 Patent, 2:35-40.

VI. Discussion of the Priority Application

The ‘432 Patent allegedly claims priority to the ‘046 Application, which was filed September 30, 2005, and issued as the ‘676 Patent on October 28, 2008. Counsel has advised me that, for this claim of priority to be proper, the specification of the ‘676 Patent must support the ‘432 Patent’s claims. I cannot find support for the claims of the ‘432 Patent in the ‘676 Patent, and one of ordinary skill in the art would conclude that the ‘676 Patent lacks written description support for the claims of the ‘432 Patent. Just by comparing the ‘432 Patent with the ‘676 Patent reveals that the specifications are so different that the Patent Owner’s characterization of the ‘432 patent as a continuation of the Parent cannot be supported.

In general, the ‘676 Patent describes a user (e.g., customer 20) initiating an electronic transaction from one entity (e.g., originating participating financial institution (OPFI) 25) to another entity (e.g., receiving participating financial institution (RPFI)), and as an example, an interbank funds transfer between two different financial institutions. See, e.g., ‘676, 10:31-39; Figs. 1 and 4.

In one example, claim 1 of the ‘432 Patent recites “authenticating by the central-entity the user and providing a result of the authenticating to the external-entity during the transaction if the digital identity is valid.” ‘432, Claim 1 (emphasis added); see also Claims 25, 48, and 52.

This element of the independent claims clearly requires that the central-entity authenticate the user and provide a result of the authenticating to the external-entity if the digital identity is valid. However, in all diagrams and text of the ‘676 patent, the DID operator, which is the closest disclosed entity to the claimed “central-entity,” does not do so.

In certain scenarios described by the ‘676 patent, there are actually five entities: (1) the originator and (2) the receiver, (3) the originating bank (OPFI), (4) the receiving bank (RPFI), and (5) the DID operator. In my opinion, either the receiver or the RPFI is the closest entity described in the ‘676 patent to the claimed “external-entity.”

However, the DID operator does not send a validation response to either one. Rather, the DID operator sends a validation response to the OPFI, i.e., the originator’s bank. This does not correspond to the requirements of the claims of the ‘432 Patent and is not in accordance with the spirit of the concepts described in the ‘432 Patent. In particular, the ‘432 Patent describes the transaction taking place between a user and a website. The user does not receive a validation from the central-entity that the user then forwards on to the website, and in fact, the website would not trust the user to do so, based on the relationship between the website and the user. By contrast, a main premise of how the scenarios described in the ‘676 Patent work is that the financial institutions in the ‘676 Patent do generally trust each other or have a secure, trusting relationship.

Importantly, the ‘676 Patent only speaks to sending a denial message to the RPFI and the customer if the digital identity is invalid, and that if the digital identity is valid, providing a result of authentication only to the OPFI. ‘676, 11:12-18 (“[t]he DID Operator 30, upon receiving the Digital Identity Message from the RPFI 35, validates the customer’s digital identity 10 and identifies the customer (Originator) 20, 40, 155. Upon successful validation and identification, the DID Operator 30 may send a Digital Identity Message containing the customer’s digital identity 10 and possibly other transaction information to the OPFI 25 for processing 160.”); 11:24-26 (“An invalid digital identity 10 will cause a denial message to be sent to the RPFI and to the customer 20, 157, 181, 182.”)

In my opinion, the OPFI 25 described in the specification of the ‘676 patent cannot possibly correspond to the "external-entity," as claimed in the '432 Patent. In particular, the independent claims describe an authentication request from the external-entity with “a user-specific information and the dynamic code as a digital identity,” where the “dynamic code was received by the user during the electronic transaction and was provided to the external-entity by the user during the transaction.” See ‘432, Independent Claims 1, 25, 48, and 52 (emphasis added).

By contrast, the specification of the ‘676 patent describes that “[w]hen the OPFI 25 receives the customer’s digital identity 10 from the DID Operator 30, the OPFI 25 present [sic] that to the customer (Originator) 20 over the communication network 50,” and “[i]n addition to providing the digital identity 10 to the customer 20 (Originator), the OPFI 25 may request the customer (Originator) 20 to provide the digital identity 10 to the second financial institution (ORFI) 35 to finalize and complete the funds transfer transaction 130.” ‘676, 10:53-62. Then, “[t]he customer (Receiver) 20 authenticates him/herself to the RPFI 35 over a communication network 50, 140 and provides his/her digital identity 10 to the RPFI 35.” ‘676, 11:1-3 (emphasis added). Further, “[t]he RPFI 35 may validate the information provided by the customer 20 and for validation of customer’s digital identity 10 and the transaction processing, the RPFI 35 may forward a Digital Identity Message 15 containing the customer’s digital identity 10 to the DID Operator 150.” ‘676, 11:7-11. Thus, the Specification of the ‘676 Patent describes an authentication request from the RPFI, not from the OPFI, and the user receiving the digital identity from the OPFI and providing the digital identity to the RPFI, not to the OPFI.

Moreover, the security model described in the Specification of the ‘676 Patent, and in particular the secure relationships between entities, precludes the OPFI 25 described in the Specification of the ‘676 Patent from corresponding to the claimed “external-entity,” from which an authentication request is received by the central-entity, and to which the dynamic code was provided by the user. See ‘432, Independent Claims 1, 25, 48, and 52. For example, as described in the Specification of the ‘676 Patent, “the OPFI 25 present[s] that [digital identity] to the customer (Originator) 20.” ‘676, 10:53-56. Thus, there would be no reason for the customer to provide the digital identity back to the OPFI, as required by the independent claims if the OPFI is to be considered the claimed “external-entity,” because a trust relationship had already been established between the customer and the OPFI. See ‘676, 10:37-42.

Therefore, the OPFI cannot possibly correspond to the claimed external-entity, from which an authentication request is received and to which the dynamic code is provided by the user, as set forth in the indep
