In re Patent of: Asghari-Kamrani, et al.
U.S. Patent No.: 8,266,432
Attorney Docket No.: 36137-0007CP1
Issue Date: September 11, 2012
Appl. Serial No.: 12/210,926
Filing Date: September 15, 2008
Title: CENTRALIZED IDENTIFICATION AND AUTHENTICATION SYSTEM AND METHOD

DECLARATION OF SETH NIELSON

I. Personal Work Experience and Awards

My name is Seth Nielson, Adjunct Associate Research Scientist at The Johns Hopkins University. I am also currently the Founder and Chief Scientist of Crimson Vista, Inc., an independent consulting firm. In addition to the below summary, a copy of my current curriculum vitae more fully setting forth my experience and qualifications is submitted herewith as Appendix A.

I have more than 15 years of dual industrial and academic experience in Computer Science. I received a B.S. in Computer Science in 2000 and my M.S. in Computer Science in 2004, both from Brigham Young University in Provo, UT. I received my Ph.D. in Computer Science in 2009 from Rice University in Houston, TX. My doctoral dissertation concerned “Designing Incentives for Peer-to-Peer Systems.” I am the recipient of the Brown Fellowship and a Graduate Fellowship from the Rice University Computer Science Department. I was also a John and Eileen Tietze Fellow.

Page 1 of 59
USAA-1003

During my final undergraduate semester, I worked both as a teaching assistant for the Computer Networking course and as a researcher in the Networked Computing Lab. In these capacities, I assisted students in debugging and designing their TCP/IP protocol stacks, ARP protocol implementations, and RPC projects. I also collaborated in investigating statistical traffic engineering for bandwidth allocation which culminated in a published paper entitled, “Effective Bandwidth for Traffic Engineering.”

Effective bandwidth relates to the concept of bandwidth reservation for quality of service guarantees. On data connections designed to carry large quantities of data for many users, some users may pay extra to guarantee a certain quality of service. Nevertheless, given enough users, at any given time some percentage of users with guarantees will not be utilizing their full capacity. Effective bandwidth is a statistical model that dictates how many users can be guaranteed service under these conditions.

During my graduate work I have also published additional papers related to networking and computer security. In 2005, I published a paper entitled, “A Taxonomy of Rational Attacks.” This paper categorized and described the various types of attacks that one might see in a decentralized, peer-to-peer (p2p) network. When there is no centralized authority, users have to cooperate to obtain service. The term “rational attacks” refers to the economic incentives to not cooperate while still exploiting the system for service.

My thesis, “Designing Incentives for Peer-to-Peer Systems” built on this concept. Given a network where participants cannot be forced to cooperate, the operation of said network must induce cooperation by design of the outcomes. In other words, it must be in each participant’s best interest to contribute to the cooperative operation. Experiments included simulated extensions to the BitTorrent peer-to-peer protocol for long-term identities and mechanisms for cooperative anonymity. I constructed my own simulator of the BitTorrent protocol, and simulated thousands of hours of operations. For further accuracy and realism, I cooperated with researchers at other universities that provided me with real data traces of BitTorrent users that used long term identifiers such as a login name.

From 2001 through 2003, I worked as a software engineer at Metrowerks (formerly Lineo, Inc.). There I gained substantial experience in software architecture, computer networking, and technical project management. In particular, I developed and maintained the GUI for the Embedix SDK, ported the Linux GUI of the Embedix SDK to Windows, created an automated system to forward Linux python scripts to a Windows GUI, and developed a packaging and automated updating system for client software.

During the 2004 fall semester of my Ph.D. program at Rice University, I identified a security vulnerability in the Google Desktop Search that could have allowed hackers to compromise users’ computers and obtain private information. After contacting Google and assisting them in closing the vulnerability, we published the details of our investigation.

Later, in 2005, I completed an internship at Google, where I designed and implemented a solution to privacy loss in Google Web Accelerator. The Google Web Accelerator was designed to increase the speed of browsing the Internet. Once installed on a user’s computer, the browser would request all content through a Google Proxy. The proxy performed pre-fetching and extensive caching in order to provide fast and responsive service to the user. At the time of my internship, news reports had identified odd problems in which users of the Accelerator were accessing other individuals’ private pages. During my internship, I designed and implemented a prototype solution for this issue.

From 2005 through 2011, I worked as a Security Analyst and later a Senior Security Analyst for Independent Security Evaluators. There, I developed a parallel-processing based security tool, developed a FIPS-certified encryption library, developed hardware-accelerated encryption algorithms, developed encrypted file-system prototypes, developed an encryption library for an ISE client, performed port-scanning analyses, evaluated security protocols using formal methods and hand analysis, and evaluated security failures. I also designed and managed the implementation of a secure communication technology that splits trust between multiple SSL Certificate Authorities (CA), so that if one CA is compromised, the communication stream can still be safely authenticated. My work on the secure communications technology project led to the issuance of multiple patents including U.S. 8,745,372 entitled “Systems and Methods for Securing Data in Motion.”

In 2011, I began work as a Research Scientist at Harbor Labs and later was promoted to the position of Principal. I served a wide range of clients providing them with specialized consulting in network security, network communications, software architecture, and programming languages. I have analyzed an extensive collection of commercial software, including software related to secure email, cloud-based multimedia delivery, document signing, anti-virus and anti-intrusion, high-performance routing, networking protocol stacks in mobile devices, PBX telecommunications software, VoIP, and peer-to-peer communications. I have also analyzed security considerations for potential technology acquisitions, re-created heuristic signatures for 1995-era viruses, and re-created a 1995-era network for testing virus scanners of that time period in gateway virus scanning. I, and teams under my direction, also review technologies for compliance with various standards such as HIPAA and also for security vulnerabilities.

In particular, I have reviewed and analyzed the design and implementation of multiple security-related gateway products. This includes industrial-grade firewalls that employ anti-virus and anti-malware engines for processing network traffic. I have also reviewed other gateway products that provide secure storage to cloud devices.

I have also assessed the security and privacy technologies and policies provided by a third-party vendor to the Center for Copyright Infringement (CCI). CCI represents content owners, such as the RIAA and the MPAA, in finding and reducing piracy online. Because this process necessarily involves collecting information about private individuals, I was asked to investigate and determine that the information collected from online computing devices was adequately safeguarded and protected.

One of my final assignments with Harbor Labs was leading an engagement with a large biomedical device firm in a one-year analysis of the security of their products. In particular, medical devices were for some time not considered significant threats in terms of computer security. However, recent demonstrations by security researchers of the various ways in which a malicious individual might harm a person hooked up to a medical device have shifted the thinking in the industry. Accordingly, I assisted this company in the analysis of their products, their process, and their future roadmap in order to ensure that patients are not harmed. These evaluations, under my direction, analyzed design documents, hardware, and a broad range of additional resources in order to expose as many potential problems as possible for remediation. The security of these systems depends, in part, on the architecture and deployment of the networks in which they operate.

I have now formed my own consulting company, Crimson Vista, Inc. I am already serving a wide range of clients in similar capacities, providing specialized research and analysis on topics of computer security, networking, and programming languages.

In 2014 I received an appointment as a Lecturer at Johns Hopkins University and in 2015 I advanced to an Adjunct Associate Research Scientist. My responsibilities at Johns Hopkins include teaching classes, mentoring students, and conducting research. More specifically, I currently teach the Network Security course for which I created the curriculum from scratch. As part of this curriculum, I designed a novel experimentation framework for allowing students to both build and attack security protocols. The course covered topics ranging from cryptography and access controls to network architecture and user psychology.
One of the components of the students’ lab work is to create a protected sandbox for running untrusted code. The sandbox must provide access to the system in a manner that cannot be exploited. Conversely, the other half of their assignment is to design exploitative code that attempts to bypass and/or neutralize the protections of the sandbox environment. This experimental framework enables the students to learn about creating, identifying, and neutralizing malware such as viruses.

In addition to my course instruction, I also mentor Masters students at Johns Hopkins in their capstone projects. These projects include networking security and privacy concerns across a wide range of technologies including iOS security, BitCoin, SSL vulnerabilities, and Twitter botnets. These are all contemporary issues in practical computer security.

One group of students and I investigated the known Heartbleed vulnerability in certain versions of OpenSSL. Under my direction, the students created a vulnerable server to test. Once they were able to re-create the known vulnerability, they explored other ways of testing and finding vulnerabilities of the same sort using, for example, fuzzing.

Another student performed an analysis on “bots” in social media such as Twitter. Twitter relies on advertising to make money as the individual users are not charged for their accounts. This advertising process is based, in part, on identifying “influential” individuals (i.e., individuals with a large number of friends). Unfortunately, “bots” are computer programs that can act like a real person on social media sites. Individuals will sell buyers an arbitrary number of “friends” that are, in fact, just bots. My student and I created an approach for mapping out these so-called “botnets” in a novel way that may be useful in deterring such botnets. We are currently working on a draft of this research to be submitted for publication.

I first served as an expert witness at the request of RMail in 2012. Since that time, I have been hired by numerous law firms to provide them and their clients with expert consultation and expert testimony, often in the areas of patent infringement litigation related to Computer Science.

Based on my above-described 15 years of education, and dual industrial and academic experience in Computer Science, I have specialized knowledge in the field of computer security, network security, network communications, cryptography, and software architecture. I believe that I am considered to be an expert in the field of computer science generally, and more specifically in the fields of IT security and authentication.

II. Materials Considered

In writing this Declaration, I have considered the following: my own knowledge and experience, including my work experience in the fields of computer science and IT security and authentication; my industry experience with those subjects; and my experience in working with others involved in those fields. I have also analyzed the following publications and materials, in addition to other materials I cite in my declaration:

- U.S. Patent No. 8,266,432 and its accompanying prosecution history (“the ‘432 Patent”, Ex. 1001, 1002)
- U.S. Patent No. 7,356,837 (“the ‘837 Patent” or “‘837”, Ex. 1005)
- U.S. Patent No. 7,444,676 (“the ‘676 Patent” or “’676”, Ex. 1015)
- U.S. Patent Application Publication 2006/0094403 to Norefors et al. (“Norefors”)
- Radius, IEEE RFC (Request for Comments) 2865 (incorporated by US 2006/0094403 A1 to Norefors)
- U.S. Patent Application Publication No.: US 20030080183 to Rajasekaran et al (“Rajasekaran”)
- U.S. Patent No. 5,740,361 to Brown (“Brown”)
- Patent Owner Preliminary Response United Services Automobile Association v. NADER ASGHARI-KAMRANI and KAMRAN ASGHARI-KAMRANI, IPR2015-01842, Paper 7
Although for the sake of brevity this Declaration refers to selected portions of the cited references, it should be understood that one of ordinary skill in the art would view the references cited herein in their entirety, and in combination with other references cited herein or cited within the references themselves. The references used in this Declaration, therefore, should be viewed as being incorporated herein in their entirety.

I am not currently and have not at any time in the past been an employee of United Services Automobile Association, Inc. (“USAA”). I have been engaged in the present matter to provide my independent analysis of the issues raised in the petition for post-grant review of the ‘432 patent. I received no compensation for this declaration beyond my normal hourly compensation based on my time actually spent studying the matter, and I will not receive any added compensation based on the outcome of this post-grant review of the ‘432 patent.

III. Person of Ordinary Skill in the Art

I am familiar with the content of the ‘432 patent, and I have reviewed the other references cited above in this declaration. Counsel has informed me that I should consider these materials through the lens of one of ordinary skill in the art related to the ‘432 patent at the time of the invention. I believe that a person having ordinary skill in the art at the effective filing date of the ‘432 Patent (“PHOSITA”) would have had a Bachelor of Science Degree in Electrical Engineering, Computer Engineering, or Computer Science with related work experience. Individuals with additional education or additional industry experience could still be of ordinary skill in the art if that additional aspect compensates for a deficit in one of the other aspects of the requirements stated above. I base my evaluation of a person of ordinary skill in this art on my own personal experience, including my knowledge of students, colleagues, and related professionals at the time of interest.

IV. Overview of the ‘432 Patent

The ‘432 Patent claims and describes systems and methods relating to financial activity; specifically for centralized processing of user financial information for electronic purchases. See ‘432 Patent at Abstract, 2:51-3:6, claims 1, 25, 48, and 52. In the words of the Patent Owner, the claims of the ‘432 Patent are directed to “a Central-Entity for centralized identification and authentication of users and their transactions to increase security and e-commerce.” See ‘432 at 2:51-3:6. In more detail, the subject matter of the claims is not tied, for example, to a specific machine, and fails to transform an article into a different state or thing. Id. The independent claims of the ‘432 Patent do recite computer-related terms such as “electronic transaction,” “computer,” “digital identity,” and “dynamic code,” but these are generic computer terms referring to concepts that were well understood by the effective filing date of the ‘432 Patent. Indeed, as described in more detail below, in my opinion, the claims of the ’432 Patent altogether fail to recite a novel and unobvious technological feature, just as they fail to recite a technical problem solved by a technical solution.

The specification of the ‘432 Patent confirms that the computer-related terms cited in the ‘432 Patent’s claims do in fact relate to technology that is merely, in the words of the Patent Owner, “standard.” See, e.g., ‘432 at 5:5-10 (describing that “the user 10 attempts to access a restricted web site or attempts to buy services or products 110, as illustrated in FIG. 4, through a standard interface provided by the External-Entity 20, similar to what exists today and selects digital identity as his identification and authorization or payment option”) (emphasis added), 4:67-5:4 (“The user 10 registers at the Central-Entity 30, 100, 104 and receives his account and login information such as UserName and Password 108. User 10 can access his account at any time by accessing the Central-Entity’s system using a communication network 50 and logging into the system.”). Consequently, the claims of the ‘432 Patent are not transformed into a technological invention by mere recitation of generic computer-related terms.

The ’432 Patent fails even to recite a technical problem, and instead addresses the non-technical tasks of allowing users “to participate in e-commerce without worrying about [] privacy and security” and “be[ing] simple for businesses to adopt and also doesn’t require the financial institutions to change their existing systems.” ‘432 at 1:60-2:4. To “keep merchants, service providers, Internet sites and financial institutions satisfied by positively identifying and authenticating the users,” ‘432 at 3:47-49, the specification touts the use of “digital identity” as “a combination of [the] user’s ‘SecureCode’ and user’s information.” ‘432, 2:35-44. According to the specification, “The SecureCode is preferably implemented through the use of an indicator [which] has two states: ‘on’ for valid and ‘off’ for invalid.” ‘432, 5:62-64. This purported solution is trivial. Indeed, the solution proposed in the ‘432 Patent to this non-technical problem is nothing more than the application of well-known art to achieve a normal, expected, and predictable result: the use of user-provided personal and financial information to a financial institution for user identification and authentication. See e.g., ‘432 at Abstract, 1:61-2:4.


Insofar as claim 1 recites “A method for authenticating a user during an electronic transaction between the user and an external-entity” that includes “generating by the central-entity during the transaction a dynamic code for the user in response to the request,” ‘432:6:24-34, these various steps can be performed by a non-computer entity. Tellingly, the specification defines the “User” as “both a typical person consuming goods and services as well as a business consuming goods and services;” the “Central-Entity” as “any party that has user’s personal and/or financial information, UserName, Password and generates dynamic, non-predictable and time dependable SecureCode for the user [such as] banks, credit card issuing companies or any intermediary service companies;” and the “External-Entity” as “any party offering goods or services that users utilize by directly providing their UserName and SecureCode as digital identity [such as] a merchant, service provider or an online site.” ‘432 at 2:10-26. The specification amplifies that the solution can be performed by a person and not a computer, thereby establishing that the claims are not directed to a technical solution. A person having ordinary skill in the art at the time that the ‘432 Patent was filed would not have considered the methods described and claimed by the ‘432 Patent to be technical.

This subject matter was, at the effective filing date of the ‘432 Patent, already well known in the prior art. Indeed the references throughout this declaration provide robust descriptions of the very subject matter that the ‘432 Patent claims.

V. Claim Construction [1]

I understand that, for the purposes of my analysis in this matter, the claims of the ‘432 Patent must be given their broadest reasonable interpretation (BRI) consistent with the specification. Stated another way, it is contemplated that the claims are understood to have their broadest reasonable interpretation in view of the specification to one having ordinary skill in the art at the time of the invention, without importing limitations into the claims from the specification. I have followed these principles in my analysis. In a few instances, I have discussed my understanding of the claims in the relevant paragraphs below. I note, however, that I have been informed that the interpretation of claims used in the context of a Patent Office proceeding, such as this one, is governed by different legal rules than those used in the context of District Court litigation. As such, if I am ever asked to consider the interpretation of the claims of the ‘432 Patent in a District Court litigation context, my opinions under those different rules of interpretation very well may differ.

[1] I understand that the specification of the ‘432 Patent explicitly defines several terms recited in the claims. It should be noted that my opinions account for such definitions even though, for brevity, those definitions are not repeated within this section.


In my opinion, under the BRI standard that I understand is applicable to the claims subject to a post-grant proceeding, the “method for authenticating a user” includes a scenario in which the “central-entity” and the “external-entity” are the “same entity” as claimed in dependent claims 11, 46, 49, and 53.

Under the BRI standard, the “first central-entity computer” and “second central-entity computer” as claimed in independent claims 25 and 52 can be construed to be logically, but not necessarily physically, separated components on a single computer because the “first central-entity computer” and “second central-entity computer” are recited as “the same” in dependent claim 36. The word “computer” only appears in the claims and with reference to a “public computer network such as the Internet” in a discussion of related prior art.

Under the BRI standard, “transaction” as recited in independent claims 1, 25, 48, and 52 is construed as “where [a] user [] attempts to access a restricted web site or attempts or buy services or products . . . through a standard interface provided by [an] External-Entity . . . and selects digital identity as his identification and authorization or payment option” as stated by the specification of the ‘432 Patent. ‘432 Patent, 5:5-22.

Under the BRI standard, “dynamic code” as recited by independent claims 1, 25, 48 and 51 is construed as “any dynamic, non-predictable and time dependent alphanumeric code, secret code, PIN or other code, which may be broadcast to the user over a communication network, and may be used as a part of a digital identity to identify a user as an authorized user” as stated by the specification of the ‘432 Patent. ‘432 Patent, 2:35-40.
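The three-party exchange recited in claim 1 and defined in the specification (the user registers with the central-entity, receives a dynamic code during the transaction, presents UserName plus dynamic code to the external-entity as a digital identity, and the external-entity sends an authentication request to the central-entity, which returns a result if the digital identity is valid) can be modelled as a short program. The following Python model is an added illustration and is not part of this declaration, of the ‘432 Patent, or of either party's filings. The entity names follow the patent's vocabulary; the code format (8 hex characters), its lifetime, the single-use rule, the constructed user “alice” and the constructed clock are assumptions of the example, not claim limitations. The model also probes the failure modes a practitioner would check when such a code is called “non-predictable and time dependent”: replay of a consumed code, an expired code, an unknown user, a wrong password at issuance and a guessed code.

```python
"""Constructed model of the three-party flow the '432 Patent's claim 1 recites:
user, external-entity (merchant) and central-entity (the party holding the
user's UserName and Password).  Added illustration only; code format, lifetime,
single-use rule and the sample user are assumptions, not patent language."""
import hmac
import secrets
from dataclasses import dataclass, field

CODE_LIFETIME_SECONDS = 120.0  # assumed lifetime; the patent says only "time dependent"


@dataclass
class IssuedCode:
    code: str
    expires_at: float
    used: bool = False


@dataclass
class CentralEntity:
    """Holds UserName/Password, issues dynamic codes, answers authentication requests."""
    users: dict                                 # username -> password (constructed sample data)
    codes: dict = field(default_factory=dict)   # username -> IssuedCode

    def login(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        # constant-time comparison so a near-miss password is not distinguishable by timing
        return stored is not None and hmac.compare_digest(stored, password)

    def issue_dynamic_code(self, username: str, password: str, now: float):
        """Step: the user logs in during the transaction and asks for a dynamic code."""
        if not self.login(username, password):
            return None
        code = secrets.token_hex(4)  # 8 hex characters from a CSPRNG: non-predictable
        self.codes[username] = IssuedCode(code, now + CODE_LIFETIME_SECONDS)
        return code

    def authenticate(self, username: str, code: str, now: float) -> str:
        """Step: authentication request from the external-entity carrying the
        digital identity (UserName + dynamic code).  Returns "valid" or "invalid"."""
        issued = self.codes.get(username)
        if issued is None or issued.used or now > issued.expires_at:
            return "invalid"            # no code on record, already consumed, or expired
        if not hmac.compare_digest(issued.code, code):
            return "invalid"
        issued.used = True              # one transaction per code: no replay
        return "valid"


@dataclass
class ExternalEntity:
    """Merchant: never sees the password, only forwards the digital identity."""
    central: CentralEntity

    def checkout(self, username: str, code: str, now: float) -> bool:
        # The result of authenticating comes back to the external-entity directly,
        # not by way of the user, which is why the merchant can act on it.
        return self.central.authenticate(username, code, now) == "valid"


def run_scenario() -> dict:
    """Walk the flow once and probe the failure modes; returns outcome flags."""
    central = CentralEntity(users={"alice": "correct-horse"})  # constructed user
    shop = ExternalEntity(central)
    t0 = 1_700_000_000.0  # constructed clock, seconds

    code = central.issue_dynamic_code("alice", "correct-horse", t0)
    outcomes = {
        "issued": code is not None,
        "first_use": shop.checkout("alice", code, t0 + 10),   # fresh code: valid
        "replay": shop.checkout("alice", code, t0 + 20),      # same code again: invalid
        "bad_password": central.issue_dynamic_code("alice", "wrong", t0) is None,
    }
    code2 = central.issue_dynamic_code("alice", "correct-horse", t0)
    outcomes["expired"] = shop.checkout("alice", code2, t0 + CODE_LIFETIME_SECONDS + 1)
    outcomes["unknown_user"] = shop.checkout("bob", code2, t0 + 5)
    outcomes["guessed_code"] = shop.checkout("alice", "zzzzzzzz", t0 + 5)  # 'z' never appears in hex
    return outcomes


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:13s} {value}")
```

Running the module prints one line per probe; only `issued`, `first_use` and `bad_password` come out True. Two design points are worth noting against the text above. First, the external-entity holds no secret of the user's: it forwards the digital identity and acts only on the central-entity's answer, so a code captured at one merchant is useless after its single use or its lifetime. Second, the model keeps the password check at issuance and the code check at authentication as two separate comparisons on the central-entity, which is the separation the specification's “UserName and Password” registration step and “SecureCode” validation step describe.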

VI. Discussion of the Priority Application

The ‘432 Patent allegedly claims priority to the ‘046 Application, which was filed September 30, 2005, and issued as the ‘676 Patent on October 28, 2008. Counsel has advised me that, for this claim of priority to be proper, the specification of the ‘676 Patent must support the ‘432 Patent’s claims. I cannot find support for the claims of the ‘432 Patent in the ‘676 Patent, and one of ordinary skill in the art would conclude that the ‘676 Patent lacks written description support for the claims of the ‘432 Patent. Simply comparing the ‘432 Patent with the ‘676 Patent reveals that the specifications are so different that the Patent Owner’s characterization of the ‘432 patent as a continuation of the Parent cannot be supported.

In general, the ‘676 Patent describes a user (e.g., customer 20) initiating an electronic transaction from one entity (e.g., originating participating financial institution (OPFI) 25) to another entity (e.g., receiving participating financial institution (RPFI)), and as an example, an interbank funds transfer between two different financial institutions. See, e.g., ‘676, 10:31-39; Figs. 1 and 4.

In one example, claim 1 of the ‘432 Patent recites “authenticating by the central-entity the user and providing a result of the authenticating to the external-entity during the transaction if the digital identity is valid.” ‘432, Claim 1 (emphasis added); see also Claims 25, 48, and 52.

This element of the independent claims clearly requires that the central-entity authenticate the user and provide a result of the authenticating to the external-entity if the digital identity is valid. However, in all diagrams and text of the ‘676 patent, the DID operator, which is the closest disclosed entity to the claimed “central-entity,” does not do so.

In certain scenarios described by the ‘676 patent, there are actually five entities: (1) the originator and (2) the receiver, (3) the originating bank (OPFI), (4) the receiving bank (RPFI), and (5) the DID operator. In my opinion, either the receiver or the RPFI is the closest entity described in the ‘676 patent to the claimed “external-entity.”

However, the DID operator does not send a validation response to either one. Rather, the DID operator sends a validation response to the OPFI, i.e., the originator’s bank. This does not correspond to the requirements of the claims of the ‘432 Patent and is not in accordance with the spirit of the concepts described in the ‘432 Patent. In particular, the ‘432 Patent describes the transaction taking place between a user and a website. The user does not receive a validation from the central-entity that the user then forwards on to the website, and in fact, the website would not trust the user to do so, based on the relationship between the website and the user. By contrast, a main premise of how the scenarios described in the ‘676 Patent work is that the financial institutions in the ‘676 Patent do generally trust each other or have a secure, trusting relationship.

Importantly, the ‘676 Patent only speaks to sending a denial message to the RPFI and the customer if the digital identity is invalid, and that if the digital identity is valid, providing a result of authentication only to the OPFI. ‘676, 11:12-18 (“[t]he DID Operator 30, upon receiving the Digital Identity Message from the RPFI 35, validates the customer’s digital identity 10 and identifies the customer (Originator) 20, 40, 155. Upon successful validation and identification, the DID Operator 30 may send a Digital Identity Message containing the customer’s digital identity 10 and possibly other transaction information to the OPFI 25 for processing 160.”); 11:24-26 (“An invalid digital identity 10 will cause a denial message to be sent to the RPFI and to the customer 20, 157, 181, 182.”)

In my opinion, the OPFI 25 described in the specification of the ‘676 patent cannot possibly correspond to the “external-entity,” as claimed in the ‘432 Patent. In particular, the independent claims describe an authentication request from the external-entity with “a user-specific information and the dynamic code as a digital identity,” where the “dynamic code was received by the user during the electronic transaction and was provided to the external-entity by the user during the transaction.” See ‘432, Independent Claims 1, 25, 48, and 52 (emphasis added).

By contrast, the specification of the ‘676 patent describes that “[w]hen the OPFI 25 receives the customer’s digital identity 10 from the DID Operator 30, the OPFI 25 present [sic] that to the customer (Originator) 20 over the communication network 50,” and “[i]n addition to providing the digital identity 10 to the customer 20 (Originator), the OPFI 25 may request the customer (Originator) 20 to provide the digital identity 10 to the second financial institution (ORFI) 35 to finalize and complete the funds transfer transaction 130.” ‘676, 10:53-62. Then, “[t]he customer (Receiver) 20 authenticates him/herself to the RPFI 35 over a communication network 50, 140 and provides his/her digital identity 10 to the RPFI 35.” ‘676, 11:1-3 (emphasis added). Further, “[t]he RPFI 35 may validate the information provided by the customer 20 and for validation of customer’s digital identity 10 and the transaction processing, the RPFI 35 may forward a Digital Identity Message 15 containing the customer’s digital identity 10 to the DID Operator 150.” ‘676, 11:7-11. Thus, the Specification of the ‘676 Patent describes an authentication request from the RPFI, not from the OPFI, and the user receiving the digital identity from the OPFI and providing the digital identity to the RPFI, not to the OPFI.

Moreover, the security model described in the Specification of the ‘676 Patent, and in particular the secure relationships between entities, precludes the OPFI 25 described in the Specification of the ‘676 Patent from corresponding to the claimed “external-entity,” from which an authentication request is received by the central-entity, and to which the dynamic code was provided by the user. See ‘432, Independent Claims 1, 25, 48, and 52. For example, as described in the Specification of the ‘676 Patent, “the OPFI 25 present[s] that [digital identity] to the customer (Originator) 20.” ‘676, 10:53-56. Thus, there would be no reason for the customer to provide the digital identity back to the OPFI, as required by the independent claims if the OPFI is to be considered the claimed “external-entity,” because a trust relationship had already been established between the customer and the OPFI. See ‘676, 10:37-42.

Therefore, the OPFI cannot possibly correspond to the claimed external-entity, from which an authentication request is received and to which the dynamic code is provided by the user, as set forth in the indep