`
`
`
`Paper No. 1
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`____________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`____________________
`
`
`APPLE INC.
`Petitioner,
`
`v.
`
`VIRNETX, INC. AND SCIENCE APPLICATION INTERNATIONAL
`CORPORATION,
`Patent Owner.
`
`Patent No. 8,458,341
`Issued: June 4, 2013
`Filed: December 23, 2011
`Inventors: Victor Larson, et al.
`Title: SYSTEM AND METHOD EMPLOYING AN AGILE NETWORK
`PROTOCOL FOR SECURE COMMUNICATIONS USING SECURE DOMAIN
`NAMES
`
`____________________
`
`Inter Partes Review No. IPR2015-00866
`__________________________________________________________________
`
`Petition for Inter Partes Review of
`U.S. Patent No. 8,458,341
`
`
`
`
`
`
`

`

`
`
`I.
`
`Table of Contents
`
`Introduction .................................................................................................... 1
`A. Certification the ’341 Patent May Be Contested by Petitioner ....... 1
`B.
`Fee for Inter Partes Review (§ 42.15(a)) ........................................... 1
`C. Mandatory Notices (37 CFR § 42.8(b)) ............................................. 1
`1.
`Real Party in Interest (§ 42.8(b)(1)) ............................................ 1
`2.
`Other Proceedings (§ 42.8(b)(2)) ................................................ 2
`3.
`Lead and Backup Lead Counsel (§ 42.8(b)(3)) .......................... 2
`4.
`Service Information (§ 42.8(b)(4)) ............................................. 2
`5.
`Proof of Service (§§ 42.6(e) and 42.105(a)) ............................... 2
`
`II.
`
`Identification of Claims Being Challenged (§ 42.104(b)) ........................... 2
`
`B.
`C.
`D.
`E.
`
`III. Relevant Information Concerning the Contested Patent .......................... 3
`A. Overview of the ’341 Patent ............................................................... 3
`1.
`The ’341 Patent Specification ..................................................... 3
`2.
`Representative Claims ................................................................ 5
`Patent Owner’s Assertion of Related Patents ................................... 6
`Effective Filing Date ............................................................................ 6
`The Person of Ordinary Skill in the Art ........................................... 8
`Claim Construction ............................................................................. 9
`1.
`“interception of the request” ....................................................... 9
`2.
`“provisioning information” ....................................................... 10
`3.
`“secure communications service” ............................................. 11
`4.
`“indication” ............................................................................... 13
`5.
`“virtual private network communication link” ......................... 14
`6.
`“domain name” ......................................................................... 15
`7.
`“modulation” ............................................................................. 16
`
`IV. Analysis of the Patentability of the ’341 Patent ........................................ 16
`
`i
`
`

`

`
`
`2.
`
`A. Overview of Beser (Ex. 1007) ........................................................... 17
`a)
`Request Containing a Unique Identifier ......................... 19
`b)
`Negotiation of Private IP Addresses ............................... 22
`B. Overview of RFC 2401 (Ex. 1008) ................................................... 24
`C.
`Beser (Ex. 1007) In View of RFC 2401 (Ex. 1008) Would Have
`Rendered Obvious Claims 1-11, 14-25 and 28 ................................ 26
`1.
`A Person of Ordinary Skill Would Have Found It Obvious to
`Encrypt IP Traffic in the Beser Scheme Based on the Teachings
`in Beser and RFC 2401 ............................................................. 29
`Independent Claims 1 and 15 Would Have Been Obvious ...... 33
`a)
`Claim 15 Preamble ......................................................... 33
`b)
`“send[ing]. . . a request to look up an internet protocol
`(IP) address . . . based on a domain name . . .” .............. 34
`The “receiving” step ....................................................... 36
`“connect[ing] . . . [over the virtual private network
`communication link,] using the received IP address . . .
`and the provisioning information . . .” ............................ 44
`“communicat[e/ing]. . . using the secure communications
`service via the virtual private network communication
`link.” ............................................................................... 46
`Additional System Elements of Claim 1 ........................ 47
`f)
`Claims 2 and 16 Would Have Been Obvious ........................... 48
`3.
`Claims 13 and 17 Would Have Been Obvious ......................... 49
`4.
`Claims 4, 5, 18 and 19 Would Have Been Obvious ................. 50
`5.
`Claims 6 and 20 Would Have Been Obvious ........................... 51
`6.
`Claims 7, 8, 21 and 22 Would Have Been Obvious ................. 52
`7.
`Claims 9 and 23 Would Have Been Obvious ........................... 53
`8.
`Claims 10 and 24 Would Have Been Obvious ......................... 53
`9.
`10. Claims 11 and 25 Would Have Been Obvious ......................... 54
`11. Claims 14 and 28 Would Have Been Obvious ......................... 56
`D. No Secondary Considerations Exist ................................................ 56
`
`c)
`d)
`
`e)
`
`
`
`ii
`
`

`

`
`
`V. Conclusion .................................................................................................... 57
`
`Conclusion .................................................................................................... 57
`
`V.
`
`
`
`iii
`
`iii
`
`

`

`Petition in IPR2015-00866
`
`I.
`
`Introduction
`A. Certification the ’341 Patent May Be Contested by Petitioner
`Petitioner certifies that U.S. Patent No. 8,458,341 (Ex. 1001) (the ’341
`
`patent) is available for inter partes review. Petitioner also certifies it is not barred
`
`or estopped from requesting inter partes review of the claims of the ’341 patent.
`
`Neither Petitioner, nor any party in privity with Petitioner, has filed a civil action
`
`challenging the validity of any claim of the ’341 patent. The ’341 patent has not
`
`been the subject of a prior inter partes review by Petitioner or a privy of Petitioner.
`
`Petitioner also certifies this petition for inter partes review is timely filed as
`
`it has never been asserted against Petitioner in litigation. Thus, because there is no
`
`patent owner’s action, this petition complies with 35 U.S.C. § 315(b). Petitioner
`
`also notes that the timing provisions of 35 U.S.C. § 311(c) and 37 C.F.R.
`
`§ 42.102(a) do not apply to the ’341 patent, as it pre-dates the first-to-file system.
`
`See Pub. L. 112-274 § 1(n), 126 Stat. 2456 (Jan. 14, 2013).
`
`Fee for Inter Partes Review (§ 42.15(a))
`
`B.
`The Director is authorized to charge the fee specified by 37 CFR § 42.15(a)
`
`to Deposit Account No. 50-1597.
`
`C. Mandatory Notices (37 CFR § 42.8(b))
`1.
`Real Party in Interest (§ 42.8(b)(1))
`The real party in interest of this petition pursuant to § 42.8(b)(1) is Apple
`
`Inc. (“Apple”) located at One Infinite Loop, Cupertino, CA 95014.
`
`1
`
`

`

`Petition in IPR2015-00866
`
`2. Other Proceedings (§ 42.8(b)(2))
`IPR2015-00867 filed concurrently also involves the ’341 patent. Each
`
`petition advances unique grounds and are based on different primary references.
`
`The present petition and IPR2015-00867 present unique correlations of the
`
`challenged ’341 claims to the prior art, and each warrants independent institution
`
`of trial. Petitioner respectfully requests the Board institute each petition, as each
`
`presents distinct and non-redundant grounds.
`
`Lead and Backup Lead Counsel (§ 42.8(b)(3))
`
`3.
`Lead Counsel is: Jeffrey P. Kushan (Reg. No. 43,401), jkushan@sidley.com,
`
`(202) 736-8914. Back-Up Lead Counsel are: Scott Border (pro hac to be
`
`requested), sborder@sidley.com, (202) 736-8818; and Thomas A. Broughan III
`
`(Reg. No. 66,001), tbroughan@sidley.com, (202) 736-8314.
`
`Service Information (§ 42.8(b)(4))
`
`4.
`Service on Petitioner may be made by e-mail (iprnotices@sidley.com), mail
`
`or hand delivery to: Sidley Austin LLP, 1501 K Street, N.W., Washington, D.C.
`
`20005. The fax number for lead and backup lead counsel is (202) 736-8711.
`
`5.
`Proof of Service (§§ 42.6(e) and 42.105(a))
`Proof of service of this petition is provided in Attachment A.
`
`II.
`
`Identification of Claims Being Challenged (§ 42.104(b))
`Claims 1-11, 14-25 and 28 of the ’341 patent are unpatentable for being
`
`obvious under 35 U.S.C. § 103 based on U.S. Patent No. 6,496,867 to Beser
`
`
`
`2
`
`

`

`Petition in IPR2015-00866
`
`(“Beser”) (Ex. 1007) in view of “RFC 2401, Security Architecture for the Internet
`
`Protocol,” (“RFC 2401”) (Ex. 1008) and the knowledge of a person of ordinary
`
`skill in the art. Attachment B lists the evidence relied upon in support of this
`
`petition.
`
`III. Relevant Information Concerning the Contested Patent
`A. Overview of the ’341 Patent
`1.
`The ’341 Patent Specification
`The ’341 patent is a member of a family of patents issued to Larson et al.,
`
`including, inter alia, U.S. Patent Nos. 6,502,135 (“ ’135 patent”), 7,188,180
`
`(“ ’180 patent”), 7,418,504 (“ ’504 patent”), 7,490,151 (“ ’151 patent”), 7,921,211
`
`(“ ’211 patent”), 7,987,274 (“ ’274 patent”), 8,051,181 (“ ’181 patent”), 8,504,697
`
`(“ ’697 patent”), 8,868,705 (“ ’8705 patent”), 8,850,009 (“’009 patent”), 8,516,131
`
`(“ ’131 patent”), and 8,560,705 (“ ’0705 patent).1
`
`The ’341 patent disclosure, like other members of this patent family, is
`
`largely focused on techniques for securely communicating over the Internet based
`
`on a protocol called the “Tunneled Agile Routing Protocol” or “TARP.” Ex. 1001
`
`at 3:16-19. According to the ’341 specification, TARP allows for secure and
`
`anonymous communications by using tunneling, an IP address hopping scheme
`
`
`1
`
`IPR2015-00868, -00869, -00870 and -00871 filed concurrently involve the
`
`’131 and ’0705 patents.
`
`
`
`3
`
`

`

`Petition in IPR2015-00866
`
`where the IP addresses of the end devices and routers participating in the system
`
`can change over time, and a variety of other security techniques. Ex. 1001 at 1:35-
`
`37, 3:16-6:9. Two short sections of the ’341 specification – spanning primarily
`
`columns 39 to 42 and 49 to 53 – are directed to a different concept, namely,
`
`techniques for establishing secure communications in response to DNS requests
`
`specifying a secure destination. See Ex. 1001 at 39:24–42:12, 49:20–53:30. This
`
`material was added in a continuation-in-part application filed in February 2000. In
`
`proceedings involving related patents, Patent Owner has asserted that these short
`
`passages provide written description support for claim terms involving domain
`
`names, DNS requests, requests to look up IP addresses, and DNS servers.
`
`These portions of the ’341 specification describe a “conventional DNS
`
`server” that purportedly is modified to include additional functionality that allows
`
`it to support the creation of virtual private networks. See Ex. 1001 at 40:16-44.
`
`According to the ’341 specification, the “modified DNS server” (id. at 40:20-21)
`
`receives a request to look up a network address associated with a domain name,
`
`determines whether a secure site has been requested (for example, by checking an
`
`internal table of sites), and then performs additional steps to support establishing a
`
`“virtual private network” with the secure site. See Ex. 1001 at 39:21-26, 39:66-
`
`40:15, 40:26-44, 41:17-35, 51:54-60. This process can include conventional
`
`devices such as personal computers running web browsers, proxy servers,
`
`
`
`4
`
`

`

`Petition in IPR2015-00866
`
`intermediate routers, and web servers. Ex. 1001 at 40:16-25, 49:34-44, 52:47-51.
`
`The ’341 specification describes several optional features of this system,
`
`such as using “IP hopblocks” to create a VPN or incorporating user authentication.
`
`Ex. 1001 at 40:5-9, 40:35-38, 41:28-35, 52:1-14. It also describes several optional
`
`configurations of the “modified DNS server,” including a standalone DNS server
`
`and a system incorporating a DNS server, a DNS proxy server, and a gatekeeper.
`
`Ex. 1001 at 40:16-25.
`
`Representative Claims
`
`2.
`Independent claims 1 and 15 of the ’341 patent define a network device and
`
`a method, respectively, but recite the same operative steps. See Ex. 1001 at 56:2-
`
`25, 57:4-25. Claim 15 is representative, specifying a method executed by a first
`
`network device for communicating with a second network device by: (1) sending a
`
`request to look up an internet protocol (IP) address of a second network device
`
`based on a domain name associated with the second network device; (2) following
`
`interception of the request and a determination that the second network device is
`
`available for the secure communication service, receiving (i) an indication that the
`
`second network device is available for a secure communications service, (ii) the
`
`requested IP address of the second network device, and (iii) provisioning
`
`information for a virtual private network communication link; (3) connecting to the
`
`second network device over the virtual private network communication link, using
`
`
`
`5
`
`

`

`Petition in IPR2015-00866
`
`the received IP address of the second network device and the provisioning
`
`information for the virtual private network communication link; and (4)
`
`communicating with the second network device using the secure communications
`
`service via the virtual private network communication link.
`
`Patent Owner’s Assertion of Related Patents
`
`B.
`Patent Owner has asserted varying sets of claims of its patents in this family
`
`against Petitioner and other entities in numerous lawsuits. In August of 2010,
`
`Patent Owner sued Petitioner and five other entities (the “2010 Litigation”)
`
`asserting claims from the ’135, ’151, ’504, and ’211 patents. In November 2011,
`
`Patent Owner filed a lawsuit accusing Petitioner of infringing claims of the ’181
`
`patent. In December 2012, Patent Owner served a new complaint on Petitioner
`
`asserting infringement of numerous claims of the ’135, ’151, ’504, and ’211
`
`patents (the “2012 Litigation”). In August 2013, Patent Owner served an amended
`
`complaint adding the ’697 patent to the 2012 Litigation. Patent Owner also
`
`asserted patents from this family against Microsoft and others in separate lawsuits
`
`filed in February 2007, March 2010, and April 2013, and against numerous other
`
`defendants in actions filed in 2010 and 2011.
`
`C. Effective Filing Date
`The ’341 patent issued from U.S. Appl. No. 13/336,790 (“the ’790
`
`application”). The ’790 application claims the benefit as a continuation of the
`
`
`
`6
`
`

`

`Petition in IPR2015-00866
`
`following applications: 13/049,552 (issued as U.S. Patent No. 8,572,247);
`
`11/840,560 (issued as the ’211 patent); 10/714,849 (issued as the ’504 patent); and
`
`09/558,210, filed April 26, 2000, and now abandoned. It also is designated a
`
`continuation-in-part of 09/504,783, filed on February 15, 2000 (“the ’783
`
`application”), which is a continuation-in-part of 09/429,643, filed on October 29,
`
`1999. The ’210, ’783 and ’643 applications also claim priority to 60/106,261, filed
`
`October 30, 1998 and 60/137,704, filed June 7, 1998.
`
`Claims 1 and 15 of the ’341 patent are independent claims. Claims 2-11 and
`
`14 depend directly or indirectly from claim 1, and claims 16-25 and 28 depend
`
`directly or indirectly from claim 15. Claims 2-11, 14, 16-25 and 28 cannot enjoy
`
`an effective filing date earlier than that of claims 1 and 15, respectively, from
`
`which they depend.
`
`Claims 1 and 15 of the ’341 patent rely on information found only in the
`
`’783 application. For example, claim 1 of the ’341 patent specifies a network
`
`device comprising at least one processor configured to execute an application
`
`program to enable the network device to “send a request to look up an internet
`
`protocol (IP) address . . . based on a domain name” (emphasis added). Claim 15
`
`specifies a method executed by a first network device comprising “sending a
`
`request to look up an internet protocol (IP) address . . . based on a domain name”
`
`(emphasis added). No application filed prior to the ’783 application mentions the
`
`
`
`7
`
`

`

`Petition in IPR2015-00866
`
`term “domain name” much less provide a written description of devices or
`
`methods corresponding to the ’341 patent claims. In proceedings involving the
`
`related ’135, ’504, ’151, ’211, ’274 and ’697 patents, Patent Owner has not
`
`disputed that claims reciting a “domain name” are not entitled to an effective filing
`
`date prior to February 15, 2000. See, e.g., Patent Owner Preliminary Oppositions
`
`in IPR2013-00348, -00349, -00354, -00375 to -00378, -00393, -00394, -00397,
`
`and -00398, as well as IPR2014-00237, -00238, -00403, -00404, and -00610; see
`
`also Inter Partes Reexamination Nos. 95/001,682, 95/001,679, 95/001,697,
`
`95/001,714, 95/001,788, and 95/001,789. Accordingly, the effective filing date of
`
`the ’341 patent claims is no earlier than February 15, 2000.
`
`D. The Person of Ordinary Skill in the Art
`A person of ordinary skill in the art in the field of the ’341 patent would
`
`have been someone with a good working knowledge of networking protocols,
`
`including those employing security techniques, as well as computer systems that
`
`support these protocols and techniques. The person also would be very familiar
`
`with Internet standards related to communications and security, and with a variety
`
`of client-server systems and technologies. The person would have gained this
`
`knowledge either through education and training, several years of practical
`
`working experience, or through a combination of these. Ex. 1005 ¶ 148.
`
`
`
`
`
`
`
`8
`
`

`

`Petition in IPR2015-00866
`
`E. Claim Construction
`In this proceeding, claims must be given their broadest reasonable
`
`construction in light of the specification. 37 CFR § 42.100(b). The ’341 patent
`
`shares a common disclosure and uses several of the same terms as the ’697, ’274,
`
`’180, ’151, ’504, and ’211 patents with respect to which Patent Owner has
`
`advanced constructions. Also, if Patent Owner contends terms in the claims should
`
`be read as having a special meaning, those contentions should be disregarded
`
`unless Patent Owner also amends the claims compliant with 35 U.S.C. § 112 to
`
`make them expressly correspond to those contentions. See 77 Fed. Reg. 48764 at
`
`II.B.6 (August 14, 2012); cf. In re Youman, 679 F.3d 1335, 1343 (Fed. Cir. 2012).
`
`In the constructions below, Petitioner identifies representative subject matter
`
`within the scope of the claims, read with their broadest reasonable interpretation.
`
`Petitioner expressly reserves its right to advance different constructions in any
`
`district court litigation, which employs a different claim construction standard.
`
`1.
`“interception of the request”
`Each independent claim requires “interception of the request.” In a related
`
`proceeding involving the ’697 patent, the Board interpreted the phrase
`
`“intercepting a request” as including “receiving a request pertaining to a first entity
`
`at another entity.” IPR2014-00237, Paper 15 at 13 (May 14, 2014). The Board
`
`further explained that “intercepting” a request involves “receiving and acting on” a
`
`
`
`9
`
`

`

`Petition in IPR2015-00866
`
`request, the request being “intended for” receipt at a destination other than the
`
`destination at which the request is intercepted. Id. at 12. The Board’s construction
`
`is consistent with the ’341 patent specification. Ex. 1005 at ¶ 72.
`
`The ’341 patent does not expressly define “interception” of a request, but
`
`uses the term “intercepting” as meaning receiving a request at a device other than
`
`the device specified in the request. Ex. 1005 at ¶ 73. For example, the
`
`specification explains that a DNS proxy 2610 “intercepts” all DNS lookup
`
`functions to examine whether access to a secure site has been requested. Ex. 1001
`
`at 40:26-32, Figs. 26 & 27. The specification also shows the requests are routed to
`
`the DNS proxy instead of a DNS server 2609, which ordinarily would receive and
`
`resolve the domain name in the request. Id. at 39:27-29. Because the DNS proxy
`
`and DNS server are described as separate entities, the ’341 patent uses the term
`
`“intercept” as meaning receipt of a message by a proxy server instead of the
`
`intended destination. Accordingly, the broadest reasonable interpretation of the
`
`term “interception of the request” includes “receiving a request pertaining to a
`
`first entity at another entity.” Ex. 1005 at ¶ 74.
`
`2.
`“provisioning information”
`Each independent claim recites the term “provisioning information.” The
`
`’341 patent does not define “provisioning information.” The only discussion in
`
`specification concerning “provisioning” states that “VPN gatekeeper 3314
`
`
`
`10
`
`

`

`Petition in IPR2015-00866
`
`provisions computer 3301 and secure web server computer 3320, or a secure edge
`
`router for server computer 3320, thereby creating the VPN.” Ex. 1001 at 51:57-60
`
`(emphasis added). The ’341 specification also explains that, after a DNS proxy
`
`determines that access to a secure site has been requested, it transmits a message to
`
`a gatekeeper requesting creation of a “virtual private network.” Id. at 40:32-35,
`
`41:25-28. The gatekeeper returns a resolved IP address and IP address
`
`“hopblocks” to be used by the client computer and the target site to communicate
`
`securely. Id. at 40:32-44; see also Ex. 1005 at ¶ 75.
`
`In IPR2014-00481 involving the ’180 patent, whose claims recite
`
`provisioning information for a “virtual private network,” the Board interpreted
`
`“provisioning information” as “information that is provided to enable or to aid in
`
`establishing communications to occur in the VPN.” Paper 11 at 11 (Sept. 3, 2014).
`
`Examples of “provisioning information” in the ’341 patent includes IP address
`
`hopblocks or other data that enables or aids in establishing communications in a
`
`VPN. Ex. 1001 at 40:32-44; Ex. 1005 at ¶ 75. Therefore, the broadest reasonable
`
`interpretation of the term “provisioning information” in the context of the ’341
`
`claims is “information that enables communication in a virtual private network.”
`
`Ex. 1005 at ¶¶ 76-77.
`
`3.
`“secure communications service”
`Each independent claim recites the term “secure communications service.”
`
`
`
`11
`
`

`

`Petition in IPR2015-00866
`
`The ’341 patent does not expressly define this term. In IPR2014-00237 involving
`
`the related ’697 patent, the Board interpreted the term “secure communications
`
`service” as the “functional configuration of a network device that enables it to
`
`participate in a secure communication link with another network device.” Paper 15
`
`at 10 (May 14, 2014). “Secure communication link” in turn has been interpreted
`
`by the Board to mean “a transmission path that restricts access to data, addresses,
`
`or other information on the path, generally using obfuscation methods to hide
`
`information on the path, including, but not limited to, one or more of
`
`authentication, encryption, or address hopping.” Id. This latter interpretation is
`
`supported by Patent Owner’s own expert, who admitted that techniques such as
`
`“[a]ddress hopping may hide who is talking to whom” and “provide[] some
`
`amount of security,” and that the specification had at best “opposing views” as to
`
`what secure communications means. Deposition of Fabien Newman Monrose,
`
`PhD., IPR2014-00237, Exhibit 1083 at 113:16-114:12, 74:12-14 (Ex. 1055)
`
`(October 23, 2014); but see VirnetX, Inc. v. Cisco Systems, Inc., 767 F.3d 1308,
`
`1319 (Fed. Cir. 2014) (construing “secure communication link” as recited in the
`
`’504 and ’211 patents to require data security and anonymity).
`
`The Board’s prior interpretation is consistent with the ’341 patent
`
`specification, which uses the phrase “secure communications service” in a manner
`
`that indicates the term simply refers to the capacity of two computers to participate
`
`
`
`12
`
`

`

`Petition in IPR2015-00866
`
`in a secure communications link. Ex. 1005 at ¶ 80. For example, the ’341 patent
`
`explains that a first network device “communicate[s] with the second network
`
`device using the virtual private network communications service via the secure
`
`communication link.” Ex. 1001 at 8:24-26, 8:41-43. Therefore, the broadest
`
`reasonable construction of the term “secure communications service” should
`
`encompass “the functional configuration of a network device that enables it to
`
`participate in a secure communications link with another computer or device.”
`
`Ex. 1005 at ¶ 81.
`
`4.
`“indication”
`Each independent claim requires the first network device to receive “an
`
`indication” that the second network device is available for the secure
`
`communications service. The ’341 specification does not define the term
`
`“indication.” In IPR2014-00614 involving the related ’504 patent, the Board
`
`interpreted the term “indication” to mean “something that shows the probable
`
`presence or existence or nature of.” Paper 9 at 12 (Oct. 15, 2014); see also
`
`IPR2014-00615, Paper 9 at 12 (Oct. 15, 2014) (involving the related ’211 patent).
`
`This is consistent with the ’341 specification, which explains that, after a
`
`DNS proxy determines access to a secure site has been requested and forwards the
`
`request to a gatekeeper, the client receives a “resolved” address and is provisioned
`
`information such as “hopblocks” to be used for secure communication with the
`
`
`
`13
`
`

`

`Petition in IPR2015-00866
`
`secure target site. Ex. 1001 at 40:26-44; Ex. 1005 at ¶ 84. In some scenarios, the
`
`DNS proxy may return a “host unknown” error message, such as if the user lacks
`
`appropriate credentials. Ex. 1001 at 40:49-52. Although a web browser may show
`
`an icon indicating a secure connection has been established (id. at 52:17-20), the
`
`’341 specification contains no discussion of a client receiving a message explicitly
`
`confirming that the secure target site is available for secure communications.
`
`Ex. 1005 at ¶ 85. Accordingly, the broadest reasonable interpretation of the term
`
`“indication” should encompass “something that shows the probable presence or
`
`existence or nature of.” Ex. 1005 at ¶ 86.
`
`5.
`“virtual private network communication link”
`Each independent claim requires a “virtual private network communication
`
`link.” The ’341 patent does not provide an explicit definition for “virtual private
`
`network communication link.” In IPR2014-00481 involving the related ’180
`
`patent, the Board interpreted “virtual private network communication link” to
`
`mean “a transmission path between two devices that restricts access to data,
`
`addresses, or other information on the path, generally using obfuscation methods to
`
`hide information on the path, including, but not limited to, one or more of
`
`authentication, encryption, or address hopping.” Paper 11 at 7 (Sept. 3, 2014).
`
`The Board also read the ’180 patent as employing various levels of security in a
`
`VPN that do not require encryption, such as authentication, or information or
`
`
`
`14
`
`

`

`Petition in IPR2015-00866
`
`address hopping. Id.
`
`This is consistent with the ’341 specification, which explains that “software
`
`module 3309 accesses secure server 3320 through VPN communication link 3321”
`
`and the communication link 3321 is shown as only the portion of the path between
`
`computer 3301 and server 3320 that is over network 3302. Ex. 1001 at 52:15-16,
`
`Fig. 33; Ex. 1005 at ¶ 89. Accordingly, the broadest reasonable interpretation of
`
`“virtual private network communication link” is “a transmission path between two
`
`devices that restricts access to data, addresses, or other information on the path,
`
`generally using obfuscation methods to hide information on the path, including,
`
`but not limited to, one or more of authentication, encryption, or address
`
`hopping.” Ex. 1005 at ¶ 90.
`
`6.
`“domain name”
`Each independent claim recites the term “domain name.” The ’341 patent
`
`does not define “domain name.” A “domain name” would be understood by a
`
`person of ordinary skill to be a hierarchical sequence of words in decreasing order
`
`of specificity that corresponds to a numerical IP address. Ex. 1005 at ¶ 91. A
`
`more general description of “domain name” has been advanced by Patent Owner in
`
`other proceedings; namely, “a name corresponding to an IP address.” See, e.g., Ex.
`
`1042 at 14-15. Both definitions are reasonable; thus the broadest reasonable
`
`interpretation of “domain name” is “a name corresponding to an IP address.”
`
`
`
`15
`
`

`

`Petition in IPR2015-00866
`
`Ex. 1005 at ¶ 91.
`
`7.
`“modulation”
`Dependent claims 7, 8, 21 and 22 recite the term “modulation.” The term
`
`“modulation” is not defined in the ’341 patent. In IPR2014-00237 involving the
`
`’697 patent, the Board interpreted “modulation” to include “the process of
`
`encoding data for transmission.” Paper 15 at 14 (May 14, 2014). This is
`
`consistent with the ’341 patent and the understanding of a person of ordinary skill
`
`in the art. Ex. 1005 at ¶¶ 93-94 . For example, the specification explains that
`
`transmission paths may comprise “logically separate paths contained within a
`
`broadband communication medium (e.g., separate channels in an FDM, TDM,
`
`CDMA, or other type of modulated or unmodulated transmission link).” Ex. 1001
`
`at 35:9-15. A person of skill would understand “unmodulated” and “modulated”
`
`to refer to whether data is encoded for transmission over a physical medium by
`
`varying or “modulating” a carrier signal. Ex. 1005 at ¶ 94. Any data transmitted
`
`via a modem (i.e., a “modulator-demodulator” device) is modulated. Id.
`
`Similarly, any data transmitted via a cellular network is modulated. Id.
`
`Accordingly, the broadest reasonable interpretation of “modulation” is “the
`
`process of encoding data for transmission over a medium by varying a carrier
`
`signal.” Ex. 1005 at ¶ 95.
`
`IV. Analysis of the Patentability of the ’341 Patent
`
`
`
`16
`
`

`

`Petition in IPR2015-00866
`
`The ’341 patent has two independent claims (claims 1 and 15), each of
`
`which specifies the same operative steps. See § III.A.2. Claim 15 is
`
`representative, and defines a process for establishing a secure communications
`
`service via a virtual private network communication link between a first network
`
`device and a second network device based on intercepting a request to look up an
`
`IP address of the second network device.
`
`A. Overview of Beser (Ex. 1007)
`Beser (Ex. 1007) was filed on August 27, 1999, and is prior art to the ’341
`
`claims under 35 U.S.C. § 102(e). Ex. 1007 at 1. The operation and features of the
`
`Beser system are explained in greater detail in Ex. 1005 at ¶¶ 312-383.
`
`Beser describes methods and systems for establishing an IP tunneling
`
`association between originating (24) and terminating (26) end devices, with the aid
`
`of a first network device (14), a second network device (16), and a trusted-third-
`
`party network device (30). Ex. 1007 at 2:46-67. Fig. 1 provides an illustrative
`
`embodiment for the invention disclosed in Beser:
`
`
`
`17
`
`

`

`Petition in IPR2015-00866
`
`
`
`Id. at Fig. 1.
`
`Beser explains that the originating and terminating end devices can be
`
`telephony devices (including portable “VoIP devices” and “personal computers
`
`running facsimile or audio applications”) or multimedia devices (such as “Web-TV
`
`sets [], interactive video game players, [and] personal computers running
`
`multimedia applications”). Id. at 4:43-52. The first and second network devices
`
`may be edge routers, “gateway” computers, cable modems, or other network
`
`devices. Id. at 4:7-42. Beser further explains that the trusted-third-party network
`
`device can be “a back-end service, a domain name server, or the owner/manager of
`
`database or directory services.” Id. at 4:9-11. As Beser explains, its system is
`
`
`
`18
`
`

`

`Petition in IPR2015-00866
`
`intended to be integrated into conventional network devices and configurations.
`
`Id. at 4:55-5:2; Ex. 1005 at ¶¶ 320-21, 323.
`
`a)
`
`Request Containing a Unique Identifier
`
`To establish an IP tunneling association in the Beser scheme, the originating
`
`end device sends a request containing a “unique identifier” specifying a destination
`
`(i.e., a terminating end device). Ex. 1007 at 7:63-8:3. This is illustrated in Fig. 6: