UNITED STATES PATENT AND TRADEMARK OFFICE
`
`____________
`
`TCL CORPORATION; TCL COMMUNICATION TECHNOLOGY HOLDINGS
`LTD.; TCT MOBILE LIMITED; TCT MOBILE INC.; and TCT MOBILE (US),
`INC.,
`
`Petitioners,
`
`v.
`
`TELEFONAKTIEBOLAGET LM ERICSSON
`
`Patent Owner.
`____________
`
`IPR2015-01628
`
`Patent 7,149,510
`
`____________
`
`DECLARATION OF SEAD MUFTIC, PH.D.
`
`
`
`
`
`
`
`Ericsson Ex. 2010, Page 1
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`TABLE OF CONTENTS
`
`I.
`
`Qualifications ................................................................................................... 1
`
`II. My Status as an Independent Expert Witness ................................................. 4
`
`III. Materials Considered ....................................................................................... 5
`
`IV. Understanding of the Law ............................................................................... 6
`
`A. A Person Having Ordinary Skill in the Relevant Field During the
`Relevant Timeframe ................................................................................... 6
`
`B. Claim Construction ..................................................................................... 8
`
`C. Anticipation ................................................................................................ 9
`
`D. Obviousness ................................................................................................ 9
`
`V. Description of the Relevant Field aT the Relevant Timeframe .................... 11
`
`VI. The ‘510 Patent .............................................................................................. 13
`
`VII. Prosecution History of the ‘510 Patent .......................................................... 24
`
`VIII. Claim Interpretation ....................................................................................... 24
`
`IX. Discussion of Relevant Prior Art ................................................................... 25
`
`E. Summary of Usui ...................................................................................... 28
`
`1. IT Environment ................................................................................. 28
`
`2. The Problem ...................................................................................... 29
`
`3. Approach/Solution ............................................................................ 30
`
`4. Type of Non-native Applications ..................................................... 31
`
`5. Invocation Mechanism ..................................................................... 31
`
`6. Decision Process ............................................................................... 31
`
`7. Parameters in Access Policies .......................................................... 31
`
`
`
`i
`
`Ericsson Ex. 2010, Page 2
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`8. Summary and Recapitulation of the Ideas from Usui ...................... 32
`
`F. Summary of Gong ...................................................................................... 32
`
`1. IT Environment ................................................................................. 32
`
`2. The Problem ...................................................................................... 35
`
`3. Approach/Solution ............................................................................ 36
`
`4. Type of Non-native Applications ..................................................... 37
`
`5. Invocation Mechanism ..................................................................... 38
`
`6. Decision Process ............................................................................... 40
`
`7. Parameters in Access Policies .......................................................... 40
`
`8. Summary and Recapitulation of the Ideas from Gong ..................... 41
`
`G. Summary of Ramamurthy ........................................................................ 42
`
`1. IT Environment ................................................................................. 43
`
`2. The Problem ...................................................................................... 44
`
`3. Approach/Solution ............................................................................ 45
`
`4. Type of Non-native Applications ..................................................... 46
`
`5. Invocation Mechanism ..................................................................... 46
`
`6. Decision Process ............................................................................... 47
`
`7. Parameters in Access Policies .......................................................... 48
`
`8. Summary and Recapitulation of the Ideas from Ramamurthy ......... 48
`
`H. Summary of Spencer ................................................................................ 50
`
`1. IT Environment ................................................................................. 50
`
`2. The Problem ...................................................................................... 51
`
`3. Approach/Solution ............................................................................ 52
`
`
`
`ii
`
`Ericsson Ex. 2010, Page 3
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`4. Type of Non-native Applications ..................................................... 53
`
`5. Invocation Mechanism ..................................................................... 54
`
`6. Decision Process ............................................................................... 55
`
`7. Parameters in Access Policies .......................................................... 55
`
`8. Summary and Recapitulation of the Ideas from Spencer ................. 56
`
`X. Hypothetical Attempted Derivations of Solutions by a Person of
`Ordinary Skill in the Art Based on Usui, Gong and Spencer ........................ 57
`
`A. The Process of A Person of Ordinary Skill .............................................. 57
`
`B. Summary of the Problem .......................................................................... 57
`
`C. Hypothetical Attempted Solution Based on Ideas from Usui .................. 58
`
`D. Hypothetical Attempted Solution Based on Ideas from Gong ................. 60
`
`E. Hypothetical Attempted Solution Based on Ideas from Ramamurthy ..... 65
`
`F. Hypothetical Attempted Solution Based on Ideas from Spencer .............. 66
`
`G. Hypothetical Attempted Solution Based on Combined Ideas
`From Usui, Gong, Ramamurthy, and Spencer ......................................... 69
`
`XI. General Comments on Differences Between the ‘510 Patent and
`the Prior Art ................................................................................................... 71
`
`XII. Patentability of the Challenged ‘510 Claims ................................................. 79
`
`A. Claim 11 Is Not Obvious Over Usui, Gong, and Ramamurthy ............... 79
`
`1. A Person of Ordinary Skill Would Not Have Been Motivated
`to Combine Usui, Gong, and Ramamurthy ...................................... 81
`
`1. Usui Does Not Disclose a “Software Services Component” ........... 92
`
`2. Usui’s “Access Controller” Does Not “Control Access to the
`Software Services Component” ........................................................ 93
`
`3. Gong Does Not Disclose a “Decision Entity” .................................. 96
`
`
`
`iii
`
`Ericsson Ex. 2010, Page 4
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`4. Ramamurthy Does Not Disclose an Interception Module
`that Includes a Cache With the Rules and Policies of the
`Decision Entity ................................................................................. 98
`
`B. Claim 11 Is Not Obvious Over Usui, Gong, Ramamurthy, and
`Spencer ...................................................................................................101
`
`XIII. Additional Comments on Dr. Malek’s Declaration .....................................102
`
`XIV. Conclusions ..................................................................................................149
`
`XIV. Availability for Cross-Examination ............................................................153
`
`XV. Right to Supplement ....................................................................................154
`
`XVI. Jurat ..............................................................................................................154
`
`
`
`iv
`
`Ericsson Ex. 2010, Page 5
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`I, Sead Muftic, Ph.D., declare as follows:
`
`I.
`
`QUALIFICATIONS
`1. My name is Sead Muftic. I have M.Sc. and Ph.D. degrees in the
`
`general area of IT security, with specialization in the area of cyber security. I have
`
`been actively working in this area for over 40 years and I am considered to be one
`
`of the world’s experts in the area of cyber security.
`
`2.
`
`I started my cyber security career in September 1973 when I enrolled
`
`into the M.Sc. program, and later continued with my Ph.D. studies, in the
`
`Department of Computer and Information Systems at the Ohio State University
`
`(Columbus, Ohio). I received my M.Sc. degree in December 1974 (after four
`
`quarters of studies) and subsequently I received my Ph.D. degree in June 1976
`
`(after an additional six quarters of studies). The title of my Ph.D. dissertation is
`
`“Design and Operations of the Secure Computer System.”
`
`3.
`
`Since receiving my Ph.D. degree in 1976, I have continued to work in
`
`the area of cyber security until today. Therefore, my professional career in the area
`
`of cyber security spans over 40 years.
`
`4.
`
`In these 40 years, I have been involved in three types of activities in
`
`the area of Internet and cyber security:
`
`5.
`
`Education and Research: I have been a full professor of computer
`
`security at four universities. Starting in 1978, I was associate professor at the
`
`
`
`1
`
`Ericsson Ex. 2010, Page 6
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`University of Sarajevo (Bosnia and Herzegovina). In 1990, I transferred to
`
`Stockholm University (Stockholm, Sweden) where I was elected as full professor
`
`of computer and Internet security. In 2004, I transferred to the Royal Institute of
`
`Technology – KTH (Stockholm, Sweden), again as the full / tenured professor.
`
`And finally, in the period of 2000 – 2006, I was a guest professor at The George
`
`Washington University – GWU (Washington, DC, USA). During my academic
`
`career of 38 years in Computer and Internet Security, I have taught advanced
`
`(M.Sc. and Ph.D.) courses, advising many M.Sc. and Ph.D. students and
`
`performing advanced research, resulting in many M.Sc. and Ph.D. dissertations and
`
`research publications in the area of Computer and Information Security. The
`
`details of all my courses, M.Sc. and Ph.D. theses, and research publications are
`
`given in Appendix A – Resume and Bibliography. I have published many research
`
`papers, project reports and three books by international publishers.
`
`6.
`
`Besides these four universities, I have often been invited in different
`
`roles to many other international universities, such as University College Dublin
`
`(Dublin, Ireland), University of Trento (Trento, Italy), University of Pireus
`
`(Athens, Greece), and Colombo University (Colombo, Sri Lanka).
`
`7.
`
`International Expertise and Consulting: My second type of
`
`professional activities in the area of Computer and Internet Security, which I
`
`pursued in parallel with my teaching activities, were my consulting, expertise and
`
`
`
`2
`
`Ericsson Ex. 2010, Page 7
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`project management activities. I have been actively involved in such activities for
`
`over 30 years.
`
`8.
`
`I have been engaged as an international expert and consultant by
`
`many international agencies and bodies, coordinating advanced research and
`
`development projects. I was engaged for many years by the EU as director of
`
`projects, coordinator of various promotion activities, evaluator of project
`
`proposals, and adviser to the EC/JRC. I was engaged by SIDA (Swedish
`
`International Development Agency) to coordinate a project in Sri Lanka, I was
`
`engaged by the IADB (Inter American Development Bank) to coordinate a project
`
`in Peru, I was consultant to the World Bank for their PKI project, and I was
`
`engaged in many U.S. government projects, cooperating with NIST, GSA, and
`
`several agencies of the U.S. federal government.
`
`9.
`
`Commercial Development / Deployment Activities: Since 1990,
`
`when I established my first commercial company in the area of computer security
`
`(Computer Security Technologies AB) in Sweden, I have been continuously and
`
`actively involved in the creation, distribution, and deployment of commercial
`
`products in the area of Computer and Internet Security. After COST AB in
`
`Sweden, I raised investment and incorporated my second company – Entegrity
`
`Solutions Corporation in Silicon Valley. After Entegrity, I created SETECS AB – a
`
`Swedish Company, which was later transferred to the USA as the still active
`
`
`
`3
`
`Ericsson Ex. 2010, Page 8
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`company SETECS, Inc. (based in Maryland). With all my companies, I have been
`
`actively involved in the commercial distribution of our security products. These
`
`products are very advanced and unique on the market, as our products are officially
`
`validated and certified by the U.S. government. We have NIST certificates, GSA
`
`approval, and validation for the U.S. government FedRAMP cloud security
`
`program.
`
`10. All my educational, research, consulting and commercial activities are
`
`strictly focused on the area of computer and Internet security and with all these
`
`activities, results, references and achievements, I feel that I am competent to
`
`provide this expert declaration about the issues in this matter.
`
`11. A copy of my latest CV is attached to this declaration as Appendix A.
`
`II. MY STATUS AS AN INDEPENDENT EXPERT WITNESS
`12.
`I have done no work (indirectly or directly) for either Petitioners or
`
`Patent Owner until Oblon hired me as an expert witness to work with it on this
`
`IPR.
`
`13.
`
`I am aware that the named inventors on U.S. Patent No. 7,149,510
`
`(“the ‘510 patent”) are Jonas Hansson and Björn Bjäre. I do not recognize these
`
`individuals’ names, and I believe that I have never met them.
`
`14.
`
`I have no financial interest in either Petitioners or Patent Owner.
`
`
`
`4
`
`Ericsson Ex. 2010, Page 9
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`15. Oblon hired me through an expert witness provider named Cahn
`
`Litigation Services (“Cahn”). Cahn is being compensated at the rate of $725/hr for
`
`my time in connection with this IPR proceeding. Cahn in turn pays me at the rate
`
`of $ 600/hr.
`
`III. MATERIALS CONSIDERED
`16.
`In forming my opinions expressed herein, I considered the following
`
`items, in addition to my own personal knowledge and experience:
`
`• The ‘510 patent and its prosecution history (Exhibits 1001 and
`
`1002);
`
`• The Petition filed by TCL and all exhibits cited therein, with
`
`particular focus on several listed below;
`
`• Kazutoshi Usui et al., Design and Implementation of Java
`
`Application Environment and Software Platform for Mobile
`
`Phones, 42 NEC Res. & Dev. 379 (“Usui”) (Exhibit 1010);
`
`• United States Patent No. 6,125,447 to Gong (“Gong”) (Exhibit
`
`1011);
`
`• United States Patent No. 7,080,077 to Ramamurthy
`
`(“Ramamurthy”) (Exhibit 1401);
`
`
`
`5
`
`Ericsson Ex. 2010, Page 10
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`• Ray Spencer et al., The Flask Security Architecture: System
`
`Support for Diverse Security Policies, Proceedings of the 8th
`
`USENIX Security Symposium (“Spencer”) (Exhibit 1019);
`
`• Nygard, “A Brief Look at Java 2 Micro Edition” (Exhibit
`
`2004);
`
`• Topley, “J2ME in a Nutshell” (Exhibit 2005);
`
`• SATSA: Security and Trust Services APIs for J2ME (JSR 177)
`
`(Exhibit 2007); and
`
`• 3GPP TS 22.057 document (Exhibit 2008).
`
`IV. UNDERSTANDING OF THE LAW
`17. For the purposes of this declaration, I have been informed about
`
`certain aspects of patent law that are relevant to my analysis and opinions, as set
`
`forth in this section of my declaration.
`
`A. A Person Having Ordinary Skill in the Relevant Field During the
`Relevant Timeframe
`18. Counsel has informed me that the disclosures of patents and prior art
`
`references are to be viewed from the perspective of a mythical person of ordinary
`
`skill in the relevant field (sometimes by lawyers referred to as “the relevant art”) at
`
`the relevant timeframe (a “POSITA”). Counsel has informed me that, for purposes
`
`of this IPR proceeding, I should interpret the term POSITA as referring to a
`
`mythical person to whom an expert in the relevant field could have assigned a
`6
`
`
`
`Ericsson Ex. 2010, Page 11
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`routine task with reasonable confidence that the task would be successfully carried
`
`out.
`
`19.
`
`I have been asked to provide my opinion regarding the “level of
`
`ordinary skill in the art” at the time of the invention, which I have been told is on
`
`or before September 23, 2002.
`
`20.
`
`I understand that the hypothetical POSITA is considered to have the
`
`normal skills and knowledge of a person in a certain technical field. I understand
`
`that factors that may be considered in determining the level of ordinary skill in the
`
`art include: (1) the education level of the inventor; (2) the types of problems
`
`encountered in the art; (3) the prior art solutions to those problems; (4) rapidity
`
`with which innovations are made; (5) the sophistication of the technology; and (6)
`
`the education level of active workers in the field. I also understand that “the
`
`person of ordinary skill” is a hypothetical person who is presumed to be aware of
`
`the universe of available prior art.
`
`21.
`
`I also understand the level of ordinary skill in the art can be evidenced
`
`by the prior art. Accordingly, I have also considered the prior art discussed herein
`
`in determining the level of ordinary skill in the art.
`
`22.
`
`In determining whom a POSITA would be, I considered the ‘510
`
`patent, the types of problems encountered in the relevant field, the prior art
`
`solutions to those problems, and the educational level of workers active in the
`
`
`
`7
`
`Ericsson Ex. 2010, Page 12
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`field. Based on these factors, I have concluded that a POSITA during the relevant
`
`timeframe would probably have had a Bachelor’s degree in computer science, with
`
`at least two years’ experience in the field of software security.
`
`23. Based on my experience, I have an understanding of the capabilities
`
`of a POSITA in the relevant field. I have supervised and directed many such
`
`persons over the course of my career. Further, I, myself, had at least those
`
`capabilities at the time the ‘510 patent was effectively filed. Indeed, given my
`
`education and extensive industry experience, I exceed the education and work
`
`experience levels of a POSITA, but I nonetheless provide my opinions herein from
`
`the viewpoint of a POSITA unless I state otherwise.
`
`B. Claim Construction
`24.
`I understand that “claim construction” is the process of determining a
`
`patent claim’s meaning. I also have been informed and understand that the proper
`
`construction of a claim term is the meaning that a POSITA would have given to
`
`that term during the relevant timeframe.
`
`25.
`
`I understand that claims in IPR proceedings are to be given their
`
`broadest reasonable interpretation in light of the specification, which is what I have
`
`done when performing my analysis in this declaration.
`
`
`
`8
`
`Ericsson Ex. 2010, Page 13
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`26. Counsel has also explained to me what the terms “claim” and
`
`“specification” mean in this context. While I am not a patent lawyer, I believe that
`
`I have a reasonable grasp of those concepts.
`
`C. Anticipation
`27.
`I understand that a patent claim is unpatentable as anticipated if a
`
`POSITA during the relevant timeframe would have understood a single prior art
`
`reference to teach every limitation contained in the claim. The disclosure in a
`
`reference does not have to be in the same words as the claim, but all of the
`
`requirements of the claim must be described in enough detail, or necessarily
`
`implied by or inherent in the reference, to enable a POSITA looking at the
`
`reference to make and use at least one embodiment of the claimed invention.
`
`D. Obviousness
`28.
`I understand that a patent claim is unpatentable as obvious if subject
`
`matter within the definition provided by the claim would have been obvious to a
`
`POSITA as of the time of the invention at issue. I understand that the following
`
`factors must be evaluated to determine whether the claimed subject matter was
`
`obvious: (1) the scope and content of the prior art; (2) the difference or differences,
`
`if any, between the subject matter defined by the claim of the patent under
`
`consideration and what is disclosed in the prior art; (3) the level of ordinary skill in
`
`
`
`9
`
`Ericsson Ex. 2010, Page 14
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`the relevant field at the time of the patent’s earliest priority date or, possibly, at an
`
`earlier time; and (4) so-called “objective evidence of non-obviousness.”
`
`29. Counsel has informed me that prior art references can be combined to
`
`support a finding that a claim is unpatentable for obviousness when there was an
`
`apparent reason for one of ordinary skill in the art, at the time of the invention, to
`
`combine the references and that such apparent reasons include, but are not limited
`
`to: (A) identifying a teaching, suggestion, or motivation to combine prior art
`
`references; (B) combining prior art methods according to known methods to yield
`
`predictable results; (C) substituting one known element for another to obtain
`
`predictable results; (D) using a known technique to improve a similar device in the
`
`same way; (E) applying a known technique to a known device ready for
`
`improvement to yield predictable results; (F) trying a small number of identified,
`
`predictable potential solutions, with a reasonable expectation of success; and (G)
`
`identifying that known work in one field of endeavor may prompt variations of it
`
`for use in either the same field or a different one based on design incentives or
`
`other market forces if the variations are predictable to one of ordinary skill in the
`
`relevant field.
`
`30. Moreover, I have been informed by counsel that so-called “objective
`
`indicia of non-obviousness” (also known as “secondary considerations”) like the
`
`following can be considered when assessing obviousness: (1) commercial success;
`
`
`
`10
`
`Ericsson Ex. 2010, Page 15
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`(2) long-felt but unresolved needs; (3) copying of the invention by others in the
`
`field; (4) initial expressions of disbelief by experts in the field; (5) failure of others
`
`to solve the problem that the inventor solved; and (6) unexpected results. I also
`
`understand that evidence of objective indicia of non-obviousness must be
`
`commensurate in scope with the claimed subject matter.
`
`V. DESCRIPTION OF THE RELEVANT FIELD AT THE RELEVANT
`TIMEFRAME
`31.
`
`I have carefully reviewed the ‘510 patent and the relevant materials
`
`listed above.
`
`32. Based on my review of these materials, I believe that the relevant field
`
`for purposes of the ‘510 patent is software security. I have been informed that the
`
`relevant timeframe is on or before September 23, 2002.
`
`33. As described above and as shown in my CV, I have extensive
`
`experience in the field of software security. Based on my experience, education,
`
`and training (both academic and professional), I am well versed in the relevant
`
`field in the relevant timeframe.
`
`34.
`
`I would like to emphasize that with my previous educational, research
`
`and development activities I have been actively and creatively involved in all of
`
`the specific areas addressed by Usui, Gong, Ramamurthy, and Spencer.
`
`35. For the last 25 years at the Royal Institute of Technology, GWU, and
`
`other universities, I have taught the following four M.Sc. level courses:
`
`
`
`11
`
`Ericsson Ex. 2010, Page 16
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`• Introduction to Computer Security;
`
`• Security for Java and e-Commerce Environments;
`
`• Security for Mobile and Wireless Networks; and
`
`• Advanced Aspects of Security in Open Distributed (ODP) Systems.
`
`36.
`
`I have covered basic concepts of access control in the Introduction
`
`course. In the Java and e-Commerce Security course I have covered all aspects of
`
`Java Security. In the course entitled Security for Mobile and Wireless Networks I
`
`have covered much more advanced aspects then those just briefly mentioned in the
`
`patent of Ramamurthy. The general area of Ramamurthy’s patent is a system for
`
`the protection of Web applications, which is something that I covered in my
`
`“Advanced Aspects” course. And finally, in the Advanced Security course I have
`
`covered OS security based on the concept of Security–Enhanced Linux, which is
`
`the overall project whose partial results have been described in the Spencer paper.
`
`Therefore, through my teaching activities (among other things), I have developed a
`
`deep and thorough knowledge and full understanding of all underlying issues,
`
`ideas, and solutions proposed in the four prior art documents.
`
`37.
`
`I was involved with several dissertations pursued in the same period
`
`when Ericsson’s ‘510 patent was filed, but none of them addressed the issues of
`
`access control on mobile devices. The reason is that, at that time, such issues
`
`required very sophisticated solutions, which were very complicated and very
`
`
`
`12
`
`Ericsson Ex. 2010, Page 17
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`dependent on knowledge and expertise regarding mobile communication platforms
`
`which, at that time, only telecom companies possessed. It is important to
`
`emphasize that, contrary to today’s mobile technologies and platforms, which are
`
`very open (iOS, iPhone Development Platform, Android Studio, etc.), at the time
`
`of Ericsson’s ‘510 patent mobile platforms were closed, proprietary to their
`
`vendors, and very specific. The information about technical features and properties
`
`of these platforms were industrial secrets, not publicly available. Knowledge of,
`
`for instance, the Nokia mobile platform, did not help at all to understand the
`
`Motorola platform or the BlackBerry platform. This means that innovations in
`
`those days needed advanced technical knowledge, proprietary information, and
`
`specific expertise that was only available within the teams of individual telecom
`
`equipment vendors, such as Ericsson.
`
`VI. THE ‘510 PATENT
`38. The ‘510 patent disclosed a revolutionary new invention in the field of
`
`software security. The patent addresses the problem of controlling access to the
`
`resources of a “mobile platform” by so-called non–native applications. It is
`
`important to emphasize that the ‘510 patent does not disclose as new and
`
`innovative the general idea of access control as a security service. Nor are its
`
`essential contributions its layered system structure or its modes of operation. The
`
`
`
`13
`
`Ericsson Ex. 2010, Page 18
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`problem addressed by the ‘510 patent was specific to mobile platforms and
`
`applications executed in them.
`
`39. The first important distinction between the mobile applications
`
`considered by the ‘510 patent, compared with applications executed in other IT
`
`environments, described in Gong and Spencer for example, was that these
`
`applications were non–native. To clarify, at the time of the filing, mobile
`
`platforms were closed platforms whose technical details were known only to
`
`platform and device vendors. Therefore, as is well known, at that time all
`
`applications and functions available for use in mobile phones were created by
`
`technology and device vendors. But, the trend was that such applications should be
`
`written by users and/or third parties in some circumstances and loaded into mobile
`
`devices after they were manufactured by their vendors. So, the challenging issue at
`
`that time was how to provide and enforce security (access control) of the
`
`underlying mobile platform against such applications.
`
`40. The issues were that, (1) at that time, mobile devices and platforms
`
`were vendor–specific, with fixed functionality of their mobile platforms (usually
`
`embedded in the SIM chip) so it was not known at that time how to provide
`
`security for different types of non–native applications; and (2) the authors and
`
`sources of such add–on applications, and their trust, qualifications, and roles, were
`
`not known during execution of non–native applications. Importantly, these issues
`
`
`
`14
`
`Ericsson Ex. 2010, Page 19
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`were not relevant for applications developed for the non-mobile environments
`
`considered by Usui and Gong.
`
`41. These two issues indicate that concepts, ideas and solutions suggested
`
`by the Petitioners’ proffered prior art could not have been used, directly or
`
`indirectly, as sources of ideas to arrive at the invention of Ericsson’s ‘510 patent.
`
`The reason is that the platforms that these prior art documents use and describe are
`
`completely different in their nature than mobile platforms of that time. They were
`
`open and all their features were known to application developers. Java—addressed
`
`in different forms in Usui and Gong—was an open platform. This means again that
`
`all applications that Usui and Gong consider as potential security threats are also
`
`native applications, relative to the platform. Spencer describes security of the
`
`UNIX / Linux platform, whose features and properties were known to developers,
`
`so applications for that platform are also native applications, regardless of who
`
`their authors are.
`
`42. Therefore, one of the very important and significant distinctions
`
`between the solutions from the ‘510 patent and solutions from all of Petitioners’
`
`proffered prior art documents is that Ericsson’s ‘510 patent solved the issues of
`
`access control for non–native applications, while the prior art documents only
`
`address the issues of security for native applications. For mobile environments, the
`
`characteristics, features, and components of the platform were not known to
`
`
`
`15
`
`Ericsson Ex. 2010, Page 20
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`application developers. Conversely, the skills and expertise of the application
`
`developers were not known to platform developers. In the case of platforms
`
`described by Usui and Gong (that is, Java) and Spencer (UNIX/Linux) everything
`
`was known in advance.
`
`43. The difference between the two approaches is significant. Security
`
`solutions that can be applied to well-known, native applications, with standard,
`
`open platforms are not even close to solutions required for closed, vendor-specific
`
`platforms.
`
`44. Some of the reasons for this are:
`
`• Mobile devices (especially those that were in use at the time when the
`
`‘510 patent was filed) had very limited resources and capabilities, so
`
`that solutions from servers (e.g., Gong and Spencer) could not be
`
`directly applied;
`
`• Mobile devices also had very limited functionalities, which
`
`prevented direct application of solutions from the prior art into the
`
`mobile environment. An example is Java 2 Micro Edition (J2ME).
`
`For instance, it is well–known that J2ME does not support any
`
`security within the Platform. In particular, it does not have a Secure
`
`Class Loader, which is required to activate a Security Manager and
`
`Access Controller, and it furthermore does not even have a Security
`
`
`
`16
`
`Ericsson Ex. 2010, Page 21
`TCL et al. v Ericsson
`IPR2015-01605
`
`

`
`Manager and/or Access Controller. This shows that ideas and
`
`suggestions from Usui could not have been used as a source of ideas
`
`for attempting to arrive at the invention of Ericsson’s ‘510 patent;
`
`• Security for J2ME (the mobile Java platform) is specified in Sun’s
`
`(now Oracle’s) specifications called SATSA: Security and Trust
`
`Services APIs for J2ME (JSR 177) (Ex. 2007). These specifications
`
`clearly indicate that J2ME does not have any security components of
`
`its own and SATSA simply specified the approach of using external
`
`components, namely Smart Cards. The