UNITED STATES PATENT AND TRADEMARK OFFICE
________________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
________________

APPLE INC.,
Petitioner,

v.

UNIVERSAL SECURE REGISTRY LLC,
Patent Owner
________________

Case IPR2018-00812
U.S. Patent No. 8,856,539
________________

PATENT OWNER’S EXHIBIT 2107
DECLARATION OF MARKUS JAKOBSSON
IN SUPPORT OF PATENT OWNER’S
CONDITIONAL MOTION TO AMEND

USR Exhibit 2107

1. I have been retained on behalf of Universal Secure Registry LLC (“Patent Owner”) in connection with the above-captioned inter partes review (IPR). I have been retained to provide my opinions in support of USR’s Conditional Motion to Amend. I am being compensated for my time at the rate of $625 per hour. I have no interest in the outcome of this proceeding.

2. In preparing this declaration, I have reviewed and am familiar with the Petition for IPR2018-00812, U.S. Patent No. 8,856,539 (hereinafter “’539 patent”), and its file history, and all other materials cited and discussed in the Petition (including all prior art references cited therein) and all other materials cited and discussed in this Declaration.

3. The statements made herein are based on my own knowledge and opinion. This Declaration represents only the opinions I have formed to date. I may consider additional documents as they become available or other documents that are necessary to form my opinions. I reserve the right to revise, supplement, or amend my opinions based on new information and on my continuing analysis.

I. QUALIFICATIONS

4. My qualifications can be found in my Curriculum Vitae, which includes my detailed employment background, professional experience, and list of technical publications and patents. Ex. 2102.

5. I am currently the Chief of Security and Data Analytics at Amber Solutions, Inc., a cybersecurity company that develops home and office automation technology. At Amber, my research studies and addresses abuse, including social engineering, malware and privacy intrusions. My work primarily involves identifying risks, developing protocols and user experiences, and evaluating the security of proposed approaches.

6. I received a Master of Science degree in Computer Engineering from the Lund Institute of Technology in Sweden in 1993, a Master of Science degree in Computer Science from the University of California at San Diego in 1994, and a Ph.D. in Computer Science from the University of California at San Diego in 1997, specializing in Cryptography. During and after my Ph.D. studies, I was also a Researcher at the San Diego Supercomputer Center, where I did research on authentication and privacy.

7. From 1997 to 2001, I was a Member of Technical Staff at Bell Labs, where I did research on authentication, privacy, multi-party computation, contract exchange, digital commerce including crypto payments, and fraud detection and prevention. From 2001 to 2004, I was a Principal Research Scientist at RSA Labs, where I worked on predicting future fraud scenarios in commerce and authentication and developed solutions to those problems. During that time I predicted the rise of what later became known as phishing. I was also an Adjunct Associate Professor in the Computer Science department at New York University from 2002 to 2004, where I taught cryptographic protocols.

8. From 2004 to 2016, I held a faculty position at the Indiana University at Bloomington, first as an Associate Professor of Computer Science, Associate Professor of Informatics, Associate Professor of Cognitive Science, and Associate Director of the Center for Applied Cybersecurity Research (CACR) from 2004 to 2008; and then as an Adjunct Associate Professor from 2008 to 2016. I was the most senior security researcher at Indiana University, where I built a research group focused on online fraud and countermeasures, resulting in over 50 publications and two books.

9. While a professor at Indiana University, I was also employed by Xerox PARC, PayPal, and Qualcomm to provide thought leadership to their security groups. I was a Principal Scientist at Xerox PARC from 2008 to 2010, a Director and Principal Scientist of Consumer Security at PayPal from 2010 to 2013, a Senior Director at Qualcomm from 2013 to 2015, and Chief Scientist at Agari from 2016 to 2018. Agari is a cybersecurity company that develops and commercializes technology to protect enterprises, their partners and customers from advanced email phishing attacks. At Agari, my research studied and addressed trends in online fraud, especially as related to email, including problems such as Business Email Compromise, Ransomware, and other abuses based on social engineering and identity deception. My work primarily involved identifying trends in fraud and computing before they affected the market, and developing and testing countermeasures, including technological countermeasures, user interaction and education.

10. I have founded or co-founded several successful computer security companies. In 2005 I founded RavenWhite Security, a provider of authentication solutions, and I am currently its Chief Technical Officer. In 2007 I founded Extricatus, one of the first companies to address consumer security education. In 2009 I founded FatSkunk, a provider of mobile malware detection software; I served as Chief Technical Officer of FatSkunk from 2009 to 2013, when FatSkunk was acquired by Qualcomm and I became a Qualcomm employee. In 2013 I founded ZapFraud, a provider of anti-scam technology addressing Business Email Compromise, and I am currently its Chief Technical Officer. In 2014 I founded RightQuestion, a security consulting company.

11. I have additionally served as a member of the fraud advisory board at LifeLock (an identity theft protection company); a member of the technical advisory board at CellFony (a mobile security company); a member of the technical advisory board at PopGiro (a user reputation company); a member of the technical advisory board at MobiSocial dba Omlet (a social networking company); and a member of the technical advisory board at Stealth Security (an anti-fraud company). I have provided anti-fraud consulting to KommuneData (a Danish government entity), J.P. Morgan Chase, PayPal, Boku, and Western Union.

12. I have authored five books and over 100 peer-reviewed publications, and have been a named inventor on over 100 patents and patent applications.

13. My work has included research in the area of applied security, privacy, cryptographic protocols, authentication, malware, social engineering, usability and fraud.

II. LEGAL UNDERSTANDING

A. The Person of Ordinary Skill in the Art

14. I understand that a person of ordinary skill in the relevant art (also referred to herein as “POSITA”) is presumed to be aware of all pertinent art, thinks along conventional wisdom in the art, and is a person of ordinary creativity—not an automaton.

15. I have been asked to consider the level of ordinary skill in the field that someone would have had at the time the claimed invention was made. In deciding the level of ordinary skill, I considered the following:

• the levels of education and experience of persons working in the field;
• the types of problems encountered in the field; and
• the sophistication of the technology.

16. A person of ordinary skill in the art relevant to the ’539 patent at the time of the invention would have a Bachelor of Science degree in electrical engineering and/or computer science, and three years of work or research experience in the fields of secure transactions and encryption, or a Master’s degree in electrical engineering and/or computer science and two years of work or research experience in related fields.

17. I am well-qualified to determine the level of ordinary skill in the art and am personally familiar with the technology of the ’539 patent. I was a person of at least ordinary skill in the art at the time of the priority date of the ’539 patent in 2001. Regardless if I do not explicitly state that my statements below are based on this timeframe, all of my statements are to be understood as a POSITA would have understood something as of the priority date of the ’539 patent.

B. Legal Principles

18. I am not a lawyer and will not provide any legal opinions.

19. Though I am not a lawyer, I have been advised that certain legal standards are to be applied by technical experts in forming opinions regarding the meaning and validity of patent claims.

20. I have been informed and understand that if the Board should accept Petitioner’s arguments and cancel any of the original issued claims of the ’539 patent, Patent Owner has made a conditional motion to amend to substitute the canceled claim(s) with corresponding proposed amended claims 39-47, as set forth in Section III below.

21. I have been informed and understand that to permit the proposed substitute claims to be entered, Patent Owner must show, among other things, that the substitute claims are supported by the written description of the original disclosure of the patent, as well as any patent application to which the claim seeks the benefit of priority in this proceeding.

22. I have been informed by counsel and understand that to satisfy the written description requirement, the substitute claims must be disclosed in sufficient detail such that one skilled in the art can reasonably conclude that the inventor had possession of the claimed invention as of the filing date sought. I understand that the Patent Owner can show possession of the claimed invention by pointing to such descriptive means as words, structures, figures, diagrams, and formulas that fully set forth the claimed invention.

23. I have been informed by counsel and understand that incorporation by reference is a method by which material from one or more documents may be integrated into a host document. I understand that material incorporated by reference is considered part of the written description of the patent that can be used to show possession of the claimed invention.

24. I have been informed by counsel and understand that to permit the proposed substitute claims to be entered, Patent Owner must show, among other things, that the substitute claims do not introduce new subject matter.

25. I understand that new matter is any addition to the claims without support in the original disclosure.

26. I have been informed by counsel and understand that to permit the proposed substitute claims to be entered, Patent Owner must show, among other things, the substitute claims do not broaden the scope of the original claims.

27. I understand that claims in dependent form are construed to include all the limitations of the claim incorporated by reference into the dependent claim and further limit the claim incorporated by reference.

28. It has been explained to me by counsel for the Patent Owner that in proceedings before the USPTO, the claims of an unexpired patent are to be given their broadest reasonable interpretation in view of the specification from the perspective of one having ordinary skill in the relevant art at the time of the invention. I have considered each of the claim terms using the broadest reasonable interpretation standard.

III. SUBSTITUTE CLAIMS 39-47

29. My understanding is that proposed substitute claims 39-47 read as follows, wherein underlining (additions) and strike-through text and double brackets (deletions) show the Patent Owner’s proposed modifications to the original claim being made in the corresponding substitute claim:

Claim 39. (Proposed Substitute for Claim 1) A secure registry system for providing information to a provider to enable transactions between the provider and entities with secure data stored in the secure registry system, the secure registry system comprising:
a database including secure data for each entity, wherein each entity is associated with a time-varying multicharacter code for each entity having secure data in the secure registry system, respectively, each time-varying multicharacter code representing an identity of one of the respective entities; and
a processor configured to
receive from the provider a transaction request including at least the time-varying multicharacter code for the entity on whose behalf a transaction is to be performed and an indication of the provider requesting the transaction, [[to]]the transaction request including a time value representative of when the time-varying multicharacter code was generated;
extract the time value from the transaction request;
map the time-varying multicharacter code to the identity of the entity using the time-varying multicharacter code;[[, to]]
validate an identity of the provider and then execute a restriction mechanism to determine compliance with any access restrictions for the provider to secure data of the entity for completing the transaction based at least in part on the indication of the provider and the time-varying multicharacter code of the transaction request; and[[, and to]]
allow or not allow access to the secure data associated with the entity including information required to enable the transaction based on the determined compliance with any access restrictions for the provider, the information including account identifying information, wherein the account identifying information is not provided to the provider and the account identifying information is provided to a third party to enable or deny the transaction with the provider without providing the account identifying information to the provider; and
wherein the identity of the entity is verified using a biometric.

Claim 40. (Proposed Substitute for Claim 2) The system of claim 39[[1]], wherein the time-varying multicharacter code is provided to the system via a secure electronic transmission device.

Claim 41. (Proposed Substitute for Claim 3) The system of claim 39[[1]], wherein the time-varying multicharacter code is encrypted and transmitted to the system, and wherein the system is configured to decrypt the time-varying multicharacter code with a public key of the entity.

Claim 42. (Proposed Substitute for Claim 16) The system of claim 39[[1]], wherein the account identifying information includes an account number.

Claim 43. (Proposed Substitute for Claim 21) The system of claim 39[[1]], wherein the identity of the entity is unknown until the time-varying code is mapped to the identity by the processor.

Claim 44. (Proposed Substitute for Claim 22) A method for providing information to a provider to enable transactions between the provider and entities who have secure data stored in a secure registry in which each entity is identified by a time-varying multicharacter code, the method comprising:
receiving from the provider a transaction request including at least the time-varying multicharacter code for an entity on whose behalf a transaction is to take place and an indication of the provider requesting the transaction, an identity of the entity on whose behalf the transaction is to take place having been verified using a biometric of the entity;
mapping the time-varying multicharacter code to an identity of the entity using the time-varying multicharacter code;
validating an identity of the provider;
after validating the identity of the provider, determining compliance with any access restrictions for the provider to secure data of the entity for completing the transaction based at least in part on the indication of the provider and the time-varying multicharacter code of the transaction request;
accessing information of the entity required to perform the transaction based on the determined compliance with any access restrictions for the provider, the information including account identifying information;
providing the account identifying information to a third party without providing the account identifying information to the provider to enable or deny the transaction, the third party being a different entity from the secure registry; and
enabling or denying the provider to perform the transaction without the provider's knowledge of the account identifying information.

Claim 45. (Proposed Substitute for Claim 23) The method of claim 44[[22]], wherein the act of receiving the time-varying multicharacter code comprises receiving the time-varying multicharacter code transmitted via a secure electronic transmission device.

Claim 46. (Proposed Substitute for Claim 24) The method of claim 44[[22]], wherein the act of receiving the time-varying multicharacter code comprises receiving an encrypted multicharacter code, and wherein the method further comprises decrypting the encrypted multicharacter code, and wherein the transaction request includes a time value representative of when the time-varying multicharacter code was generated, and the method further comprises:
extracting the time value from the transaction request.

Claim 47. (Proposed Substitute for Claim 38) A secure registry system for providing information to a provider to enable transactions between the provider and entities with secure data stored in the secure registry system, the secure registry system comprising:
a database including secure data for each entity, wherein each entity is associated with a time-varying multicharacter code for each entity having secure data in the secure registry system, respectively, each time-varying multicharacter code representing an identity of one of the respective entities; and
a processor configured to:
receive from the provider the time-varying multicharacter code for the entity on whose behalf a transaction is to be performed, the entity having had its identity verified using a biometric;, configured to
map the time-varying multicharacter code to the identity of the entity without requiring further information to identify the entity;, configured to
access from the database secure data associated with the entity including information required to enable the transaction, the information including account identifying information that includes a public ID code that identifies a financial account number associated with the entity; and, and configured to
provide the account identifying information to a third party that uses the public ID code to obtain the financial account number associated with the entity to enable or deny the transaction without providing the account identifying information to the provider, the third party being separate and apart from the secure registry;[[,]] and
wherein enabling or denying the transaction without providing account identifying information to the provider includes limiting transaction information provided by the secure registry system to the provider to transaction approval information.

IV. WRITTEN DESCRIPTION SUPPORT IN ORIGINALLY FILED APPLICATION AND PRIORITY DOCUMENT

30. It is my understanding that the ’539 patent issued from originally-filed non-provisional Application No. 11/768,729 (“the ’729 application”) (Ex. 2105), filed on June 26, 2007, which claims priority as a continuation application to U.S. non-provisional application No. 09/810,703, filed on Mar. 16, 2001 (“the ’703 application”) (Ex. 2106).

31. I have reviewed the ’729 application and it is my opinion that a person of ordinary skill in the art reading the ’729 application would have understood that the inventor of the ’539 patent would have been in possession of the inventions as recited in substitute claims 39-47. That is, it is my opinion that each limitation of proposed substitute claims 39-47 is disclosed in, and fully supported by, the ’729 application, which is the originally-filed specification of the ’539 patent. It is my further opinion that because all of the limitations recited in substitute claims 39-47 have sufficient written support in the ’729 application, as set forth below, the substitute claims do not introduce new subject matter.

32. I have reviewed the ’703 application and it is my opinion that a person of ordinary skill in the art reading the ’703 application would have understood that the inventor of the ’539 patent would have been in possession of the inventions as recited in substitute claims 39-47. That is, it is my opinion that each limitation of proposed substitute claims 39-47 is disclosed in, and fully supported by, the ’703 application, to which the ’539 patent claims priority. It is my further opinion that because all of the limitations recited in the substitute claims 39-47 have sufficient written support in the ’703 application, as set forth below, the substitute claims have an effective priority date at least as early as Mar. 16, 2001.

Observations on Some Proposed Claim Amendments and Limitations

33. Regarding claim limitations 39[b], 44[a], and 47[b]¹, I believe a person of ordinary skill in the art reading the ’729 application would have understood that the inventor of the ’539 patent would have been in possession of the subject matter of limitations 39[b], 44[a], and 47[b] because the ’729 application discloses that a secure registry receives a request for a transaction from a merchant provider that may include a time-varying multicharacter code and an indication of the merchant provider. See, e.g., ’729 Application at 8:5-9:2, 9:25-10:11, 17:1-19:7, FIGS. 7-9. Similar support for these claim limitations can be found in the ’703 application.

¹ I adopt the claim limitation notation used in Appendix B of Patent Owner’s Conditional Motion to Amend. IPR2018-00812, Paper 21.

34. Regarding claim limitations 39[c] and 46[b], I believe a person of ordinary skill in the art reading the ’729 application would have understood that the inventor of the ’539 patent would have been in possession of the subject matter of limitations 39[c] and 46[b] because the ’729 Application describes how the transaction request can include a time value that represents when the time-varying multicharacter code was generated, and that the secure registry can then extract the time value from the request. See, e.g., ’729 Application at 19:17-20:2 (“Alternatively, the electronic ID device may encode or encrypt the time with the number, the USR software being able to extract time when receiving the number from the merchant.”); see also id. at 17:7-13. Similar support for these claim limitations can be found in the ’703 application.

35. Regarding claim limitations 39[e] and 44[d], I believe a person of ordinary skill in the art reading the ’729 application would have understood that the inventor of the ’539 patent would have been in possession of the subject matter of limitations 39[e] and 44[d] because the ’729 Application describes that “The process of determining the requestor's rights (602) typically involves validating the requestor's identity and correlating the identity, the requested information and the access information 34 provided by the person to the USR database during the training process.” ’729 Application at 15:15-18. Similar support for these claim limitations can be found in the ’703 application.

36. Regarding claim limitations 39[h], 44[b], and 47[c], I believe a person of ordinary skill in the art reading the ’729 application would have understood that the inventor of the ’539 patent would have been in possession of the subject matter of limitations 39[h], 44[b], and 47[c] because the ’729 Application discloses that the identity of the entity having secure data stored at the secure registry is verified using a biometric input of the entity. See, e.g., ’729 Application at 5:11-21, 12:20-28. Similar support for these claim limitations can be found in the ’703 application.

37. Regarding claim limitations 44[f] and 47[g], I believe a person of ordinary skill in the art reading the ’729 application would have understood that the inventor of the ’539 patent would have been in possession of the subject matter of limitations 44[f] and 47[g] because the ’729 Application describes various examples where a credit card company or a bank receives account identifying information, such as an account number or a public ID code that are then used by the third party to obtain the account number, from the secure registry. See, e.g., ’729 Application at 17:11-22, 18:1-14, 19:1-7. In these examples, the credit card company and the bank are a third party that is a different entity and is separate and apart from the secure registry. For example, the ’729 Application states that “[w]hile the link between the USR system and the credit card system is a secure link, there is always a danger that the link may be penetrated and credit card numbers obtained.” ’729 Application at 17:13-15; see also id. at 19:8-10. If the secure registry and the credit card company were not different entities that were separate and apart from one another then discussions about safeguarding communication channels between the two would be considerably less of a concern. The ’729 Application also states:

The information in this embodiment transmitted to the credit card company is intended to be in a format recognizable to the credit card company. Accordingly, the invention is not limited to transferring from the USR system 10 to the credit card company the enumerated information, but rather encompasses any transfer of information that will enable the use of the USR system 10 to appear transparent to the credit card company.

Id. at 18:4-9. In my opinion, issues concerning data formats being “recognizable” to the third party credit card company and the appearance of transparency of the USR system to the third party credit card company provide support for the claim limitation that the third party is a different entity and is separate and apart from the secure registry. Similar support for these claim limitations can be found in the ’703 application.

Independent Claim 39

38. It is my opinion that proposed substitute claim 39 is supported by the ’729 application, the originally-filed disclosure, and that a person of ordinary skill in the art reading the ’729 application would have understood that the inventor of the ’539 patent would have been in possession of the invention recited in substitute claim 39. It is my opinion further that proposed substitute claim 39 is supported by the ’703 application, and accordingly, claims priority to the ’703 application.

39. For example, claim 39 recites (39[pre]), “A secure registry system for providing information to a provider to enable transactions between the provider and entities with secure data stored in the secure registry system, the secure registry system comprising.” Support for this limitation can be found in at least: the ’729 application at 7:25-27, 8:5-16, 11:12-18, 11:25-12:11, 12:29-13:26, 17:11-22, 18:1-14, 19:1-7, Cl. 1, FIGS. 1, 3, 7-9; and the ’703 application at 8:6-8, 8:17-28, 11:27-12:3, 12:11-28, 13:17-14:16, 18:5-16, 18:27-19:10, 19:28-20:5, FIGS. 1, 3, 7-9.

40. Claim 39 further recites (39[a]), “a database including secure data for each entity, wherein each entity is associated with a time-varying multicharacter code for each entity having secure data in the secure registry system, respectively, each time-varying multicharacter code representing an identity of one of the respective entities.” Support for this limitation can be found in at least: the ’729 application at 8:5-16, 9:3-4, 11:1-12:11, 12:29-13:19, Cl. 1, FIGS. 1, 3; and the ’703 application at 8:17-28, 9:14-15, 11:15-13:6, Cl. 1, FIGS. 1, 3.

41. Claim 39 further recites (39[b]), “a processor configured to receive from the provider a transaction request including at least the time-varying multicharacter code for the entity on whose behalf a transaction is to be performed and an indication of the provider requesting the transaction, [[to]].” Support for this limitation can be found in at least: the ’729 application at 8:5-9:2, 9:25-10:11, 17:1-19:7, Cl. 1, FIGS. 1, 7-9; and the ’703 application at 8:17-9:13, 10:7-25, 17:26-20:5, FIGS. 1, 7-9.

42. Claim 39 further recites (39[c]), “the transaction request including a time value representative of when the time-varying multicharacter code was generated; extract the time value from the transaction request.” Support for this limitation can be found in at least: the ’729 application at 17:7-13, 19:17-20:2, FIGS. 7, 10; and the ’703 application at 18:1-8, 20:15-31, FIGS. 7, 10.

43. Claim 39 further recites (39[d]), “map the time-varying multicharacter code to the identity of the entity using the time-varying multicharacter code;[[, to]].” Support for this limitation can be found in at least: the ’729 application at 8:5-16, 11:1-12:22, 12:29-13:10, 17:9-13, 18:1-20, 23:9-24:15, Cl. 1, FIGS. 1, 3, 7, 8, 13-15; and the ’703 application at 8:17-28, 11:15-13:15, 13:17-29, 18:5-8, 18:27-19:16, 24:11-25:20, FIGS. 1, 3, 7, 8, 13-15.

44. Claim 39 further recites (39[e]), “validate an identity of the provider and then.” Support for this limitation can be found in at least: the ’729 application at 11:25-29, 15:10-16:7, FIG. 6; and the ’703 application at 12:11-15, 16:1-30, FIG. 6.

45. Claim 39 further recites (39[f]), “execute a restriction mechanism to determine compliance with any access restrictions for the provider to secure data of the entity for completing the transaction based at least in part on the indication of the provider and the time-varying multicharacter code of the transaction request; and[[, and to]] allow or not allow access to the secure data associated with the entity including information required to enable the transaction based on the determined compliance with any access restrictions for the provider, the information including account identifying information.” Support for this limitation can be found in at least: the ’729 application at Abstract, 11:1-12:19, 12:29-13:10, 14:1-15:2, 15:5-16:27, 17:1-18:9, FIGS. 1, 3, 5-8; and the ’703 application at Abstract, 11:15-13:14, 13:17-29, 14:22-15:25, 15:27-17:21, 17:26-19:5, FIGS. 1, 3, 5-8.

46. Claim 39 further recites (39[g]), “wherein the account identifying information is not provided to the provider and the account identifying information is provided to a third party to enable or deny the transaction with the provider without providing the account identifying information to the provider.” Support for this limitation can be found in at least: the ’729 application at 17:11-28, 18:1-20, 19:1-13, 19:17-20:15, Cl. 1, Cl. 7, FIGS. 7-10; and the ’703 application at 18:5-23, 18:27-19:16, 19:28-20:11, 20:15-21:13, FIGS. 7-10.

47. Claim 39 further recites (39[h]), “wherein the identity of the entity is verified using a biometric.” Support for this limitation can be found in at least: the ’729 application at 5:11-21, 12:20-28; and the ’703 application at 5:31-6:6, 13:7-16.

Dependent Claim 40

48. It is my opinion that proposed substitute claim 40 is supported by the ’729 application, the originally-filed disclosure, and that a person of ordinary skill in the art reading the ’729 application would have understood that the inventor of the ’539 patent would have been in possession of the invention recited in substitute claim 40. It is my opinion further that proposed substitute claim 40 is supported by the ’703 application, and accordingly, claims priority to the ’703 application.

49. For example, claim 40 recites, “The sy