`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`________________
`
`VISA INC. AND VISA U.S.A. INC.,
`Petitioner,
`
`v.
`
`UNIVERSAL SECURE REGISTRY LLC,
`Patent Owner
`________________
`
`Case IPR2018-01350
`U.S. Patent No. 8,856,539
`________________
`
`PATENT OWNER’S EXHIBIT 2010
`DECLARATION OF MARKUS JAKOBSSON
`IN SUPPORT OF PATENT OWNER’S
`CONDITIONAL MOTION TO AMEND
`
`USR Exhibit 2010
`
`
`
`
`1.
`
`I have been retained on behalf of Universal Secure Registry LLC
`
`(“Patent Owner”) in connection with the above-captioned inter partes review
`
`(IPR). I have been retained to provide my opinions in support of USR’s
`
`Conditional Motion to Amend. I am being compensated for my time at the rate of
`
`$625 per hour. I have no interest in the outcome of this proceeding.
`
`2.
`
`In preparing this declaration, I have reviewed and am familiar with the
`
`Petition for IPR2018-01350, U.S. Patent No. 8,856,539 (hereinafter “’539 patent”),
`
`and its file history, and all other materials cited and discussed in the Petition
`
`(including all prior art references cited therein) and all other materials cited and
`
`discussed in this Declaration.
`
`3.
`
`The statements made herein are based on my own knowledge and
`
`opinion. This Declaration represents only the opinions I have formed to date. I may
`
`consider additional documents as they become available or other documents that
`
`are necessary to form my opinions. I reserve the right to revise, supplement, or
`
`amend my opinions based on new information and on my continuing analysis.
`
I. QUALIFICATIONS

4. My qualifications can be found in my Curriculum Vitae, which includes my detailed employment background, professional experience, and list of technical publications and patents. Ex. 2002.
`
`
`5.
`
`I am currently the Chief of Security and Data Analytics at Amber
`
`Solutions, Inc., a cybersecurity company that develops home and office automation
`
`technology. At Amber, my research studies and addresses abuse, including social
`
`engineering, malware and privacy intrusions. My work primarily involves
`
`identifying risks, developing protocols and user experiences, and evaluating the
`
`security of proposed approaches.
`
`6.
`
`I received a Master of Science degree in Computer Engineering from
`
`the Lund Instituted of Technology in Sweden in 1993, a Master of Science degree
`
`in Computer Science from the University of California at San Diego in 1994, and a
`
`Ph.D. in Computer Science from the University of California at San Diego in 1997,
`
`specializing in Cryptography. During and after my Ph.D. studies, I was also a
`
`Researcher at the San Diego Supercomputer Center, where I did research on
`
`authentication and privacy.
`
`7.
`
`From 1997 to 2001, I was a Member of Technical Staff at Bell Labs,
`
`where I did research on authentication, privacy, multi-party computation, contract
`
`exchange, digital commerce including crypto payments, and fraud detection and
`
`prevention. From 2001 to 2004, I was a Principal Research Scientist at RSA Labs,
`
`where I worked on predicting future fraud scenarios in commerce and
`
`authentication and developed solutions to those problems. During that time I
`
`predicted the rise of what later became known as phishing. I was also an Adjunct
`
`USR Exhibit 2010, Page 2
`
`
`
`IPR2018-01350
`
`Associate Professor in the Computer Science department at New York University
`
`from 2002 to 2004, where I taught cryptographic protocols.
`
`8.
`
`From 2004 to 2016, I held a faculty position at the Indiana University
`
`at Bloomington, first as an Associate Professor of Computer Science, Associate
`
`Professor of Informatics, Associate Professor of Cognitive Science, and Associate
`
`Director of the Center for Applied Cybersecurity Research (CACR) from 2004 to
`
`2008; and then as an Adjunct Associate Professor from 2008 to 2016. I was the
`
`most senior security researcher at Indiana University, where I built a research
`
`group focused on online fraud and countermeasures, resulting in over 50
`
`publications and two books.
`
9. While a professor at Indiana University, I was also employed by Xerox PARC, PayPal, and Qualcomm to provide thought leadership to their security groups. I was a Principal Scientist at Xerox PARC from 2008 to 2010, a Director and Principal Scientist of Consumer Security at PayPal from 2010 to 2013, a Senior Director at Qualcomm from 2013 to 2015, and Chief Scientist at Agari from 2016 to 2018. Agari is a cybersecurity company that develops and commercializes technology to protect enterprises, their partners and customers from advanced email phishing attacks. At Agari, my research studied and addressed trends in online fraud, especially as related to email, including problems such as Business Email Compromise, Ransomware, and other abuses based on social engineering and identity deception. My work primarily involved identifying trends in fraud and computing before they affected the market, and developing and testing countermeasures, including technological countermeasures, user interaction and education.
`
`10.
`
`I have founded or co-founded several successful computer security
`
`companies. In 2005 I founded RavenWhite Security, a provider of authentication
`
`solutions, and I am currently its Chief Technical Officer. In 2007 I founded
`
`Extricatus, one of the first companies to address consumer security education. In
`
`2009 I founded FatSkunk, a provider of mobile malware detection software; I
`
`served as Chief Technical Officer of FatSkunk from 2009 to 2013, when FatSkunk
`
`was acquired by Qualcomm and I became a Qualcomm employee. In 2013 I
`
`founded ZapFraud, a provider of anti-scam technology addressing Business Email
`
`Compromise, and I am currently its Chief Technical Officer. In 2014 I founded
`
`RightQuestion, a security consulting company.
`
`11.
`
`I have additionally served as a member of the fraud advisory board at
`
`LifeLock (an identity theft protection company); a member of the technical
`
`advisory board at CellFony (a mobile security company); a member of the
`
`technical advisory board at PopGiro (a user reputation company); a member of the
`
`technical advisory board at MobiSocial dba Omlet (a social networking company);
`
`and a member of the technical advisory board at Stealth Security (an anti-fraud
`
`USR Exhibit 2010, Page 4
`
`
`
`IPR2018-01350
`
`company). I have provided anti-fraud consulting to KommuneData (a Danish
`
`government entity), J.P. Morgan Chase, PayPal, Boku, and Western Union.
`
`12.
`
`I have authored five books and over 100 peer-reviewed publications,
`
`and have been a named inventor on over 100 patents and patent applications.
`
13. My work has included research in the area of applied security, privacy, cryptographic protocols, authentication, malware, social engineering, usability and fraud.
`
II. LEGAL UNDERSTANDING

A. The Person of Ordinary Skill in the Art

14. I understand that a person of ordinary skill in the relevant art (also referred to herein as “POSITA”) is presumed to be aware of all pertinent art, thinks along conventional wisdom in the art, and is a person of ordinary creativity—not an automaton.
`
`15.
`
`I have been asked to consider the level of ordinary skill in the field
`
`that someone would have had at the time the claimed invention was made. In
`
`deciding the level of ordinary skill, I considered the following:
`
`• the levels of education and experience of persons working in the
`
`field;
`
`• the types of problems encountered in the field; and
`
`• the sophistication of the technology.
`
`
16. A person of ordinary skill in the art relevant to the ’539 patent at the time of the invention would have a Bachelor of Science degree in electrical engineering and/or computer science, and three years of work or research experience in the fields of secure transactions and encryption, or a Master’s degree in electrical engineering and/or computer science and two years of work or research experience in related fields.
`
`17.
`
`I am well-qualified to determine the level of ordinary skill in the art
`
`and am personally familiar with the technology of the ’539 patent. I was a person
`
`of at least ordinary skill in the art at the time of the priority date of the ’539 patent
`
`in 2001. Regardless if I do not explicitly state that my statements below are based
`
`on this timeframe, all of my statements are to be understood as a POSITA would
`
`have understood something as of the priority date of the ’539 patent.
`
B. Legal Principles

18. I am not a lawyer and will not provide any legal opinions.

19. Though I am not a lawyer, I have been advised that certain legal standards are to be applied by technical experts in forming opinions regarding the meaning and validity of patent claims.
`
`20.
`
`I have been informed and understand that if the Board should accept
`
`Petitioner’s arguments and cancel any of the original issued claims of the ’539
`
`patent, Patent Owner has made a conditional motion to amend to substitute the
`
`USR Exhibit 2010, Page 6
`
`
`
`IPR2018-01350
`
`canceled claim(s) with corresponding proposed amended claims 39-52, as set forth
`
`in Section III below.
`
`21.
`
`I have been informed and understand that to permit the proposed
`
`substitute claims to be entered, Patent Owner must show, among other things, that
`
`the substitute claims are supported by the written description of the original
`
`disclosure of the patent, as well as any patent application to which the claim seeks
`
`the benefit of priority in this proceeding.
`
`22.
`
`I have been informed by counsel and understand that to satisfy the
`
`written description requirement, the substitute claims must be disclosed in
`
`sufficient detail such that one skilled in the art can reasonably conclude that the
`
`inventor had possession of the claimed invention as of the filing date sought. I
`
`understand that the Patent Owner can show possession of the claimed invention by
`
`pointing to such descriptive means as words, structures, figures, diagrams, and
`
`formulas that fully set forth the claimed invention.
`
`23.
`
`I have been informed by counsel and understand that incorporation by
`
`reference is a method by which material from one or more documents may be
`
`integrated into a host document. I understand that material incorporated by
`
`reference is considered part of the written description of the patent that can be used
`
`to show possession of the claimed invention.
`
`
`24.
`
`I have been informed by counsel and understand that to permit the
`
`proposed substitute claims to be entered, Patent Owner must show, among other
`
`things, that the substitute claims do not introduce new subject matter.
`
`25.
`
`I understand that new matter is any addition to the claims without
`
`support in the original disclosure.
`
`26.
`
`I have been informed by counsel and understand that to permit the
`
`proposed substitute claims to be entered, Patent Owner must show, among other
`
`things, the substitute claims do not broaden the scope of the original claims.
`
`27.
`
`I understand that claims in dependent form are construed to include all
`
`the limitations of the claim incorporated by reference into the dependent claim and
`
`further limit the claim incorporated by reference.
`
`28.
`
`It has been explained to me by counsel for the Patent Owner that in
`
`proceedings before the USPTO, the claims of an unexpired patent are to be given
`
`their broadest reasonable interpretation in view of the specification from the
`
`perspective of one having ordinary skill in the relevant art at the time of the
`
`invention. I have considered each of the claim terms using the broadest reasonable
`
`interpretation standard.
`
III. SUBSTITUTE CLAIMS 39-52

29. My understanding is that proposed substitute claims 39-52 read as follows, wherein underlining (additions) and strike-through text and double brackets (deletions) show the Patent Owner’s proposed modifications to the original claim being made in the corresponding substitute claim:
`
`Claim 39. (Proposed Substitute for Claim 1) A secure registry system for providing
`information to a provider to enable transactions between the provider and entities
`with secure data stored in the secure registry system, the secure registry system
`comprising:
`a database including secure data for each entity, wherein each entity is
`associated with a time-varying multicharacter code for each entity having secure
`data in the secure registry system, respectively, each time-varying multicharacter
`code representing an identity of one of the respective entities; and
`a processor configured to:
`receive from the provider a transaction request including at least the
`time-varying multicharacter code for the entity on whose behalf a
`transaction is to be performed and an indication of the provider requesting
`the transaction, [[to]]the transaction request received at the secure registry
`system without the secure registry system communicating with the entity on
`whose behalf a transaction is to be performed;
`map the time-varying multicharacter code to the identity of the entity
`using the time-varying multicharacter code;[[, to]]
`validate an identity of the provider and execute a restriction
`mechanism to determine compliance with any access restrictions for the
`provider to secure data of the entity for completing the transaction based at
`least in part on the indication of the provider and the time-varying
`multicharacter code of the transaction request; and[[, and to]]
`allow or not allow access to the secure data associated with the entity
`including information required to enable the transaction based on the
`determined compliance with any access restrictions for the provider, the
`information including account identifying information, wherein the account
`identifying information is not provided to the provider and the account
`identifying information is provided to a third party to enable or deny the
`transaction with the provider without providing the account identifying
`information to the provider; and
`wherein the identity of the entity is verified using a biometric.
`
`Claim 40. (Proposed Substitute for Claim 2) The system of claim 39[[1]], wherein
`the time-varying multicharacter code is provided to the system via a secure
electronic transmission device, and the transaction request includes a time value
representative of when the time-varying multicharacter code was generated; and
`wherein the processor is further configured to:
`extract the time value from the transaction request;
`map the time-varying multicharacter code to the identity of the entity using
`the time-varying multicharacter code and the time value.
`
`Claim 41. (Proposed Substitute for Claim 3) The system of claim 39[[1]], wherein
`the time-varying multicharacter code is encrypted and transmitted to the system,
`and wherein the system is configured to decrypt the time-varying multicharacter
`code with a public key of the entity.
`
`Claim 42. (Proposed Substitute for Claim 4) The system as claimed in claim
`39[[1]], wherein the transaction includes a service provided by the provider,
`wherein said provider's service includes delivery, wherein the information is an
`address to which an item is to be delivered to the entity, wherein the system
`receives the time-varying multicharacter code, and wherein the system uses the
`time-varying multicharacter code to obtain the appropriate address for delivery of
`the item by the third party.
`
`Claim 43. (Proposed Substitute for Claim 9) The system as claimed in claim
`39[[1]], wherein the information includes personal identification information
`regarding the entity.
`
`Claim 44. (Proposed Substitute for Claim 16) The system of claim 39[[1]], wherein
`the account identifying information includes an account number.
`
`Claim 45. (Proposed Substitute for Claim 21) The system of claim 39[[1]], wherein
`the identity of the entity is unknown until the time-varying code is mapped to the
`identity by the processor.
`
`Claim 46. (Proposed Substitute for Claim 22) A method for providing information
`to a provider to enable transactions between the provider and entities who have
`secure data stored in a secure registry in which each entity is identified by a time-
`varying multicharacter code, the method comprising:
`receiving from the provider a transaction request including at least the time-
`varying multicharacter code for an entity on whose behalf a transaction is to take
`place and an indication of the provider requesting the transaction, an identity of the
`entity on whose behalf the transaction is to take place having been verified using a
`biometric of the entity, and the transaction request further including a time value
`representative of when the time-varying multicharacter code was generated;
`extracting the time value from the transaction request;
`mapping the time-varying multicharacter code to an identity of the entity
`using the time-varying multicharacter code and the time value;
`determining compliance with any access restrictions for the provider to
`secure data of the entity for completing the transaction based at least in part on the
`indication of the provider and the time-varying multicharacter code of the
`transaction request;
`accessing information of the entity required to perform the transaction based
`on the determined compliance with any access restrictions for the provider, the
`information including account identifying information;
`providing the account identifying information to a third party without
`providing the account identifying information to the provider to enable or deny the
`transaction; and
`enabling or denying the provider to perform the transaction without the
`provider's knowledge of the account identifying information.
`
`Claim 47. (Proposed Substitute for Claim 23) The method of claim 44[[22]],
`wherein the act of receiving the time-varying multicharacter code comprises
`receiving the time-varying multicharacter code transmitted via a secure electronic
`transmission device, and the method further comprises:
`prior to determining compliance with any access restrictions for the
`provider, validating an identity of the provider.
`
`Claim 48. (Proposed Substitute for Claim 24) The method of claim 44[[22]],
`wherein the transaction request is received at the secure registry system without the
`secure registry system communicating with the entity on whose behalf a
`transaction is to be performed, and the act of receiving the time-varying
`multicharacter code comprises receiving an encrypted multicharacter code, and
`wherein the method further comprises decrypting the encrypted multicharacter
`code.
`
`Claim 49. (Proposed Substitute for Claim 25) The method as claimed in claim
`44[[22]], wherein the transaction includes a service provided by the provider,
`wherein the service includes delivery, wherein the account identifying information
`is associated with an address to which an item is to be delivered for the entity, and
`wherein the third party receives the address for delivery of an item provided by the
`provider.
`
`Claim 50. (Proposed Substitute for Claim 31) The method as claimed in claim
`44[[22]], wherein the act of mapping the time-varying multicharacter code to
`information required by the provider comprises mapping the time-varying
`multicharacter code to personal identification information about the entity.
`
`Claim 51. (Proposed Substitute for Claim 37) A secure registry system for
`providing information to a provider to enable transactions between the provider
`and entities with secure data stored in the secure registry system, the secure
`registry system comprising:
`a database including secure data for each entity, wherein each entity is
`associated with a time-varying multicharacter code for each entity having secure
`data in the secure registry system, respectively, each time-varying multicharacter
`code representing an identity of one of the respective entities, wherein the database
`is configured to permit or deny access to information on the respective entity using
`the time-varying multicharacter code, the secure data stored at the database during
`a training process by establishing communications between the secure registry
`system and the entities; and
`a processor configured to:
`receive from the provider a transaction request including at least the
`time-varying multicharacter code for the entity on whose behalf a
`transaction is to be performed, the transaction request received at the secure
`registry system during a transaction process initiated after completion of the
`training process and termination of communications between the secure
`registry system and the entity on whose behalf the transaction is to be
`performed;, configured to
`map the time-varying multicharacter code to the identity of the entity
`to identify the entity;, configured to
`execute a restriction mechanism to determine compliance with any
`access restrictions for the provider to at least one portion of secure data for
`completing the transaction and to store an appropriate code with each such
`portion of secure data;, configured to
`obtain from the database the secure data associated with the entity
`including information required to enable the transaction, the information
`including account identifying information;, and configured to
`provide the account identifying information to a third party to enable
`or deny the transaction without providing the account identifying
`information to the provider.
`
`Claim 52. (Proposed Substitute for Claim 38) A secure registry system for
`providing information to a provider to enable transactions between the provider
`and entities with secure data stored in the secure registry system without
`establishing and/or maintaining communications between the secure registry
`system and an entity on whose behalf a transaction is to be performed, the secure
`registry system comprising:
`a database including secure data for each entity, wherein each entity is
`associated with a time-varying multicharacter code for each entity having secure
`data in the secure registry system, respectively, each time-varying multicharacter
`code representing an identity of one of the respective entities; and
`a processor configured to:
`receive from the provider the time-varying multicharacter code for the
`entity on whose behalf a transaction is to be performed, the entity having
`had its identity verified using a biometric;, configured to
`map the time-varying multicharacter code to the identity of the entity
`without requiring further information to identify the entity;, configured to
`access from the database secure data associated with the entity
`including information required to enable the transaction, the information
`including account identifying information that includes a public ID code that
`identifies a financial account number associated with the entity; and, and
`configured to
`provide the account identifying information to a third party that uses
`the public ID code to obtain the financial account number associated with
`the entity to enable or deny the transaction without providing the account
`identifying information to the provider;[[,]] and
`wherein enabling or denying the transaction without providing account
`identifying information to the provider includes limiting transaction information
`provided by the secure registry system to the provider to transaction approval
`information.
`
`IV. WRITTEN DESCRIPTION SUPPORT IN ORIGINALLY FILED
`APPLICATION AND PRIORITY DOCUMENT
`
`30.
`
`It is my understanding that the ’539 patent issued from originally-filed
`
`non-provisional Application No. 11/768,729 (“the ’729 application”) (Ex. 2008),
`
`filed on June 26, 2007, which claims priority as a continuation application to U.S.
`
`USR Exhibit 2010, Page 13
`
`
`
`IPR2018-01350
`
`non-provisional application No. 09/810,703, filed on Mar. 16, 2001 (“the ’703
`
`application”) (Ex. 2009).
`
`31.
`
`I have reviewed the ’729 application and it is my opinion that a person
`
`of ordinary skill in the art reading the ’729 application would have understood that
`
`the inventor of the ’539 patent would have been in possession of the inventions as
`
`recited in substitute claims 39-52. That is, it is my opinion that each limitation of
`
`proposed substitute claims 39-52 is disclosed in, and fully supported by, the ’729
`
`application, which is the originally-filed specification of the ’539 patent. It is my
`
`further opinion that because all of the limitations recited in substitute claims 39-52
`
`have sufficient written support in the ’729 application, as set forth below, the
`
`substitute claims do not introduce new subject matter.
`
`32.
`
`I have reviewed the ’703 application and it is my opinion that a person
`
`of ordinary skill in the art reading the ’703 application would have understood that
`
`the inventor of the ’539 patent would have been in possession of the inventions as
`
`recited in substitute claims 39-52. That is, it is my opinion that each limitation of
`
`proposed substitute claims 39-52 is disclosed in, and fully supported by, the ’703
`
`application, to which the ’539 patent claims priority. It is my further opinion that
`
`because all of the limitations recited in the substitute claims 39-52 have sufficient
`
`written support in the ’703 application, as set forth below, the substitute claims
`
`have an effective priority date at least as early as Mar. 16, 2001.
`
`
`Observations on Some Proposed Claim Amendments and Limitations
`
33. Regarding claim limitations 39[b], 46[a], 51[c], and 52[b]¹, I believe a person of ordinary skill in the art reading the ’729 application would have understood that the inventor of the ’539 patent would have been in possession of the subject matter of limitations 39[b], 46[a], 51[c], and 52[b] because the ’729 application discloses that a secure registry receives a request for a transaction from a merchant provider that may include a time-varying multicharacter code and an indication of the merchant provider. See, e.g., Ex. 2008, ’729 Application at 8:5-9:2, 9:25-10:11, 17:1-19:7, FIGS. 7-9. Similar support for these claim limitations can be found in the ’703 application.

¹ I adopt the claim limitation notation used in Appendix B of Patent Owner’s Conditional Motion to Amend. IPR2018-00812, Paper 21.

34. Regarding claim limitations 40[b] and 46[c], I believe a person of ordinary skill in the art reading the ’729 application would have understood that the inventor of the ’539 patent would have been in possession of the subject matter of limitations 40[b] and 46[c] because the ’729 Application describes how the transaction request can include a time value that represents when the time-varying multicharacter code was generated, and that the secure registry can then extract the time value from the request. See, e.g., Ex. 2008, ’729 Application at 19:17-20:2 (“Alternatively, the electronic ID device may encode or encrypt the time with the number, the USR software being able to extract time when receiving the number from the merchant.”); see also id. at 17:7-13. Similar support for these claim limitations can be found in the ’703 application.
`
35. Regarding claim limitations 39[e] and 47[b], I believe a person of ordinary skill in the art reading the ’729 application would have understood that the inventor of the ’539 patent would have been in possession of the subject matter of limitations 39[e] and 47[b] because the ’729 Application describes that “The process of determining the requestor's rights (602) typically involves validating the requestor's identity and correlating the identity, the requested information and the access information 34 provided by the person to the USR database during the training process.” Ex. 2008, ’729 Application at 15:15-18. Similar support for these claim limitations can be found in the ’703 application.
`
36. Regarding claim limitations 39[h], 46[b], and 52[c], I believe a person of ordinary skill in the art reading the ’729 application would have understood that the inventor of the ’539 patent would have been in possession of the subject matter of limitations 39[h], 46[b], and 52[c] because the ’729 Application discloses that the identity of the entity having secure data stored at the secure registry is verified using a biometric input of the entity. See, e.g., Ex. 2008, ’729 Application at 5:11-21, 12:20-28. Similar support for these claim limitations can be found in the ’703 application.
`
37. Regarding claim limitations 52[f] and 52[g], I believe a person of ordinary skill in the art reading the ’729 application would have understood that the inventor of the ’539 patent would have been in possession of the subject matter of limitations 52[f] and 52[g] because the ’729 Application describes various examples where a credit card company or a bank receives account identifying information, such as an account number or a public ID code that are then used by the third party to obtain the account number, from the secure registry. See, e.g., Ex. 2008, ’729 Application at 17:11-22, 18:1-14, 19:1-7. Similar support for these claim limitations can be found in the ’703 application.
`
38. Regarding claim limitations 39[c], 48[a], 51[b], 51[d], and 52[pre], I believe a person of ordinary skill in the art reading the ’729 application would have understood that the inventor of the ’539 patent would have been in possession of the subject matter of limitations 39[c], 48[a], 51[b], 51[d], and 52[pre] because the ’729 Application describes a training process where a person, such as the entity for whom a transaction may later be performed, establishes communication with a universal secure registry database to enter basic information and other additional information, such as sensitive/secure data, into the secure registry database, and also specify access restrictions to the secure data. See, e.g., Ex. 2008, ’729 Application at 14:1-15:9, FIG. 5. The ’729 Application also provides many examples where, after the training process has been completed, an entity may engage in a transaction by providing a time-varying multicharacter code to a merchant, which in turn communicates with the secure registry system either directly or indirectly through a third party, such as a credit card company. See, e.g., Ex. 2008, ’729 Application at 16:28-20:15, FIGS. 7-10. During this transaction process, the secure registry system does not communicate with the entity on whose behalf a transaction is being performed; such communications were, for example, terminated after the training process. See id. Similar support for these claim limitations can be found in the ’703 application.
`
`Independent Claim 39
`
`39.
`
`It is my opinion that proposed substitute claim 39 is supported by the
`
`’729 application, the originally-filed disclosure, and that a person of ordinary skill
`
`in the art reading the ’729 application would have understood that the inventor of
`
`the ’539 patent would have been in possession of the invention recited in substitute
`
`claim 39. It is my opinion further that proposed substitute claim 39 is supported by
`
`the ’703 application, and accordingly, claims priority to the ’703 application.
`
`40.
`
`For example, claim 39 recites (39[pre]), “A secure registry system for
`
`providing information to a provider to enable transactions between the provider
`
`and entities with secure data stored in the secure registry system, the secure
`
`USR Exhibit 2010, Page 18
`
`
`
`IPR2018-01350
`
`registry system comprising.” Support for this limitation can be found in at least:
`
`the ’729 application at 7:25-27, 8:5-16, 11:12-18, 11:25-12:11, 12:29-13:26,
`
`17:11-22, 18:1-14, 19:1-7, Cl. 1, FIGS. 1, 3, 7-9; and the ’703 application at 8:6-8,
`
`8:17-28, 11:27-12:3, 12:11-28, 13:17-14:16, 18:5-16, 18:27-19:10, 19:28-20:5,
`
`FIGS. 1, 3, 7-9.
`
`41. Claim 39 further recites (39[a]), “a