IPR2018-01350
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`________________
`
`
`VISA INC. and VISA U.S.A. INC.
`APPLE INC.,
`
`Petitioners,
`
`v.
`
`UNIVERSAL SECURE REGISTRY LLC,
`
`________________
`
`Case IPR2018-013501
`U.S. Patent No. 8,856,539
`________________
`
`PATENT OWNER’S EXHIBIT 2011
`DECLARATION OF MARKUS JAKOBSSON
`IN SUPPORT OF PATENT OWNER’S REPLY TO OPPOSITION OF
`CONDITIONAL MOTION TO AMEND
`
`
`
`
`
`
`1 Apple Inc., which filed a petition in IPR2019-00727, has been joined as a
`party to this proceeding.
`
`
`
`USR Exhibit 2011
`
`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`________________
`
`
`VISA INC. and VISA U.S.A. INC.
`APPLE INC.,
`
`Petitioners,
`
`v.
`
`UNIVERSAL SECURE REGISTRY LLC,
`
`________________
`
`Case IPR2018-013501
`U.S. Patent No. 8,856,539
`________________
`
`PATENT OWNER’S EXHIBIT 2011
`DECLARATION OF MARKUS JAKOBSSON
`IN SUPPORT OF PATENT OWNER’S REPLY TO OPPOSITION OF
`CONDITIONAL MOTION TO AMEND
`
`
`
`
`
`
`1 Apple Inc., which filed a petition in IPR2019-00727, has been joined as a
`party to this proceeding.
`
`
`
`USR Exhibit 2011
`
`
`
`
`
`IPR2018-01350
`
`1.
`
`I have been retained on behalf of Universal Secure Registry LLC
`
`(“Patent Owner”) in connection with the above-captioned inter partes review
`
`(IPR). I have been retained to provide my opinions in support of USR’s Reply to
`
`Opposition of Conditional Motion to Amend. I am being compensated for my time
`
`at the rate of $625 per hour. I have no interest in the outcome of this proceeding.
`
`2.
`
`In preparing this declaration, I have reviewed and am familiar with the
`
`Petition for IPR2018-01350, U.S. Patent No. 8,856,539 (hereinafter “’539 patent”),
`
`and its file history, and all other materials cited and discussed in the Petition
`
`(including all prior art references cited therein) and all other materials cited and
`
`discussed in this Declaration including the Conditional Motion to Amend, Paper 13
`
`(“Motion”) and Petitioner’s Opposition to the Conditional Motion to Amend, Paper
`
`17 (“Opp.”).
`
`3.
`
`The statements made herein are based on my own knowledge and
`
`opinion. This Declaration represents only the opinions I have formed to date. I may
`
`consider additional documents as they become available or other documents that
`
`are necessary to form my opinions. I reserve the right to revise, supplement, or
`
`amend my opinions based on new information and on my continuing analysis.
`
`
`
`
`USR Exhibit 2011, Page 1
`
`
`
`IPR2018-01350
`
`I.
`
`QUALIFICATIONS
`
`4. My qualifications can be found in my Curriculum Vitae, which
`
`includes my detailed employment background, professional experience, and list of
`
`technical publications and patents. Ex. 2002.
`
`5.
`
`I am currently the Chief of Security and Data Analytics at Amber
`
`Solutions, Inc., a cybersecurity company that develops home and office automation
`
`technology. At Amber, my research studies and addresses abuse, including social
`
`engineering, malware and privacy intrusions. My work primarily involves
`
`identifying risks, developing protocols and user experiences, and evaluating the
`
`security of proposed approaches.
`
`6.
`
`I received a Master of Science degree in Computer Engineering from
`
`the Lund Instituted of Technology in Sweden in 1993, a Master of Science degree
`
`in Computer Science from the University of California at San Diego in 1994, and a
`
`Ph.D. in Computer Science from the University of California at San Diego in 1997,
`
`specializing in Cryptography. During and after my Ph.D. studies, I was also a
`
`Researcher at the San Diego Supercomputer Center, where I did research on
`
`authentication and privacy.
`
`7.
`
`From 1997 to 2001, I was a Member of Technical Staff at Bell Labs,
`
`where I did research on authentication, privacy, multi-party computation, contract
`
`exchange, digital commerce including crypto payments, and fraud detection and
`
`
`
`
`USR Exhibit 2011, Page 2
`
`
`
`IPR2018-01350
`
`prevention. From 2001 to 2004, I was a Principal Research Scientist at RSA Labs,
`
`where I worked on predicting future fraud scenarios in commerce and
`
`authentication and developed solutions to those problems. During that time I
`
`predicted the rise of what later became known as phishing. I was also an Adjunct
`
`Associate Professor in the Computer Science department at New York University
`
`from 2002 to 2004, where I taught cryptographic protocols.
`
`8.
`
`From 2004 to 2016, I held a faculty position at the Indiana University
`
`at Bloomington, first as an Associate Professor of Computer Science, Associate
`
`Professor of Informatics, Associate Professor of Cognitive Science, and Associate
`
`Director of the Center for Applied Cybersecurity Research (CACR) from 2004 to
`
`2008; and then as an Adjunct Associate Professor from 2008 to 2016. I was the
`
`most senior security researcher at Indiana University, where I built a research
`
`group focused on online fraud and countermeasures, resulting in over 50
`
`publications and two books.
`
`9. While a professor at Indiana University, I was also employed by
`
`Xerox PARC, PayPal, and Qualcomm to provide thought leadership to their
`
`security groups. I was a Principal Scientist at Xerox PARC from 2008 to 2010, a
`
`Director and Principal Scientist of Consumer Security at PayPal from 2010 to
`
`2013, a Senior Director at Qualcomm from 2013 to 2015, and Chief Scientist at
`
`Agari from 2016 to 2018. Agari is a cybersecurity company that develops and
`
`
`
`
`USR Exhibit 2011, Page 3
`
`
`
`IPR2018-01350
`
`commercializes technology to protect enterprises, their partners and customers
`
`from advanced email phishing attacks. At Agari, my research studied and
`
`addressed trends in online fraud, especially as related to email, including problems
`
`such as Business Email Compromise, Ransomware, and other abuses based on
`
`social engineering and identity deception. My work primarily involved identifying
`
`trends in fraud and computing before they affected the market, and developing and
`
`testing countermeasures, including technological countermeasures, user interaction
`
`and education.
`
`10.
`
`I have founded or co-founded several successful computer security
`
`companies. In 2005 I founded RavenWhite Security, a provider of authentication
`
`solutions, and I am currently its Chief Technical Officer. In 2007 I founded
`
`Extricatus, one of the first companies to address consumer security education. In
`
`2009 I founded FatSkunk, a provider of mobile malware detection software; I
`
`served as Chief Technical Officer of FatSkunk from 2009 to 2013, when FatSkunk
`
`was acquired by Qualcomm and I became a Qualcomm employee. In 2013 I
`
`founded ZapFraud, a provider of anti-scam technology addressing Business Email
`
`Compromise, and I am currently its Chief Technical Officer. In 2014 I founded
`
`RightQuestion, a security consulting company.
`
`11.
`
`I have additionally served as a member of the fraud advisory board at
`
`LifeLock (an identity theft protection company); a member of the technical
`
`
`
`
`USR Exhibit 2011, Page 4
`
`
`
`IPR2018-01350
`
`advisory board at CellFony (a mobile security company); a member of the
`
`technical advisory board at PopGiro (a user reputation company); a member of the
`
`technical advisory board at MobiSocial dba Omlet (a social networking company);
`
`and a member of the technical advisory board at Stealth Security (an anti-fraud
`
`company). I have provided anti-fraud consulting to KommuneData (a Danish
`
`government entity), J.P. Morgan Chase, PayPal, Boku, and Western Union.
`
`12.
`
`I have authored five books and over 100 peer-reviewed publications,
`
`and have been a named inventor on over 100 patents and patent applications.
`
`13. My work has included research in the area of applied security,
`
`privacy, cryptographic protocols, authentication, malware, social engineering,
`
`usability and fraud.
`
`II. LEGAL UNDERSTANDING
`
`A. The Person of Ordinary Skill in the Art
`
`14.
`
`I understand that a person of ordinary skill in the relevant art (also
`
`referred to herein as “POSITA”) is presumed to be aware of all pertinent art, thinks
`
`along conventional wisdom in the art, and is a person of ordinary creativity—not
`
`an automaton.
`
`15.
`
`I have been asked to consider the level of ordinary skill in the field
`
`that someone would have had at the time the claimed invention was made. In
`
`deciding the level of ordinary skill, I considered the following:
`
`
`
`
`USR Exhibit 2011, Page 5
`
`
`
` the levels of education and experience of persons working in the
`
`IPR2018-01350
`
`field;
`
` the types of problems encountered in the field; and
`
` the sophistication of the technology.
`
`16. A person of ordinary skill in the art relevant to the ’539 patent at the
`
`time of the invention would have a Bachelor of Science degree in electrical
`
`engineering and/or computer science, and three years of work or research
`
`experience in the fields of secure transactions and encryption, or a Master’s degree
`
`in electrical engineering and/or computer science and two years of work or
`
`research experience in related fields.
`
`17.
`
`I am well-qualified to determine the level of ordinary skill in the art
`
`and am personally familiar with the technology of the ’539 Patent. I was a person
`
`of at least ordinary skill in the art at the time of the priority date of the ’539 patent
`
`in 2001. Regardless if I do not explicitly state that my statements below are based
`
`on this timeframe, all of my statements are to be understood as a POSITA would
`
`have understood something as of the priority date of the ’539 patent.
`
`B.
`
`Legal Principles
`
`18.
`
`I am not a lawyer and will not provide any legal opinions.
`
`
`
`
`USR Exhibit 2011, Page 6
`
`
`
`IPR2018-01350
`
`19. Though I am not a lawyer, I have been advised that certain legal
`
`standards are to be applied by technical experts in forming opinions regarding the
`
`meaning and validity of patent claims.
`
`20.
`
`I have been informed and understand that if the Board should accept
`
`Petitioner’s arguments and cancel any of the original issued claims of the ’539
`
`patent, Patent Owner has made a conditional motion to amend to substitute the
`
`canceled claim(s) with corresponding proposed amended claims 39-52, as set forth
`
`in Section III of Ex. 2010 (my declaration in support of Patent Owner’s
`
`Conditional Motion to Amend).
`
`21.
`
`I have been informed and understand that to permit the proposed
`
`substitute claims to be entered, Patent Owner must show, among other things, that
`
`the substitute claims are supported by the written description of the original
`
`disclosure of the patent, as well as any patent application to which the claim seeks
`
`the benefit of priority in this proceeding.
`
`22.
`
`I have been informed by counsel and understand that to satisfy the
`
`written description requirement, the substitute claims must be disclosed in
`
`sufficient detail such that one skilled in the art can reasonably conclude that the
`
`inventor had possession of the claimed invention as of the filing date sought. I
`
`understand that the Patent Owner can show possession of the claimed invention by
`
`
`
`
`USR Exhibit 2011, Page 7
`
`
`
`IPR2018-01350
`
`pointing to such descriptive means as words, structures, figures, diagrams, and
`
`formulas that fully set forth the claimed invention.
`
`23.
`
`I have been informed by counsel and understand that incorporation by
`
`reference is a method by which material from one or more documents may be
`
`integrated into a host document. I understand that material incorporated by
`
`reference is considered part of the written description of the patent that can be used
`
`to show possession of the claimed invention.
`
`24.
`
`I have been informed by counsel and understand that to permit the
`
`proposed substitute claims to be entered, Patent Owner must show, among other
`
`things, that the substitute claims do not introduce new subject matter.
`
`25.
`
`I understand that new matter is any addition to the claims without
`
`support in the original disclosure.
`
`26.
`
`I have been informed by counsel and understand that to permit the
`
`proposed substitute claims to be entered, Patent Owner must show, among other
`
`things, the substitute claims do not broaden the scope of the original claims.
`
`27.
`
`I understand that claims in dependent form are construed to include all
`
`the limitations of the claim incorporated by reference into the dependent claim and
`
`further limit the claim incorporated by reference.
`
`28.
`
`It has been explained to me by counsel for the Patent Owner that in
`
`proceedings before the USPTO, the claims of an unexpired patent are to be given
`
`
`
`
`USR Exhibit 2011, Page 8
`
`
`
`IPR2018-01350
`
`their broadest reasonable interpretation in view of the specification from the
`
`perspective of one having ordinary skill in the relevant art at the time of the
`
`invention. I have considered each of the claim terms using the broadest reasonable
`
`interpretation standard.
`
`III. SUBSTITUTE CLAIMS HAVE WRITTEN DESCRIPTION
`SUPPORT
`
`A. Limitations 39[c], 48[a], 51[d], 52[pre] Have Written Support
`
`29. Petitioner incorrectly alleges that the ’539 patent’s specification
`
`“do[es] not describe…a lack of communications between the USR system and the
`
`entity while receiving the transaction request or enabling the transaction.” Opp. at
`
`4. In my opinion, the specification clearly describes an embodiment where there
`
`are no communications between the secure registry and the entity during the
`
`transaction process. For example, application no. 11/768,729 (“’729 Application”)
`
`describes an embodiment “for facilitating purchase of goods or services” in
`
`connection with FIG. 8 where “the user initiates a purchase (800), enters a secret
`
`code in the electronic ID device (802) and presents the resultant code to the
`
`merchant.” ’729 Application at 17:27-30, FIG. 8. A POSITA would understand
`
`that from this point on, the merchant takes over the transaction. Specifically, the
`
`merchant generates its own message that includes a number of different things: a
`
`store number that identifies the merchant, an amount of the purchase, and the code.
`
`Id. at 17:30-18:1. I believe that a POSITA would understand that the merchant’s
`
`
`
`
`USR Exhibit 2011, Page 9
`
`
`
`IPR2018-01350
`
`generation of this new message, which includes additional substantive information
`
`provided by the merchant and not the entity (e.g., store number, sale amount, etc.),
`
`and subsequent transmission to the secure registry means that the merchant—not
`
`the entity—is communicating with the secure registry. This is true even if it’s
`
`assumed that the entity provides the merchant the time-varying code, which is not
`
`required by the claims. Furthermore, assuming for the sake of argument that the
`
`entity provides the time-varying code to the merchant and that doing so constitutes
`
`communication “between” the secure registry and the entity (e.g., claim 52[pre]
`
`reciting “between”), in my opinion this would not negate written description
`
`support for limitations 39[c], 48[a] that limit one-way communication from the
`
`secure registry with the entity. See claims 39, 48 (“without the secure registry
`
`system communicating with the entity”).
`
`30.
`
`I believe that Petitioner’s citation to the specification’s discussion of
`
`the “training process” (Opp. at 4) is also inapposite because communications
`
`between the entity and secure registry during the training process take place before
`
`a transaction is initiated and a provider makes a request to access secure data. See,
`
`e.g., ’729 Application at 14:1-16:27, FIGS. 5-6. And here the claims expressly
`
`specify that “the transaction request [is] received at the secure registry system
`
`without the secure registry system communicating with the entity” (39[c], 48[a])
`
`and the secure registry system is for “providing information to a provider to enable
`
`
`
`
`USR Exhibit 2011, Page 10
`
`
`
`IPR2018-01350
`
`transactions between the provider and entities…without establishing and/or
`
`maintaining communications between the secure registry system and an entity”
`
`(52[pre]). Claim 51 even expressly distinguishes the “training process”—where the
`
`secure registry and entity do communicate—from the “transaction process” where
`
`they do not.
`
`31.
`
`I understand that Petitioner also argues that these claim limitations are
`
`allegedly unsupported because “[t]he user’s device must communicate with the
`
`USR because the biometric verification information is stored in the USR
`
`database.” Opp. at 5. As an initial matter, I’d like to point out that claim 51 does
`
`not recite biometric verification of the entity, and thus Petitioner’s argument here
`
`must be rejected as to Claim 51. As to claims 39, 48, and 52, I believe Petitioner
`
`incorrectly presupposes that the entity must communicate with the USR to have the
`
`entity’s identity verified using the entity’s biometric. This is not true. First,
`
`Petitioner assumes that the biometric verification information must be “stored in
`
`the USR database.” Opp. at 5. While, the specification does describe how
`
`biometric information may be stored at the USR database (see, e.g., Ex. 2008,
`
`’729 Application at 12:20-28), in my opinion a POSITA would understand based
`
`on the claims’ plain language that the claims do not require such information to be
`
`stored at the USR database.
`
`32. Second, even if biometric verification information were stored at the
`
`
`
`
`USR Exhibit 2011, Page 11
`
`
`
`IPR2018-01350
`
`secure registry, I believe Petitioner improperly assumes that entity verification
`
`using such information stored at the secure registry necessarily requires
`
`communication between the entity and the secure registry. The claims should not
`
`be construed so narrowly. A POSITA would understand that the claims in light of
`
`the specification are broad enough such that verification of the entity’s identity
`
`using a biometric could occur without the entity communicating with the secure
`
`registry. For instance, a POSITA would understand that the provider (e.g., a
`
`merchant at a point of use) may generate and/or supply the entity’s biometric
`
`information that may be communicated to the secure registry. See, e.g., Ex. 2008,
`
`’729 Application at 5:16-17 (“The identity of the user possessing the identifying
`
`device may be verified at the point of use.”). As another non-limiting example, a
`
`POSITA would understand that verifying the user at the point of use may allow
`
`such biometric information to be communicated as part of the transaction request
`
`that includes other data generated by the provider, such as a store number and
`
`transaction amount. And, as I describe above, since such a message may be
`
`generated at the provider, a POSITA would understand that the provider is
`
`communicating with the secure registry and not the entity. As to the latter point,
`
`claims 39[c], 48[a] also specify that the secure registry does not communicate with
`
`the entity, which does not preclude communications from the entity to the secure
`
`registry.
`
`
`
`
`USR Exhibit 2011, Page 12
`
`
`
`IPR2018-01350
`
`33. Third, as discussed below, the claims do not imply any timing
`
`restrictions as to when the entity’s biometric is verified. See Section III.B. Thus,
`
`even if the claims were read so narrowly as to require that the entity must
`
`communicate with the secure registry to verify the entity’s identity, I believe the
`
`verification process could take place before the transaction request is received at
`
`the secure registry. Indeed, in some cases a POSITA may desire to verify the
`
`identity of the entity first before transaction request generation and receipt at the
`
`secure registry.
`
`B.
`
`Limitations 46[b] and 52[c] Have Written Description Support
`
`34.
`
`I understand that Petitioner argues that limitations 46[b] and 52[c],
`
`which recite the entity “having been verified” or “having had its identity verified,”
`
`lack written description support because “[n]either the cited priority documents nor
`
`the ’539 patent contemplate…using a biometric prior to the USR system receiving
`
`the transaction request.” Opp. at 5-6 (emphasis in original). In my opinion,
`
`Petitioner’s analysis is premised on the mistaken belief that the claim language
`
`“having been” and “having had” necessarily indicate timing of biometric
`
`verification relative to other steps recited in the claims, and in particular, require
`
`that biometric verification of the user take place before the transaction request is
`
`received. I disagree. A POSITA reading the language of the claims as a whole in
`
`light of the specification would understand that no timing requirement—before or
`
`
`
`
`USR Exhibit 2011, Page 13
`
`
`
`IPR2018-01350
`
`after—is implied for biometric verification of the user relative to other steps in the
`
`claim, including receipt of the transaction request at the secure registry. I believe
`
`that a POSITA would further understand that these claims have ample written
`
`description support and that the inventor was in possession of the claimed
`
`invention. See, e.g., Ex. 2008, ’729 Application at 5:11-21, 12:20-28; see also
`
`MTA at 7-8.
`
`C. Limitations 40[b] and 46[d] Have Written Description Support
`
`35.
`
`I believe that the ’729 Application provides unequivocal written
`
`description support for “map the time-varying multicharacter code to the identity
`
`of the entity using the time-varying multicharacter code and the time value.” The
`
`specification expressly states, “Where the number from the electronic ID device is
`
`a time varying number, the merchant may also need to input the time the
`
`number was received. Alternatively, the electronic ID device may encode or
`
`encrypt the time with the number, the USR software being able to extract time
`
`when receiving the number from the merchant.” Ex. 2008 at 19:27-31. The
`
`specification also states, “The merchant transmits to the credit card company (1)
`
`the code from the electronic ID device, (2) the store number, (3) the amount of the
`
`purchase (704), and the time of receipt of the code.” Id. at 17:7-11. In my opinion,
`
`a POSITA would understand that the purpose of this timing information is to allow
`
`the secure registry to make proper use of the received “time-varying”
`
`
`
`
`USR Exhibit 2011, Page 14
`
`
`
`IPR2018-01350
`
`number/code, which is time-dependent. Thus, to be able to map the time-varying
`
`code received, the secure registry and the ID device generating the time-varying
`
`code need timing synchronization, and one way to accomplish that is to receive the
`
`timing information along with the time-varying code. This is further evidenced by
`
`the specification’s express disclosure that “The USR software 18 determines if the
`
`code…was valid at the time offered.” Ex. 2008 at 17:11-12. I believe that this
`
`means that the secure registry uses the timing information received to determine
`
`whether the time-varying code’s value at that earlier time matches and is valid.
`
`Thus, the specification supports limitations 40[b], 46[d].
`
`D. Limitation 51[b] Has Written Description Support
`
`36. Although the specification expressly describes an entity storing secure
`
`data at a secure registry during a “training process” (see Ex. 2008 at 14:1-15:9,
`
`FIG. 5), I understand that Petitioner argues that limitation 51[b] allegedly lacks
`
`support because “[t]he specifications do not describe a training process involving
`
`multiple entities, rather they merely teach individual training by an individual
`
`entity.” Opp. at 7-8. But the disputed claim language recites the training of plural
`
`“entities” consistent with the preceding claim language: “entities with secure data
`
`stored in the secure registry system.” Having admitted ample support for a
`
`“training process” for a single entity, I believe Petitioner’s argument of no written
`
`support lacks any reasonable basis.
`
`
`
`
`USR Exhibit 2011, Page 15
`
`
`
`IPR2018-01350
`
`IV. SUBSTITUTE CLAIMS ARE PATENTABLE OVER PRIOR ART
`
`A. Brener Teaches Away From Limitations 39[c], 48[a], 51[d],
`52[pre] and Petitioner Further Fails to Explain Why A POSITA
`Would Be Motivated To Combine Brener with Desai
`
`37.
`
`I understand that Petitioner argues that limitations 39[c], 48[a] (“the
`
`transaction request is received at the secure registry system without the secure
`
`registry system communicating with the entity on whose behalf a transaction is to
`
`be performed”), 51[d] (“the transaction request received at the secure registry
`
`system during a transaction process initiated after completion of the training
`
`process and termination of communications between the secure registry system and
`
`the entity on whose behalf the transaction is to be performed”), and 52[pre]
`
`(“enable transactions between the provider and entities with secure data stored in
`
`the secure registry system without establishing and/or maintaining communications
`
`between the secure registry system and an entity on whose behalf a transaction is
`
`to be performed”) are obvious because “Brener discloses sending the transaction
`
`request information to the secure computer by the vendor, rather than the
`
`customer.” Opp. at 9 (citing Ex. 1005, Brener at 2:19-3:11). In my opinion,
`
`Petitioner overlooks a fundamental aspect of Brener’s system that inherently
`
`teaches away from these claim limitations: the customer computer 100 must first
`
`login and connect to the secure provider 110 (alleged secure registry) to
`
`anonymously access the vendor web sites 140 and initiate purchase transactions.
`
`
`
`
`USR Exhibit 2011, Page 16
`
`
`
`IPR2018-01350
`
`38.
`
`I believe that a POSITA would understand that the crux of Brener’s
`
`invention is to provide e-commerce customers “complete anonymity” while
`
`carrying out purchase transactions with online vendors. See, e.g., Ex. 1005, Brener
`
`at 2:12-15 (“what is needed is a secure Internet system that eliminates the need to
`
`provide vendors with both customers’ actual identities and shipping addresses, and
`
`accordingly provides customers with complete anonymity”), 2:15-17 (“It would
`
`also be desirable to provide such an e-commerce system whereby the customer
`
`can remain anonymous but still visit web sites as a character or persona such that
`
`he or she is recognized upon return to the vendor web site.”), 8:3-4 (“The present
`
`invention desirably allows a customer to shop on-line at vendor web sites in an
`
`anonymous fashion.”), 14:23-24 (“A key aspect of the present invention is the
`
`secure and anonymous shipping protocol used.”), 21:18-20 (“The present
`
`invention is applicable to the retail industry or elsewhere where vendors may wish
`
`to display their goods or services at a web site on the Internet and allow customers
`
`to browse and make purchases from a vendor web site anonymously.”), claims
`
`1 and 9 (“(c) anonymously connecting to the vendor web site by the customer
`
`computer using the identity of the customer object without revealing the identity
`
`and physical location of the customer”).
`
`39. A POSITA would further understand that the cornerstone of this
`
`customer anonymity is Brener’s secure provider 110 (alleged secure registry).
`
`
`
`
`USR Exhibit 2011, Page 17
`
`
`
`IPR2018-01350
`
`Brener explicitly teaches that its “invention desirably allows a customer to shop
`
`on-line at vendor web sites in an anonymous fashion,” and that “[t]o do so, a
`
`customer uses his customer computer 100…to connect the secure provider
`
`computer 110 and login with a certificate based ID and password.” Ex. 1005,
`
`Brener at 8:3-6. Brener further explains that “[o]nce the customer computer 100 is
`
`connected to the secure provider computer 110, a secure connection pipeline 120
`
`is provided between the customer computer 100 and the secure provider
`
`computer 110 in order to prevent transmissions between the customer computer
`
`100 and the secure provider computer 110 from being monitored.” Id. at 8:21-25.
`
`The secure provider 110 even sends the customer computer virtual private network
`
`(“VPN”) software “that enables the customer computer 100 to connect directly to
`
`the secure provider computer 100, along a known, fixed node-to-node route” in
`
`order to “protect the privacy of the user.” Id. at 8:25-9:3. The VPN allows the
`
`customer computer 100 to hide its address (e.g., IP address) from the vendor
`
`computers 140 and allows “the customer computer 100 [to] anonymously connect
`
`to the web sites of various vendor computers 140 using the Internet via the secure
`
`provider’s proxy servers.” Id. at 9:3-14. Annotated FIG. 1 of Brener below
`
`illustrates the secure connection pipeline 120. Notably, each and every customer
`
`computer 100 is shown to be connected to (i.e., in communication with) the secure
`
`provider 110 and uses the secure connection pipeline 120 of the secure provider
`
`
`
`
`USR Exhibit 2011, Page 18
`
`
`
`110 to access the vendor computers 140 and carry out purchase transactions.
`
`IPR2018-01350
`
`
`
`40. A POSITA would know that the customer computer’s 100 connection
`
`to the secure provider 110 is vital to Brener’s e-commerce system not only because
`
`of the anonymity provided by the secure provider’s proxy servers, but also because
`
`the connection is necessary to establish and use a customer object (e.g., GOLFO or
`
`certificate) that identifies the customer computer 100 to vendors 140 without
`
`revealing the customer computer’s 100 sensitive information (e.g., real name, real
`
`address). See, e.g., Ex. 1005, Brener at 10:25-27 (“When a customer signs up to
`
`use the secure provider web site and services, the customer is prompted to create a
`
`‘persona’ or customer object to be stored on a database 130 on the secure provider
`
`computer 110.”), 11:11-15 (“[T]he customer can create and modify his customer
`
`object via a personalized home page stored on the web site of the secure provider
`
`
`
`
`USR Exhibit 2011, Page 19
`
`
`
`IPR2018-01350
`
`computer 110. For example…the customer might create the persona or customer
`
`object named ‘GOLFO,’ which object can then be used to navigate anonymously
`
`on the Internet.”), 11:23-12:2 (Secure provider 110 stores the customer object and
`
`can use it to identify a returning user of the secure provider’s website), 12:3-6
`
`(“Once the customer computer 100 has been identified as a member of the web site
`
`of the secure provider computer 110, the customer computer 100 can then access
`
`the Internet through the web site of the secure provider computer 110 and
`
`begin to securely browse.”), 12:7-20.
`
`41. Consequently, a POSITA would understand that Brener’s system
`
`requires that the customer computer 100 and the secure provider 110 establish and
`
`maintain communications with each other in order for the customer 100 to initiate
`
`and conduct purchase transactions with vendors 140. As such, in my opinion
`
`Brener teaches away from the amended claims, which require that “the transaction
`
`request is received at the secure registry system without the secure registry system
`
`communicating with the entity on whose behalf a transaction is to be performed”
`
`(38[c], 48[a]) or that “the transaction request received at the secure registry system
`
`during a transaction process initiated after completion of the training process and
`
`termination of communications between the secure registry system and the entity
`
`on whose behalf the transaction is to be performed” (51[d]). See also Claim
`
`52[pre]. I also believe that Brener never discloses—nor does Petitioner argue—that
`
`
`
`
`USR Exhibit 2011, Page 20
`
`
`
`IPR2018-01350
`
`the customer computer 100 disconnects from Brener’s secure provider 110 at any
`
`point while the purchase transaction is carried out by Brener’s vendor 140, bank
`
`150, and secure provider 110. Indeed, doing so would be completely counter to
`
`Brener’s teachings of customer anonymity provided to the customer by the secure
`
`provider’s proxy servers and VPN (see Ex. 1005, Brener at 8:21-9:14, 12:3-6) and
`
`use of the customer object. See, e.g., id. at 11:23-25 (“Once the customer joins the
`
`web site of the secure provider computer 110, the customer is provided with a
`
`customer object identifier.”); see also id. at 10:25-27, 11:11-15, 11:25-12:20.
`
`Accordingly, in my opinion, Petitioner’s argument that Brener teaches limitations
`
`38[c], 48[a], 51[d], 52[pre] because “Brener discloses sending the transaction
`
`request information to the secure computer by the vendor, rather than the
`
`customer” is meritless and irrelevant since Brener’s customer computer 100 and
`
`secure provider 110 are continuously in communication with each other during the
`
`transaction process.
`
`42.
`
`I understand that Petitioner also argues that Desai purportedly
`
`describes—like Brener—that a transaction request is sent from the merchant to the
`
`secure registry. See Opp. at 9-10. Even if this is true, Petitioner provides absolutely
`
`no explanation of how Brener would be modified so that its customer computer
`
`100 did not remain communicatively connected to the secure provider 110 during
`
`the transaction process, or why a POSITA would be motivated to change such a
`
`
`
`
`USR Exhibit 2011, Page 21
`
`
`
`IPR2018-0135
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
