IPR2018-01350
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`________________
`
`
`VISA INC. and VISA U.S.A. INC.,
`Petitioner,
`
`v.
`
`UNIVERSAL SECURE REGISTRY LLC,
`Patent Owner
`________________
`
`Case IPR2018-01350
`U.S. Patent No. 8,856,539
`________________
`
`
`
`
`
`
`PATENT OWNER’S EXHIBIT 2001
`
`DECLARATION OF MARKUS JAKOBSSON
`
`IN SUPPORT OF PATENT OWNER’S PRELIMINARY RESPONSE
`
`
`
`
`
`
`
`USR Exhibit 2001
`
`
`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`________________
`
`
`VISA INC. and VISA U.S.A. INC.,
`Petitioner,
`
`v.
`
`UNIVERSAL SECURE REGISTRY LLC,
`Patent Owner
`________________
`
`Case IPR2018-01350
`U.S. Patent No. 8,856,539
`________________
`
`
`
`
`
`
`PATENT OWNER’S EXHIBIT 2001
`
`DECLARATION OF MARKUS JAKOBSSON
`
`IN SUPPORT OF PATENT OWNER’S PRELIMINARY RESPONSE
`
`
`
`
`
`
`
`USR Exhibit 2001
`
`
`
`
`
`
`IPR2018-01350
`
`1.
`
`I have been retained on behalf of Universal Secure Registry LLC
`
`(“Patent Owner”) in connection with the above-captioned inter partes review
`
`(IPR). I have been retained to provide my opinions in support of USR’s
`
`Preliminary Response. I am being compensated for my time at the rate of $625 per
`
`hour. I have no interest in the outcome of this proceeding.
`
`2.
`
`In preparing this declaration, I have reviewed and am familiar with the
`
`Petition for IPR2018-01350, U.S. Patent No. 8,856,539, and its file history, and all
`
`other materials cited and discussed in the Petition (including the declaration of
`
`Justin Douglas Tygar Ph.D) and cited and discussed in this Declaration. I
`
`understand the Petition asserts that claims 1-9, 16-31, 37, and 38 (together “the
`
`Challenged Claims”) are obvious under 35 U.S.C. Section 103 over WO 00/14648
`
`(“Brener”), U.S. Patent No. 4,885,778 (“Weiss”) and U.S. Patent No. 6,820,204 B1
`
`(“Desai”).
`
`3.
`
`The statements made herein are based on my own knowledge and
`
`opinion. This Declaration represents only the opinions I have formed to date. I may
`
`consider additional documents as they become available or other documents that
`
`are necessary to form my opinions. I reserve the right to revise, supplement, or
`
`amend my opinions based on new information and on my continuing analysis.
`
`
`
`
`USR Exhibit 2001, Page 1
`
`
`
`IPR2018-01350
`
`I.
`
`QUALIFICATIONS
`
`4. My qualifications can be found in my Curriculum Vitae, which
`
`includes my detailed employment background, professional experience, and list of
`
`technical publications and patents. Ex. 2002.
`
`5.
`
`I am currently the Chief of Security and Data Analytics at Amber
`
`Solutions, Inc., a cybersecurity company that develops home and office automation
`
`technology. At Amber, my research studies and addresses abuse, including social
`
`engineering, malware and privacy intrusions. My work primarily involves
`
`identifying risks, developing protocols and user experiences, and evaluating the
`
`security of proposed approaches.
`
`6.
`
`I received a Master of Science degree in Computer Engineering from
`
`the Lund Instituted of Technology in Sweden in 1993, a Master of Science degree
`
`in Computer Science from the University of California at San Diego in 1994, and a
`
`Ph.D. in Computer Science from the University of California at San Diego in 1997,
`
`specializing in Cryptography. During and after my Ph.D. studies, I was also a
`
`Researcher at the San Diego Supercomputer Center, where I did research on
`
`authentication and privacy.
`
`7.
`
`From 1997 to 2001, I was a Member of Technical Staff at Bell Labs,
`
`where I did research on authentication, privacy, multi-party computation, contract
`
`exchange, digital commerce including crypto payments, and fraud detection and
`
`
`
`
`USR Exhibit 2001, Page 2
`
`
`
`IPR2018-01350
`
`prevention. From 2001 to 2004, I was a Principal Research Scientist at RSA Labs,
`
`where I worked on predicting future fraud scenarios in commerce and
`
`authentication and developed solutions to those problems. During that time I
`
`predicted the rise of what later became known as phishing. I was also an Adjunct
`
`Associate Professor in the Computer Science department at New York University
`
`from 2002 to 2004, where I taught cryptographic protocols.
`
`8.
`
`From 2004 to 2016, I held a faculty position at the Indiana University
`
`at Bloomington, first as an Associate Professor of Computer Science, Associate
`
`Professor of Informatics, Associate Professor of Cognitive Science, and Associate
`
`Director of the Center for Applied Cybersecurity Research (CACR) from 2004 to
`
`2008; and then as an Adjunct Associate Professor from 2008 to 2016. I was the
`
`most senior security researcher at Indiana University, where I built a research
`
`group focused on online fraud and countermeasures, resulting in over 50
`
`publications and two books.
`
`9. While a professor at Indiana University, I was also employed by
`
`Xerox PARC, PayPal, and Qualcomm to provide thought leadership to their
`
`security groups. I was a Principal Scientist at Xerox PARC from 2008 to 2010, a
`
`Director and Principal Scientist of Consumer Security at PayPal from 2010 to
`
`2013, a Senior Director at Qualcomm from 2013 to 2015, and Chief Scientist at
`
`Agari from 2016 to 2018. Agari is a cybersecurity company that develops and
`
`
`
`
`USR Exhibit 2001, Page 3
`
`
`
`IPR2018-01350
`
`commercializes technology to protect enterprises, their partners and customers
`
`from advanced email phishing attacks. At Agari, my research studied and
`
`addressed trends in online fraud, especially as related to email, including problems
`
`such as Business Email Compromise, Ransomware, and other abuses based on
`
`social engineering and identity deception. My work primarily involved identifying
`
`trends in fraud and computing before they affected the market, and developing and
`
`testing countermeasures, including technological countermeasures, user interaction
`
`and education.
`
`10.
`
`I have founded or co-founded several successful computer security
`
`companies. In 2005 I founded RavenWhite Security, a provider of authentication
`
`solutions, and I am currently its Chief Technical Officer. In 2007 I founded
`
`Extricatus, one of the first companies to address consumer security education. In
`
`2009 I founded FatSkunk, a provider of mobile malware detection software; I
`
`served as Chief Technical Officer of FatSkunk from 2009 to 2013, when FatSkunk
`
`was acquired by Qualcomm and I became a Qualcomm employee. In 2013 I
`
`founded ZapFraud, a provider of anti-scam technology addressing Business Email
`
`Compromise, and I am currently its Chief Technical Officer. In 2014 I founded
`
`RightQuestion, a security consulting company.
`
`11.
`
`I have additionally served as a member of the fraud advisory board at
`
`LifeLock (an identity theft protection company); a member of the technical
`
`
`
`
`USR Exhibit 2001, Page 4
`
`
`
`IPR2018-01350
`
`advisory board at CellFony (a mobile security company); a member of the
`
`technical advisory board at PopGiro (a user reputation company); a member of the
`
`technical advisory board at MobiSocial dba Omlet (a social networking company);
`
`and a member of the technical advisory board at Stealth Security (an anti-fraud
`
`company). I have provided anti-fraud consulting to KommuneData (a Danish
`
`government entity), J.P. Morgan Chase, PayPal, Boku, and Western Union.
`
`12.
`
`I have authored five books and over 100 peer-reviewed publications,
`
`and have been a named inventor on over 100 patents and patent applications.
`
`13. My work has included research in the area of applied security,
`
`privacy, cryptographic protocols, authentication, malware, social engineering,
`
`usability and fraud.
`
`II. LEGAL UNDERSTANDING
`
`A. The Person of Ordinary Skill in the Art
`
`14.
`
`I understand that a person of ordinary skill in the relevant art (also
`
`referred to herein as “POSITA”) is presumed to be aware of all pertinent art, thinks
`
`along conventional wisdom in the art, and is a person of ordinary creativity—not
`
`an automaton.
`
`15.
`
`I have been asked to consider the level of ordinary skill in the field
`
`that someone would have had at the time the claimed invention was made. In
`
`deciding the level of ordinary skill, I considered the following:
`
`
`
`
`USR Exhibit 2001, Page 5
`
`
`
`• the levels of education and experience of persons working in the
`
`IPR2018-01350
`
`field;
`
`• the types of problems encountered in the field; and
`
`• the sophistication of the technology.
`
`16. A person of ordinary skill in the art relevant to the ’539 patent at the
`
`time of the invention would have a Bachelor of Science degree in electrical
`
`engineering and/or computer science, and three years of work or research
`
`experience in the fields of secure transactions and encryption, or a Master’s degree
`
`in electrical engineering and/or computer science and two years of work or
`
`research experience in related fields.
`
`17.
`
`I have reviewed the declaration of Dr. Tygar, including his opinions
`
`regarding the Person of Ordinary Skill in the Art. Ex. 1002 at ¶¶ 41-46. My
`
`description of the level of ordinary skill in the art is essentially the same as that of
`
`the Dr. Tygar, except that Dr. Tygar’s description requires two years of work or
`
`research experience (as compared to three years). The opinions set forth in this
`
`Declaration response would be the same under either my or Dr. Tygar’s proposal.
`
`18.
`
`I am well-qualified to determine the level of ordinary skill in the art
`
`and am personally familiar with the technology of the ’539 Patent. I was a person
`
`of at least ordinary skill in the art at the time of the priority date of the ’539 patent
`
`in 2001. Regardless if I do not explicitly state that my statements below are based
`
`
`
`
`USR Exhibit 2001, Page 6
`
`
`
`IPR2018-01350
`
`on this timeframe, all of my statements are to be understood as a POSITA would
`
`have understood something as of the priority date of the ’539 patent.
`
`B.
`
`19.
`
`Legal Principles
`
`I am not a lawyer and will not provide any legal opinions. Though I
`
`am not a lawyer, I have been advised that certain legal standards are to be applied
`
`by technical experts in forming opinions regarding the meaning and validity of
`
`patent claims.
`
`1. Obviousness
`
`20.
`
`I understand that to obtain a patent, a claimed invention must have, as
`
`of the priority date, been nonobvious in view of prior art in the field. I understand
`
`that an invention is obvious when the differences between the subject matter
`
`sought to be patented and the prior art are such that the subject matter as a whole
`
`would have been obvious at the time the invention was made to a person having
`
`ordinary skill in the art.
`
`21.
`
`I understand that to prove that prior art, or a combination of prior art,
`
`renders a patent obvious, it is necessary to: (1) identify the particular references
`
`that singly, or in combination, make the patent obvious; (2) specifically identify
`
`which elements of the patent claim appear in each of the asserted references; and
`
`(3) explain how the prior art references could have been combined to create the
`
`inventions claimed in the asserted claim.
`
`
`
`
`USR Exhibit 2001, Page 7
`
`
`
`IPR2018-01350
`
`22.
`
`I understand that a patent composed of several elements is not proved
`
`obvious merely by demonstrating that each of its elements was, independently,
`
`known in the prior art, and that obviousness cannot be based on the hindsight
`
`combination of components selectively culled from the prior art to fit the
`
`parameters of the patented invention.
`
`23.
`
`I also understand that a reference may be said to teach away when a
`
`person of ordinary skill, upon reading the reference, would be discouraged from
`
`following the path set out in the reference, or would be led in a direction divergent
`
`from the path that was taken by the applicant. Even if a reference is not found to
`
`teach away, I understand its statements regarding preferences are relevant to a
`
`finding regarding whether a skilled artisan would be motivated to combine that
`
`reference with another reference.
`
`2. My Understanding of Claim Construction Law
`
`24.
`
`I understand that in this inter partes review the claims must be given
`
`their broadest reasonable interpretation, but that interpretation must be consistent
`
`with the patent specification. In this Declaration, I have used the broadest
`
`reasonable interpretation (“BRI”) standard when interpreting the claim terms.
`
`
`
`
`
`
`
`
`
`
`USR Exhibit 2001, Page 8
`
`
`
`IPR2018-01350
`
`III. OVERVIEW OF THE ’539 PATENT
`
`A. The ’539 Patent Specification
`
`25.
`
`I have reviewed the ’539 patent. The ’539 patent provides a unique
`
`and highly secure anonymous identification system that uses a time-varying
`
`multicharacter code for both verifying the identity of an entity and also enabling
`
`transactions between the entity and a provider without requiring the entity to share
`
`personal or otherwise sensitive information with the provider. See Ex. 1001 at
`
`2:64-3:1, 3:24-27, 12:19-54. The system allows a person to purchase goods from a
`
`brick and mortar or online merchant without publicly providing credit card
`
`information to the merchant for fear that the credit card information may be stolen
`
`or used fraudulently. See id. at 3:44-54. As another example, the system allows a
`
`person seeking medical treatment to identify themselves before a medical provider,
`
`and also have the system provide insurance data, medical history data, and other
`
`medical information to the medical provider once the medical provider has
`
`established itself as an authorized recipient. See id. at 3:55-60.
`
`26. Referring to FIGS. 1 and 3 of the ’539 patent, the system’s main unit
`
`12, which may be connected to a wide area network, includes a database 24 that
`
`stores data entries 30 related to different people or entities. Id. at 7:11-13, 7:40-41.
`
`Each entry 30 may contain different types of information such as, but not limited
`
`to, validation information, access information, publicly available information,
`
`
`
`
`USR Exhibit 2001, Page 9
`
`
`
`IPR2018-01350
`
`address information, credit card information, medical information, job application
`
`information, and/or tax information. Id. at 7:57-63. The validation information 32
`
`is information about the user and is used by the main unit’s software 18 to validate
`
`that the person attempting to access the information is authorized to receive it. Id.
`
`at 8:10-14. In particular, the validation information 32 contains information that
`
`enables the software 18 to validate a person that has presented the system with a
`
`one-time nonpredictable code uniquely associated with the user. See id. at 8:17-35.
`
`The access information 34 allows different levels of security to attach to different
`
`types of information stored in each entry 30 so that the user can specify which
`
`particular individuals or organizations can have access to what specific data (e.g.,
`
`credit card numbers, medical information, and tax information). See id. at 8:62-
`
`9:11.
`
`27. Referring to FIG. 8, one aspect of using the system includes the useful
`
`ability to purchase goods or services from a merchant without revealing to the
`
`merchant account information relating to the user’s credit card. Id. at 9:46-50.
`
`A user desiring to make a purchase at a merchant without providing their financial
`
`information, such as a credit or debit card number, may enter a secret code into
`
`their electronic ID device, which generates a one-time nonpredictable code that is
`
`provided to the merchant. Id. at 12:21-24. The merchant in turn may transmit the
`
`one-time nonpredictable code, a store number, and a purchase amount to the secure
`
`
`
`
`USR Exhibit 2001, Page 10
`
`
`
`IPR2018-01350
`
`registry. Id. at 12:24-26. The secure registry system may then determine whether
`
`the code received is valid, and if valid, accesses from the secure registry’s database
`
`24 the user’s actual credit card information. See id. at 12:27-29. The secure registry
`
`system next transmits to the credit card company the credit card number, the store
`
`number, and the purchase amount. Id. at 12:29-31. The credit card company then
`
`processes the transaction, such as by checking the credit worthiness of the person,
`
`and either declines the card or debits the user’s account and transfers money to the
`
`merchant’s account. Id. at 12:40-43. The credit card company notifies the secure
`
`registry system the transaction result and the secure registry system may in turn
`
`notify the merchant. Id. at 12:43-46.
`
`28. Thus, the ’539 patent’s USR system provides a secure anonymous
`
`identification system that uses a time-varying multicharacter code for both
`
`verifying the identity of an entity and also enabling transactions between the entity
`
`and a provider, such as a merchant, without requiring the entity to share personal
`
`or otherwise sensitive information with the provider. In one case, this allows a user
`
`to purchase goods or services from a merchant without providing the merchant the
`
`user’s credit card number. Advantageously, the system also allows such secure
`
`transactions to be transparent to the credit card company and thus requires no or
`
`minimal cooperation from the credit card company to implement.
`
`
`
`
`USR Exhibit 2001, Page 11
`
`
`
`IPR2018-01350
`
`29. Besides purchase transactions, the technology described in the ’539
`
`patent can be applied to a host of other applications that can benefit from secure
`
`identity verification systems and distributed secure data storage. As one example,
`
`such a system allows a patient to obtain medical treatment from a medical care
`
`provider without having to directly supply the medical care provider her medical
`
`history, which may not be with the patient herself. According to another example,
`
`the user may facilitate shipment of goods purchased from a merchant without
`
`having to provide the merchant their shipping address.
`
`B.
`
`The ’539 Patent Claims
`
`30. The ’539 patent includes 38 claims. Claims 1, 22, 37, and 38 are
`
`independent. I have reviewed the claims in detail.
`
`C.
`
`Prosecution History
`
`31. The ’539 patent issued on October 7, 2014 from U.S. Application
`
`No. 11/768,729 (“’729 Application”) filed on June 26, 2007. The ’729 Application
`
`is a continuation application of U.S. Application No. 09/810,703 filed on March
`
`16, 2001, now U.S. Patent No. 7,237,117.
`
`32. The Weiss reference raised by Petitioners was disclosed to the Patent
`
`Office during prosecution. Moreover, a related patent, U.S. Patent No. 5,657,388
`
`(“’388 patent”) claiming priority to Weiss, was the basis of a rejection. See Ex.
`
`1004 at 0669 (“Claims 1, 3-5, 9-16, 19-21, 24-30, 32-39 and 41-48 are rejected as
`
`
`
`
`USR Exhibit 2001, Page 12
`
`
`
`IPR2018-01350
`
`being unpatentable over Gioradano [sic] et al. US 7,571,139 B1 (hereinafter
`
`Gioradano [sic]) in view of Weiss US 5,657,388.”).
`
`33. Notably, the Patent Office relied upon the ’388 patent for the
`
`identical reason as Petitioner relies upon Weiss—to supplement a primary
`
`reference’s deficiency in teaching that a multicharacter code could be “time-
`
`varying.” Ex. 1004 at 0670 (“Gioradano [sic] does not explicitly teach a time-
`
`varying code. In the same field of endeavor, [the ’388 patent] teaches a time
`
`varying multi character code” . . . “It would have been obvious to one having
`
`ordinary skill in the art at the time of applicant’s invention to employ the teachings
`
`of [the ’388 patent] within the system of Gioradano [sic].”).
`
`34.
`
`In response to this rejection, Patent Owner amended the claims to add
`
`the limitation of “access restrictions” and argued that the prior art of record
`
`(Giordano in combination with the ’388 patent) did not disclose this feature. Ex.
`
`1004 at 0679 to 0691. See id. at 0688 (“Claim 1, as amended, now recites ‘a
`
`restriction mechanism configured to determine compliance with any access
`
`restrictions for the first party,’ which is not taught or suggested by Giordano or [the
`
`’388 patent]”). The Examiner found the amendments and arguments to be
`
`persuasive and subsequently dropped its reliance on the ’388 patent as teaching
`
`“time-varying.” Ex. 1004 at 0698 (“Examiner agreed the proposed amendment is
`
`not taught by the prior art”).
`
`
`
`
`USR Exhibit 2001, Page 13
`
`
`
`IPR2018-01350
`
`IV. OVERVIEW OF THE CITED ART
`
`A. Brener
`
`35. Brener is directed to a centralized system that generates and
`
`distributes static codes to a vendor that allow for anonymous shopping. Brener
`
`emphasizes that an object of its invention is “to provide such an e-commerce
`
`system whereby the customer can remain anonymous but still visit web sites as a
`
`character or persona such that he or she is recognized upon return to the vendor
`
`web site.” Brener at 2:15-17.
`
`36. To accomplish this goal, Brener touts that the “customer object” (i.e.,
`
`screen name persona like “GOLFO”) it uses to act as a proxy for the
`
`user/purchaser’s real identity can be remembered by the vendor (e.g., using
`
`cookies) so that the vendor may “develop a relationship with the customer through
`
`his persona” and promote goods/services that the vendor may believe the customer
`
`would be interested in based on prior purchases/site visits. Brener at 12:7-20.
`
`37.
`
`In particular, Brener teaches its’ customer object comprises a
`
`public/private key pairing, wherein the public key includes the user’s account
`
`number. Brener, 16:8-9 (“The public key will contain information such as a
`
`customer object and a customer bank account or credit card number.”). And,
`
`Brener further teaches that the public key is sent to the vendor 140. Brener at
`
`
`
`
`USR Exhibit 2001, Page 14
`
`
`
`IPR2018-01350
`
`16:15-16 (“When a customer computer 100 enters the web site of the vendor
`
`computer 140, the vendor computer 140 is provided with the public key.”).
`
`38. Brener also discloses that in a preferred embodiment the bank
`
`computer 150 keeps a blind eye to “the transactional information of the customer”
`
`and that “the bank need not know what is being purchased and from where, only
`
`that the customer has the money or credit to cover the transaction.” Brener, 13:26-
`
`14:4 (emphasis added).
`
`B. Weiss
`
`39. Weiss is directed to a co-generation system that synchronizes
`
`generation of separate, free running, time dependent equipment. Weiss at Title. In
`
`particular, Weiss discloses a distribution architecture that includes the capability of
`
`every system participant to generate the same authentication code at the same time.
`
`Weiss at Abstract. Most importantly, the invention uses a “predetermined
`
`algorithm [that] constantly generates new unique and verifiable non-predictable
`
`codes, which are derived from the fixed data and at least one dynamic variable,
`
`such as the time of day.” Weiss at 1:63-65. Moreover, Weiss requires the algorithm
`
`that generates the authentication code to be secret. Weiss at Abstract, line 3.
`
`C. Desai
`
`40. Desai discloses a system that “provid[es] users with granular control
`
`over arbitrary information that allows for selective, real-time information sharing
`
`
`
`
`USR Exhibit 2001, Page 15
`
`
`
`IPR2018-01350
`
`in a communications network.” Desai at Abstract, lines 1-3 (emphasis added).
`
`Specifically, Desai teaches providing user-by-user and element-by-element, or
`
`granular, restrictions to data. Desai at Abstract, lines 17-21 (“Each registered user
`
`may selectively control the granting and denying of access to each of its associated
`
`data elements by other respective user, on an element-by-element, and user-by-user
`
`basis.”); see id. at 3:38-40 (“Each user of the system and method has granular
`
`control over its own user profile information, and can control access to each stored
`
`data element”). Moreover, in Desai, the stored information is released directly to
`
`the vendor once the vendor establishes that it has the proper permissions. Desai at
`
`4:16-18 (“the vendors will not receive this information unless and until the
`
`registered user provides access to the vendor.”).
`
`V. CLAIM CONSTRUCTION
`
`A.
`
`41.
`
`“Based at least in part on the indication of the provider and the
`time-varying multicharacter code of the transaction request”
`
`I understand that Petitioner argues that the phrase “based at least in
`
`part on the indication of the provider and the time-varying multicharacter code of
`
`the transaction request” should be read to modify the phrase “completing the
`
`transaction” instead of “access restrictions for the provider.” See Petition at 17. I
`
`disagree.
`
`42.
`
`In my opinion the phrase “based at least in part on the indication of
`
`the provider and the time-varying multicharacter code of the transaction request”
`
`
`
`
`USR Exhibit 2001, Page 16
`
`
`
`IPR2018-01350
`
`should be construed to modify “determining compliance with any access
`
`restrictions for the provider to secure data of the entity.” This would be consistent
`
`with the plain language of the claims and in view of the specification.
`
`43. The specification of the ’539 patent explains that the USR system’s
`
`main unit 12, which may be connected to a wide area network, includes a database
`
`24 that stores data entries 30 related to different people or entities. Ex. 1001 at
`
`7:11-13; 7:40-41. Among other things, each database entry 30 may contain “access
`
`information 34” and certain pieces of data such as “Credit Card and Other
`
`Financial Information,” “Medical Information,” Job Application Information,” and
`
`“Tax Information.” Ex. 1001 at FIG. 3, 7:57-63. The access information 34 allows
`
`“different levels of security to attach to different types of information stored in the
`
`entry 30” so that the user can specify which particular individuals or companies
`
`can have access to what specific data such as credit card numbers, medical
`
`information, and tax information. See Ex. 1001 at 8:62-9:11.
`
`44. The specification further provides that during “training” of the USR
`
`database 24, the user “specif[ies] the type of access restrictions and/or whom
`
`should be allowed to access the advanced personal data.” Ex. 1001 at 10:23-25.
`
`Referring to FIG. 6 of the ’539 patent, once the database 24 has been trained,
`
`“USR software 18 queries whether the requester has the right to access the type of
`
`requested data,” and “determining the requestor’s rights (602) typically involves
`
`
`
`
`USR Exhibit 2001, Page 17
`
`
`
`IPR2018-01350
`
`validating the requestor’s identity and correlating the identity, the requested
`
`information and the access information 34 provided by the person to the USR
`
`database during the training process.” Ex. 1001 at 10:40-48. Thus, the context of
`
`“access rights” and compliance therewith is discussed in the specification and
`
`figures of the ’539 patent explicitly ties in the identity of the requestor (e.g.,
`
`provider).
`
`45. Therefore, a person of ordinary skill in the art would understand
`
`claims 1 and 22 to specify that compliance with any access restrictions for the
`
`provider to secure data of the entity for completing the transaction are based at
`
`least in part on the indication of the provider (i.e., who the requesting provider is)
`
`and the time-varying multicharacter code.
`
`46.
`
`I understand that Petitioner argues that the phrase at issue should only
`
`modify “completing the transaction” because some embodiments of the ’539 patent
`
`allegedly describe access to information “based solely on a determination whether
`
`‘the [electronic ID] code is valid.’” Petition at 17 (citing Ex. 1001, 11:49-65,
`
`12:19-31, 12:55-13:8, 13:35-57). First, each portion of the ’539 patent cited to by
`
`Petitioner explicitly recites that the provider’s request includes a store number (i.e.,
`
`one example of “indication of the provider”) before the transaction is approved or
`
`denied. Thus, Petitioner’s statement that these embodiments associated with FIGS.
`
`7-10 are “based solely on a determination whether the ‘the [electronic ID] code is
`
`
`
`
`USR Exhibit 2001, Page 18
`
`
`
`IPR2018-01350
`
`valid’” lacks merit in my opinion. Second, even if embodiments in the ’539 patent
`
`did not require an indication of the provider to be sent, the claims at issue recite
`
`and require that an indication of the provider is provided and that compliance with
`
`access restrictions is based on an indication of the provider and time-varying
`
`multicharacter code. In my view, Petitioner’s argument ignores the portion of the
`
`claim language that specifically make these recitations, and its limiting, improper
`
`interpretation and grammatical manipulations of the claim language runs counter to
`
`the ’539 patent’s specification.
`
`47. For these reasons, a person of ordinary skill in the art would
`
`understand that the phrase “based at least in part on the indication of the provider
`
`and the time-varying multicharacter code of the transaction request” should be
`
`construed to modify the terms “determining compliance with any access
`
`restrictions for the provider to secure data of the entity.”
`
`B.
`
`48.
`
`“Provider”
`
`I believe that a person of ordinary skill in the art would understand the
`
`term “provider” as used in the ’539 patent to mean “the party that engages in a
`
`transaction with an entity having secure data stored at a secure registry, the party
`
`providing a good or service to the entity and/or requesting information about the
`
`entity.”
`
`
`
`
`USR Exhibit 2001, Page 19
`
`
`
`IPR2018-01350
`
`49. This construction is consistent with the ’539 patent’s claims, which
`
`recite a “provider” and an “entity” engaging in a transaction. The claims state that
`
`the entity has “secure data stored in a secure registry” and that the provider
`
`“request[s] the transaction.”
`
`50. Turning to the specification and figures, various types of parties, such
`
`as merchants, service providers, medical personnel, potential employers, financial
`
`institutions, delivery service providers, law enforcement, tax agencies, and
`
`potential landlords, may be parties (i.e., providers) that engage in a transaction
`
`with the entity and provide a good (e.g., merchant selling goods), service (e.g.,
`
`merchant selling services, medical personnel rendering aid, etc.) to the entity,
`
`and/or request information (e.g., medical information, tax information, financial
`
`information, identification information, job application or rental application
`
`information, etc.) about the entity. See Ex. 1001 at 7:57-67, 8:62-9:13, FIGS. 3 and
`
`4 (describing various types of secure data of the entity that can be stored at the
`
`secure registry and the various types of provider parties that may request access to
`
`such stored secure data); see id. at 11:46-13:13, FIGS. 7-9 (describing transactions
`
`between merchant providers and entities having secure data stored at secure
`
`registry); see id. at 14:4-58, FIG. 11 (describing a delivery service provider
`
`engaging in a delivery transaction with the entity); see id. at 16:17-25, FIG. 14
`
`(describing law enforcement provider requesting identity information pertaining to
`
`
`
`
`USR Exhibit 2001, Page 20
`
`
`
`IPR2018-01350
`
`the entity); see id. at 16:26-51, FIG. 15 (describing medical service providers,
`
`among others, requesting information pertaining to the entity); see id. at 16:63-
`
`17:5, FIG. 16 (describing a potential employer or landlord that provides
`
`employment or housing requesting information (e.g., data associated with a
`
`job/rental application) from the entity); see id. at 17:6-28 (describing additional
`
`types of providers).
`
`51. Therefore, in my opinion the term “provider” in light of the
`
`specification and ordinary language of the claims should be construed to mean “the
`
`party that engages in a transaction with an entity having secure data stored at a
`
`secure registry, the party providing a good or service to the entity and/or requesting
`
`information about the entity.”
`
`C.
`
`52.
`
`“Access restrictions for the provider”
`
`In my opinion, under the broadest reasonable interpretation standard,
`
`a person of ordinary skill in the art would understand the claim limitation “access
`
`restrictions for the provider” as used in the ’539 patent to mean “access restrictions
`
`that are specific to the provider.” This construction is consistent with the plain and
`
`ordinary meaning of the language as found in the ’539 patent’s claims, which
`
`recite that a restriction mechanism is executed to determine compliance with any
`
`access restrictions for the provider to secure data of the entity for completing the
`
`transaction.
`
`
`
`
`USR Exhibit 2001, Page 21
`
`
`
`IPR2018-01350
`
`53. The ’539 patent explains that “access information 34” stored in each
`
`entry 30 of the secure registry’s database 24 allows “different levels of security to
`
`attach to different types of information stored in the entry 30” so that the user can
`
`specify which providers can have access to select, specific data such as credit card
`
`numbers, medical information, and tax information. See Ex. 1001 at 8:62-9:11;
`
`FIGS. 1, 3. The “universal ident
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
