`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`________________
`
`
`VISA INC. and VISA U.S.A. INC.,
`Petitioner,
`
`v.
`
`UNIVERSAL SECURE REGISTRY LLC,
`Patent Owner
`________________
`
`Case IPR2018-01350
`U.S. Patent No. 8,856,539
`________________
`
`
`
`
`
`
`PATENT OWNER’S EXHIBIT 2001
`
`DECLARATION OF MARKUS JAKOBSSON
`
`IN SUPPORT OF PATENT OWNER’S PRELIMINARY RESPONSE
`
`
`
`
`
`
`
`USR Exhibit 2001
`
`
`
`
`
`
`IPR2018-01350
`
`1.
`
`I have been retained on behalf of Universal Secure Registry LLC
`
`(“Patent Owner”) in connection with the above-captioned inter partes review
`
`(IPR). I have been retained to provide my opinions in support of USR’s
`
`Preliminary Response. I am being compensated for my time at the rate of $625 per
`
`hour. I have no interest in the outcome of this proceeding.
`
`2.
`
`In preparing this declaration, I have reviewed and am familiar with the
`
`Petition for IPR2018-01350, U.S. Patent No. 8,856,539, and its file history, and all
`
`other materials cited and discussed in the Petition (including the declaration of
`
`Justin Douglas Tygar Ph.D) and cited and discussed in this Declaration. I
`
`understand the Petition asserts that claims 1-9, 16-31, 37, and 38 (together “the
`
`Challenged Claims”) are obvious under 35 U.S.C. Section 103 over WO 00/14648
`
`(“Brener”), U.S. Patent No. 4,885,778 (“Weiss”) and U.S. Patent No. 6,820,204 B1
`
`(“Desai”).
`
`3.
`
`The statements made herein are based on my own knowledge and
`
`opinion. This Declaration represents only the opinions I have formed to date. I may
`
`consider additional documents as they become available or other documents that
`
`are necessary to form my opinions. I reserve the right to revise, supplement, or
`
`amend my opinions based on new information and on my continuing analysis.
`
`
`
`
`USR Exhibit 2001, Page 1
`
`
`
`IPR2018-01350
`
`I.
`
`QUALIFICATIONS
`
`4. My qualifications can be found in my Curriculum Vitae, which
`
`includes my detailed employment background, professional experience, and list of
`
`technical publications and patents. Ex. 2002.
`
`5.
`
`I am currently the Chief of Security and Data Analytics at Amber
`
`Solutions, Inc., a cybersecurity company that develops home and office automation
`
`technology. At Amber, my research studies and addresses abuse, including social
`
`engineering, malware and privacy intrusions. My work primarily involves
`
`identifying risks, developing protocols and user experiences, and evaluating the
`
`security of proposed approaches.
`
`6.
`
`I received a Master of Science degree in Computer Engineering from
`
`the Lund Instituted of Technology in Sweden in 1993, a Master of Science degree
`
`in Computer Science from the University of California at San Diego in 1994, and a
`
`Ph.D. in Computer Science from the University of California at San Diego in 1997,
`
`specializing in Cryptography. During and after my Ph.D. studies, I was also a
`
`Researcher at the San Diego Supercomputer Center, where I did research on
`
`authentication and privacy.
`
`7.
`
`From 1997 to 2001, I was a Member of Technical Staff at Bell Labs,
`
`where I did research on authentication, privacy, multi-party computation, contract
`
`exchange, digital commerce including crypto payments, and fraud detection and
`
`
`
`
`USR Exhibit 2001, Page 2
`
`
`
`IPR2018-01350
`
`prevention. From 2001 to 2004, I was a Principal Research Scientist at RSA Labs,
`
`where I worked on predicting future fraud scenarios in commerce and
`
`authentication and developed solutions to those problems. During that time I
`
`predicted the rise of what later became known as phishing. I was also an Adjunct
`
`Associate Professor in the Computer Science department at New York University
`
`from 2002 to 2004, where I taught cryptographic protocols.
`
`8.
`
`From 2004 to 2016, I held a faculty position at the Indiana University
`
`at Bloomington, first as an Associate Professor of Computer Science, Associate
`
`Professor of Informatics, Associate Professor of Cognitive Science, and Associate
`
`Director of the Center for Applied Cybersecurity Research (CACR) from 2004 to
`
`2008; and then as an Adjunct Associate Professor from 2008 to 2016. I was the
`
`most senior security researcher at Indiana University, where I built a research
`
`group focused on online fraud and countermeasures, resulting in over 50
`
`publications and two books.
`
`9. While a professor at Indiana University, I was also employed by
`
`Xerox PARC, PayPal, and Qualcomm to provide thought leadership to their
`
`security groups. I was a Principal Scientist at Xerox PARC from 2008 to 2010, a
`
`Director and Principal Scientist of Consumer Security at PayPal from 2010 to
`
`2013, a Senior Director at Qualcomm from 2013 to 2015, and Chief Scientist at
`
`Agari from 2016 to 2018. Agari is a cybersecurity company that develops and
`
`
`
`
`USR Exhibit 2001, Page 3
`
`
`
`IPR2018-01350
`
`commercializes technology to protect enterprises, their partners and customers
`
`from advanced email phishing attacks. At Agari, my research studied and
`
`addressed trends in online fraud, especially as related to email, including problems
`
`such as Business Email Compromise, Ransomware, and other abuses based on
`
`social engineering and identity deception. My work primarily involved identifying
`
`trends in fraud and computing before they affected the market, and developing and
`
`testing countermeasures, including technological countermeasures, user interaction
`
`and education.
`
`10.
`
`I have founded or co-founded several successful computer security
`
`companies. In 2005 I founded RavenWhite Security, a provider of authentication
`
`solutions, and I am currently its Chief Technical Officer. In 2007 I founded
`
`Extricatus, one of the first companies to address consumer security education. In
`
`2009 I founded FatSkunk, a provider of mobile malware detection software; I
`
`served as Chief Technical Officer of FatSkunk from 2009 to 2013, when FatSkunk
`
`was acquired by Qualcomm and I became a Qualcomm employee. In 2013 I
`
`founded ZapFraud, a provider of anti-scam technology addressing Business Email
`
`Compromise, and I am currently its Chief Technical Officer. In 2014 I founded
`
`RightQuestion, a security consulting company.
`
`11.
`
`I have additionally served as a member of the fraud advisory board at
`
`LifeLock (an identity theft protection company); a member of the technical
`
`
`
`
`USR Exhibit 2001, Page 4
`
`
`
`IPR2018-01350
`
`advisory board at CellFony (a mobile security company); a member of the
`
`technical advisory board at PopGiro (a user reputation company); a member of the
`
`technical advisory board at MobiSocial dba Omlet (a social networking company);
`
`and a member of the technical advisory board at Stealth Security (an anti-fraud
`
`company). I have provided anti-fraud consulting to KommuneData (a Danish
`
`government entity), J.P. Morgan Chase, PayPal, Boku, and Western Union.
`
`12.
`
`I have authored five books and over 100 peer-reviewed publications,
`
`and have been a named inventor on over 100 patents and patent applications.
`
`13. My work has included research in the area of applied security,
`
`privacy, cryptographic protocols, authentication, malware, social engineering,
`
`usability and fraud.
`
`II. LEGAL UNDERSTANDING
`
`A. The Person of Ordinary Skill in the Art
`
`14.
`
`I understand that a person of ordinary skill in the relevant art (also
`
`referred to herein as “POSITA”) is presumed to be aware of all pertinent art, thinks
`
`along conventional wisdom in the art, and is a person of ordinary creativity—not
`
`an automaton.
`
`15.
`
`I have been asked to consider the level of ordinary skill in the field
`
`that someone would have had at the time the claimed invention was made. In
`
`deciding the level of ordinary skill, I considered the following:
`
`
`
`
`USR Exhibit 2001, Page 5
`
`
`
`• the levels of education and experience of persons working in the
`
`IPR2018-01350
`
`field;
`
`• the types of problems encountered in the field; and
`
`• the sophistication of the technology.
`
`16. A person of ordinary skill in the art relevant to the ’539 patent at the
`
`time of the invention would have a Bachelor of Science degree in electrical
`
`engineering and/or computer science, and three years of work or research
`
`experience in the fields of secure transactions and encryption, or a Master’s degree
`
`in electrical engineering and/or computer science and two years of work or
`
`research experience in related fields.
`
`17.
`
`I have reviewed the declaration of Dr. Tygar, including his opinions
`
`regarding the Person of Ordinary Skill in the Art. Ex. 1002 at ¶¶ 41-46. My
`
`description of the level of ordinary skill in the art is essentially the same as that of
`
`the Dr. Tygar, except that Dr. Tygar’s description requires two years of work or
`
`research experience (as compared to three years). The opinions set forth in this
`
`Declaration response would be the same under either my or Dr. Tygar’s proposal.
`
`18.
`
`I am well-qualified to determine the level of ordinary skill in the art
`
`and am personally familiar with the technology of the ’539 Patent. I was a person
`
`of at least ordinary skill in the art at the time of the priority date of the ’539 patent
`
`in 2001. Regardless if I do not explicitly state that my statements below are based
`
`
`
`
`USR Exhibit 2001, Page 6
`
`
`
`IPR2018-01350
`
`on this timeframe, all of my statements are to be understood as a POSITA would
`
`have understood something as of the priority date of the ’539 patent.
`
`B.
`
`19.
`
`Legal Principles
`
`I am not a lawyer and will not provide any legal opinions. Though I
`
`am not a lawyer, I have been advised that certain legal standards are to be applied
`
`by technical experts in forming opinions regarding the meaning and validity of
`
`patent claims.
`
`1. Obviousness
`
`20.
`
`I understand that to obtain a patent, a claimed invention must have, as
`
`of the priority date, been nonobvious in view of prior art in the field. I understand
`
`that an invention is obvious when the differences between the subject matter
`
`sought to be patented and the prior art are such that the subject matter as a whole
`
`would have been obvious at the time the invention was made to a person having
`
`ordinary skill in the art.
`
`21.
`
`I understand that to prove that prior art, or a combination of prior art,
`
`renders a patent obvious, it is necessary to: (1) identify the particular references
`
`that singly, or in combination, make the patent obvious; (2) specifically identify
`
`which elements of the patent claim appear in each of the asserted references; and
`
`(3) explain how the prior art references could have been combined to create the
`
`inventions claimed in the asserted claim.
`
`
`
`
`USR Exhibit 2001, Page 7
`
`
`
`IPR2018-01350
`
`22.
`
`I understand that a patent composed of several elements is not proved
`
`obvious merely by demonstrating that each of its elements was, independently,
`
`known in the prior art, and that obviousness cannot be based on the hindsight
`
`combination of components selectively culled from the prior art to fit the
`
`parameters of the patented invention.
`
`23.
`
`I also understand that a reference may be said to teach away when a
`
`person of ordinary skill, upon reading the reference, would be discouraged from
`
`following the path set out in the reference, or would be led in a direction divergent
`
`from the path that was taken by the applicant. Even if a reference is not found to
`
`teach away, I understand its statements regarding preferences are relevant to a
`
`finding regarding whether a skilled artisan would be motivated to combine that
`
`reference with another reference.
`
`2. My Understanding of Claim Construction Law
`
`24.
`
`I understand that in this inter partes review the claims must be given
`
`their broadest reasonable interpretation, but that interpretation must be consistent
`
`with the patent specification. In this Declaration, I have used the broadest
`
`reasonable interpretation (“BRI”) standard when interpreting the claim terms.
`
`
`
`
`
`
`
`
`
`
`USR Exhibit 2001, Page 8
`
`
`
`IPR2018-01350
`
`III. OVERVIEW OF THE ’539 PATENT
`
`A. The ’539 Patent Specification
`
`25.
`
`I have reviewed the ’539 patent. The ’539 patent provides a unique
`
`and highly secure anonymous identification system that uses a time-varying
`
`multicharacter code for both verifying the identity of an entity and also enabling
`
`transactions between the entity and a provider without requiring the entity to share
`
`personal or otherwise sensitive information with the provider. See Ex. 1001 at
`
`2:64-3:1, 3:24-27, 12:19-54. The system allows a person to purchase goods from a
`
`brick and mortar or online merchant without publicly providing credit card
`
`information to the merchant for fear that the credit card information may be stolen
`
`or used fraudulently. See id. at 3:44-54. As another example, the system allows a
`
`person seeking medical treatment to identify themselves before a medical provider,
`
`and also have the system provide insurance data, medical history data, and other
`
`medical information to the medical provider once the medical provider has
`
`established itself as an authorized recipient. See id. at 3:55-60.
`
`26. Referring to FIGS. 1 and 3 of the ’539 patent, the system’s main unit
`
`12, which may be connected to a wide area network, includes a database 24 that
`
`stores data entries 30 related to different people or entities. Id. at 7:11-13, 7:40-41.
`
`Each entry 30 may contain different types of information such as, but not limited
`
`to, validation information, access information, publicly available information,
`
`
`
`
`USR Exhibit 2001, Page 9
`
`
`
`IPR2018-01350
`
`address information, credit card information, medical information, job application
`
`information, and/or tax information. Id. at 7:57-63. The validation information 32
`
`is information about the user and is used by the main unit’s software 18 to validate
`
`that the person attempting to access the information is authorized to receive it. Id.
`
`at 8:10-14. In particular, the validation information 32 contains information that
`
`enables the software 18 to validate a person that has presented the system with a
`
`one-time nonpredictable code uniquely associated with the user. See id. at 8:17-35.
`
`The access information 34 allows different levels of security to attach to different
`
`types of information stored in each entry 30 so that the user can specify which
`
`particular individuals or organizations can have access to what specific data (e.g.,
`
`credit card numbers, medical information, and tax information). See id. at 8:62-
`
`9:11.
`
`27. Referring to FIG. 8, one aspect of using the system includes the useful
`
`ability to purchase goods or services from a merchant without revealing to the
`
`merchant account information relating to the user’s credit card. Id. at 9:46-50.
`
`A user desiring to make a purchase at a merchant without providing their financial
`
`information, such as a credit or debit card number, may enter a secret code into
`
`their electronic ID device, which generates a one-time nonpredictable code that is
`
`provided to the merchant. Id. at 12:21-24. The merchant in turn may transmit the
`
`one-time nonpredictable code, a store number, and a purchase amount to the secure
`
`
`
`
`USR Exhibit 2001, Page 10
`
`
`
`IPR2018-01350
`
`registry. Id. at 12:24-26. The secure registry system may then determine whether
`
`the code received is valid, and if valid, accesses from the secure registry’s database
`
`24 the user’s actual credit card information. See id. at 12:27-29. The secure registry
`
`system next transmits to the credit card company the credit card number, the store
`
`number, and the purchase amount. Id. at 12:29-31. The credit card company then
`
`processes the transaction, such as by checking the credit worthiness of the person,
`
`and either declines the card or debits the user’s account and transfers money to the
`
`merchant’s account. Id. at 12:40-43. The credit card company notifies the secure
`
`registry system the transaction result and the secure registry system may in turn
`
`notify the merchant. Id. at 12:43-46.
`
`28. Thus, the ’539 patent’s USR system provides a secure anonymous
`
`identification system that uses a time-varying multicharacter code for both
`
`verifying the identity of an entity and also enabling transactions between the entity
`
`and a provider, such as a merchant, without requiring the entity to share personal
`
`or otherwise sensitive information with the provider. In one case, this allows a user
`
`to purchase goods or services from a merchant without providing the merchant the
`
`user’s credit card number. Advantageously, the system also allows such secure
`
`transactions to be transparent to the credit card company and thus requires no or
`
`minimal cooperation from the credit card company to implement.
`
`
`
`
`USR Exhibit 2001, Page 11
`
`
`
`IPR2018-01350
`
`29. Besides purchase transactions, the technology described in the ’539
`
`patent can be applied to a host of other applications that can benefit from secure
`
`identity verification systems and distributed secure data storage. As one example,
`
`such a system allows a patient to obtain medical treatment from a medical care
`
`provider without having to directly supply the medical care provider her medical
`
`history, which may not be with the patient herself. According to another example,
`
`the user may facilitate shipment of goods purchased from a merchant without
`
`having to provide the merchant their shipping address.
`
`B.
`
`The ’539 Patent Claims
`
`30. The ’539 patent includes 38 claims. Claims 1, 22, 37, and 38 are
`
`independent. I have reviewed the claims in detail.
`
`C.
`
`Prosecution History
`
`31. The ’539 patent issued on October 7, 2014 from U.S. Application
`
`No. 11/768,729 (“’729 Application”) filed on June 26, 2007. The ’729 Application
`
`is a continuation application of U.S. Application No. 09/810,703 filed on March
`
`16, 2001, now U.S. Patent No. 7,237,117.
`
`32. The Weiss reference raised by Petitioners was disclosed to the Patent
`
`Office during prosecution. Moreover, a related patent, U.S. Patent No. 5,657,388
`
`(“’388 patent”) claiming priority to Weiss, was the basis of a rejection. See Ex.
`
`1004 at 0669 (“Claims 1, 3-5, 9-16, 19-21, 24-30, 32-39 and 41-48 are rejected as
`
`
`
`
`USR Exhibit 2001, Page 12
`
`
`
`IPR2018-01350
`
`being unpatentable over Gioradano [sic] et al. US 7,571,139 B1 (hereinafter
`
`Gioradano [sic]) in view of Weiss US 5,657,388.”).
`
`33. Notably, the Patent Office relied upon the ’388 patent for the
`
`identical reason as Petitioner relies upon Weiss—to supplement a primary
`
`reference’s deficiency in teaching that a multicharacter code could be “time-
`
`varying.” Ex. 1004 at 0670 (“Gioradano [sic] does not explicitly teach a time-
`
`varying code. In the same field of endeavor, [the ’388 patent] teaches a time
`
`varying multi character code” . . . “It would have been obvious to one having
`
`ordinary skill in the art at the time of applicant’s invention to employ the teachings
`
`of [the ’388 patent] within the system of Gioradano [sic].”).
`
`34.
`
`In response to this rejection, Patent Owner amended the claims to add
`
`the limitation of “access restrictions” and argued that the prior art of record
`
`(Giordano in combination with the ’388 patent) did not disclose this feature. Ex.
`
`1004 at 0679 to 0691. See id. at 0688 (“Claim 1, as amended, now recites ‘a
`
`restriction mechanism configured to determine compliance with any access
`
`restrictions for the first party,’ which is not taught or suggested by Giordano or [the
`
`’388 patent]”). The Examiner found the amendments and arguments to be
`
`persuasive and subsequently dropped its reliance on the ’388 patent as teaching
`
`“time-varying.” Ex. 1004 at 0698 (“Examiner agreed the proposed amendment is
`
`not taught by the prior art”).
`
`
`
`
`USR Exhibit 2001, Page 13
`
`
`
`IPR2018-01350
`
`IV. OVERVIEW OF THE CITED ART
`
`A. Brener
`
`35. Brener is directed to a centralized system that generates and
`
`distributes static codes to a vendor that allow for anonymous shopping. Brener
`
`emphasizes that an object of its invention is “to provide such an e-commerce
`
`system whereby the customer can remain anonymous but still visit web sites as a
`
`character or persona such that he or she is recognized upon return to the vendor
`
`web site.” Brener at 2:15-17.
`
`36. To accomplish this goal, Brener touts that the “customer object” (i.e.,
`
`screen name persona like “GOLFO”) it uses to act as a proxy for the
`
`user/purchaser’s real identity can be remembered by the vendor (e.g., using
`
`cookies) so that the vendor may “develop a relationship with the customer through
`
`his persona” and promote goods/services that the vendor may believe the customer
`
`would be interested in based on prior purchases/site visits. Brener at 12:7-20.
`
`37.
`
`In particular, Brener teaches its’ customer object comprises a
`
`public/private key pairing, wherein the public key includes the user’s account
`
`number. Brener, 16:8-9 (“The public key will contain information such as a
`
`customer object and a customer bank account or credit card number.”). And,
`
`Brener further teaches that the public key is sent to the vendor 140. Brener at
`
`
`
`
`USR Exhibit 2001, Page 14
`
`
`
`IPR2018-01350
`
`16:15-16 (“When a customer computer 100 enters the web site of the vendor
`
`computer 140, the vendor computer 140 is provided with the public key.”).
`
`38. Brener also discloses that in a preferred embodiment the bank
`
`computer 150 keeps a blind eye to “the transactional information of the customer”
`
`and that “the bank need not know what is being purchased and from where, only
`
`that the customer has the money or credit to cover the transaction.” Brener, 13:26-
`
`14:4 (emphasis added).
`
`B. Weiss
`
`39. Weiss is directed to a co-generation system that synchronizes
`
`generation of separate, free running, time dependent equipment. Weiss at Title. In
`
`particular, Weiss discloses a distribution architecture that includes the capability of
`
`every system participant to generate the same authentication code at the same time.
`
`Weiss at Abstract. Most importantly, the invention uses a “predetermined
`
`algorithm [that] constantly generates new unique and verifiable non-predictable
`
`codes, which are derived from the fixed data and at least one dynamic variable,
`
`such as the time of day.” Weiss at 1:63-65. Moreover, Weiss requires the algorithm
`
`that generates the authentication code to be secret. Weiss at Abstract, line 3.
`
`C. Desai
`
`40. Desai discloses a system that “provid[es] users with granular control
`
`over arbitrary information that allows for selective, real-time information sharing
`
`
`
`
`USR Exhibit 2001, Page 15
`
`
`
`IPR2018-01350
`
`in a communications network.” Desai at Abstract, lines 1-3 (emphasis added).
`
`Specifically, Desai teaches providing user-by-user and element-by-element, or
`
`granular, restrictions to data. Desai at Abstract, lines 17-21 (“Each registered user
`
`may selectively control the granting and denying of access to each of its associated
`
`data elements by other respective user, on an element-by-element, and user-by-user
`
`basis.”); see id. at 3:38-40 (“Each user of the system and method has granular
`
`control over its own user profile information, and can control access to each stored
`
`data element”). Moreover, in Desai, the stored information is released directly to
`
`the vendor once the vendor establishes that it has the proper permissions. Desai at
`
`4:16-18 (“the vendors will not receive this information unless and until the
`
`registered user provides access to the vendor.”).
`
`V. CLAIM CONSTRUCTION
`
`A.
`
`41.
`
`“Based at least in part on the indication of the provider and the
`time-varying multicharacter code of the transaction request”
`
`I understand that Petitioner argues that the phrase “based at least in
`
`part on the indication of the provider and the time-varying multicharacter code of
`
`the transaction request” should be read to modify the phrase “completing the
`
`transaction” instead of “access restrictions for the provider.” See Petition at 17. I
`
`disagree.
`
`42.
`
`In my opinion the phrase “based at least in part on the indication of
`
`the provider and the time-varying multicharacter code of the transaction request”
`
`
`
`
`USR Exhibit 2001, Page 16
`
`
`
`IPR2018-01350
`
`should be construed to modify “determining compliance with any access
`
`restrictions for the provider to secure data of the entity.” This would be consistent
`
`with the plain language of the claims and in view of the specification.
`
`43. The specification of the ’539 patent explains that the USR system’s
`
`main unit 12, which may be connected to a wide area network, includes a database
`
`24 that stores data entries 30 related to different people or entities. Ex. 1001 at
`
`7:11-13; 7:40-41. Among other things, each database entry 30 may contain “access
`
`information 34” and certain pieces of data such as “Credit Card and Other
`
`Financial Information,” “Medical Information,” Job Application Information,” and
`
`“Tax Information.” Ex. 1001 at FIG. 3, 7:57-63. The access information 34 allows
`
`“different levels of security to attach to different types of information stored in the
`
`entry 30” so that the user can specify which particular individuals or companies
`
`can have access to what specific data such as credit card numbers, medical
`
`information, and tax information. See Ex. 1001 at 8:62-9:11.
`
`44. The specification further provides that during “training” of the USR
`
`database 24, the user “specif[ies] the type of access restrictions and/or whom
`
`should be allowed to access the advanced personal data.” Ex. 1001 at 10:23-25.
`
`Referring to FIG. 6 of the ’539 patent, once the database 24 has been trained,
`
`“USR software 18 queries whether the requester has the right to access the type of
`
`requested data,” and “determining the requestor’s rights (602) typically involves
`
`
`
`
`USR Exhibit 2001, Page 17
`
`
`
`IPR2018-01350
`
`validating the requestor’s identity and correlating the identity, the requested
`
`information and the access information 34 provided by the person to the USR
`
`database during the training process.” Ex. 1001 at 10:40-48. Thus, the context of
`
`“access rights” and compliance therewith is discussed in the specification and
`
`figures of the ’539 patent explicitly ties in the identity of the requestor (e.g.,
`
`provider).
`
`45. Therefore, a person of ordinary skill in the art would understand
`
`claims 1 and 22 to specify that compliance with any access restrictions for the
`
`provider to secure data of the entity for completing the transaction are based at
`
`least in part on the indication of the provider (i.e., who the requesting provider is)
`
`and the time-varying multicharacter code.
`
`46.
`
`I understand that Petitioner argues that the phrase at issue should only
`
`modify “completing the transaction” because some embodiments of the ’539 patent
`
`allegedly describe access to information “based solely on a determination whether
`
`‘the [electronic ID] code is valid.’” Petition at 17 (citing Ex. 1001, 11:49-65,
`
`12:19-31, 12:55-13:8, 13:35-57). First, each portion of the ’539 patent cited to by
`
`Petitioner explicitly recites that the provider’s request includes a store number (i.e.,
`
`one example of “indication of the provider”) before the transaction is approved or
`
`denied. Thus, Petitioner’s statement that these embodiments associated with FIGS.
`
`7-10 are “based solely on a determination whether the ‘the [electronic ID] code is
`
`
`
`
`USR Exhibit 2001, Page 18
`
`
`
`IPR2018-01350
`
`valid’” lacks merit in my opinion. Second, even if embodiments in the ’539 patent
`
`did not require an indication of the provider to be sent, the claims at issue recite
`
`and require that an indication of the provider is provided and that compliance with
`
`access restrictions is based on an indication of the provider and time-varying
`
`multicharacter code. In my view, Petitioner’s argument ignores the portion of the
`
`claim language that specifically make these recitations, and its limiting, improper
`
`interpretation and grammatical manipulations of the claim language runs counter to
`
`the ’539 patent’s specification.
`
`47. For these reasons, a person of ordinary skill in the art would
`
`understand that the phrase “based at least in part on the indication of the provider
`
`and the time-varying multicharacter code of the transaction request” should be
`
`construed to modify the terms “determining compliance with any access
`
`restrictions for the provider to secure data of the entity.”
`
`B.
`
`48.
`
`“Provider”
`
`I believe that a person of ordinary skill in the art would understand the
`
`term “provider” as used in the ’539 patent to mean “the party that engages in a
`
`transaction with an entity having secure data stored at a secure registry, the party
`
`providing a good or service to the entity and/or requesting information about the
`
`entity.”
`
`
`
`
`USR Exhibit 2001, Page 19
`
`
`
`IPR2018-01350
`
`49. This construction is consistent with the ’539 patent’s claims, which
`
`recite a “provider” and an “entity” engaging in a transaction. The claims state that
`
`the entity has “secure data stored in a secure registry” and that the provider
`
`“request[s] the transaction.”
`
`50. Turning to the specification and figures, various types of parties, such
`
`as merchants, service providers, medical personnel, potential employers, financial
`
`institutions, delivery service providers, law enforcement, tax agencies, and
`
`potential landlords, may be parties (i.e., providers) that engage in a transaction
`
`with the entity and provide a good (e.g., merchant selling goods), service (e.g.,
`
`merchant selling services, medical personnel rendering aid, etc.) to the entity,
`
`and/or request information (e.g., medical information, tax information, financial
`
`information, identification information, job application or rental application
`
`information, etc.) about the entity. See Ex. 1001 at 7:57-67, 8:62-9:13, FIGS. 3 and
`
`4 (describing various types of secure data of the entity that can be stored at the
`
`secure registry and the various types of provider parties that may request access to
`
`such stored secure data); see id. at 11:46-13:13, FIGS. 7-9 (describing transactions
`
`between merchant providers and entities having secure data stored at secure
`
`registry); see id. at 14:4-58, FIG. 11 (describing a delivery service provider
`
`engaging in a delivery transaction with the entity); see id. at 16:17-25, FIG. 14
`
`(describing law enforcement provider requesting identity information pertaining to
`
`
`
`
`USR Exhibit 2001, Page 20
`
`
`
`IPR2018-01350
`
`the entity); see id. at 16:26-51, FIG. 15 (describing medical service providers,
`
`among others, requesting information pertaining to the entity); see id. at 16:63-
`
`17:5, FIG. 16 (describing a potential employer or landlord that provides
`
`employment or housing requesting information (e.g., data associated with a
`
`job/rental application) from the entity); see id. at 17:6-28 (describing additional
`
`types of providers).
`
`51. Therefore, in my opinion the term “provider” in light of the
`
`specification and ordinary language of the claims should be construed to mean “the
`
`party that engages in a transaction with an entity having secure data stored at a
`
`secure registry, the party providing a good or service to the entity and/or requesting
`
`information about the entity.”
`
`C.
`
`52.
`
`“Access restrictions for the provider”
`
`In my opinion, under the broadest reasonable interpretation standard,
`
`a person of ordinary skill in the art would understand the claim limitation “access
`
`restrictions for the provider” as used in the ’539 patent to mean “access restrictions
`
`that are specific to the provider.” This construction is consistent with the plain and
`
`ordinary meaning of the language as found in the ’539 patent’s claims, which
`
`recite that a restriction mechanism is executed to determine compliance with any
`
`access restrictions for the provider to secure data of the entity for completing the
`
`transaction.
`
`
`
`
`USR Exhibit 2001, Page 21
`
`
`
`IPR2018-01350
`
`53. The ’539 patent explains that “access information 34” stored in each
`
`entry 30 of the secure registry’s database 24 allows “different levels of security to
`
`attach to different types of information stored in the entry 30” so that the user can
`
`specify which providers can have access to select, specific data such as credit card
`
`numbers, medical information, and tax information. See Ex. 1001 at 8:62-9:11;
`
`FIGS. 1, 3. The “universal ident