UNITED STATES PATENT AND TRADEMARK OFFICE
`____________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________________
`
`PAYPAL INC.,
`PETITIONER,
`
`V.
`
`IOENGINE, LLC,
`PATENT OWNER.
`____________________
`
`IPR2019-00884
`IPR2019-00885
`
`PATENT 8,539,047
`____________________
`
`DECLARATION OF AVIEL D. RUBIN, PH.D.
`
`
`
`Exhibit 2003
`
`

`

`
`
`I.
`II.
`
`TABLE OF CONTENTS
`Introduction ..................................................................................................... 3
`Qualifications................................................................................................... 4
`A.
`Education & Career ............................................................................... 4
`B.
`Publications ........................................................................................... 7
`Person of Ordinary Skill in the Art................................................................... 8
`III.
`IV. Legal Framework ............................................................................................. 9
`A.
`Standard of Proof ................................................................................... 9
`B.
`Anticipation ........................................................................................... 9
`C.
`Obviousness ..........................................................................................10
`The ’047 Patent ...............................................................................................12
`V.
`VI. Asserted Grounds and References Relied On In Petitions ...............................14
`A. Abbott ...................................................................................................15
`B.
`Shmueli .................................................................................................18
`VII. Claim Construction .........................................................................................19
`“an interactive user interface” ...............................................................19
`A.
`“communicate through the terminal network interface with the
`B.
`communications network node” // “cause a communication to be sent through
`the terminal network interface to a communications network node” ...............25
`“[first/second/third] program code” ......................................................27
`C.
`VIII. Detailed Analysis ............................................................................................28
`A. No Motivation to Combine Abbott and Shmueli ...................................28
`B.
`Elements Neither Disclosed Nor Obvious .............................................33
`C.
`Dependent Claims .................................................................................48
`
`
`
`2
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`1.
`
`I, Aviel D. Rubin, make this declaration in connection with the
`
`proceedings identified above.
`
`I.
`
`INTRODUCTION
`2.
`
`I have been retained as an expert on behalf of IOENGINE, LLC
`
`(“IOENGINE”) in connection with the proceedings identified above. I submit this
`
`Declaration on behalf of IOENGINE in support of its Preliminary Response responding
`
`to the Petition for Inter Partes Review in Case IPR2019-00884 (the “’884 Petition”)
`
`filed by PayPal Inc. (“PayPal” or “Petitioner”) challenging claims 1−9, 12−16, and
`
`18−31 (the “Challenged Claims”) of U.S. Patent No. 8,539,047 to McNulty (“the ’047
`
`Patent”) (Ex. 1001), and also in support of its Preliminary Response responding to the
`
`Petition for Inter Partes Review in Case IPR2019-00885 (the “’885 Petition”) filed by
`
`Petitioner challenging claims 1, 7, 9-11, 14, 16, and 17, and focusing on claims 10, 11,
`
`and 17, of the ’047 Patent.
`
`3.
`
`The opinions in this Declaration are based on my professional training and
`
`experience and my review of the exhibits discussed herein.
`
`4.
`
`I am being compensated for my services in connection with the
`
`proceedings identified above at my regular rate of $775 per hour (plus reimbursement
`
`for expenses). My compensation is in no way contingent on the outcome of the
`
`proceedings identified above or on any of the opinions I provide below.
`
`3
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`II. QUALIFICATIONS
`5.
`I have summarized in this section my educational background, career
`
`history, publications, and other relevant qualifications. My curriculum vitae is
`
`submitted
`
`as
`
`Ex.
`
`2062,
`
`and
`
`can
`
`also
`
`be
`
`found
`
`at
`
`http://avirubin.com/Avi_Rubins_home_page/Vita.html.
`
`A. Education & Career
`6.
`I received my Ph.D. in Computer Science and Engineering from the
`
`University of Michigan, Ann Arbor, in 1994, with a specialty in computer security and
`
`cryptographic protocols. My thesis was titled “Nonmonotonic Cryptographic
`
`Protocols” and concerned authentication in long-running networking operations.
`
`7.
`
`I am currently employed as Professor of Computer Science at Johns
`
`Hopkins University, where I perform research, teach graduate courses in computer
`
`science and related subjects, and supervise the research of Ph.D. candidates and other
`
`students. Courses I have taught include Computer Network Fundamentals, Security
`
`and Privacy in Computing, Cryptography, and Advanced Topics in Computer Security.
`
`I am also the Technical Director of the Johns Hopkins University Information Security
`
`Institute, the University’s focal point for research and education in information
`
`security, assurance, and privacy. The University, through the Information Security
`
`Institute’s leadership, has been designated as a Center of Academic Excellence in
`
`Information Assurance by the National Security Agency and leading experts in the
`
`4
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`field. The focus of my work over my career has been computer security, and my current
`
`research concentrates on systems and networking security, with special attention to
`
`software and network security.
`
`8.
`
`After receiving my Ph.D., I began working at Bellcore in its Cryptography
`
`and Network Security Research Group from 1994 to 1996. During this period, I
`
`focused my work on internet and computer security. While at Bellcore, I published an
`
`article titled “Blocking Java Applets at the Firewall” about the security challenges of
`
`dealing with Java applets and firewalls, and a system that we built to overcome those
`
`challenges.
`
`9.
`
`In 1997, I moved to AT&T Labs, Secure Systems Research Department,
`
`where I continued to focus on internet and computer security. From 1995 through
`
`1999, in addition to my work in industry, I served as Adjunct Professor at New York
`
`University, where I taught undergraduate classes on computer, network, and internet
`
`security issues.
`
`10.
`
`I stayed at AT&T until 2003, when I left to accept a full-time academic
`
`position at Johns Hopkins University. I was promoted to full professor with tenure in
`
`April, 2004.
`
`11.
`
`I serve, or have served, on a number of technical and editorial advisory
`
`boards. For example, I served on the Editorial and Advisory Board for the International
`
`Journal of Information and Computer Security. I also served on the Editorial Board
`PayPal Inc. v. IOENGINE, LLC
`5
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`for the Journal of Privacy Technology. I have been Associate Editor of IEEE Security
`
`and Privacy Magazine and have served as Associate Editor of ACM Transactions on
`
`Internet Technology.
`
` I am currently an Associate Editor of
`
`the
`
`journal
`
`Communications of the ACM. I was an Advisory Board Member of Springer’s
`
`Information Security and Cryptography Book Series. I have served in the past as a
`
`member of the DARPA Information Science and Technology Study Group, a member
`
`of the Government Infosec Science and Technology Study Group of Malicious Code,
`
`a member of the AT&T Intellectual Property Review Team, Associate Editor of
`
`Electronic Commerce Research Journal, Co-editor of the Electronic Newsletter of the
`
`IEEE Technical Committee on Security and Privacy, a member of the board of directors
`
`of the USENIX Association (the leading academic computing systems society), and a
`
`member of the editorial board of the Bellcore Security Update Newsletter.
`
`12.
`
`I have spoken on information security and electronic privacy issues at
`
`more than 50 seminars and symposia. For example, I presented keynote addresses on
`
`the topics “Security of Electronic Voting” at Computer Security 2004 Mexico in
`
`Mexico City in May 2004; “Electronic Voting” to the Secure Trusted Systems
`
`Consortium 5th Annual Symposium in Washington DC in December 2003; “Security
`
`Problems on the Web” to the AT&T EUA Customer conference in March 2000; and
`
`“Security on the Internet” to the AT&T Security Workshop in June 1997. I also
`
`6
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`presented a talk about hacking devices at the TEDx conference in October 2011 and
`
`another TEDx talk on the same topic in September 2015.
`
`13.
`
`I was founder and President of Independent Security Evaluators (ISE), a
`
`computer security consulting firm, from 2005–2011. In that capacity, I guided ISE
`
`through the qualification as an independent testing lab for Consumer Union, which
`
`produces Consumer Reports magazine. As an independent testing lab for Consumer
`
`Union, I managed an annual project where we tested all of the popular anti-virus
`
`products. Our results were published in Consumer Reports each year for three
`
`consecutive years.
`
`14.
`
`I am currently the founder and managing partner of Harbor Labs, a
`
`software and networking consulting firm.
`
`B.
`15.
`
`16.
`
`Publications
`
`I am a named inventor on ten U.S. patents in the information security area.
`
`I have also testified before Congress regarding the security issues with
`
`electronic voting machines and in the U.S. Senate on the issue of censorship. I also
`
`testified in Congress on November 19, 2013 about security issues related to the
`
`government’s Healthcare.gov website.
`
`17.
`
`I am author or co-author of five books regarding information security
`
`issues: Brave New Ballot, Random House, 2006; Firewalls and Internet Security
`
`(second edition), Addison Wesley, 2003; White-Hat Security Arsenal, Addison
`
`7
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`Wesley, 2001; Peer-to-Peer, O’Reilly, 2001; and Web Security Sourcebook, John
`
`Wiley & Sons, 1997. I am also the author of numerous journal and conference
`
`publications, which are reflected in my CV.
`
`III. PERSON OF ORDINARY SKILL IN THE ART
`In my opinion, a person of ordinary skill in the art (“POSITA”) would be
`18.
`
`a person with a Bachelor of Science degree in Computer Science, or related discipline,
`
`and two to three years of experience in developing, implementing, or deploying
`
`systems for the encryption of data on a portable device.
`
`19. Such a level of skill would encompass a knowledge of computer hardware,
`
`software development, operating systems, networking, portable or embedded devices,
`
`data encryption, data storage, and peripherals, which would be sufficient for
`
`understanding the technology of the ’047 Patent.
`
`20. This definition of a POSITA characterizes the ordinary skill of persons
`
`involved with software research and development at AT&T Labs, where I worked in
`
`the Secure Systems Research Department from 1997 to 2003. It also characterizes the
`
`ordinary skill of persons within the Information Security Institute at Johns Hopkins
`
`University involved in research relating to portable device security. Furthermore, in
`
`my role as Professor of Computer Science where I train students to become persons of
`
`ordinary skill in the area of computer security, an understanding of how to develop,
`
`8
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`implement, or deploy systems for encrypting data on a portable device would require
`
`building the knowledge and skills outlined above.
`
`IV. LEGAL FRAMEWORK
`21.
`I am not a legal expert and I offer no opinions on the law. However, I
`
`have been advised by counsel about some of the legal principles relevant to an analysis
`
`of patentability of claims in a United States patent, as summarized below. I have
`
`conducted my analysis in accordance with these principles.
`
`22.
`
`I understand that, for an invention claimed in a patent to be found
`
`patentable, or to be valid, it must be, among other things, new and not obvious in light
`
`of what came before it such as “prior art.”
`
`A.
`23.
`
`Standard of Proof
`
`I understand that, in these proceedings, the burden is on the party asserting
`
`unpatentability to prove it by a preponderance of the evidence. I understand that “a
`
`preponderance of the evidence” is evidence sufficient to show that something is more
`
`likely than not.
`
`B. Anticipation
`24.
`I have been informed that a patent claim is invalid as anticipated only if
`
`each and every element and element of that claim is publicly disclosed, either explicitly
`
`or inherently, in a single prior art reference, already in practice in the industry in a
`
`single process or method, already in a single marketed product, or otherwise previously
`
`9
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`invented. I also understand that anticipation requires the presence in a single prior art
`
`disclosure of all elements of the claim arranged as in the claim. For a step or element
`
`to be inherent in a reference, I understand that the step or element must necessarily and
`
`inevitably occur or be present when one follows the teachings of the reference. I am
`
`informed that for a reference to be considered as anticipating, it must disclose the
`
`relevant technology in a manner such that a person of ordinary skill in the art would be
`
`able to carry out or utilize the technology that the reference describes without having
`
`to undertake considerable experimentation.
`
`C. Obviousness
`25.
`I have been informed that a patent claim is invalid as obvious only if it
`
`would have been obvious to a person of ordinary skill in the art at the time the patent
`
`was filed, in light of the prior art. The prior art may include one or more references
`
`that a person of ordinary skill in the art trying to solve the problem that the inventor
`
`addressed would likely have considered, as well as the body of knowledge that such a
`
`person would possess. As in the case of a single reference that anticipates a patent
`
`claim, when one or more references make a patent claim obvious, the reference or
`
`combined references relied upon must disclose each and every element of the
`
`challenged claim. If the reference or combined references relied upon fail to disclose
`
`any element in the challenged claim, then it is not obvious.
`
`10
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`26.
`
`I have been informed that, although a challenger may rely on a
`
`combination of separate prior art references to support an obviousness challenge, a
`
`person of ordinary skill in the art at the time of filing must have had some motivation
`
`to combine the references. That motivation can come from the problem the invention
`
`purports to solve, from other references, from the teachings of those references
`
`showing the invention is obvious, from other references, or from the common-sense
`
`knowledge of a person of ordinary skill in the art. However, obviousness findings
`
`grounded in common sense must contain explicit and clear reasoning providing some
`
`rational underpinning why common sense compels a finding of obviousness.
`
`27.
`
`I have been informed that assessing which prior art references to combine
`
`and how they may be combined to match the asserted claim may not be based on
`
`hindsight reconstruction or ex-post reasoning. That is, one must view the prior art
`
`forward from the perspective of the person of ordinary skill in the art at the time of
`
`invention, not backwards from the current time through the lens of hindsight. It is my
`
`understanding that it is improper to use a patent claim as a template and pick and choose
`
`among the prior art to meet the elements of that claim to show obviousness.
`
`28.
`
`I have been informed that a reference qualifies as prior art for determining
`
`obviousness when it is analogous to the claimed invention. I understand that prior art
`
`may be considered analogous if it is from the same field of endeavor, regardless of the
`
`problem addressed, as the claimed invention. I also understand that prior art may be
`PayPal Inc. v. IOENGINE, LLC
`11
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`considered analogous if it is “reasonably pertinent” to the particular problem with
`
`which the inventor is involved. I have been informed that a reference is “reasonably
`
`pertinent” if it is one which, because of the matter with which it deals, logically would
`
`have commended itself to an inventor’s attention in considering the inventor’s problem.
`
`29.
`
`I have been informed that the factual elements of the obviousness
`
`inquiry—the scope and content of the prior art, the differences between the prior art
`
`and the claims, and the level of ordinary skill in the art at the time of the invention—
`
`are primary to performing a proper obviousness analysis and drawing the appropriate
`
`conclusions from that analysis.
`
`V. THE ’047 PATENT
`30. The ’047 Patent describes a tunneling client access point (“TCAP”) that
`
`communicates with an access terminal (e.g., a cellular telephone, or computer), and
`
`communicates with a remote network node or network device (e.g., a server) by
`
`“tunneling” data through the terminal’s network interface. Ex. 1001, Abstract, 1:19-
`
`25, 2:39-51, 3:42-4:31, 18:12-14, Figs. 1, 5, 9, 10. In other words, the access terminal
`
`serves as a “conduit” or “bridge” through which the TCAP communicates with the
`
`server or other network devices. Id., 4:61-65, 9:6-8, 28:54-56.
`
`31. To prevent the terminal from having access to confidential information
`
`sent between the TCAP and the server, the TCAP secures the data such that “if data
`
`moving out of the TCAP and across the [access terminal] were captured at the [access
`
`12
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`terminal], such data would not be readable.” Id., 13:3-4, 27:28-28:15, Fig. 10. For
`
`example, the TCAP preferably includes a Cryptographic Server Module 1020, which
`
`can be used to “encrypt all data sent through the access terminal based on the TCAP’s
`
`unique ID and user’s authorization information.” Id. at 28:9-15. This concept is
`
`reflected in the Title and Abstract of the ’047 Patent and is discussed throughout. See
`
`’047 Patent title (“Apparatus, method and system for a tunneling client access point
`
`“), abstract (“The disclosure details the implementation of a tunneling client access
`
`point (TCAP) that is a highly secure, portable, power efficient storage and data
`
`processing device. The TCAP “tunnels” data through an access terminal’s (AT)
`
`input/output facilities.”), 2:39-51, 3:42-4:31.
`
`32. Users interact with the TCAP through an interactive user interface
`
`(“IUI”)—e.g., an interactive graphical user interface—that is presented by the access
`
`terminal, making use of the terminal’s input/output components. ’047 Patent at
`
`Abstract, 2:39-46, 3:58-61, 17:51-18:3. The TCAP includes a User Interface Module
`
`1017 that “provides a facility through which users may affect, interact, and/or operate
`
`a computer system,” and which causes the IUI to be presented to the user on the
`
`terminal’s output component. ’047 Patent at 26:19-20, 6:65-7:1, 7:13-15, 7:46-48,
`
`8:38-42, 9:6-10:47, 12:34-63, 26:7-14, Figs. 4, 5-8, 10. Further, the user engages with
`
`“interface elements” of the IUI to cause program code to be executed by the TCAP.
`
`See, e.g., id., 10:33 (“Should the user engage a user interface element…”); 10:38
`PayPal Inc. v. IOENGINE, LLC
`13
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`(“engaging the appropriate user interface element…”); 11:14-16 (“engaging a help
`
`facility user interface element”); 11:64-65 (“engaging an interface element to unfurl
`
`the interface”); 1:52-56 (providing examples of “[c]omputer interaction interface
`
`elements such as check boxes, cursors, menus, scrollers, and windows (collectively and
`
`commonly referred to as widgets)…”), 8:20-22 (“The user might simply click on a
`
`button and gain secure access to such data that may be decrypted by the TCAP.”), 9:38-
`
`49 (user engages interface by clicking on a button to access TCAP facilities; the
`
`interface “unfurls” to present more buttons); 10:20-24 (engaging the interface by
`
`dragging and dropping files), 36-39, 10:65-11:5 (drag and drop), 11:14-32, 62-67
`
`(unfurling interface by graphically opening can of soda), 26:7-27 (interface to access
`
`the TCAP functionality); Figs. 5-8 (showing user interface elements).
`
`33. Applications of the TCAP include, for example, improving the security of
`
`accessing remote data, encrypted communication, and secure purchasing, payment and
`
`billing. Id. at abstract, 2:49-51, 3:65-4:31, 5:11-12, 5:53-55, 7:10-8:44, 8:64-9:1,
`
`10:47-62, 12:56-13:28, 19:38-20:24, 27:28-28:15, figs. 2, 4, 9, 10.
`
`VI. ASSERTED GROUNDS AND REFERENCES RELIED ON
`PETITIONS
`I understand that the ’884 Petition asserts two grounds for invalidity as
`34.
`
`IN
`
`summarized on page 10 of the ’884 Petition. I understand that the ’885 Petition asserts
`
`three grounds for invalidity as summarized on pages 10 of the ’885 Petition. The art
`
`14
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`primarily relied on in the ’884 and ’885 Petitions, Abbott and Shmueli, is described in
`
`the following sections.
`
`A. Abbott
`35. Abbott describes a “USB-compliant personal key with integral input and
`
`output devices.” Abbott title. Abbott uses the term “token” to refer to its personal key.
`
`Abbott 4:65, 6:21-23, 23:3-8, 23:39. The integral user input and output devices on
`
`Abbott’s token “communicate with the [token] processor by communication paths
`
`which are independent from the USB-compliant interface, and thus allow the user to
`
`communicate with the processor without manifesting any private information external
`
`to the personal key.” Abbott abstract. This architecture is depicted in Figure 2, which
`
`shows input and output devices 218 and 222 on the token, as well as data transceiver
`
`252, all of which are able to communicate with processor 212 via communication paths
`
`that are separate from the USB communication path 202 between the token and
`
`computer 102. Abbott fig. 2, 6:65-7:4, 7:15-19, 9:43-49; see also id. figs. 7A−8C,
`
`18:8-19:30 (describing integral input and output devices). Abbott’s integral user input
`
`and output devices are central to achieving Abbott’s stated goal of providing “a
`
`personal key that allows the user to store and retrieve passwords and digital certificates
`
`without requiring the use of vulnerable external interfaces.” Abbott 3:59-62
`
`(emphasis added);
`
`15
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`36. Abbott expresses a security concern that the computer or a server may be
`
`compromised and running malicious software. Abbott 19:42-50, 20:51-59. Abbott
`
`explains that its integral user input and output devices can be used to guard against this
`
`security concern by allowing the user to communicate directly with the token, without
`
`making use of the computer or server. Id. at 19:35-50, 20:59-65, 22:6-18. Abbott
`
`discloses two embodiments that use the integral user input and output devices to
`
`provide added security. One is a “squeeze-to-sign” authorization procedure, depicted
`
`in Figure 9, in which the user is prompted to authorize a transaction by “direct user
`
`input via” the token’s integral user input. Id. fig. 9, 19:57-21:51. A second, depicted
`
`in Figure 10, is a PIN authentication procedure in which the user’s PIN is entered
`
`directly on the token’s integral user input. Id. fig. 10, 21:64-22:55. It is apparent from
`
`Abbott’s title, abstract, and written description that the integral user input and output
`
`devices are an important feature of Abbott’s approach to security.
`
`37. Abbott’s token is accessed through a series of specialized function calls
`
`that are part of API 260. Abbott fig. 2, 8:6-15, 12:45-14:36. This arrangement is
`
`important to the security features of Abbott, because this API-based mechanism is how
`
`the system is able to restrict access to functions on the token. Abbott 12:45-13:15
`
`(“The read and write access type controls govern the transfer of files in the personal
`
`key 200 to and from the application 110.”), 19:61-20:2 (token “requires direct user
`
`input…before honoring any request from the host computer”). Moreover, Abbott
`PayPal Inc. v. IOENGINE, LLC
`16
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`contemplates that the computer software, including at least API 260, application 110,
`
`and browser 262, is stored and executed on the computer, not the token. Abbott figs.
`
`1, 2, 6:13-21, 8:6-15. Abbott discloses installation media for the computer software,
`
`but not that the computer software could be stored on or originate from the token.
`
`Abbott 6:26-32.
`
`38. One important distinction between Abbott and the ’047 Patent is that
`
`Abbott does not disclose the concept of tunneling that is the subject of the ’047 Patent.
`
`For example, in Abbott no communications are tunneled between the token and the
`
`server. Rather the token is merely used to provide authentication and “to store and
`
`retrieve passwords and digital certificates without requiring the use of vulnerable
`
`external interfaces.” Abbott 3:60-62. Encryption and decryption are performed by
`
`computer 102, and in particular by the VIEWDOC program, a plug-in to web browser
`
`262. Abbott fig. 2, 15:59-67. Accordingly, Abbott’s computer has access to both
`
`encryption keys and decrypted documents, and Abbott does not disclose any
`
`communications that are “tunneled” between the token and a server or the ’047 Patent’s
`
`concept of tunneling data through the host computer, in which the portable device
`
`communicates through the terminal network interface without the terminal having
`
`access to the tunneled data.
`
`39. Petitioner quotes Abbott’s reference to “point to point tunneling.” ’884
`
`Petition 16. But Abbott actually references “point to point tunneling protocol (PPTP),”
`PayPal Inc. v. IOENGINE, LLC
`17
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`a protocol that was typically built into Microsoft Windows operating systems, within a
`
`long list of other protocols and with no discussion of how the token would be used in
`
`such an environment. Abbott 4:41 (emphasis added). Ex. 2080.
`
`B.
`Shmueli
`40. Shmueli describes a “portable memory device” with software that can
`
`execute on a host computer. Shmueli [0006]-[0007], [0022], [0025]. Shmueli’s
`
`memory device plugs into a host computer’s USB port, and “will emulate a file system
`
`on a solid state mass storage device.” Id. [0026] [0031]. The software on Shmueli’s
`
`memory device “is configured to readily execute on the host 12 upon interface.” Id.
`
`[0028]. Shmueli’s applications that are “stored on the key 10 and capable of executing
`
`on the host 12 are referred to in general as keylets.” Shmueli [0031]; see also id.
`
`[0022], [0028], [0092]. Shmueli thus describes a typical USB mass storage device
`
`having particular applications and data stored on it.
`
`41. Shmueli’s storage device has no on-board processor, and thus cannot
`
`execute any program code. For example, Shmueli’s Figure 1 depicts CPUs in the host
`
`and server, but not in the memory device. Shmueli fig. 1, [0024], [0027], [0030].
`
`Shmueli’s disclosure of “control circuitry” that “assist[s] in interaction with the host
`
`computing devices as well as organizing the data stored thereon” is not a reference to
`
`an onboard device processor, but instead refers to device functionality that would be
`
`found on any USB mass storage device. Shmueli [0006]. Shmueli’s “control circuitry”
`
`18
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`is responsible for implementing the device side of a USB mass storage device. This is
`
`distinct from the invention of the ’047 Patent, in which the portable device comprises
`
`a processor that executes program code.
`
`42. One critical distinction between Shmueli and the ’047 Patent is that,
`
`following Shmueli’s authentication routine, which “run[s] on the host,” the Shmueli
`
`device becomes incidental to the execution of program code on the host computer.
`
`Shmueli figs. 3A−3B, [0035]-[0037]. This architecture is stated explicitly in the
`
`summary of Shmueli, where it is stated that the device is “primarily a memory device”
`
`that may not include control circuitry, and, if it does include control circuitry, the role
`
`of the control circuitry is simply to “assist in interaction with the host computing
`
`device.” Shmueli [0006]. The ’047 Patent, on the other hand, describes and claims
`
`execution of program code on the portable device, and further that such execution is in
`
`response to a communication resulting from user interaction with the interactive user
`
`interface on the terminal. E.g., ’047 Patent 31:5-8, 32:5-10.
`
`VII. CLAIM CONSTRUCTION
`A.
`IUI
`43. As used in the claims, “an interactive user interface” means “a
`
`presentation containing interface elements with which a user may interact to result in
`
`the terminal taking action responsively by modifying what is presented.”
`
`19
`PayPal Inc. v. IOENGINE, LLC
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`44. An example of the commonly used definition of an interactive user
`
`interface comes from an influential paper published at the 1992 ACM Conference on
`
`Human Factors in Computing Systems. Dennis J. M. J. de Baar et al., Coupling
`
`Application Design and User Interface Design, Published in CHI ’92 Proceedings of
`
`the SIGCHI Conference on Human Factors in Computing Systems, ACM, New York,
`
`NY, USA (1992), available at https://dl.acm.org/citation.cfm?id=142806, Ex. 2004. In
`
`this paper, de Baar et al. write that “[b]uilding an interactive application involves the
`
`design of both a data model and a graphical user interface (GUI) to present that model
`
`to the user.” Id. at p. 1 (Abstract). Furthermore, “[e]xternal attributes and methods are
`
`represented in the user interface as standard interaction objects such as buttons,
`
`settings, or sliders (hereafter referred to as “controls”) or as data manipulated directly
`
`by the user.” Id. at p. 1 (Introduction). Therefore, it would have been understood that
`
`an interactive user interface for such an interactive application would have user
`
`interface elements represented within the user interface.
`
`45.
`
`de Baar et al. further explain that “[i]nteraction objects are controls such
`
`as buttons, sliders, or menus that can be manipulated directly by the user.” By reference
`
`to Figures 1 and 2, which appear below, de Baar et al. further explain that “[e]very
`
`interaction object in the user interface is associated with an action or attribute in the
`
`application data model (Figure 1). In Figure 2, for example, the attribute ‘volume
`
`Input’ in the application data model is linked to a slider that can be used to change its
`PayPal Inc. v. IOENGINE, LLC
`20
`IPR2019-00884, IPR2019-00885 (US 8,539,047)
`Exhibit 2003
`
`

`

`
`
`value.” Id. at p. 2; Figs. 1-2. These interaction objects are presented within the user
`
`interface and are responsive to user interaction.
`
`
`
`
`
`46. The types of interactive user interfaces described in de Baar serve as
`
`baseline points of reference when considering the interactive user interface (“IUI”)
`
`described in the ’047 Patent. To begin with, although the interactive user interface
`
`(“IUI”) described in the ’047 Patent may be used to cause the TCAP to take actions,
`PayPal Inc. v. IOENGINE, LLC
`21
`IPR2019-00884, IPR2019