`_________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`_________________
`
`APPLE INC.,
`Petitioner
`
`v.
`
`RFCYBER CORP.,
`Patent Owner
`_________________
`
`Inter Partes Review Case No. IPR2022-00413
`U.S. Patent No. 9,240,009
`
`_________________
`
`SUPPLEMENTAL DECLARATION OF GERALD W. SMITH
`
`IPR2022-00413
`Apple EX1046 Page 1
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`
`TABLE OF CONTENTS
`
`INTRODUCTION ............................................................................................. 3
`I.
`II. OPINIONS REGARDING RFCYBER’S PATENT OWNER RESPONSE .... 4
`A. Person of Ordinary Skill in the Art ................................................................. 4
`B. Patent Owner and its Expert Identify No New Criticisms of Petitioner’s
`Motivation to Combine That Would Compel a Different Result From Institution8
`1. The Combination Does Not “Discard” SIP ................................................. 9
`2. A POSITA Would Have Been Expressly Motivated to Combine Dua and
`GlobalPlatform ................................................................................................. 16
`C. The Combination Discloses a Secure Element/Interface to Receive Secure
`Element ................................................................................................................ 23
`III. CONCLUSION ............................................................................................ 29
`
`
`
`
`
`
`
`
`IPR2022-00413
`Apple EX1046 Page 2
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`
`I, Gerald Smith, hereby declare the following:
`
`I.
`
`INTRODUCTION
`1. My name is Gerald Smith and I am over 21 years of age and otherwise
`
`competent to make this Declaration. I make this Declaration based on facts and
`
`matters within my own knowledge and on information provided to me by others.
`
`2.
`
`I submitted an original declaration (Ex. 1003) in support of Petitioner’s
`
`Petition for Inter Partes Review of U.S. Patent No. 9,240,009 (the “’009 Patent”). I
`
`understand the PTAB instituted the requested review and that the proceeding
`
`involves the full scope of the proposed grounds addressed in my initial declaration.
`
`I have been asked to address a few additional issues raised by Patent Owner in Patent
`
`Owner’s Response dated November 18, 2022 and the accompanying expert
`
`declaration of Mr. Miguel Gomez (Ex. 2007). All of my opinions expressed in my
`
`original declaration (Ex. 1003) remain the same.
`
`3.
`
`As part of my work and in forming my opinions in connection with this
`
`proceeding, I have reviewed the following materials. For any prior art listed below,
`
`it is my opinion persons of ordinary skill in my field would reasonably rely upon
`
`such prior art in forming opinions regarding the subject matter of this proceeding:
`
`• Materials relied on for my previous Declaration;
`• Patent Owner’s Response (“POR”) (Paper 16)
`• Declaration of Miguel Gomez (Ex. 2007)
`• Transcript of Deposition of Miguel Gomez (Ex. 1045)
`• EMV Card Personalization Specification, Version 1.0, June 2003 (Ex.
`1047)
`
`
`
`IPR2022-00413
`Apple EX1046 Page 3
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`• GlobalPlatform CPSdemonstrator Specification, Version 2.0 May 2006
`(Ex. 1048)
`• Zhiqun Chen. Java Card™ Technology for Smart Cards. Sun
`Microsystems. 2000. (“Chen”) (Ex. 1049)
`
`
`II. OPINIONS REGARDING RFCYBER’S
`RESPONSE
`A.
`Person of Ordinary Skill in the Art
`4.
`I understand that the Board adopted at institution, the level of skill in
`
`PATENT OWNER
`
`the art outlined in my previous declaration. I note that Patent Owner and its expert,
`
`Mr. Gomez, now propose rewriting the required level of skill of a POSITA to not
`
`require experience with mobile payment technology. Patent Owner Response
`
`(“POR”) at 7 (“2 or more years of academic or industry experience in computer
`
`security, network security or mobile payment technology”) (emphasis added). As
`
`stated in my prior opinions, a POSITA at the time of the ’009 Patent would have
`
`“been knowledgeable regarding mobile payment methods and systems including
`
`smart cards, smart card applications, smart card operating systems, and standards
`
`concerning smart cards” and would have had at least “one year of professional
`
`experience relating to mobile payment technology” for numerous reasons. I discuss
`
`several reasons why mobile payment technology experience is required below.
`
`5.
`
`I understand that the definition of a POSITA can be informed by the
`
`technology at issue (e.g., the teachings as a whole and the patent’s purpose), my
`
`general knowledge as a POSITA, all of my prior educational and industry
`
`
`
`IPR2022-00413
`Apple EX1046 Page 4
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`experience, and several pertinent factors including, for example, the types of
`
`problems encountered in the art, the prior art solutions to those problems, and the
`
`sophistication of the technology.
`
`6.
`
`First, when considering the ’009 Patent’s teachings as a whole, the ’009
`
`Patent’s purpose is related to mobile payment technology. Indeed, the ’009 Patent
`
`itself describes its “Technical Field” as “[p]articularly, the present invention is
`
`related to techniques for personalizing a secure element and provisioning an
`
`application such as an electronic purse that can be advantageously used in portable
`
`devices configured for both electronic commerce (a.k.a., e-commerce) and mobile
`
`commerce (a.k.a., m-commerce).” ’009 Patent at 1:18-24. I note that Patent Owner,
`
`Patent Owner’s expert Mr. Gomez, and the Board have all agreed that the ’009 Patent
`
`relates to mobile payment technology, including systems and methods for
`
`performing e-commerce and m-commerce. POR (Paper 16) at 1-5 (citing ’009
`
`Patent, 1:18-24), id. (“The inventors of the ’009 Patent realized that … ‘there is a
`
`need to provide techniques to personalize a secure element in a contactless smart
`
`card or an NFC-enabled mobile device so that such a device is secured and
`
`personalized when it comes to financial applications or secure transactions.’”), id.
`
`(“To solve these problems, the inventors of the ’009 Patent developed ‘techniques
`
`for personalizing secure elements in NFC devices to enable various secure
`
`
`
`IPR2022-00413
`Apple EX1046 Page 5
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`transactions over a network.’”); Ex. 2007 (Gomez Declaration) at ¶¶34-37;
`
`Institution Decision (Paper 12) at 4-8, 12-13.
`
`7.
`
`Second, considering the factors listed above, in my prior opinions I
`
`outlined the types of problems encountered in the art, prior art solutions to those
`
`problems, and the sophisticated aspects of mobile payment technology, including
`
`the technology at the heart of the ’009 Patent and the prior art. Ex. 1003 at ¶¶30-37
`
`(overviewing ’009 Patent and problems related to securely funding an e-purse along
`
`with known solutions for security, such as GlobalPlatform), 43-63 (overviewing
`
`GlobalPlatform and the relevant functionalities), 65-76 (overviewing other related
`
`mobile payment technology concepts in the art), 77-96 (overviewing Dua, Smart
`
`Card Handbook and Thibadeau).
`
`8.
`
`For instance, the ’009 Patent itself describes problems, solutions, and
`
`articulates the sophisticated nature of mobile payment technology. In order to
`
`understand these problems, solutions, and sophisticated topics, a POSITA would
`
`have needed professional mobile payment technology experience. For example, the
`
`’009 Patent generally describes concepts related to mobile payment technology, such
`
`as e-purses, security including cryptographic keys, card manager security including
`
`“a Global Platform (GP),” emulators, and smart card communications involving
`
`application protocol data units (APDUs). Some problems noted in the ’009 Patent
`
`include providing security for e-purse funding techniques. The ’009 Patent describes
`
`
`
`IPR2022-00413
`Apple EX1046 Page 6
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`e-purse security involving a set of protocols enabling micro payment transactions
`
`and involving a set of cryptographic keys (“either symmetric or asymmetric”) stored
`
`on a smart card and wherein a set of keys is personalized into the purse. ’009 Patent
`
`at 10:3-9. The ’009 Patent provides known solutions to this “security problem”—
`
`such as a “secured element 529 contains a Global Platform (GP) card manager 526”
`
`where the global platform “provide[s] a security mechanism necessary to personalize
`
`e-purse applets designed therefor. In operation, a security domain is used for
`
`establishing a secured channel between a personalization application server and the
`
`e-purse applet.” ’009 Patent at 15:39-44, 18:19-20.
`
`9.
`
`The ’009 Patent further describes other sophisticated mobile payment
`
`technology concepts. For example, the ’009 patent describes a “Smart MX (SMX)
`
`module” including “[t]he SMX is pre-loaded with a Mifare emulator 288 (which is
`
`a single functional card) for storing values.” ’009 Patent at 14:44, 14:51-52.
`
`Additionally, “the SMX is a JavaCard that can run Java applets. According to one
`
`embodiment, an e-purse is built as an applet in SMX.” ’009 Patent at 14:54-56.
`
`Further, the ’009 Patent describes APDU commands, which were well known to be
`
`a standard messaging protocol for smart cards according to GlobalPlatform. ’009
`
`Patent at 14:40-45 (“The MIDlet strips and extracts the APDU commands from the
`
`response and forwards the commands the e-purse at 418. The e-purse applet verifies
`
`the commands at 420 and, provided they are authorized, send the commands to the
`
`
`
`IPR2022-00413
`Apple EX1046 Page 7
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`emulator at 420 and, meanwhile updating a transaction log.”), 17:62-67 (“The e-
`
`purse manager 434 verifies the authenticity (e.g., in APDU format) and sends
`
`commands to the emulator 438 and updates the transaction logs. By now, the e-purse
`
`applet 436 finishes the necessary steps and returns a response to the MIDlet 434 that
`
`forwards an (APDU) response in a network request[.]”).
`
`10. Thus, for the reasons I discussed above and in my prior declaration (Ex.
`
`1003, ¶¶28-29) including the ’009 Patent’s Technical Field and purpose and factors
`
`such as the type of problems encountered in the art, the prior art solutions to those
`
`problems, and the sophistication of the technology, the level of skill of a POSITA
`
`would have required at least “one year of professional experience relating to mobile
`
`payment technology” (where “[l]ack of professional experience could be remedied
`
`by additional education, and vice versa”) to understand these unique mobile payment
`
`technology concepts. Further, because the Challenged Claims are not directed to
`
`merely generic communication protocols, the level of skill of a POSITA would have
`
`required at least one year of experience with mobile payment technologies to
`
`understand the Challenged Claims and the prior art.
`
`B.
`Patent Owner and its Expert Identify No New Criticisms of
`Petitioner’s Motivation to Combine That Would Compel a Different
`Result From Institution
`11.
`In my original declaration, I discussed in detail the reasons a POSITA
`
`would be motivated to combine Dua and GlobalPlatform. See, e.g., Ex. 1003 at 98-
`
`
`
`IPR2022-00413
`Apple EX1046 Page 8
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`105.1 Based on my review of the POR, Mr. Gomez’s declaration, and Mr. Gomez’s
`
`deposition testimony, I understand Patent Owner and Mr. Gomez raise certain issues
`
`related to these motivations.
`
`1.
`The Combination Does Not “Discard” SIP
`Initially, I note that Patent Owner and Mr. Gomez have interpreted the
`
`12.
`
`proposed combination of Dua and GlobalPlatform as entirely replacing Dua’s use of
`
`the SIP protocol (such as the ability to construct an endpoint-to-endpoint connection)
`
`with GlobalPlatform’s personalization techniques. POR at 8-18. This position is
`
`inconsistent with Petitioner’s proposed combination and my opinions supporting this
`
`combination.
`
`13. Patent Owner is incorrect that the proposed combination “replaces”
`
`SIP’s endpoint connections with GlobalPlatform. Looking first at the claim language
`
`of the ’009 Patent, limitations [1di] and [1dii] (as described in the Petition) require
`
`an initial connection between the smart card and a server in order to: (1) download
`
`an application; and (2) send information identifying this application to the server.
`
`Petition, 22-23; Ex. 1001, 24:24-27 (“sending to a server via the network interface
`
`an identifier identifying the application together with device infor-mation of a secure
`
`element, wherein the application is downloaded from the network in the mobile
`
`device”). The Petition provides that Dua’s SIP connection establishes this initial
`
`
`1 All citations to Ex. 1003 and Ex. 2007 are to paragraph numbers.
`
`
`
`IPR2022-00413
`Apple EX1046 Page 9
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`connection between the smart card and the server for these claimed processes.
`
`Petition, 22 (“As modified by GlobalPlatform, after Dua’s smart card determines
`
`that it has installed an Application, the Issuer Security Domain (part of the Card
`
`Manager) generates the appropriate receipt, and would have transmitted the receipt,
`
`via the wireless SIP session provided by the wallet application, to the WCM”); id.
`
`(“This would have been done over the wireless interface through which the SIP
`
`session is established”), (“Extensions are sent from Dua’s WCM to the wallet
`
`application during a SIP session”); see also id., 18 (“Dua’s extensions are
`
`downloaded from a wireless credential manager (“WCM”) over a SIP
`
`communication channel formed between the wallet application and the WCM”).
`
`Thus, in my opinion PO is wrong that the combination “discards” SIP—the
`
`combination expressly maintains SIP for its intended purpose, to establish the initial
`
`link between Dua’s smart card and the server.
`
`14. Put simply, in the combination, Dua’s SIP protocol constructs the
`
`connection between endpoints, and GlobalPlatform establishes a secure channel
`
`within that connection for smart card specific communications. Petition, 24-26. In
`
`other words, the combination utilizes Dua’s SIP protocol to connect one endpoint to
`
`another and to utilize GlobalPlatform’s security on top of said SIP protocol to
`
`construct a secure channel.
`
`
`
`IPR2022-00413
`Apple EX1046 Page 10
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`In more detail, in the proposed combination, Dua teaches utilizing the
`
`15.
`
`SIP protocol to connect endpoints. Dua at [0093] (“SIP (Session Initiation Protocol,
`
`RFC 3261) is a text-based application protocol that allows two endpoints in the
`
`Internet to discover one another to exchange context information about a session
`
`they would like to share.”), [0095]-[0096] (“SIP supports five facets of establishing
`
`and terminating multimedia communications: 1. User Location: Determination of
`
`the end system to be used for communication[.]”). In my opinion, Dua’s SIP
`
`networking protocol for connecting endpoints functions like a “pipe” to connect the
`
`two endpoints (e.g., smart card and server or host such as Dua’s WCM) together
`
`over a network. Then, as detailed in the Petition and my prior opinions,
`
`GlobalPlatform establishes a “Secured Channel” over this initial connection.
`
`Petition, 24-26; Ex. 1003, 140-145.
`
`16. For the reasons I discuss below, it is my opinion that Dua and
`
`GlobalPlatform operate concomitantly to establish endpoint connections and a
`
`secure channel over that SIP connection. As also outlined below, a POSITA would
`
`have understood that in the combination, GlobalPlatform’s processes relying on the
`
`exchange of APDU messages would be sent over Dua’s SIP endpoint-to-endpoint
`
`connection (“pipe”) because, (1) SIP is derived from HTTP, (2) APDUs are the
`
`standard messaging protocol for smart cards, and (3) it was known to transmit
`
`APDUs over HTTP.
`
`
`
`IPR2022-00413
`Apple EX1046 Page 11
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`
`a)
`SIP is Derived from HTTP
`17. A POSITA would have understood from Dua that the SIP protocol is
`
`derived from HTTP. Dua teaches “SIP is based on an HTTP-like request/response
`
`transaction model.” Dua at [0102], id. (“SIP uses most of the header fields, encoding
`
`rules, and status codes of HTTP.”), [0132] (teaching the same), [201] (“The
`
`following discussion covers security mechanisms and procedures which may be used
`
`in a preferred embodiment of the system of the present invention. Since the SIP
`
`message structure is a straight derivation from the HTTP request/response model,
`
`all security mechanisms available for HTTP (RFC 2617) can also be applied to SIP
`
`sessions.”), [0494] (“The connection between the wallet application and the storage
`
`service could utilize an application protocol such as HTTP, SIP, or others.”).
`
`b) APDU’s are the Standard Messaging Protocols for
`Smart Cards
`18. GlobalPlatform teaches transmitting APDUs as one of the common
`
`formats for smart-card-based messaging. For example, GlobalPlatform teaches
`
`APDUs are the “[s]tandard communication messaging protocol between a card
`
`accepting device and a smart card[.]” GlobalPlatform at 18. Namely, GlobalPlatform
`
`teaches transmitting APDUs over Secure Channels via Secure Channel Protocols.
`
`GlobalPlatform at 30 (teaching the Security Domain “has a well-defined external
`
`APDU interface to ensure that all Security Domain implementations behave
`
`consistently and can be managed identically by the same off-card management
`
`
`
`IPR2022-00413
`Apple EX1046 Page 12
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`systems. As the majority of these services and APDU commands are related to Card
`
`Content management, the Security Domain is closely interacting with the OPEN.”),
`
`39 (“The state OP_READY indicates that the runtime environment shall be available
`
`and the Issuer Security Domain, acting as the selected Application, shall be ready to
`
`receive, execute and respond
`
`to APDU commands.”), 101-103 (teaching
`
`transmitting APDUs to initiate secure channels and perform secure messaging); see
`
`generally id., 213-234 (teaching Secure Channel Protocol functions including
`
`transmitting APDUs).
`
`19. Other known works in the mobile payment technologies field support
`
`that APDUs are a standard messaging protocol for smart cards. For example, Java
`
`Card Technology for Smart Cards, Architecture and Programmer’s Guide, by
`
`Zhiqun Chen (“Chen”) teaches “smart cards speak to other computers by using their
`
`own data packets – called APDUs (application protocol data units). An APDU
`
`contains either a command or a response message.” Chen (Ex. 1049) at 26. Chen
`
`discloses a smart card communication model where APDUs are transmitted between
`
`a host (e.g., computer, server) and a smart card:
`
`
`
`IPR2022-00413
`Apple EX1046 Page 13
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`
`
`
`Chen at 27.
`
`c)
`It was Known to Transmit APDUs Over HTTP
`20. At the outset, a POSITA would have understood that APDUs, which
`
`are the standard messaging protocol for smart card communications as explained
`
`above, would have been transmitted over a network for performing various smart
`
`card functions including security and transactions. See, e.g., GlobalPlatform at 101-
`
`103, 213-234. For example, APDU commands are utilized for performing functions
`
`such as DELETE, INSTALL, and PUT KEY. GlobalPlatform at 105. Additionally,
`
`GlobalPlatform teaches APDUs are involved in setting up a Secure Channel, as
`
`depicted in Figure E-1 below:
`
`
`
`IPR2022-00413
`Apple EX1046 Page 14
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`
`GlobalPlatform at 215 (“Figure E-1” annotated), 214-216 (teaching Secure Channel
`
`Protocol SCP02 utilizes APDUs for Secure Channel initiation and message
`
`
`
`integrity).
`
`21. One common type of network protocol over which APDU’s are
`
`transmitted for smart card communications was HTTP. One example is taught by
`
`Thibadeau (Ex. 1041). Thibadeau teaches an “Issuance Server 170, located in a
`
`computer server 172 provides APDUs over HTTP to a local computer 174. The local
`
`computer includes an Issuance Client 176 that transmits the APDUs over ATA to
`
`the trusted drive 178.” Thibadeau at [0123], [0126] (“The APDU exchange between
`
`the Issuance server and the Issuance Client occurs over the hypertext transfer
`
`protocol (http), using a lightweight wrapper protocol.”). Below I have provided an
`
`
`
`IPR2022-00413
`Apple EX1046 Page 15
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`annotated version of Fig. 10 of Thibadeau illustrating APDUs transmitted over
`
`HTTP:
`
`
`
`Thibadeau at Fig. 10 (annotated). A POSITA would have understood that HTTP is
`
`thus one network protocol for transmitting APDUs over a network between
`
`endpoints. As I opined above, Dua expressly teaches SIP is derived from HTTP and
`
`uses HTTP security. See ¶17 above. A POSITA would have understood that
`
`transmitting APDUs between endpoints using a network protocol such as SIP would
`
`have functioned the same way as transmitting APDUs between endpoints over a
`
`network protocol such as HTTP, as taught by Thibadeau. Thus, in the proposed
`
`combination, Dua’s SIP protocol would have been used
`
`to
`
`transport
`
`GlobalPlatform’s APDUs over a network between said endpoints.
`
`2.
`
`A POSITA Would Have Been Expressly Motivated to
`Combine Dua and GlobalPlatform
`22. First, Patent Owner argues that Dua’s express interoperability goal that
`
`its “wallet application should meet standards defined by card organizations” does
`
`not motivate a POSITA to combine Dua and GlobalPlatform. POR at 15-17. In
`
`support of this position, Patent Owner suggests that a “POSITA would understand
`
`
`
`IPR2022-00413
`Apple EX1046 Page 16
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`that GlobalPlatform is not related to interoperability between chip cards and
`
`terminals; it purports to provide a ‘card management architecture.’” POR at 15; Ex.
`
`2007 at 59-62. In my opinion, Patent Owner is mistaken. A POSITA would have
`
`understood that GlobalPlatform is related to interoperability between chip cards and
`
`terminals as well as other components. Indeed, GlobalPlatform itself teaches its
`
`architecture includes numerous components such as cards, card acceptance devices,
`
`terminal management systems, card management systems, and other components, as
`
`illustrated in the figure below:
`
`
`
`
`
`IPR2022-00413
`Apple EX1046 Page 17
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`Ex. 1006 at 27, 16; Ex. 1003 at 46, 177. Specifically, GlobalPlatform teaches that
`
`“GlobalPlatform cards are intended to be functional in the widest range of
`
`environments (i.e., Card Acceptance Devices).” GlobalPlatform at 161. A POSITA
`
`would therefore have understood that GlobalPlatform is related to interoperability
`
`between chip cards and terminals. Further on the issue of interoperability,
`
`GlobalPlatform also teaches that Application Protocol Data Units (APDUs) are
`
`“[s]tandard communication messaging protocol between a card accepting device and
`
`a smart card[,]” further supporting interoperability with payment terminals (e.g.,
`
`card acceptance devices). Ex. 1006 at 18; Ex. 1003 at 49, 57, 61. Additionally,
`
`interoperability was a key concern in the smart card industry and a POSITA would
`
`have understood that the smart card industry encouraged interoperability in many
`
`respects and across many complementary standards.” For example, I discuss two
`
`examples involving EMV and GlobalPlatform at ¶¶25-26 below.
`
`23. Second, Patent Owner argues that “unlike EMV, GlobalPlatform is not
`
`a card organization” and is “not payment-related[.]” POR at 16-17; Ex. 2007 at 63.
`
`In my opinion, Patent Owner is mistaken. Initially, Patent Owner appears to
`
`narrowly interpret Dua’s disclosures at [0525], limiting Dua’s compatibility to
`
`“payment-related” standards while ignoring all other card organization standards.
`
`But nothing in Dua requires a “payment-related” standard. However, even if Dua
`
`only suggested compatibility with payment-related standards, a POSITA would have
`
`
`
`IPR2022-00413
`Apple EX1046 Page 18
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`understood that GlobalPlatform is “payment-related.” GlobalPlatform, which “has
`
`been established by leading companies from the payments and communications
`
`industries” is a standard defined by a card organization (GlobalPlatform Inc.) and
`
`is related to the use of smart cards for performing transactions. “[T]he cards can be
`
`used with mobile phones to make purchases over the Internet as well as to securely
`
`access a PC.” Ex. 1006 at 16. Additionally, GlobalPlatform teaches card acceptance
`
`devices and servers as part of its architecture. Ex. 1006 at 27; Ex. 1003 at 46, 177.
`
`As I opined above, GlobalPlatform is related to security for performing transactions
`
`and interoperability between smart cards and off-card entities including card
`
`terminal devices and remote servers. Thus, a POSITA would have understood that
`
`GlobalPlatform is “payment-related” and is thus a standard defined by a card
`
`organization even under Patent Owner’s overly narrow interpretation of Dua.
`
`24. Third, Patent Owner also interprets Dua’s disclosures at [0014] and
`
`[0525] narrowly to suggest only that its “wallet application should meet the EMV
`
`standard,” not other known standards. POR at 14-17. In support, Patent Owner relies
`
`on Ex. 2003, which is an EMVCo Guide to EMV chip technology. However, Patent
`
`Owner’s Exhibit 2003 teaches that EMVCo collaborates with other standards
`
`organizations and industry bodies, including GlobalPlatform. Specifically, I note
`
`that Patent Owner’s Exhibit 2003 states the “EMV Chip Specifications cannot be
`
`considered in isolation, and to this end, EMVCo collaborates with other industry
`
`
`
`IPR2022-00413
`Apple EX1046 Page 19
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`bodies and standards organisations. Examples of this collaboration are given below”
`
`and include Global Platform. Ex. 2003 at 16:
`
`GlobalPlatform – Part of EMVCo’s activities is to review the
`functionality and security of platforms on which an EMV chip
`payment application will reside. Alignment with standards bodies
`such as GlobalPlatform are important as EMV chip payment
`applications are increasingly implemented on shared chip platforms
`that support multiple applications, each from a different application
`owner.
`Therefore, in my opinion, a POSITA would have understood that Dua’s teaching of
`
`card organizations and an EMV-Compliant wallet application would have motivated
`
`a POSITA to look to a card organization such as GlobalPlatform (Inc.) for assisting
`
`with management of applications on Dua’s smart card because the GlobalPlatform
`
`specification provides well-known security and implementation details for those
`
`very purposes. Ex. 1003 at ¶¶99-105.
`
`25.
`
`Indeed, it was well-known that the smart card industry encouraged
`
`interoperability across various complementary standards. For example, EMV
`
`technologies incorporated many details from GlobalPlatform and vice versa. For
`
`example, the EMV Card Personalization Specification incorporated aspects of
`
`GlobalPlatform. Ex. 1047. The EMV Card Personalization specification teaches
`
`“[t]he data preparation system must protect the completed personalization data file
`
`for integrity and authenticity (e.g., MAC or signed hash). For examples of
`
`implementation,
`
`see GlobalPlatform Load and Personalization
`
`Interface
`
`
`
`IPR2022-00413
`Apple EX1046 Page 20
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`Specification.” Ex. 1047 at 17. In another example, several data elements such as
`
`CRN (Card and Application Management System (CAMS) Reference Number),
`
`STATUSCOLL, NUMBERPID, and IDVC1 also refer to GlobalPlatform specifications.
`
`Ex. 1047 at 34, 10. In yet another example, the EMV Card Personalization
`
`Specification teaches an “example of the complete structure of the log file including
`
`a header record is specified in GlobalPlatform Load and Personalization Interface
`
`Specification.” Ex. 1047 at 53. Thus, a POSITA would have understood that EMV
`
`technologies and standards both suggested compatibility with GlobalPlatform and
`
`incorporated GlobalPlatform functionalities.
`
`26. Additionally, I provide a research example below detailing an EMV
`
`compliant device that uses GlobalPlatform personalization techniques. Namely, the
`
`GlobalPlatform CPSdemonstrator Specification teaches a “Sample Applet to
`
`exercise EMV CPS.” Ex. 1048 at 1. Ex. 1048 teaches that the document “provides
`
`the specifications for the CPSdemonstrator application. The application’s design is
`
`based on the EMV Card Personalization Specification, a common approach to
`
`personalization for all IC card applications.” Ex. 1048 at 6. Indeed, Ex. 1048
`
`references the EMV Card Personalization Specification v1.0 and GlobalPlatform
`
`Card Specification v2.2 as well as EMV Integrated Circuit Card Specifications for
`
`Payment Systems v4.1. Ex. 1048 at 8.
`
`
`
`IPR2022-00413
`Apple EX1046 Page 21
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`27. Finally, in my opinion, Patent Owner is also incorrect in suggesting
`
`that Dua does not reference Java Card. POR at 17. I note that Dua expressly teaches
`
`“Java applets running in a mobile phone,” which a POSITA would have understood
`
`is a reference to Java Card, which was a well-known smart card for running Java
`
`applets in mobile devices. Dua at [0216]; Ex. 1003 at 102-105, 120, 205;
`
`GlobalPlatform at 16 (“By the mid-1990s, a number of very significant
`
`breakthroughs occurred in the chip card industry with the introduction of open
`
`systems specifications for Application development. The three leading technologies
`
`in this area are Java Card™ …”). Further, a POSITA would have been motivated to
`
`combine Dua with GlobalPlatform because GlobalPlatform was the “de facto
`
`standard for loading and managing Java-based applications with the Java Card
`
`operating system.” Ex. 1003 at 102-105 (including citing Ex. 1008 at 290, which
`
`discloses “GlobalPlatform ‘has primarily become the de facto standard for loading
`
`and managing Java-based applications with the Java Card operating system.’”).
`
`Indeed, a POSITA would have known that Java Card was one of the most important
`
`and dominant smart card options at that time. GlobalPlatform at 16 (“Beginning in
`
`the mid-1990s, a number of very significant breakthroughs occurred in the chip card
`
`industry with the introduction of open systems specifications for Application
`
`development. The three leading technologies in this area are Java Card™ … These
`
`technology specifications provide an important contribution to the solution towards
`
`
`
`IPR2022-00413
`Apple EX1046 Page 22
`
`
`
`Inter Partes Review No. IPR2022-00413
`U.S. Patent No. 9,240,009
`the multi-Application chip card vision[.]”), Therefore, a POSITA would also have
`
`been “separately motivate[d]” to combine Dua with GlobalPlatform.
`
`C. The Combination Discloses a Secure Element/Interface to Receive
`Secure Element
`28.
`I previously opined that Dua in view of GlobalPlatform teaches a
`
`GlobalPlatform-complaint smart card, which satisfies the claimed “secure element.”
`
`Ex. 1003 at 100, 112-125, 131-136, 140-145, 149-155. In its POR, Patent Owner
`
`argues now that the “secured element” must be “tamper resistant.” POR at 19-20;
`
`Ex. 2007 at 72-75. To the extent it is determined the “secured element” must be
`
`“tamper-resistant,” in my opinion, Dua in view of GlobalPlatform teaches a “tamper-
`
`resistant” smart card, which is a “secure element” according to Patent Owner’s own
`
`definition.
`
`29.
`
`I understand that Patent Owner and Mr. Gomez rely on the ’009
`
`Patent’s specification to support an interpretation that a “secure element” must be
`
`“tamper resistant.” POR at 19. Namely, Patent Owner relies on Ex. 1001 at 6:62-64,
`
`which I reproduce below:
`
`In one embodiment, the SE 102 is a tamper proof Smart Card chip capable
`
`to embed smart card-grade applications (e.g., payment, transport