Case 1:23-cv-00324-ADA Document 133 Filed 09/13/24 Page 1 of 712
`
`EXHIBIT 14
`Public Version
`
`

`

`Case 1:23-cv-00324-ADA Document 133 Filed 09/13/24 Page 2 of 712
`
`CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`
`IN THE UNITED STATES DISTRICT COURT
`FOR THE WESTERN DISTRICT OF TEXAS
`AUSTIN DIVISION
`
`CARBYNE BIOMETRICS, LLC,
`
`Plaintiff,
`
`Civil Action No. 1:23-cv-00324
`
`vs.
`
`APPLE INC.,
`
`Defendant.
`
`JURY TRIAL
`
`EXPERT REPORT OF SETH NIELSON, PH.D., B.E., REGARDING INVALIDITY OF
`U.S. PATENT NOS. 10,929,512; 11,514,138; AND 11,475,105.
`
`Executed on August 21, 2024
`in Houston, TX
`
`Signed:
`
`

`

`Case 1:23-cv-00324-ADA Document 133 Filed 09/13/24 Page 3 of 712
`
`CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`
`Table of Contents
`I.
`II.
`III.
`IV.
`V.
`
`i.
`ii.
`iii.
`iv.
`v.
`
`A.
`
`B.
`C.
`
`E.
`
`INTRODUCTION, QUALIFICATION, AND ASSIGNMENT............................................................................ 1
`FOUNDATIONAL INFORMATION ....................................................................................................................... 10
`MATERIALS CONSIDERED .............................................................................................................................. 11
`SUMMARY OF OPINIONS .................................................................................................................................. 12
`LEGAL PRINCIPLES ................................................................................................................................................. 12
`PERSON OF ORDINARY SKILL IN THE ART .............................................................................................................................. 13
`the educational level of the inventor(s) and active workers in the field; ......................................................... 13
`the type of problems encountered in the art;............................................................................................................... 13
`any prior art solutions to those problems;.................................................................................................................... 13
`the rapidity with which innovations are made; and ................................................................................................. 13
`the sophistication of the technology. .............................................................................................................................. 13
`PRIORITY DATE & DATE OF INVENTION ................................................................................................................................. 13
`CLAIM CONSTRUCTION ................................................................................................................................................................ 15
`D. ANTICIPATION AND OBVIOUSNESS ........................................................................................................................................... 17
`OBVIOUSNESS .................................................................................................................................................................................. 20
`F. WRITTEN DESCRIPTION ................................................................................................................................................................ 24
`PATENTABLE SUBJECT MATTER ................................................................................................................................................ 24
`STANDING ........................................................................................................................................................................................... 25
`THE ASSERTED CLAIMS ................................................................................................................................... 25
`’512 PATENT .................................................................................................................................................................................... 26
`’138 PATENT .................................................................................................................................................................................... 28
`’105 PATENT .................................................................................................................................................................................... 30
`TECHNICAL OVERVIEW OF THE AUTHENTICATION PATENTS .............................................................. 32
`STATE OF THE ART ................................................................................................................................................ 38
`A. AUTHENTICATION .......................................................................................................................................................................... 38
`BIOMETRIC AUTHENTICATION .................................................................................................................................................... 40
`AUTHENTICATION WITH CRYPTOGRAPHIC KEYS .......................................................................................................................... 45
`TRUSTED EXECUTION ENVIRONMENTS AND TPM .................................................................................................................... 53
`RESTRICTED INTERFACE .............................................................................................................................................................. 57
`SECURE BACKUPS .......................................................................................................................................................................... 63
`G. WIPING RECORDS ........................................................................................................................................................................... 69
`H. AUTOFILL .......................................................................................................................................................................................... 72
`SECURE CONNECTION USING HTTPS ..................................................................................................................................... 73
`BACKGROUND OF THE ’512 PATENT ......................................................................................................... 75
`TECHNICAL OVERVIEW OF THE ’512 PATENT ....................................................................................................................... 75
`PROSECUTION HISTORY OF THE ’512 PATENT ...................................................................................................................... 76
`PRIORITY DATE OF THE ’512 PATENT ...................................................................................................................................... 77
`BACKGROUND OF THE ’138 PATENT ............................................................................................................... 77
`TECHNICAL OVERVIEW OF THE ’138 PATENT ....................................................................................................................... 77
`PROSECUTION HISTORY OF THE ’138 PATENT ...................................................................................................................... 77
`
`G.
`H.
`VI.
`A.
`B.
`C.
`VII.
`VIII.
`
`B.
`C.
`D.
`E.
`F.
`
`I.
`IX.
`A.
`B.
`C.
`
`X.
`
`A.
`B.
`
`ii
`
`

`

`Case 1:23-cv-00324-ADA Document 133 Filed 09/13/24 Page 4 of 712
`
`CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`
`PATENT, CLAIMS 1, 7, 8, 10, 12, AND 25 OF THE ’138 PATENT, AND CLAIMS 1, 9, 14, AND 35 OF THE ’105 PATENT
`
`PRIORITY DATE OF THE ’138 PATENT ...................................................................................................................................... 80
`C.
`BACKGROUND OF THE ’105 PATENT ......................................................................................................... 80
`XI.
`A. TECHNICAL OVERVIEW OF THE ’105 PATENT ....................................................................................................................... 80
`B.
`PROSECUTION HISTORY OF THE ’105 PATENT ...................................................................................................................... 81
`C.
`PRIORITY DATE OF THE ’105 PATENT ...................................................................................................................................... 81
`XII.
`LEVEL OF SKILL IN THE ART ........................................................................................................................ 93
`XIII. OVERVIEW OF THE PRIOR ART ................................................................................................................... 95
`A. UPEK EIKON TO GO WITH A LAPTOP RUNNING WINDOWS 7 ULTIMATE UPEK PROTECTOR SUITE QL 5.8
`(“EIKON TO GO SYSTEM”) ...................................................................................................................................................................... 95
`B. APRICORN AEGIS BIO BIOMETRICALLY SECURE PORTABLE HARD DRIVE WITH UPEK PROTECTION SUITE
`AND WINDOW HOST MACHINE (“AEGIS BIO SYSTEM”) ............................................................................................................... 99
`C. U.S. PATENT NO. 10,360,351 (“JAKOBSSON ’351”) .......................................................................................................... 103
`D. EUROPEAN PATENT APPLICATION PUBLICATION NO. 2079023 A2 (“HITACHI ’023”) ........................................ 104
`E. U.S. PATENT PUBLICATION NO. 2011/0138450 (“KESANUPALLI”) ........................................................................... 106
`F. U.S. PATENT PUBLICATION NO. 2004/0117636 (“CHENG”) ......................................................................................... 108
`G. LENOVO THINKPAD T410 WITH SECURE COPROCESSOR USING WINDOWS 7 ULTIMATE, LENOVO’S CLIENT
`SECURITY SOLUTION, AND LENOVO’S THINKVANTAGE FINGERPRINT SOFTWARE (“THINKPAD SYSTEM”) ........... 110
`H. DROPBOX ....................................................................................................................................................................................... 112
`I.
`REMOTE DESKTOP ......................................................................................................................................................................... 115
`J.
`RSA SECURID .............................................................................................................................................................................. 116
`K. U.S. PATENT PUBLICATION NO. 2015/0339495 (“BLACKBERRY ’495”).................................................................. 117
`L. U.S. PATENT NO. 8,996,885 (“BROADCOM ’885”) .......................................................................................................... 120
`XIV. GROUNDS OF INVALIDITY BASED ON PRIOR ART .......................................................................... 122
`A. GROUND 1 – EIKON TO GO SYSTEM ANTICIPATES OR RENDERS OBVIOUS CLAIMS 1, 2, 4, AND 10 OF THE ’512
`122
`
`1.
`Combination of Eikon To Go System and Dropbox ................................................................................................. 122
`2.
`Combination of Eikon To Go System and RSA SecurID ......................................................................................... 125
`3.
`Combination of Eikon To Go System and Remote Desktop.................................................................................. 130
`4.
`Combination of Eikon To Go System, RSA SecurID and Remote Desktop ...................................................... 132
`5.
`Combination of Eikon To Go and BlackBerry ’495 ................................................................................................. 133
`Combination of Eikon To Go, RSA SecurID and BlackBerry ’495 ...................................................................... 135
`6.
`Combination of Eikon To Go plus RSA SecurID plus Hitachi ’023 ..................................................................... 136
`7.
`8.
`’512 Patent ............................................................................................................................................................................. 141
`9.
`’138 Patent ............................................................................................................................................................................. 201
`10.
`’105 Patent ............................................................................................................................................................................. 237
`B. GROUND 2 – KESANUPALLI IN VIEW OF HITACHI ’023 AND/OR KESANUPALLI IN VIEW OF HITACHI ’023 AND
`CHENG RENDERS OBVIOUS CLAIMS 1, 9, 14, AND 35 OF THE ’105 PATENT.......................................................................... 254
`1.
`Combination of Kesanupalli and Hitachi ’023 .......................................................................................................... 255
`2.
`Combination of Kesanupalli, Cheng, and Hitachi ’023 .......................................................................................... 257
`3.
`’105 Patent ............................................................................................................................................................................. 260
`C. GROUND 3 –JAKOBSSON 351 RENDERS OBVIOUS CLAIMS 1, 9, 14, AND 35 OF THE ’105 PATENT .................... 306
`1.
`Combination of Jakobsson ’351 and Hitachi ’023 ................................................................................................... 306
`2.
`’105 Patent ............................................................................................................................................................................. 309
`D. GROUND 4 – AEGIS BIO SYSTEM ANTICIPATES OR RENDERS OBVIOUS CLAIMS 1, 2, 4, AND 10 OF THE ’512
`328
`
`1.
`Combination of the Aegis Bio System and Cheng .................................................................................................... 328
`2.
`Combination of the Aegis Bio System and BlackBerry ’495 ................................................................................ 330
`3.
`Combination of the Aegis Bio System and Hitachi ’023 ........................................................................................ 332
`4.
`’512 Patent ............................................................................................................................................................................. 335
`
`PATENT, CLAIMS 1, 7, 8, 10, 12, AND 25 OF THE ’138 PATENT, AND CLAIMS 1, 9, 14, AND 35 OF THE ’105 PATENT
`
`
`
`iii
`
`

`

`Case 1:23-cv-00324-ADA Document 133 Filed 09/13/24 Page 5 of 712
`
`CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`
`’512 PATENT, CLAIMS 1, 7, 8, 10, 12, AND 25 OF THE ’138 PATENT, AND CLAIMS 1, 9, 14, AND 35 OF THE ’105
`
`’138 Patent ............................................................................................................................................................................. 396
`5.
`’105 Patent ............................................................................................................................................................................. 423
`6.
`E.
`GROUND 5 – BROADCOM ’885 ANTICIPATES OR RENDERS OBVIOUS CLAIMS 1, 9, 14, AND 35 OF THE ’105 PATENT
`434
`
`Combination of Broadcom ’885 and Hitachi ’023 ................................................................................................... 434
`1.
`’105 Patent ............................................................................................................................................................................. 436
`2.
`F. GROUND 6 – THE THINKPAD SYSTEM ANTICIPATES OR RENDERS OBVIOUS CLAIMS 1, 2, 4, AND 10 OF THE
`PATENT ....................................................................................................................................................................................................... 478
`Combination of ThinkPad System and Dropbox ...................................................................................................... 479
`1.
`Combination of ThinkPad System and RSA SecurID .............................................................................................. 481
`2.
`3.
`Combination of ThinkPad System and Remote Desktop ...................................................................................... 484
`4.
`Combination of ThinkPad System, RSA SecurID and Remote Desktop ........................................................... 486
`5.
`Combination of ThinkPad System and BlackBerry ’495 ....................................................................................... 487
`6.
`Combination of ThinkPad System, RSA SecurID and BlackBerry ’495 ........................................................... 489
`7.
`Combination of ThinkPad System plus RSA SecurID plus Hitachi ’023 .......................................................... 490
`8.
`’512 Patent ............................................................................................................................................................................. 496
`9.
`’138 Patent ............................................................................................................................................................................. 580
`10.
`’105 Patent ............................................................................................................................................................................. 622
`XV.
`INVALIDITY BASED ON LACK OF WRITTEN DESCRIPTION ....................................................... 639
`A. CLAIMS 1, 2, 4, AND 10 OF THE ’512 PATENT LACK SUFFICIENT WRITTEN DESCRIPTION SUPPORT FOR THE
`TERM “RESTRICTED INTERFACE” ........................................................................................................................................................ 639
`XVI. ALLEGED SECONDARY CONSIDERATIONS ......................................................................................... 641
`XVII. ALL ASSERTED CLAIMS OF THE AUTHENTICATION PATENTS ARE INVALID UNDER
`SECTION 101......................................................................................................................................................................... 643
`A. THE ASSERTED CLAIMS OF THE AUTHENTICATION PATENTS ARE DIRECTED TO AN ABSTRACT IDEA ............... 643
`B.
`THE ASSERTED CLAIMS OF THE AUTHENTICATION PATENTS LACK AN INVENTIVE CONCEPT .............................. 645
`XVIII.
`PAYPAL INTELLECTUAL PROPERTY ................................................................................................ 648
`A.
`PAYPAL PATENTS........................................................................................................................................................................ 650
`1.
`Patent Application 2009/0307140 ............................................................................................................................... 651
`2.
`U.S. Patent Nos. 8,108,318 and 8,417,643 .................................................................................................................. 657
`3.
`U.S. Patent Nos. 8,150,772, 8,554,689, and 9,858,566 ........................................................................................... 662
`U.S. Patent Nos. 9,135,424 and 10,120,993 ............................................................................................................... 667
`4.
`5.
`U.S. Patent No. 9,230,089 .................................................................................................................................................. 673
`6.
`U.S. Patent No. 9,203,835 .................................................................................................................................................. 676
`7.
`U.S. Patent No. 9,311,641 .................................................................................................................................................. 678
`8.
`U.S. Patent No. 9,286,449 .................................................................................................................................................. 682
`9.
`U.S. Patent No. 9,160,729 .................................................................................................................................................. 684
`10. AU Patent Application No. 2013/324,127 ................................................................................................................. 685
`11. U.S. Patent No. 9,867,048 .................................................................................................................................................. 686
`12. U.S. Patent No. 11,922,485 ............................................................................................................................................... 687
`B.
`PAYPAL’S BUSINESS .................................................................................................................................................................. 688
`1.
`Hardware ................................................................................................................................................................................ 688
`2.
`OpenID and OAuth ............................................................................................................................................................... 696
`XIX. CONCLUSION ...................................................................................................................................................... 706
`
`
`
`
`
`iv
`
`

`

`Case 1:23-cv-00324-ADA Document 133 Filed 09/13/24 Page 6 of 712
`Case 1:23-cv-00324-ADA Document 133 Filed 09/13/24 Page 6 of 712
`
`TABLE OF EXHIBITS
`
` a
`
`2|List ofDocuments Reviewed and ReliedUpon
`
`

`

`Case 1:23-cv-00324-ADA Document 133 Filed 09/13/24 Page 7 of 712
`
`I, Seth James Nielson submit the following expert report:
`INTRODUCTION, QUALIFICATION, AND ASSIGNMENT
`
`I.
`
`1. I have been retained as an expert in this investigation by counsel for Apple Inc. (“Apple”)
`
`to provide my opinions in connection with U.S. Patent Nos. 10,929,512 (“the ’512 Patent”);
`
`11,475,105 (“the ’105 Patent”); 11,514,138 (“the ’138 Patent”) (collectively the “Authentication
`
`Patents” or “Asserted AT Patents”) and more particularly, the following claims of each patent:
`
`a. ’512 patent - Claims 1, 2, 4 and 10
`b. ’105 patent - Claims 1, 9, 14, and 35
`c. ’138 patent - Claims 1, 7, 8, 10, 12, and 25
`(Collectively, “Asserted Claims”).
`
`2. I am qualified by education and experience to testify as an expert in the fields of
`
`cybersecurity, network security, authentication techniques, and secure computing systems.
`
`Attached as Exhibit 1 to this declaration is a copy of my curriculum vitae detailing my education
`
`and experience. In the following paragraphs I also provide highlights of my professional
`
`experiences.
`
`3. I am the Founder and Chief Scientist of Crimson Vista, a computer security research and
`
`engineering company. Furthermore, I hold appointments at the University of Texas at Austin as
`
`an Adjunct Associate Professor in the department of Computer Science and as a Cybersecurity
`
`Fellow in the Robert Strauss Center for International Security and Law. The following
`
`paragraphs summarize my professional experience.
`
`4. I hold a Ph.D. in Computer Science from Rice University, awarded in 2009. I also
`
`received B.S. and M.S. degrees in Computer Science from Brigham Young University in 2000
`
`and 2004 respectively. In addition to my academic degrees, I hold a CISSP certification.
`
`5. I am also a co-inventor on U.S. Patent 8,745,372 (the ’372 patent) entitled “Systems and
`
`methods for security data in motion.” This patent was filed in November of 2010 and was
`
`
`
`1
`
`

`

`Case 1:23-cv-00324-ADA Document 133 Filed 09/13/24 Page 8 of 712
`
`CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`
`granted June 3, 2014. This patent pertains to “[s]ystems and methods are provided for
`
`distributing trust among a set of certificate authorities. One approach provides methods and
`
`systems in which the secure data parser is used to distribute trust in a set of certificate authorities
`
`during initial negotiation of a connection between two devices.”1 The ’372 patent further pertains
`
`to using “biometric data … such as … iris scan, retinal scan, … [or] a fingerprint” for
`
`“enrollment or authentication purposes.”2 Specifically, the ’372 patent taught using a “biometric
`
`device” to “advantageously produces an electronic pattern” of the “biometric data” and
`
`transferring that pattern “to the trust engine,” which “stores cryptographic keys and user
`
`authentication data.”3
`
`6. I am also a co-inventor on several patents pertaining to data security and authentication
`
`that have been granted worldwide.4 One such patent is U.S. Patent 8,745,372 (the ’372 patent)
`
`entitled “Systems and methods for security data in motion.” This patent was filed in November
`
`of 2010 and was granted June 3, 2014. This patent pertains to “[s]ystems and methods are
`
`provided for distributing trust among a set of certificate authorities. One approach provides
`
`methods and systems in which the secure data parser is used to distribute trust in a set of
`
`certificate authorities during initial negotiation of a connection between two devices.”5 The ’372
`
`patent further pertains to using “biometric data … such as … iris scan, retinal scan, … [or] a
`
`fingerprint” for “enrollment or authentication purposes.”6 Specifically, the ’372 patent taught
`
`using a “biometric device” to “advantageously produces an electronic pattern” of the “biometric
`
`
`
`1 U.S. Patent 8,745,372, Abstract.
`2 ’372, 7:51-58.
`3 ’372, 7:51-58; see also 6:3-6.
`4 US Patent No. 11,032,252; US Patent No. 9,516,002; US Patent No. 8,745,379; US Patent No. 8,677,148; US
`Patent No. 8,745,372, AU Patent No. 2015/204396; AU2015202657; AU Patent No. 2012/211129; AU Patent No.
`2010326248; CN Patent No. 103563325; EP Patent No. 2,504,973.
`5 U.S. Patent 8,745,372, Abstract.
`6 ’372, 7:51-58.
`
`
`
`2
`
`

`

`Case 1:23-cv-00324-ADA Document 133 Filed 09/13/24 Page 9 of 712
`
`CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`
`data” and transferring that pattern “to the trust engine,” which “stores cryptographic keys and
`
`user authentication data.”7
`
`7. In terms of industry practice, I worked professionally in various engineering positions
`
`from 2000 to 2011. Employers and clients include Microsoft, Google, Metrowerks, and various
`
`smaller entities. The engineering projects included testing systems, software development kits,
`
`engineering applications, networking components, security systems, file systems, cryptography
`
`components, web components, package management, and virtual-machine-based infrastructure. I
`
`also worked with software development infrastructure such as testing systems, source code
`
`repositories, code reviews, network security components, remote access systems, virtual private
`
`networks, routing, firewalls, webmail components, web servers, embedded devices, embedded
`
`deployment, and cross-architecture toolchains. Throughout my engineering years I wrote
`
`hundreds of thousands of lines of computer code in C++, C, Python, Perl, Java, and other
`
`languages.
`
`8. Moreover, I have also led teams of software engineers such as during my employment at
`
`Independent Security Evaluators (ISE). At ISE, I was the technical lead for the development of
`
`an advanced, secure-communications technology. I worked with the client to design the system
`
`and prototype an implementation, then guided the development team in the production
`
`development of the system. The final product provided improved communication systems for
`
`secure channels on the Internet. Its design offered new benefits for distributing trust in
`
`Certificate Authorities, which are often the weak link in TLS security. I also led other
`
`development efforts including a project for automated, distributed testing of software coverage.
`
`7 ’372, 7:51-58; see also 6:3-6.
`
`
`
`
`
`3
`
`

`

`Case 1:23-cv-00324-ADA Document 133 Filed 09/13/24 Page 10 of 712
`
`CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`
`9. In addition to the development of secure systems, I worked on a wide range of security
`
`projects. This included, for example, projects where I tested, evaluated, and built network
`
`gateways, firewalls, VPNs, and secure proxies. At Lineo/Metworks, I evaluated and tested
`
`gateway/firewall devices included in appliances for use in small-business and home
`
`environments running embedded Linux. These devices used IPTables and related components to
`
`provide filtering and NAT capabilities. I also built an experimental VPN system linking two sites
`
`together through two firewalls and using SSH. Another project used virtual machines to create an
`
`isolated execution environment.
`
`10. During my internship at Google, I worked with a product built around an HTTP proxy
`
`used for improving browsing performance. This system used pre-fetching and other techniques
`
`to improve web activities for consumers with slower Internet connections. My work focused on
`
`ensuring that security worked as expected through the proxy even if HTTP servers were not
`
`following the necessary HTTP protocol requirements that enabled proxies to correctly process
`
`traffic.
`
`11. Later, I created security solutions for clients while employed at ISE. These projects
`
`included a software encryption library providing secure data splitting and recovery, a GPU
`
`hardware-accelerated AES encryption, and distributed (encrypted) file-system prototypes. I also
`
`worked on the necessary tests and procedures for Federal Information Processing Standards
`
`(“FIPS”) certification.
`
`12. I have provided consulting services in a wide range of computer science areas from 2009
`
`to the present. The clients of these services have included companies of all sizes including
`
`Fortune 50 entities, Tier-1 banks, security companies, medical companies, heavy industry,
`
`
`
`4
`
`

`

`Case 1:23-cv-00324-ADA Document 133 Filed 09/13/24 Page 11 of 712
`
`CONFIDENTIAL – ATTORNEYS’ EYES ONLY
`
`insurance companies, software companies, and start-ups. I was also invited to provide some
`
`analysis for United States Department of Justice in an antitrust investigation.
`
`13. Forensic source code review is one of the most common services I have provided as a
`
`consultant. I have analyzed an extensive collection of commercial software, including software
`
`related to secure email, cloud-based multimedia delivery, document signing, anti-virus and anti-
`
`intrusion, high-performance routing, networking protocol stacks in mobile devices, PBX
`
`telecommunications software, VoIP, high-frequency trading, e-commerce, antivirus, cloud
`
`systems, digital radios, mobile devices, video games, industrial controls, deep learning systems,
`
`medical software, and peer-to-peer communications.
`
`14. I have also guided companies on matters related to security and privacy, including
`
`adequately protecting personal data during data acquisition, data storage, and data usage. In other
`
`engagements, I have evaluated devices, including medical devices, for security vulnerabilities
`
`and flaws. I also analyzed security considerations for potential technology acquisitions. In
`
`addition to these kinds of evaluations, I have provided VCISO services to companies that need
`
`help getting their security programs off the ground. In another engagement, I provided guidance
`
`to a start-up on matters related to Blockchain, smart contracts, and distributed ledgers.
`
`15. In the nearly twenty years that I have worked as a cybersecurity analyst at ISE, Harbor
`
`Labs, and Crimson Vista, I have reviewed and evaluated numerous commercial systems and
`
`products for security reasons. My clients have included Fortune-100 companies, including banks
`
`and other fintech entities, medical device manufacturers, hospitals, cyber-insurance companies,
`
`and start-up companies.
`
`16. One significant engagement was an investigation into the security of the data of a major