United States District Court, D. Delaware
REPORT AND RECOMMENDATION
MARY PAT THYNGE, Magistrate Judge.
This is a patent suit. On March 28, 2013, StrikeForce Technologies, Inc. ("StrikeForce" or "plaintiff") filed suit against PhoneFactor, Inc. ("PhoneFactor" or "defendant"), Fiserv, Inc. ("Fiserv"), and First Midwest Bancorp, Inc. ("First Midwest") alleging those entities infringe U.S. Patent No. 7,870,599 ("the 599 patent"). On June 11, 2013, StrikeForce filed a "Notice of Dismissal of Fiserv, Inc. Without Prejudice." On June 25, 2013, StrikeForce filed an amended complaint removing Fiserv as a defendant and adding additional allegations with respect to First Midwest. On July 8, 2014, StrikeForce filed a second amended complaint adding allegations that PhoneFactor and First Midwest also infringe U.S. Patent Nos. 8,484,698 ("the 698 patent") and 8,713,701 ("the 701 patent"). On December 4, 2014, StrikeForce and First Midwest filed a "Stipulation and Order of Dismissal" by which all claims between those two parties were dismissed with prejudice.
On November 19, 2014, the court held a Markman hearing regarding contested claim terms. This Report and Recommendation sets forth the court's suggested constructions of those terms.
II. BACKGROUND OF THE INVENTION
The patents-in-suit are titled "Multichannel Device Utilizing a Centralized Out-Of-Band Authentication System (COBAS)." The patents are directed to multichannel security systems and methods for authenticating a user seeking to gain access to, for example, Internet websites and VPN networks such as those used for conducting banking, social networking, business activities, and other online services. Such technology is sometimes known as "out-of-band" authentication. When coupled with more traditional processes, it is more commonly known as two-factor authentication. The Abstract recites:
A multichannel security system is disclosed, which system is for granting and denying access to a host computer in response to a demand from an access-seeking individual and computer. The access-seeker has a peripheral device operative within an authentication channel to communicate with the security system. The access-seeker initially presents identification and password data over an access channel which is intercepted and transmitted to the security computer. The security computer then communicates with the access-seeker. A biometric analyzer-a voice or fingerprint recognition device-operates upon instructions from the authentication program to analyze the monitored parameter of the individual. In the security computer, a comparator matches the biometric sample with stored data, and, upon obtaining a match, provides authentication. The security computer instructs the host computer to grant access and communicates the same to the access-seeker, whereupon access is initiated over the access channel.
III. LEGAL STANDARD
"The words of a claim are generally given their ordinary and customary meaning as understood by a person of ordinary skill in the art when read in the context of the specification and prosecution history." The Federal Circuit has stated "[t]here are only two exceptions to this general rule: 1) when a patentee sets out a definition and acts as his own lexicographer, or 2) when the patentee disavows the full scope of a claim term either in the specification or during prosecution."
"To act as its own lexicographer, a patentee must 'clearly set forth a definition of the disputed claim term' other than its plain and ordinary meaning." "It is not enough for a patentee to simply disclose a single embodiment or use a word in the same manner in all embodiments, the patentee must 'clearly express an intent' to redefine the term."
The standard for disavowal of claim scope is similarly exacting. "Where the specification makes clear that the invention does not include a particular feature, that feature is deemed to be outside the reach of the claims of the patent, even though the language of the claims, read without reference to the specification, might be considered broad enough to encompass the feature in question." SciMed Life Sys., Inc. v. Advanced Cardiovascular Sys., Inc., 242 F.3d 1337, 1341 (Fed. Cir. 2001). "The patentee may demonstrate intent to deviate from the ordinary and accustomed meaning of a claim term by including in the specification expressions of manifest exclusion or restriction, representing a clear disavowal of claim scope." Teleflex, Inc. v. Ficosa N. Am. Corp., 299 F.3d 1313, 1325 (Fed. Cir. 2002).
As with its explanation of a patentee acting as its own lexicographer, the Federal Circuit stated "[i]t is likewise not enough that the only embodiments, or all of the embodiments contain a particular limitation." The court concluded: "[w]e do not read limitations from the specification into claims; we do not redefine words. Only the patentee can do that. To constitute disclaimer, there must be a clear and unmistakable disclaimer."
When construing claim terms, a court considers the intrinsic record, i.e., the claim language, the patent specification, and the prosecution history. In particular, the patent specification "is highly relevant to the claim construction analysis. Usually, it is dispositive; it is the single best guide to the meaning of a disputed term.'" In addition to considering the intrinsic record, the Federal Circuit has "also authorized district courts to rely on extrinsic evidence, which 'consists of all evidence external to the patent and prosecution history, including expert and inventor testimony, dictionaries, and learned treatises.'" For instance:
extrinsic evidence in the form of expert testimony can be useful to a court... to provide background on the technology at issue, to explain how an invention works, to ensure that the court's understanding of the technical aspects of the patent is consistent with that of a person of skill in the art, or to establish that a particular term in the patent or the prior art has a particular meaning in the pertinent field.
Extrinsic evidence, however, is viewed "as less reliable than the patent and its prosecution history in determining how to read claim terms...."
When construing means-plus-function terms, additional principles are implicated. "A claim element that contains the word 'means' and recites a function is presumed to be drafted in means-plus-function format under 35 U.S.C. § 112 ¶ 6[, now § 112(f)]." "The presumption is rebutted, however, if the claim itself recites sufficient structure to perform the claimed function.'"
To construe a means-plus-function term, courts employ a two-part test. First, the court determines the claimed function. Next, the court "identif[ies] the corresponding structure in the written description of the patent that performs that function." The identified structure "must permit one of ordinary skill in the art to know and understand what structure corresponds to the means limitation.'"
When the corresponding structure is a computer, the specification must disclose an algorithm to perform the claimed function.
Because general purpose computers can be programmed to perform very different tasks in very different ways, simply disclosing a computer as the structure designated to perform a particular function does not limit the scope of the claim to "the corresponding structure, material, or acts" that perform the function as required by section 112 paragraph 6.
"[A] general purpose computer programmed to carry out a particular algorithm creates a new machine' because a general purpose computer in effect becomes a special purpose computer once it is programmed to perform particular functions pursuant to instructions from program software.'" "The instructions of the software program in effect create a special purpose machine for carrying out the particular algorithm.'" "Thus, in a means-plus-function claim in which the disclosed structure is a computer, or microprocessor, programmed to carry out an algorithm, the disclosed structure is not the general purpose computer, but rather the special purpose computer programmed to perform the disclosed algorithm.'"
There is an exception to the rule that the specification must disclose an algorithm. Where the claimed "functions can be achieved by any general purpose computer without special programming... it [is] not necessary to disclose more structure than the general purpose processor that performs those functions." The Federal Circuit explained the exception identified in In re Katz is a "narrow" one:
If special programming is required for a general-purpose computer to perform the corresponding claimed function, then the default rule requiring disclosure of an algorithm applies. It is only in the rare circumstances where any general-purpose computer without any special programming can perform the function that an algorithm need not be disclosed.
The court in In re Katz listed "processing," "receiving," and "storing" as examples of functions that a general-purpose computer may be able to achieve without special programming. This court has determined the function of displaying an icon could likewise be accomplished by a general-purpose computer without special programming.
When disclosure of an algorithm is required, it may be expressed "in any understandable terms including as a mathematical formula, in prose, or as a flow chart, or in any other manner that provides sufficient structure."
Defendant contends several of the disputed terms are invalid as indefinite pursuant to 35 U.S.C. § 112, ¶ 2 which requires the specification to "conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as [the] invention." The Federal Circuit had long held "[o]nly claims 'not amenable to construction' or 'insolubly ambiguous' are indefinite." The Federal Circuit determined:
the definiteness of claim terms depends on whether those terms can be given any reasonable meaning.... "If the meaning of the claim term is discernible, even though the task may be formidable and the conclusion may be one over which reasonable persons will disagree, we have held the claim sufficiently clear to avoid invalidity on indefiniteness grounds."
The Supreme Court recently changed the definiteness standard concluding:
[T]he Federal Circuit's formulation, which tolerates some ambiguous claims but not others, does not satisfy the statute's definiteness requirement. In place of the 'insolubly ambiguous' standard, we hold a patent is invalid for indefiniteness if its claims, read in light of the specification delineating the patent, and the prosecution history, fail to inform, with reasonable certainty, those skilled in the art about the scope of the invention.
The Court stated the Federal Circuit's "amenable to construction" or "insolubly ambiguous" formulations:
can breed lower court confusion, for they lack the precision § 112, ¶ 2 demands. It cannot be sufficient that a court can ascribe some meaning to a patent's claims; the definiteness inquiry trains on the understanding of a skilled artisan at the time of the patent application, not that of a court viewing matters post hoc. To tolerate imprecision just short of that rendering a claim 'insolubly ambiguous' would diminish the definiteness requirement's public-notice function and foster the innovation-discouraging "zone of uncertainty," against which this Court has warned.
The Court explained it "read[s] § 112, ¶ 2 to require that a patent's claims, viewed in light of the specification and prosecution history, inform those skilled in the art about the scope of the invention with reasonable certainty. The definiteness requirement, so understood, mandates clarity, while recognizing that absolute precision is unattainable."
Despite the Court's newly enunciated standard for determining indefiniteness, it remains the case that "[t]he party alleging that the specification fails to disclose sufficient corresponding structure must make that showing by clear and convincing evidence." The Federal Circuit has "noted that typically expert testimony will be necessary in cases involving complex technology.'" Although the Elcommerce.com court stated "[w]e do not of course hold that expert testimony will always be needed for every situation," it observed "[w]ithout evidence, ordinarily neither the district court nor this court can decide whether, for a specific function, the description in the specification is adequate from the viewpoint of a person of ordinary skill in the field of the invention."
IV. CLAIM CONSTRUCTION
The parties have several overarching disputes regarding the claimed inventions that implicate the meaning of a number of disputed claim terms which must be resolved prior to discussion of the individual terms. Defendant argues certain disclosed embodiments are either not claimed and/or were disclaimed during prosecution in distinguishing prior art.
The patent discloses four specific embodiments at Figures 1A, 10, 11, and 13. Figure 1A discloses "a schematic diagram of the security system of the present invention as applied to the internet in which an external accessor in a wide area network seeks entry into a host system." Figure 10 discloses "a schematic diagram of a second embodiment of the security system of the present invention as applied to the intranet in which an internal accessor in a local area network seeks entry into a restricted portion of the host system." Figure 11 discloses "a schematic diagram of the third embodiment of the security system using as peripheral devices a cellular telephone and a fingerprint module verification device." Figure 13 discloses "a detailed schematic diagram of the fourth embodiment of the security system using as peripheral devices a personal digital assistant (PDA) and the associated fingerprint verification device."
Each of the patents-in-suit incorporates by reference an earlier, now abandoned, application. Plaintiff bases its priority date for the patents-in-suit on the filing date of that abandoned application. Because Figures 11 and 13, and associated descriptions, were not included in the abandoned application, but added later in a continuation-in-part application, defendant argued at the Markman hearing that those figures and descriptions should be ignored for purposes of determining the meaning of the disputed claim terms. The court disagrees. The applicable priority date goes to issues of validity with respect to what may be considered prior art. For the issue of claim construction, the court examines the intrinsic record. Because those figures and associated descriptions are part of the intrinsic record, the court rejects defendant's priority date argument as the reason they should be ignored.
The parties also disagree as to whether a user attempting to access a host computer can have contact with the host computer prior to the user's login verification and authentication by the security computer. According to plaintiff, the claimed invention discloses different embodiments for verifying and authenticating users attempting to access the host computer, using what is called two-factor authentication. Plaintiff states two different forms of user-entered information are required, and two different communication pathways (or "channels") separate the attempt to access from the authentication process. Summarizing the invention, in general terms, the patent states:
The first step in controlling the incoming access flow is a user authentication provided in response to prompts for a user identification and password. After verification at the security system, the system operating in an out-of-band mode, uses telephone dialup for location authentication and user authentication via a password entered using a telephone keypad.
Defendant maintains the claimed invention isolates a host computer from unauthorized access by intercepting a user's demand to access the host computer by using a separate security computer which performs the login identification verification and user authentication. Defendant argues that only after both steps are completed by the security computer is the user permitted to have any contact with the host computer. Defendant asserts the host computer does not even receive the user's initial demand for access or login identification. Plaintiff disagrees, arguing the claims require preventing the user from gaining access to protected data on (not contacting) the host computer until a separate out-of-band security computer authenticates the user through an authentication channel. Plaintiff contends in all embodiments, the user's computer must, of necessity, initially contact the host computer when trying to access it. After that contact, the host computer sends back a prompt (web) page requesting the user's entry of ID and password. Next, an interception device or control module sends the request for access to the security computer for out-of-band authentication before access is granted to protected data on the host computer. Plaintiff insists the interception device or control module can be on the host computer and that the host computer may perform login identification and password verification, although separate out-of-band authentication of the user must occur before access is granted to protected data on the host computer. According to plaintiff, the separate, out-of-band authentication of the user is the essence of the invention.
The specification indicates the possibility of user contact with the host computer prior to the out-of-band security computer verifying the login identification and authenticating the user via an authentication-channel telephone call, by stating:
The user requesting access to the host computer from the remote computer is immediately prompted to login at the LOGIN SCREEN PRESENTED BLOCK 152. While the login procedure here comprises the entry of the user identification and password and is requested by the host computer 34, such information request is optionally a function of the security computer.
Plaintiff also points to Figure 10 as an example of initial access to the host computer, and the host computer verifying login information:
The access network 230 is constructed in such a manner that, when user 224 requests access to a high security database 232 located at a host computer 234 through computer 222, the request-for-access is diverted by a router 236 internal to the corporate network 238 to out-of-band security network 240. Here the emphasis is upon right-to-know classifications within an organization rather than on avoiding entry by hackers.
Thus, the accessor is already within the system, the first level of verification of login identification and password at the host computer is the least significant and the authentication of the person seeking access is the most significant. Authentication occurs in the out-of-band security network 240....
Despite those disclosures, the asserted claims may not cover such instances of initial contact and verification at the host computer.
Turning to the wide area network of Figure 1A, the specification recites:
The access network 30 is constructed in such a manner that, when user 24 requests access to a web page 32 located at host computer or web server 34 through computer 22, the request-for-access is diverted by a router 36 internal to the corporate network 38 to an out-of-band security network 40. Authentication occurs in the out-of-band security network 40.... This is in contradistinction to present authentication processes as the out-of-band security network 40 is isolated from the corporate network 38 and does not depend thereon for validating data.
Thus, the login identification and demand for access is diverted to the security computer. Moreover, the patentee, acting as his own lexicographer, told the PTO "[a]n 'out-of-band' operation is defined herein as one conducted without reference to the host computer or any database in the host network."
Defendant raises persuasive arguments as to why plaintiff's positions are incorrect. First, in the local area network embodiment of Figure 10, the user is already on the host computer's network and is attempting to access a high security database. The asserted claims are directed to accessing the host computer itself, not "protected data" on the host computer as plaintiff suggests:
A method for accessing a host computer ...
... demand for access to a host computer ...
... demand to access a host computer ...
... receiving a demand to access a host computer ...
A software method... to control access to a host computer ...
... demand to access a host computer ...
A security system for accessing a host computer ...
Plaintiff acknowledges Figure 10 "is different from the Figure 1A embodiment because the accessor... is trying to gain access to protected data on the host computer while already on the host computer's network." The specification specifically distinguishes between "seek[ing] entry into a host system" and "seek[ing] entry into a restricted portion of the host system." Thus the court determines the relevant asserted claims cover only the Figure 1A embodiment where the user login identification verification and authentication are diverted to the security computer prior to contact with the host computer.
The parties also dispute whether the user's login verification can occur in the access channel. Because the court determined the relevant asserted claims cover only the Figure 1A embodiment, and there is no dispute that in that embodiment such verification occurs in the authentication channel, it follows that verification cannot occur in the access channel.
Finally, the parties disagree over whether the host computer and the security computer must be physically separate, as defendant contends, or the host computer and the security computer may reside on the same hardware, as plaintiff maintains. Plaintiff argues they may reside on the same hardware, while being separated simply through logic or encryption protocols, so long as the security computer's out-of-band authentication occurs through a separate communication channel. As support, plaintiff cites Figure 7 and related description. Figure 7 is "a detailed schematic diagram of the software program required for the client/server module of the security system shown in FIG. 3." The court agrees with defendant that the specification's discussion of Figure 7 describes internal protocols used between system modules and does not support the argument that the security computer and the host computer may reside on the same hardware. More importantly, the inventor defined an "out-of-band" system as "one having an authentication channel that is separated from the information channel and therefore is nonintrusive as it is carried over separate facilities than those used for actual information transfer." Also, in attempting to overcome an obviousness rejection, the patentee portrayed his patented invention as having a "completely separate authentication channel." Therefore, the court again agrees with defendant that the separate devices are in the separate channels.
1. intercepting (as a general concept);
intercepted (599 patent, claims 21, 30, 32);
an interception device/a device (698 patent, claims 1, 2, 46, 54);
an interception device for receiving a login identification originating from an accessor for access to said host computer (701 patent, claim 1)
A. intercepting (as a general concept)
Plaintiff's proposed construction is: "receiving before access is granted to the host computer."
Defendant's proposed construction is: "preventing the host computer from receiving."
The court's determination that the asserted claims cover only the Figure 1A embodiment supports defendant's proposed construction in that the user login information is verified and authenticated before the user can contact the host computer. Intrinsic evidence also supports that construction. Describing Figure 1A, the specification states "the request-for-access [to the host computer] is diverted by a router 36 internal to the corporate network 38 to an out-of-band security network 40."
Consequently, the court adopts defendant's proposal and construes "interception" to mean: "preventing the host computer from receiving."
Plaintiff's proposed construction is: "received before access is granted ...