Trials@uspto.gov Paper No. 42 571-272-7822 Entered: August 15, 2017

UNITED STATES PATENT AND TRADEMARK OFFICE ____________

BEFORE THE PATENT TRIAL AND APPEAL BOARD

____________

UNITED SERVICES AUTOMOBILE ASSOCIATION, Petitioner,

v. NADER ASGHARI-KAMRANI and KAMRAN ASGHARI-KAMRANI,

Patent Owner. ____________

Case CBM2016-00063

Patent 8,266,432 B2 ____________

Before JONI Y. CHANG, JUSTIN T. ARBES, and FRANCES L. IPPOLITO, Administrative Patent Judges.

CHANG, Administrative Patent Judge.

FINAL WRITTEN DECISION 35 U.S.C. § 328(a); 37 C.F.R. § 42.73

CBM2016-00063 Patent 8,266,432 B2

2

I. INTRODUCTION United Services Automobile Association (“Petitioner”) filed a Petition

requesting a review of claims 1–55 of U.S. Patent No. 8,266,432 B2

(Ex. 1001, “the ’432 patent”) under the transitional program for covered

business method patents.1 Paper 2 (“Pet.”). Nader Asghari-Kamrani and

Kamran Asghari-Kamrani (collectively, “Patent Owner”) filed a Preliminary

Response to the Petition and a statutory disclaimer of claims 4 and 29.

Paper 11 (“Prelim. Resp.”); Ex. 2001. Petitioner filed a Reply to the

Preliminary Response. Paper 13. Pursuant to 35 U.S.C. § 324 and § 18(a)

of the AIA, we instituted this covered business method patent review, only

as to claims 1–3, 5–28, and 30–55 of the ’432 patent. Paper 14 (“Dec.”).

During the course of trial, Patent Owner filed a Response to the

Petition (Paper 22, “PO Resp.”) and a statutory disclaimer of claims 11, 46,

49, and 53 (Ex. 2007), and Petitioner filed a Reply (Paper 26, “Reply”) to

the Patent Owner Response. In addition, pursuant to our authorization,

Patent Owner filed an additional brief (Paper 29) on the issue of whether the

’432 patent is eligible for covered business method patent review in light of

the decision issued by the U.S. Court of Appeals for the Federal Circuit in

Secure Axcess, LLC v. PNC Bank Nat’l Ass’n, 848 F.3d 1370 (Fed. Cir.

2017). Petitioner filed a Reply (Paper 30) to Patent Owner’s additional

brief. Petitioner also filed a Motion to Exclude Evidence (Paper 32), and

1 See § 18(a) of the Leahy-Smith America Invents Act, Pub. L. No. 112-29, 125 Stat. 284, 329 (2011) (“AIA”).

CBM2016-00063 Patent 8,266,432 B2

3

Patent Owner filed an Opposition (Paper 37) to Petitioner’s Motion.

Petitioner filed a Reply (Paper 39) in support of its Motion. No oral hearing

was held. Paper 41, 3. Patent Owner filed a Motion for Observation

(Paper 31) on certain cross-examination testimony of Petitioner’s declarant,

and Petitioner filed a Response (Paper 36). Petitioner also filed a Motion for

Observation (Paper 33) on the cross-examination testimony, and Patent

Owner filed a Response (Paper 38).

We have jurisdiction under 35 U.S.C. § 6. This Final Written

Decision is issued pursuant to 35 U.S.C. § 328(a) and 37 C.F.R. § 42.73.

For the reasons that follow, we determine that Petitioner has shown by a

preponderance of the evidence that claims 1–3, 5–10, 12–28, 30–45, 47, 48,

50–52, 54, and 55 (“the challenged claims”) of the ’432 patent are

unpatentable.

A. Related Matters

The parties indicate that the ’432 patent is involved in

Asghari-Kamrani et al. v. United Services Auto. Ass’n, Case No. 2:15-cv-

00478-RGD-LRL (E.D. Va.), and Case IPR2015-01842, which has been

denied institution. Pet. 2; Paper 5, 2. The ’432 patent also is subject to a

covered business method patent review in CBM2016-00064. A final written

decision in CBM2016-00064 is entered concurrently with this Decision.

B. The ’432 Patent

The ’432 patent relates to “a system and method provided by a

Central-Entity for centralized identification and authentication of users and

CBM2016-00063 Patent 8,266,432 B2

4

their transactions to increase security in e-commerce.” Ex. 1001, 2:52–55.

A central-entity is said to allow a user to purchase goods and services from

an external-entity (e.g., a merchant) using the user’s digital identity without

revealing confidential personal or financial information, by generating a

dynamic, non-predictable and time-dependable secure code for the user per

the user’s request. Id. at 3:35–40. Examples of central-entities include

banks and credit card issuing companies. Id. at 2:16–18. In a transaction

between the user and the external-entity, the user presents his user name and

secure code as a digital identity to the external-entity for identification. Id.

at Abstract, 2:19–21, 3:19–21, 4:55–58. The external-entity depends on the

central-entity to identify and authenticate the user and transaction. Id.

C. Illustrative Claim

Of the challenged claims, claims 1, 25, 48, and 52 are independent.

Claims 2, 3, 5–10, and 12–24 depend ultimately from claim 1; claims 26–28,

30–45, and 47 depend either directly or indirectly from claim 25; claim 50

depends directly from claim 48; and claims 54 and 55 depend directly from

claim 52. Claim 1, reproduced below, is illustrative:

1. A method for authenticating a user during an electronic transaction between the user and an external-entity, the method comprising: receiving electronically a request for a dynamic code for the user by a computer associated with a central-entity during the transaction between the user and the external-entity; generating by the central-entity during the transaction a dynamic code for the user in response to the request, wherein the dynamic

CBM2016-00063 Patent 8,266,432 B2

5

code is valid for a predefined time and becomes invalid after being used; providing by the computer associated with the central-entity said generated dynamic code to the user during the transaction; receiving electronically by the central-entity a request for authenticating the user from a computer associated with the external-entity based on a user-specific information and the dynamic code as a digital identity included in the request which said dynamic code was received by the user during the transaction and was provided to the external-entity by the user during the transaction; and authenticating by the central-entity the user and providing a result of the authenticating to the external-entity during the transaction if the digital identity is valid.

Ex. 1001, 6:24–47.

D. Prior Art Relied Upon

Petitioner relies upon the following prior art references:

Norefors US 2006/0094403 A1 May 4, 2006 (Ex. 1032) (filed Dec. 12, 2005; continuation of application filed June 18, 2003) Brown US 5,740,361 Apr. 14, 1998 (Ex. 1035)

CBM2016-00063 Patent 8,266,432 B2

7

specification with reasonable clarity, deliberateness, and precision. In re

Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994).

Here, the Specification of the ’432 patent sets forth the definitions for

certain claim terms. Ex. 1001, 2:10–12, 2:19–26, 2:35–45, 3:4–6. We

adopted those lexicographical definitions as our preliminary claim

constructions in the Decision on Institution. Dec. 15–16. Petitioner does not

challenge those claim constructions. See generally Reply. However, Patent

Owner proposes different constructions for certain terms. PO Resp. 3–10.

We note that only those terms which are in controversy need to be

construed, and only to the extent necessary to resolve the controversy. Vivid

Techs., Inc. v. Am. Sci. & Eng’g, Inc., 200 F.3d 795, 803 (Fed. Cir. 1999).

Here, we find it necessary to address only the claim terms below.

“user”

Claim 1 recites “authenticating a user during an electronic transaction

between the user and an external-entity.” Ex. 1001, 6:24–25. Independent

claims 25, 48, and 52 include similar language. The Specification expressly

defines the term “user”:

For convenience, the term “user” is used throughout to represent both a typical person consuming goods and services as well as a business consuming goods and services.

Id. at 2:10–12 (emphasis added).

In the Decision on Institution (Dec. 15), we adopted the definition set

forth in the Specification, construing the claim term “user” as “a person or

business consuming goods and services.” Neither party challenges this

CBM2016-00063 Patent 8,266,432 B2

8

construction. PO Resp. 2−3; see generally Reply. We discern no reason to

modify our claim construction set forth in the Decision on Institution with

respect to this claim term. Therefore, for purposes of this Final Written

Decision, we maintain our claim construction.

“external-entity”

As noted above, claim 1 recites “authenticating a user during an

electronic transaction between the user and an external-entity,” and the

remaining independent claims include similar language. The Specification

expressly defines the claim term “external-entity” in the “Background of the

Invention” Section:

As also used herein, an “External-Entity” is any party offering goods or services that users utilize by directly providing their UserName and SecureCode as digital identity. Such entity could be a merchant, service provider or an online site. An “External-Entity” could also be an entity that receives the user’s digital identity indirectly from the user through another External-Entity, in order to authenticate the user, such entity could be a bank or a credit card issuing company.

Ex. 1001, 2:19–26 (emphasis added).

The Specification further defines this term in the “Summary of the

Invention” Section by providing the following:

A plurality of the External-Entities: An External-Entity is any party offering goods or services in e-commerce and needs to authenticate the users based on digital identity.

Id. at 3:4–6 (emphasis added).

CBM2016-00063 Patent 8,266,432 B2

9

Petitioner adopts only the portion of the definition in the “Background

of the Invention” Section as its proposed claim construction. Pet. 6–7 (citing

Ex. 1001, 2:19–21). In its Preliminary Response, Patent Owner did not

propose any claim construction. Prelim. Resp. 36−37. In the Decision on

Institution, we adopted Petitioner’s proposed claim construction. Dec. 15.

After institution, however, Patent Owner adopts only the portion of the

definition in the “Summary of the Invention” Section as its proposed claim

construction. PO Resp. 6 (citing Ex. 1001, 3:4–6).

We agree with Patent Owner in part. Both cited sections of the

Specification set forth what an external-entity “is,” indicating an intent to

define the term. See Ex. 1001, 2:19–26, 3:4–6. In view of the Specification

as a whole, we construe the claim term “external-entity” in accordance with

the aforementioned definitions—“any party offering goods or services in

e-commerce that users utilize by directly providing their UserName and

SecureCode as digital identity, and that needs to authenticate the users based

on digital identity.”

“central-entity”

Each independent claim (and thus each challenged claim) requires a

“central-entity” to authenticate a user during an electronic transaction

between the user and the external-entity. For example, claim 1 recites

“authenticating by the central-entity the user and providing a result of the

authenticating to the external-entity during the transaction if the digital

CBM2016-00063 Patent 8,266,432 B2

10

identity is valid.” Ex. 1001, 6:45–47. The Specification expressly defines

the term “central-entity”:

As used herein, a “Central-Entity” is any party that has user’s personal and/or financial information, UserName, Password and generates [a] dynamic, non-predictable and time dependable SecureCode for the user. Example of Central-Entity are: banks, credit card issuing companies or any intermediary service companies.

Ex. 1001, 2:13–18. The Specification also defines the term “SecureCode”:

The term “SecureCode” is used herein to denote any dynamic, non-predictable and time dependent alphanumeric code, secret code, PIN or other code, which may be broadcast to the user over a communication network, and may be used as part of a digital identity to identify a user as an authorized user.

Id. at 2:35–40.

In its Petition, Petitioner adopts the above definition of a

“central-entity” as its proposed claim construction. Pet. 6−7. In its

Preliminary Response, Patent Owner did not propose any claim construction.

Prelim. Resp. 36−37. In the Decision on Institution, we adopted the

definitions of “central-entity” and “SecureCode” set forth in the

Specification. Dec. 16.

After institution, Patent Owner proposes to construe the claim term

“central-entity” as follows:

a party comprising one or more computing devices that has user’s personal, financial, identification information, UserName, and/or Password and provides dynamic, non-predictable and time dependable code for the user.

CBM2016-00063 Patent 8,266,432 B2

11

PO Resp. 5. Patent Owner seems to adopt the definition in the Specification,

with modifications, as its proposed claim construction. Id. at 3–5.

We decline to adopt Patent Owner’s proposed construction because it

would not be consistent with the Specification, and the modifications

improperly import an extraneous limitation into the claims and substantively

broaden the claim scope. Specifically, Patent Owner’s proposed

construction would import an extraneous limitation—“one or more

computing devices.” Each claim at issue already expressly requires one or

more computers associated with a central-entity. Id. at 6:28, 7:57–8:7, 9:7,

10:7–25. Adopting Patent Owner’s proposed construction would conflict

with the broader term “party” used in the lexicographical definition above

and potentially render the “computer” limitations superfluous.

Additionally, Patent Owner’s proposed construction would introduce

the following modifications to the lexicographical definition: (1) moving

“and/or” to a different location in the list of information possessed by the

central-entity, (2) changing “generates” to “provides,” (3) changing

“SecureCode” to “code,” and (4) adding “identification information.” These

modifications would substantively broaden the claim scope. For example,

under Patent Owner’s proposed claim construction, possessing the

UserName, Password, and SecureCode would be optional. These

substantive modifications are not supported by the Specification.

We are not persuaded by Patent Owner’s argument that “the

‘central-entity’ does not necessarily possess or use personal and/or financial

information, a UserName, and a Password,” such that “the Central-Entity

CBM2016-00063 Patent 8,266,432 B2

12

has some or all of such user information described in the Background.” PO

Resp. 3–5. The portions of the Specification cited by Patent Owner do not

support Patent Owner’s proposed construction because they address the

items of information that are used for performing a transaction and

authenticating a user, not the items of information possessed by the

central-entity. Id. at 4 (citing Ex. 1001, 2:27–34, 2:41–43, 5:5–58, Fig. 2,

Steps D–L). Patent Owner’s argument conflates the information that is

possessed by the central-entity with the information that is used for

performing a transaction and authenticating a user. Id. The lexicographical

definition expressly listed the information that is possessed by the

central-entity—namely, “any party that has user’s personal and/or financial

information, UserName, Password and generates [a] dynamic . . .

SecureCode for the user.” Ex. 1001, 2:13–16 (emphases added). Patent

Owner also does not articulate, nor can we discern, a sufficient reason for

changing “generates” to “provides” and changing “SecureCode” to “code.”

For these reasons, we decline to adopt Patent Owner’s proposed

construction. Rather, as in the Decision on Institution (Dec. 16), we

adopt the definition in the Specification here as our claim

construction, and interpret “central-entity” to mean “any party that has

a user’s personal and/or financial information, UserName, and

Password, and generates a dynamic, non-predictable and time

dependable SecureCode for the user,” where a “SecureCode” is “any

dynamic, non-predictable and time dependent alphanumeric code,

secret code, PIN or other code, which may be broadcast to the user

CBM2016-00063 Patent 8,266,432 B2

13

over a communication network, and may be used as part of a digital

identity to identify a user as an authorized user.”

“digital identity”

Each independent claim requires an authentication request based on

“a user-specific information and the dynamic code as a digital identity.”

See, e.g., Ex. 1001, 6:38–44. The Specification expressly defines the claim

term “digital identity”:

The term “digital identity” is used herein to denote a combination of user’s “SecureCode” and user’s information such as “UserName,” which may result in a dynamic, non-predictable and time dependable digital identity that could be used to identify a user as an authorized user.

Id. at 2:41–45 (emphasis added).

Neither party proposes a claim construction for this term. In the

Decision on Institution, we adopted the express definition as our

construction. Dec. 16. The parties do not provide, nor do we discern, a

reason to modify that construction. Therefore, for purposes of this Final

Written Decision, we maintain our claim construction set forth in the

Institution Decision, in accordance with the Specification’s definition,

construing “digital identity” as “a combination of a user’s SecureCode and

the user’s information such as UserName, which may result in a dynamic,

non-predictable and time dependable digital identity that could be used to

identify a user as an authorized user.”

CBM2016-00063 Patent 8,266,432 B2

14

“dynamic code”

The claim term “dynamic code” appears in each independent claim.

For instance, claim 1 recites “receiving electronically a request for a

dynamic code for the user by a computer associated with a central-entity

during the transaction between the user and the external-entity.” Ex. 1001,

6:27–30. The Specification does not define the term “dynamic code,” but

rather defines the term “SecureCode” as follows:

The term “SecureCode” is used herein to denote any dynamic, non-predictable and time dependent alphanumeric code, secret code, PIN or other code, which may be broadcast to the user over a communication network, and may be used as part of a digital identity to identify a user as an authorized user.

Id. at 2:35–40 (emphasis added).

Petitioner proposes to construe the claim term “dynamic code” to

include a “dynamic, non-predictable and time dependent alphanumeric code,

secret code, PIN or other code, which may be broadcast to the user over a

communication network, and may be used as a part of a digital identity to

identify a user as an authorized user.” Pet. 9. In its Preliminary Response,

Patent Owner did not propose any claim construction. Prelim. Resp. 36−37.

In the Decision on Institution, we construed the claim term “dynamic code”

to encompass an “alphanumeric code that is non-predictable and time

dependent, which may be broadcast to the user over a communication

network, and may be used as a part of a digital identity to identify a user as

an authorized user,” in light of the Specification including the claim

language. Dec. 17−18 (emphases added).

CBM2016-00063 Patent 8,266,432 B2

15

Subsequent to institution, Patent Owner argues that the claimed

“dynamic code” corresponds to the disclosed “SecureCode,” citing the

above-reproduced definition for support. PO Resp. 10 (citing Ex. 1001,

2:35-40). We recognize that although the claims do not use the term

“SecureCode,” the written description appears to use the terms

“SecureCode” and “dynamic code” interchangeably in certain contexts.

For example, claim 1 also recites receiving a request for authenticating a

user based on “a user-specific information and the dynamic code as a digital

identity.” Ex. 1001, 6:38–42. The Specification defines the term “digital

identity” as “a combination of user’s ‘SecureCode’ and user’s information

such as ‘UserName,’” and explains that the central-entity “generates [a]

dynamic, non-predictable and time dependent SecureCode for the user.” Id.

at 2:41−43, 3:14–24. Nevertheless, because the above definition of

“SecureCode” itself includes the word “dynamic” (id. at 2:35–40), we do not

construe the claim term “dynamic code” to be interchangeable with

“SecureCode” for all situations. For example, construing “dynamic code” to

include “other code,” without more, would render the word “dynamic”

superfluous. See Cat Tech LLC v. TubeMaster, Inc., 528 F.3d 871, 885

(Fed. Cir. 2008) (noting that “[c]laims are interpreted with an eye toward

giving effect to all terms in the claim”) (quotation omitted); see also

Aristocrat Techs. Australia Pty Ltd. v. Int’l Game Tech., 709 F.3d 1348,

1356–57 (Fed. Cir. 2013) (declining to adopt the appellants’ proposed

construction because it would render another limitation “superfluous”).

CBM2016-00063 Patent 8,266,432 B2

16

Patent Owner also argues that the ’432 patent “does not require that

the SecureCode be alphanumeric.” PO Resp. 10 (citing Ex. 2010 ¶¶ 39–40).

In light of the Specification and surrounding claim language, we agree with

Patent Owner that the claim term “dynamic code” encompasses

alphanumeric and non-alphanumeric codes that are non-predictable and

time dependent. Indeed, as Petitioner notes (Reply 19), claims 1 and 25

recite a “dynamic code,” whereas claims 48 and 52 recite the “dynamic code

is alphanumeric.” Based on claim differentiation, the full scope of “dynamic

code” includes non-alphanumeric codes that are non-predictable and time

dependent. Accordingly, we construe the claim term “dynamic code” to

encompass “alphanumeric and non-alphanumeric codes that are

non-predictable and time dependent, which may be broadcast to the user

over a communication network, and may be used as a part of a digital

identity to identify a user as an authorized user.” No further construction as

to this term is necessary for purposes of this Decision. See Vivid Techs., 200

F.3d at 803.

“transaction”

As noted above, claim 1 recites “authenticating a user during an

electronic transaction between the user and an external-entity,” and the

remaining independent claims include similar language. Petitioner argues

that the claim term “transaction” should be construed to include “attempts

[by a user] to access a restricted web site or attempts to buy services or

products . . . through a standard interface provided by [an] External-Entity

CBM2016-00063 Patent 8,266,432 B2

17

. . . and selects digital identity as his identification and authorization or

payment option,” as described in the Specification of the ’432 patent.

Pet. 8–9 (citing Ex. 1001, 5:5–22). Patent Owner appears to agree with

Petitioner’s argument because Patent Owner argues that the disclosure of

accessing a restricted website of an external-entity by a user provides written

description support for the claimed transaction. PO Resp. 17; see also id.

at 9. Patent Owner also contends that the claim term “transaction” should

not be construed as a single transaction. Id. at 6−7.

Figures 4 and 5 of the ’432 patent are reproduced below.

CBM2016-00063 Patent 8,266,432 B2

18

Figure 4 shows the steps of the transaction phase, whereas Figure 5

illustrates the steps of the identification and authorization phase that involve

utilizing a centralized identification and authentication system and method.

Ex. 1001, 5:5–43. The steps in the transaction phase, as illustrated in

Figure 4, and the steps in the identification and authorization phase, as

illustrated in Figure 5, are performed during the same transaction between

the user and external-entity. Id. at 5:5–43, Figs. 4, 5.

In light of the Specification and drawings, we agree with Petitioner’s

interpretation of the term “transaction” insofar as it includes the user’s

attempt to get access to the external-entity’s restricted website, or to

purchase goods or services from the external-entity. Id. at 5:5–10, Fig. 4,

step 110. Further, we observe that the transaction is not completed until the

central-entity sends an approval or a denial to the external-entity. Id. at

5:35–43, Fig. 5, steps 140, 150.

However, we are not persuaded by Patent Owner’s argument that the

claim term “transaction” should not be construed as a single transaction. PO

Resp. 6–7. This argument squarely contradicts (1) Patent Owner’s claim

construction submitted in Case IPR2015-01842 that involves the same patent

and claims as those in the instant proceeding (Ex. 1027, 21–23), and (2)

Patent Owner’s other arguments presented in the instant proceeding (PO

Resp. 8–9). Notably, Patent Owner argued in Case IPR2015-01842 that the

steps described in Figure 4 of the ’432 patent are performed during the same

transaction because the dynamic code is for one-time use; whenever the user

starts a new transaction and needs an authentication process, the user needs

CBM2016-00063 Patent 8,266,432 B2

19

to restart those steps again. Ex. 1027, 22–23 (citing Ex. 1001, 4:12–14, 5:5–

22, Fig. 4).

Patent Owner’s argument (PO Resp. 6–7) also contradicts its other

argument, in the instant proceeding, that the claim term “during the

transaction” includes the steps or functions performed during the transaction

phase and the authorization phase involved in using the centralized

identification and authentication system (id. at 8–9).4 In fact, Patent Owner

acknowledges that each independent claim requires the recited steps or

functions to be performed during the same transaction between the user and

external-entity. Id. at 17−19.

For these reasons, we construe “the transaction,” as recited in each

step or function of each independent claim, to refer back to the same

“electronic transaction between the user and an external-entity” recited in

the preamble. See NTP, Inc. v. Research in Motion, Ltd., 418 F.3d 1282,

1306 (Fed. Cir. 2005); Warner-Lambert Co. v. Apotex Corp., 316 F.3d 1348,

1356 (Fed. Cir. 2003) (noting that the definite article “the” is a word of

limitation, particularizing the subject which it precedes). No further

construction is necessary for purposes of this Decision. See Vivid Techs.,

200 F.3d at 803.

4 Patent Owner proposes construing “during the transaction” to mean “a period after the initiation of the transaction between a user and an external-entity and before the transaction is completed.” PO Resp. 8–9.

CBM2016-00063 Patent 8,266,432 B2

20

B. Whether the ’432 Patent is a Covered Business Method Patent

1. Financial Product or Service

A covered business method (“CBM”) patent is “a patent that claims a

method or corresponding apparatus for performing data processing or other

operations used in the practice, administration, or management of a financial

product or service, except that the term does not include patents for

technological inventions.” AIA § 18(d)(1); 37 C.F.R. § 42.301(a). A patent

is eligible for review if it has at least one claim directed to a covered

business method. See Transitional Program for Covered Business Method

Patents—Definitions of Covered Business Method Patent and Technological

Invention, 77 Fed. Reg. 48,734, 48,736 (Response to Comment 8).

Our reviewing court has explained that Ҥ 18(d)(1) directs us to

examine the claims when deciding whether a patent is a CBM patent.” Blue

Calypso, LLC v. Groupon, Inc., 815 F.3d 1331, 1340 (Fed. Cir. 2016)

(finding that the challenged patent was eligible for review because the

claims recited “an express financial component in the form of a subsidy”

that was “central to the operation of the claimed invention”). “CBM patents

are limited to those with claims that are directed to methods and apparatuses

of particular types and with particular uses ‘in the practice, administration,

or management of a financial produce or service.’” Unwired Planet, LLC v.

Google Inc., 841 F.3d 1376, 1382 (Fed. Cir. 2016). “Necessarily, the

statutory definition of a CBM patent requires that the patent have a claim

that contains, however phrased, a financial activity element.” Secure

Axcess, 848 F.3d at 1381. Furthermore, “the definition of ‘covered business

CBM2016-00063 Patent 8,266,432 B2

21

method patent’ is not limited to products and services of only the financial

industry” and “on its face covers a wide range of finance-related activities.”

Versata Dev. Grp., Inc. v. SAP Am., Inc., 793 F.3d 1306, 1326–27 (Fed. Cir.

2015).

Here, Petitioner takes the position that the ’432 patent is a covered

business method patent, arguing that the “method for authenticating a user of

claim 1 is used for data processing in the practice, administration, and

management of financial products and services; specifically, for processing

user financial information for electronic purchases.” Pet. 9–12. According

to Petitioner, the claims at issue are directed to “a Central-Entity for

centralized identification and authentication of users and their transactions

to increase security and e-commerce.” Id. at 10–11 (citing Ex. 1001, 2:51–

3:6). Petitioner explains that claim 1 is directed to a method for

authenticating a user during a transaction between the user and an external

entity, and dependent claim 4 (subsequently disclaimed) requires that the

transaction be a financial transaction. Id.; Ex. 1001, 6:24–47, 6:61–62.

Patent Owner counters that the challenged claims “literally do not

recite any commercial or financial transactions,” and “lack any recitation of

financial terminology or activity.” PO Resp. 28; Paper 29, 2–4. In Patent

Owner’s view, the claimed authentication method and system do not involve

a financial product or service, but rather are, at most, merely incidental or

complementary to a financial activity. Paper 29, 4–5. Although Patent

Owner confirms that the ’432 patent describes commercial and financial

transactions, Patent Owner argues that “others are not (e.g., accessing a

CBM2016-00063 Patent 8,266,432 B2

22

restricted website)” and any sales or financial transactions are not part of the

claimed authentication. PO Resp. 28–29 (emphasis omitted). Patent Owner

contends that “the term ‘external entity’ is not recited as a financial product

or service in the claims but as a party for example having a restricted

website that requires user authentication before allowing access or offering

its product or service.” Paper 29, 3–4.

Upon consideration of the parties’ contentions and supporting

evidence, we determine that Petitioner has established that claim 1, when

properly construed, recites a method for performing data processing or other

operations used in the practice, administration, or management of a financial

product or service. See Secure Axcess, 848 F.3d at 1381 (“[T]he phrasing of

a qualifying claim does not require particular talismanic words. When

properly construed in light of the written description, the claim need only

require one of a ‘wide range of finance-related activities’” . . . . (citations

omitted)).

Claim 1 recites a method “for authenticating a user during an

electronic transaction between the user and an external-entity”5 and

requires, in the body of the claim, a central-entity to perform each recited

step “during the transaction.” Ex. 1001, 6:24–26 (emphases added). As

5 In this proceeding, the parties do not dispute that the preamble of each independent claim is a claim limitation. For purposes of this Decision, we proceed on the assumption that it is. Regardless, though, the terms we analyze herein (e.g., “transaction,” “user,” “external-entity,” and “central-entity”) also appear in the body of the claim.

CBM2016-00063 Patent 8,266,432 B2

23

discussed in the claim construction section of this Decision (Section II.A),

the Specification expressly sets forth the definitions for the claim terms

“user,” “external-entity,” and “central-entity.” Applying those

lexicographical definitions, claim 1 requires authenticating a “user” (a

person or business consuming goods and services) during an electronic

transaction between such a person or business and an “external-entity” (any

party offering goods or services in e-commerce that users utilize by directly

providing their UserName and SecureCode as digital identity, and that needs

to authenticate the users based on digital identity”). Id. at 2:10–26, 3:4–6,

6:24–47. Claim 1 also requires a “central-entity” (any party that has a user’s

personal and/or financial information, UserName, and Password, and

generates a dynamic, non-predictable and time dependable SecureCode for

the user) to perform the authentication.

We are not persuaded by Patent Owner’s arguments, as they

improperly ignore the lexicographical definitions of the claim terms and fail

to account for the financial nature of those definitions. See In re Paulsen,

30 F.3d 1475, 1480 (Fed. Cir. 1994) (a patentee may act as his or her own

lexicographer and clearly set forth a definition of the claim term in the

specification); Phillips v. AWH Corp., 415 F.3d 1303, 1316 (Fed. Cir. 2005)

(en banc) (explaining that “our cases recognize that the specification may

reveal a special definition given to a claim term by the patentee that differs

from the meaning it would otherwise possess[; i]n such cases, the inventor’s

lexicography governs”) (citing CCS Fitness, Inc. v. Brunswick Corp., 288

F.3d 1359, 1366 (Fed. Cir. 2002)). Indeed, as noted above (Section II.A),

CBM2016-00063 Patent 8,266,432 B2

24

Patent Owner urges us to interpret the claim term “external-entity” to be a

“party offering goods or services in e-commerce and [that] needs to

authenticate the users based on digital identity.” PO Resp. 6 (emphasis

added). By Patent Owner’s own admission, therefore, claim 1 involves a

transaction taking place in e-commerce. As Petitioner notes (Paper 30, 2–3),

Patent Owner’s declarant, Alfred C. Weaver, Ph.D., confirms the financial

nature of the claim, testifying that “e-commerce” refers to “[t]ransfer of

information over a network in the context of buying and selling products and

services.” Ex. 1068, 77:10–78:6 (emphasis added).

Patent Owner’s arguments also narrowly focus on the “restricted

website” embodiment disclosed in the Specification, improperly

characterizing that embodiment as non-financial. Notably, that embodiment

involves accessing a “restricted website” that is provided by a business

offering goods or services in e-commerce for its customers to access.

Ex. 1001, 1:30–2:9, 4:12–14 (attempts to get access to a restricted website,

or to buy goods or services, are part of “the transaction of a customer”).

The Specification explicitly explains that “the increase of businesses

utilizing e-commerce ha[s] [led] to a dramatic increase in customers

releasing confidential personal and financial information, in the form of

social security numbers, names, addresses, credit card numbers and bank

account numbers, to identify themselves.” Id. at 1:30–37 (emphasis added).

According to the Specification, there was a need at the time of the invention

for secured e-commerce transactions between a business offering goods or

services and its customers. Id. at 1:30–2:9. The Specification discloses that

CBM2016-00063 Patent 8,266,432 B2

25

the invention is related to a system and method provided by a central-entity

for centralized identification and authentication of persons or businesses

consuming goods and services, and their transactions to increase security in

e-commerce, allowing the persons or businesses “to purchase goods and

services from an External-Entity using their digital identity, preferably

without revealing confidential personal or financial information.” Id. at

2:52–55, 3:35–40.

In light of the Specification, claim 1, when construed properly, is

directed to a method for authenticating a customer during a transaction

between a seller and the customer in e-commerce. That transaction in

e-commerce includes the customer accessing the seller’s restricted website,

or purchasing goods or services from the seller. In fact, Patent Owner

admits, and Dr. Weaver testifies, that one of ordinary skill in the art would

have understood that “intrabank funds transfer transactions would be within

the scope of the claimed invention.” PO Resp. 7, 26 (asserting that an

electronic transfer of funds between a customer and business provides

written description support for the claimed “transaction”); Ex. 2010 ¶ 37.

Funds transfers, accessing bank accounts electronically, and buying

and selling goods or services in e-commerce are activities that are financial

in nature; and allowing secured electronic sales transactions, funds transfers

between two financial institutions, or access to a financial institution’s

system for banking services amount to providing a financial service. We are

persuaded that claim 1, as properly construed, contains a financial activity

element.

CBM2016-00063 Patent 8,266,432 B2

26

For these reasons, we determine that Petitioner has demonstrated that

claim 1 of the ’432 patent is directed to a method for performing data

processing used in the practice, administration, or management of a financial

product or service. Consequently, the ’432 patent satisfies the “financial

product or service” component of the definition for a covered business

method patent under § 18(d)(1) of the AIA.

2. Technological Invention Exception

The definition of “covered business method patent” in § 18(d)(1) of

the AIA excludes patents for “technological inventions.” When determining

whether a patent is excluded under this exception, we consider “whether the

claimed subject matter as a whole recites a technological feature that is

novel and unobvious over the prior art; and solves a technical problem using

a technical solution.” 37 C.F.R. § 42.301(b). Both prongs must be satisfied

in order for the patent to be excluded as a technological invention. See

Apple Inc. v. Ameranth, Inc., 842 F.3d 1229, 1240 (Fed. Cir. 2016) (“We

need not address this argument regarding whether the first prong of 37

C.F.R. § 42.301(b) was met, as we affirm the Board’s determination on the

second prong of the regulation. . . .”); see also 157 CONG. REC. S1364 (daily

ed. Mar. 8, 2011) (Sen. Schumer stated the “‘technological invention’

exception only excludes those patents whose novelty turns on a

technological innovation over the prior art and are concerned with a

technical problem which is solved with a technical solution”) (emphases

CBM2016-00063 Patent 8,266,432 B2

27

added). Therefore, a patent would not be excluded as a technological

invention if one of the prongs is deficient.

The following claim drafting techniques, for example, typically do not

render a patent a technological invention:

(a) Mere recitation of known technologies, such as computer hardware, communication or computer networks, software, memory, computer-readable storage medium, scanners, display devices or databases, or specialized machines, such as an ATM or point of sale device.

(b) Reciting the use of known prior art technology to accomplish a process or method, even if that process or method is novel and non-obvious.

(c) Combining prior art structures to achieve the normal, expected, or predictable result of that combination.

Office Patent Trial Practice Guide, 77 Fed. Reg. 48,756, 48,763–64

(Aug. 14, 2012).

Here, Petitioner asserts that the ’432 patent is not directed to a

technological invention, and, thus, should not be excluded from the

definition of a covered business method patent. Pet. 12–16. In Petitioner’s

view, the Specification confirms that the computer-related limitations recited

in the claims are merely standard computer features. Id. at 14 (citing

Ex. 1001, 5:5–10, 4:67–5:4).

In our Institution Decision (Dec. 12–13), we determined that the claim

elements that were allegedly novel technological features—a centralized

authentication system (central-entity), the digital identity (user specific

information and dynamic code), and the communication between the

centralized system, external-entity, and user during a transaction—appear to

CBM2016-00063 Patent 8,266,432 B2

28

have been known in the art, in light of the prior art in this record. See, e.g.,

Ex. 1032. Subsequent to institution, neither party disagrees with our

analysis as to the “technological invention” exception under § 18(d) of AIA.

See generally PO Resp.; Reply.

Indeed, those claim elements merely utilize generic computers. See,

e.g., Ex. 1001, 6:27–30 (“a computer associated with a central-entity”).

And, using user-specific information (e.g., a user name) and a dynamic code

(e.g., a one-time password) for authenticating a user was known in the art at

the time of the invention. See, e.g., Ex. 1032 ¶¶ 9, 48. Reciting the use of

known prior art features to perform a method does not render a patent a

technological invention. Moreover, Petitioner explains sufficiently why

claim 1, as a whole, does not recite a technological feature that is novel and

non-obvious over the prior art of record. Pet. 28–56 (explaining how

claim 1, as a whole, is anticipated by Norefors). Claim 1 is merely the

recitation of known technologies to perform a method, which indicates that

it is not a patent for a technological invention. See Office Patent Trial

Practice Guide, 77 Fed. Reg. at 48,764 (examples (a) and (b), which are

reproduced above).

In view of the foregoing, we maintain our determination that claim 1,

as a whole, does not recite a technological feature that is novel and

non-obvious over the prior art. Because one of the prongs set forth in 37

C.F.R. § 42.301(b), for determining whether a patent is a technological

invention, is deficient, it is not necessary for us to address Petitioner’s

arguments regarding whether the claimed subject matter solves a technical

CBM2016-00063 Patent 8,266,432 B2

29

problem using a technical solution. Pet. 14–16. Accordingly, the ’432

patent is not excluded as a technological invention.

3. Conclusion

For the foregoing reasons, we conclude that the ’432 patent is a

covered business method patent under AIA § 18(d)(1) and is eligible for

review using the transitional covered business method patent program.

C. Principles of Law

To establish anticipation, each and every element in a claim, arranged

as recited in the claim, must be found in a single prior art reference. Net

MoneyIN, Inc. v. VeriSign, Inc., 545 F.3d 1359, 1369 (Fed. Cir. 2008). It is

well settled that “the reference need not satisfy an ipsissimis verbis test.” In

re Gleave, 560 F.3d 1331, 1334 (Fed. Cir. 2009); In re Bond, 910 F.2d 831,

832–33 (Fed. Cir. 1990). In an anticipation analysis, “it is proper to take

into account not only specific teachings of the reference but also the

inferences which one skilled in the art would reasonably be expected to draw

therefrom.” In re Preda, 401 F.2d 825, 826 (CCPA 1968); In re Graves, 69

F.3d 1147, 1152 (Fed. Cir. 1995) (“A reference anticipates a claim if it

discloses the claimed invention ‘such that a skilled artisan could take its

teachings in combination with his own knowledge of the particular art and

be in possession of the invention.’” (citation and emphasis omitted)). Prior

art references must be “considered together with the knowledge of one of

ordinary skill in the pertinent art.” Paulsen, 30 F.3d at 1480 (quoting In re

Samour, 571 F.2d 559, 562 (CCPA 1978)).

CBM2016-00063 Patent 8,266,432 B2

30

A patent claim is unpatentable under 35 U.S.C. § 103(a) if the

differences between the claimed subject matter and the prior art are such that

the subject matter, as a whole, would have been obvious at the time the

invention was made to a person having ordinary skill in the art to which said

subject matter pertains. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406

(2007). The question of obviousness is resolved on the basis of underlying

factual determinations including: (1) the scope and content of the prior art;

(2) any differences between the claimed subject matter and the prior art;

(3) the level of ordinary skill in the art; and (4) objective evidence of

nonobviousness. Graham v. John Deere Co., 383 U.S. 1, 17–18 (1966).

D. Level of Ordinary Skill

In determining the level of ordinary skill in the art, various factors

may be considered, including the “type of problems encountered in the art;

prior art solutions to those problems; rapidity with which innovations are

made; sophistication of the technology; and educational level of active

workers in the field.” In re GPAC Inc., 57 F.3d 1573, 1579 (Fed. Cir. 1995)

(citation omitted). Petitioner’s declarant, Seth Nielson, Ph.D., testifies that a

person with ordinary skill in the art “would have had a Bachelor of Science

Degree in Electrical Engineering, Computer Engineering, or Computer

Science with related work experience.” Ex. 1003 ¶ 26. Patent Owner’s

declarant, Dr. Weaver, testifies similarly that such an artisan would have had

a Bachelor of Science Degree in these technical fields “or a related technical

degree, possibly with some additional post-degree work experience with

CBM2016-00063 Patent 8,266,432 B2

31

system engineering (or equivalent).” Ex. 2010 ¶ 28. We do not discern any

meaningful differences between the parties’ assessments of the level of

ordinary skill in the art, particularly given Dr. Weaver’s assessment of what

experience an ordinarily skilled artisan “possibly” would have had.

Therefore, we adopt Dr. Nielson’s assessment of a person with ordinary skill

in the art. We further note that the prior art of record in the instant

proceeding reflects the appropriate level of ordinary skill in the art. See

Okajima v. Bourdeau, 261 F.3d 1350, 1354–55 (Fed. Cir. 2001) (“the prior

art itself reflects an appropriate level” of ordinary skill in the art).

E. Whether the ’432 Patent is Entitled to the Benefit of a Prior Filing Date

Under 35 U.S.C. § 120, a patent claim is entitled to the benefit of the

filing date of a prior-filed application only if the original disclosure of the

prior-filed application provides written description support for the patent

claim as required by 35 U.S.C. § 112, first paragraph. In re NTP, Inc., 654

F.3d 1268, 1276–77 (Fed. Cir. 2011); see also Augustine Med., Inc. v.

Gaymar Indus., Inc., 181 F.3d 1291, 1302–03 (Fed. Cir. 1999) (noting that

different claims of a continuation-in-part application may receive different

effective filing dates because subject matter that arises for the first time in a

continuation-in-part application does not receive the benefit of the filing date

of the parent application). The test for determining compliance with the

written description requirement is whether the original disclosure of the

prior-filed application reasonably would have conveyed to a person having

ordinary skill in the art that the inventor had possession of the claimed

CBM2016-00063 Patent 8,266,432 B2

32

subject matter at the time of the prior-filed application’s filing date. Ariad

Pharms., Inc. v. Eli Lilly & Co., 598 F.3d 1336, 1351 (Fed. Cir. 2010) (en

banc); Vas-Cath Inc. v. Mahurkar, 935 F.2d 1555, 1563–64 (Fed. Cir. 1991).

Here, the application that issued as the ’432 patent has an actual filing

date of September 15, 2008. Ex. 1001, [22]. The ’432 patent claims, as a

continuation-in-part application, the benefit of the filing dates of the

following prior-filed, non-provisional applications (Ex. 2008):

(1) U.S. Patent Application No. 09/940,635 (Ex. 1016, “the ’635

application”), which was filed on August 29, 2001, and issued as U.S.

Patent No. 7,356,837 B2 (Ex. 1005, [21], [22], [10], “the ’837 patent”);

(2) U.S. Patent Application No. 11/239,0466 (Ex. 1014, “the ’046

application”), which was filed on September 30, 2005, and issued as U.S.

Patent No. 7,444,676 B1 (Ex. 1015, [21], [22], [10], “the ’676 patent”); and

(3) U.S. Patent Application No. 11/333,400 (Ex. 2009, “the ’400

application”), which was filed on January 18, 2006, and issued as U.S.

Patent No. 8,281,129 B1 (Ex. 2004, [21], [22], [10], “the ’129 patent”).

It is undisputed that there can be no copendency between the ’635

application, which issued as a patent on April 8, 2008, and the application

that issued as the ’432 patent, which was filed on September 15, 2008,

6 There appears to be a typographical error in the Certificate of Correction issued on October 25, 2016. Although the correction to the Specification of the ’432 patent correctly lists “Ser. No. 11/239,046,” the correction to the title page lists “No. 11/239,048.” Ex. 2008; see also Ex. 2006, 3 (correctly listing “11/239,046”).

CBM2016-00063 Patent 8,266,432 B2

33

unless there is an intermediate application that meets the requirements of

§ 120. Compare Ex. 1001, [22], with Ex. 1005, [45]. Patent Owner takes

the position that each of the ’400 application and the ’046 application

qualifies as such an intermediate application. PO Resp. 11–27.

Patent Owner’s chart (reproduced below with annotations) shows the

’432 patent’s benefit claims (Prelim. Resp. 38).

Similar to Patent Owner’s chart above, the Certificate of Correction, which

was issued on October 25, 2016, after we instituted this trial, also shows that

the ’432 patent claims the benefit of the filing date of the ’635 application,

through either the ’400 application or the ’046 application. Ex. 2008, 1–2.

The parties’ dispute centers on whether either of these intermediate

applications, as originally filed, provides adequate written description

support for the challenged claims. Petitioner argues that, because neither

intermediate application provides the required written description support,

Norefors, which published on May 4, 2006, prior to the actual filing date

CBM2016-00063 Patent 8,266,432 B2

34

(September 15, 2008) of the ’432 patent, is prior art under § 102(b). Pet. 4,

16–28; Reply 12–35. Patent Owner disagrees, arguing that the claims at

issue are entitled to the benefit of the filing date (August 29, 2001) of the

’635 application, thereby antedating Norefors, because the original

disclosure each of the ’400 application and the ’046 application provides

adequate written description support for the challenged claims. PO Resp.

12–28.

1. Burden of Proof

As an initial matter, we note that Petitioner has the burden of

persuasion to prove unpatentability by a preponderance of the evidence and

also has the initial burden of production. See Dynamic Drinkware, LLC v.

Nat’l Graphics, Inc., 800 F.3d 1375, 1380 (Fed. Cir. 2015). As discussed in

the Institution Decision, we determined that Petitioner satisfied its initial

burden of production by presenting sufficient explanations with supporting

evidence that the claims of the ’432 patent are not entitled to the benefit of

the filing dates of the ’635 application and the ’046 application—the benefit

claims presented in the ’432 patent at the time of filing the Petition.

Dec. 20–29; Pet. 16–28; Ex. 1003 ¶¶ 37–64; Exs. 1005, 1014, 1016.

At the preliminary stage of this proceeding, Patent Owner did not

challenge Petitioner’s assertions that Norefors either anticipates or, in

combination with Brown, renders obvious the challenged claims. Prelim.

Resp. 76–78. Instead, Patent Owner argued that Norefors is not prior art.

Id. We noted in our Institution Decision that the burden of production

CBM2016-00063 Patent 8,266,432 B2

35

shifted to Patent Owner to show that the challenged claims are entitled to the

benefit of an earlier effective filing date that is before the relevant date of

Norefors. Dec. 20–29, citing Dynamic Drinkware, 800 F.3d at 1380

(“The burden of production then shifted to [Patent Owner] to argue or

produce evidence that either [the reference] does not actually anticipate, or,

as was argued in this case, that [the reference] is not prior art because the

asserted claims in the [involved] patent are entitled to the benefit of a filing

date (constructive or otherwise) prior to the filing date of [the reference].”);

PowerOasis, Inc. v. T-Mobile USA, Inc., 522 F.3d 1299, 1305 (Fed. Cir.

2008) (“When neither the PTO nor the board has previously considered

priority, there is simply no reason to presume that claims in a

[continuation-in-part] application are entitled to the effective filing date of

an earlier filed application.”).

After institution, Patent Owner submitted a copy of the Decision

granting Patent Owner’s Petition to Accept an Unintentionally Delayed

Benefit Claim (Ex. 2006) and the Certificate of Correction for correcting the

benefit claims of the ’432 patent (Ex. 2008). Patent Owner alleges that the

correction establishes another chain of benefit claims to the filing date of the

’635 application through the ’400 application. PO Resp. 10–11.

However, this merely shows that Patent Owner has corrected the ’432

patent to add a specific reference for the ’400 application. See Ex. 2006, 1

(petition decision stating that “[t]his acceptance should not be construed as

meaning that any claim in this patent is entitled to the benefit of the

prior-filed applications”). Patent Owner still has the burden to show

CBM2016-00063 Patent 8,266,432 B2

36

sufficiently that the original disclosure of at least one of the intermediate

applications—the ’400 application or the ’046 application—provides

adequate written description support for the challenged claims. See Tech.

Licensing Corp. v. Videotek, Inc., 545 F.3d 1316, 1327 (Fed. Cir. 2008)

(explaining that the patentee’s burden of production for showing an asserted

reference is not prior art includes “not only the existence of the earlier

application, but why the written description in the earlier application

supports the claim”); see also Research Corp. Techs., Inc. v. Microsoft

Corp., 627 F.3d 859, 870–71 (Fed. Cir. 2010) (holding that the patentee

carries the burden to show entitlement to a priority date when the patentee

relies on that priority date to overcome an anticipation or obviousness

argument). We will address below each of the intermediate applications in

turn.

2. Whether the ’400 application supports the challenged claims

Patent Owner alleges that the ’129 patent7 provides adequate written

description support for the challenged claims of the ’432 patent. PO Resp.

13–20. As support, Patent Owner proffers detailed explanations (id.), claim

charts (id., App’x 1), and Dr. Weaver’s testimony (Ex. 2010 ¶¶ 42–53).

7 Patent Owner asserts that the specification and drawings of the ’129 patent “are substantially identical to those of the originally-filed application 11/333,400 (Ex. 2009).” PO Resp. 13. Petitioner does not challenge this assertion. Both parties cite to the ’129 patent, rather than the ’400 application’s original disclosure. For efficiency, we cite to the ’129 patent as well.

CBM2016-00063 Patent 8,266,432 B2

37

Petitioner counters that the ’129 patent fails to provide adequate written

description support for certain claim elements, citing Dr. Nielson’s

testimony for support. Reply 15–26 (citing Ex. 1054 ¶¶ 42−67).

For the reasons that follow, we determine that Patent Owner fails to

demonstrate sufficiently that the ’129 patent provides adequate written

description support for the claim elements addressed below.

Dynamic code

Independent claims 1 and 25 of the ’432 patent each require a

central-entity to generate a dynamic code for a user. Ex. 1001, 6:24–57,

7:54–8:7. As discussed above in the claim construction section of this

Decision (Section II.A), we agree with Patent Owner that the claim term

“dynamic code” encompasses alphanumeric and non-alphanumeric codes

that are non-predictable and time dependent. PO Resp. 10.

In its Response, Patent Owner contends that an ordinarily skilled

artisan would have reasonably concluded that the “dynamic key” disclosed

in the ’129 patent “provides sufficient written description support for the

claimed ‘dynamic code’ of the ’432 Patent, as construed,” citing

Dr. Weaver’s testimony for support. Id. at 19–20 (citing Ex. 2004, 8:13–22;

Ex. 2008 ¶ 53). However, the portion of the ’129 patent relied upon by

Patent Owner and Dr. Weaver merely discloses that the “dynamic key is an

alphanumeric code,” but it does not describe a non-alphanumeric code.

Ex. 2004, 8:13–22 (emphasis added). Dr. Weaver’s testimony merely

repeats Patent Owner’s contention. Ex. 2010 ¶ 53. In fact, there is no

explanation as to why a person of ordinary skill in the art would have

CBM2016-00063 Patent 8,266,432 B2

38

understood the inventor of the ’129 patent to have possession of a

non-alphanumeric dynamic code. PO Resp. 20; Ex. 2010 ¶ 53.

Although the prior-filed application need not describe the claimed

subject matter in precisely the same terms as found in the claims at issue, the

prior-filed application must convey with reasonable clarity to a person with

ordinary skill in the art that, as of the filing date sought, the patentee was in

possession of the full scope of the claims, as construed. X2Y Attenuators,

LLC v. ITC, 757 F.3d 1358, 1365 (Fed. Cir. 2014). “[I]t is well settled that a

written description analysis depends on a proper claim construction because,

among other reasons, a claim is entitled to the priority date of an earlier

application only if the earlier specification provides sufficient written

support for the full scope of the claim.” Id.; Tech. Licensing, 545 F.3d at

1331–32; see also LizardTech, Inc. v. Earth Resource Mapping, Inc., 424

F.3d 1336, 1345 (Fed. Cir. 2005) (explaining that “[w]hether the flaw in the

specification is regarded as a failure to demonstrate that the patentee

possessed the full scope of the invention recited in [the claim] or a failure to

enable the full breadth of that claim, the specification provides inadequate

support for the claim under section 112, paragraph one”).

For the reasons stated above, we determine that Patent Owner fails to

establish sufficiently that the original disclosure of the ’400 application

(or the ’129 patent) provides adequate written description support for the

aforementioned “dynamic code” claim element, as required by independent

claims 1 and 25, and dependent claims 2, 3, 5–10, 12–24, 26–28, 30–45,

and 47.

CBM2016-00063 Patent 8,266,432 B2

39

Authenticating a user during an electronic transaction

Each independent claim (and thus each challenged claim) of the ’432

patent requires authenticating a user during an electronic transaction

between the user and an external-entity. Ex. 1001, 6:24–10:32. As Patent

Owner acknowledges, the steps or functions recited in each independent

claim are required to be performed during the transaction between the user

and external-entity. PO Resp. 17−19. For example, claim 1 recites

“authenticating by the central-entity the user and providing a result of the

authenticating to the external-entity during the transaction if the digital

identity is valid.” Ex. 1001, 6:45−47.

Patent Owner confirms that the ’129 patent “does not expressly state

that certain functions are performed ‘during a transaction,’ as recited in the

claims” of the ’432 patent. PO Resp. 17. Nevertheless, Patent Owner

argues that an ordinarily skilled artisan would have reasonably concluded

that the ’129 patent discloses that the recited steps or functions are

performed during a transaction between the user and external-entity, as

required by the claims. Id. As support, Patent Owner cites to both Figure 2

of the ’432 patent and Figure 2a of the ’129 patent, arguing that both patents

disclose a process in which an entity authenticates a user during a period

after an electronic transaction between a user and external-entity is initiated,

and before such a transaction is permitted to be completed. Id. at 17–19

(citing Ex. 2004, 9:15–49, Fig. 2a; Ex. 2010 ¶¶ 49–52).

Patent Owner’s argument and Dr. Weaver’s testimony are conclusory,

and use the disclosure of the ’432 patent to fill in the gaps of the ’129 patent.

CBM2016-00063 Patent 8,266,432 B2

40

Notably, a discussion that combines both Figure 2 of the ’432 patent and

Figure 2a of the ’129 patent does not address whether the ’129 patent itself

has sufficient written description support for the challenged claims of the

’432 patent.

As our reviewing court has recognized, “the issue is whether a person

skilled in the art would understand from the earlier application alone,

without consulting the new matter in the [later] patent, that the inventor had

possession of the claimed [subject matter]” when the earlier application was

filed. Tech. Licensing, 545 F.3d at 1333–34 (emphasis added). In

Lockwood, the court held:

While the meaning of terms, phrases, or diagrams in a disclosure is to be explained or interpreted from the vantage point of one skilled in the art, all the limitations must appear in the specification. The question is not whether a claimed invention is an obvious variant of that which is disclosed in the specification. Rather, a prior application itself must describe an invention, and do so in sufficient detail that one skilled in the art can clearly conclude that the inventor invented the claimed invention as of the filing date sought.

Lockwood v. Am. Airlines, Inc., 107 F.3d 1565, 1571–72 (Fed. Cir. 1997)

(emphases added).

As noted above, the claims require authenticating a user by the

central-entity and providing a result of the authentication to the

external-entity during the transaction between the user and external-entity if

the digital identity is valid. Ex. 1001, 6:45−47. To be clear, the

authentication by the central-entity is not the transaction between the user

CBM2016-00063 Patent 8,266,432 B2

41

and external-entity because the authentication must be completed before the

transaction is completed.

Notably, the ’432 patent describes a customer’s attempt to access a

seller’s restricted website, or to purchase goods or services from a seller, as a

transaction between the seller and its customer. Ex. 1001, 4:12–14, 5:5–43,

Fig. 4, claims 6, 31. In contrast, the portion of the ’129 patent (Ex. 2004,

9:15–49, Fig. 2a.) relied upon by Patent Owner (PO Resp. 17–19) and

Dr. Weaver (Ex. 2010 ¶¶ 49–52) discloses merely an authentication process,

not a transaction between a user and an external-entity, as required by the

claims of the ’432 patent.

Patent Owner’s explanation uses the ’432 patent’s disclosure,

regarding accessing a restricted website, to fill in the gaps of the ’129 patent.

PO Resp. 17–19. In addition, Patent Owner’s explanation of “an example

embodiment” of the ’129 patent referring to a generic transaction (id. at 18–

19) is not supported by the cited portions of the ’129 patent. Dr. Weaver’s

testimony that Figure 2 of the ’129 patent “discloses that the

trusted-authenticator 30 authenticates an individual 10 before a transaction

can be completed between the individual 10 and the business 20” also is not

supported by the ’129 patent itself. Ex. 2010 ¶¶ 49–52.

At best, the ’129 patent describes an interaction between business 20

and individual 10 when business 20 requests static and dynamic keys from

individual 10 (step 110) and individual 10 provides the keys to business 20

(step 112). Ex. 2004, 9:15−49, Fig. 2a. However, this interaction occurs

prior to the following steps of authentication: (1) sending the authentication

CBM2016-00063 Patent 8,266,432 B2

42

message by business 20 to trusted-authenticator 30 (step 120);

(2) authenticating the user by trusted-authenticator 30; and (3) sending the

result of the authentication by trusted-authenticator 30 to business 20

(step 126). Id. In short, authenticating the user and sending the

authentication result by trusted-authenticator 30 are performed after the

interaction between business 20 and individual 10, not during a transaction

between business 20 and individual 10, as required by the claims. Id. As

such, we are not persuaded by Patent Owner’s contentions (PO Resp.

17−19) and Dr. Weaver’s testimony (Ex. 2010 ¶¶ 49–52). See Rohm and

Haas Co. v. Brotech Corp., 127 F.3d 1089, 1092 (Fed. Cir. 1997) (nothing

requires a fact finder to credit the inadequately explained testimony of an

expert).

For the reasons stated above, we determine that Patent Owner fails to

demonstrate sufficiently that the original disclosure of the ’400 application

(or the ’129 patent) provides adequate written description support for the

claimed transaction and “authenticating by the central-entity the user and

providing a result of the authenticating to the external-entity during the

transaction” between the user and external-entity, as required by the

challenged claims.

Two central-entity computers

Each of independent claims 25, 48, and 52 of the ’432 patent requires

two central-entity computers. Ex. 1001, 7:54–8:7, 9:3–30, 10:5–25. For

example, claim 25 recites “a first central-entity computer adapted to:

generate a dynamic code for the user” and “a second central-entity computer

CBM2016-00063 Patent 8,266,432 B2

43

adapted to validate a digital identity in response to an authentication

request.” Id. at 7:57–65. Each of dependent claims 26–28, 30–45, 47, 50,

51, 54, and 55, by virtue of their dependence, also requires two central-entity

computers.

In this regard, Patent Owner argues that “[a]s construed, the trusted

authenticator 30 of FIG. 2a can comprise two computing devices, including

a first computing device that generates dynamic codes (e.g., a random

number generator unit) and provides such codes to users,” and “a second

computing device that authenticates keys (e.g., an authentication unit).” PO

Resp., App’x 1, pp. 13, 15, 22, 24, 25 (emphasis added).

However, as Petitioner and Dr. Nielson note (Reply 24–26; Ex. 1054

¶¶ 57, 62, 67), trusted authenticator 30, as shown in Figure 2a of the ’129

patent, does not have two computing devices. Ex. 2004, Fig. 2a.

Significantly, Patent Owner does not cite, nor can we discern, any other

portion of the ’129 patent that discloses two computing devices associated

with the trusted authenticator, much less “a random number generator unit”

and “an authentication unit.” Patent Owner’s attorney argument is entitled

to little probative value, as it is conclusory and unsupported by credible

factual evidence. In re Geisler, 116 F.3d 1465, 1470 (Fed. Cir. 1997)

(attorney arguments and conclusory statements that are unsupported by

factual evidence are entitled to little probative value); see also Estee Lauder

Inc. v. L’Oreal, S.A., 129 F.3d 588, 595 (Fed. Cir. 1997) (arguments of

counsel cannot take the place of evidence lacking in the record).

CBM2016-00063 Patent 8,266,432 B2

44

It is well settled that “[e]ntitlement to a filing date does not extend to

subject matter which is not disclosed, but would be obvious over what is

expressly disclosed.” Lockwood, 107 F.3d at 1571–72. “It is not sufficient

for purposes of the written description requirement of § 112 that the

disclosure, when combined with the knowledge in the art, would lead one to

speculate as to modifications that the inventor might have envisioned, but

failed to disclose.” Id. at 1572. Nor does the fact that the claimed subject

matter could have been “envisioned” from the earlier disclosure establish

adequate written description support. Goeddel v. Sugano, 617 F.3d 1350,

1356 (Fed. Cir. 2010).

For the foregoing reasons, we determine that Patent Owner has not

established sufficiently that the original disclosure of the ’400 application

(or the ’129 patent) provides adequate written description support for the

invention recited in any of the challenged claims of the ’432 patent.

3. Whether the ’046 application supports the challenged claims

Patent Owner alleges that the ’676 patent8 provides adequate written

description support for the challenged claims of the ’432 patent. PO Resp.

21–28. As support, Patent Owner proffers detailed explanations (id.), claim

8 Patent Owner asserts that the specification and drawings of the ’676 patent “are substantially identical to those of the originally-filed application 11/239,046 (Ex. 1014).” PO Resp. 21. Petitioner does not challenge this assertion. Both parties cite to the ’676 patent, rather than the ’046 application’s original disclosure. For efficiency, we cite to the ’676 patent as well.

CBM2016-00063 Patent 8,266,432 B2

45

charts (id., App’x 2) and Dr. Weaver’s testimony (Ex. 2010 ¶¶ 63–76).

Petitioner counters that the ’046 application fails to provide adequate written

description support for certain claim elements, citing Dr. Nielson’s

testimony for support. Reply 26–35 (citing Ex. 1054 ¶¶ 84−111).

For the reasons that follow, we determine that Patent Owner fails to

demonstrate sufficiently that the ’676 patent provides adequate written

description support for the claim elements addressed below.

Dynamic code and Digital identity

Each independent claim requires the central-entity to generate

“a dynamic code for the user,” and an authentication request based on

“a user-specific information and the dynamic code as the digital identity.”

See, e.g., Ex. 1001, 6:31−32, 38–44 (emphases added). As discussed above

in the claim construction section (Section II.A), we construe the claim term

“dynamic code” to encompass alphanumeric and non-alphanumeric codes

that are non-predictable and time dependent. Consistent with the definition

in the Specification, we also construe the claim term “digital identity” as “a

combination of a user’s SecureCode and the user’s information such as

UserName, which may result in a dynamic, non-predictable and time

dependable digital identity that could be used to identify a user as an

authorized user.” Id. at 2:41–43, 3:22–23. More importantly, the claim

language itself requires the claimed “digital identity” to include both a

user-specific information and a dynamic code.

Patent Owner argues that the “digital identity” disclosed in the ’676

patent (“the ’676 digital identity”) provides sufficient written description

CBM2016-00063 Patent 8,266,432 B2

46

support for the claimed “dynamic code” in the ’432 patent. PO Resp. 27,

App’x 2, pp. 2, 12–13, 19, 23−24; Ex. 2010 ¶ 76. We agree that the

definition of the ’676 digital identity—“a dynamic, non-predictable and time

dependent alphanumeric code” (Ex. 1015, 4:43–50)—describes an

alphanumeric “dynamic code,” as required by certain challenged claims in

the ’432 patent. Compare Ex. 1015, 4:43–54 (’676 patent definition of

“digital identity”), with Ex. 1001, 2:35–40 (’432 patent definition of

“SecureCode”).

However, as Petitioner correctly notes (Reply 30–31), Patent Owner

in its claim chart attempts to map the ’676 digital identity to both the

claimed “dynamic code” and the claimed “digital identity.” PO Resp.,

App’x 2, pp. 2−4, 12–15, 19−21, 23−25. As discussed above, the claimed

“dynamic code” and the claimed “digital identity” are different. See Section

II.A. supra (construing these terms).

Patent Owner’s showing ignores that the claimed “digital identity”

requires a combination of a user-specific information and a dynamic code,

not merely a dynamic code. See id. Patent Owner’s argument also conflates

the ’676 digital identity with the ’432 patent’s digital identity, using the

disclosure of the ’432 patent to fill in the gaps of the ’676 patent. Id. As we

discuss above, to satisfy the written description support requirement, the

“prior application itself must describe” the challenged claims in sufficient

detail. Lockwood, 107 F.3d at 1571−72; Tech. Licensing, 545 F.3d at 1333–

34.

CBM2016-00063 Patent 8,266,432 B2

47

Dr. Weaver’s testimony (Ex. 2010 ¶ 76) merely repeats Patent

Owner’s argument (PO Resp. 27). Neither Patent Owner nor Dr. Weaver

proffers any explanation as to where the ’676 patent discloses a digital

identity that includes a combination of a user-specific information and a

dynamic code, as required by each challenged claim. PO Resp. 27, App’x 2,

pp. 2−4, 12–15, 19−21, 23−25; Ex. 2010 ¶ 76.

For the reasons stated above, we determine that Patent Owner fails to

establish sufficiently that the original disclosure of the ’046 application

(or the ’676 patent) provides adequate written description support for the

aforementioned “digital identity” claim element, as required by each

challenged claim.

Authenticating a user during an electronic transaction

Each challenged claim requires the following steps or functions to be

performed by a central-entity during a transaction between a user and an

external-entity: (1) the central-entity providing a dynamic code to the user;

(2) the central-entity receiving an authentication request from the

external-entity; and (3) the central-entity providing a result of the

authentication to the external-entity if the digital identity is valid. Ex. 1001,

6:24–10:32.

Patent Owner argues that an electronic funds transfer between an

originator and a receiver, as disclosed in the ’676 patent, provides written

description support for the claimed “transaction.” PO Resp. 25–27.

CBM2016-00063 Patent 8,266,432 B2

48

Figure 8 of the ’676 patent is reproduced below.

Figure 8 above illustrates the online payment transaction between

originator 20 and receiver 40, relied upon by Patent Owner (PO Resp. 25–

27) and Dr. Weaver (Ex. 2010 ¶¶ 73–75). Patent Owner avers that the ’676

patent provides support for the claimed user (originator 20), external-entity

(receiver 40), and central-entity (Digital Identity Operator or DID Operator

30). PO Resp. 21–25, App’x 2, page 1.

Petitioner counters that Patent Owner has not shown sufficiently that

the ’676 patent provides adequate written description support for the

aforementioned steps, as required by each challenged claim. Reply 31–34;

Ex. 1054 ¶¶ 72–86. We agree with Petitioner.

CBM2016-00063 Patent 8,266,432 B2

49

As to the first aforementioned step or function, which requires a

central-entity providing the dynamic code to the user, Patent Owner asserts

that DID Operator 30 (the alleged central-entity), in the ’676 patent,

forwards a digital identity to OPFI (Originating Participating Financial

Institution) 25, and then OPFI 25 presents it to originator 20 (the alleged

user). PO Resp., App’x 2, pp. 2–3, 12–13, 19–20, 24–25. However, as

Dr. Nielson correctly explains, “in the ’676 patent, the OPFI 25, not the DID

Operator 30, provides the digital identity 10 to the user.” Ex. 1054 ¶ 86.

Dr. Nielson testifies that this difference between the challenged claims and

the ’676 patent is significant because the ’676 patent discloses a relationship

between the originator and the OPFI, and a relationship between the various

PFIs and the DID Operator, but not between the originator and the DID

Operator. Id. Dr. Nielson further testifies that there is no existing trusted

relationship between the originator and DID Operator in the ’676 patent. Id.

Dr. Nielson’s testimony is consistent with the disclosure of the ’676 patent

and is persuasive.

Indeed, in the ’432 patent, the central-entity centralizes the user’s

personal and financial information and the authentication of the user.

Ex. 1001, 2:52–59, 3:30–40, 4:3–17. In contrast, DID Operator 30, in the

’676 patent, is merely “the digital identity authority that provides digital

identity-based authentication and authorization services to the Participating

Financial Institutions (PFIs).” Ex. 1015, 9:57–10:6 (emphasis added). In

fact, as the ’676 patent describes, originator 20 must authenticate himself or

CBM2016-00063 Patent 8,266,432 B2

50

herself first to OPFI 25, and then OPFI 25 starts the payment process by

requesting a digital identity from DID Operator 30. Id. at 11:50–56.

For these reasons, we are not persuaded that Patent Owner has shown

sufficiently that the ’676 patent provides adequate written description

support for the claimed step or function that requires a central-entity

providing a dynamic code to the user.

With respect to the second aforementioned claimed step or function,

which requires the central-entity to receive an authentication request from

the external-entity, Patent Owner asserts that RPFI (Receiving Participating

Financial Institution) 35 sends a Digital Identity Message to DID Operator

30. PO Resp., App’x 2, pp. 3–4, 14–15, 20–21, 25. Importantly, as

Petitioner notes (Reply 31), DID Operator 30 (the alleged central-entity)

receives the message from RPFI 35, not receiver 40 (the alleged external-

entity). Dr. Nielson testifies that this difference is significant because

communicating through an additional party increases “opportunity for the

digital identity to be intercepted or compromised, decreasing security.”

Ex. 1054 ¶ 85. Neither Patent Owner, nor Dr. Weaver, explains this

deficiency in their analysis. PO Resp., App’x 2, page 3; Ex. 2010 ¶¶ 70–75.

Based on the evidence before us, we are not persuaded that Patent Owner

has shown sufficiently that the ’676 patent provides adequate written

description support for the claimed step or function that requires the

central-entity to receive an authentication request from the external-entity.

With respect to the third aforementioned claimed step or function,

which requires the central-entity to provide a result of the authentication to

CBM2016-00063 Patent 8,266,432 B2

51

the external-entity, Patent Owner contends DID Operator 30 sends a

message to OPFI 25 upon successful validation and identification, and RPFI

35 transfers the funds to receiver’s account and notifies receiver 40

accordingly. PO Resp., App’x 2, pp. 4–5, 15–16, 21–23, 26–27. Again,

Petitioner’s arguments to the contrary, supported by the disclosure of the

’676 patent and the testimony of Dr. Nielson, are persuasive. As Petitioner

points out (Reply 33–34), the DID Operator’s message is sent to OPFI 25,

not receiver 40 (the alleged external-entity), and the subsequent funds

transfer and notification is sent by RPFI 35, not the DID Operator (the

alleged central-entity). Ex. 1015, 12:31–51. Moreover, Dr. Nielson testifies

that the subsequent transfer of funds and notification “are not provided to the

receiver by the DID Operator and are not the result of the authentication

made by the DID Operator.” Ex. 1054 ¶ 78 (citing Ex. 1015, Fig. 6, steps

158, 160, Fig. 7, steps 182, 195, Fig. 10, steps 265, 268, Fig. 11, steps 288,

298). Based on the evidence before us, we are not persuaded that Patent

Owner has shown sufficiently that the ’676 patent provides adequate written

description support for the claimed step or function that requires the

central-entity to provide a result of the authentication to the external-entity.

For the foregoing reasons, we determine that Patent Owner has not

shown sufficiently that the original disclosure of the ’046 application (or the

’676 patent) provides adequate written description support for the

aforementioned steps or functions to be performed by a central-entity during

a transaction between a user and an external-entity, as required by each

challenged claim.

CBM2016-00063 Patent 8,266,432 B2

52

Two central-entity computers

Each of independent claims 25, 48, and 52 of the ’432 patent requires

two central-entity computers. Ex. 1001, 7:54–8:7, 9:3–30, 10:5–25. In this

regard, Patent Owner argues that “[a]s construed, the DID Operator 30 can

comprise two computing devices, including a first computing device that

generates digital identities (e.g., using a random number generator unit) and

provides such codes to originators 20 via OPFI 25,” and “a second

computing device that authenticates keys (e.g., an authentication unit).” PO

Resp., App’x 2, pp. 12, 14, 21, 23, 25 (emphasis added).

However, as Petitioner and Dr. Nielson note (Reply 34–35; Ex. 1054

¶¶ 95, 103, 111), DID Operator 30, as shown in Figure 8 of the ’676 patent,

does not have two computing devices. Ex. 1015, Fig. 8. Significantly,

Patent Owner does not cite, nor can we discern, any other portion of the ’676

patent that discloses two computing devices associated with DID Operator

30, much less “a random number generator unit” and “an authentication

unit.” See Lockwood, 107 F.3d at 1572. Patent Owner’s attorney argument

is entitled to little probative value, as it is conclusory and unsupported by

credible factual evidence. See Geisler, 116 F.3d at 1470; Estee Lauder, 129

F.3d at 595.

Based on the evidence in this record, we determine that Patent Owner

has not established sufficiently that the original disclosure of the ’046

application (or the ’676 patent) provides adequate written description

support for the invention recited in any of the challenged claims of the ’432

patent.

CBM2016-00063 Patent 8,266,432 B2

53

4. Conclusion on the Benefit Claims

For the foregoing reasons, we conclude that Patent Owner fails to

establish sufficiently that the original disclosure of either the ’400

application or the ’046 application provides adequate written description

support for the challenged claims. Consequently, the challenged claims of

the ’432 patent are not entitled to the benefit of the prior filing dates of the

’400 application, the ’046 application, and the ’635 application. As a result,

Norefors—published on May 4, 2006, before the actual filing date of the

’432 patent (September 15, 2008)—is prior art under 35 U.S.C. § 102(b) as

to the challenged claims.

F. Anticipation Ground Based on Norefors

Petitioner asserts that claims 1, 3, 5–8, 12, 13, 15–27, 30–42, 44, 45,

47, 48, 50–52, 54, and 55 are unpatentable under § 102(b) as anticipated by

Norefors. Pet. 28–56. In support of its assertion, Petitioner provides

detailed explanations as to how Norefors describes each claim limitation. Id.

Petitioner also directs us to relevant portions of Dr. Nielson’s Declaration

for support. Ex. 1003.

Patent Owner does not challenge Petitioner’s anticipation analysis

substantively, but instead maintains that Norefors is not prior art relative to

the challenged claims because the claims are entitled to a priority date of

August 29, 2001, which is prior to the filing date of Norefors. PO Resp. 27–

28. As discussed above, however, Patent Owner has not established such an

CBM2016-00063 Patent 8,266,432 B2

54

entitlement, and, consequently, Norefors is prior art as to the challenged

claims.

Upon review of Petitioner’s contentions and supporting evidence, and

based on the full trial record, we agree with and adopt as our findings

Dr. Nielson’s unrebutted testimony regarding Norefors (Ex. 1003 ¶¶ 65–87)

and determine that Petitioner has demonstrated by a preponderance of the

evidence that Norefors describes the subject matter of claims 1, 3, 5–8, 12,

13, 15–27, 30–42, 44, 45, 47–48, 50–52, 54, and 55. In our discussion

below, we provide a brief summary of Norefors, and then we address certain

claim limitations as examples.

Norefors describes “an arrangement and a method for providing an

end user with access to an IP network.” Ex. 1032 ¶ 1. Figure 1 of Norefors

is reproduced below.

Figure 1 of Norefors depicts an arrangement through which access to

an IP network login can be provided. Id. ¶¶ 4, 48–55. The arrangement

includes user station 2, access server 3, web server 4, authentication

server 5, and mobile telephone system 6. Id. According to Norefors, access

CBM2016-00063 Patent 8,266,432 B2

55

server 3 is run by an Internet Service Provider (“ISP”) or a Wireless ISP, and

authentication server 5 may be a Radius Remote Access Dial-in server or a

Diameter server. Id. The organization running the access server can be a

different organization from the operator that controls the web and

authentication nodes, and has a commercial relationship with the user. Id.

Based on the evidence before us, we are persuaded by Petitioner’s

analysis, supported by Dr. Nielson’s unrebutted testimony, that Norefors

describes a method and apparatus for authenticating a user during an

electronic transaction (an access to the IP network) with an external-entity

(access server), in which a central-entity (operator controlling web server

and authentication server) generates a dynamic code (a one-time password

(“OTP”)) for the user and authenticates the user based on a user-specific

information (user name) and the dynamic code (OTP) as a digital identity, as

required by independent claims 1, 25, 48, and 52. Pet. 28–56; Ex. 1032

¶¶ 48–57, Figs. 1–3; Ex. 1003 ¶¶ 65–70.

CBM2016-00063 Patent 8,266,432 B2

56

Petitioner’s first annotated Figure 3 of Norefors is reproduced below

(Pet. 36).

Notably, Petitioner’s first annotated Figure 3 (steps 1–7) above

illustrates that, during the access transaction between the user and

external-entity (access server), the central-entity (operator controlling the

web server and authentication server) electronically receives a request for a

dynamic code (an OTP), generates a dynamic code (an OTP) for the user,

and provides the dynamic code (the OTP) to the user. Pet. 36–37; Ex. 1003

¶¶ 71–74; Ex. 1032 ¶ 56 (authentication server provides and forwards an

OTP to SMS-C of a mobile communications system, which transfers the

OTP to the user), Fig. 3.

CBM2016-00063 Patent 8,266,432 B2

57

Petitioner’s second annotated Figure 3 is reproduced below (Pet. 43).

Petitioner’s second annotated Figure 3 (steps 16–18) above illustrates

that the central-entity (the operator controlling the authentication server)

electronically receives an authentication request from the external-entity (the

access server) based on a user name and the dynamic code (the OTP) as

digital identity, and then authenticates the user and provides a result of the

authentication to the external-entity (the access server) during the access

transaction if the digital identity is valid. Pet. 41–44; Ex. 1003 ¶ 75;

Ex. 1032 ¶ 57 (the login message is sent to the access server (step 16); an

authentication request is subsequently sent to the Radius authentication

CBM2016-00063 Patent 8,266,432 B2

58

server (step 17); and the Radius authentication server responds with an

access accept message to the access server and the access server opens the

communication (step 18)), Fig. 3. Having considered the evidence in the full

trial record, we are persuaded that Norefors describes the subject matter of

independent claims 1, 25, 48, and 52.

As to dependent claims 3, 5–8, 12, 13, 15–24, 26, 27, 30–42, 44, 45,

47, 50, 51, 54, and 55, we also are persuaded by Petitioner’s analysis, which

is supported by Dr. Nielson’s unrebutted testimony, that Norefors describes

the additional limitations recited in these dependent claims. Pet. 44–56;

Ex. 1003 ¶¶ 65–87. For example, Petitioner explains how Norefors

describes that the user name and OTP are used in a non-financial transaction

for logging into a restricted IP network over a communication network that

is coupled with the user workstation, access server, web server, and

authentication server, as required by claims 3, 5–8, 15–17, 24, 30–35, 44,

47, 50, 51, 54, and 55. Id. at 44–45, 55–56; Ex. 1032 ¶¶ 2–7, 10–43, 49–60,

Figs. 1–3. As another example, Petitioner explains how Norefors describes

that if the OTP is invalid, the digital identity is invalid, and if the OTP is

valid, the digital identity is valid, as required by claims 20, 21, 38, and 39.

Pet. 48–49; Ex. 1032 ¶¶ 9 (“the second login phase only is performed if the

OTP is valid”), 11 (in the second phase, the user name and the OTP are used

as password), 33 (“checking the validity/authenticity of the user credentials,

e.g., password, user name, in authentication server”), 55 (“An authentication

request is then sent from the access server to the authentication server, which

checks the user credentials, 114, to verify if they are valid.”).

CBM2016-00063 Patent 8,266,432 B2

59

The explanations and supporting evidence provided by Petitioner as to

how each element of claims 1, 3, 5–8, 12, 13, 15–27, 30–42, 44, 45, 47, 48,

50–52, 54, and 55 is disclosed by Norefors have merit and are unrebutted by

Patent Owner. Based on the full trial record, we determine that Petitioner

has demonstrated by a preponderance of the evidence that these claims are

unpatentable under § 102(b) as anticipated by Norefors.

G. Obviousness of Claims over Norefors and Brown

Petitioner asserts that claims 2, 9, 10, 14, 28, and 43 are unpatentable

under 35 U.S.C. § 103(a) as obvious over the combination of Norefors and

Brown. Pet. 56–62, 64–66. Patent Owner does not challenge Petitioner’s

analysis substantively, but instead maintains that Norefors is not prior art

relative to the challenged claims because the claims are entitled to a priority

date of August 29, 2001, prior to the filing date of Norefors. PO Resp. 27–

28. As we discuss above, however, Patent Owner has not established such

an entitlement, and, consequently, Norefors is prior art as to the challenged

claims.

Upon review of Petitioner’s contentions and supporting evidence, and

based on the full trial record, we agree with and adopt as our findings

Dr. Nielson’s unrebutted testimony regarding Norefors and Brown (Ex. 1003

¶¶ 65–98) and determine that Petitioner has demonstrated by a

preponderance of the evidence that the combination of Norefors and Brown

renders obvious claims 2, 9, 10, 14, 28, and 43. Pet. 58–62, 64–66. To

support its arguments regarding this obviousness ground, Petitioner relies on

CBM2016-00063 Patent 8,266,432 B2

60

its anticipation analysis based on Norefors for the limitations recited in

independent claims 1 and 25 (Pet. 28–56; Ex. 1003 ¶¶ 65–87), and explains

how the combination of Norefors and Brown teaches the additional

limitations expressly recited in dependent claims 2, 9, 10, 14, 28, and 43. Id.

at 56–62, 64–66. Citing to Dr. Nielson’s testimony, Petitioner also

articulates reasons to combine the teachings of Norefors and Brown. Id. at

57–62, 64–66. For the reasons discussed above, we are persuaded that

Petitioner has demonstrated by a preponderance of the evidence that the

independent claims are anticipated by Norefors.9 We focus below on

Petitioner’s showing as to the additional limitations of the dependent claims.

Brown describes a system and method for authenticating users and

services during an on-line transaction over a network. Ex. 1035, Abstract,

1:6–40. Figure 1 of Brown is reproduced below.

9 A brief overview of Norefors has been provided in our anticipation analysis above.

CBM2016-00063 Patent 8,266,432 B2

61

Figure 1 of Brown illustrates an authentication process involving three

entities: (1) users 12, 14, (2) services 20, 22, and (3) authentication deity 16,

18. Id. at 5:16–21, 6:19–25. The entities communicate with one another via

computer network 10 (e.g., Internet). Id. at 6:26–27.

To provide a secured transmission of a session key between the

entities, Brown describes a technique for encrypting or algorithmically

combining a session key with user-specific information (e.g., the user name

and pass-phrase) using a hash function. Id. at 7:10–35, 9:26–32, 9:42–47,

9:55–56, 18:4–11. In particular, Brown’s authentication deity generates

obscured copies of the session key by combining the session key with the

user-specific information, using an “MD5 hash algorithm” on the

user-specific information and then performing an XOR of the hash with the

session key. Id. Claim 2 recites “combining said generated dynamic code with the

user-specific information using a predetermined algorithm to form a

combined dynamic code and user specific information.” Ex. 1001, 6:48–52

(emphasis added). Claim 28 recites a similar limitation. Id. at 8:12–16. In

this regard, Petitioner explains that the login message of Norefors includes

both an OTP (a dynamic code) and the user name. Pet. 58 (citing Ex. 1032

¶ 57, Fig. 3). As Petitioner notes, Brown describes a technique for

encrypting or algorithmically combining a session key (a dynamic code)

with user-specific information (e.g., the user name and pass-phrase), using

an MD5 hash algorithm to provide additional security. Id. at 58–59 (citing

Ex. 1035, 7:10–35, 9:42–47; 18:4–11). Dr. Nielson testifies that, in view of

CBM2016-00063 Patent 8,266,432 B2

62

both Norefors and Brown sharing the same goal of improving transaction

security over a communication network, an ordinarily skilled artisan would

have had reason to “supplement the login message of Norefors with

additional details from Brown’s authentication message to include a

combined user name and OTP using, for example, an MD5 hash algorithm

on the user specific information (such as username) and then XOR the hash

with the dynamic code (such as the OTP),” to avoid exposure of the login

information in an unsecure manner. Ex. 1003 ¶ 89.

As to the limitation of claim 2 that requires maintaining the combined

information at the central-entity, Dr. Nielson explains that the combined

information would have been stored at the authentication server of Norefors,

as modified by Brown, because Norefors discloses that the user credentials

are stored at the authentication server (a central-entity). Id. ¶ 90 (citing

Ex. 1032 ¶¶ 55, 57, 58, Fig. 3).

Claim 2 also requires comparing the combined information with a

received combined dynamic code and user-specific information to validate

the user. Ex. 1001, 6:55–57. For this limitation, Petitioner notes that

Norefors discloses checking the stored user credentials to verify if they are

valid when an authentication request is sent from the access server to the

authentication server. Pet. 60 (citing Ex. 1032 ¶¶ 55, 57). According to

Dr. Nielson, an ordinarily skilled artisan would have understood in light of

that disclosure that Norefors, as modified by Brown, would check the stored

user credentials by comparing the stored combined information with a

CBM2016-00063 Patent 8,266,432 B2

63

received combined information to verify that the user credentials are correct.

Ex. 1003 ¶ 91.

Claims 9 and 10 depend from claim 2, and further require the

central-entity to use the combined information for authenticating a user’s

identity. Ex. 1001, 7:9–11. As to these claims, Petitioner explains that the

authentication server of Norefors, as modified by Brown, would use the

combined information to authenticate the user’s identity, because Norefors

expressly discloses that the authentication server (a central-entity) checks the

user credentials to verify if they are valid. Pet. 61 (citing Ex. 1003 ¶ 92,

Ex. 1032 ¶¶ 55, 57).

Claim 14, which depends from claim 1, requires the central-entity to

generate the dynamic code with dependence on the user information.

Ex. 1001, 7:23–25. Claim 43 requires a similar limitation. Id. at 8:56–58.

As Petitioner explains, Brown teaches generating the session key (a dynamic

code) with dependence on the user name so that the session key is more

user-specific. Pet. 64–65 (citing Ex. 1035, 9:3–9, 9:12–20). Dr. Nielson

testifies that an ordinarily skilled artisan would have had reason to modify

the authentication server of Norefors to generate the OTP (a dynamic code)

with dependence on the user name, as taught by Brown, providing

incremental authentication options to “Norefors’ already robust disclosure of

generating the OTP without altering any operating principle.” Ex. 1003

¶ 98.

The explanations and supporting evidence provided by Petitioner as to

how each element of claims 2, 9, 10, 14, 28, and 43 is taught by the

CBM2016-00063 Patent 8,266,432 B2

64

combined teachings of Norefors and Brown have merit and are unrebutted

by Patent Owner. Based on the full trial record, we determine that Petitioner

has demonstrated by a preponderance of the evidence that these claims are

unpatentable under § 103(a) as obvious over the combination of Norefors

and Brown.

H. Petitioner’s Motion to Exclude

Petitioner filed a Motion to Exclude Evidence (Paper 32, “Mot.”),

seeking to exclude: (1) Patent Owner’s Exhibit 2008, which includes the

Certification of Correction of the ’432 patent (id. at 2–12); and (2) Exhibit

2010, Section VII, Paragraphs 41–61, a portion of the Declaration of

Dr. Weaver (id. at 12–15). Patent Owner filed an Opposition to Petitioner’s

Motion to Exclude Evidence. Paper 37. Petitioner filed a Reply to Patent

Owner’s Opposition to Petitioner’s Motion to Exclude Evidence. Paper 39.

Under the particular circumstances in this case, we need not assess the

merits of Petitioner’s Motion to Exclude Evidence. As discussed above,

even without excluding Patent Owner’s supporting evidence, we have

determined that Norefors is prior art under 35 U.S.C. § 102(b) as to the

challenged claims, and Petitioner has demonstrated by a preponderance of

the evidence that the challenged claims are unpatentable. Accordingly,

Petitioner’s Motion to Exclude Evidence is dismissed as moot.

I. Motions for Observation

Patent Owner’s observations are directed to the cross-examination

testimony of Petitioner’s declarant, Dr. Nielson, who submitted a declaration

CBM2016-00063 Patent 8,266,432 B2

65

with Petitioner’s Reply (Ex. 1054) and subsequently was cross-examined

after Petitioner filed its Reply (Ex. 2014). We have considered Patent

Owner’s observations (Paper 31) and Petitioner’s responses (Paper 36) in

rendering this Decision, and have accorded the testimony the appropriate

weight as explained above.

Petitioner’s observations (Paper 33), however, have not been

considered. The Office Patent Trial Practice Guide describes the use of

observations on cross-examination as follows:

In the event that cross-examination occurs after a party has filed its last substantive paper on an issue, such cross-examination may result in testimony that should be called to the Board’s attention, but the party does not believe a motion to exclude the testimony is warranted. The Board may authorize the filing of observations to identify such testimony and responses to observations, as defined below.

The party taking the cross-examination files the observations. The opposing party may file a response to an observation. The opposing party may not file observations without express prior authorization.

77 Fed. Reg. 48,756, 48,767–68 (Aug. 14, 2012) (emphasis added). Thus, it

is the party taking the cross-examination that typically files observations,

and the reason for permitting observations is that the cross-examination

takes place after the party has filed its last substantive paper, such that the

party has no way to bring relevant testimony to the Board’s attention. The

rationale for observations does not apply to Petitioner’s observations here, as

Petitioner seeks to file separate observations on the cross-examination

testimony of its own witness. Accordingly, we have not considered

CBM2016-00063 Patent 8,266,432 B2

67

For PETITIONER: W. Karl Renner Thomas Rozylowicz Timothy Riffe FISH & RICHARDSON P.C. CBM36137-0007CP1@fr.com ptabInbound@fr.com riffe@fr.com

For PATENT OWNER: Jae Youn Kim Harold L. Novick Sang Ho Lee Steven Ashburn NOVICK, KIM & LEE, PLLC skim@nkllaw.com hnovick@nkllaw.com slee@nkllaw.com sashburn@mh2law.com