It is time to review why SecureAuth is about to ge

It is time to review why SecureAuth is about to get blown out of the water in the next week or so. Below is a timeline of court entry's in the 4 other current cases pending the outcome of the SecureAuth case as well as Ropes & Gray and SA Appeal arguments. There are also several recent posts by ZPaul for you to review on several recent overturned cases involving the Alice 35/101 early dismissal 2014 Supreme Court ruling.


Strikeforce/Duo & Centrify December 13, 2017 request for Stay pending the outcome of the SecureAuth case

CONSENT ORDER STAYING ACTIONS THIS MATTER having come before the Court by way of letter dated December 6, 2017,
on behalf of Defendant Duo Security, Inc., Defendant Centrify Corporation, and Plaintiff Strikeforce Technologies, Inc., requesting that the above-captioned actions [b]be stayed pending entry of final judgment and the conclusion of all appeals in Strikeforce Technologies v. SecureAuth Corporation[/b], Case No. LA CV 17-043 14 JAK (SKx) (C.D. Cal.); the Court having considered the status ofthe case; and for good cause shown;
IT IS on this ____ day of December 2017, ORDERED that the parties’ application to stay the above-captioned actions is GRANTED; and it is further Case 2:16-cv-03571-JMV-MF Document 125 Filed 12/13/17 Page 1 of 2 PageID: 4225

ORDERED that the above-captioned actions are hereby stayed pending entry of final judgment and the conclusion of all appeals in StrikeForce Technologies v. SecureAuth Corporation, Case No. LA CV 17-04314 JAK (SKx) (C.D. CaL) (“SecureAuth Case”); and it is further

ORDERED that, [b]within 30 days after the conclusion of all appeals in the SecureAuth Case, the parties shall jointly advise the Court of the outcome; and it is further ORDERED that the pending Motion to Dismiss or Transfer for Improper Venue (D.I.77) is dismissed[/b] without prejudice.
United States Magistrate Judge

[b]Strikeforce/Gemalto & Vasco December 20, 2017 request for Stay pending the outcome of the SecureAuth case[/b]

On [b]December 11, 2017[/b], the Court ordered Plaintiff StrikeForce Technologies, Inc. (“StrikeForce”) and Defendants Gemalto, Inc., Gemalto, NV., and SafeNet, Inc., (collectively, “Gemalto”), and VASCO Data Security Inc. (“VASCO”) (collectively, “Defendants”) to inform the court by December 20, 2017 how they intend to proceed in these two litigations in light of the decision in StrikeForce Technologies, Inc. v. SecureAuth Corp., Case No. LA CV17-04314 JAK (SKx) (C.D. Cal.) that the asserted claims in that case are invalid under 35 U.S.C. § 101. See 17-cv-10422, Dkt. No. 61; 17-cv-10423, Dkt. No. 56. [b]The parties have conferred and agree that it would be appropriate for the Court to stay these two cases pending resolution of StrikeForce’s appeal in the SecureAuth case[/b]. Accordingly, the parties hereby jointly move to stay these cases pending final determination of the forthcoming appeal in StrikeForce Technologies, Inc. v. SecureAuth Corp., Case No. LA CV17-04314 JAK (SKx) (C.D. Cal.). There is good cause for such a stay. StrikeForce sued SecureAuth Corporation for infringement of U.S. Patent Nos. 7,870,599, 8,484,698, and 8,713,701. See StrikeForce Technologies, Inc. v. SecureAuth Corp., Case No. LA CV17-04314 JAK (SKx) (C.D. Cal.). The ’698 patent and ’701 patent are the two patents-in-suit in StrikeForce’s cases against VASCO and Gemalto; the ’599 patent is the parent to those two patents. On July 21, 2017, SecureAuth moved to dismiss StrikeForce’s Complaint on the ground that the asserted claims of the ’599, ’698, and ’701 patents are invalid under 35 U.S.C. § 101. On December 1, 2017, Judge Kronstadt in the Central District of California granted SecureAuth’s motion, finding that the asserted claims are invalid. The claims found invalid include all but one of the claims asserted in these cases. StrikeForce intends to appeal Judge Kronstadt’s decision to the Federal Circuit. The Federal Circuit’s decision on appeal could prevent StrikeForce from continuing these cases. [b]A stay will preserve the current status of these cases, in which the parties have already[/b]

Case 1:17-cv-10422-RGS Document 62 Filed 12/20/17 Page 2 of 5
2

[b]engaged in discovery and in which the Court has already held early claim construction proceedings and issued an early claim construction order regarding several terms of the patents-in-suit.[/b] Accordingly, a stay in these circumstances is warranted. See, e.g., Exergen Corp. v. Microlife Corp., No. 1:15-cv-13387, Dkt. No. 30 (D. Mass. July 22, 2016); Momenta Pharms., Inc. v. Teva Pharms. USA, Inc., No. 1:10-cv-12079-NMG, Dkt. No. 115 (D. Mass. Aug. 14, 2012). The parties further propose that they file a joint status report to the Court every 120 days, and [b]inform the Court about the outcome of the Federal Circuit’s decision on the appeal in the SecureAuth case within 30 days of issuance of mandate in that appeal, at which time the parties will also inform the Court about how they propose to proceed[/b].

[b]December 8, 2017 Strikeforce 'Strongly Disagrees' with Court's decision[/b]

EDISON, N.J., Dec. 08, 2017 (GLOBE NEWSWIRE) -- StrikeForce Technologies, Inc. (OTC PINK:SFOR). On December 1, 2017, The United States District Court for the Central District of California issued an opinion in the StrikeForce Technologies, Inc. v. SecureAuth Corp. case, which invalidated claims of U.S. Patent Nos. 7,870,599, 8,484,698 and 8,713,701 under 35 U.S.C. §101. StrikeForce strongly disagrees with the court’s decision and intends to immediately appeal the ruling to the United States Court of Appeals for the Federal Circuit once the court enters final judgment. StrikeForce has agreed to stay its patent litigations in the District of New Jersey against Centrify Corp. and Duo Security Inc. pending the appeal. StrikeForce believes that the litigations currently pending in the District of Massachusetts should also be stayed pending appeal and is discussing such a motion with the defendants in that case.

March 26, 2018 Ropes & Gray files Scathing Appeal Brief

United States Court of Appeals for the Federal CircuitSTRIKEFORCE TECHNOLOGIES, INC., Plaintiff - Appellant, v. SECUREAUTH CORPORATION, Defendant - Appellee. Appeal from the United States District Court for the Central District of California in Proceeding No. 2:17-cv-04314-JAK-SK, Hon. John A. Kronstadt BRIEF OF APPELLANTDouglas H. Hallward-Driemeier ROPES & GRAY LLP 2099 Pennsylvania Avenue, N.W. Washington, DC 20006-6807 (202) 508-4600 Richard T. McCaulley, Jr. ROPES & GRAY LLP 191 North Wacker Dr., 32nd Floor Chicago, IL 60606 (312) 845-1200 Steven Pepe Kevin J. Post Josef B. Schenker ROPES & GRAY LLP 1211 Avenue of the Americas New York, NY 10036-8704 (212) 596-9000 Samuel L. Brenner ROPES & GRAY LLP Prudential Tower, 800 Boylston St. Boston, MA 02199-3600 (212) 951-7000 Counsel for Plaintiff-Appellant StrikeForce Technologies, Inc.Case: 18-1470
Document: 17 Page: 1 Filed: 03/26/2018
-i- Claim 1 of U.S. Patent No. 7,870,599 Claim 1 of U.S. Patent No. 8,713,701Claim 1 of U.S. Patent No. 8,484,698Claim 48 of U.S. Patent No. 8,484,698Case: 18-1470 Document: 17 Page: 2 Filed: 03/26/2018
-ii- Claim 53 of U.S. Patent No. 8,484,698Case: 18-1470 Document: 17 Page: 3 Filed: 03/26/2018
FORM 9. Certificate of Interest Form 9 Rev. 10/17 UNITED STATES COURT OF APPEALS FOR THE FEDERAL CIRCUIT v. Case No. CERTIFICATE OF INTEREST Counsel for the: … (petitioner) … (appellant) … (respondent) … (appellee) … (amicus) … (name of party) certifies the following (use “None” if applicable; use extra sheets if necessary): 1. Full Name of Party Represented by me 2. Name of Real Party in interest (Please only include any real partyin interest NOT identified in Question 3) represented by me is: 3. Parent corporations and publicly held companies that own 10% or more of stock in the party 4. The names of all law firms and the partners or associates that appeared for the party or amicus now represented by me in the trial court or agency or are expected to appear in this court (and who have not or will not enter an appearance in this case) are: StrikeForce Technologies, Inc.SecureAuth Corporation18-1470StrikeForce Technologies, Inc.StrikeForce Technologies, Inc.NoneNoneROPES & GRAY LLP: Matthew J. Rizzolo, Rebecca R. Carrizosa, Andrew T. RadschKAUFMAN & CANOLES, P.C.: Stephen E. NoonaDYKEMA GOSSETT PLLC: Abirami Gnanadesigan, Allan Gabriel, Craig N. Hentschel* (asteriskindicates former Dykema Gossett PLLC attorney)Case: 18-1470
Document: 17 Page: 4 Filed: 03/26/2018
FORM 9. Certificate of Interest Form 9 Rev. 10/17 5. The title and number of any case known to counsel to be pending in this or any other court or agency that will directly affect or be directly affected by this court’s decision in the pending appeal. See Fed. Cir. R. 47. 4(a)(5) and 47.5(b). (The parties should attach continuation pages as necessary). Date Signature of counsel Please Note: All questions must be answered Printed name of counsel cc: StrikeForce Technologies, Inc. v. Centrify Corp., No 2:16-cv-03574-JMV-MF (D. NJ)StrikeForce Technologies, Inc. v. Duo Security, Inc., No. 2:16-cv-03571-JMV-MF (D. NJ)StrikeForce Technologies, Inc. v. Gemalto, Inc. et al., No. 1:17-cv-10422-RGS (D. Mass)StrikeForce Technologies, Inc. v. VASCO Data Security International, Inc. et al., No.1:17-cv10423-RGS (D. Mass.)3/26/2018/s/ Douglas Hallward-DriemeierDouglas Hallward-DriemeierCounsel of RecordResetFieldsCase: 18-1470 Document: 17
Page: 5 Filed: 03/26/2018
-v- TABLE OF CONTENTS STATEMENT WITH RESPECT TO ORAL ARGUMENT ................................... XSTATEMENT OF RELATED CASES .................................................................. XISTATEMENT OF JURISDICTION.......................................................................... 1STATEMENT OF THE ISSUES............................................................................... 1STATEMENT OF THE CASE .................................................................................. 2I.Overview .......................................................................................................... 2II.The Parties ....................................................................................................... 7III.The Asserted Patents........................................................................................ 7A.The Technical Problem: “The Hacker is in a Self-Authenticating Environment” ........................................................................................ 7B.The Inventive Solution: A Particular Way of Performing Completely Out-Of-Band Authentication ............................................. 8IV.United States Patent and Trademark Office Proceedings ............................. 16V.District Court Proceedings ............................................................................. 17A.StrikeForce’s Patent Infringement Suit Against SecureAuth ............. 17B.Claim Construction ............................................................................. 19SUMMARY OF THE ARGUMENT ...................................................................... 21STANDARD OF REVIEW ..................................................................................... 25ARGUMENT ........................................................................................................... 26I.Step 1: The Asserted Claims Are Directed to a Patent-Eligible Invention, Not an Abstract Idea ..................................................................... 26A.The Asserted Claims Are Not Abstract Because They Claim a Particular Way of Performing Completely Out-Of-Band Authentication ..................................................................................... 29Case: 18-1470 Document: 17 Page: 6 Filed: 03/26/2018
-vi- B.The District Court Mischaracterized and Overgeneralized the Claims at a High Level of Abstraction and Ignored the Claimed Advance Over Prior Art Systems ........................................................ 33C.The District Court Erred by Treating Claim 53 as Representative ..... 35D.The District Court’s Reliance on Prism, Which Addressed the Kind of Single-Channel Authentication System Distinguished in the Asserted Patents and During Prosecution, Reflects the Court’s Failure to Appreciate the Inventive Character of the Asserted Patents .................................................................................. 38II.Step 2: The Asserted Claims Recite Additional Elements Beyond the Abstract Idea Reflecting an Inventive Concepts and Therefore Are Patent-Eligible ........................................................................................ 40A.The Asserted Claims Embody An Inventive Concept ........................ 42B.The District Court Erred by Describing the Claim Scope Differently in the Context of the Two Alice Steps .............................. 44C.The Factual Record Belies the Conclusion That the Ordered Combination of Elements in the Asserted Claims is “Logical and Conventional” ............................................................................... 46D.The District Court Failed to Consider Important Constructions, Including the Parties’ Agreed-To Constructions, for Key Terms that Help Define the Invention ................................................. 49III.At the Least, This Case Should Be Remanded For Determination ofDisputed Issues of Fact Relating to the Inventive Concept ........................... 52CONCLUSION ........................................................................................................ 57ADDENDUM CERTIFICATE OF SERVICE CERTIFICATE OF COMPLIANCE Case: 18-1470 Document: 17 Page: 7 Filed: 03/26/2018
-vii- TABLE OF AUTHORITIES Page(s) Cases Aatrix Software, Inc. v. Green Shades Software, Inc., 882 F.3d 1121 (Fed. Cir. 2018) ...................................................................passimAlice Corp. Pty. Ltd. v. CLS Bank Int’l, 134 S. Ct. 2347 (2014) .................................................................................passimAmdocs (Israel) Ltd. V. Openet Telecom, Inc., 841 F.3d 1288 (Fed. Cir. 2016) .......................................................................... 52 BASCOM Glob. Internet Servs., Inc. v. AT&T Mobility LLC, 827 F.3d 1341 (Fed. Cir. 2016) ........................................................ 24, 37, 41, 49 Berkheimer v. HP, Inc., 881 F.3d 1360 (Fed. Cir. 2018) ...................................................................passimIn re Bill of Lading Transmission & Processing Sys. Patent Litig., 681 F.3d 1323 (Fed. Cir. 2012) .......................................................................... 25 Core Wireless Licensing S.A.R.L. v. LG Elecs., Inc., 880 F.3d 1356 (Fed. Cir. 2018) .............................................................. 29, 30, 34 DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245 (Fed. Cir. 2014) .............................................................. 25, 30, 52 Duo Sec., Inc. v. StrikeForce Techs., Inc., IPR2017-01041, Paper 7 (P.T.A.B. Oct. 16, 2017) .......................... 16, 17, 32, 43 Duo Sec., Inc. v. StrikeForce Techs., Inc., IPR2017-01064, Paper 7 (P.T.A.B. Oct. 16, 2017) .......................... 16, 17, 32, 43 Enfish LLC v. Microsoft Corp., 822 F.3d 1327 (Fed. Cir. 2016) ...................................................................passimFinjan, Inc. v. Blue Coat Sys., Inc., 879 F.3d 1299 (Fed. Cir. 2018) ...................................................................passimIntellectual Ventures I LLC v. Erie Indem. Co., 850 F.3d 1315 (Fed. Cir. 2017) .......................................................................... 44 Case: 18-1470 Document: 17 Page: 8 Filed: 03/26/2018
-viii- Internet Patents Corp. v. Active Network, Inc., 790 F.3d 1343 (Fed. Cir. 2015) .......................................................................... 33 Livid Holdings Ltd. v. Salomon Smith Barney, Inc., 416 F.3d 940 (9th Cir. 2005) ........................................................................ 25, 54 Mayo Collaborative Servs. v. Prometheus Labs., Inc., 566 U.S. 66 (2012) ........................................................................................ 41, 44 McRO, Inc. v. Bandai Namco Games America Inc., 837 F.3d 1299 (Fed. Cir. 2016) ........................................................ 26, 27, 30, 34 Microsoft Corp. v. i4i Ltd. P’ship, 564 U.S. 91 (2011) .............................................................................................. 54 Prism Techs. LLC v. T-Mobile USA, Inc., 696 F. App’x 1014 (Fed. Cir. 2017), cert. denied, 138 S. Ct. 689 (2018) ........................................................................ 28, 38, 39, 40 Rapid Litig. Mgmt. Ltd. v. CellzDirect, Inc., 827 F.3d 1042 (Fed. Cir. 2016) .......................................................................... 31 Ruckus Wireless, Inc. v. Innovative Wireless Solutions, 824 F.3d 999 (Fed. Cir. 2016) ............................................................................ 52 SmithKline Diagnostics, Inc. v. Helena Labs. Corp., 859 F.2d 878 (Fed. Cir. 1988) ............................................................................ 44 Standard Havens Prods., Inc. v. Gencor Indus., Inc., 897 F.2d 511 (Fed. Cir. 1990) ............................................................................ 46 Sterner Lighting, Inc. v. Allied Elec. Supply, Inc., 431 F.2d 539 (5th Cir. 1970) .............................................................................. 44 Thales Visionix Inc. v. United States, 850 F.3d 1343 (Fed. Cir. 2017) .................................................................... 32, 43 In re TLI Commc’ns LLC Patent Litig., 823 F.3d 607 (Fed. Cir. 2016) ............................................................................ 31 United States v. 14.02 Acres of Land More or Less in Fresno Cty., 547 F.3d 943 (9th Cir. 2008) .............................................................................. 46 Case: 18-1470 Document: 17 Page: 9 Filed: 03/26/2018
-ix- Statutes 28 U.S.C. § 1295(a)(1) ............................................................................................... 1 28 U.S.C. § 1331 ........................................................................................................ 1 28 U.S.C. § 1338(a) ................................................................................................... 1 35 U.S.C. § 101 .................................................................................................passim35 U.S.C. § 282 ........................................................................................................ 54 Other Authorities Fed. R. Civ. P. 12(b)(6) ...................................................................................... 25, 53 Case: 18-1470
Document: 17 Page: 10 Filed: 03/26/2018
-x- STATEMENT WITH RESPECT TO ORAL ARGUMENT Pursuant to Federal Rule of Appellate Procedure 34(a), [b]Plaintiff-Appellant StrikeForce Technologies, Inc. (“StrikeForce”) respectfully requests oral argument in this matter. This matter meets the standards of Rule 34(a)(2) for oral argument, and StrikeForce believes that oral argument would significantly aid the Court’s decisional process[/b].
Case: 18-1470 Document: 17 Page: 11 Filed: 03/26/2018
-xi- STATEMENT OF RELATED CASES Pursuant to Federal Circuit Rule 47.5(a), counsel for StrikeForce is unaware of any appeal in or from the same proceeding before this or any other appellate court. The cases known to counsel to be pending in this or any other court that will directly affect or be directly affected by this Court’s decision are: [b]1. StrikeForce Techs., Inc. v. Duo Sec[/b]., Inc., No. 2:16-cv-03571-JMV-MF (D.N.J.) (filed June 20, 2016). [b]2. StrikeForce Techs., Inc. v. Centrify Corp[/b]., No. 2:16-cv-03574-JMV-MF (D.N.J.) (filed June 20, 2016). [b]3. StrikeForce Techs., Inc. v. Gemalto Inc.[/b], No. 1:17-cv-10422-RGS (D. Mass.) (filed Mar. 14, 2017). [b]4. StrikeForce Techs., Inc. v. Vasco Data Sec. Int’l[/b], Inc.,No. 1:17-cv-10423-RGS (D. Mass.) (filed Mar. 14, 2017).

Case: 18-1470 Document: 17 Page: 12 Filed: 03/26/2018
-1- STATEMENT OF JURISDICTION [b]This is an appeal from a final judgment entered on December 28, 2017, in a patent case following the district court’s December 1, 2017 order granting defendant SecureAuth Corporation’s motion to dismiss based on 35 U.S.C. § 101[/b]. The district court had jurisdiction under 28 U.S.C. §§ 1331 and 1338(a). StrikeForce’s notice of appeal was timely filed on January 16, 2018. This Court has jurisdiction under 28 U.S.C. § 1295(a)(1). [b]STATEMENT OF THE ISSUES 1.Whether, at Alice step one, the district court erred in finding that all of the Asserted Claims are directed to an abstract idea by characterizing the claims too broadly as merely “providing restricted access to resources”; 2.Whether, at Alice step two, the district court erred by assessing the “additional elements” of the Challenged Claims not against the abstract idea identified at step one, but against a narrower idea that subsumed the inventive “out-of-band” feature, in finding that the claims’ ordered combination of elements was not sufficient to make the claims patent-eligible; and 3.Whether the district court erred by finding the Asserted Claims invalid under 35 U.S.C. § 101, even though the fact issues, allegations, the patent specifications, and other supporting materials, when viewed in the light most favorable to non-movant StrikeForce as required for a motion to dismiss, supports[/b]
Case: 18-1470 Document: 17 Page: 13 Filed: 03/26/2018
-2- [b]StrikeForce’s assertion that the ordered combination of claimed elements is not well-understood, routine, and conventional at the time of the invention[/b]. [b]STATEMENT OF THE CASE I. Overview The Asserted Claims 1 of U.S. Patent Nos. 7,870,599 (“’599 Patent”), 8,484,698 (“’698 Patent”), and 8,713,701 (“’701 Patent”) (together, the “Asserted Patents”) are directed to a unique technical architecture and invention—a particular system and method of completely “out-of-band” authentication—designed to protect and secure online systems. In finding these claims not patent-eligible under 35 U.S.C. § 101 at the pleadings stage, the district court over-generalized and mischaracterized the invention and misapplied the Supreme Court’s two-step Alice framework. This Court should reverse that improper dismissal. In 1999, Ram Pemmaraju, the inventor of the Asserted Patents and long-time Chief Technology Officer at StrikeForce, recognized the distinctive security risks of the commercial Internet environment and created a novel solution that was superior to existing authentication systems. Understanding that existing authentication methods, such as simple password-based systems that used a single communication 1 StrikeForce asserted the following claims (“Asserted Claims”) against SecureAuth: Claims 1, 7, 11, 17-19, 21, 22, 28, 31, 37, and 38 of the ’599 Patent; Claims 1-6, 8, 10-16, 20-22, 46-48, and 50-54 of the ’698 Patent; and Claims 1, 7, 11, and 17-19 of the ’701 Patent. See Appx38-41; Appx43; Appx70-73; Appx102-104. Case: 18-1470 Document: 17 Page: 14 Filed: 03/26/2018
-3- channel, ran the significant risk of being intercepted and corrupted by hackers (a so-called “man-in-the-middle” attack), Mr. Pemmaraju conceived of a particular security system utilizing an architecture that includes two completely separate communication channels to verify a person’s identification. Here is an example of how it works: Jane wants to log into her bank account. Using her personal computer, she goes to her bank’s website, which asks her to enter her user name and password. The website communicates with Jane along the “in-band” (or “access”) channel via the Internet. In prior art systems, Jane would send her user name and password directly to the website on the “access channel” and the website would make the decision about whether to give Jane access to her account. The problem, which Mr. Pemmaraju foresaw nearly two decades ago, is that a hacker might be listening in on the access channel, hoping to see Jane’s user name and password as she enters them. The hacker could then, from his own computer, go to the bank’s website at a later time, use Jane’s user name and password, and get access to her account. In Mr. Pemmaraju’s invention, in contrast, Jane’s user name and password do not reach the bank’s website, but are instead intercepted and diverted to a separate “security computer” isolated from the bank’s website. In this way, the bank website is shielded and protected by the interception device from the hacker’s attempt to access Jane’s bank account. The security computer looks up Jane’s contact information and then contacts her[/b] (e.g., by sending her phone a text message)

Case: 18-1470 Document: 17 Page: 15 Filed: 03/26/2018
-4- [b]using a separate (or “out-of-band”) “authentication” channel to ask Jane to provide some additional authentication information. Based on Jane’s response to this second authentication request, which is sent back to the security computer using this same authentication channel, the security computer then instructs the bank website to grant or deny access. Put another way, any hacker camped out on the access channel might learn Jane’s user name and password—but that would not be enough to allow him to break into her account, because he would not separately see the text message sent to Jane (or her response) on the authentication channel. Even if he tried to access Jane’s account by entering her user name and password, this information never reaches the bank’s website. Instead, this information is intercepted and diverted to the security computer, which then contacts Jane along the authentication channel. If Jane does not provide authentication via the authentication channel, the security computer will deny access to her account. Mr. Pemmaraju’s unique, completely “out-of-band” architecture—in a configuration requiring a first channel to access a website and diversion to a separate and distinct channel to authenticate the user—is novel, inventive, and patent-eligible. Indeed, [color=red]the Patent Office has repeatedly confirmed the inventiveness of the claims—first during reexamination of the ’599 Patent several years ago and then just last year[/color] by rejecting two separate petitions for inter partes review challenging the[/b]
Case: 18-1470 Document: 17 Page: 16 Filed: 03/26/2018
-5- [b]’698 Patent. Notably, for every asserted ground, the petitioners presented combinations of no less than three separate prior art references to approximate the unique architecture and functionality of the challenged claims, but were still unable to make a showing sufficient to institute review. In finding these claims abstract and patent-ineligible, the district court erred in several critical ways. For example, without considering the claimed advances over the prior art and the specific arrangement of elements recited in the Asserted Claims, the district court mischaracterized and oversimplified these claims by finding that they are directed merely to “providing restricted access to resources.” Compounding this error, the district court applied a claim construction that is contrary to the parties’ agreed-to constructions (and the findings of two separate district courts) in concluding that the claims contain no inventive concepts. 2 Moreover, the court improperly relied on a single claim (’698 Patent, claim 53) in one patent to invalidate 43 claims across three patents, despite StrikeForce’s demonstration that, as interpreted by the district court, claim 53 does not expressly include limitations important to other challenged claims. Finally, the court failed to view fact issues—including those relating to whether the ordered combination of 2 Because this appeal relates to the court’s dismissal of the Complaint, and because the parties had agreed-to constructions of certain terms, StrikeForce has not provided briefing relating to any claim construction issue. If the Court believes such briefing is necessary or would be helpful, the parties can provide such briefing in a supplemental submission[/b]. Case: 18-1470 Document: 17 Page: 17 Filed: 03/26/2018
-6- claimed elements is well-understood, routine, and conventional—in StrikeForce’s favor, as it was required to do on a motion to dismiss. An overriding purpose of the § 101 analysis is to prevent patentees from preempting “the basic tools of scientific and technological work” and “thereby thwarting the primary object of the patent laws.” See Alice Corp. Pty. Ltd. v. CLS Bank Int’l, 134 S. Ct. 2347, 2354 (2014) (quotation omitted). StrikeForce’s claims, which are directed to specific computer architectural configurations, do not preempt all methods of authentication—or even all methods of out-of-band authentication. In fact, among the more than twenty-five methods of authentication SecureAuth promotes on its website (of which StrikeForce has accused only three) are several that use forms of out-of-band authentication not precluded by StrikeForce’s claims. See Appx505-506; Appx513.3Nearly two decades ago, Mr. Pemmaraju realized that with the potential of the Internet to conduct business also came the need for a robust security system that addressed the deficiencies of existing security systems, such as susceptibility to man-3 For example, in SecureAuth’s current “SMS OTP” solution, a one-time password is transmitted to the user on the out-of-band channel, and the user then transmits that one-time password back on the in-bandchannel to access the system. See Appx506; Appx666; Appx686-687. This is a type of partial out-of-band authentication that differs from the completely out-of-band authentication claimed by the Asserted Patents, and in fact suffers many of the drawbacks of the prior art. Case: 18-1470 Document: 17 Page: 18 Filed: 03/26/2018
-7- in-the-middle attacks. His solution is patent-eligible, and the district court’s decision to the contrary should be reversed. II.The PartiesStrikeForce is a cybersecurity company that provides computer security products to businesses and consumers. One of those products is ProtectID®, an out-of-band authentication solution that practices the claimed invention of the Asserted Patents. See Appx504. SecureAuth is a software company and StrikeForce competitor that provides, among other products, “25+ Authentication Methods” for accessing protected computer resources, many of which use some type of out-of-band authentication. See Appx506. Only three of those 25+ methods are accused of infringing StrikeForce’s claims. See Appx505-513. III.The Asserted PatentsA.The Technical Problem: “The Hacker is in a Self-Authenticating Environment” In 1999, Mr. Pemmaraju recognized that contemporary security solutions were inadequate to prevent hackers from penetrating secured online systems—a significant problem for the developing commercial potential of the Internet. SeeAppx32 (2:8-13).4 In particular, Mr. Pemmaraju realized that hackers could easily 4 The Asserted Patents share a common specification. For ease of reference, citations are to the ’599 Patent specification. Case: 18-1470 Document: 17 Page: 19 Filed: 03/26/2018
-8- compromise “ubiquitous” security systems, such as simple password systems, random password systems, and biometric systems, because there the password and biometric information was often transmitted on the same channel as the information the user wanted to access (i.e., on the in-band channel). Appx32 (1:46-67, 2:14-22). As the Asserted Patents explain, the use of a single channel for both access and authentication created a “technical problem” whereby “the hacker is in a self-authenticating environment.” Appx32 (2:14-22). In other words, by breaching the sole, in-band channel, the hacker could intercept user authentication information (e.g., a user name and password) passed along that channel and could then use this information at a later time to fool the system into believing that he is a legitimate user. See, e.g., Appx34 (5:52-55) (“Both the USER ID and the voice password are sent along the same pathway and any improper accessor into this channel has the opportunity to monitor and/or enter both identifiers.”). Moreover, once a hacker had penetrated the sole channel and stolen credentials, he could remain undetected for extended periods, collecting additional sensitive data. See, e.g., Appx1275. B.The Inventive Solution: A Particular Way of Performing Completely Out-Of-Band Authentication To compensate for the deficiencies of existing authentication methods, Mr. Pemmaraju conceived of a novel computer security architecture that instead used two separate and particularly configured communication channels—an “in-band” channel for access and a second “out-of-band” channel for authentication—to allow Case: 18-1470 Document: 17 Page: 20 Filed: 03/26/2018
-9- legitimate users to access secured data. His invention overcame the fundamental flaw in prior art systems described above—namely, the hacker’s ability to “trick” the system by using stolen user names and passwords—by intercepting user name and password information and diverting it to a second channel for authentication. Without access to this second channel, known as the “out-of-band” or “authentication” channel, the hacker could not provide the secondary authentication information necessary to authenticate a legitimate user. See Appx4325. Fig. 1A illustrates one embodiment of the invention, “in which an external accessor in a wide area network seeks entry into a host system”: Case: 18-1470 Document: 17 Page: 21 Filed: 03/26/2018
-10- Appx15 (Fig. 1A). As the specification explains: Here the accessor is the computer equipment 22 ... and the person or user 24 whose voice is transmittable by the telephone 26 over telephone lines 28. The access network 30 is constructed in such a manner that, when user 24 requests access to a web page 32 located at a hostcomputer or web server 34 through computer 22, the request-for-access is diverted by a router 36 internal to the corporate network 38 to an out-of-band security network 40. Authentication occurs in the out-of-band security network 40[.] Appx34 (6:6-19). In other words, in this example, the request for access to the host computer and the login identification (e.g., a user name and password) is sent over the access channel on the access network, but is intercepted and diverted by the interception device5 (here, a router within the corporate network) and forwarded tothe security computer. The interception device and use of a separate security computer thus protects and shields the host computer from the hacker. The security computer then contacts the accessor via a second channel (in this example, on voice network 42) and requests additional authentication information from the user. Appx36-37 (10:1-22, 12:57-63). Once the accessor has been authenticated using that information, the security computer instructs the host computer to grant access to the accessor. Appx37 (11:61-12:2, 12:63-67). Thus, even if a hacker has gained 5 The parties agreed that “interception device,” a term used in many of the Asserted Claims, is “a device that prevents the host computer from receiving [what the interception device received instead].” Appx1421 (brackets in original). Similarly, the parties agreed that “an intercepted login identification” is “a login identification that was prevented from reaching the host computer.” Id. Case: 18-1470 Document: 17 Page: 22 Filed: 03/26/2018
-11- entry into the access network and has a user’s login information, the hacker cannot gain access to the host computer because user authentication takes place on a completely separate, out-of-band channel. Illustrative claim 1 of the ’599 Patent recites: 1. A multichannel security system for accessing a host computercomprising: an access channel comprising: interception means for receiving and verifying a login identification originating from a demand from an accessor for access to said host computer; and an authentication channel comprising: a security computer for receiving from said interception means said demand for access together with said login identification and for communicating access information to said host computer and for communicating with a peripheral device of said accessor; a database having at least one peripheral address record corresponding to said login identification; prompt means for instructing said accessor to re-enter predetermined data at and retransmit predetermined data from said peripheral device; and comparator means for authenticating access demands in response to the retransmission of said predetermined data by verifying a match between said predetermined data and said re-entered and retransmitted data, wherein said security computer outputs an instruction to the host computer to either grant access thereto using said access channel or to deny access thereto. Appx38 (14:5-29); see also Appx70 (’698 Patent, 14:30-46); Appx102 (’701 Patent, 14:7-31). Case: 18-1470 Document: 17 Page: 23 Filed: 03/26/2018
-12- In other words, claim 1 of the ’599 Patent (which is similar, for example, to claim 1 of each of the ’698 Patent and ’701 Patent) requires specific and particularly configured components and certain actions to be performed by those components: “an access channel” (or “first channel”), a separate “authentication channel” (or “second channel”), “an interception means,” and “asecurity computer,” Appx38 (14:8-17); see also Appx70 (’698 Patent, 14:33-38); Appx102 (’701 Patent, 14:10-15); “receiving and verifying a login identification originating from a demand from an accessor for access to said host computer,” Appx38 (14:9-11); see also Appx70 (’698 Patent, 14:33-36); Appx102 (’701 Patent, 14:11-13); “instructing said accessor to re-enter predetermined data at and retransmit predetermined data from [a] peripheral device” that is in communication with a security computer in the authentication channel, Appx38 (14:20-22); see also Appx70 (’698 Patent, 14:39-40); Appx102 (’701 Patent, 14:22-24); “authenticating access demands in response to the retransmission of said predetermined data by verifying a match between said predetermined data and said re-entered and retransmitted data,”Appx38 (14:23-26); see also Appx70 (’698 Patent, 14:41-42); Appx102 (’701 Patent, 14:25-28); and “output[ting] an instruction to the host computer to either grant access thereto using said access channel or to deny access thereto.” Appx38 (14:27-29); see also Appx70 (’698 Patent, 14:43-46); Appx102 (’701 Patent, 14:29-31). In this way, the ordered elements of the Asserted Claims reflect Mr. Pemmaraju’s novel configuration for a completely out-of-band authentication system. Case: 18-1470 Document: 17 Page: 24 Filed: 03/26/2018
-13- All the Asserted Claims contain similar elements.6 Other claims recite additional elements that further describe the invention. For example, claim 48 of the ’698 Patent further requires a configuration with “a first software module on an Internet-connected web server in an access channel,” Appx72 (’698 Patent, 18:5-6), a “second software module on a security computer different than the web server, wherein the security computer is in an authentication channel,” Appx72 (’698 Patent, 18:11-13), and further specifies how each of the recited components interacts with one another, Appx72 (’698 Patent, 18:1-26). Similarly, claim 11 of the ’701 Patent further requires that the claimed security computer includes both “an access-channel mode” and “an authentication channel mode,” Appx103 (’701 Patent, 15:50-55), as well as a biometric device for authenticating a user with, for example, a voice password or a fingerprint sensor, Appx103 (’701 Patent, 16:8-15). Mr. Pemmaraju’s invention was not the first “out-of-band” authentication solution. But, unlike prior art solutions discussed in the patents, the Asserted Patents shield and protect the host computer from an attack by intercepting and diverting login information from the access channel to a security computer in an authentication channel. The Asserted Patents then require authentication of the user by both 6See Appx38-41 (15:1-11, 15:37-16:16, 16:64-17:49, 17:59-18:16, 18:42-52, 18:66-67); Appx43 (2:5-10); Appx70-73 (’698 Patent, 14:47-61, 14:65-67, 15:6-26, 15:41-48, 17:46-18:26, 18:31-19:11); Appx102-104 (’701 Patent, 15:1-11, 15:37-16:15, 16:62-18:13). Case: 18-1470 Document: 17 Page: 25 Filed: 03/26/2018
-14- sending and receiving authentication information on the authentication channel. In this way, the login information is never received by the host computer and authentication takes place entirely in the out-of-band channel. See, e.g., Appx32 (1:18-20) (invention directed to user authentication in “an out-of-band system that is entirely outside the host computer network being accessed”). By contrast, in prior art systems, the website was not completely shielded from an attack as authentication information was sent at least in part on the same channel used to communicate with the website the user was trying to access. For example, a security computer might have contacted the user on an out-of-band channel, but the user responded by sending the secondary authentication information on the in-band (“access”) channel. See, e.g., Appx32 (2:56-58) (noting that prior art patents “all show a portion of the authentication protocol and the data transferred in the same channel or ‘in-band’”). As one example, U.S. Pat. No. 5,898,830 (“Wesinger”), a system distinguished in the Asserted Patents, used an out-of-band channel to transmit an access key, but did not require an authenticating response from the user back along that out-of-band channel. Appx33 (3:4-24). Thus, Mr. Pemmaraju’s invention stands “in contradistinction to present authentication processes as the out-of-band security network 40 is isolated from the corporate network 38 and does not depend thereon for validating data.” Appx34 (6:20-23). Case: 18-1470 Document: 17 Page: 26 Filed: 03/26/2018
-15- Mr. Pemmaraju’s particular solution for performing completely out-of-band authentication was a significant advance. The problem with a system like Wesinger, which was only partiallyout-of-band, is that, if the hacker has already penetrated the access channel and collected the user name and password, he needs only to wait awhile to collect the secondary authentication information. He could then use the user name, password, and secondary authentication information together to break into the account. Such systems were thus not much more secure than pure in-band authentication. Indeed, as the Asserted Patents explain, such prior art systems were vulnerable to attack because authentication information was “sent along the same pathway” as the website and “any improper accessor into this channel has the opportunity to monitor and/or enter both identifiers.” Appx34 (5:52-55). Mr. Pemmaraju envisioned the very real security threats posed by in-band or partial out-of-band authentication. See, e.g., Appx32 (2:14-22); Appx34 (5:52-55). As the popularity and speed of the Internet continued to increase, so did the use of online banking, online shopping, and other activities that depended upon secure access. See, e.g., Appx4618. With this growth came a significant increase in cybersecurity threats. See, e.g., Appx691 (SecureAuth document noting that “breaches increased 40%” in 2016). Indeed, as SecureAuth’s own marketing materials recognized, “[t]raditional perimeter security is failing due in large part to the use of valid yet stolen user credentials .... Network and endpoint security tools Case: 18-1470 Document: 17 Page: 27 Filed: 03/26/2018
-16- cannot identify or prevent this stolen credential problem.” See Appx1275. But Mr. Pemmaraju’s invention provided the solution to precisely this problem. IV.United States Patent and Trademark Office ProceedingsThe rigorous review of the Asserted Claims by the U.S. Patent & Trademark Office both during initial prosecution and after the patents were granted confirms that the Asserted Patents are inventive. See, e.g., Appx32 (2:36-3:60). The original prosecution of the Asserted Patents was extensive. The patents each claim priority to U.S. Appl. No. 09/655,297, first filed September 5, 2000. SeeAppx13; Appx45; Appx76. Prosecution of that application and the Asserted Patents collectively included a total of 22 office actions and responses, including a PTO Appeal Brief. In post-issuance challenges, the USPTO has repeatedly confirmed the inventiveness of the Asserted Patents. For example, in 2011, the ’599 Patent underwent ex parte reexamination, emerging with every claim found patentable and seven additional claims added. See Appx43 (1:1-2:22). Then, last year, defendants in a parallel litigation in New Jersey filed two petitions for inter partes review, challenging 30 claims of the ’698 Patent on three separate grounds. SeeDuo Sec., Inc. v. StrikeForce Techs., Inc., IPR2017-01041, Paper 7 at 6 (P.T.A.B. Oct. 16, 2017) (denying institution); Duo Sec., Inc. v. StrikeForce Techs., Inc., IPR2017-01064, Paper 7 at 6 (P.T.A.B. Oct. 16, 2017) (denying institution). Petitioners did Case: 18-1470 Document: 17 Page: 28 Filed: 03/26/2018
-17- not arguethat any claim was anticipated. Rather, petitioners presented obviousness combinations using three or more references to try to approximate the structure and functionality of each the ’698 Patent claims. SeeDuo, IPR2017-01041, Paper 7 at 6; Duo, IPR2017-01064, Paper 7 at 6. In two detailed decisions, the Patent Trial and Appeal Board (“PTAB”) denied institution, finding petitioners had not established even a reasonable likelihood that they would prevail in showing any challenged claim unpatentable. SeeDuo, IPR2017-01041, Paper 7 at 2; Duo, IPR2017-01064, Paper 7 at 2. V.District Court ProceedingsA.StrikeForce’s Patent Infringement Suit Against SecureAuth On March 16, 2017, StrikeForce sued SecureAuth in the Eastern District of Virginia for willfully infringing the Asserted Patents. On April 28, 2017, SecureAuth moved to dismiss, arguing only that the Complaint contained insufficient detail regarding StrikeForce’s infringement contentions and willful infringement claims, and also moved to transfer to the Central District of California. Appx125; Appx129.7 SecureAuth’s motion to transfer was granted on June 9, 2017. 7 The Asserted Patents have been asserted in both past and ongoing patent infringement lawsuits, involving nine sets of defendants, in Delaware, New Jersey, Massachusetts, and the Eastern District of Virginia. A number of these defendants have already reached settlements with StrikeForce. No defendant other than SecureAuth filed a motion to dismiss on Section 101 grounds. Case: 18-1470 Document: 17 Page: 29 Filed: 03/26/2018
-18- On July 17, 2017, by stipulation of the parties, StrikeForce filed an Amended Complaint, reflecting the detailed infringement contentions that StrikeForce, under the local rules of the Eastern District of Virginia, had already served. As detailed in that Amended Complaint, StrikeForce accused only three of SecureAuth’s twenty-five-plus authentication methods of infringing the Asserted Claims. See Appx505-506; Appx513. StrikeForce’s Amended Complaint mooted SecureAuth’s initial motion to dismiss, and, on July 21, 2017, SecureAuth filed a new motion to dismiss, this time arguing for the first time that the Asserted Claims did not cover patent-eligible subject matter under 35 U.S.C. § 101. Appx747-748. SecureAuth’s motion focused solely on claim 53 of the ’698 patent, which it alleged was representative of all 43 asserted claims. Appx765-773. StrikeForce repeatedly explained that claim 53 is not representative. Appx1283; Appx1354-1355; Appx1372-1373. On December 1, 2017, about a week before the Markman hearing and without having explicitly construed any claim, the district court granted SecureAuth’s motion to dismiss with prejudice, finding all Asserted Claims invalid under 35 U.S.C. § 101. See Appx4-9. The district court entered final judgment on December 28, 2017. See Appx11. This timely appeal followed. Case: 18-1470 Document: 17 Page: 30 Filed: 03/26/2018
-19- B.Claim Construction While the parties were briefing SecureAuth’s motion to dismiss, the parties were also engaged in claim construction proceedings. As StrikeForce explained to the district court, the constructions of “interception device,” “security computer,” “host computer,” “first/access channel,” “second/authentication channel,” and “multichannel security system” were relevant to SecureAuth’s motion to dismiss. See Appx1294; Appx1371-1373. While the district court dismissed the case just before the Markman hearing, these patents have also been the subject of prior claim construction proceedings. See, e.g., Appx1744-1745. In 2014, in a case that settled before trial, the district court in Delaware construed sixteen claim terms, including (among others) “security computer,” “host computer,” “access (or first) channel,” and “authentication (or second) channel. Appx1744; Appx1913-1917. More recently, in August 2017, in a related case involving many of the same claims, the district court in Massachusetts construed three groups of claim terms—the “channel” terms, “host computer,” and the claimed preambles—finding that the Delaware court had erred in its construction for two of these groups. Appx1744-1745; Appx1933-1934. In particular, the Massachusetts court adopted the Delaware court’s construction for the “channel” terms, construing “access channel” (or “first channel”) to mean “an information channel that is separate from and does not share any facilities with the authentication Case: 18-1470 Document: 17 Page: 31 Filed: 03/26/2018
-20- channel” and construing “authentication channel” (or “second channel”) to mean “a channel for performing authentication that is separate from and does not share any facilities with the access channel.” Appx1948. The Massachusetts court also adopted StrikeForce’s construction for “host computer,” and agreed with StrikeForce that construction of the preambles is unnecessary because, the court concluded, the completely out-of-band nature of the invention used to distinguish the prior art was embodied in the recitation of a first and second channel. Appx1941-1942; Appx1949-1950. Here, the parties expected to address seven disputed terms at the Markman hearing. See Appx1738-1739; Appx1451-1470. In addition, the parties stipulated to the construction of over a dozen terms, including the “channel” terms (for which they agreed to the construction adopted by the Delaware and Massachusetts courts) and “host computer” (for which they agreed to the construction adopted by the Massachusetts court). Appx1420; Appx1738. The parties also agreed that “interception device”/“interception means” is “a device that prevents the host computer from receiving [what the interception device received instead].” Thus, the parties agreed that the claimed interception device shields the host computer from access information, such as misappropriated user credentials, that would have otherwise been received by the host computer. Case: 18-1470 Document: 17 Page: 32 Filed: 03/26/2018
-21- The parties further agreed that a “security computer” is “a computer in the authentication channel that can grant authenticated users access to, but is isolated from, the host computer,” though they disputed the degree to which the “security computer” must be “isolated” from the “host computer,” and whether the claimed system must be arranged to “operate[] without reference to a host computer or any database in a network that includes the host computer.” Appx1423; Appx1429-1432; Appx1745-1746. The district court’s decision did not discuss any of the agreed-to constructions.SUMMARY OF THE ARGUMENT The district court erred in finding that the Asserted Claims are patent-ineligible under 35 U.S.C. § 101. Had the court properly considered the claims under the two-step Alice framework, in light of this Court’s guidance, it would have concluded that the Asserted Claims—which claim a unique system and particular method for performing completely out-of-band authentication—are directed to patent-eligible subject matter and recite inventive, non-conventional concepts that do not in any way preempt the use of any alleged abstract idea.Instead, the court applied inconsistent interpretations of the claims. At Alice step one, the court overgeneralized the scope of the claims in determining that they are directed to an abstract idea. Then, at step two, in comparing the claims to the abstract idea to determine if the claims added “additional elements” reflecting an Case: 18-1470 Document: 17 Page: 33 Filed: 03/26/2018
-22- “inventive concept,” the court changed its understanding of the abstract idea to be essentially the same as that inventive concept. No claim could survive being whipsawed between two competing abstract ideas in this fashion.With respect to the first step of the Alice analysis, the Asserted Claims are not directed to an abstract idea, but are instead directed to a specific system and method using components in a particular configuration to perform completely out-of-band authentication in a way that solves the “technical problem” that daunted prior art computer security systems. In particular, the Asserted Claims: (1) are directed to a system with a unique configuration for diverting login information away from a host computer and implementing out-of-band authentication using a bi-directional authentication channel that is separate from an access channel; and (2) improve the security of secured transactions and the functionality of computer architectures by expressly overcoming the problems plaguing prior art authentication systems, which instead passed access data and authentication data along the same channel and were therefore more susceptible to hacking. Here, instead of applying a “stage-one filter to [the] claims, considered in light of the specification, based on whether their character as a whole is directed to excluded subject matter,” Enfish LLC v. Microsoft Corp., 822 F.3d 1327, 1335 (Fed. Cir. 2016) (internal quotations omitted), the district court oversimplified and overgeneralized the Asserted Claims on the basis of a single, non representative Case: 18-1470 Document: 17 Page: 34 Filed: 03/26/2018
-23- claim, mischaracterizing them as addressing merely the “abstract idea of providing restricted access to resources.” Appx7. In doing so, as in Enfish, the district court analyzed the claims at such a high level of abstraction that they could not possibly pass muster. Not surprisingly, having impermissibly oversimplified the claims to eliminate the specifically claimed concept of complete out-of-band authentication, the district court found the claims similar to those at issue in this Court’s nonprecedential decision in Prism Technologies LLC v. T-Mobile USA, Inc., which addressed a single-channel system of the type that is expressly criticized by, andlacks the distinctive and beneficial features of, the Asserted Patents. See Appx6-7 (citing Prism Techs. LLC v. T-Mobile USA, Inc., 696 F. App’x 1014 (Fed. Cir. 2017), cert. denied, 138 S. Ct. 689 (2018)). At the second Alice step, the court shifted course, and, instead of asking whether the elements of the claims add more to the abstract idea of “providing restricted access to resources,” it asked whether the elements of the claims add more to an out-of-band authentication process—a much narrower idea. In other words, through its approach, the district court attributed the key out-of-band authentication aspect of the invention to the narrowed and redefined “abstract idea” itself. For example, in its step two analysis of the ordered combination of recited elements, the district court stated that the claimed method requires “separation of the access and authentication channels” as “a necessary starting point.” Appx8. As a consequence, Case: 18-1470 Document: 17 Page: 35 Filed: 03/26/2018
-24- the court’s step two analysis—which also failed to consider the parties’ agreed-to claim constructions—disregarded much of what is inventive in the claims. It ignored that the claimed security system requires a specific and novel ordered combination of elements that is not seen in (and has distinct advantages over) the prior art, including: separate authentication and access channels; an “interception” means or device for preventing the host computer from receiving login information; a security computer isolated from the host computer being accessed;8 authentication taking place entirely on a bi-directional authentication channel; and an instruction from the security computer to the host computer to grant or deny access.Finally, the district court’s order cannot be squared with the evidence in the record showing that the claims are not “well-understood, routine, [and] conventional.” See, e.g., Aatrix Software, Inc. v. Green Shades Software, Inc., 882 F.3d 1121, 1128-29 (Fed. Cir. 2018) (internal citations omitted); BASCOM Glob. Internet Servs., Inc. v. AT&T Mobility LLC, 827 F.3d 1341, 1350 (Fed. Cir. 2016). Indeed, the district court failed to view this evidence in the light most favorable to StrikeForce, as it must when considering a motion to dismiss. Put simply, the Asserted Claims are not abstract and do not preempt all methods of out-of-band authentication (much less all methods of “restricting 8 As explained below, this “interception means” or “interception device” is expressly recited in most of the challenged claims, but not in the one claim that the district court found without explanation is representative. Case: 18-1470 Document: 17 Page: 36 Filed: 03/26/2018
-25- access”). Rather, the Asserted Claims are directed to a specific improvement in computer network security architecture, providing secure authentication to a computer environment in a manner that thwarts the man-in-the-middle hacking attacks (the lurking hacker, listening in on the access channel) to which prior art systems were vulnerable. The Asserted Claims, accordingly, claim patent-eligible subject matter under 35 U.S.C. § 101. Accordingly, the judgment of the district court should be reversed. STANDARD OF REVIEW This Court reviews dismissal for failure to state a claim under the law of the regional circuit, in this case the Ninth Circuit. In re Bill of Lading Transmission & Processing Sys. Patent Litig., 681 F.3d 1323, 1331 (Fed. Cir. 2012). The Ninth Circuit reviews challenges to a dismissal for failure to state a claim under Rule 12(b)(6) de novo. Livid Holdings Ltd. v. Salomon Smith Barney, Inc., 416 F.3d 940, 946 (9th Cir. 2005). When deciding a motion to dismiss, the Ninth Circuit “generally limit[s] consideration to the complaint and construe[s] all allegations of material fact in the light most favorable to the nonmoving party.” Id. This Court reviews de novo the district court’s determination of patent eligibility under 35 U.S.C. § 101. DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245, 1255 (Fed. Cir. 2014). However, the question of patent eligibility may be premised on underlying issues of fact, such as “whether a claim element or Case: 18-1470 Document: 17 Page: 37 Filed: 03/26/2018
-26- combination of elements is well-understood, routine and conventional to a skilled artisan in the relevant field.” Berkheimer v. HP, Inc., 881 F.3d 1360, 1368 (Fed. Cir. 2018). Moreover, “[a]ny fact ... that is pertinent to the invalidity conclusion must be proven by clear and convincing evidence.” Id. (citing Microsoft Corp. v. i4i Ltd. P’ship, 564 U.S. 91, 95 (2011)). ARGUMENT The Asserted Claims are not directed to an abstract idea, but instead claim a specific, novel security system for performing completely out-of-band authentication in a particular way. The district court erred in finding otherwise. I.Step 1: The Asserted Claims Are Directed to a Patent-Eligible Invention, Not an Abstract Idea At Alice step one, courts “must first determine whether the claims at issue are directed to a patent-ineligible concept.” Enfish, 822 F.3d at 1335. In doing so, courts “cannot simply ask whether the claims involve a patent-ineligible concept ... [r]ather, the ‘directed to’ inquiry applies a stage-one filter to claims, considered in light of the specification, based on whether ‘their character as a whole is directed to excluded subject matter.” Id. This analysis requires looking at the “patent’s ‘claimed advance’ to determine whether the claims are directed to an abstract idea.” Finjan, Inc. v. Blue Coat Sys., Inc., 879 F.3d 1299, 1303 (Fed. Cir. 2018). Critically, in determining whether the claims are “directed to a result or effect that itself is the abstract idea,” McRO, Inc. v. Bandai Namco Games America Inc., 837 F.3d 1299, Case: 18-1470 Document: 17 Page: 38 Filed: 03/26/2018
-27- 1314 (Fed. Cir. 2016), “courts ‘must be careful to avoid oversimplifying the claims’ by looking at them generally and failing to account for the specific requirements of the claims.” Id. at 1313 (quoting In re TLI Commc’ns LLC Patent Litig., 823 F.3d 607, 611 (Fed. Cir. 2016)). As this Court noted in Enfish, “describing [] claims at such a high level of abstraction and untethered from the language of the claims all but ensures that the exceptions to § 101 swallow the rule.” 822 F.3d at 1337. There, the district court erred by concluding that the claims were directed to merely “the concept of organizing information using tabular formats.” But, as this Court recognized, the claims there were not simply directed to any implementation of the concept, but to a particular “self-referential table for a computer database” that “functions differently than conventional database structures.” Enfish, 822 F.3d at 1337. Here, the district court erred in the same way, by omitting the out-of-band details in the claims and concluding that the Asserted Claims merely “address an abstract idea of providing restricted access to resources.” Appx7. The Asserted Claims are not directed to the general idea of restricting access to resources but are, instead, directed to a specific system and particular method for performing completely out-of-band authentication that expressly solves a critical technical problem facing prior art computer security systems. These claims are not directed to an abstract idea. Case: 18-1470 Document: 17 Page: 39 Filed: 03/26/2018
-28- The district court erred in additional ways as well. First, while mischaracterizing the claims at a very high level of abstraction, the court never addressed how Mr. Pemmaraju’s claimed invention expressly improved upon the prior art systems. Second, the court improperly analyzed claim 53 of the ’698 patent as representative of all the Asserted Claims while reading that claim in a fashion that omitted key novel features, including the completely out-of-band nature of the claimed system. And third, because it mischaracterized the scope of the claims and overgeneralized the nature of the invention, the court relied too heavily on this Court’s nonprecedential decision in Prism, which addressed a single-channel authentication approach of the type that is expressly criticized by, and that lacks the claimed benefits of, the Asserted Patents. SeePrism, 696 F. App’x at 1016. While—like every security system—the Asserted Claims involve at a very high level of generality the idea of providing restricted access to resources, they are directed to something much more specific and beneficial, and are therefore patent-eligible. Because the district court ignored both the essence of the claimed invention, and the prior art problems overcome by that claimed invention, in concluding that the claims are directed to nothing more than “providing restricted access to resources,” the district court’s Alice step one analysis was fundamentally flawed. Case: 18-1470 Document: 17 Page: 40 Filed: 03/26/2018
-29- A.The Asserted Claims Are Not Abstract Because They Claim a Particular Way of Performing Completely Out-Of-Band Authentication The Asserted Claims are directed to a particular way of performing completely out-of-band authentication in which, among other things, all authentication communication takes place along a second, out-of-band “authentication” channel. As described above, supra pp. 8-16, this method and system of authentication: (1) improves security of access networks and the functionality of computer architectures and overcomes deficiencies in the prior art, which consisted only of in-band or partially out-of-band systems, by requiring that authentication take place completely in the out-of-band channel; (2) diverts login information so that it is not received by the host computer and uses a bi-directional authentication channel (i.e., for both sending and receiving authentication information) that is separate from the access channel; and (3) recites a unique, non-conventional architecture for implementing completely out-of-band authentication. Thus, properly understood, the Asserted Claims here are not abstract for the same reasons this Court has identified in other cases: First, as in Finjan and Core Wireless Licensing S.A.R.L. v. LG Elecs., Inc., 880 F.3d 1356 (Fed. Cir. 2018), the Asserted Claims here “enable[] a computer security system to do things it could not do before”—namely, provide an authentication system that protects against man-in-the-middle attacks that plagued Case: 18-1470 Document: 17 Page: 41 Filed: 03/26/2018
-30- prior-art systems by diverting login information away from the host computer and using a security computer and a second, separate channel for both sending and receiving authentication information. Finjan, 879 F.3d at 1305. As described above, this is a significant advance over prior art authentication systems that were either completely in-band or only partially out-of-band. See supra pp. 13-16. Moreover, the claims: (1) are directed to “a specific manner” of arranging and configuring the components in the claimed security system; (2) “specify[] a particular manner by which” this arrangement of components is used to authenticate a user; and (3) “recite a specific improvement over prior systems, resulting in an improved” security system. Core Wireless, 880 F.3d at 1363. And just as in DDR Holdings, 773 F.3d at 1257, here “the claimed solution is necessarily rooted in computer technology in order to overcome a problem specifically arising in the realm of computer networks.” Second, like the claims in Finjan, the Asserted Claims here “recite more than a mere result. Instead, they recite specific steps” necessary to achieve that result. Finjan, 879 F.3d at 1305. And like the claims in McRO, the Asserted Claims go “beyond merely organizing [existing] information into a new form or carrying out a fundamental economic process.” McRO, 837 F.3d at 1315 (internal quotations omitted). For example, the Asserted Claims require a specific arrangement and configuration of certain elements and steps—described in detail above—to better Case: 18-1470 Document: 17 Page: 42 Filed: 03/26/2018
-31- secure computer networks against hackers. See supra pp. 12-14; Appx38 (14:6-29); see also Appx72 (’698 Patent, 18:1-26), Appx102 (’701 Patent, 14:8-31). Such a “new and improved technique, for producing a tangible and useful result, falls squarely outside those categories of inventions that are ‘directed to’ patent-ineligible concepts.” Rapid Litig. Mgmt. Ltd. v. CellzDirect, Inc., 827 F.3d 1042, 1050 (Fed. Cir. 2016). Third, unlike in In re TLI Commc’ns LLC Patent Litig., 823 F.3d 607, 611 (Fed. Cir. 2016), which the district court cited, the claimed architecture of the Asserted Claims (including, for example, an “interception device,” and “security computer,” as well as separate “access” and “authentication” channels) is not a “generic environment in which to carry out [an] abstract idea.”9 Indeed, as demonstrated in the two failed attempts to invalidate the ’698 Patent via inter partes review, petitioners’ best obviousness arguments required cobbling together various components from at least three different prior art references. Even then, the PTAB confirmed that petitioners could not duplicate (or even approximate) the unique 9 In TLI, 823 F.3d at 611, the Court noted that, while the representative claim “require[d] concrete, tangible components[,] ... the specification [made] clear that the recited physical components merely provide a generic environment in which to carry out the abstract idea of classifying and storing digital images in an organized manner.” In contrast, here the physical components required by the Asserted Claims in fact define the claimed particular way to perform complete out-of-band authentication, which constitutes the invention that distinguishes the Asserted Claims from any abstract idea. Case: 18-1470 Document: 17 Page: 43 Filed: 03/26/2018
-32- architecture, structure, and beneficial functionality of the Asserted Patents. SeeDuo, IPR2017-01041, Paper 7 at 32, 37; Duo, IPR2017-01064, Paper 7 at 34. Petitioners’ reliance on multiple three-reference combinations—and the PTAB’s rejection of those arguments at the institution stage—belies the district court’s conclusion here that the Asserted Claims “merely invoke generic processes and machinery” using “an obvious and logical structure.” Appx7 (internal alterations omitted). Fourth, as in Thales Visionix Inc. v. United States, 850 F.3d 1343, 1345 (Fed. Cir. 2017), here the Asserted Claims are directed to systems and methods that, even if they use known computer system hardware and components, use those components in a novel and non-conventional manner. In Thales, the Court held that claims reciting a unique configuration of inertial sensors and the use of a mathematical equation for calculating the location and orientation of an object were patent-eligible despite the fact that the sensors were known in the prior art. Id. The Court upheld the eligibility of those claims because they were directed to systems and methods that use the known inertial sensors in a unique, non-conventional manner. Id. Here, the Asserted Claims employ known communications channels and computer hardware systems in a novel configuration and nonconventional way, to shield the host computer from a hacker attack implementing a particular kind of completely out-of-band authentication system that differs in important ways from and improves upon the prior art. Case: 18-1470 Document: 17 Page: 44 Filed: 03/26/2018
-33- B.The District Court Mischaracterized and Overgeneralized the Claims at a High Level of Abstraction and Ignored the Claimed Advance Over Prior Art Systems This Court has explained that “describing [] claims at ... a high level of abstraction and untethered from the language of the claims all but ensures that the exceptions to § 101 swallow the rule.” Enfish, 822 F.3d at 1337. But that is exactly what the court did here—and why its step one analysis was flawed from the outset. Under Alice step one, the court is required to look at the character of the claims as a whole, in light of the specification. See Internet Patents Corp. v. Active Network, Inc., 790 F.3d 1343, 1346 (Fed. Cir. 2015). But, here, the district court ignored the plain language of the claims and teachings of the specification, and instead summarily concluded “that the Asserted Patents ... address an abstract idea of providing restricted access to resources.” Appx7. As is apparent from the plain reading of the claims, this is a gross oversimplification. As the bulleted list above demonstrates, supra p. 12, the claims require an ordered combination of elements that combine to form a particular way of performing completely out-of-band authentication. The specification explains that the separation of channels solves the “technical problem” in prior art systems (including those that “provid[e] restricted access to resources”) where “the hacker is in a self-authenticating environment.” Appx32 (2:20-22). In the prior art, both user name and authentication information were “sent along the same pathway and any improper accessor into this channel has Case: 18-1470 Document: 17 Page: 45 Filed: 03/26/2018
-34- the opportunity to monitor and/or enter both identifiers.” Appx34 (5:52-55). In contrast, the claimed invention prevents the host computer from receiving user name and login information and requires that “authentication occurs in the out-of-band security network.” Appx34 (6:18-19). The invention thus stands “in contradistinction to present authentication processes as the out-of-band security network [] is isolated from the corporate network [] and does not depend thereon for validating data.” Appx34 (6:20-23). In settling on its overgeneralized description, moreover, the district court further erred by ignoring (among other things) the “claimed advance” over prior art systems to “determine whether the claims are directed to an abstract idea.” See Finjan, 879 F.3d at 1303; see alsoCore Wireless, 880 F.3d at 1361-62.10 Here, the Asserted Patents expressly describe in their specification and explicitly claim advances over multiple prior art patents and systems, all of which “show a portion of the authentication protocol and the data transferred in the same channel or ‘in-band’.” Appx32 (2:55-57). 10 The district court also summarily concluded that the Asserted Claims “are also directed to a result or effect that ... merely invoke[s] generic processes and machinery” and “concern a long-established means of transmitting sensitive information.” Appx7. But the court’s opinion contains no analysis explaining how the Asserted Claims—all of which recite a particular way to perform completely out-of-band authentication and access using interception and separate channels—“monopolize ‘the basic tools of scientific and technological work’” so as to improperly preempt any abstract idea of providing restricted access to resources. McRO, 837 F.3d at 1314 (quoting Alice, 134 S. Ct. at 2354). They do not. Case: 18-1470 Document: 17 Page: 46 Filed: 03/26/2018
-35- C.The District Court Erred by Treating Claim 53 as RepresentativeThe district court also erred in treating ’698 claim 53 as representative of all the Asserted Claims, Appx4-5; Appx765-773, while simultaneously reading that claim as not reciting the very claim elements—including even the completely out-of-band nature of the authentication system—that most clearly make the Asserted Claims not abstract. In treating claim 53 as representative, the district court made two errors. First, and most critically, based on its reading of that claim, the court did not appreciate or address arguably the most important inventive aspect of the Asserted Claims: the completely out-of-band nature of the authentication system, which protects against “man-in-the-middle” hacker attacks. See, e.g., Appx7. Like the other Asserted Claims, claim 53 when properly understood embodies the inventive concept of completely out-of-band authentication. For example, claim 53 requires “receiving in a first channel11 a login identification,” “receiving at a security computer in a second channel the demand for access and the login identification,” “outputting from the security computer” a prompt for authentication data, and “receiving the transmitted [authentication] data at the security computer.” See Appx72 (’698 Patent, 18:47-62). As the District of Massachusetts observed in its claim 11 The parties agree that “first channel” refers to the “access channel” and “second channel” refers to the “authentication channel.” Appx1420.Case: 18-1470 Document: 17 Page: 47 Filed: 03/26/2018
-36- construction order, “[t]hat the claimed systems or methods are ‘out-of-band’ is already captured by the incorporation of that requirement in the construction of the access and authentication channels,” which require the access channel to be separate from the authentication channel. Appx1950. But critically, to the extent that the district court did not read claim 53 as requiring completely out-of-band authentication using separate channels, then claim 53 cannot possibly be representative of the other Asserted Claims (which unquestionably do). Other claims, for example, explicitly require that the accessor, who received a prompt on his or her “peripheral device” from the security computer on the authentication channel, “retransmit[s] predetermined data from said peripheral device” back to the security computer, i.e., using that authentication channel, rather than the access channel. See Appx38 (14:8-31). Second, even if the court did interpret claim 53 as being directed to completely out-of-band authentication, as StrikeForce explained in its Response and at oral argument, claim 53 does not explicitly recite the “interception device” or “interception means” limitations (which are expressly recited in numerous other claims) that shields the host computer and diverts the access information (e.g., the user name and password) to the security computer in the authentication channel. See, e.g., Appx1283; see also Appx1371-1373; Appx1354-1355 (proposing claim 1 of the ’599 Patent, claim 1 of the ’698 Patent, and claim 1 of the ’701 Patent as Case: 18-1470 Document: 17 Page: 48 Filed: 03/26/2018
-37- representative of the claims in each respective patent). The interception device plays the important role of protecting the host computer from an attack by diverting a user’s stolen credentials (which would otherwise have been received by the host computer) to the security computer for complete out-of-band authentication. By relying solely on one of the very few claims that lacks an “interception device” or “interception means,” the district court failed to appreciate the significance of the interception means to determining whether the elements of each claim, as an ordered combination, embody an inventive concept that transforms the nature of the claim. See, e.g., Alice, 134 S. Ct. at 2355; BASCOM, 827 F.3d at 1350. The concept of interception is important, as it contributes to the invention’s unique architecture by both shielding the host computer and facilitating the out-of-band authentication. Indeed, as even the defendants in the prior Delaware action recognized, “[n]o aspect of the invention is more critical to understand than the fact that the interception device diverts the login identification and the demand for access to the security computer.” Parties’ Joint Claim Construction Brief at 4, StrikeForce Techs., Inc. v. PhoneFactor, Inc., No. 1:13-cv-00490-RGA-MPT, 2014 WL 12690048 (D. Del. filed Nov. 6, 2014). Indeed, the District of Massachusetts relied upon claim 1 of the ’698 Patent, which expressly includes this limitation, as “emblematic.” Appx1932. Case: 18-1470 Document: 17 Page: 49 Filed: 03/26/2018
-38- At the very least, it was erroneous for the district court to invalidate all 43 of the Asserted Claims without assessing any claim that expressly included those elements (for example, an interception device and re-transmittal of authentication information on the authentication channel) that further implement, in specific fashion, the claimed unique out-of-band solutions to the problem of man-in-the-middle hackers. Given the differences in the various Asserted Claims across these patents, it was inappropriate for the district court to treat claim 53 as representative. SeeBerkheimer, 881 F.3d at 1365-66 (holding it is inappropriate to treat one claim as representative where patentee advanced meaningful arguments regarding limitations found in other claims). By doing so, the district court factually oversimplified all of the Asserted Claims, setting up its failure at both steps of the Alice framework. D.The District Court’s Reliance on Prism, Which Addressed the Kind of Single-Channel Authentication System Distinguished in the Asserted Patents and During Prosecution, Reflects the Court’s Failure to Appreciate the Inventive Character of the Asserted Patents The district court’s error in its step one analysis is further reflected in its mistaken reliance on Prism, a nonprecedential 2017 decision addressing different technology. Appx6-7 (citing Prism, 696 F. App’x at 1016-17). The court used Prism to define what it saw as the “abstract idea” here, reasoning that the Asserted Case: 18-1470 Document: 17 Page: 50 Filed: 03/26/2018
-39- Claims, “like those at issue in Prism, address an ‘abstract idea of providing restricted access to resources.’” Id. That analogy is fatally flawed. Prism is different from this case in ways that go to the very heart of the Alice framework. As discussed above, the Asserted Claims are directed to a particular two-channel, completely out-of-band authentication system, in which all of the authentication communication occurs over the authentication channel, and none occurs over the access channel. In contrast, the claims at issue in Prism were directed to a single-channel system for both access and authentication—the type of system that Mr. Pemmaraju’s invention distinguished and improved upon. SeeAppx1356 (demonstrating that the Prism claims recite a single-channel authentication system); Appx32 (2:56-58); Appx34 (5:52-55) (criticizing such single-channel systems in the prior art). Put another way, by analogizing the Asserted Claims to those at issue in Prism, the district court improperly ignored the very limitations that define the “claimed advance” of the Asserted Patents over the prior art. See Finjan, 879 F.3d at 1303. While this Court found that the purely in-band claims in Prism were directed to an abstract idea, Prism, 696 F. App’x at 1017, the Asserted Claims here are instead limited to a particular and unique computer architecture for performing complete out-of-band authentication in a specific way. And, unlike the claims in Prism, which arguably would preempt any use of single-factor authentication, the Asserted Claims Case: 18-1470 Document: 17 Page: 51 Filed: 03/26/2018
-40- here are directed to completely out-of-band systems having particular architectures and functionalities. These claims do not preempt the use of single-channel systems like those disclosed in Prism, or even partially out-of-band systems—like the Wesinger system distinguished in the specification of the Asserted Patents—where some authentication data is received out-of-band by an accessor but then transmitted back through the in-band channel. Appx33 (3:4-24). Nor do these claims preempt all complete out-of-band authentication, as they are directed to a particular configuration of components and specific method of complete out-of-band communication. Put simply, the claims at issue in Prism and the Asserted Claims here are different. In concluding that they are not, the district court ignored the key inventive concept of the Asserted Patents and demonstrated that it was viewing the Asserted Claims at such a high level of abstraction as to entirely swallow the Alice step one analysis. See Enfish, 822 F.3d at 1337. II.Step 2: The Asserted Claims Recite Additional Elements Beyond the Abstract Idea Reflecting An Inventive Concept and Therefore ArePatent-Eligible Even if the Court were to conclude that the claims are directed to an abstract idea, the Court should still reverse the district court’s order atstep two of the Aliceframework. Under that step, claims directed to abstract ideas are nonetheless patent-eligible when they recite “additional elements” that, “as an ordered combination ... Case: 18-1470 Document: 17 Page: 52 Filed: 03/26/2018
-41- transform the nature of the claim into a patent-eligible application” and embody an inventive concept. Alice, 134 S. Ct. at 2355; see alsoMayo Collaborative Servs. v. Prometheus Labs., Inc., 566 U.S. 66, 78 (2012); BASCOM, 827 F.3d at 1350. The Court’s inquiry under Alice step two “requires more than recognizing that each claim element, by itself, was known in the art” since “an inventive concept can be found in the non-conventional and non-generic arrangement of known, conventional pieces.” BASCOM, 827 F.3d at 1350. Such is the case here. In concluding otherwise, the district court made several critical errors. First, whereas it had overgeneralized the scope of the claims for the purposes of Alice step one, at step two it improperly changed and narrowed the alleged abstract idea to be effectively coextensive with what is arguably the most inventive concept of the Asserted Claims. Second, it ignored the evidence of an inventive concept as set forth in the specification and embodied in the claims (as confirmed by the reexamination and IPR proceedings) and in the Complaint, and concluded, based on mere attorney argument, and without supporting evidence, that “the ordered combination of the Asserted Claims is logical and conventional.” Appx8. And third, it applied a claim construction for a key claim limitation (“channel”) that differed from the construction ultimately agreed to by the parties. Case: 18-1470 Document: 17 Page: 53 Filed: 03/26/2018
-42- A.The Asserted Claims Embody An Inventive Concept As explained in detail in Section III.B, the Asserted Claims require a specific combination and arrangement of particular elements and steps to better secure and protect computer networks against hackers. See supra pp. 12-14; Appx38 (14:6-29); see also Appx72 (’698 Patent, 18:1-26), Appx102 (’701 Patent, 14:8-31).Although some of these elements, taken in isolation, were known in the prior art, their particular configuration and ordered combination in the claims embodies an inventive concept—a particular application of completely out-of-band authentication system, with an interception device that prevents misappropriated user credentials from reaching the host computer and a second channel, separate from the channel with the host computer, that handles all authentication communications. Indeed, as the Asserted Patents themselves explained, prior art systems “all show a portion of the authentication protocol and the data transferred in the same channel or ‘in-band.’” Appx32 (2:56-58). In contrast, Mr. Pemmaraju’s invention is directed to authentication in “an out-of-band system that is entirelyoutside the host computer network being accessed.” Appx32 (1:18-20). The PTAB’s denial of institution on obviousness grounds in two separate petitions for inter partes review further demonstrates that the ordered combination of elements in the Asserted Claims embodies an inventive concept beyond the mere “logical” arrangement of “conventional” elements, as the district court held. Appx8. Case: 18-1470 Document: 17 Page: 54 Filed: 03/26/2018
-43- In the IPR proceedings, the Petitioners were forced to combine at least three different references to try to cobble together a system that approximates the structure and functionality of the Asserted Claims. SeeDuo, IPR2017-01041, Paper 7 at 6; Duo, IPR2017-01064, Paper 7 at 6. Even then, and under the PTAB’s “preponderance of the evidence” standard, the petitioners still could not demonstrate that there was a reasonable likelihood that their complicated combinations mirror the unique and novel architecture of the Asserted Patents and invalidate the challenged claims. SeeDuo, IPR2017-01041, Paper 7 at 32, 37; Duo, IPR2017-01064, Paper 7 at 32. As was apparent to the PTAB, the ordered combination of elements in the Asserted Claims is not so “conventional” as the district court assumed. The reexamination proceedings for the ’599 Patent also confirm that the Asserted Patents embody an inventive concept. During those proceedings, the Examiner found all claims patentable and allowed seven new claims, concluding that “[t]he prior art cited by the Requesters fails to teach or suggest” all the limitations of the ’599 Patent claims. Appx5654. In particular, the Examiner contrasted the architecture of one prior art system, Walker, with that of the ’599 Patent claims, finding the arrangement and functionality of the ’599 Patent claims to be patentable. See id. In other words, just as in Thales, 850 F.3d at 1345, even if the claimed elements are considered generic or conventional in isolation, the specific combination of elements is unique and patent-eligible. Case: 18-1470 Document: 17 Page: 55 Filed: 03/26/2018
-44- B.The District Court Erred by Describing the Claim Scope Differently in the Context of the Two Alice Steps As discussed, supra pp. 33-34, in the context of Alice step one, the district court overgeneralized the claims, concluding that they are directed to the abstract idea of “providing restricted access to resources.” Appx7. But then, in considering Alice step two, the district court changed course, recharacterizing the claims as directed to a narrower concept—“out-of-band authentication.” Appx7-8. That was error. Just as a patent claim must be accorded the same scope when analyzing both infringement and invalidity, seeSmithKline Diagnostics, Inc. v. Helena Labs. Corp., 859 F.2d 878, 882 (Fed. Cir. 1988), so too must the abstract idea identified in Alicestep 1 be used as the starting point for Alice step 2.12 As this Court has explained, “[f]or [step two] we must look with more specificity at what the claim elements add, in order to determine whether they identify an inventive concept in the application of the ineligible subject matter to which the claim is directed.” Intellectual Ventures I LLC v. Erie Indem. Co., 850 F.3d 1315, 1325 (Fed. Cir. 2017) (internal quotations omitted); see also Mayo, 566 U.S. at 77-78. Here, the district court’s step two analysis therefore should have focused on what the elements in the claims add to the abstract idea identified in step one. Instead, by re-characterizing the abstract idea for purposes of step two as already including the very elements (such as two entirely 12See alsoSterner Lighting, Inc. v. Allied Elec. Supply, Inc., 431 F.2d 539, 544 (5th Cir. 1970) (citing White v. Dunbar, 119 U.S. 47, 51-52 (1886)). Case: 18-1470 Document: 17 Page: 56 Filed: 03/26/2018
-45- separate channels, with the authorization communications occurring on the second channel) that define completely out-of-band authentication, the district court started its “what do the claims add” analysis having already subsumed into the abstract idea itself what are arguably the claims’ most inventive elements. For example, in its step 2 analysis of the ordered combination of recited elements, the district court stated that “Step 1 (separation of the access and authentication channels) is a necessary starting point.” Appx8. But separation of channels is not a necessary starting point under the court’s broader step one abstract idea of “providing restricted access to resources”—restricting access can be done in a myriad of ways that do not involve separate channels (e.g., the simple passwords systems described in the background of the invention). See Appx32 (1:46-53). Indeed, separation of channels is a “necessary” starting point only if one assumes that the purported abstract idea itself is the narrow concept of out-of-band communication using separate channels. The district court cannot have it both ways. If the abstract idea for purposes of Alice step one is “providing restricted access to resources,” then the abstract idea for purposes of Alice step two must be the same. And in that case, the ordered combination of elements recited by the Asserted Claims—a particular arrangement of elements into a unique, patentable out-of-band authentication system—transforms what would be an abstract idea into patent-eligible subject matter. Case: 18-1470 Document: 17 Page: 57 Filed: 03/26/2018
-46- C.The Factual Record Belies the Conclusion That the Ordered Combination of Elements in the Asserted Claims is “Logical and Conventional” The district court found that the claims do not embody an inventive concept because “the ordered combination of the Asserted Claims is logical and conventional.” Appx8. But in doing so, the court relied on unsupported and unexplained conclusions that fly in the face of the evidence before the court and that should have been construed in StrikeForce’s favor as the nonmovant. As set forth above, that evidence—as set forth in the Amended Complaint in this case, as well as in the claims, specification, file histories,13 parties’ proposed and agreed-to constructions, prior claim constructions of two other district courts, and patent office’s findings in prior reexamination and inter partes review proceedings—demonstrates that the claimed ordered combination of elements was not conventional. For example, in summarily concluding that the ordered combination of the Asserted Claims is “logical and conventional,” the court stated that “separation of the access and authentication channels” is “a necessary starting point.” Id. But, as the evidence makes clear, the separation of the access and authentication channels is 13 The Court may take judicial notice of the file histories for the Asserted Patents as a matter of public record. See, e.g., Standard Havens Prods., Inc. v. Gencor Indus., Inc., 897 F.2d 511, 514 n.3 (Fed. Cir. 1990); see alsoUnited States v. 14.02 Acres of Land More or Less in Fresno Cty., 547 F.3d 943, 955 (9th Cir. 2008). Case: 18-1470 Document: 17 Page: 58 Filed: 03/26/2018
-47- a key part of the inventive concept of the Asserted Claims—and, as explained above, supra p. 45, it cannot be true that separation of access and authentication channels is a “necessary starting point” in authentication systems, especially in a single-channel system. See Appx32 (2:56-58); Appx33 (3:4-24). Having summarily dismissed a key part of the inventive concept of the Asserted Patents, the district court continued to sweep aside additional key elements of the Asserted Claims with unsupported and conclusory statements. For example, in addressing “interception of the login identification and demand for access,” the court stated that this step “must also occur at the beginning of the process because there must be some triggering event.” Appx8. Once again, the district court failed to consider or acknowledge all the prior art systems that addressed the allegedly abstract idea of “providing restricted access to resources,” but failed to include any interception as claimed in the Asserted Patents. See, e.g., Appx32 (2:56-58); Appx33 (3:4-24). As discussed above, and as demonstrated by the evidence, complete separation of channels, such that the host computer being accessed is isolated14 from the security computer handling authentication, is at the heart of the inventive concept 14 As noted in the Statement of Facts, the parties agree that the construction of “security computer” requires “a computer in the authentication channel that can grant authenticated users access to but is isolated from the host computer.” Appx1746. Case: 18-1470 Document: 17 Page: 59 Filed: 03/26/2018
-48- in the Asserted Claims. The district court failed to appreciate this, merely concluding that “contacting the user through the authentication channel[] must precede ... receiving a response from the computer through the authentication channel.” Appx8. It is certainly true that a response must be preceded by a prior communication, but these elements are non-conventional not merely because one precedes the other. Rather, they are non-conventional because they rely on the inventive concept of using, in an unconventional combination, the following steps to prevent man-in-the-middle attacks that plagued prior-art systems: an interception device to shield the host computer from a hacker; a separate security computer to do the authentication; a completely separate channel, the authentication channel, to communicate to the accessor a request for additional authentication information (only after the verification of first factor authentication has been completed); and employment of the same completely separate authentication channel for the accessor to communicate the second factor authentication back to the security computer. Even if some of those elements (or some variation of them) were conventional in some prior systems, the use of that particular combination of elements was non-conventional, as confirmed by the PTO’s repeated determinations. And sending the authentication information from the user to the security computer over the authentication channel is not inevitable—as noted above, supra pp. 14-15, prior art Case: 18-1470 Document: 17 Page: 60 Filed: 03/26/2018
-49- systems like Wesinger were configured to send authentication information back to the user over the in-band access channel. As this Court explained in BASCOM, “[t]he inventive concept inquiry requires more than recognizing that each claim element, by itself, was known in the art.” BASCOM, 827 F.3d at 1350. There, the court found that the claims did not merely recite an abstract idea of filtering content, but specifically improved on prior art filters that were susceptible to hacking. Id. The BASCOM court distinguished prior cases finding claims unpatentable where they “claim an abstract idea implemented on generic computer components, without providing a specific technical solution beyond simply using generic computer concepts in a conventional way.” Id. at 1352. Just as in BASCOM, the Asserted Claims do not merely recite the abstract idea of“providing restricted access to resources” using generic computer components, but instead improve on prior art systems by providing completely out-of-band authentication through the specific arrangements of, and functions performed by, isolated channels and devices. D.The District Court Failed to Consider Important Constructions, Including the Parties’ Agreed-To Constructions, for Key Terms that Help Define the Invention In concluding that the Asserted Claims do not embody an inventive concept, the court improperly ignored key limitations (relating to “channels” or the “isolated” security computer) or interpreted them differently from how the parties and two Case: 18-1470 Document: 17 Page: 61 Filed: 03/26/2018
-50- other district courts had construed them and, in doing so, read the inventive concept out of the Asserted Claims. Worse yet, the district court ruled on the motion to dismiss just days before a scheduled Markman hearing, at which these claim construction issues were to be addressed. In prior claim construction proceedings, judges in both the District of Delaware and the District of Massachusetts construed “access channel” (and “first channel”) to mean “an information channel that is separate from and does not share any facilities with the authentication channel.” Appx1883; Appx1924; Appx1948. Similarly, these judges construed “authentication channel” (and “second channel”) to mean “a channel for performing authentication that is separate from and does not share any facilities with the access channel.” Appx1883; Appx1924; Appx1948.15StrikeForce and SecureAuth stipulated to the narrower constructions for “access channel” and “authentication channel” found by the Delaware andMassachusetts, and submitted these agreed to constructions to the court on October 23, 2017, more than one month prior to the court’s dismissal. Appx1420. These constructions should have led the district court here to deny the motion to dismiss. In its opinion, the district court, relying on StrikeForce’s outdated 15 Notably, in construing the “channel” terms as requiring “separate facilities,” the Massachusetts district court expressly rejected a proposal that the channels could be separated by “frequency channels” or “time slots” (which would allow the signals to be on the same channel as long as they were separated by frequency or time slot). Appx1948. Case: 18-1470 Document: 17 Page: 62 Filed: 03/26/2018
-51- description of “out-of-band” system,16 acknowledged that “structuring an authentication so that it has a bi-directional second channel for information transmission could reflect some inventiveness” depending on how those channels are structured. Appx9. In other words, the court acknowledged that having out-of-band authentication conducted completely on a separate bi-directional channel (as opposed to a system that achieved out-of-band authentication by using separate time slots or frequencies on a channel) could embody an inventive concept under Alice step two. The parties’ agreed-to “channel” constructions embody this very concept—entirely separate access and authentication channels (e.g., not sharing facilities), thus providing for completely out-of-band authentication. In dismissing the Complaint, the district court here failed to considerthese agreed-to constructions. Instead, without conducting a separate claim construction analysis, the district court applied a different, broader construction of “channel” that the District of Massachusetts had expressly rejected (Appx1943; Appx1948)—concluding that separate “channels” could be satisfied by separate frequencies or time slots on a channel. Appx9. At the very least, the Court should have considered the parties’ agreed-to constructions, 16 In its motion to dismiss briefing, before the Massachusetts court issued its claim construction order, StrikeForce described an “out-of-band” system as using an authentication channel “carried over separate facilities, frequency channels, or time slots than those used for actual information transfer.” Appx1294. Following that order, however, the parties agreed to the Massachusetts “channel” constructions. Case: 18-1470 Document: 17 Page: 63 Filed: 03/26/2018
-52- submitted over a month earlier, in determining whether the claims embody an inventive concept. See Ruckus Wireless, Inc. v. Innovative Wireless Solutions, 824 F.3d 999, 1004 (Fed. Cir. 2016) (holding that an ambiguous claim “should be construed to preserve its validity” (citing Phillips v. AWH Corp., 415 F.3d 1303, 1327 (Fed. Cir. 2005))). Applying the agreed-to construction of these “channel” terms, the Asserted Claims include the very concept that the district court itself acknowledged could embody an inventive concept. This concept is, in fact, inventive and is an improvement over the prior art, namely, the separation of authentication into a separate bi-directional authentication channel. SeeAmdocs (Israel) Ltd. v. Openet Telecom, Inc., 841 F.3d 1288, 1300 (Fed. Cir. 2016) (finding an inventive concept where the proper claim construction embodies the invention’s “critical advancement over the prior art”); see also DDR Holdings, 773 F.3d at 1258-59 (finding claims taken “as an ordered combination” are patent eligible when they “override[] [a] routine and conventional sequence of events”). III.At the Least, This Case Should Be Remanded For Determination ofDisputed Issues of Fact Relating to the Inventive Concept The current record conclusively establishes that the Asserted Claims are patent-eligible under 35 U.S.C. § 101. Even if it did not, this Court’s recent decisions in cases such as Aatrix and Berkheimer would require remand to the district Case: 18-1470 Document: 17 Page: 64 Filed: 03/26/2018
-53- court so that the fact-finder may determine whether the claimed combination of elements is well-understood, routine and conventional. In Aatrix, this Courtvacated the district court’s dismissal order under § 101 and remanded, concluding that patent eligibility can be determined at the Rule 12(b)(6) stage only “when there are no factual allegations that, taken as true, prevent resolving the eligibility question as a matter of law.” Aatrix, 882 F.3d at 1125. As the Court explained, “plausible factual allegations may preclude dismissing a case under § 101 where, for example, nothing on th[e] record ... refutes those allegations as a matter of law or justifies dismissal under Rule 12(b)(6).”Id. (quoting FairWarning IP, LLC v. Iatric Sys., Inc., 839 F.3d 1089, 1097 (Fed. Cir. 2016)) (internal quotations omitted). In Berkheimer, this Court applied similar reasoning in reversing a grant of summary judgment, holding that, “[w]hile patent eligibility is ultimately a question of law, the district court erred in concluding there are no underlying factual questions to the § 101 inquiry.” Berkheimer, 881 F.3d at 1369. In particular, the Court explained, “[w]hether something is well-understood, routine, and conventional to a skilled artisan at the time of the patent is a factual determination,” as is the question “[w]hether a particular technology is well-understood, routine, and conventional goes beyond what was simply known in the prior art.” Id. Accordingly, the Court remanded for specific factual findings relevant to Alice step two. Id. at 1370-71. Case: 18-1470 Document: 17 Page: 65 Filed: 03/26/2018
-54- Moreover, in determining whether the “factual allegations that, taken as true, prevent resolving the eligibility question as a matter of law,” Aatrix, 882 F.3d at 1125, the court must consider the standard of proof that the moving party would need to carry at trial. Of course, “a defendant raising an invalidity defense [bears] ‘a heavy burden of persuasion,’ requiring proof of the defense by clear and convincing evidence.”Microsoft, 564 U.S. at 102. In order for the district court to rule the claims patent-ineligible on a motion to dismiss, SecureAuth was required to establish that, even under the facts as alleged in the Complaint and after resolving all factual issues in StrikeForce’s favor, as a matter of law, any jury would have had to conclude SecureAuth had demonstrated by clear and convincing evidence that the elements of the Asserted Claims, as an “ordered combination” are well-understood, routine, and conventional. 35 U.S.C. § 282; Berkheimer, 881 F.3d at 1367-68.17 But SecureAuth did not do that. If anything, the actual factual record demonstrates exactly the opposite. At the very least, a jury would be able to conclude that SecureAuth had failed to satisfy its heavy burden of persuasion. For example, StrikeForce offered evidence—as set forth in the Complaint and specification of the Asserted Patents—that the combinations of elements set forth in 17 Furthermore, given the stage of the proceedings, the evidence must be viewed in a light most favorable to StrikeForce. SeeLivid Holdings, 416 F.3d at 946. Case: 18-1470 Document: 17 Page: 66 Filed: 03/26/2018
-55- the Asserted Claims recite novel and unique improvements over the prior art. See, e.g., Appx503-504; Appx32 (2:56-58); Appx33 (4:1-2, 4:6-10). Here, the court was required to view at least the following facts as true: Prior art systems that utilized a single channel for access and authentication information were susceptible to hacking. See,e.g., Appx32 (2:14-58). The Patents’ specification disparages known prior systems, including those that utilized a single channel for access control. See,e.g., Appx32-33 (2:56-3:24, 3:57-60). For example, as the Asserted Patents explain, in prior art systems “[b]oth the USER ID and the voice password are sent along the same pathway and any improper accessor into this channel has the opportunity to monitor and/or enter both identifiers.” Appx34 (5:52-55). The Asserted Patents address this problem in the prior art by utilizing “a unique combination of user and host authentication” that includes a separate channel to both send and receive data used to authenticate the user, making it much more difficult to hack. See,e.g., Appx33 (4:6-16). “The inventions of the ’599, ’698, and ’701 patents are directed to improved multichannel security systems and methods for authenticating a user seeking to gain access to, for example, Internet websites and VPN networks, such as those used for conducting banking, social networking, business activities, and other online services.” See,e.g., Appx503-504. StrikeForce’s “specific invention, as claimed in the ’599, ’698, and ’701 patents, provides a specific solution to problems caused by the proliferation of data across the Internet by enhancing the functionality of computer systems compared to prior art authentication systems through improved security of the channels used for authentication and access.” See,e.g., Appx503-504. In deciding, in the face of the actual and available evidence, that the claimed combination of elements in the Asserted Claims was well-understood, routine, and conventional, the district court simply announced—without evidence or analysis, or even acknowledging the requisite clear-and-convincing standard—that the ordered Case: 18-1470 Document: 17 Page: 67 Filed: 03/26/2018
-56- combination of elements is “logical and conventional.” Appx8. But, under Berkheimer and Aatrix, that is not sufficient.The district court also erred by concluding, without evidence, that “[a] consideration of the existing in-band and out-of-band authentication systems and long-established non-computer-based methods for transmitting, processing and authenticating sensitive data shows that the Asserted Claims are not specifically directed to an improvement in computer functionality.” Appx7. In fact, the district court never analyzed these existing systems against the Asserted Claims to support its conclusions. Had the court done so, it would have recognized that the Asserted Claims are directed to more than simply “transmitting sensitive information.” Id. As Mr. Pemmaraju recognized, the technical problem with prior art methods of protecting computer networks is that “the hacker is in a self-authenticating environment.” Appx32 (2:20-22). Mr. Pemmaraju solved this technical problem through a unique arrangement of components that improves how computer networks authenticate users—namely, by (1) employing an interception device between the accessor and the host computer to prevent the host computer from receiving what it would have otherwise received under routine, conventional operation of the prior art security systems; (2) forwarding that intercepted information to a security computer that is isolated from the host computer; and (3) using a second, separate bi-directional authentication channel to authenticate the accessor. Case: 18-1470 Document: 17 Page: 68 Filed: 03/26/2018
-57- At the[b] very least, StrikeForce is entitled to remand[/b]—both because the district court failed to view the evidence in the light most favorable to StrikeForce and, more fundamentally, because whether there is an inventive concept in this case is a question for the factfinder. CONCLUSION WHEREFORE, for the foregoing reasons, [b]StrikeForce respectfully requests that this Court: [color=red] reverse the decision[/color][color=red][/color] dismissing StrikeForce’s Complaint with prejudice[/b]; find that the Asserted Claims are in fact patent-eligible under 35 U.S.C. § 101; and remand for trial. At the very least, this Court should vacate the district court’s ruling and remand for further factual findings as to whether the claimed combination of elements was well-understood, routine, and conventional. Case: 18-1470 Document: 17 Page: 69 Filed: 03/26/2018
-58- Respectfully submitted, /s/ Douglas H. Hallward-DriemeierDouglas H. Hallward-Driemeier ROPES & GRAY LLP 2099 Pennsylvania Avenue, N.W. Washington, DC 20006-6807 (202) 508-4600 Richard T. McCaulley, Jr. ROPES & GRAY LLP 191 North Wacker Dr., 32nd Floor Chicago, IL 60606 (312) 845-1200 Steven Pepe Kevin J. Post Josef B. Schenker ROPES & GRAY LLP 1211 Avenue of the Americas New York, NY 10036-8704 (212) 596-9000 Samuel L. Brenner ROPES & GRAY LLP Prudential Tower, 800 Boylston St. Boston, MA 02199-3600 (212) 951-7000 Counsel for Plaintiff-Appellant StrikeForce Technologies, Inc.Dated: March 26, 2018

[b]April 24, 2018 Supreme Court Validates the Constitutionality of PTAB decisions[/b]
High Court Rules AIA Reviews Are Constitutional
By Ryan Davis

Law360 (April 24, 2018, 10:13 AM EDT) -- The U.S. Supreme Court ruled Tuesday that [b]America Invents Act reviews do not violate the U.S. Constitution[/b] and that [b]the Patent Trial and Appeal Board (PTAB) has the authority to invalidate patents, leaving intact a system that has been used to challenge thousands of patents[/b].

The U.S. Supreme Court has [b]rejected an argument that only federal courts can find patents invalid, [color=red]upholding the authority of the Patent Trial and Appeal Board[/color][/b] and the constitutionality of America Invents Act reviews.

SecureAuth's Resonse on May 7, 2018

United States Court of Appeals FOR THE FEDERAL CIRCUIT STRIKEFORCE TECHNOLOGIES, INC., Plaintiff - Appellant, v. SECUREAUTH CORPORATION, Defendant - Appellee. APPEAL FROM THE U.S. DISTRICT COURT FOR THE CENTRAL DISTRICT OF CALIFORNIA IN PROCEEDING NO. 2:17-CV-04314-JAK-SK, HON. JOHN A. KRONSTADT BRIEF OF APPELLEE SECUREAUTH CORPORATION GABRIEL K.BELLLATHAM &WATKINS LLP 555 Eleventh Street, NW Suite 1000 Washington, D.C. 20004-1304 (202) 637-2200 JON W.GURKACounsel of Record STEPHEN W.LARSONJEREMY A.ANAPOLKNOBBE,MARTENS,OLSON &BEAR,LLP2040 Main Street, 14th Floor Irvine, CA 92614 (949) 760-0404 Attorneys for Appellee SECUREAUTH CORPORATION May 7, 2018 Case: 18-1470 Document: 22 Page: 1 Filed: 05/07/2018
-i- CERTIFICATE OF INTEREST Counsel for Appellee SecureAuth Corporation hereby certifies the following: 1.The full name of every party represented by me is: SecureAuth Corporation 2.The name of the real party in interest represented by me is: N/A 3.All parent corporations and publicly held companies that own 10% or more of the stock of the party represented by me are: Core Security SDI Corp. Courion Intermediate Holdings, Inc. Courion Holding, LLC State Street Corporation 4.The names of all law firms and the partners or associates that have appeared for the party represented by me in the trial court (and who have not or will not enter an appearance in this case) are: Andrea L. Cheek, Knobbe, Martens, Olson & Bear LLP; Jeffry H. Nelson, Robert A. Rowan, Nixon & Vanderhye P.C. 5.The title and number of any case known to counsel to be pending in this or any other court or agency that will directly affect or be directly affected by this court’s decision in the pending appeal: StrikeForce Technologies, Inc. v. Gemalto Inc. et al., 1-17-cv-10422 (D.Mass.) StrikeForce Technologies, Inc. v. Vasco Data Security Int'l et al., 1-17-cv-10423 (D.Mass.) Case: 18-1470 Document: 22 Page: 2 Filed: 05/07/2018
-ii- StrikeForce Technologies, Inc. v. Duo Security, Inc., 2-16-cv-03571 (D.N.J.) StrikeForce Technologies, Inc. v. Centrify Corp., 2-16-cv-03574 (D.N.J.) KNOBBE, MARTENS, OLSON & BEAR, LLPMay 7, 2018 By: /s/ Jon W. Gurka Jon W. Gurka Attorney for Appellee SECUREAUTH CORPORATION Case: 18-1470 Document: 22 Page: 3 Filed: 05/07/2018
TABLE OF CONTENTS Page No. -iii- INTRODUCTION ....................................................................................... 3COUNTER-STATEMENT OF THE CASE ............................................... 6A.The Patents ........................................................................................ 61.The Specification Describes Out-of-Band Authentication And Admits It Was Well-Known .................. 62.The Specification Describes Host Or Location Authentication As A Key Part Of The Alleged Invention ................................................................................. 73.The Claims Are Not Directed To The Alleged Improvement Of Location Authentication .............................. 94.The Specification Does Not Purport To Solve The Problem Of Partially Out-of-Band Authentication ............... 10B.StrikeForce’s Litigation Campaign Against Out-of-Band Authentication ................................................................................. 12C.The Present Case ............................................................................. 131.StrikeForce’s Amended Complaint ...................................... 142.SecureAuth’s Motion To Dismiss ......................................... 14a.StrikeForce Failed to Identify Any Alternative to Representative Claim 53 ..................... 15b.StrikeForce Relied on Limitations Not Recited in All Asserted Claims .................................. 16i.Completely Out-of-Band Authentication .................................................. 17Case: 18-1470 Document: 22 Page: 4 Filed: 05/07/2018
TABLE OF CONTENTS (Cont’d) Page No. -iv- ii.Interception ....................................................... 18c.StrikeForce Relied on an Unclaimed Ordered Combination ................................................. 19d.StrikeForce Failed to Explain How Any Claim Construction Could Affect the Motion’s Outcome ...................................................... 20e.StrikeForce Admitted That “Out-of-Band” and “Completely Out-of-Band” Refer to the Same Idea.................................................................... 233.The District Court’s Decision ............................................... 23SUMMARY OF THE ARGUMENT ........................................................ 26STANDARD OF REVIEW ....................................................................... 29ARGUMENT ............................................................................................. 30A.StrikeForce’s Claims Are Directed To The Abstract Idea Of Out-of-Band Authentication ...................................................... 321.StrikeForce’s Claims Admittedly Focus On Out-of-Band Authentication ......................................................... 322.Out-of-Band Authentication Is An Age-Old Abstract Idea That Is Not Specific To Computers Or Any Other Technology .................................................... 343.StrikeForce’s Claims Are Indistinguishable From The Abstract Claims In Secured Mail, Prism, And Similar Cases ........................................................................ 39 Case: 18-1470 Document: 22 Page: 5 Filed: 05/07/2018
TABLE OF CONTENTS (Cont’d) Page No. -v- 4.StrikeForce’s Contrary Arguments Are Unavailing ............. 42a.The District Court Did Not Overgeneralize The Claims .................................................................. 42b.StrikeForce’s Reliance On “Completely” Out-of-Band Authentication Is Misplaced ................. 43c.StrikeForce’s Claims Provide No Improvement Specific To Computers, So The Cases It Cites Are Inapposite .............................. 45B.StrikeForce’s Claims Recite No Inventive Concept ....................... 481.The District Court Did Not Change Its Understanding Of The Abstract Idea Between Alice Steps One And Two ..................................................... 492.StrikeForce Concedes That Each Limitation In Its Claims Is Conventional ......................................................... 503.Interception Is Not Inventive ................................................ 514.StrikeForce Fails To Show That Its Shifting Ordered Combination Provides Any Computer-Specific Improvement ........................................................... 535.Merely Distinguishing Prior Art Does Not Make StrikeForce’s Claims Patent-Eligible ................................... 56C.StrikeForce’s Procedural Challenges Are Meritless ....................... 581.The District Court Properly Treated Claim 53 As Representative ....................................................................... 58Case: 18-1470 Document: 22 Page: 6 Filed: 05/07/2018
TABLE OF CONTENTS (Cont’d) Page No. -vi- 2.No Claim Construction Would Provide An Inventive Concept ................................................................. 613.StrikeForce Identifies No Disputed Fact Issue Material To Patent Eligibility ............................................... 63CONCLUSION ......................................................................................... 70Case: 18-1470 Document: 22 Page: 7 Filed: 05/07/2018
TABLE OF AUTHORITIES Page No(s). -vii- Aatrix Software, Inc. v. Green Shades Software, Inc., 882 F.3d 1121 (Fed. Cir. 2018) ...................................................................... 65 Affinity Labs of Texas, LLC v. Amazon.com Inc., 838 F.3d 1266 (Fed. Cir. 2016) ...................................................................... 38 Affinity Labs of Texas, LLC v. DIRECTV, LLC, 838 F.3d 1253 (Fed. Cir. 2016) ................................................................ 57, 58 Alice Corp. v. CLS Bank Int’l, 134 S. Ct. 2347 (2014) ............................................................................ passimAshcroft v. Iqbal, 556 U.S. 662 (2009) ............................................................................ 29, 30, 67 Automated Tracking Sols., LLC v. Coca-Cola Co., --- F. App’x ----, 2018 WL 935455 (Fed. Cir. Feb. 16, 2018) ....................... 69 Bascom Global Internet Servs., Inc. v. AT&T Mobility LLC, 827 F.3d 1341 (Fed. Cir. 2016) ................................................................ 54, 65 Berkheimer v. HP, Inc., 881 F.3d 1360 (Fed. Cir. 2018) ................................................................ 68, 69 Bilski v. Kappos, 561 U.S. 593 (2010) ........................................................................................ 30 buySAFE, Inc. v. Google, Inc., 765 F.3d 1350 (Fed. Cir. 2014) ...................................................................... 57 Cleveland Clinic Foundation v. True Health Diagnostics LLC, 859 F.3d 1352 (Fed. Cir. 2017) ...................................................................... 59 Content Extraction and Transmission LLC v. Wells Fargo Bank, N.A., 776 F.3d 1343 (Fed. Cir. 2014) ...................................................................... 59 Case: 18-1470 Document: 22 Page: 8 Filed: 05/07/2018
TABLE OF AUTHORITIES (Cont’d) Page No(s). -viii- Core Wireless Licensing S.A.R.L. v. LG Electronics, Inc.880 F.3d 1356 (Fed. Cir. 2018) ...................................................................... 47 DDR Holdings, LLC v. Hotels.com, L.P.773 F.3d 1245, 1257 (Fed. Cir. 2014) ............................................................ 47 EasyWeb Innovations, LLC v. Twitter, Inc., 689 F. App’x 969 (Fed. Cir. 2017) ................................................................. 41 Elec. Power Grp., LLC v. Alstom S.A., 830 F.3d 1350 (Fed. Cir. 2016) .......................................................... 31, 42, 46 FairWarning IP, LLC v. Iatric Systems, Inc., 839 F.3d 1089 (Fed. Cir. 2016) ...................................................................... 41 Finjan, Inc. v. Blue Coat Systems, Inc.879 F.3d 1299 (Fed. Cir. 2018) ...................................................................... 46 Fresenius USA, Inc. v. Baxter Intern., Inc., 582 F.3d 1288 (Fed. Cir. 2009) ...................................................................... 61 Intellectual Ventures I LLC v. Capital One Bank (USA), 792 F.3d 1363 (Fed. Cir. 2015) ................................................................ 48, 54 IntellectualVentures I LLC v. Capital One Fin. Corp., 850 F.3d 1332 (Fed. Cir. 2017) ................................................................ 31, 42 Intellectual Ventures I LLC v. Symantec Corp., 838 F.3d 1307 (Fed. Cir. 2016) .............................................................. passimInternet Patents Corp. v. Active Network, Inc., 790 F.3d 1343 (Fed. Cir. 2015) ...................................................................... 31 McRO, Inc. v. Bandai Namco Games America, Inc.837 F.3d at 1316 ............................................................................................. 47 Case: 18-1470 Document: 22 Page: 9 Filed: 05/07/2018
TABLE OF AUTHORITIES (Cont’d) Page No(s). -ix- Maxon, LLC v. Funai Corp., --- F. App’x ----, 2018 WL 1719101 (Fed. Cir. Apr. 9, 2018) ....................... 69 Mayo Collaborative Svcs. v. Prometheus Labs., Inc., 132 S.Ct. 1289 (2012) ..................................................................................... 56 Microsoft Corp. v. i4i Ltd. P’ship, 564 U.S. 91 (2011) .......................................................................................... 67 Parker v. Flook, 437 U.S. 584 (1978) .................................................................................. 28, 56 Prism Technologies LLC v. T-Mobile USA, Inc., 696 F. App’x 1014 (Fed. Cir. 2017) ....................................................... passimRecogniCorp, LLC v. Nintendo Co., 855 F.3d 1322 (Fed. Cir. 2017) ...................................................................... 38 Return Mail, Inc. v. United States Postal Service, 868 F.3d 1350 (Fed. Cir. 2017) ................................................................ 54, 57 In re Salwan, 681 F. App’x 938 (Fed. Cir. 2017) ................................................................. 41 Secure Mail Solutions LLC v. Universal Wilde, Inc., 169 F. Supp. 3d 1039 (C.D. Cal. 2016), aff’d 873 F.3d 905 (Fed. Cir. 2017) ............................................................................................... 17 Secured Mail Sols. LLC v. Universal Wilde, Inc., 873 F.3d 905 (Fed. Cir. 2017) ................................................................ passimSmart Sys. Innovations, LLC v. Chicago Transit Auth., 873 F.3d 1364 (Fed. Cir. 2017) ...................................................................... 41 SmartFlash, LLC v. Apple Inc., 680 F. App’x 977 (Fed. Cir. 2017) ........................................................... 41, 45 Case: 18-1470 Document: 22 Page: 10 Filed: 05/07/2018
TABLE OF AUTHORITIES (Cont’d) Page No(s). -x- SmithKline Beecham Corp. v. Apotex Corp., 439 F.3d 1312 (Fed. Cir. 2006) ...................................................................... 61 Synopsys, Inc. v. Mentor Graphics Corp., 839 F.3d 1138 (Fed. Cir. 2016) .............................................................. passimIn re TLI Commc’ns LLC Patent Litig., 823 F.3d 607 (Fed. Cir. 2016) .................................................................. 31, 46 Thales Visionix Inc. v. United States850 F.3d 1343 (Fed. Cir. 2017) ...................................................................... 47 Two-Way Media Ltd. v. Comcast Cable Commc’ns, LLC, 874 F.3d 1329 (Fed. Cir. 2017) ................................................... 28, 32, 52, 56 Ultramercial, Inc. v. Hulu, LLC, 772 F.3d 709 (Fed. Cir. 2014) ........................................................................ 58 Voter Verified, Inc. v. Election Sys. & Software, Inc., --- F.3d ----, 2018 WL 1882917 (Fed. Cir. Apr. 20, 2018) ............................ 69 OTHER AUTHORITIES 35 U.S.C. § 101 .................................................................................................... 30 Case: 18-1470 Document: 22 Page: 11 Filed: 05/07/2018
-1- STATEMENT OF RELATED CASES Pursuant to Federal Circuit Rule 47.5, SecureAuth states that there have been no other appeals from the same civil action in this or any other appellate court. Counsel is aware of the following pending cases that will directly affect or be directly affected by this Court’s decision in the pending appeal: StrikeForce Technologies, Inc. v. Gemalto Inc. et al., 1-17-cv-10422 (D.Mass.) StrikeForce Technologies, Inc. v. Vasco Data Security Int'l et al., 1-17-cv-10423 (D.Mass.) StrikeForce Technologies, Inc. v. Duo Security, Inc., 2-16-cv-03571 (D.N.J.) StrikeForce Technologies, Inc. v. Centrify Corp., 2-16-cv-03574 (D.N.J.) Case: 18-1470 Document: 22 Page: 12 Filed: 05/07/2018
-2- COUNTER-STATEMENT OF THE ISSUES Whether the district court correctly held that StrikeForce’s claims are ineligible under the familiar two-step Alice framework because they (1) are directed to the concededly abstract and long-practiced idea of “out-of-band authentication” (i.e., using a second communication channel to authenticate information communicated over a first channel) and (2) add nothing inventive, instead merely implementing the abstract idea with generic computer components. Case: 18-1470 Document: 22 Page: 13 Filed: 05/07/2018
-3- INTRODUCTION The patent claims in this appeal are directed to “out-of-band authentication,” an idea StrikeForce describes as using “two completely separate communication channels to verify a person’s identification.” Br. at 3. This idea is not specific to computers; it also applies to non-computer communication channels such as paper mail, telephone calls, and human messengers. For example, a parent may ask a relative to pick up a child from preschool. The relative may go to the school on behalf of the parent and convey the parent’s request. To confirm whether the information from the relative is authentic, i.e., whether the parent truly asked the relative to pick up the child, an administrator may call the parent. Thus, the preschool performs out-of-band authentication. In StrikeForce’s claims, the child’s classroom is replaced with a “host computer” and the administrator’s office is replaced with a “security computer.” The relative’s request is a “demand for access,” and the parent’s confirmation is “transmitted data.” These substitutions provide superficial ties to computers, but do not change the underlying idea or make it less abstract. This Court previously invalidated the claims of several patents directed to out-of-band authentication. SeeSecured Mail Sols. LLC v. Universal Wilde, Case: 18-1470 Document: 22 Page: 14 Filed: 05/07/2018
-4- Inc., 873 F.3d 905 (Fed. Cir. 2017). Although the Court did not use the term “out-of-band,” it explained that three of the patents at issue were directed to “verifying the authenticity of a mail object (e.g., envelope or package)” using “[c]omputers and networks.” The claims of those patents recited out-of-band authentication because they verified information received via one channel (postal mail) using a separate channel (a computer network). StrikeForce’s claims are even more abstract than those invalidated in Secured Mail. Moreover, StrikeForce has repeatedly admitted that out-of-band authentication is the focus of its claims. For example, StrikeForce told the Delaware district court that “separate, out-of-band authentication” is “the essence of the invention” in all three patents at issue here. Appx798-799 (emphasis added). When opposing SecureAuth’s § 101 motion, StrikeForce argued for the first time that its claims were “directed to more than simply ‘out-of-band authentication.’” Appx1286. StrikeForce began to argue that the claims were directed to “completely” out-of-band authentication, in which the second channel is used to send a prompt and receive a response. Appx1276; Appx1286. But that fails to show StrikeForce’s claims are not directed to out-of-band authentication. If anything, it shows the opposite: that StrikeForce’s claims are Case: 18-1470 Document: 22 Page: 15 Filed: 05/07/2018
-5- completely directed to that abstract idea. Moreover, StrikeForce conceded below that “out-of-band” and “completely out-of-band” are both accurate descriptions of its alleged invention, and that both refer to the same basic idea. Appx1393-1394. The key feature of that idea is the use of an authentication channel separated from an access channel. Authentication is no less abstract when conducted completely out-of-band. In the preschool analogy above, the authentication is completely out-of-band because the administrator prompts the parent for information over the out-of-band channel (the telephone line) and the parent responds over the same channel. Similarly, the authentication in Secured Mail was completely out-of-band because it required bidirectional communication in the out-of-band channel (the computer network). Apart from out-of-band authentication, StrikeForce’s claims recite only undisputedly conventional components, such as routers, databases and web servers, which provide no inventive concept under Alice. StrikeForce argues that combining these conventional components with (abstract) out-of-band authentication was novel and non-obvious. However, it is beyond dispute that novelty and non-obviousness are immaterial to a § 101 analysis. Under the Case: 18-1470 Document: 22 Page: 16 Filed: 05/07/2018
-6- proper legal standards set forth in Alice, the claims here fail to satisfy § 101, precisely as the district court held. This Court should affirm the decision below. COUNTER-STATEMENT OF THE CASE A.The Patents StrikeForce accused SecureAuth of infringing 43 claims across three patents, all of which share the same specification.11.The Specification Describes Out-of-Band Authentication And Admits It Was Well-Known The specification’s background section identifies the following alleged problem with certain previously existing authentication systems: Typically, access-control security products ... are in-band authentication systems [in which] all information exchanged is on the same network or in-band. The technical problem created thereby is that the hacker is in a self-authenticating environment. Appx32 at 2:14-22. The alternative to this allegedly problematic in-band approach is “an out-of-band system that is entirely outside the host computer network being accessed.” Id. at 1:16-20. The specification explains that out-of-band authentication occurs when “a communication channel, or medium, other than 1 The asserted patents were U.S. Patent Nos. 7,870,599 (the ’599 Patent), 8,484,698 (the ’698 Patent), and 8,713,701 (the ’701 Patent). Case: 18-1470 Document: 22 Page: 17 Filed: 05/07/2018
-7- the one over which the network communication takes place, is used to transmit or convey an access key.” Appx33 at 3:5-10. The specification concedes that out-of-band authentication was well-known. See id. at 3:4-35 (identifying two prior patents that described (1) “out-of-band authentication” and (2) “an out-of-band channel ... to verify the authenticity of [a] message”). Moreover, StrikeForce admits on appeal that its “invention was not the first ‘out-of-band’ authentication solution.” Br. at 13. Thus, StrikeForce cannot take credit for any security improvement provided by out-of-band authentication relative to in-band authentication. 2.The Specification Describes Host Or Location Authentication As A Key Part Of The Alleged Invention Besides the in-band/out-of-band distinction, the specification discusses a “dichotomy between user authentication and host authentication.” Appx32 at 1:44-46. User authentication identifies a person seeking access, while host authentication identifies the device (and sometimes the location) from which access is sought. See id. at 1:46-53, 2:1-13. One of the most common examples of host authentication was a “‘callback’ system.” Id. Callback systems “work by calling a computer back at a predetermined telephone number. These systems authenticate the location of a computer and are suitable for dial-up Case: 18-1470 Document: 22 Page: 18 Filed: 05/07/2018
-8- (modem) networks ....” Id. However, the specification identifies the following problem with callbacks: Now, as virtually all computer networks are accessible by modem-independent internet connection, location authentication by callback is no longer secure. The lack of security arises as there is no necessary connection between the internet address and a location, and, in fact, an internet address most often changes from connection to connection. Id. at 2:25-33. Without a modem, the Internet connection itself cannot be used to verify a location. Thus, the patents propose that after the user’s identity is verified, a separate phone call should verify the user’s location. Appx33 at 4:10-16. The specification identifies this combination of user authentication and out-of-band location authentication as a key part of the alleged invention. Id. at 4:6-22 (“the system operating in an out-of-band mode, uses telephone dialup for location authentication”); 4:43-45 (“the present invention ... restricts authentication to a given instrument thereby enabling restriction to a fixed location”).22 Emphasis in quotes is added unless otherwise noted. Case: 18-1470 Document: 22 Page: 19 Filed: 05/07/2018
-9- 3.The Claims Are Not Directed To The Alleged Improvement Of Location Authentication Consistent with the specification’s telephone-based solution for location authentication without a modem, all of StrikeForce’s originally filed claims required a security computer to call an accessor using a “telephonic device.” Appx3378-3384.3 But the claims that StrikeForce obtained more than a decade later—the ones at issue in this appeal—are untethered from that purported solution. They do not require landline telephones or any other devices with fixed locations; rather, they cover Internet-connected devices that are subject to the same problem the specification seeks to solve. See Appx32at 2:30-32 (“[A] lack of security arises as there is no necessary connection between the internet address and a location....”). StrikeForce’s claims are directed to out-of-band authentication that is entirely generic. For example, claim 53 of the ’698 patent recites (1) receiving login information for a computer in a first channel, (2) verifying the login information, (3) requesting data via a separate computer in a second channel, and (4) deciding whether to grant access to the first computer based on the data. 3 Those original claims appeared in U.S. Pat. App. No. 09/655,297, to which all three patents at issue here claim priority. Case: 18-1470 Document: 22 Page: 20 Filed: 05/07/2018
-10- Appx72 at 18:47-62. The other claims focus on this same concept, adding only conventional components and communication steps. Indeed, StrikeForce does not dispute that each individual component of the claims was conventional. Br. at 32 (admitting that “the Asserted Claims employ known communications channels and computer hardware systems”). 4.The Specification Does Not Purport To Solve The Problem Of Partially Out-of-Band Authentication StrikeForce’s opening brief asserts that “completely” out-of-band authentication solved a problem with “partially” out-of-band authentication. To criticize partially out-of-band authentication, StrikeForce disparages a reference called “Wesinger,” which is discussed in the specification. StrikeForce’s brief cites the specification to argue as follows: The problem with a system like Wesinger, which was only partially out-of-band, is that, if the hacker has already penetrated the access channel and collected the user name and password, he needs only to wait awhile to collect thesecondary authentication information. He could then use the user name, password, and secondary authentication information together to break into the account. Br. at 15. The specification refers to the above “secondary authentication information” as a “key.” Appx33 at 3:4-24 (discussing Wesinger). Although StrikeForce argues that a hacker could collect the key from the access channel and use it to “break into the account,” the specification says the opposite. Case: 18-1470 Document: 22 Page: 21 Filed: 05/07/2018
-11- According to the specification, the key in Wesinger “is unique to each transmission, such that even if a hacker is able to obtain it, it cannot be used at other times or places or with respect to any other connection.”Id. at 3:22-24. Thus, the specification contradicts StrikeForce’s assertion that capturing the key would allow a hacker to “break into the account.” Attempting to support its baseless argument, StrikeForce misleadingly quotes an entirely different part of the specification that does not even address Wesinger. Br. at 15 (citing Appx34 at 5:52-55). That part of the specification describes only an “in-band arrangement” exemplified by a reference called “Tuai,” not the partially out-of-band arrangement from Wesinger. Appx34 at 5:39-55. StrikeForce quotes Tuai as discussing the problem of information in a channel being captured by “any improper accessor into this channel.” Id. at 5:52-55. But the “channel” being discussed is a “single communication channel” in an “in-band” system. Id. at 5:39-55. The specification never suggests that Tuai’s in-band vulnerability would apply to Wesinger’s out-of-band system. In fact, the specification says the opposite, as explained above. Thus, the specification does not support StrikeForce’s attempt to recast its invention as solving the problem of partially out-of-band authentication. Case: 18-1470 Document: 22 Page: 22 Filed: 05/07/2018
-12- B.StrikeForce’s Litigation Campaign Against Out-of-Band Authentication Before SecureAuth’s § 101 challenge, StrikeForce claimed to own the “Out-of-Band Patents,” Appx502, and to “aggressively” enforce them against “Out of Band Authentication,” which StrikeForce views as a “standard for authenticating consumers in the financial market.” Appx152-153 (SEC filing discussing StrikeForce’s “Business” of prosecuting and asserting “Out of Band Authentication” patents); see also Appx1252-1253 (press release announcing that “StrikeForce Continues its Patent Litigation Strategy Against ‘Out-of-Band’ Authentication Infringers”). Touting broad ownership over out-of-band authentication, StrikeForce has asserted one or more of the present patents against seventeen defendants in Delaware, Massachusetts, New Jersey, and Virginia.4 In these litigations, StrikeForce has repeatedly characterized its invention as “out-of-band authentication.” Indeed, StrikeForce told the District 4See StrikeForce Techs., Inc. (“StrikeForce”) v. PhoneFactor, Inc., No. 1:13-cv-00490 (D. Del.); StrikeForce v. Authentify, Inc., No. 1:14-cv-01074 (D. Del.); StrikeForce v. Microsoft Corp., No. 1:15-cv-00465 (D. Del.); StrikeForce v. Duo Sec., Inc., No. 2:16-cv-03571 (D.N.J.); StrikeForce v. Centrify Corp., No. 2:16-cv-03574 (D.N.J.); StrikeForce v. Trustwave Holdings, Inc., No. 2:16-cv-03573 (D.N.J.); StrikeForce v. Gemalto Inc., No. 1:17-cv-10422 (D. Mass.); StrikeForce v. Vasco Data Sec. Int’l, Inc., No. 1:17-cv-10423 (D. Mass.); StrikeForce v. Entrust, Inc., No. 1:17-cv-309 (E.D.Va.). Case: 18-1470 Document: 22 Page: 23 Filed: 05/07/2018
-13- of Delaware that “separate, out-of-band authentication” is “theessence of the invention” in all three patents. Appx798-799. C.The Present Case StrikeForce filed its initial complaint against SecureAuth in the Eastern District of Virginia on March 16, 2017. The complaint referred to the asserted patents as “Out-of-Band Patents.” Appx444. Among other defects, the complaint failed to identify the asserted claims and accused products. Thus, SecureAuth moved to dismiss it. Appx125. Separately, SecureAuth moved to transfer the case to the Central District of California. Appx129. In its oppositions to SecureAuth’s motions, StrikeForce again confirmed: “the patented inventions are directed to multichannel security systems and methods for authenticating a user through ‘out-of-band’ authentication ....” Appx164; Appx186. After the parties briefed the initial motion to dismiss, StrikeForce asked SecureAuth to stipulate to the filing of an amended complaint. Appx1239-1241. SecureAuth agreed but informed StrikeForce that it would challenge the amended complaint under § 101. Appx781-782, ¶ 10. Case: 18-1470 Document: 22 Page: 24 Filed: 05/07/2018
-14- 1.StrikeForce’s Amended Complaint StrikeForce filed its First Amended Complaint on July 17, 2017, and continued to describe its patents as “Out-of-Band Patents.” Appx500, Appx502. Anticipating a § 101 challenge, StrikeForce added an allegation that the “specific invention, as claimed in the ’599, ’698, and ’701 patents, provides a specific solution to problems caused by the proliferation of data across the Internet by enhancing the functionality of computer systems compared to prior art authentication systems through improved security of the channels used for authentication and access.” Appx503-504, ¶ 13. Despite having notice of SecureAuth’s § 101 challenge, however, StrikeForce failed to identify the “specific solution” referenced in the above allegation or the problems it allegedly solved—leaving the allegation wholly conclusory. Id. The complaint merely identified an alleged result—i.e., “improved security of the channels used for authentication and access”—that is not specific to the Internet or any other technology. Id.2.SecureAuth’s Motion To Dismiss Consistent with StrikeForce’s numerous admissions in this case and others, SecureAuth’s § 101 motion argued that the asserted claims are directed to the abstract idea of out-of-band authentication and recite no inventive Case: 18-1470 Document: 22 Page: 25 Filed: 05/07/2018
-15- concept. Appx747-748. SecureAuth explained that the limitations added to the abstract idea were purely functional and generic, or required only well-known and conventional computer components. Id. SecureAuth also showed how the claims were analogous to patent claims this Court had invalidated under § 101, including in Prism Technologies LLC v. T-Mobile USA, Inc., 696 F. App’x 1014 (Fed. Cir. 2017). Appx755; see also Appx767-768 (detailed analogy to Prism). a.StrikeForce Failed to Identify Any Alternative to Representative Claim 53 In the proceedings below, SecureAuth identified claim 53 of the ’698 patent as representative. Appx773, n.11. SecureAuth identified a single representative claim for all of the patents because the claims of the patents were all directed to the same idea. Id. Indeed, the complaint acknowledged that all three patents claimed a singular “specific invention” that allegedly provided a singular “specific solution.” Id. (citing Appx503). On appeal, StrikeForce continues to assert that all of the claims are directed to a single invention. See, e.g., Br. at 2, 3, 7, 9, 13, 14, 16, 23. StrikeForce argued below that claim 53 was not representative. Appx1283, n.3. But StrikeForce failed to identify any other claim as an Case: 18-1470 Document: 22 Page: 26 Filed: 05/07/2018
-16- alternative.5Id. StrikeForce’s only argument against claim 53 was that, unlikesome other claims, it did not recite an “interception device.” Id.SecureAuth explained that the case law did not preclude use of a representative claim simply because other claims recited additional limitations. Appx1306. SecureAuth properly used claim 53 as representative of the subject matter shared by all the claims and, to ensure a complete analysis, explained why various additional limitations, including the “interception device,” do not change the eligibility analysis. Appx775-776. b.StrikeForce Relied on Limitations Not Recited in All Asserted Claims In response to SecureAuth’s motion, StrikeForce alleged for the first time that its claims are directed to completely out-of-band authentication. Further, StrikeForce argued that certain claims require interception. StrikeForce continues to emphasize both of those concepts on appeal. But the claims do not consistently require them. 5 StrikeForce incorrectly asserts on appeal that it proposed claim 1 of each patent as representative. Br. at 36-37. StrikeForce cites nothing except for its demonstrative slides from the oral argument below. Those slides do not propose any representative claim; they merely compare claim 53 to several other claims. Appx1354-1355. Moreover, when StrikeForce presented the slides, it never stated that any claim on the slides was representative. Appx1372-1374. Case: 18-1470 Document: 22 Page: 27 Filed: 05/07/2018
-17- i.Completely Out-of-Band Authentication According to StrikeForce, “completely” out-of-band authentication occurs when a system “sends a prompt for data using the out-of-band channel and receives the user’s response through that same channel.” Appx1286 (emphasis in original). As SecureAuth explained below, however, the asserted claims do not require both a prompt and response in the same channel. Appx1305-1306. For example, claim 46 of the ’698 patent recites no prompt. Id. Claim 53 (like many others) requires a prompt but does not specify the channel through which it is transmitted. Id. SecureAuth also explained that even if StrikeForce’s claims required an out-of-band prompt and response, that concept would not make the claims patent-eligible. That concept fails to distinguish SecureAuth’s preschool analogy because the prompt and response in the analogy are both transmitted over the out-of-band telephone line. Appx1306; see also Appx1310 (charting analogy). Further, Secure Mail, a case that StrikeForce itself raised below, invalidated claims employing bidirectional out-of-band communication. Appx1306, citing Secure Mail Solutions LLC v. Universal Wilde, Inc., 169 F. Supp. 3d 1039, 1048, 1055 (C.D. Cal. 2016), aff’d 873 F.3d 905 (Fed. Cir. 2017). Case: 18-1470 Document: 22 Page: 28 Filed: 05/07/2018
-18- ii.Interception The second concept StrikeForce focused on below was interception, which appears in elements like the “interception device” from ’698 patent claim 1. See, e.g., Appx1284. StrikeForce argued this element was important to itsinvention, yet admitted that several claims do not recite it. Appx1283, n.3. SecureAuth explained that interception did not save StrikeForce’s claims. First, under a construction StrikeForce agreed to, the interception device was merely “a device that prevents the host computer from receiving what the interception device received instead.” Appx775. The interception device was thus defined by its intended function, rather than any technology used to implement it. Second, SecureAuth explained that the receptionist in the preschool analogy performed the same steps as StrikeForce’s interception device. Appx775-776. Third, SecureAuth explained that, according to StrikeForce’s dependent claims, the interception device may just be “a router.” Appx776 (citing Appx71, 15:44-45). A router is a “purely functional and generic” component. Id. Fourth, SecureAuth explained that the interception device is analogous to limitations in the invalid Prism claims. Appx1304-1305. StrikeForce had Case: 18-1470 Document: 22 Page: 29 Filed: 05/07/2018
-19- argued that “interception ‘requires diversion of the login information and demand for access from the access channel to the security computer in the authentication channel.’” Appx1304 (quoting Appx1284, n.5). Similarly, the Prism claims recited that “identity data” is sent to an “access server,” then re-routed to a separate “authentication server.” Appx1305.c.StrikeForce Relied on an Unclaimed Ordered Combination StrikeForce did not dispute that its individual claim limitations are conventional. Instead, StrikeForce argued that the “arrangement” of its claim elements was “novel” over the prior art. Appx1284, Appx1291. StrikeForce also identified a six-part “ordered combination” that allegedly captured this novelty. Id.StrikeForce argued that its combination rendered its claims non-abstract at Alice step one or at least provided an inventive concept at step two. Appx1284-1285, Appx1291. However, StrikeForce’s claims do not recite StrikeForce’s identified combination—as SecureAuth noted below and StrikeForce never disputed. Appx1386-1387. Further, StrikeForce’s unclaimed combination fails to supply any technology-specific solution, e.g., because it is no different from out-of-band authentication at a preschool. Appx1309-1310. On appeal, StrikeForce has abandoned the unclaimed combination it relied on below in Case: 18-1470 Document: 22 Page: 30 Filed: 05/07/2018
-20- favor of a new combination that is no more technology-specific than the previous one. Compare Appx1291 with Br. at 12. d.StrikeForce Failed to Explain How Any Claim Construction Could Affect the Motion’s Outcome When SecureAuth filed its motion, the parties had not yet exchanged claim construction proposals. However, StrikeForce had proposed constructions in its other cases asserting the same patents. SecureAuth submitted StrikeForce’s proposed constructions from those cases and explained that none of them would change the § 101 analysis. Appx760; Appx781, ¶¶ 2-6. A key dispute in the other cases concerned the terms “access channel” and “authentication channel” (or the equivalent “first” and “second” channel). These two separate channels are what make the claimed authentication scheme out-of-band rather than in-band. The parties in those cases had disputed the extent to which the two channels must be separated. The defendants had proposed that the channels must use physically separate “facilities,” while StrikeForce had proposed a broader construction in which the channels could use separate “facilities, frequency channels, or time slots.” Appx815-817, Appx1138-1147, Appx1193-1196. Thus, StrikeForce had argued to multiple courts that the second, out-of-band channel recited in its claims could be carried on the same physical link as the first channel. Case: 18-1470 Document: 22 Page: 31 Filed: 05/07/2018
-21- StrikeForce took this position in New Jersey and Massachusetts even though the Delaware court had already rejected it. Appx906-907; Appx1193-1194. SecureAuth addressed StrikeForce’s channel constructions in its opening brief below. For example, SecureAuth explained that if those constructions were adopted, they would only strengthen the analogy to Prism. Appx767. SecureAuth also explained that the Delaware court had already rejected StrikeForce’s proposed constructions. Appx768-769. Most importantly, SecureAuth explained that the claims would be invalid regardless of how the channel terms were construed. Id.When StrikeForce filed its brief opposing SecureAuth’s § 101 motion, it repeatedly referred to channels separated by “frequency” or “time slots,” consistent with its proposed constructions. Appx1292, Appx1294. Several weeks later, the Massachusetts court issued an order agreeing with the Delaware court’s channel constructions and rejecting StrikeForce’s proposal. Appx1942-1948. As a result, StrikeForce abandoned that proposal in the case below. Appx1420. StrikeForce never argued, however, that its capitulation on the channel constructions would affect the outcome of the § 101 analysis. For example, more than a month after the Massachusetts decision, at oral argument on Case: 18-1470 Document: 22 Page: 32 Filed: 05/07/2018
-22- SecureAuth’s motion to dismiss under § 101, the district court asked StrikeForce to identify “a claim construction potential dispute whose resolution would affect the analysis here.” Appx1371-1374 at 11:25-14:7. Despite this clear directive, StrikeForce did not raise the channel constructions. Id. Even if it had raised them, no construction would make the claims patent-eligible, as SecureAuth had already explained. Appx767-769. Rather than explain how any construction would impact the § 101analysis, StrikeForce merely stated that the constructions of certain terms were disputed, suggesting that the mere existence of such alleged disputes precluded a § 101 decision. Appx1294; Appx1371-1373. StrikeForce pointed to several terms in a conclusory manner, but those terms were different from the terms StrikeForce had referenced in its brief. Id. Moreover, both in its brief and at oral argument, StrikeForce failed to explain how any specific construction would affect the Alice analysis. Id. SecureAuth explained that StrikeForce’s conclusory references to claim construction did not require the court to delay its § 101 decision. Appx1304. SecureAuth also explained that the proposed constructions StrikeForce mentioned at oral argument could not make the claims patent-eligible because they required only conventional, generic components. Appx1376.Case: 18-1470 Document: 22 Page: 33 Filed: 05/07/2018
-23- e.StrikeForce Admitted That “Out-of-Band” and “Completely Out-of-Band” Refer to the Same Idea As discussed above, in response to SecureAuth’s motion to dismiss, StrikeForce took the position for the first time that its claims are directed to “completely out-of-band” authentication. Appx1385-1386. At oral argument, however, StrikeForce reverted to its previous description and characterized its claims as directed to simply “out-of-band authentication.” E.g., Appx1367-1368. StrikeForce maintained that its description has not been “morphing over time.” Appx1393. Instead, StrikeForce argued, it had “consistently maintainedthat the invention goes to the idea of out-of-band authentication.” Id. According to StrikeForce, its discussion of “complete” out-of-band authentication was simply a more “clear way of describing” the same concept. Appx1394. Thus, StrikeForce conceded that “out-of-band” and “completely out-of-band” authentication are the same idea. 3.The District Court’s Decision The district court began its analysis by explaining that SecureAuth had identified claim 53 as representative and that StrikeForce had failed to identify any proposed alternative. Appx4-5. Accordingly, the court used claim 53 “to frame the Alice inquiry.” Appx5. The court acknowledged that claim 53 lacked the “interception element” recited in some other claims, but found that this Case: 18-1470 Document: 22 Page: 34 Filed: 05/07/2018
-24- element could be “considered in conjunction with the other components” that claim 53 recited. Id. At Alice step one, the court thoroughly summarized StrikeForce’s arguments, including its reliance on (1) a prompt and response in the out-of-band channel, (2) the interception element, and (3) StrikeForce’s unclaimed six-part ordered combination. Appx5. The court also summarized SecureAuth’s arguments, including (1) that the claims were directed to “out-of-band authentication,” which “was used to transmit sensitive information well before the advent of the internet and computers,” (2) that the claims were invalid by analogy to Prism, and (3) that limitations StrikeForce relied on were not recited in all of the asserted claims. Appx6. The court noted StrikeForce’s repeated admissions regarding the focus of its claims, including StrikeForce’s admission that “separate, out-of-band authentication” is the “essence” of its invention. Id., n.1. In addition, the court cited parts of SecureAuth’s opening brief analogizing StrikeForce’s claims to “an ‘out-of-band’ system” for “verifying identity of visitors at preschool.” Id.(citing Appx755, Appx769-770).66 The court cited page numbers from the ECF headers of the briefs. Case: 18-1470 Document: 22 Page: 35 Filed: 05/07/2018
-25- The district court also summarized this Court’s Prism decision. Specifically, it noted that the Prism claims were directed to the abstract idea of “providing restricted access to resources,” which included four abstract steps. Appx6-7. The patentee in Prism argued that its claims covered “a concrete, specific solution to a real-world problem,” but as the district court noted, this Court disagreed. Appx7. The district court explained that StrikeForce’s claims are analogous to the Prism claims, in that both “address an ‘abstract idea of providing restricted access to resources.’” Id. Further, the court held that StrikeForce’s claims are directed to an abstract idea because they reflect a “long-established means of transmitting sensitive information” that is no different from “any out-of-bandauthentication process.” Id. The court also rejected StrikeForce’s argument that the claims are “specifically directed to an improvement in computer functionality,” finding instead that the claims merely apply “familiar processes in the context of the use of computers that are connected to the internet.” Id. Turning to Alice step two, the court rejected StrikeForce’s argument that the claims contained an inventive concept simply because they recited an “ordered combination” that was allegedly “unconventional.” Appx7. The court addressed StrikeForce’s case law—Amdocs and Bascom—and found it Case: 18-1470 Document: 22 Page: 36 Filed: 05/07/2018
-26- inapposite. Appx8. In contrast to those cases, the court found that StrikeForce’s claims implement an abstract idea with a “logical and conventional” ordering of steps. Id.The district court also addressed the “interception device” specifically. Id. The court found that the interception device is not inventive because it is defined solely by “an abstract functional description,” and it performs “the ‘purely functional and generic’ role of a router.” Id.The district court further explained that StrikeForce’s claims, like those in Prism, recite “indisputably generic computer components” that merely perform “abstract functions routine to the process of restricting access.” Appx9. Regarding interception, the court found that it is “similar to the process for diverting identity data from the access server to the authentication server that was addressed and rejected in Prism.” Id. Thus, the court found that StrikeForce’s claims recite no inventive concept and are invalid under § 101. Id.SUMMARY OF THE ARGUMENT The district court properly applied both steps of the Alice framework. 1. At Alice step one, StrikeForce’s claims are directed to the abstract idea of “out-of-band authentication,” as the district court found. Appx7. Out-of-band authentication is the admitted and undeniable “essence” of the claims, is Case: 18-1470 Document: 22 Page: 37 Filed: 05/07/2018
-27- undisputedly abstract, and is not specific to computers. Indeed, it is commonly used in contexts from banks to the military to preschools, and stretches back to ancient times. Moreover, the claims—including their abstract out-of-band authentication concept—are indistinguishable from those that this Court has repeatedly found abstract, in cases such as Secured Mail, Prism, and others. StrikeForce’s principal argument—and the dominant theme runningthroughout its brief—is that the district court overgeneralized the claims as nothing more than “providing restricted access to resources” and did not recognize that the claims are directed to a more specific type of security: out-of-band authentication. That is simply incorrect. In its step one analysis, and again at step two, the district court expressly and correctly held that the claims were directed to the abstract concept of “out-of-band authentication.” StrikeForce also argues that its claims are not abstract because they are “completely” out-of-band and use interception. But those features are not even required by all of the claims and, in any event, do not make the claims any less abstract or different from the out-of-band authentication that humans have long performed. Nor do the claims include anything like the computer-specific technological improvements that made claims patent-eligible in the handful of cases that StrikeForce cites. Here, the claims merely implement a longstanding Case: 18-1470 Document: 22 Page: 38 Filed: 05/07/2018
-28- abstract concept using computers as a tool—the hallmark of claims that are abstract at Alice step one. 2. At Alice step two, StrikeForce’s claims recite no inventive concept because the claims merely break the out-of-band authentication idea into its basic steps as implemented using conventional computer components and generic computer functions. Indeed, StrikeForce does not contend that any individual element is unconventional and instead makes several arguments based on an “ordered combination” of elements. Those arguments fail. StrikeForce contends that the ordered combination is novel and non-obvious over the prior art and that it does not preempt all out-of-band authentication. But the law has been clear for decades: distinguishing prior art is not enough to satisfy § 101 and complete preemption is not the test for ineligibility under § 101. See, e.g., Parker v. Flook, 437 U.S. 584, 589-90 (1978). Indeed, this Court routinely invalidates claims despite their novelty or non-obviousness and without complete preemption. See, e.g., Two-Way Media Ltd. v. Comcast Cable Commc’ns, LLC, 874 F.3d 1329, 1339-40 (Fed. Cir. 2017); Intellectual Ventures I LLC v. Symantec Corp., 838 F.3d 1307, 1321 (Fed. Cir. 2016). Here, StrikeForce’s claims are ineligible—regardless of novelty, non-obviousness, or preemption—because the claims’ additional Case: 18-1470 Document: 22 Page: 39 Filed: 05/07/2018
-29- features add nothing inventive under Alice. And StrikeForce’s preemption argument rings especially hollow given its stated goal of asserting its “out-of-band” patents against an entire industry. 3. Finally, StrikeForce’s last-ditch effort to manufacture a “fact” issue fails. As the Supreme Court and this Court have held in many other cases, the intrinsic record here is dispositive. The claims are directed to an abstract idea and add no inventive concept as a matter of law. Nothing in the complaint—in the single paragraph StrikeForce identifies or elsewhere—changes that conclusion. At most, the complaint makes conclusory or legal assertions that are entitled to no weight. Moreover, unlike in Aatrix, StrikeForce did not seek to amend its complaint to add allegations and does not contend that additional allegations would bolster its claims’ eligibility—nor could it. The district court correctly held the claims ineligible as a matter of law. This Court should affirm the district court’s judgment. STANDARD OF REVIEW This Court, like the Ninth Circuit, reviews the grant of a motion to dismiss de novo. Secured Mail, 873 F.3d at 909. “To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. Case: 18-1470 Document: 22 Page: 40 Filed: 05/07/2018
-30- 662, 678 (2009), quotingBell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007). This standard is not satisfied by pleading that recites mere “labels and conclusions” or “naked assertions devoid of further factual enhancement.” Id. Further, when ruling on a motion to dismiss, “a court need not ‘accept as true allegations that contradict matters properly subject to judicial notice or by exhibit,’ such as the claims and the patent specification.” Secured Mail, 873 F.3d at 913. This Court routinely “determine[s] claims to be patent-ineligible at the motion to dismiss stage based on intrinsic evidence from the specification without need for ‘extraneous fact finding outside the record.’”Id. at 912. ARGUMENT Section 101 of the Patent Act states that “[w]hoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.” 35 U.S.C. § 101. However, § 101 “contains an important implicit exception” for abstract ideas. Alice Corp. v. CLS Bank Int’l, 134 S. Ct. 2347, 2354 (2014). Such ideas are not patent-eligible, as a matter of law, because they are basic tools in the “storehouse of knowledge” that are “free to all ... and reserved exclusively to none.” Bilski v. Kappos, 561 U.S. 593, 602 (2010). To determine whether computer-based Case: 18-1470 Document: 22 Page: 41 Filed: 05/07/2018
-31- claims are impermissibly abstract, the Supreme Court established a now-familiar two-step framework. Alice, 134 S. Ct. at 2355, 2360. At step one, the Court asks whether the claims are directed to an abstract idea. Id. at 2355. That is, the Court must determine whether the claims’ “focus” and “character as a whole”—their “most important aspect”—is an abstract idea. Elec. Power Grp., LLC v. Alstom S.A., 830 F.3d 1350, 1353 (Fed. Cir. 2016); Internet Patents Corp. v. Active Network, Inc., 790 F.3d 1343, 1348 (Fed. Cir. 2015). Abstract ideas include “collecting, displaying, and manipulating data,” regardless of whether the data relates to a specific “technological environment.” IntellectualVentures I LLC v. Capital One Fin. Corp., 850 F.3d 1332, 1340 (Fed. Cir. 2017). Claims that use computers as simply “a conduit for [an] abstract idea” and fail to provide “a specific improvement to computer functionality” are “directed to” that abstract idea at Alice step one. In re TLI Commc’ns LLC Patent Litig., 823 F.3d 607, 612 (Fed. Cir. 2016). At step two, the Court determines whether the other claim elements, individually or collectively, add “‘significantly more’” to the abstract idea—something “‘inventive’”—that is “sufficient to ‘transform’ the claimed abstract idea into a patent-eligible application.” Alice, 134 S. Ct. at 2357. Taking an abstract idea and adding “well-understood,” “routine,” or “conventional” Case: 18-1470 Document: 22 Page: 42 Filed: 05/07/2018
-32- activities—or limiting the idea to a particular technological environment or field of use—contributes nothing inventive. Id. at 2359. Further, patent claims cannot simply recite “‘generic functional language to achieve [the] purported solutions’” without claiming “‘how the desired result is achieved.’” Two-Way Media, 874 F.3d at 1339 (quoting Electric Power, 830 F.3d at 1355). StrikeForce’s claims are ineligible under § 101 because they are directed to out-of-band authentication and, beyond that abstract idea, recite only non-inventive elements (conventional components and generic computer functions) that do not make the claims patent-eligible. A.StrikeForce’s Claims Are Directed To The Abstract Idea Of Out-of-Band Authentication 1.StrikeForce’s Claims Admittedly Focus On Out-of-Band Authentication The clear focus of StrikeForce’s claims is the idea of “out-of-band authentication.” All of the claims recite the distinguishing feature of that idea—two separate channels. Moreover, StrikeForce itself has repeatedly admitted that “out-of-band authentication” is the essence of the claims:StrikeForce’s SEC filings and press releases tout its “out-of-band” patents and promises to assert them widely against users of “out-of-band authentication.” Supra, II.B. StrikeForce told the district court in Delaware that “separate, out-of-band authentication” is “the essence of the invention.” Appx798-799; Case: 18-1470 Document: 22 Page: 43 Filed: 05/07/2018
-33- Before the present case was transferred, StrikeForce twice told the Eastern District of Virginia, “the patented inventions are directed to multichannel security systems and methods for authenticating a user through ‘out-of-band’ authentication ....” Appx164; Appx186; After StrikeForce was on notice of SecureAuth’s § 101 challenge, StrikeForce filed an amended complaint that continued to describe its patents as “Out-of-Band Patents.” Appx502. Even at the oral argument below, StrikeForce admitted that “theinvention goes to the idea of out-of-band authentication.” Appx1393. StrikeForce’s admissions accurately identified the focus of the claims, as the district court explained in finding that the claims were directed to an “out-of-band authentication process.” Appx7; see Appx6, n.1 (quoting admissions). StrikeForce’s opening brief in this Court confirms as much. StrikeForce asserts the claims recite a “particular way” of performing out-of-band authentication, using a bulleted list of five steps. Br. at 29.7 But that bulleted list at most reiterates and elaborates on the basic steps for performing out-of-band authentication—i.e., using separate channels for access and authentication. See Br. at 12, 33. StrikeForce’s inclusion of additional features in the bulleted list (such as an “interception” element that does not even appear in all claims) 7 StrikeForce’s description of its “particular way” before this Court differs from the description it presented to the district court. Compare Br. at 12 with Appx1284-1285. Case: 18-1470 Document: 22 Page: 44 Filed: 05/07/2018
-34- does not change the central focus of the claims, all of which recite separate authentication and access channels. Likewise, StrikeForce describes the existing problem as the “use of a single channel” (Br. at 8), which allows “man-in-the-middle” attacks (“the lurking hacker, listening in on the access channel”). Br. at 2-3, 25, 29-30, 35, 38, 48. To avoid this problem, all that is needed is two separate channels. See, e.g., Br. at 10-11 (“the hacker cannot gain access” because “authentication takes place on a completely separate, out-of-band channel”). Thus, even by StrikeForce’s description, the claims are directed to out-of-band authentication. 2.Out-of-Band Authentication Is An Age-Old Abstract Idea That Is Not Specific To Computers Or Any Other Technology StrikeForce does not dispute that out-of-band authentication is an abstract idea. Nor could it. Out-of-band authentication is a “long-established” idea that is not confined to the computer realm or any specific technology, as the district court found. Appx7. For example, when a banking customer seeks access to account information over the phone, banks routinely authenticate using information (such as a PIN) communicated through a separate channel (such as the mail). More dramatically, the film Crimson Tide depicts a scenario in which short alphabetic codes printed on paper and stored in a safe onboard a submarine are used to authenticate a radio transmission ordering the launch of nuclear Case: 18-1470 Document: 22 Page: 45 Filed: 05/07/2018
-35- missiles. Similarly, in ancient history, the Greeks decoded messages using wooden staffs carried separately from the messages. SecureAuth presented many of these examples to the district court below, and StrikeForce did not dispute, or even address, any of them. Appx757; Appx1307. Moreover, the out-of-band authentication in StrikeForce’s claims is commonly performed in preschools, as shown below with respect to claim 53 of the ’698 patent. See Prism,696 F. App’x at 1017 (citing “pre-computer-age corollaries for which humans similarly restrict and provide access to resources”). StrikeForce Claim Preschool Security 53. A software method for employing a multichannel security system to control access to a computer, comprising the steps of: A preschool employs multichannel security to control access to a child when a parent sends a relative to pick up the child. receiving in a first channel a login identification demand to access a host computer also in the first channel; A receptionist at a desk in the preschool’s main office receives, in person, an identification (e.g., name) of the relative and a request to access the child in the classroom. verifying the login identification; The relative’s name is verified, e.g., by checking the relative’s driver’s license.receiving at a security computer in a second channel the demand for access and the login identification; A preschool administrator with a telephone receives the relative’s request to access the child and the relative’s name. outputting from the security computer a prompt requesting a transmission of data; The administrator calls the parent and asks whether the relative is authorized to pick up the child. Case: 18-1470 Document: 22 Page: 46 Filed: 05/07/2018
-36- receiving the transmitted data at the security computer; The administrator receives the parent’s response to the question. comparing the transmitted data to predetermined data; and The administrator compares the parent’s response to what the relative said. depending on the comparison of the transmitted and the predetermined data, outputting an instruction from the security computer to the host computer to grant access to the host computer or deny access thereto. If the information provided by the parent matches the information from the relative, the administrator issues an instruction to the teacher in the classroom to let the relative pick up the child. The preschool also performs authentication “completely” out-of-band because the administrator’s call to the parent and the parent’s response are both carried on the same out-of-band channel, i.e., the telephone line. StrikeForce attempted to distinguish SecureAuth’s preschool analogy below, but failed. Appx1308-1309 (rebutting StrikeForce’s arguments at Appx1289-1290). As SecureAuth explained, StrikeForce’s alleged distinctions were not distinctions at all because they were consistent with the preschool analogy. Id. (explaining how a criminal at a preschool would perform actions that StrikeForce alleged a hacker would perform). Moreover, StrikeForce’s alleged distinctions were irrelevant because they were based on limitations that the claims do not require. Id.; seeSynopsys, Inc. v. Mentor Graphics Corp., 839 F.3d 1138, 1149 (Fed. Cir. 2016) (“The § 101 inquiry must focus on the language of the Asserted Claims themselves.”). Case: 18-1470 Document: 22 Page: 47 Filed: 05/07/2018
-37- StrikeForce argued, for example, that the parent and relative in the preschool analogy are separate, and not a single “accessor.” Appx1290. But StrikeForce’s distinction is not in the claims. Indeed, many claims do not even recite the “accessor,” so they certainly do not require the communications in both channels to come from that accessor. Regardless, the specification explicitly states that the “accessor” may include two separate entities. Appx66 at 6:27-29 (“the person desiring access and the equipment used thereby”). Moreover, in the analogy the parent is a single accessor who communicates in two channels—(1) through the relative and (2) over the phone. StrikeForce may attempt to distinguish the preschool analogy on reply by arguing that “man-in-the-middle” attacks (with a “lurking hacker, listening in on the access channel”) do not occur in preschools. See, e.g., Br. at 25, 35, 48 (repeatedly relying on “man-in-the-middle” attacks). However, the claims say nothing about stopping “man-in-the-middle attacks,” as opposed to other unauthorized access, so this argument would be irrelevant. Regardless, like the lurking hacker, a criminal may listen in on the relative’s in-person interactions at a poorly secured preschool to gather pertinent information—e.g., names of the child and the child’s parent—and later use that information to abduct the child. But the preschool’s out-of-band call to the parent would prevent such Case: 18-1470 Document: 22 Page: 48 Filed: 05/07/2018
-38- unauthorized access, just like the out-of-band communication in StrikeForce’s claims.8This Court has repeatedly used analogies to non-computer activities, like those presented above, to show that an idea is not computer-specific. See, e.g., Symantec, 838 F.3d at 1314 (holding email filtering claims ineligible by analogy to practices performed by “people receiving paper mail”); Affinity Labs of Texas, LLC v. Amazon.com Inc., 838 F.3d 1266, 1270 (Fed. Cir. 2016) (holding claims to “delivery of media content” ineligible by analogy to “dial-a-joke” services, “which were available long before the invention of cellular telephones or the Internet”); RecogniCorp, LLC v. Nintendo Co., 855 F.3d 1322, 1326 (Fed. Cir. 2017) (holding data-encoding claims ineligible by analogy to “Paul Revere’s ‘one if by land, two if by sea’ signaling system”). Thus, SecureAuth’s analogies demonstrate that out-of-band authentication is abstract and longstanding, not computer-specific. 8 Even if StrikeForce could identify some claim limitation that the preschool analogy does not address, the limitation would need to be considered at step two to see if it adds an inventive concept. Alice, 134 S.Ct. at 2355. Case: 18-1470 Document: 22 Page: 49 Filed: 05/07/2018
-39- 3.StrikeForce’s Claims Are Indistinguishable From The Abstract Claims In Secured Mail, Prism, And Similar Cases This Court’s decisions—most notably Prism and Secured Mail—further demonstrate the abstractness of StrikeForce’s claims. Indeed, the representative claim in Prism is nearly identical to StrikeForce’s claim 53. See 696 F. App’x at 1016; see also Appx767-768 (comparison chart). Both the Prism claims and StrikeForce’s claims are directed to similar ways of “controlling access to resources,” as the district court noted. Appx7. The only substantive difference is that StrikeForce’s claims require separate “access” and “authentication” channels, while the Prism claims require separate “access” and “authentication” servers. Compare Appx72 at 18:47-62 with 696 F. App’x at 1016. Below, StrikeForce attempted to cast the Prism claims as “simply us[ing] a computer to implement the age-old process of checking ID.” Appx1272. StrikeForce also argued that “the communications in Prism occur in the same communication pathway.” Appx1284. But communications to the access server in Prism cannot use the same pathway as communications to the authentication server, because theyhave two different endpoints (i.e., the two different servers). Further, these two servers, and the allocation of steps between them, shows that the Prism claims required more than just “checking ID.” Case: 18-1470 Document: 22 Page: 50 Filed: 05/07/2018
-40- On appeal, StrikeForce absurdly suggests that the claims in Prism “would preempt any use of single-factor authentication.” Br. at 39. But the Prismclaims did not preempt that broadly, at least because their scope excluded uses where data was not diverted from an “access server” to an “authentication server.” Thus, StrikeForce’s criticism of Prism is baseless. Moreover, the difference between the separate “servers” in Prism and StrikeForce’s separate “channels” does not dictate a different outcome under § 101. Indeed, this Court considered claims using two separate channels in Secured Mail, and found them abstract. Specifically, three of the patents in Secured Mail claimed a method for “verifying the authenticity” of information. 873 F.3d 907. The method used out-of-band authentication because it verified information (such as sender data) received via one communication channel (postal mail) using a separate authentication channel (a computer network). See id. at 908 (representative claim). Further, the authentication in Secured Mail was completely out-of-band because it required (1) “receiving” an “authenticating portion” of data “via a network,” (2) determining that “said authenticating portion . . . corresponds with [a] verifying portion” of data, and (3) “providing . . . verification data” over the same computer “network.” 873 F.3d at 907-08. But this Court held that the Case: 18-1470 Document: 22 Page: 51 Filed: 05/07/2018
-41- claims were directed to an abstract idea. Id. at 907. Thus, Secured Mail also shows that StrikeForce cannot rely on “completely out-of-band authentication” to avoid abstractness. When SecureAuth explained below that Secured Mail addressed out-of-band authentication, StrikeForce argued that this Court “did not describe the Secured Mail system in this manner.” Appx1416. Thus, StrikeForce pointed to the case’s phraseology, but failed to challenge SecureAuth’s substantive point. It is undisputed that Secured Mail addressed patent claims involving out-of-band authentication, and held they were directed to an abstract idea. StrikeForce’s claims are no different. This Court has also held ineligible numerous other information-security claims reciting countless data-processing steps and computer components, in cases such as FairWarning IP, LLC v. Iatric Systems, Inc., 839 F.3d 1089, 1093 (Fed. Cir. 2016) (protecting security of computer records), SmartFlash, LLC v. Apple Inc., 680 F. App’x 977, 978-982 (Fed. Cir. 2017) (“conditioning andcontrolling access to data”), EasyWeb Innovations, LLC v. Twitter, Inc., 689 F. App’x 969, 970 (Fed. Cir. 2017) (verifying that “message was sent by an authorized sender”), and In re Salwan, 681 F. App’x 938, 939-40 (Fed. Cir. 2017) (“device for providing user authorization”); see alsoSmart Sys. Case: 18-1470 Document: 22 Page: 52 Filed: 05/07/2018
-42- Innovations, LLC v. Chicago Transit Auth., 873 F.3d 1364, 1369 (Fed. Cir. 2017) (“bankcard verification system” for granting access). Here, as in such cases, StrikeForce’s claims are directed to an abstract idea. More generally, StrikeForce’s claims are directed to an abstract idea because they recite the same type of information-based steps that this Court recognized as abstract in numerouscases. For example, in Electric Power, this Court found that “lengthy” claims for processing computer data—by collecting, analyzing, and displaying it in specific ways—were directed to abstract ideas because they fundamentally recited the type of data manipulation that humans have long performed. 830 F.3d at 1352-54. The same is true here: the claims recite data manipulation such as collecting login information, analyzing it to determine whether access is authorized, and outputting a result. See also, e.g., Capital One Fin., 850 F.3d at 1340 (collecting cases that held data manipulation steps abstract). Electric Power and similar cases therefore confirm that StrikeForce’s claims are directed to an abstract idea. 4.StrikeForce’s Contrary Arguments Are Unavailing a.The District Court Did Not Overgeneralize The Claims StrikeForce’s principal argument, repeated throughout its brief, is that the district court relied on a “gross oversimplification” of the claims at Alice step Case: 18-1470 Document: 22 Page: 53 Filed: 05/07/2018
-43- one. Br. at 33. According to StrikeForce, the district court viewed the claims as merely “providing restricted access to resources,” without recognizing that the claims focused more specifically on “completely out-of-band authentication.” Id. That is a blatant mischaracterization. At Alice step one, the district court expressly held that StrikeForce’sclaims were directed to the abstract idea of “out-of-band authentication,” Appx7, as SecureAuth argued, Appx6. The court also observed that the claims “address an ‘abstract idea of providing restricted access to resources,’” like the claims in Prism. Appx7. But the district court never stated that the claims here are directed to the exact same abstract idea as the Prism claims. To the contrary, the court emphasized that the idea here is abstract because it is no different from “any out-of-band authentication process.” Appx7. And the court used out-of-band authentication as the starting point for its step-two analysis, as StrikeForce admits. Br. at 44. Thus, the district court expressly and correctly held that StrikeForce’s claims are directed to out-of-band authentication at Alice step one. b.StrikeForce’s Reliance On “Completely” Out-of-Band Authentication Is Misplaced StrikeForce also argues that its claims are directed more specifically to “completely” out-of-band authentication that requires both “sending andreceiving authentication information on the authentication channel.” Br. at 13-Case: 18-1470 Document: 22 Page: 54 Filed: 05/07/2018
-44- 14. However, out-of-band authentication is no less abstract when performed completely, rather than partially, out-of-band. Supra, V.A.2 (completely out-of-band authentication is used in preschool and was held abstract in Secured Mail). Moreover, many of StrikeForce’s claims—such claim 46 and 53 of the ’698 patent—do not require completely out-of-band authentication. Claim 46 of the ’698 patent recites only a one-way transfer of information along the authentication channel; it is agnostic about what channel might be used for any transfer in the opposite direction. See Appx72 at 17:46-62; Appx1305-1306. Claim 53 recites a prompt and a response but does not specify what channel or channels they are carried over. Appx72 at 18:47-62; Appx1306. According to StrikeForce, claim 53 implicitlyrequires the out-of-band channel to carry both a prompt and a response because both are transmitted to or from the “security computer” attached to the “second channel” (i.e., the authentication channel). Br. at 35. However, StrikeForce admitted in Delaware that the security computer must be “connected to both the access and authentication channels.” Appx828. Thus, nothing in claim 53 requires the authentication channel alone to carry both transmissions. Accordingly, claim 53 (like many others) does not require “completely” out-of-band authentication. Case: 18-1470 Document: 22 Page: 55 Filed: 05/07/2018
-45- If StrikeForce had intended to limit its claims to completely out-of-band authentication, it could have specified which channel carries each transmission. Indeed, StrikeForce partially did so in one claim, which recites “receiving at a security computer predetermined data sent via an authentication channel.” Appx72 at 17:49-50. But instead of limiting its claims to a prompt and response in the out-of-band channel, StrikeForce claimed out-of-band authentication more broadly. StrikeForce then touted the breadth of its “out-of-band” patents in court papers, SEC filings, and press releases. Supra, II.B. It cannot avoid those admissions now. c.StrikeForce’s Claims Provide No Improvement Specific To Computers, So The Cases It Cites Are Inapposite Finally, StrikeForce argues that the claims are directed to a patent-eligible improvement in computer technology because they can prevent “hackers” from accessing data without authorization. Br. at 29-32. That argument fails. Out-of-band authentication is a longstanding idea that is not rooted in computer technology. Supra, V.A.2. And this Court has repeatedly held ineligible claims that recited particular ways of providing computer security—as in Secured Mail, Prism, FairWarning, SmartFlash, and other cases. Supra, V.A.3. Here, as in those computer-security cases, StrikeForce’s claims are ineligible because they “are not directed to a specific improvement to computer Case: 18-1470 Document: 22 Page: 56 Filed: 05/07/2018
-46- functionality” and merely use a computer network as “a conduit for the abstract idea.” In re TLI, 823 F.3d at 612. At most, the claims recite generic computertechnology and functionally defined components for performing out-of-band authentication—which is insufficient to confer patent-eligibility. See, e.g., id. at 613 (ineligible claims that recited “generic computer functions” were “not directed to a solution to a technological problem”); Elec.Power, 830 F.3d at 1354 (ineligible claims were “essentially result-focused” and couched in “functional” terms). The cases StrikeForce relies on are not to the contrary because the claims in those cases, unlike StrikeForce’s claims, recited specific improvements that were unique to the technology at issue in each case. For example, in Finjan, Inc. v. Blue Coat Systems, Inc., the claims required a “‘behavior-based’ approach to virus scanning” that improved on the conventional “code-matching” approach, which was “limited to recognizing the presence of previously identified viruses.” 879 F.3d 1299, 1303-1304 (Fed. Cir. 2018). The claimed approach relied on a “security profile” that detailed “all potentially hostile or suspicious code operations that may be attempted” by an “executable application program.” Id. at 1303. Thus, the Finjan claims Case: 18-1470 Document: 22 Page: 57 Filed: 05/07/2018
-47- provided a computer-specific improvement by analyzing a class of code operations performed by a certain type of computer software. In Core Wireless Licensing S.A.R.L. v. LG Electronics, Inc., the claims were “directed to an improved user interface” that reduced the number of steps required to navigate through functionality distributed between multiple applications. 880 F.3d 1356, 1362-63 (Fed. Cir. 2018). The Court found that the claimed user interface provided “an improvement in the functioning of computers, specifically those with small screens.” Id.In Thales Visionix Inc. v. United States, the claims recited a technological solution for “tracking inertial motion of an object on a moving platform” using “particular configuration of inertial sensors” and an “unconventional choice of reference frame.” 850 F.3d 1343, 1345, 1350 (Fed. Cir. 2017). There was no assertion in Thales that the claimed solution had any application outside of inertial motion-tracking technology. In DDR Holdings, LLC v. Hotels.com, L.P., “the claimed solution [was] necessarily rooted in computer technology in order to overcome a problem specifically arising in the realm of computer networks,” as StrikeForce acknowledges. 773 F.3d 1245, 1257 (Fed. Cir. 2014); see Br. at 30. And in McRO, Inc. v. Bandai Namco Games America, Inc., the claims recited a Case: 18-1470 Document: 22 Page: 58 Filed: 05/07/2018
-48- “process specifically designed to achieve an improved technological result in conventional industry practice.” 837 F.3d at 1316. This improvement was specific to “computer animation,” and was fundamentally different from the process that animators had performed manually. Id. at 1314. In all of the foregoing cases, the claims were patent-eligible because they provided solutions that were specific to the technology at issue in the case. In contrast, StrikeForce’s claims are not directed to any technology-specific solution; they are directed to the abstract idea of out-of-band authentication implemented in a conventional computer environment. Supra, V.A.2. B.StrikeForce’s Claims Recite No Inventive Concept StrikeForce’s claims fail at Alice step two because they add nothing inventive to the abstract idea of out-of-band authentication. The additional limitations in the claims are the epitome of “generic computer components” and “well-understood, routine, conventional activities” that cannot supply an inventive concept. Alice, 134 S. Ct. at 2357-60; see also Intellectual Ventures I LLC v. Capital One Bank (USA), 792 F.3d 1363, 1371 (Fed. Cir. 2015) (“Steps that do nothing more than spell out what it means to ‘apply it on a computer’ cannot confer patent-eligibility.”). Case: 18-1470 Document: 22 Page: 59 Filed: 05/07/2018
-49- 1.The District Court Did Not Change Its Understanding Of The Abstract Idea Between Alice Steps One And Two StrikeForce attempts to bolster its position at step two by alleging that the district court changed its understanding of the abstract idea between steps one and two of the Alice framework. Br. at 41. But StrikeForce attacks a straw man. The district court understood and explicitly stated at both steps that the claims were focused on out-of-band authentication. StrikeForce contends that the court first regarded the abstract idea as “providing restricted access to resources,” but changed it to “out-of-band authentication” at step two. Br. at 44. As discussed above, this accusation is demonstrably false: the district court expressly held that the claims are directed to the abstract idea of “out-of-band authentication” at step one. Supra, V.A.4.a; Appx7.9StrikeForce claims that it was prejudiced by the district court’s alleged error because it caused the court to overlook what was “arguably the most inventive concept” in the claims. Br. at 41. But the allegedly disregarded concept was simply “out-of-band authentication using separate channels.” Id. at 9 Regardless of how the district court described the idea, this Court may use a different description. See, e.g., Synopsys, 839 F.3d at 1150 (affirming ineligibility where “the district court did not define the abstract idea”). Case: 18-1470 Document: 22 Page: 60 Filed: 05/07/2018
-50- 45. It is absurd to suggest that the court disregarded this concept given that it used the term “out-of-band” more than twenty times in its decision. Appx1-9. But even if the court somehow failed to account for out-of-band authentication, there is nothing inventive about it. It is not computer-specific because it is commonly performed with non-computer communication channels. Supra, V.A.2. Moreover, it is no different from the idea held abstract in Secured Mail. Supra, V.A.3. There can be no prejudice to StrikeForce from disregarding anaspect of the claims that is unquestionably abstract. 2.StrikeForce Concedes That Each Limitation In Its Claims Is Conventional There is no dispute that the individual claim limitations here are conventional. StrikeForce admitted below that its claims recite an “arrangement of known, conventional pieces.” Appx1292. On appeal, it does the same—relying only on a supposedly inventive “ordered combination” and conceding that each piece in the combination is conventional. Br. at 32 (admitting that “the Asserted Claims employ known communications channels and computer hardware systems”); Br. at 41 (arguing that “an inventive concept can be found in the ... arrangement of known, conventional pieces,” as “is the case here”). Case: 18-1470 Document: 22 Page: 61 Filed: 05/07/2018
-51- 3.Interception Is Not Inventive StrikeForce argues that the “interception device” or “interception means” recited in some of its claims is essential to understanding why the combination in “each claim” recites an “inventive concept.” Br. at 36-37. But StrikeForce admits that several claims recite no interception element. Id. For those claims, the alleged inventiveness of interception is irrelevant.10Synopsys, 839 F.3d at 1149. As to other claims, interception fails to provide an inventive concept for several reasons. First, StrikeForce agrees that the constructions for “interception device” and “interception means” are the same—i.e., “a device that prevents the host computer from receiving what the device received instead.” Appx1421, Appx1422. As the district court recognized, that construction provides only an “abstract functional description,” defining interception solely by its intended purpose of controlling access to a computer. Appx8(quoting In re TLI, 823 F.3d at 613-15). Such a “purely functional and generic” limitation cannot supply an inventive concept. Alice, 134 S. Ct. at 2360. Further, courts have repeatedly held that using a computer as an intermediary does not make claims 10E.g., claims 48, 49, 50, 51, 52, and 53 of the ’698 patent. Case: 18-1470 Document: 22 Page: 62 Filed: 05/07/2018
-52- patent eligible. See, e.g., id.; Two-Way Media, 874 F.3d at 1349; Symantec, 838 F.3d at 1319-21. Second, a dependent claim reveals that the interception device may be just a “router.” Appx71 at 15:44-45 (’698 patent, claim 21); see also Br. at 10 (identifying a “router” as an example of an interception device). As SecureAuth explained below and StrikeForce did not dispute, routers are conventional computer components that have been well-known for decades. Appx776. They are no different from the “communications controller” recited in the Alice claims, which the Supreme Court held to be non-inventive. 134 S. Ct. at 2360. Third, the interception device is also non-inventive because it performs the same functions as the receptionist in SecureAuth’s preschool analogy. For example, in claim 1 of the ’698 patent, the interception device receives a “login identification” and “demand to access” in a “first channel.” Appx70 at 14:33-35. Likewise, the receptionist receives a login identification (e.g., the relative’s name) and demand to access (e.g., request to pick up the child) in a first channel (e.g., in-person). Claim 2 further requires that “the security computer receives the demand and login identification from the interception device.” Id. at 14:47-49. The preschool administrator likewise receives the relative’s name and request from the receptionist. Further, just as the interception device controls Case: 18-1470 Document: 22 Page: 63 Filed: 05/07/2018
-53- access to the host computer, the receptionist controls access to the classroom by ensuring that individuals requesting access have the necessary permission. As this analogy shows, the interception device is not inventive. It merely initiates out-of-band authentication. 4.StrikeForce Fails To Show That Its Shifting Ordered Combination Provides Any Computer-Specific Improvement StrikeForce argues that an “ordered combination” in its claims supplies an inventive concept. Br. at 46. But StrikeForce has yet to even settle on what the combination is or how many steps it includes. In the district court at Alice step one, StrikeForce identified a six-part combination. Appx1284-1285. On appeal at Alice step one, StrikeForce now points to a different, five-part combination. Br. at 12. Further, in the district court at Alice step two, StrikeForce again relied on a six-part combination. Appx1291. On appeal at Alice step two, StrikeForce relies on not one but two new combinations asserted for the first time on appeal: first a four-part and then a three-part combination. Br. at 48, 56. StrikeForce cannot keep its story straight, and its shifting combinations merely reflect an attempt to use “the draftman’s art” to obfuscate the meager substance of the claims. See Alice, 134 S.Ct. at 2360. Case: 18-1470 Document: 22 Page: 64 Filed: 05/07/2018
-54- None of StrikeForce’s shifting combinations add any inventive concept to the abstract idea. Instead, they merely “spell out what it means to ‘apply it on a computer.’” Capital One Bank, 792 F.3d at 1371.11An ordered combination provides an inventive concept when it recites a technology-specific solution to a technology-specific problem. For example, this Court has held an ordered combination inventive where it recited “a technology-based solution ... that overcomes existing problems” specific to the computer technology at issue. Bascom Global Internet Servs., Inc. v. AT&T Mobility LLC, 827 F.3d 1341, 1351 (Fed. Cir. 2016). Conversely, this Court has found no inventive concept in claims that “do not improve the function of the computer” itself. Return Mail, Inc. v. United States Postal Service, 868 F.3d 1350, 1369 (Fed. Cir. 2017). StrikeForce’s ordered combinations do not recite a computer-specific solution, so they contain no inventive concept. Consider StrikeForce’s five-part combination, which is the most extensive combination that StrikeForce presents on appeal. This combination largely overlaps with claim 53, which is addressed above at page 35. The only 11 None of the proposed combinations is recited in every claim. And each combination is irrelevant to claims that do not recite it. Case: 18-1470 Document: 22 Page: 65 Filed: 05/07/2018
-55- substantive difference between claim 53 and the five-part combination is that the latter includes an “interception device” and a “peripheral device.” Compare Br. at 12 with Appx72, 18:47-62. But the entire combination is still consistent with the preschool analogy, so it is not computer-specific. As SecureAuth explained below, the interception device is analogous to the receptionist at the preschool. Appx775-776; supra, V.B.3. As for the peripheral device, it merely transmits data from the accessor to the security computer. Br. at 12. It is no different from the parent’s telephone in the preschool analogy—as SecureAuth also explained below. Appx774-775. Thus, the steps in StrikeForce’s five-part combination provide no computer-specific solution, and “add nothing that is not already present when the steps are considered separately.” See Alice, 134 S.Ct. at 2359; id. (steps did not “improve the functioning of the computer itself”). Ultimately, the alleged inventiveness of StrikeForce’s combination rests on the abstract idea of out-of-band authentication, not on how the additional elements are combined. Indeed, StrikeForce identifies “complete separation of channels”—an inherent part of out-of-band authentication—as “the heartof the inventive concept.” Br. at 47; see also id. at 1 (relying on “the inventive ‘out-of-band’ feature” to explain the district court’s alleged error at step two). But an abstract idea itself cannot provide an “inventive concept.” See Alice, 134 S. Ct. Case: 18-1470 Document: 22 Page: 66 Filed: 05/07/2018
-56- at 2355 (any inventive concept must come from “additional elements”beyond the abstract idea). Thus, StrikeForce’s combination does not satisfy § 101. 5.Merely Distinguishing Prior Art Does Not Make StrikeForce’s Claims Patent-Eligible StrikeForce argues that its claims contain an inventive concept because they are allegedly novel and non-obvious. Specifically, StrikeForce relies on the PTO’s findings in a reexamination of the ’599 patent and two inter partes review proceedings against the ’698 patent (none of which involved SecureAuth). Br. at 4-5, 16-17, 31-32, 41-43, 46. But StrikeForce’s approach has been repeatedly rejected by the Supreme Court and this Court. For example, in Parker v. Flook, the Supreme Court found computer claims ineligible even assuming they were “novel and useful” under § 102 and § 103. 437 U.S. 584, 588, 591 (1978). In Mayo, the Supreme Court expressly declined to “substitute §§ 102, 103, and 112 inquiries for the better established inquiry under § 101.” Mayo Collaborative Svcs. v. Prometheus Labs., Inc., 132 S.Ct. 1289, 1304 (2012). And in Two-Way Media, this Court rejected the patentee’s attempt to show eligibility by relying evidence of novelty and non-obviousness from PTO proceedings. 874 F.3d at 1339-40. This Court has even held claims ineligible as a matter of law despite a jury’s specific finding of novelty because “‘[t]he novelty of any element or steps in a process, or even of Case: 18-1470 Document: 22 Page: 67 Filed: 05/07/2018
-57- the process itself, is of no relevance in determining’” eligibility. Symantec, 838 F.3d at 1315 (quoting Diamond v. Diehr, 450 U.S. 175, 188-89 (1981)). 12 The same is true here: even assuming StrikeForce’s claims are novel or non-obvious, they are still ineligible under § 101. Moreover, when contrasting its claims with the prior art, StrikeForce focuses on out-of-band authentication. For example, StrikeForce argues that its claims overcame “the problems plaguing prior art authentication systems” that “passed access data and authentication data along the same channel and were therefore more susceptible to hacking.” Br. at 22. StrikeForce further argues that out-of-band authentication may be the “most inventive” concept in its claims. Id. at 44-45. But out-of-band authentication is abstract, so even if it were novel it could not satisfy § 101. Synopsys, 839 F.3d at 1151; see also buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1352 (Fed. Cir. 2014) (abstract ideas are ineligible “no matter how groundbreaking, innovative, or even brilliant”). 12See also, e.g., Return Mail, 868 F.3d at 1370 (claims ineligible under § 101 even if novel or non-obvious); Affinity Labs of Texas, LLC v. DIRECTV, LLC, 838 F.3d 1253, 1263 n.3 (Fed. Cir. 2016) (“[T]here was no error in the district court’s not relying on [the patentee’s] expert’s testimony that [a claim element] was a novel feature”). Case: 18-1470 Document: 22 Page: 68 Filed: 05/07/2018
-58- In reality, out-of-band authentication is an old idea that was used long before computers. Supra, V.A.2. That StrikeForce was purportedly the first to describe the idea in combination with the computer components recited in its claims is not inventive; it is merely “generic computer implementation.” Alice, 134 S. Ct. at 2357. Indeed, combining an abstract idea with conventional computer components does not satisfy § 101, even if the resulting combination is new. See Ultramercial, Inc. v. Hulu, LLC, 772 F.3d 709, 716 (Fed. Cir. 2014) (“That some of the [claimed] steps were not previously employed in this art is not enough” to satisfy § 101); DIRECTV, 838 F.3d at 1263 (holding that an allegedly novel combination of abstract idea and conventional components “does not avoid the problem of abstractness”). Thus, StrikeForce’s alleged distinctions over the prior art fail to establish an inventive concept. As a result, StrikeForce’s claims are invalid under § 101. C.StrikeForce’s Procedural Challenges Are Meritless StrikeForce raises several procedural challenges, but none shows any error in the district court’s judgment. 1.The District Court Properly Treated Claim 53 As Representative StrikeForce argues that the district court improperly treated claim 53 as representative. Br. at 35. However, StrikeForce admits that all of the asserted Case: 18-1470 Document: 22 Page: 69 Filed: 05/07/2018
-59- claims are directed to the same single invention. Supra, II.C.2.a. It is unclear how any claim could fail to adequately represent the invention if all of the claims are directed to it. Moreover, this Court has held that it is appropriate to hold claims ineligible based on representative claims where, as here, all of the claims are directed to the same abstract idea. See, e.g., Content Extraction and Transmission LLC v. Wells Fargo Bank, N.A., 776 F.3d 1343, 1348-49 (Fed. Cir. 2014) (finding 242 claims ineligible based on two representative claims). StrikeForce points to two limitations omitted from claim 53 to show that the claim is not representative. Br. at 36. However, this Court routinely uses representative claims that lack limitations recited in other claims. Indeed, this occurs whenever an independent claim is treated as representative of dependent claims. See, e.g., Content Extraction, 776 F.3d at 1349 (approving use of representative claims even though other claims “may have a narrower scope”). If a patentee contends that the added limitations of narrower claims are material to the § 101 analysis, the Court can consider those limitations in addition to the representative claims. See Cleveland Clinic Foundation v. True Health Diagnostics LLC, 859 F.3d 1352, 1359-60 (Fed. Cir. 2017) (analyzing added limitations that allegedly provided “inventive concepts over the representative claims”). Case: 18-1470 Document: 22 Page: 70 Filed: 05/07/2018
-60- That is exactly what the district court did here. The only limitation that StrikeForce identified below as missing from the representative claim was the “‘interception’ element.” Appx1283, n.3. The district court properly decided that “the interception element can be considered in conjunction with the other components of the representative claim.” Appx5. Ultimately, the court found that the interception element failed to change the outcome of the § 101 analysis. Appx8; see also supra, V.B.3 (interception is not inventive). On appeal, StrikeForce also argues that the district court misread claim 53 to conclude that it did not require “completely out-of-band authentication.” Br. at 35. To the extent the court adopted such a reading, it was correct because claim 53 does not specify what channel carries the recited “prompt” or the response to that prompt. Supra, V.A.4.b. But regardless of how it read claim 53, the court clearly addressed the alleged requirement for completely out-of-band authentication. See Appx5 (“Plaintiff claims that its invention sends a prompt for data using the out-of-band channel and receives the user’s response through that same channel.”). The court held that the alleged requirement did not make the claims any less abstract. Appx7. That holding was correct, as explained above. Thus, StrikeForce shows no error in the district court’s use of claim 53. Case: 18-1470 Document: 22 Page: 71 Filed: 05/07/2018
-61- 2. No Claim Construction Would Provide An Inventive Concept StrikeForce also argues that the district court erred by not considering the parties’ agreed claim constructions for “access channel” and “authentication channel.” Br. at 49-50. But StrikeForce never raised these constructions during the § 101 proceedings below, despite ample opportunity. Supra, II.C.2.d. To the contrary, StrikeForce provided a different definition for the channel terms in its briefing, and never suggested that the constructions the parties later agreed to would change the § 101 analysis. Id.After the parties submitted their agreed constructions, the district court asked StrikeForce to identify claim constructions that could affect the outcome of the § 101 motion, but StrikeForce never mentioned the channel terms. Appx1371-1374 at 11:25-14:7. Instead, StrikeForce referred to other terms, none of which it pursues on appeal. Id. Thus, all of StrikeForce’s claim construction arguments are waived. Fresenius USA, Inc. v. Baxter Intern., Inc., 582 F.3d 1288, 1296 (Fed. Cir. 2009); SmithKline Beecham Corp. v. Apotex Corp., 439 F.3d 1312, 1319 (Fed. Cir. 2006). Regardless, the channel constructions would not change the outcome. The constructions require physically separate channels, rather than channels carried on separate “frequency channels” or “time slots.” Br. at 50-51; id. at Case: 18-1470 Document: 22 Page: 72 Filed: 05/07/2018
-62- 50, n.15. But physically separate channels are not computer-specific. They may be implemented using telephone lines, paper mail, and other non-computer approaches. Indeed, SecureAuth’s preschool analogy uses two physically separate channels. Moreover, the claims invalidated in Secured Mail used physically separate channels. 873 F.3d at 907-908 (computer network and postal mail). Thus, physically separating the channels is not inventive. StrikeForce asserts that the district court regarded physically separate channels as an inventive concept under Alice step two. Br. at 51. Not so. The district court stated that “a bi-directional second channel . . . could reflect some inventiveness,” but it added in the same sentence that “the Asserted Patents do not meet the standard described in Alice.” Appx9. Thus, the district court contrastedthe type of “inventiveness” allegedly reflected in the claims with the inventive concept Alice requires. In the next sentence, the district court referred to “separate ‘frequency channels’ or ‘time slots’” because StrikeForce’s brief had used that language when arguing that the claims provided an “advancement” over certain prior art. See Appx1292 (StrikeForce brief below). The court held that the channels described in StrikeForce’s brief were not inventive, and never stated that limiting the channels to physically separate facilities would make a difference. Case: 18-1470 Document: 22 Page: 73 Filed: 05/07/2018
-63- Appx9. Moreover, controlling authority shows that physically separate channels are not inventive. See Secured Mail, 873 F.3d at 907-908 (invalidating claims with physically separate channels). In addition to the channel constructions, StrikeForce also repeatedly mentions a construction of “security computer” that requires it to be “isolated” from the host computer. E.g., Br. at 21. But StrikeForce never argued below that isolating the security computer somehow made its claims patent-eligible. Even on appeal, StrikeForce never explains how such isolation would distinguish its claims from the abstract idea of out-of-band authentication. To the contrary, StrikeForce suggests that the security computer’s isolation merely results from “complete separation of channels,” which is part of out-of-band authentication. Br. at 47. Regardless, isolation provides no computer-specific improvement. For example, the administrator’s office in the preschool is isolated from the child’s classroom. Thus, any construction requiring the security computer to be isolated from the host computer would not supply an inventive concept. 3.StrikeForce Identifies No Disputed Fact Issue Material To Patent Eligibility As a last resort, StrikeForce argues that fact issues should have prevented the district court from concluding that the “ordered combination of the Asserted Case: 18-1470 Document: 22 Page: 74 Filed: 05/07/2018
-64- Claims is logical and conventional.” Br. at 46 (quoting Appx8). However, the alleged fact issues StrikeForce identifies are immaterial. StrikeForce contends that the district court erred by disregarding the allegedly inventive nature of separate access and authentication channels. Br. at 46-47. But separate channels are part and parcel of out-of-band authentication, which is the abstract idea. Any dispute over the alleged novelty of that idea is irrelevant. Synopsys, 839 F.3d at 1151. StrikeForce also challenges the court’s statement that “interception” must occur at the beginning of the authentication process. Br. at 47. However, the court’s analysis of interception was not limited to this statement. The court separately explained that the interception device was not inventive because it was defined solely by its abstract function, and it could simply be a generic router. Appx8. The court’s purpose in stating that interception must occur “at the beginning of the process” was to explain why the order of the interception step relative to the rest of the ordered combination was not inventive. As the court found, that “ordered combination” was “logical and conventional.” Id. StrikeForce does not contend that choosing to perform interception before the authentication steps is somehow unique to computers, or otherwise provides a technology-specific solution. Nor could it, as the preschool analogy shows. Case: 18-1470 Document: 22 Page: 75 Filed: 05/07/2018
-65- Instead, StrikeForce asserts that out-of-band authentication was itself inventive. Br. at 48. But under the correct legal standards, out-of-band authentication cannot supply an inventive concept because it is an abstract idea. Alice, 134 S. Ct. at 2355. StrikeForce also asserts that an ordered combination of elements (which includes the abstract idea) was novel. Br. at 48. But any such novelty is immaterial here. Synopsys, 839 F.3d at 1151. StrikeForce cites Bascom, but that case relied on “a technology-based solution,” not the mere novelty of the claimed combination. 827 F.3d at 1351. StrikeForce’s claims contain no such solution, so Bascom is inapposite. See Synopsys, 839 F.3d at 1152 (finding no inventive concept and distinguishing Bascom where claims contained “no such technical solution”). StrikeForce also relies on Aatrix Software, Inc. v. Green Shades Software, Inc., 882 F.3d 1121 (Fed. Cir. 2018). Br. at 52. In Aatrix, this Court held that a district court erred by denying the patentee’s motion to amend its complaint because the proposed amendments were material to patent eligibility. 882 F.3d at 1126-28. Here, however, StrikeForce did amend its complaint. Specifically, SecureAuth informed StrikeForce that it intended to raise a § 101 challenge. Appx781-782, ¶ 10. StrikeForce then received permission from the court to amend its complaint. Appx498. Despite having notice of Case: 18-1470 Document: 22 Page: 76 Filed: 05/07/2018
-66- SecureAuth’s § 101 challenge, StrikeForce failed to include any factual allegations material to eligibility in its amended complaint. Supra, II.C.1. Further, StrikeForce never requested permission to file another amended complaint and even now does not suggest that another amendment would salvage its claims under § 101. Thus, Aatrix is inapposite. StrikeForce lists five statements from its specification and complaint that allegedly should have been taken as true, but fails to explain how any of them would change the eligibility outcome. Br. at 55. The first three statements are from the specification, and none of them contradicts the conclusion that the claims are invalid. They describe various alleged distinctions over the prior art, but they are all premised on the use of two separate channels, which is part of the abstract idea.13 Thus, they are immaterial. Synopsys, 839 F.3d at 1151. The fourth statement in the list is that “[t]he inventions of the ’599, ’698, and ’701 patents are directed to improved multichannel security systems and methods for authenticating a user....” Br. at 55. To the extent this statement 13 The last of these three statements also references “a unique combination of host and location authentication,” but when SecureAuth pointed to the same statement below, StrikeForce argued that location or host authentication was notpart of its invention. Appx766, Appx774 (SecureAuth’s argument); Appx1295 (StrikeForce disavowing location or host authentication). Case: 18-1470 Document: 22 Page: 77 Filed: 05/07/2018
-67- merely identifies the subject matter of the claims, it is immaterial. See supra, V.A.3 (computer security claims may fail to satisfy § 101). If it instead purports to declare what the claims are “directed to” at Alice step one, it proffers a legal conclusion that the court was not required to accept. Iqbal, 556 U.S. at 678. The last statement in the list asserts that the claims provided “a specific solution to problems caused by the proliferation of data across the Internet by enhancing the functionality of computer systems compared to prior art authentication systems through improved security of the channels used for authentication and access.” Br. at 55. This statement is conclusory and entitled to no weight because it is not supported by any factual allegations describing howthe security of the channels is purportedly improved—in sharp contrast to the detailed factual allegations that this Court found relevant in Aatrix. Appx503-504; see Iqbal, 556 U.S. at 678 (courts must disregard conclusory assertions). StrikeForce’s statement referenced an unspecified advance over the prior art, but merely distinguishing the art does not satisfy § 101. Supra, V.B.5. Thus, StrikeForce’s five statements fail to identify any material fact issue.1414 StrikeForce refers to the burden of proof discussed in Microsoft Corp. v. i4i Ltd. P’ship, 564 U.S. 91, 95 (2011). But the burden of proof is irrelevant because StrikeForce identifies no material fact issues.Case: 18-1470 Document: 22 Page: 78 Filed: 05/07/2018
-68- StrikeForce also cites Berkheimer v. HP, Inc., 881 F.3d 1360 (Fed. Cir. 2018). Br. at 54. According to StrikeForce, Berkheimer requires SecureAuth to prove that “the elements of the Asserted Claims, as an ‘ordered combination’ are well-understood, routine, and conventional.” Id. StrikeForce argues that it was not possible to do so because the claims recited “novel” advances. Id. at 54-55. StrikeForce’s reliance on novelty exposes its misreading of Berkheimer and misapplication of Alice step two. If StrikeForce were correct, any novel claim would satisfy § 101 because no challenger could show that the entire “ordered combination” of elements in such a claim was disclosed in the prior art. But novelty is not enough to satisfy § 101. Symantec, 838 F.3d at 1316 (holding that novel and non-obvious claims lacked an inventive concept as a matter of law because they failed to recite any “improved computer technology”). Berkheimer itself shows that a claim may be invalidated under § 101 without proof that the entire ordered combination of claim elements was conventional. Indeed, Berkheimer invalidated several claims as a matter of law without requiring such proof. In claim 1, for example, the combination included certain undisputedly “conventional limitations” that were “combined with” other limitations not identified as conventional. 881 F.3d at 1370. The Court never required the entire combination to be found in the prior art, but held the claim Case: 18-1470 Document: 22 Page: 79 Filed: 05/07/2018
-69- invalid because it failed to “transform the abstract idea into a patent-eligible invention.” Id.The outcome for each claim in Berkheimer turned on whether the claim recited an inventive “improvement in computer functionality.” Id. The invalid claims provided no such improvement as a matter of law. Id. The remaining claims arguably recited such an improvement because they required data to be stored in a “reconciled object structure” that allowed a computer system to operate more efficiently. Id. For those remaining claims only, whether the claimed combination was conventional presented a material question of fact. Id.Like the ineligible claims in Berkheimer, StrikeForce’s claims provide no computer-specific improvement. Supra, V.A.2, V.A.4.c. This Court has held such claims ineligible at the pleading stage in numerous cases before and after Berkheimer. See, e.g., Voter Verified, Inc. v. Election Sys. & Software, Inc., --- F.3d ----, 2018 WL 1882917 (Fed. Cir. Apr. 20, 2018) (affirming ineligibility at the pleading stage after Berkheimer and Aatrix); Maxon, LLC v. Funai Corp., --- F. App’x ----, 2018 WL 1719101 (Fed. Cir. Apr. 9, 2018) (same);Automated Tracking Sols., LLC v. Coca-Cola Co., --- F. App’x ----, 2018 WL 935455 (Fed. Cir. Feb. 16, 2018) (same). Thus, StrikeForce’s claims fail under § 101 as a matter of law. Case: 18-1470 Document: 22 Page: 80 Filed: 05/07/2018
-70- CONCLUSION This Court should affirm the district court’s judgment./
Respectfully submitted, KNOBBE, MARTENS, OLSON & BEAR, LLPMay 7, 2018 By: /s/ Jon W. Gurka Jon W. Gurka Counsel of Record Stephen W. Larson Jeremy A. Anapol Attorneys for Appellee SECUREAUTH CORPORATION