Summary
finding claims directed to limiting access to information based on specified criteria are directed to an abstract idea
Summary of this case from Evicam Int'l, Inc. v. Enforcement Video, LLCOpinion
Case No. 15-cv-02515-YGR
10-19-2015
ORDER GRANTING MOTION FOR JUDGMENT ON THE PLEADINGS
Re: Dkt. No. 43
Defendant Netskope, Inc. moves for judgment on the pleadings, arguing the asserted claims of the patent-in-suit—which broadly cover methods for limiting access to database information on a per-user basis—are invalid as embodying an unpatentable "abstract idea" under Section 101 of the Patent Act. (Dkt. No. 43.) Plaintiffs Protegrity Corporation (the patent's owner) and Protegrity USA, Inc. (the patent's exclusive licensee) oppose the motion. (Dkt. No. 47.) Having carefully considered the papers submitted, the patent-in-suit, the record in this case, and the arguments of counsel at the September 22, 2015 hearing, and good cause shown, the Court GRANTS the motion.
I. BACKGROUND
The plaintiffs accuse defendant of infringing U.S. Patent Number 7,305,707 (the "'707 Patent" or the "patent-in-suit"). The patent is entitled "Method for Intrusion Detection in a Database System." The patent addresses the problem of preventing a user who has access to a particular database from exceeding the scope of a defined policy—for instance, one limiting the amount of information the user is permitted to access in a given period of time—in real time. '707 Patent at 1:20-2:12.
The '707 Patent is attached to the complaint as Exhibit D. (Dkt. No. 1-4.)
According to the '707 Patent's specification, the prior art included a number of methods for detecting improper or suspicious activity by an individual with authorized login credentials to access a server. The methods referenced include: (1) network-based detection (e.g., "packet sniff[ing] to detect suspicious behavior on a network as [it] occur[s]"), (2) server-based detection (i.e., analyzing "log, configuration and data files from individual servers as attacks occur"), (3) security query and reporting tools (that "do not operate in real-time"), and, critically, (4) inference detection ("detection of specific patterns of information access, deemed to signify that an intrusion is taking place, even though the user is authorized to access the information"). '707 Patent at 1:27-2:12.
The patent-in-suit includes twenty-two method claims, two of which are independent. Generally, the patent covers methods for creating access policies for authorized users and limiting their access if they exceed the terms of the applicable access policy, such as by downloading a large amount of data in a short period of time, accessing suspicious combinations of data, or the like. The plaintiffs apparently accuse defendant's "Active Platform" of infringement. (See Dkt. No. 1-1 at 1.)
Claim 1 of the '707 Patent, one of the two independent claims, reads as follows:
A method for detecting intrusion in a database, comprising:
'707 Patent at 6:2-12. The other independent claim, claim 12, mirrors the limitations of claim 1 but contemplates multiple users and multiple "intrusion detection" policies. See id. at 6:52-65.defining at least one intrusion detection policy for the database;
associating each user with one of the defined policies;
receiving a database query from a user;
determining if the results of the query violate the intrusion detection policy;
and altering the user's authorization if the intrusion detection policy has been violated.
II. LEGAL STANDARD
Under Federal Rule of Civil Procedure 12(c), judgment on the pleadings may be granted when, accepting as true all material allegations contained in the nonmoving party's pleadings, the moving party is entitled to judgment as a matter of law. Chavez v. United States, 683 F.3d 1102, 1108 (9th Cir. 2012). The applicable standard is essentially identical to the standard for a motion to dismiss under Rule 12(b)(6). United States ex rel. Cafasso v. Gen. Dynamics C4 Sys., Inc., 637 F.3d 1047, 1054 n.4 (9th Cir. 2011). Thus, although the Court must accept well-pleaded facts as true, it is not required to accept mere conclusory allegations or conclusions of law. See Ashcroft v. Iqbal, 556 U.S. 662, 678-79 (2009).
In ruling on a motion for judgment on the pleadings, the Court "need not . . . accept as true allegations that contradict matters properly subject to judicial notice or by exhibit" attached to the complaint. Sprewell v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001) (citation omitted). A challenge under Section 101 of the Patent Act may be brought as a motion for judgment on the pleadings. See Open Text S.A. v. Box, Inc., 78 F. Supp. 3d 1043, 1045 (N.D. Cal. 2015) (citing buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1352 (Fed. Cir. 2014)). A court may decide such a motion prior to claim construction. See Bancorp Servs., L.L.C. v. Sun Life Assur. Co. of Canada (U.S.), 687 F.3d 1266, 1273-74 (Fed. Cir. 2012) ("[C]laim construction is not an inviolable prerequisite to a validity determination under § 101. We note, however, that it will ordinarily be desirable—and often necessary—to resolve claim construction disputes prior to a § 101 analysis, for the determination of patent eligibility requires a full understanding of the basic character of the claimed subject matter.").
III. DISCUSSION
A. Claim Construction
In its opposition brief, plaintiffs argue claim construction is needed prior to resolution of defendant's motion, pointing to pending claim construction involving the same patent in the District of Connecticut in Protegrity Corporation et al. v. Gazzang, Inc., Case No. 14-cv-00825. Defendant stipulated to the adoption of those constructions proposed by plaintiffs in Gazzang solely for purposes of resolving the instant motion. (Dkt. No. 48 at 4.) The constructions follow:
Term | Claims | Construction |
---|---|---|
Associating each user with oneof the defined policies | 1, 2, 8, 9, 10, 12, 13,19, 20, 21 | Assigning one of the definedintrusion detection policies to auser |
Authorization | 1, 9, 11, 12, 20, 22 | Level of access to the database |
Intrusion detection policy | 1, 2, 8, 9, 10, 12, 13, 19, 20, 21 | A policy that specifies at leastone item access rate orinference pattern to discover auser who is authorized toaccess certain items but abusesthis authority |
Item access rates | 2, 3, 4, 5, 6, 7, 13, 14, 15, 16,17, 18 | Defines the number of rows inthe database that a user mayaccess from an item (e.g. acolumn of a table) at one timeor over a certain period of time |
User | 1, 9, 11, 12, 20, 22 | An entity including but notlimited to a user, role,program, process, applicationor server |
Inference pattern | 8, 10, 11, 19, 21, 22 | A policy that sets forth aplurality of items that whenaccessed in combination mayexpose unauthorizedinformation |
At the hearing, plaintiffs pointed—for the first time—to several additional terms they believe require construction prior to the Court ruling on the instant motion; however, they provided a proposed construction as to only one of those terms: "altering . . . authorization." Plaintiffs argued that an appropriate construction of that term would state that the altering process must occur in "real time," a construction more limited than the scope of the term's plain and ordinary meaning. Plaintiffs' decision to spring these un-briefed issues on defendant and the Court at the hearing suggests gamesmanship.
Notably, plaintiffs did not offer this proposed construction in the Gazzang case, explaining their reasoning at the hearing: the defendant in Gazzang did not raise a Section 101 challenge, so plaintiffs presumably felt no need to propose a construction calculated to overcome a § 101 challenge that would also limit the scope of the patent's claims.
As to the terms identified but for which no constructions were proposed or analyses offered, the Court notes that where a patentee fails to "explain which terms require construction or how the analysis would change" were those constructions adopted, the Court may rule on the validity challenge prior to construing claims. See Cyberfone Sys., LLC v. CNN Interactive Grp., Inc., 558 F. App'x 988, 991 n.1 (Fed. Cir. 2014); see also Ultramercial, Inc. v. Hulu, LLC, 772 F.3d 709, 719 (Fed. Cir. 2014) ("No formal claim construction was required because the asserted claims disclosed no more than 'an abstract idea garnished with accessories' and there was no 'reasonable construction that would bring [them] within patentable subject matter.'") (alteration in original); Boar's Head Corp. v. DirectApps, Inc., No. 2:14-CV-01927-KJM, 2015 WL 4530596, at *7 (E.D. Cal. July 28, 2015) ("Although it is defendants' burden to show ineligibility, a court should look to the plaintiff to show some factual dispute requiring claim construction.").
As to the term for which a construction was offered at the hearing, the Court need not consider this untimely argument. See Finjan, Inc. v. Sophos, Inc., No. 14-CV-01197-WHO, 2015 WL 890621, at *8 (N.D. Cal. Mar. 2, 2015) (finding arguments raised for the first time at Markman hearing, but not included in briefing, were waived). It appears that plaintiffs' failure to include the additional proposed construction in their opposition brief was a calculated attempt to prevent defendant from providing a fulsome response thereto. Nevertheless, even adopting for purposes of this order the additional construction proposed at the hearing, the patent is invalid for the reasons discussed below. Moreover, no other reasonable constructions save the claims from invalidity.
B. Section 101
The scope of subject matter eligible for patent protection is defined in Section 101 of the Patent Act: "Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title." 35 U.S.C. § 101. The Supreme Court has "long held that this provision contains an important implicit exception: Laws of nature, natural phenomena, and abstract ideas are not patentable." Alice Corp. Pty. v. CLS Bank Int'l, 134 S. Ct. 2347, 2354 (2014) ("Alice") (quoting Ass'n for Molecular Pathology v. Myriad Genetics, Inc., 133 S. Ct. 2107, 2116 (2013)). In applying this exception, courts "must distinguish between patents that claim the building blocks of human ingenuity and those that integrate the building blocks into something more." Alice, 134 S. Ct. at 2354 (internal quotations and alterations omitted); see also Mayo Collaborative Servs. v. Prometheus Labs., Inc., 132 S. Ct. 1289, 1301 (2012).
Thus, in determining whether claims are patent-ineligible, a court must first determine whether they are directed to a patent-ineligible concept, such as an abstract idea. See Diamond v. Chakrabarty, 447 U.S. 303, 309 (1980). "A principle, in the abstract, is a fundamental truth . . . [which] cannot be patented." Gottschalk v. Benson, 409 U.S. 63, 67 (1972) (internal citations and quotations omitted). "Phenomena of nature, though just discovered, mental processes, and abstract intellectual concepts are not patentable, as they are the basic tools of scientific and technological work." Id.; see also CyberSource Corp. v. Retail Decisions, Inc., 654 F.3d 1366, 1371 (Fed. Cir. 2011) ("[M]ental processes are not patent-eligible subject matter because the 'application of [only] human intelligence to the solution of practical problems is no more than a claim to a fundamental principle.'"). To determine whether patent claims are directed to an abstract idea, the Court must "distill[] the gist of the claim[s]." Open Text S.A, 78 F. Supp. 3d at 1046 (citing Bilski v. Kappos, 561 U.S. 593, 611-12 (2010)).
If the claims are directed to an abstract idea, a court must then consider whether they nevertheless involve an "inventive concept" such that "the patent in practice amounts to significantly more than a patent upon the [ineligible concept] itself." Alice, 134 S. Ct. at 2355 (quoting Mayo, 132 S. Ct. at 1294); see also DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245, 1255 (Fed. Cir. 2014) ("Distinguishing between claims that recite a patent-eligible invention and claims that add too little to a patent-ineligible abstract concept can be difficult, as the line separating the two is not always clear."). "For the role of a computer in a computer-implemented invention to be deemed meaningful in the context of this analysis, it must involve more than performance of 'well-understood, routine, [and] conventional activities previously known to the industry.'" Content Extraction & Transmission LLC v. Wells Fargo Bank, Nat. Ass'n, 776 F.3d 1343, 1347-48 (Fed. Cir. 2014) (alteration in original); see also buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1354 (Fed. Cir. 2014) ("The Court in Alice made clear that a claim directed to an abstract idea does not move into section 101 eligibility territory by 'merely requir[ing] generic computer implementation.'") (alteration in original).
The burden of establishing invalidity rests on the movant. See Microsoft Corp. v. i4i Ltd. P'ship, 131 S. Ct. 2238, 2245 (2011) (citing 35 U.S.C.A. § 282). However, on a motion for judgment on the pleadings for invalidity, where no extrinsic evidence is considered, the "clear and convincing" standard for weighing evidence in determining a patent's validity is inapplicable. See Shortridge v. Found. Constr. Payroll Serv., LLC, No. 14-CV-04850-JCS, 2015 WL 1739256, at *7 (N.D. Cal. Apr. 14, 2015) (citing Modern Telecom Sys. LLC v. Earthlink, Inc., No. 14-CV-0347-DOC, 2015 WL 1239992, at *7-8 (C.D. Cal. Mar. 17, 2015)).
After Alice, the Federal Circuit has held a number of patent claims directed to abstract ideas to be invalid. A sampling follows:
• "[D]igital image processing" claims were directed to "an abstract idea because [they described] a process of organizing information through mathematical correlations and [were] not tied to a specific structure or machine." Digitech Image Technologies, LLC v. Electronics for Imaging, Inc., 758 F.3d 1344, 1347, 1350 (Fed. Cir. 2014).
• Claims covering "methods and machine-readable media encoded to perform steps for guaranteeing a party's performance of its online transaction" were merely "directed to creating familiar commercial arrangements by use of computers and networks." buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1351 (Fed. Cir. 2014).
• Patent "directed to a method for distributing copyrighted media products over the Internet where the consumer receives a copyrighted media product at no cost in exchange for viewing an advertisement" was directed to an abstract idea, and "routine additional steps such as updating an activity log, requiring a request from the consumer to view the ad, restrictions on public access, and use of the Internet [did] not transform [the] otherwise abstract idea into patent-eligible subject matter." Ultramercial, Inc. v. Hulu, LLC, 772 F.3d 709, 709, 716 (Fed. Cir. 2014).
• Patents covering a method for optical character recognition in connection with
scanning hard copy documents were directed to an abstract idea and, even if limited "to a particular technological environment," were invalid because "[s]uch a limitation has been held insufficient to save a claim in this context." Content Extraction & Transmission LLC v. Wells Fargo Bank, Nat. Ass'n, 776 F.3d 1343, 1348 (Fed. Cir. 2014).
• Patent relating to a "method of price optimization in an e-commerce environment . . . claims no more than an abstract idea coupled with routine data-gathering steps and conventional computer activity . . . ." OIP Technologies, Inc. v. Amazon.com, Inc., 788 F.3d 1359, 1360 (Fed. Cir. 2015).
• Claims directed to "tracking financial transactions to determine whether they exceed a pre-set spending limit (i.e., budgeting)" covered "an abstract idea and [did] not otherwise claim an inventive concept." Intellectual Ventures I LLC v. Capital One Bank (USA), 792 F.3d 1363, 1367, 1370 (Fed. Cir. 2015).
Notably, however, in DDR Holdings, LLC v. Hotels.com, L.P., the Federal Circuit upheld a finding of validity as to a patent with claims "directed to systems and methods of generating a composite web page that combines certain visual elements of a 'host' website with content of a third-party merchant." 773 F.3d 1245, 1248 (Fed. Cir. 2014) ("For example, the generated composite web page may combine the logo, background color, and fonts of the host website with product information from the merchant."). The Federal Circuit found the patent "address[es] a business challenge (retaining website visitors) . . . particular to the Internet," but cautioned "that not all claims purporting to address Internet-centric challenges are eligible for patent." Id. at 1257-59.
i. Abstract Idea
As a threshold matter, the Court must determine whether the asserted claims are directed to an abstract idea. The Court finds that the claims at issue are generally directed to the abstract concept of limiting access to information based on specified criteria. See Cogent Med., Inc. v. Elsevier Inc., 70 F. Supp. 3d 1058, 1063-65 (N.D. Cal. 2014) (holding claims covering cataloging a database of information and culling information that may be particularly relevant to a certain user constitute "the abstract idea of maintaining and searching a library of information").
The two independent claims, as noted, are essentially the same, except that claim 1 applies to a single-user environment while claim 12 involves more than one user and more than one access policy. The method described is essentially as follows: define intrusion detection policies; associate each user with a policy; receive a database query from a user; and determine if the results of the query violate the applicable policy. If the query would result in a policy violation, alter the user's authorization (in "real time") such that they cannot access the results.
Dependent claims add further limitations, detailing the types of access limitations that may be employed on a user- or group-specific basis (e.g., limiting the number of database rows that may be accessed in a period of time, or detecting patterns of suspicious activity such as by "accumulating" results from a number of queries). The core abstract idea remains essentially the same in all instances, with the addition in the latter cases that the access limitation is based on detection of suspicious activity. This same concept, in its essential form, has long been implemented by various individuals and organizations.
Claims 2-8, 13-19.
Claims 3, 5, 6, 14, 17, 18.
Claims 8, 10, 11, 19, 21, 22.
Claims 9, 11, 20. --------
Indeed, such methods—absent the generic reference to a "database"—substantially predate modern computers, arising in contexts such as physical security and access policies regarding a variety of sensitive information housed in filing rooms or warehouses. Different individuals within an organization might have permission to "check out" a certain number or type of files, with attempts to exceed those limitations, or other suspicious activity, restricted. Thus, all claims of the '707 Patent are directed to abstract ideas and will only survive the present challenge if they include an inventive concept.
ii. Inventive Concept
As noted, the claims are directed to abstract ideas—namely, limiting access to information based on access policies or suspicious requests. Where claims are directed to abstract ideas, they may still be valid so long as the claims put forth an "inventive concept." However, the mere inclusion of well-understood, routine, and conventional activities—such as those present in the prior art—does not save a claim. See Content Extraction & Transmission LLC, 776 F.3d at 1347-48.
Here, the independent claims merely describe, in broad strokes, the implementation of an abstract idea in a general purpose computer environment. References to a "database" or "database queries" do not save the claims. See DietGoal Innovations LLC v. Bravo Media LLC, 33 F. Supp. 3d 271, 287 (S.D.N.Y. 2014) (describing "a stored database" as "one of the most basic functions of the generic computer"). While the specification also contemplates the use of "a number of clients," "a server," "encrypted data," "a proxy server," "an access control system" and an "intrusion detection module," the claims are not limited to that particular embodiment. See Phillips v. AWH Corp., 415 F.3d 1303, 1323 (Fed. Cir. 2005) (noting that "although the specification often describes very specific embodiments of the invention, we have repeatedly warned against confining the claims to those embodiments"). Moreover, that embodiment also fails to constitute an inventive concept. Indeed, most of the elements discussed are merely generic computer components or processes. See Accenture Global Servs., GmbH v. Guidewire Software, Inc., 728 F.3d 1336, 1344 (Fed. Cir. 2013) (invalidating claims involving "a combination of computer components including an insurance transaction database, a task library database, a client component, and a server component, which includes an event processor, a task engine, and a task assistant"); Intellectual Ventures II LLC v. JP Morgan Chase & Co., No. 13-CV-3777 AKH, 2015 WL 1941331, at *14 (S.D.N.Y. Apr. 28, 2015) (finding features such as encryption and access rules to be no more than "'well-understood, routine, conventional activity'"). The "access control system" and the "intrusion detection module" are apparently no more than shorthand terms for systems—potentially "software" systems—that implement the steps discussed in the claims in a general purpose computer environment. See Bascom Research, LLC v. LinkedIn, Inc., 77 F. Supp. 3d 940, 951 (N.D. Cal. 2015) (invaliding "claims [that] amount to instructions to apply an abstract idea—i.e., the concept of establishing relationships between documents and making those relationships accessible to other users").
The additional limitations of the independent claims, summarized in the preceding section, also fail to save those claims from invalidity. The Court addresses each category of limitation in turn.
As to the first category, "item access rates," the stipulated construction for purposes of this motion is as follows: "Defines the number of rows in the database that a user may access from an item (e.g. a column of a table) at one time or over a certain period of time." The concept of limiting the amount of data a user can access is obvious and subsumed in the "inference detection" category of prior art disclosed by the specification. Under that approach, restricting item access rates would constitute a basic method for detecting suspicious requests. See '707 Patent at 2:1-8; see also Enfish, LLC v. Microsoft Corp., 56 F. Supp. 3d 1167, 1175 (C.D. Cal. 2014) ("A conventional element may be one that is ubiquitous in the field, insignificant or obvious.") (citing Mayo Collaborative Servs. v. Prometheus Labs., Inc., 132 S. Ct. 1289, 1298, (2012)). Thus, the claims that merely add this basic limitation do not embody an inventive concept. Tracking access rates over time also fails to save the claims. See Alice, 134 S. Ct. at 2359 (mere "use of a computer to create electronic records, track multiple transactions, and issue simultaneous instructions" does not constitute an inventive concept); Ultramercial, Inc., 772 F.3d at 712, 715 (characterizing a step of "recording [a] transaction event to [an] activity log, . . . including updating the total number of times" the event has occurred, as "routine, conventional activity"). The inference pattern approach—detecting suspicious activity—along with other specific approaches encompassing "item access rates" are disclosed in the specification as derived from prior art. See '707 Patent at 1:27-2:12.
As to the second category, restricting access based on detected suspicious activity—including, for example, by aggregating attempts over time and running the analysis thereon—similarly does not constitute an inventive concept. As noted, the specification discloses "inference detection" prior art which subsumes these limitations.
Plaintiffs argue the patent-in-suit departs substantially from the prior art by undertaking the analysis and response in "real time," as opposed to reviewing logs after-the-fact, once the data in question has already been retrieved. However, despite its later assertion that "[n]one of these [prior art] solutions are . . . entirely satisfactory [because] they all concentrate on already effected queries," '707 Patent at 2:9-12, the specification plainly discloses certain prior art methods also functioning contemporaneously with the requests at issue, id. at 1:29, 1:43, 2:4. The specification suggests the patent-in-suit improves upon the prior art because it permits access to be restricted before information is transmitted to a user where an impermissible request is detected. Id. at 2:9-12. The straightforward idea of immediately restricting access when an impermissible retrieval is attempted, rather than merely logging the activity for future consideration, does not constitute an inventive concept sufficient to save the claims.
Finally, while the machine-or-transformation test is not the conclusive test for determining whether a process is patent-eligible, it may be a "useful and important clue." Bilski, 561 U.S. at 604. The methods at issue are not tied to a particular machine. "[T]o confer patent eligibility on a claim, the computer 'must play a significant part in permitting the claimed method to be performed, rather than function solely as an obvious mechanism for permitting a solution to be achieved more quickly . . . ." Cogent Med., 70 F. Supp. 3d at 1066 (quoting SiRF Tech., Inc. v. Int'l Trade Comm'n, 601 F.3d 1319, 1333 (Fed. Cir. 2010)). Here, each step claimed could be mentally performed by a human intermediary or tracked on pen and paper. See Planet Bingo, LLC v. VKGS LLC, 576 Fed. App'x 1005, 1008 (Fed. Cir. 2014) (finding claims lacked an "inventive concept," despite being limited to computer-aided methods and systems, where the steps at issue could be "carried out in existing computers long in use" and "done mentally") (quoting Gottschalk, 409 U.S. at 67). Moreover, nothing in the claims—which merely address controlling access to data and otherwise have no physical manifestation or tangible result—constitutes a transformation under the test. See, e.g., CyberSource, 654 F.3d at 1370 ("The mere collection and organization of data . . . is insufficient to meet the transformation prong of the test."); Bancorp Servs., L.L.C., 687 F.3d at 1273, 1278 (upholding district court finding that claims that "'do not transform the raw data into anything other than more data and are not representations of any physically existing objects' . . . do not effect a transformation" under the machine-or-transformation test).
IV. CONCLUSION
For the foregoing reasons, the Court GRANTS the defendant's motion for judgment on the pleadings, finding all claims of the patent-in-suit to be invalid. In light of this ruling, the Case Management Conference set for October 26, 2015 is VACATED. Defendant shall file a proposed form of judgment, approved as to form by plaintiffs, by October 23, 2015.
This Order terminates Docket Number 43.
IT IS SO ORDERED. Dated: October 19, 2015
/s/ _________
YVONNE GONZALEZ ROGERS
UNITED STATES DISTRICT COURT JUDGE