Unified Patents Inc. v. Uniloc Luxembourg, S.A., IPR2017-01850 (PTAB Jul. 25, 2017)

IPR2017-01850 Petition
U.S. Patent 8,838,976

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD
UNIFIED PATENTS INC.,
Petitioner
v.
UNILOC LUXEMBOURG, S.A.
Patent Owner
IPR2017-01850
U.S. Patent 8,838,976
PETITION FOR INTER PARTES REVIEW OF

U.S. PATENT 8,838,976
CHALLENGING CLAIMS 12, 56, and 13
UNDER 35 U.S.C. 312 AND 37 C.F.R. 42.104
U.S. Patent 8,838,976
TABLE OF CONTENTS
I. MANDATORY NOTICES UNDER 37 C.F.R. 42.8 .....................................1
A. Real Party-in-Interest.................................................................................1
B. Related Matters ..........................................................................................1
C. Lead and Back-up Counsel and Service Information ...............................1
II. CERTIFICATION OF GROUNDS FOR STANDING ....................................2
III. OVERVIEW OF CHALLENGE AND RELIEF REQUESTED ......................2
A. Prior Art Patents and Printed Publications ................................................3
B. Statutory Grounds for Challenges .............................................................3
IV. U.S. Patent 8,838,976 ........................................................................................4
A. Summary....................................................................................................4
B. Level of Ordinary Skill in the Art .............................................................5
C. Prosecution History ...................................................................................6
D. Priority DateNo Earlier than February 10, 2010 ...................................8
V. CLAIM CONSTRUCTION.............................................................................11
A. data regarding an online profile (claims 1 and 5) ................................11
B. user-configurable parameter and physical non-user-configurable

property (claims 1, 5, and 13) ................................................................11
C. registered user signal (claims 2 and 6) ................................................12
VI. CLAIMS 1-2, 5-6, and 13 ARE UNPATENTABLE ......................................13
A. Challenge 1: Claims 1-2, and 5-6 are obvious under 35 U.S.C. 103
in view of Varghese, Donlin, and Risan..................................................13
ii
U.S. Patent 8,838,976
1. Overview of Varghese.....................................................................13
2. Overview of Donlin.........................................................................15
3. Overview of Risan...........................................................................16
4. Reasons to Combine Varghese, Donlin, and Risan ........................17
5. Analysis ...........................................................................................23
Claim 1 ............................................................................................ 23
Claim 2 ............................................................................................ 48
Claim 5 ............................................................................................ 52
Claim 6 ............................................................................................ 54
B. Challenge 2: Claim 13 is obvious under 35 U.S.C. 103 in view of

Varghese and Donlin ...............................................................................54
1. Overview of Varghese and Donlin..................................................54
2. Reasons to Combine Varghese and Donlin ....................................55
3. Analysis ...........................................................................................55
Claim 13 .......................................................................................... 55
VII. CONCLUSION................................................................................................59
VIII.CERTIFICATE OF WORD COUNT..............................................................61
iii
U.S. Patent 8,838,976
PETITIONERS EXHIBIT LIST
EX1001 U.S. Patent 8,838,976
EX1002 Prosecution File History of U.S. Patent 8,838,976
EX1003 Prosecution File History of U.S. Provisional Appl. 61/151,449
EX1004 Declaration of Dr. Tewfik Under 37 C.F.R. 1.68
EX1005 Curriculum Vitae of Dr. Tewfik
EX1006 U.S. Patent 8,739,278 to Varghese et al. (Varghese)
EX1007 U.S. Patent 7,183,799 to Donlin et al. (Donlin)
EX1008 U.S. Patent 7,426,637 to Risan et al. (Risan)
iv
U.S. Patent 8,838,976
I. MANDATORY NOTICES UNDER 37 C.F.R. 42.8
A. Real Party-in-Interest
The real party-in-interest is Unified Patents Inc. (Unified or Petitioner).
B. Related Matters
According to assignment records, U.S. Patent 8,838,976 (the 976 Patent
(EX1001)) is owned by Uniloc Luxembourg, S.A. of Luxembourg (Uniloc or
Patent Owner).
As of the filing date of this Petition, and to the best knowledge of Petitioner,
the 976 Patent is or has been involved in this matter: Uniloc USA, Inc. et al v.
Apple, Inc., Case No. 2:17-cv-00258 (United States District Court for the Eastern
District of Texas) (pending).
C. Lead and Back-up Counsel and Service Information
Lead Counsel
David OBrien Phone: 512-867-8457
HAYNES AND BOONE, LLP Fax: 214-200-0853
2323 Victory Ave. Suite 700 david.obrien.ipr@haynesboone.com
Dallas, TX 75219 USPTO Reg. No. 40,107
Back-up Counsel
Ashraf Fawzy Phone: 202-871-0110
Unified Patents Inc.
1875 Connecticut Ave NW, afawzy@unifiedpatents.com
Floor 10 USPTO Reg. No. 67,914
Washington, DC 20009
1
U.S. Patent 8,838,976
David L. McCombs Phone: 214-651-5533
2323 Victory Ave. Suite 700 david.mccombs.ipr@haynesboone.com
Hong Shi Phone: 512-867-8440

2323 Victory Ave. Suite 700 hong.shi.ipr@haynesboone.com
Jonathan Stroud Phone: 650-999-0455

Unified Patents Inc.
1875 Connecticut Ave NW, jonathan@unifiedpatents.com
Floor 10 USPTO Reg. No. 72,518
Washington, DC 20009
Please address all correspondence to lead and back-up counsel. Petitioner
consents to electronic service by eMail to Lead Counsel and each of the Back-up
Counsels.
II. CERTIFICATION OF GROUNDS FOR STANDING
Petitioner certifies pursuant to Rule 42.104(a) that the patent for which
review is sought is available for inter partes review and that Petitioner is not
barred or estopped from requesting an inter partes review challenging the patent
claims on the grounds identified in this Petition.
III. OVERVIEW OF CHALLENGE AND RELIEF REQUESTED
Pursuant to Rules 42.22(a)(1) and 42.104(b)(1)(2), Petitioner challenges
claims 1-2, 5-6, and 13 of the 976 Patent.
2
U.S. Patent 8,838,976
A. Prior Art Patents and Printed Publications
The following references are pertinent to the grounds:
1. US Patent 8,739,278 (filed on October 29, 2008; claiming priority to
an application filed on April 28, 2006; published on April 2, 2009;
issued on May 27, 2014) (Varghese (EX1006)), which is prior art
under at least 35 U.S.C. 102(a) and 102(e).1
2. US Patent 7,183,799 (filed on February 25, 2005; published on
February 27, 2007) (Donlin (EX1007)), which is prior art under at
least 35 U.S.C. 102(b).
3. US Patent 7,426,637 (filed on May 21, 2003; published on November
25, 2004) (Risan (EX1008)), which is prior art under at least 35
U.S.C. 102(b).
B. Statutory Grounds for Challenges
This Petition, supported by the declaration of Dr. Tewfik (Tewfik
Declaration or Tewfik (EX1004)), requests cancellation of claims 1-2, 5-6, and
13 under the Challenges listed below:
Challenge #1: Claims 1-2 and 5-6 of the 976 Patent are obvious under 35
U.S.C. 103(a) over Varghese in view of Donlin and Risan.
1
The 976 Patent issued from an application filed prior to the enactment of the
America Invents Act (AIA). Thus, the pre-AIA statutory framework applies.
3
U.S. Patent 8,838,976
Challenge #2: Claim 13 of the 976 Patent is obvious under 35 U.S.C.
103(a) over Varghese in view of Donlin.
IV. U.S. PATENT 8,838,976
A. Summary
The 976 Patent is generally directed to systems for authenticating the
identify [sic] of web site users via utilization of parameters of the users respective
client hardware. (EX1001, 9:6-8). The 976 Patent acknowledges that there are
known approaches to authenticate online users of services and content, such as
social networking sites, auction sites, shopping sites, etc. (Id., 1:22-24). The
976 Patent alleges that existing systems, including systems that use personally
identifiable information for authentication, may be inconvenient for users, and that
there was a need for an authentication service that provides reliable identification
of users, without being unduly burdensome. (Id., 1:33-36). The 976 Patent
purports to solve these issues by measur[ing] the client systems hardware
configuration and thereby generat[ing] a device identifier that can be used to
authenticate the user. (Id., 1:17-20).
Figure 1 of the 976 Patent illustrates a system 100 with an authentication
server 110 that is in operative communication with online service server 120 and a
user computer 130:
4
U.S. Patent 8,838,976
EX1001, FIG. 1
The 976 Patent explains that the user computer 130 includes an application
132 that collects machine information of the user computer 130. (Id., 4:34-37). A
device identifier is generated based on the collected machine information. (See id.,
1:52-54). More specifically, the claims of the 976 Patent require that such a
device identifier is generated from both a user configurable parameter and a
non-user-configurable machine property. (See id., 13:34-42, 14:25-28, 14:52-55,
15:11-19). The generated device identifier may be transmitted to an authentication
server for authenticating the user. (Id., 1:55-58).
But the system presented in the 976 Patentauthenticating an online
service user based on parameters and properties of the users computerwas well-
known in the art well before the 976 Patent was filed.
B. Level of Ordinary Skill in the Art
A person of ordinary skill in the art (POSITA) for the 976 Patent would
have a bachelors degree in computer science, computer engineering, electrical
5
U.S. Patent 8,838,976
engineering, or a related subject, and at least two years of experience working with
in network transaction systems, circuit design, computer hardware design, network
communications, and website design including the design of Internet applications
(which is closely related to both network communications system design and also
website design). (Tewfik, 57 (EX1004)).
C. Prosecution History
The 976 Patent issued on September 16, 2014 from Application No.
12/703,470 (the 470 Application), filed on February 10, 2010. The 470
Application claims priority2 to Provisional Application No. 61/151,449 (the 449
Provisional), which was filed on February 10, 2009.
The prosecution history of the 976 Patent includes multiple Office Actions.
In a last Action prior to allowance of the 470 Application, the Examiner indicated
that a feature describing non-user configurable machine properties relative to
carbon and/or silicon degradation was recited only in certain dependent claims,
but that those dependent claims would be allowable if rewritten in independent
form. (EX1002 at 1186, 1193). Specifically, the Examiner withdrew the previous
2
As explained more completed below, the 976 Patent is not entitled to priority
of the 479 Provisional as the 479 Provisional fails to provide written
description for a limitation appearing in each independent claim requiring use
of a carbon and/or silicon degradation characteristic.
6
U.S. Patent 8,838,976
rejection over prior art disclosing physical unclonable functions (PUFs) after
finding persuasive Applicants argument that carbon and silicon degradation
characteristics accrue with usage over time and is a different class of physical
variation than the initial manufacturing differences upon PUFs. (See Id., 1186).
Each of the independent claims, including the claims that ultimately issued
as claims 1 and 5 of the 976 Patent, was amended to include the requirement that
the physical non-user-configurable property collected as machine information must
include a carbon and/or silicon degradation characteristic of the user device.
(Id., 1210-1211). Further, the independent claim that ultimately issued as claim 13
of the 976 Patent was added by the applicant as new claim 21. The new claim 21
included the recited carbon and/or silicon degradation characteristic limitation,
and according to the prosecution history, was applicants attempt to focus the
invention most efficiently on subject matter that Examiner [] deemed allowable.
(Id., 1214-1215).
However, using a carbon and/or silicon degradation characteristic in
performing the functions recited in the challenged claims of the 976 Patent was
known in the art at the time that the 976 Patent was filed as evidenced by, for
example, the Varghese and Donlin-based grounds detailed below. (Tewfik, 121
(EX1004)). As demonstrated below, the prior art renders obvious each of the
limitations of challenged claims 1-2, 5-6, and 13.
7
U.S. Patent 8,838,976
D. Priority DateNo Earlier than February 10, 2010
The challenged claims are entitled to priority no earlier than February 10,
2010, the filing date of the 470 Application, which is the first document in the
Applicants priority chain that describes or even mentions a carbon and/or silicon
degradation characteristic. The challenged claims are not entitled to priority of
the 449 Provisional because the 449 Provisional does not provide written
description support for the carbon and/or silicon degradation characteristic
limitations recited in each independent claim of the 976 Patent.
For a patent to benefit from priority of the filing date of a prior provisional
application, it must satisfy 35 U.S.C. 119(e)(1), which provides that:
An application for patent filed under section 111(a) or section 363 of

this title for an invention disclosed in the manner provided by the first
paragraph of section 112 of this title in a provisional application filed
under section 111(b) of this title, by an inventor or inventors named in
the provisional application, shall have the same effect, as to such
invention, as though filed on the date of the provisional application
filed under section 111(b) of this title.
See Dynamic Drinkware, LLC v. National Graphics, Inc., 800 F.3d 1375, 1378
(Fed. Cir. 2015). In other words, the specification of the provisional must
contain a written description of the invention and the manner and process of
making and using it, in such full, clear, concise, and exact terms, to enable an
ordinarily skilled artisan to practice the invention claimed in the non-provisional

8
U.S. Patent 8,838,976
application." Id. (quoting New Railhead Mfg., L.L.C. v. Vermeer Mfg. Co., 298
F.3d 1290, 1294 (Fed. Cir. 2002) (internal citations omitted).
The written description requirement provides that a patentee must clearly
allow persons of ordinary skill in the art to recognize that [he] invented what is
claimed. Ariad Pharm., Inc. v. Eli Lilly & Co., 598 F.3d 1336, 1351 (Fed. Cir.
2010) (en banc) (quoting Vas-Cath Inc. v. Mahurkar, 935 F.2d 1555, 1563 (Fed.
Cir. 1991)). [T]he test for sufficiency is whether the disclosure of the application
relied upon reasonably conveys to those skilled in the art that the inventor had
possession of the claimed subject matter as of the filing date. Id. The analysis for
adequate written description is an objective inquiry into the four corners of the
specification. Ariad, 598 F.3d at 1351. Although the exact terms need not be used
in haec verba, the prior application must contain an equivalent description of the
claimed subject matter. See Lockwood v. American Airlines, Inc., 107 F.3d 1565,
1572 (Fed. Cir. 1997).
Each of the challenged independent claims of the 976 Patent (claims 1, 5,
and 13) recites that the at least one physical non-user-configurable property
comprises a carbon and/or silicon degradation characteristic of a network device
component. (EX1001, 13:37-40, 13:67-14:3, 15:14-17). As discussed above, this
limitation was relied upon by the examiner to allow the claims. But the 449
Provisional does not provide written description support for this limitation.
9
U.S. Patent 8,838,976
Indeed, the 449 Provisional nowhere even mentions a carbon and/or silicon
degradation characteristic.
Dr. Tewfik confirms that the 449 Provisional does not expressly or
inherently describe the use of a carbon and/or silicon degradation characteristic.
(Tewfik, 46-52 (EX1004)). The 449 Provisional describes that a device
identifier may be generated using a combination of user-configurable and non-
user-configurable machine parameters. (EX1003, 10). It finds that a machine
parameter is data determined by a hardware component, software component, or
data component specific to the device that the unique identifier pertains to, and
provides examples of machine parameters including, for example, machine model
and machine serial number. (Id., 10-12). However, the 449 Provisional does not
describe that machine parameters (or properties) include any carbon and/or silicon
degradation characteristic. (Tewfik, 47 (EX1004)).
Because of the written description failure, none of the claims of the 976
Patent, and certainly, none of the claims here challenged (claims 1-2, 5-6, and 13)
are entitled to priority of the 449 Provisional. Accordingly, the effective filing
date of all challenged claims of the 976 Patent is no earlier than February 10,
2010. For avoidance of doubt, even if the Board were to find otherwise, the prior
art relied upon by Petitioner still predates the filing date of the 449 Provisional by
more than three months.
10
U.S. Patent 8,838,976
V. CLAIM CONSTRUCTION
In this proceeding, claim language is given its broadest reasonable
construction in light of the specification of the patent in which it appears. 37
C.F.R. 42.100(b); Cuozzo Speed Techs., LLC v. Lee, 136 S. Ct. 2131, 2142
(2016). Terms not specifically construed below are given their plain and ordinary
meaning under the broadest reasonable interpretation. See id.
A. data regarding an online profile (claims 1 and 5)
The 976 Patent does not provide an explicit definition for this term.
However, the 976 patent provides user identification (ID) as an example of the
basic online account profile information (EX1001, 7:56-58), suggests that a
users name, picture, sex, age, location, social network connections and even blog
postings may be included in the information displayed for an online profile
(EX1001, 3:32-34, FIG. 4), and indicates that online profile information may be
updated to include the users registration status. (EX1001, 9:30-34).
Accordingly, a POSITA would understand the broadest reasonable interpretation
of the term data regarding an online profile to be any data relating to an online
user. (Tewfik, 62 (EX1004)).
B. user-configurable parameter and physical non-user-

configurable property (claims 1, 5, and 13)
The 976 Patent does not provide an explicit definition for these terms, but
provides examples of physical, non-user-configurable properties or parameters,
11
U.S. Patent 8,838,976
including unique manufacturer characteristics, carbon and silicone [sic]
degradation and small device failures and values for damaged sectors and data
storage failures of disk drives and solid state memory devices. (EX1001, 5:48-
49, 5:64-6:5).
During the prosecution of the 470 Application, the applicant explained the
difference between user-configurable and non-user-configurable:
[T]he conventional understanding of user-configurable generally

denotes parameters commonly supplied by end users of client devices
e.g. user password, user ID, machine name, phone number, credit card
number, etc., whereas non-user-configurable denotes parameters that
end users cannot establish nor change and which are fixed to
(uniquely associated with) either hardware or software.
(EX1003, 1173).
Accordingly, a POSITA would understand the broadest reasonable
interpretation of the term user-configurable parameter to be parameter of a
network device that may be configured by a user. (Tewfik, 68 (EX1004)).
Conversely, a POSITA would understand the broadest reasonable interpretation of
the term physical non-user-configurable property to be physical property of a
network device that may not be configured by a user. (Tewfik, 69 (EX1004)).
C. registered user signal (claims 2 and 6)
The 976 Patent does not provide an explicit definition for this term.
12
U.S. Patent 8,838,976
However, the 976 Patent describes the signal as follows, [w]hen the second
device identifier matches the first device identifier, a registered user signal may be
transmitted to a server hosting the online service. (EX1001, 9:47-49). The 976
Patent contemplates a number of servers involved in the provision of online
services, including a host server 120 and an authentication server 110. (EX1001,
9:22-38). Accordingly, a POSITA would understand the broadest reasonable
interpretation of the term registered user signal to be information indicating a
network device has been registered with an online service server or an
authentication server. (Tewfik, 71 (EX1004)).
VI. CLAIMS 1-2, 5-6, AND 13 ARE UNPATENTABLE3
A. Challenge 1: Claims 1-2, and 5-6 are obvious under 35 U.S.C.

103 in view of Varghese, Donlin, and Risan
1. Overview of Varghese
Varghese describes a system for determining whether requests (e.g.,
authentication requests, transaction requests, etc.) submitted by users of a software
application (e.g., online shopping application, online banking application, etc.) are
fraudulent. (EX1006, 11:24-28). Vargheses system uses a device fingerprint
identifying a device from which the request was submitted in fraud detection,
3
Unless otherwise specified, we have added bold for emphasis below. Quoted text
in italics is used to signify claim language; reference names are also italicized.
13
U.S. Patent 8,838,976
real-time authentication, authentication updating, and the like. (Id., 11:1-2, 11:38-
40).
Varghese describes a fingerprint process that gathers identifying
information describing the device from which the user request originated. (Id.,
8:57-58). Such device-identifying information may be captured by a client
program already resident on the user device. (Id., 24:28-29). The identity
information gathered is selected to identify the user device as uniquely as
possible, and may include hardware characteristics of the user device and/or
of the user devices network connections. (Id., 24:1, 24:35-37, 25:15-16). A
data token, referred to as a Device ID, may be generated based on [s]ome or all
of the device identityinformation. (Id., 24:44-47). And Varghese describes an
authentication server implementing a fraud analyzer and alert system process,
which is invoked with the Device ID and uses the Device ID to identify an
authorized user. (Id., 7:19-24, 8:65, 9:18-20).
Although Varghese was cited in an information disclosure statement (IDS)
during prosecution, it was never substantively discussed, and thus inter partes
review in light of Varghese-based grounds is appropriate. (EX1002, 1077). See
Limelight Networks, Inc. v. Mass. Inst. of Tech., IPR2017-00249, Paper 9, at 7
(May 18, 2017) (instituting despite a 325(d) challenge where reference was never
substantively discussed by Examiner). Furthermore, Varghese is combined with
14
U.S. Patent 8,838,976
Donlin and Risan; neither Donlin nor Risan was cited during prosecution. Thus,
the primary reference, Varghese, was never substantively discussed, and
Petitioners specific grounds, based on proposed combinations of Varghese, Donlin
and Risan (Challenge #1) and Varghese and Donlin (Challenge #2), have not yet
been considered by the Office. Additionally, Petitioners expert declaration, which
provides evidence as to how a POSITA would understand the teachings of
Varghese, has not yet been considered by the Office. In short, institution of trial is
warranted based on Petitioners challenges, and 325(d) does not provide a basis
for discretionary denial.
2. Overview of Donlin
Donlin is directed to enforcing a time-limited license to an IP core based
on silicon degradation characteristics, including electrical properties of a silicon
die that may degrade with use and over time. (EX1007, 2:59, 3:41-42).
Donlin teaches a programmable logic device including an IP core having a
predetermined license duration. (Id., 12:60-61). Donlin teaches that to enforce the
license, the programmable logic device may operate a metric circuit of a first
degradation rate. (Id., 12:53-54).
Donlin further teaches that a controller conditionally operates the licensed IP
core based on the level of degradation of the metric circuit. For example, the
controller may determine the level of degradation of the metric circuit. (Id., 10:55-
15
U.S. Patent 8,838,976
56). The level of degradation may be measured via the reduced drain/source
current, higher resistance and/or slower performance. (Id., 7:24-26). The
controller may then disable the licensed IP core after determining that the
measured level of degradation exceeds a given threshold. (Id., 10:61-64).
Donlin is not of record in the 976 Patent.
3. Overview of Risan
Risan is directed to controlling media sharing among nodes in a network
using cookies in a hidden file. (EX1008, Abstract). For instance, Risan teaches a
copyright compliance mechanism that may enable copyright compliance of media
files. (Id., 8:52-58). In Risans copyright compliance mechanism, a cookie can
be stored in a hidden directory within one or more non-volatile memory devices
within computer system to prevent user access and/or manipulation of that
information. (Id., 31:4-7). The cookie may contain information regarding the
users computer system, including, for example a unique identifier associated
with computer system, e.g., a MAC (machine address code) address, an IP
address, and/or the serial number of the central processing unit (CPU) operable on
computer system. (Id., 10:37-43). Such a cookie may be used by a webserver to
prevent unauthorized access to copyrighted media content because the
username, password, and the users computer system are closed associated. (Id.,
10:62-65).
16
U.S. Patent 8,838,976
Risan is not of record in the 976 Patent.
4. Reasons to Combine Varghese, Donlin, and Risan
a. Reasons to Combine Varghese and Donlin
A POSITA would have been motivated to combine Varghese and Donlin for
several reasons. (Tewfik, 88 (EX1004)).
First, Varghese and Donlin are analogous prior art and in the same field of
endeavor (resource access control). Both Varghese and Donlin discuss controlling
access to resources (determining whether requests . . . are fraudulent, enforcing
a time-limited license to an IP core) according to assigned access rights.
(EX1006, 11:24-27; EX1007, 2:59; Tewfik, 89 (EX1004)). Also, both Varghese
and Donlin describe methods in which the access to resources is controlled based
on hardware characteristics (hardware characteristics for device identifying
purposes, electrical properties of a silicon die [that] may degrade with use and
over time) that are unique to a particular device. (EX1006, 11:1-2, 11:38-40,
25:15-17; EX1007, 3:41-42; Tewfik, 89 (EX100)). [A]ny need or problem
known in the field of endeavor at the time of the invention and addressed by the
patent can provide a reason for combining the elements in the manner claimed.
KSR Intl Co. v. Teleflex Inc., 550 U.S. 398, 420 (2007). Here, improving control
of access to resources using hardware characteristics unique to a device is a need
or problem shared by Varghese and Donlin and provides at least one reason to
17
U.S. Patent 8,838,976
combine the respective teachings.
Second, Varghese provides express motivations to use Donlins teachings in
the system of Varghese. (Tewfik, 90 (EX1004). Varghese teaches selecting
device identity information to identify the user device as uniquely as possible.
(EX1006, 24:36). A POSITA would have recognized that Donlins silicon
degradation characteristics can uniquely identify a device. (Tewfik, 90 (EX1004).
Specifically, Donlins silicon degradation characteristics change with the devices
usage over time, which results in the uniqueness for identifying the device.
(Tewfik, 90 (EX1004).
Varghese also discusses techniques to secure the device identifier against
modification. (EX1006, 24:52). Donlins silicon degradation characteristics are
hardware based characteristics, and are measured based on device performance
including the reduced drain/ source current, higher resistance and/or slower
performance. (Dolin at 7:24-26 (EX1007)). As such, Donlins measurement of
silicon degradation characteristics is reliable and may not be configured by a user.
(Tewfik, 91 (EX1004). This would provide a POSITA with an additional express
motivation to use Donlins measurement of silicon degradation characteristics in
Vargheses system, namely, to obtain a more secure system that provides a unique
device identifier including hardware characteristics of the user device that may not
be configured by a user. (Tewfik, 91 (EX1004).
18
U.S. Patent 8,838,976
Varghese itself teaches using [m]any types of hardware characteristics
for device identifying purposes, including IP addresses, adapter MAC addresses,
local time and/or time zone, network connection speed such as download and/or
upload times, microprocessor type and/or processing and/or serial number, and the
like. (EX1006, 24:16-21). To meet Vargheses expressed goals of providing a
unique device identifier with a high level of security, a POSITA would have
looked to extend the [m]any types of hardware characteristics for device
identification that were explicitly described in Varghese to include additional
hardware characteristic that would uniquely identify a device and that would not be
configured by a user. (Tewfik, 92 (EX1004)).
Accordingly, a POSITA would have looked to Donlin for its teaching that
electrical properties of a silicon integrated circuit that degrade with use and over
time in a manner that is unique to a particular instance of the integrated circuit.
(Tewfik, 93 (EX1004)). Indeed, a POSITA would have recognized that Donlins
use of degrading electrical properties of a silicon integrated circuit (e.g., in the
form of a degrading metric circuit) could uniquely identify a device and would not
be configured by a user. (Tewfik, 93 (EX1004)). Based on that recognition, a
POSITA would have been motivated to extend Vargheses device identification
process for gathering hardware characteristics to include in the set of hardware
19
U.S. Patent 8,838,976
characteristics gathered for device identification Donlins measurement of
electrical properties of a silicon die that degrade with use and over time. (Tewfik,
93 (EX1004)). It would be nothing more than a simple substitution of a
demonstrably known alternative hardware characteristic (Donlins silicon
degradation characteristics) to the disclosed hardware characteristics in Varghese.
In re ICON Health & Fitness, Inc., 496 F.3d 1374 (Fed. Cir. 2007).
Finally, combining the teachings of Varghese and Donlin would produce
operable results that are predictable. Specifically, combining the functionality of
Vargheses device identification process and Donlins measurement of electrical
properties of a silicon integrated circuit that degrade with use and over time would
have been no more than the combination of known elements according to known
methods (e.g., incorporation of hardware and software functionality of two devices
into one), and would have been obvious to a POSITA at the time of the 976 Patent
to achieve the benefits of a device-based authentication system described by
Varghese. (Tewfik, 94 (EX1004)). The operation of Varghese would essentially
be unchanged, except for implementing Donlins teaching of measuring a
degradation level of a component of a device. (Tewfik, 94 (EX1004)). Donlins
measurement circuit, when incorporated into Varghese, would operate in a similar
manner to that described in Donlin. (Tewfik, 94 (EX1004)). The combination of
familiar elements according to known methods is likely to be obvious when it does
20
U.S. Patent 8,838,976
no more than yield predictable results. KSR at 415-16.
b. Reasons to Further Combine Risan with Varghese and

Donlin
A POSITA would likewise have been motivated to combine Risan with the
system taught by Varghese and Donlin (in combination). (Tewfik, 95 (EX1004)).
First, the references are analogous prior art and are in the same field of endeavor
(resource access control). (Tewfik, 96 (EX1004)). Like the system taught by
Varghese and Donlin, Risan discusses controlling access to resources according to
assigned access rightsdisclosing, amongst other things, methods in which access
to resources is controlled based on hardware characteristics. (EX1008, 10:62-65,
Tewfik, 96 (EX1004)). Risan discusses that a webserver may use a unique
identifier associated with a computer system to prevent unauthorized access to
copyrighted media content. (EX1008, 10:62-65). Such a unique identifier may
include hardware characteristics including, for example, the serial number of the
central processing unit (CPU) operable on computer system. (Id., 10:37-43).
[A]ny need or problem known in the field of endeavor at the time of the invention
and addressed by the patent can provide a reason for combining the elements in the
manner claimed. KSR, 550 U.S. at 420. As with the Varghese and Donlin
combination, improving control of access to resources is a need or problem also
shared by Risan, and that need or problem provides at least one reason to combine
the respective teachings.

21
U.S. Patent 8,838,976
Second, Varghese itself suggests the combination. (Tewfik, 97 (EX1004)).
A POSITA, having reviewed Varghese and Donlin would bring with them an
understanding of controlling access to resources based on hardware characteristics,
and would have recognized the benefits of Risans ability to store a unique
computer system identifier in a hidden directory to prevent modification of the
information. (EX1008, 31:4-7, Tewfik, 97 (EX1004)). Varghese already
considers protecting information against fraudsters/hackers, and stores data,
including its Device ID, that are encrypted, signed, or otherwise secured against
modification. (EX1006, 1:66, 24:51-52). A POSITA would have looked to use
routine additional security measures for protecting the Device ID stored in the
network device against access by fraudsters/hackers and modification. (Tewfik,
97 (EX1004)). Accordingly, a POSITA would have looked to Risan for its
teaching of using a cookie in a hidden directory to store information including a
unique computer system identifier, and would have used that hidden directory with
the system of Varghese and Donlin to store the Device ID and further improve its
security. (Tewfik, 97 (EX1004)). Storing of an encrypted Device ID in a hidden
directory would have provided multiple layers of protection.
Finally, combining the teachings of Risan with the system taught by
Varghese and Donlin would produce operable results that are predictable. (Tewfik,
98 (EX1004)). Incorporating the arrangement of a hidden directory within one
22
U.S. Patent 8,838,976
or more non-volatile memory devices within computer system of Risan in the user
computing system of Varghesewhich stores the encrypted Device IDwould
have been no more than incorporation of known storage functionality into a
computing device to further enhance security. (Tewfik, 98 (EX1004)). Thus,
incorporating the teachings of Risan into the system taught by Varghese and
Donlin would have been no more than the combination of known elements
according to known methods, and would have been obvious to a POSITA at the
time of the 976 Patent.
5. Analysis
Claim 1
[1.1] A computer-implemented method for authenticating a user of an

online service, comprising:
To the extent the preamble is deemed limiting, Varghese teaches a
computer-implemented method for authenticating a user of an online service.
(Tewfik, 99 (EX1004)). As shown in FIG. 13A (annotated below), Varghese
describes user computing devices 720 used by end-users to submit various
requests (e.g., login requests, transaction requests, etc.) to service provider
applications including online shopping application[s and] online banking
application[s], each of which constitute an online service as recited in the claim.
(EX1006, 6:46-52, 11:26-27, Tewfik, 100 (EX1004)).
23
U.S. Patent 8,838,976
EX1006, FIG. 13A (annotated)

Therefore, Varghese teaches a computer-implemented method for
authenticating a user of an online service.
[1.2] retrieving, by a network device, data regarding an online profile of

the user for the online service, the network device being used by the
user to access the online service;
Varghese describes retrieving, by a network device used by the user to
access the online service, data regarding an online profile of the user for the online
service. (Tewfik, 104 (EX1004)). As explained above, data regarding an online
profile is properly construed as any data relating to an online user. (See supra,
at 11).
First, as shown in Figure 1 annotated below, Varghese describes that a user
computer device 14 (network device) is used by a user to enter[] authentication
information (e.g., a user ID and password) for submitting user requests to a

24
U.S. Patent 8,838,976
service provider application. (EX1007, 1:42-45, Tewfik, 105 (EX1004)). A
user computer device, especially one that is used to access an online service, is a
network device. (Tewfik, 105 (EX1004)).
EX1006, FIG. 1 (annotated)
Second, a POSITA would have understood that retrieving data, whether
locally (from the network device) or remotely (from another device, e.g., an online
service server or an authentication server, through a network) teaches the claimed
retrieving data. (Tewfik, 106 (EX1004)). In fact, Varghese teaches retrieving
25
U.S. Patent 8,838,976
data regarding an online profile of the user both locally from the network device
and remotely from an authentication server through a network. (Tewfik, 107
(EX1004)).
For example, the Remember my ID function illustrated in FIG. 1 of
Varghese teaches that data regarding an online profile of the user for the online
service (e.g., the users ID) is to be retrieved by the network device (e.g., the
illustrated laptop computer) that accesses the online service. (Tewfik, 108
(EX1004)). A POSITA would have understood that Varghese teaches that when
the Remember my ID function is selected as illustrated in Figure 1, the network
device retrieves a user ID that has been previously stored on the network device.
(Tewfik, 108 (EX1004)). Such a retrieved user ID constitutes retrieved data
regarding an online profile of the user for the online service as recited and
properly construed, because the retrieved user ID is data relating to an online
user. (See supra, at 11; Tewfik, 108 (EX1004)).
Further, Varghese also teaches retrieving data relating to an online user from
a remote authentication server, when it describes retrieval by a network device of
personal questions and personal information (data regarding an online profile) of
the user for the online service, so that the user may provide additional security
information before being allowed access. (EX1006, 9:21-27; Tewfik, 109
(EX1004)). As described with reference to Figure 13B below, Vargheses
26
U.S. Patent 8,838,976
authenticator receives interface selection criteria from the authentication server,
and sends an authentication interface that should be displayed to the user at the
current user device in order to authenticate the current access request. (EX1006,
27:32-41). The authentication interface involves seeking responses to detailed
authentication questions including personal questions. (EX1006, 9:21-27, 9:37-
51; Tewfik, 109 (EX1004)).
Because the questions are personal questions that can be used at the current
user device to authenticate the user, a POSITA would have understood Vargheses
disclosure to teach retrieving at least the personal questions from the online
service. (Tewfik, 110 (EX1004)). The retrieved personal questions constitute
data regarding an online profile of the user for the online service as recited and
properly construed, because they are data relating to an online user. (See supra,
at 11; Tewfik, 110 (EX1004)).
27
U.S. Patent 8,838,976
EX1006, FIG. 13B (annotated)
Therefore, whether the retrieval is local or remote, Varghese teaches
retrieving, by a network device, data regarding an online profile of the user for
the online service, the network device being used by the user to access the online
service. (Tewfik, 111 (EX1004)).
[1.3] collecting, by the network device, machine information regarding

the network device,
Varghese describes a fingerprint process 400 collecting, by a user device
(network device), device-identifying information (machine information) regarding
the user device. (Tewfik, 112 (EX1004)).
Varghese discusses a fingerprint process 400, which refers not to a human
28
U.S. Patent 8,838,976
fingerprint, but rather to an authentication process invoked with input data
describing the user request. (EX1006, 8:56-57). The fingerprint process 400
gathers identifying information describing the device from which the user request
originated. (EX1006, 8:55-60).
First, in Varghese, the device-identifying information characterizes the
originating device itself, such as its hardware and software components.
(EX1006, 13:13-15). Vargheses device-identifying information describing the
network device corresponds to machine information regarding the network
device in the claim. (Tewfik, 114 (EX1004)).
Table 4 of Varghese below provides examples of hardware and software
characteristics that can be extracted from a device by a browser-hosted process
for characterize[ing] the originating device. (EX1006, 13:13-16; Tewfik, 115
(EX1004)).
29
U.S. Patent 8,838,976
EX1006, TABLE 4
For example, Varghese and Table 4 describe software characteristics
including operating system information, browser information, and audio/video
related software information. (EX1006, Table 4; Tewfik, 115 (EX1004)).
Further, Varghese and Table 4 describes that the device-identifying information
may include various device hardware characteristics extracted from a device.
(EX1006, Table 4; Tewfik, 115 (EX1004)). In particular, as shown in Table 4,
the hardware characteristics of the device include computer monitor characteristics
such as screen dots per inch (DPI), screen resolution, and screen color, and
30
U.S. Patent 8,838,976
peripheral device information indicating whether the user device has a microphone,
has printer support, or has an audio card. (EX1006, Table 4; Tewfik, 115
(EX1004)).
Additionally, Varghese describes that [m]any types of hardware
characteristics can be gathered for device identifying purposes including IP
addresses, adapter MAC addresses, local time and/or time zone, network
connection speed such as download and/or upload times, microprocessor type
and/or processing and/or serial number, and the like. (EX1006, 25:18-21).
Second, Vargheses fingerprint process gathers device identifying
information and teaches a process that includes collecting machine information
regarding the network device, as recited in the claim. Varghese teaches that the
fingerprint process device may capture the device identifying information by a
client program that may be a web browser or a software module. (EX1006,
24:27-32). Varghese describes that for Internet applications, the software module
can be a plugin, a script, or an applet (e.g., a Java applet) downloaded by the web
browser and executed. (EX1006, 24:33-37). Accordingly, Vargheses fingerprint
process collects the device-identifying information. (Tewfik, 118 (EX1004)).
Third, Varghese teaches that the fingerprint process 400 is performed by the
user device (a network device). (Tewfik, 119 (EX1004)). Varghese teaches
that the fingerprint process 400 may be performed by a client program already
31
U.S. Patent 8,838,976
resident on the user device. (EX1006, 24:27-37; Tewfik, 119 (EX1004)).
Vargheses client program may include a web browser or a software module
that was downloaded to the user device and executed to gather identifying
information. (EX1006, 24:31-35). Accordingly, Vargheses fingerprint process
executes on the network device and collects the device-identifying information.
(Tewfik, 119 (EX1004)).
Thus, Vargheses fingerprint process that gathers identifying information
describing the network device teaches collecting, by the network device, machine
information regarding the network device. (Tewfik, 120 (EX1004)).
[1.4] the collected machine information comprising at least one user-

configurable parameter and at least one physical non-user-
configurable property of the network device, wherein the at least one
physical non-user-configurable property comprises a carbon and/or
silicon degradation characteristic of a network device component;
The combination of Varghese and Donlin together disclose and suggest the
collected machine information comprising at least one user-configurable
parameter and at least one physical non-user-configurable property of the network
device, wherein the at least one physical non-user-configurable property
comprises a carbon and/or silicon degradation characteristic of a network device
component. (Tewfik, 121 (EX1004)).
First, Varghese teaches that the collected machine information includes at
least one user-configurable parameter of the network device. (Tewfik, 122
32
U.S. Patent 8,838,976
(EX1004)). As explained above, a user-configurable parameter is properly
construed as a parameter of a network device that may be configured by a user.
(See supra, at 11).
As discussed above with reference to limitation [1.3], Varghese teaches that
various hardware and software characteristics of the network device can be
gathered for device identifying purposes. (EX1006, Table 4, 25:17; Tewfik,
124 (EX1004). The device information listed in Table 4 of Varghese includes
many types of parameters including, for example, parameters associated with
operating system information, browser information, hardware information,
software information, and location information of the network device. (EX1006,
Table 4, 25:17; Tewfik, 124 (EX1004). Specifically, those listed parameters of
device information including for example, location and language, could, at the time
of the 976 Patent, be configured by a user (e.g., by using the Region and
Language item in a control panel of a computer device that used a Windows
operating system). (EX1006, Table 4, 25:17; Tewfik, 124 (EX1004). As such,
those listed parameters of device information of Table 4 of Varghese including
location and language correspond to at least one user-configurable parameter of
the network device as recited and properly construed, as they are examples of a
parameter of a network device that may be configured by a user. (See supra, at
11; Tewfik, 124 (EX1004)).
33
U.S. Patent 8,838,976
As an additional example of the recited user-configurable parameter,
Varghese teaches that the fingerprint process may collect [m]any types of
hardware characteristics, including local time and/or time zone. (EX1006,
25:14-21). A POSITA would understand that the local time and/or time zone of
that user computer device may be configured by a user (e.g., by the users edit to
time settings of that user computer device). (Tewfik, 125 (EX1004)).
Accordingly, the local time and time zone parameters also correspond to user-
configurable parameter of the network device as recited and properly construed,
as they are examples of a parameter of a network device that may be configured
by a user. (Tewfik, 125 (EX1004)).
Second, Dolin teaches collecting machine information including at least
one physical non-user-configurable property, wherein the at least one physical
non-user-configurable property comprises a carbon and/or silicon degradation
characteristic of a network device component. (Tewfik, 126 (EX1004)).
Donlin teaches that electrical properties of a silicon die that may
degrade with use and over time may be used to enforce a time-limited license
to an IP core. (EX1007, 2:59, 3:41-42; Tewfik, 127 (EX1004)). Donlins
electrical properties of a silicon die are physical properties of a device that may not
be configured by a user. (Tewfik, 127 (EX1004). Such electrical properties of
the silicon die include a hot electron degradation characteristic. (EX1007,
34
U.S. Patent 8,838,976
6:56; Tewfik, 128 (EX1004)). Using an n-channel metal-oxide-semiconductor
field-effect-transistor (NMOSFET) as an example, Donlin teaches that trapped
carriers in the silicon may establish a fixed charge which, over time, may
accumulate to further degrade the performance of the NMOSFET. (EX1007, 7:19-
7:21; Tewfik, 128 (EX1004)). The degraded performance may be measured via
the reduced drain/ source current, higher resistance and/or slower performance.
(EX1007, 7:22-7:26; Tewfik, 132 (EX1004)).
As such, Donlins disclosures of electrical properties of a silicon die that
degrade with use and over time are a silicon degradation characteristic as
recited in element [1.4] of the 976 Patent. (Tewfik, 134 (EX1004)). Further,
because the 976 Patent itself (both definitionally in the language of element [1.4]
and in its description) defines physical non-user-configurable properties to
include carbon and silicone [sic] degradation, Donlins disclosed electrical
properties of a silicon die that degrade with use and over time also correspond to
the recited physical non-user-configurable property. (EX1001, 2:41-63, Tewfik,
135 (EX1004)). As explained above, physical non-user-configurable property
is properly construed as a physical property of a network device that may not be
configured by a user. (See supra, at 11).
A POSITA would have been motivated to combine Donlins teaching that
the degradation of a silicon integrated circuit is a device characteristic that can be
35
U.S. Patent 8,838,976
collected to uniquely identify a particular device with Vargheses device
identification process for gathering device identifying information for a particular
device. (Tewfik, 136 (EX1004)).
several reasons. (Tewfik, 88 (EX1004)).
First, Varghese and Donlin are analogous prior art and in the same field of
endeavor (resource access control). Both Varghese and Donlin discuss controlling
access to resources (determining whether requests . . . are fraudulent, enforcing
a time-limited license to an IP core) according to assigned access rights.
(EX1006, 11:24-27; EX1007, 2:59; Tewfik, 89 (EX1004)). Also, both Varghese
and Donlin describe methods in which the access to resources is controlled based
on hardware characteristics (hardware characteristics for device identifying
purposes, electrical properties of a silicon die [that] may degrade with use and
over time) that are unique to a particular device. (EX1006, 11:1-2, 11:38-40,
25:15-17; EX1007, 3:41-42; Tewfik, 89 (EX100)). [A]ny need or problem
known in the field of endeavor at the time of the invention and addressed by the
patent can provide a reason for combining the elements in the manner claimed.
KSR Intl Co. v. Teleflex Inc., 550 U.S. 398, 420 (2007). Here, improving control
of access to resources using hardware characteristics unique to a device is a need
or problem shared by Varghese and Donlin and provides at least one reason to
36
U.S. Patent 8,838,976
combine the respective teachings.
Second, Varghese provides express motivations to use Donlins teachings in
the system of Varghese. (Tewfik, 90 (EX1004). Varghese teaches selecting
device identity information to identify the user device as uniquely as possible.
(EX1006, 24:36). A POSITA would have recognized that Donlins silicon
degradation characteristics can uniquely identify a device. (Tewfik, 90 (EX1004).
Specifically, Donlins silicon degradation characteristics change with the devices
usage over time, which results in the uniqueness for identifying the device.
(Tewfik, 90 (EX1004).
Varghese also discusses techniques to secure the device identifier against
modification. (EX1006, 24:52). Donlins silicon degradation characteristics are
hardware based characteristics, and are measured based on device performance
including the reduced drain/ source current, higher resistance and/or slower
performance. (Dolin at 7:24-26 (EX1007)). As such, Donlins measurement of
silicon degradation characteristics is reliable and may not be configured by a user.
(Tewfik, 91 (EX1004). This reliability and non-configurability would have
provided a POSITA with an additional express motivation to use Donlins
measurement of silicon degradation characteristics in Vargheses system, namely,
to obtain a more secure system that provides a unique device identifier including
hardware characteristics of the user device that may not be configured by a user.
37
U.S. Patent 8,838,976
(Tewfik, 91 (EX1004).
Varghese itself teaches using [m]any types of hardware characteristics
for device identifying purposes, including IP addresses, adapter MAC addresses,
local time and/or time zone, network connection speed such as download and/or
upload times, microprocessor type and/or processing and/or serial number, and the
like. (EX1006, 24:16-21). To meet Vargheses expressed goals of providing a
unique device identifier with a high level of security, a POSITA would have
looked to extend the [m]any types of hardware characteristics for device
identification that were explicitly described in Varghese to include additional
hardware characteristic that would uniquely identify a device and that would not be
configured by a user. (Tewfik, 92 (EX1004)).
Accordingly, a POSITA would have looked to Donlin for its teaching that
electrical properties of a silicon integrated circuit that degrade with use and over
time in a manner that is unique to a particular instance of the integrated circuit.
(Tewfik, 93 (EX1004)). Indeed, a POSITA would have recognized that Donlins
use of degrading electrical properties of a silicon integrated circuit (e.g., in the
form of a degrading metric circuit) could uniquely identify a device and would not
be configured by a user. (Tewfik, 93 (EX1004)). Based on that recognition, a
POSITA would have been motivated to extend Vargheses device identification
process for gathering hardware characteristics to include in the set of hardware
38
U.S. Patent 8,838,976
characteristics gathered for device identification Donlins measurement of
electrical properties of a silicon die that degrade with use and over time. (Tewfik,
93 (EX1004)). It would be nothing more than a simple substitution of a
demonstrably known alternative hardware characteristic (Donlins silicon
degradation characteristics) to the disclosed hardware characteristics in Varghese.
In re ICON Health & Fitness, Inc., 496 F.3d 1374 (Fed. Cir. 2007).
Finally, combining the teachings of Varghese and Donlin would have
produced operable results that were predictable. Specifically, combining the
functionality of Vargheses device identification process and Donlins
measurement of electrical properties of a silicon integrated circuit that degrade
with use and over time would have been no more than the combination of known
elements according to known methods (e.g., incorporation of hardware and
software functionality of two devices into one), and would have been obvious to a
POSITA at the time of the 976 Patent to achieve the benefits of a device-based
authentication system described by Varghese. (Tewfik, 94 (EX1004)). The
operation of Varghese would essentially be unchanged, except for implementing
Donlins teaching of measuring a degradation level of a component of a device.
(Tewfik, 94 (EX1004)). Donlins measurement circuit, when incorporated into
Varghese, would operate in a similar manner to that described in Donlin. (Tewfik,
94 (EX1004)). The combination of familiar elements according to known
39
U.S. Patent 8,838,976
methods is likely to be obvious when it does no more than yield predictable
results. KSR at 415-16.
Thus, Vargheses fingerprint process for collecting device identifier
information regarding the network device, in view of Donlins teachings to use
electrical properties of a silicon die that degrade with use and over time, renders
obvious the collected machine information comprising at least one user-
configurable parameter and at least one physical non-user-configurable property
of the network device, wherein the at least one physical non-user-configurable
property comprises a carbon and/or silicon degradation characteristic of a
network device component. (Tewfik, 121 (EX1004)).
[1.5] generating a device identifier based at least in part on the collected

machine information;
Varghese discloses generating a device identifier based at least in part on the
collected machine information. (Tewfik, 143 (EX1004)).
Varghese teaches that the fingerprint process 400 creates a device identifier
( a Device ID) after gathering identifying information describing the device
from the network device. (EX1006, 9:55-64). Varghese further describes that
[s]ome or all of the device identity (along with identifying information
generated by the fingerprint process) information is stored in a data token
referred to as a Device ID. (EX1006, 24:44-47). The Device ID corresponds to
the recited device identifier of the 976 Patent, and Varghese teaches generating
40
U.S. Patent 8,838,976
the Device ID based on the collected machine information by generating a data
token (Device ID) that stores some or all of the device identity information.
(Tewfik, 145 (EX1004)).
Thus, Varghese teaches generating a device identifier based at least in part
on the collected machine information. (Tewfik, 148 (EX1004)).
[1.6] storing the generated device identifier in a hidden file directory of

the network device; and
First, Varghese teaches that the Device ID (the generated device identifier)
is stored on the user computing device from which it can be retrieved and form
part of the device identifying information to be used during a subsequent
fingerprint. (EX1006, 8:61-64). To wit, Varghese describes that the Device ID
may be stored in a protected form that is encrypted, signed, or otherwise secured
against modification, and that remain[s] resident on the user device even when it is
not accessing a service provider application. (Id., 24:48-60). Such a Device ID
may also have been stored by the fingerprint processes of the present invention
during the course of a prior identification of this device. (Id., 24:48-60). Hidden
folders and file directories are common features available in most operating
systems (e.g., Windows, Linux, and Macintosh operating systems) available at the
time of the 976 Patent. In those operating systems, hidden Files and folders can
be hidden from view in file systems in order to reduce chances of users
accidentally damaging or deleting critical system and configuration files, or to

41
U.S. Patent 8,838,976
make the files and folders invisible to casual snoopers and thereby improving
security. (Tewfik, 150 (EX1004)). It would have been obvious to a POSITA to
use a hidden file directory in Varghese to store the Device ID, such that the stored
Device ID would be further secured against modification and protected from
fraudsters and hackers. (Tewfik, 150 (EX1004)).
Second, to the extent that Varghese does not itself disclose or suggest using
a hidden file directory of the network device to store the generated device
identifier, Risan teaches storing a device identifier in a hidden file directory of a
network device as a technique for protecting the device identifier. (Tewfik, 151
(EX1004)). Risan is directed to common means of controlling media-sharing
among nodes in a network using cookies (EX1008, Abstract) and teaches a
copyright compliance mechanism for media files. (Id., 8:52-58). In Risans
copyright compliance mechanism, a cookie can be stored in a hidden directory
within one or more non-volatile memory devices within computer system to
prevent user access and/or manipulation of that information. (Id., 31:4-7). The
cookie may contain information regarding the users computer system, including
for example a unique identifier associated with computer system, e.g., a MAC
address, an IP address, and/or the serial number of the central processing unit
(CPU) operable on [a] computer system. (Id., 10:37-43). Such a cookie may be
used by a web server to prevent unauthorized access to copyrighted media
42
U.S. Patent 8,838,976
content because the username, password, and the users computer system are
closed associated. (Id., 10:62-65).
A POSITA would have found it obvious to look to and incorporate the
teachings of Risans protected cookie method into the system of Varghese and
Donlin by using Risans hidden directory to store Vargheses Device ID in the
network device such that the stored Device ID in Varghese would be further
secured against modification and protected from fraudsters and hackers. (Tewfik,
153 (EX1004)).
First, the references are analogous prior art and are in the same field of
endeavor (resource access control). (Tewfik, 154 (EX1004)). Like Varghese and
Donlin, Risan discusses controlling access to resources according to assigned
access rights, and implementations in which the access to resources is controlled
based on hardware characteristics. (EX1008, 10:62-65; Tewfik, 154 (EX1004)).
Risan discusses that a web server may use a unique identifier associated with a
computer system to prevent unauthorized access to copyrighted media content.
(EX1008, 10:62-65). Such a unique identifier may include hardware
characteristics such as the serial number of the central processing unit (CPU)
operable on computer system. (Id., 10:37-43). [A]ny need or problem known in
the field of endeavor at the time of the invention and addressed by the patent can
provide a reason for combining the elements in the manner claimed. KSR, 550
43
U.S. Patent 8,838,976
U.S. at 420. As with the Varghese and Donlin combination, improving control of
access to resources is a need or problem also shared by Risan, and that need or
problem provides at least one reason to combine the respective teachings.
Second, Vargheses explicit consideration of encryption, digital signature,
and other protective methods to secure its Device ID against modification suggests
the combination. (Tewfik, 155 (EX1004)). A POSITA, having reviewed
Varghese and Donlin would bring with them an understanding of access control to
resources based on hardware characteristics, and would have recognized the
additional benefits of Risans ability to store a unique computer system identifier
in a hidden directory to further protect the Device ID from unauthorized access to
and/or modification of the information. (EX1008, 31:4-7; Tewfik, 155 (EX1004)).
Varghese already considers protection information against fraudsters/hackers,
and stores data including its Device ID that are encrypted, signed, or otherwise
secured against modification. (EX1006, 1:66, 24:51-52). A POSITA would
have looked to use additional security measures for protecting the Device ID stored
in the network device against access by fraudsters/hackers and modification.
(Tewfik, 155 (EX1004)). Accordingly, a POSITA would have looked to Risan
for its teaching of utilizing a hidden directory to store information including a
unique computer system identifier, and use that hidden directory in the system of
Varghese and Donlin to store the Device ID and achieve improved security.
44
U.S. Patent 8,838,976
(Tewfik, 155 (EX1004)).
Finally, combining the teachings of Risan with the system taught by
Varghese and Donlin would produce operable results that are predictable. (Tewfik,
156 (EX1004)). Incorporating the arrangement of a hidden directory within one
or more non-volatile memory devices within computer system of Risan in the user
computing system of Varghese, which stores the encrypted Device ID would have
been no more than the incorporation of known storage functionality into a
computing device. Incorporating the teachings of Risan into the system taught by
Varghese and Donlin would have been no more than the combination of known
elements according to known methods, and would have been obvious to a POSITA
at the time of the 976 Patent. (Tewfik, 156 (EX1004)).
Thus, Vargheses fingerprint process for storing the generated device
identifier in the network device, in view of Risans further teaching to employ
hidden directories, renders obvious storing the generated device identifier in a
hidden file directory of the network device. (Tewfik, 157 (EX1004)).
[1.7] transmitting the generated device identifier and the retrieved online
profile data to an authentication server.
First, Varghese teaches transmitting the generated device identifier to the
authentication server. (Tewfik, 158 (EX1004)). As discussed above relative to
limitations [1.5] and [1.6], Varghese teaches that the fingerprint process uses the
network device to generate a Device ID (device identifier) and store the Device ID
45
U.S. Patent 8,838,976
on the network device. (Tewfik, 158 (EX1004)). As shown in FIG. 13B below,
Varghese teaches that the Device ID (device identifier) is transmitted from a
network device implementing the fingerprint process to the authentication server
implementing the FAAS process. (Tewfik, 158 (EX1004)). Varghese also
teaches that the FAAS process in the authentication server is invoked with the
Device ID. (EX1006, 8:65-9:4). As such, the device identifier is transmitted
from where it is generated (the network device) to where it is received (the FAAS
process in the authentication server). (Tewfik, 158 (EX1004)).
EX1006, FIG. 13B, annotated

46
U.S. Patent 8,838,976
Second, Varghese teaches transmitting the retrieved online profile data to
the authentication server. (Tewfik, 159 (EX1004)). As discussed above relative
to limitation [1.2], Varghese teaches that the network device retrieves data
regarding an online profile of a user for an online service. (Tewfik, 159
(EX1004)). As explained above, data regarding an online profile is properly
construed as any data relating to an online user, and examples of such retrieved
data include a stored user ID retrieved based on the Remember my ID function
and personal questions retrieved as part of an authentication interface, which are
presented to a user at the current user device to authenticate the user. (Tewfik,
159 (EX1004)).
Varghese describes that the FAAS process in the authentication server is
invoked with user identifying information. (EX1006, 8:66-67). A POSITA
would have understood that the user identifying information received by the
authentication server includes the user ID retrieved by the network device based on
the Remember my ID function. (Tewfik, 160 (EX1004)).
Further, Varghese discloses that in response to receiving the authentication
interface including the personal questions and personal information, a user may
enter requested authentication information. (EX1006, 27:39-52; Tewfik, 161
(EX1004)). Varghese teaches that the entered information (known as user
authentication information) is returned to the FAAS in the authentication server.
47
U.S. Patent 8,838,976
(EX1006, 27:39-52; Tewfik, 161 (EX1004)). A POSITA would have understood
Varghese to teach transmitting user authentication information, including the
personal questions and personal information responses or selections, from the
network device to the authentication server so that the authentication server could
determine the personal question(s) to which the user was responding. (Tewfik,
161 (EX1004)).
Thus, Varghese teaches transmitting the generated device identifier and the
retrieved online profile data to an authentication server. (Tewfik, 162
(EX1004)).
Claim 2
[2.1] The method of claim 1, further comprising, in response to the

generated device identifier matching a known identifier, receiving a
registered user signal from the authentication server.
Varghese teaches that in response to the generated device identifier
matching a known identifier, a registered user signal is received from the
authentication server. (Tewfik, 163 (EX1004)). As explained above, a
registered user signal is properly construed as information indicating a network
device has been registered with an online service server or an authentication
server. (See supra, at 12).
First, as shown in Figure 6 below, Varghese teaches determining that the
generated device identifier matches a known identifier. (Tewfik, 164 (EX1004)).
48
U.S. Patent 8,838,976
In Varghese, the FAAS process implemented by the authentication server receives
the Device ID (generated device identifier) from the fingerprint process
implemented by the user device (network device). (EX1006, 26:22-34). The
FAAS process uses the Device ID to cross reference the device/profile history
database 610 in order to determine if the current device has previously accessed the
service provider application/system. (Id., 26:22-34). A POSITA would have
understood that Vargheses usage of the Device ID to cross reference the
device/profile history database teaches matching the Device ID (generated device
identifier) with a known identifier stored in the device/profile history database by
using the Device ID to cross reference the device/profile history database.
(Tewfik, 164 (EX1004)).
49
U.S. Patent 8,838,976
EX1006, FIG. 6 (annotated)
Second, Varghese teaches that in response to the generated device identifier
matching a known identifier, a service provider application/system may receive,
from the authentication server, a registered user signal. (Tewfik, 165 (EX1004)).
As shown in Figure 6 above, Varghese teaches that in response to the generated
device identifier matching a known identifier, it is determined that the current
device has previously accessed the service provider application/system.
(EX1006, 26:28-31). Varghese then teaches that in response to such a

50
U.S. Patent 8,838,976
determination, information stored therein and associated with the current device
(e.g., risk information) is retrieved. (Id., 26:31-32).
As shown in Figure 13B below, Varghese teaches that the authentication
server may provide a signal including the information associated with the current
device (e.g., risk information) to a service provider application/system, which can
then perform, for example, more thorough checking of authentication data or
request the authentication services of the present invention to re-authenticate the
user or request. (Id., 9:43-47; Tewfik, 166 (EX1004)).
A POSITA would have recognized that a signal including the information
associated with the current device received a service provider application/system
51
U.S. Patent 8,838,976
from the authentication server constitutes a registered user signal as recited and
properly construed, because it includes information indicating a network device
has been registered with an online service server or an authentication server.
(Tewfik, 167 (EX1004)).
Accordingly, Varghese teaches limitation [2.1]. (Tewfik, 168 (EX1004)).
Claim 5
[5.1] A non-transitory computer readable medium comprising executable

code for a Java Virtual Machine (JVM) to:
To the extent the preamble is deemed limiting, Varghese teaches that a
network device includes a non-transitory computer readable medium including
executable code for a Java Virtual Machine (JVM). (Tewfik, 169 (EX1004).
First, Varghese teaches a machine-readable medium having stored thereon a
series of instructions (executable code) which, when executed by a processing
component, cause the processing component to detect anomalous data submitted to
a software application. (EX1006, 4:64-5:2; Tewfik, 170 (EX1004)).
Second, Varghese teaches that such executable code is for a Java Virtual
Machine (JVM). As discussed above with reference to limitation [1.3], Varghese
teaches that the machine information may be captured by a client program already
resident on the user device. Varghese then describes that the client program may
include a software module that may an applet (e.g., a Java applet) downloaded by
the web browser. (EX1006, 24:27-37). Further, Varghese describes that user
52
U.S. Patent 8,838,976
interfaces are sent to the user device using suitable software, including Java. (Id.,
29:7-19). Java applets and code are executed by a JVM. (Tewfik, 171
(EX1004)).
Thus, Varghese teaches the preamble. (Tewfik, 172 (EX1004)).
[5.2] retrieve data regarding an online profile of a user for an online

service;
Varghese teaches this limitation for the reasons discussed supra regarding
limitation [1.2].
[5.3] collect machine information regarding a network device being used

by the user to access the online service,
limitation [1.3].
[5.4] the collected machine information comprising at least one user-

configurable parameter and at least one physical non-user-
configurable property of the network device, wherein the at least one
physical non-user-configurable property comprises a carbon and/or
silicon degradation characteristic of a network device component;
The combination of Varghese and Donlin renders this limitation obvious for
the reasons discussed supra regarding limitation [1.4].
[5.5] generate a device identifier based at least in part on the collected

machine information;
limitation [1.5].
53
U.S. Patent 8,838,976
[5.6] store the generated device identifier in a hidden file directory of the
network device; and
The combination of Varghese and Risan renders this limitation obvious for
the reasons discussed supra regarding limitation [1.6].
[5.7] transmit the generated device identifier and the retrieved online
profile data to an authentication server.
limitation [1.7]. Thus, claim 5 is unpatentable over the combination of Varghese,
Donlin, and Risan as applied to claim 1. (See supra, at 23)
Claim 6
[6.1] The non-transitory computer readable medium of claim 5, further

comprising executable code for the JVM to, in response to the
generated device identifier matching a known identifier, receive a
registered user signal from the authentication server.
limitations [2.1] and [5.1]. Thus, claim 6 is unpatentable over the combination of
Varghese, Donlin, and Risan, as applied to claims 2 and 5. (See supra, at 48, 52).
B. Challenge 2: Claim 13 is obvious under 35 U.S.C. 103 in view of

Varghese and Donlin
1. Overview of Varghese and Donlin
An overview of Varghese and Donlin is provided in VI.A.1 and 2, supra
at 13, 15.
54
U.S. Patent 8,838,976
2. Reasons to Combine Varghese and Donlin
the reasons detailed above in VI.A.4.a, supra at 17.
3. Analysis
Claim 13
[13.1] A computer-implemented method for authenticating a user of an

online service, comprising:
Varghese teaches this limitation for the reasons discussed supra relative to
limitation [1.1].
[13.2] retrieving, by a network device, machine information regarding the

network device,
Varghese teaches retrieving, by a network device, machine information
regarding the network device. (Tewfik, 184 (EX1004)).
As discussed above relative to limitation [1.3], a POSITA would have
understood that Vargheses device-identifying information describing the network
device corresponds to machine information regarding the network device as
recited in the claim, and that Varghese teaches a fingerprint process for gathering
the machine information. (Tewfik, 185 (EX1004)).
Varghese teaches that its fingerprint stores the gathered device-identifying
information on the user computing device (network device), and the stored device-
identifying information can be retrieved and form part of the device-identifying
55
U.S. Patent 8,838,976
information to be used during a subsequent fingerprint. (EX1006, 8:55-64).
Further, Varghese discloses that during a subsequent fingerprinting, the device-
identifying information captured by the fingerprint process includes a secure,
persistent data token that has been previously stored on the user device, which
may have been stored during the course of a prior identification of this device.
(EX1006, 24:48-60). Therefore, a POSITA would have understood that
Vargheses capture of device-identifying information teaches retrieving, by a
network device, machine information regarding the network device. (Tewfik,
186 (EX1004)).
Thus, Varghese teaches this limitation. (Tewfik, 187 (EX1004)).
[13.3] the machine information comprising at least one user-configurable

parameter and at least one physical non-user-configurable property
of the network device, wherein the at least one physical non-user-
configurable property comprises a carbon and/or silicon
degradation characteristic of a network device component;
The combination of Varghese and Donlin renders this limitation obvious for
the reasons discussed supra relative to limitation [1.4].
[13.4] generating a device identifier based at least in part on the retrieved

machine information; and
limitation [1.5].
56
U.S. Patent 8,838,976
[13.5] transmitting the generated device identifier to an authentication
server.
Varghese discloses transmitting the generated device identifier to an
authentication server. (Tewfik, 190 (EX1004)).
First, as shown in Figure 13A below, Varghese teaches an authentication
server. (Tewfik, 191 (EX1004)). Varghese describes a system including an
authentication server providing device-based authentication services. (Tewfik,
191 (EX1004)). The authentication server may host the actual fraud monitoring,
detection, and authentication processes. (EX1006, 7:19-21). As such, the
authentication server implements the Fraud Analysis and Alert Service (FAAS)
process and the authenticator. (EX1006, 7:19-21; Tewfik, 191 (EX1004)). A
POSITA would have recognized that Vargheses authentication server corresponds
to the claimed authentication server. (Tewfik, 191 (EX1004)).
57
U.S. Patent 8,838,976
EX1006, FIG. 13A (annotated)
Second, Varghese teaches transmitting the generated device identifier to the
authentication server. (Tewfik, 192 (EX1004)). As discussed above relative to
limitations [1.5] and [1.6], Varghese teaches that the fingerprint process uses the
network device to generate a Device ID (device identifier) and store the Device ID
on the network device. (Tewfik, 192 (EX1004)). As shown in Figure 13B below,
Varghese teaches that the Device ID (device identifier) is transmitted from a
network device implementing the fingerprint process to the authentication server
implementing the FAAS process. (Tewfik, 192 (EX1004)). Varghese also
teaches that the FAAS process in the authentication server is invoked with the
Device ID. (EX1006, 8:65-9:4). As such, a POSITA would have understood that
58
U.S. Patent 8,838,976
the device identifier is transmitted from where it is generated (the network device)
to where it is received (the FAAS process in the authentication server). (Tewfik,
192 (EX1004)).
Thus, Varghese teaches this limitation, and claim 13 is unpatentable over the
combination of Varghese and Donlin. (Tewfik, 193, 194 (EX1004)).
VII. CONCLUSION
For the reasons above, Petitioner asks that the Patent Office order an inter
partes review trial for claims 1-2, 5-6, and 13 and then cancel these claims as
unpatentable.
59
U.S. Patent 8,838,976
Respectfully submitted,
July 25, 2017 /David W. OBrien/

David W. OBrien
Counsel for Petitioner
Registration No. 40,107
60
U.S. Patent 8,838,976
VIII. CERTIFICATE OF WORD COUNT
Pursuant to 37 C.F.R. 42.24, the undersigned attorney for the Petitioner,
Unified Patents Inc., declares that the argument section of this Petition has 10,718
words, according to the word count tool in Microsoft Word.
/David W. OBrien/
David W. OBrien
61
U.S. Patent 8,838,976
IN THE UNITED STATES PATENT AND TRADEMARK OFFICE
Unified Patents Inc. Petition for Inter Partes Review

Petitioner
U.S. Patent 8,838,976

CERTIFICATE OF SERVICE
The undersigned certifies, in accordance with 37 C.F.R. 42.105 and 42.6,

that service was made on the Patent Owner as detailed below.
Date of service July 25, 2017
Manner of service FEDERAL EXPRESS
Documents served Petition for Inter Partes Review, including Exhibit List;
Exhibits 1001 through 1008
Persons served Sean Burdick

Dianoosh Salehi
Uniloc USA Inc.
Legacy Town Center
7160 Dallas Parkway
Suite 380
Plano TX 75024
/David W. OBrien/
David W. OBrien
62

Unified Patents Inc. v. Uniloc Luxembourg, S.A., IPR2017-01850 (PTAB Jul. 25, 2017)

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Unified Patents Inc. v. Uniloc Luxembourg, S.A., IPR2017-01850 (PTAB Jul. 25, 2017)

Transféré par

Droits d'auteur :

Formats disponibles

IPR2017-01850 Petition

U.S. Patent 8,838,976

BEFORE THE PATENT TRIAL AND APPEAL BOARD

UNIFIED PATENTS INC.,

UNILOC LUXEMBOURG, S.A.

PETITION FOR INTER PARTES REVIEW OF

I. MANDATORY NOTICES UNDER 37 C.F.R. 42.8 .....................................1

B. Related Matters ..........................................................................................1

C. Lead and Back-up Counsel and Service Information ...............................1

II. CERTIFICATION OF GROUNDS FOR STANDING ....................................2

III. OVERVIEW OF CHALLENGE AND RELIEF REQUESTED ......................2

A. Prior Art Patents and Printed Publications ................................................3

B. Statutory Grounds for Challenges .............................................................3

IV. U.S. Patent 8,838,976 ........................................................................................4

B. Level of Ordinary Skill in the Art .............................................................5

C. Prosecution History ...................................................................................6

D. Priority DateNo Earlier than February 10, 2010 ...................................8

A. data regarding an online profile (claims 1 and 5) ................................11

B. user-configurable parameter and physical non-user-configurable

C. registered user signal (claims 2 and 6) ................................................12

VI. CLAIMS 1-2, 5-6, and 13 ARE UNPATENTABLE ......................................13

4. Reasons to Combine Varghese, Donlin, and Risan ........................17

B. Challenge 2: Claim 13 is obvious under 35 U.S.C. 103 in view of

1. Overview of Varghese and Donlin..................................................54

2. Reasons to Combine Varghese and Donlin ....................................55

VIII.CERTIFICATE OF WORD COUNT..............................................................61

PETITIONERS EXHIBIT LIST

EX1001 U.S. Patent 8,838,976

EX1002 Prosecution File History of U.S. Patent 8,838,976

EX1003 Prosecution File History of U.S. Provisional Appl. 61/151,449

EX1004 Declaration of Dr. Tewfik Under 37 C.F.R. 1.68

EX1005 Curriculum Vitae of Dr. Tewfik

EX1006 U.S. Patent 8,739,278 to Varghese et al. (Varghese)

EX1007 U.S. Patent 7,183,799 to Donlin et al. (Donlin)

EX1008 U.S. Patent 7,426,637 to Risan et al. (Risan)

The real party-in-interest is Unified Patents Inc. (Unified or Petitioner).

According to assignment records, U.S. Patent 8,838,976 (the 976 Patent

(EX1001)) is owned by Uniloc Luxembourg, S.A. of Luxembourg (Uniloc or

District of Texas) (pending).

C. Lead and Back-up Counsel and Service Information

Hong Shi Phone: 512-867-8440

Jonathan Stroud Phone: 650-999-0455

Please address all correspondence to lead and back-up counsel. Petitioner

II. CERTIFICATION OF GROUNDS FOR STANDING

claims on the grounds identified in this Petition.

III. OVERVIEW OF CHALLENGE AND RELIEF REQUESTED

Pursuant to Rules 42.22(a)(1) and 42.104(b)(1)(2), Petitioner challenges

claims 1-2, 5-6, and 13 of the 976 Patent.

The following references are pertinent to the grounds:

1. US Patent 8,739,278 (filed on October 29, 2008; claiming priority to

an application filed on April 28, 2006; published on April 2, 2009;

issued on May 27, 2014) (Varghese (EX1006)), which is prior art

under at least 35 U.S.C. 102(a) and 102(e).1

2. US Patent 7,183,799 (filed on February 25, 2005; published on

February 27, 2007) (Donlin (EX1007)), which is prior art under at

least 35 U.S.C. 102(b).

3. US Patent 7,426,637 (filed on May 21, 2003; published on November

25, 2004) (Risan (EX1008)), which is prior art under at least 35

B. Statutory Grounds for Challenges

This Petition, supported by the declaration of Dr. Tewfik (Tewfik

Declaration or Tewfik (EX1004)), requests cancellation of claims 1-2, 5-6, and

13 under the Challenges listed below:

U.S.C. 103(a) over Varghese in view of Donlin and Risan.

103(a) over Varghese in view of Donlin.