DCT
8:19-cv-00158
Uniloc 2017 LLC v. Microsoft Corp
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Uniloc 2017 LLC (Delaware)
- Defendant: Microsoft Corporation (Washington)
- Plaintiff’s Counsel: Feinberg Day Alberti Lim & Belloli LLP
- Case Identification: 8:19-cv-00158, C.D. Cal., 01/28/2019
- Venue Allegations: Venue is alleged to be proper because Defendant has committed acts of infringement in the Central District of California and maintains a regular and established place of business within the district.
- Core Dispute: Plaintiff alleges that Defendant’s Microsoft PlayReady digital rights management (DRM) technology infringes a patent related to managing the trustworthiness and reputation of networked devices.
- Technical Context: The technology addresses the need for networked systems to identify and defend against malicious devices by creating a centralized reputation system based on a device's historical behavior.
- Key Procedural History: The patent-in-suit is a continuation of a prior application that issued as U.S. Patent No. 8,881,273. The complaint alleges that Defendant was put on notice of its infringement by a letter from Plaintiff dated January 2019, forming the basis for a willfulness claim.
Case Timeline
| Date | Event |
|---|---|
| 2011-12-02 | ’485 Patent Priority Date |
| 2016-04-12 | ’485 Patent Issue Date |
| 2019-01-XX | Alleged notice letter sent from Uniloc to Microsoft |
| 2019-01-28 | Complaint Filing Date |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 9,311,485 - “Device Reputation Management”
The Invention Explained
- Problem Addressed: The patent addresses the security challenge posed by a small minority of malicious users who perpetrate a large number of attacks on networked computers, often using a single modified device to obscure their identity. (’485 Patent, col. 1:35-45; col. 2:21-29). The goal is to create a more effective way to stop these unauthorized intrusions. (’485 Patent, col. 1:43-45).
- The Patented Solution: The invention describes a "device reputation server" that acts as a central clearinghouse for attack data. When a server is attacked, it reports the incident along with the "digital fingerprint" of the offending device to the reputation server. The reputation server aggregates these reports from many different sources to assess the trustworthiness of any given device based on its history (e.g., the number, frequency, and severity of attacks). (’485 Patent, Abstract; col. 2:3-9). Other servers can then query this reputation server to decide whether to grant or deny service to a connecting device, thereby proactively preventing attacks based on a device's known malicious history. (’485 Patent, col. 2:9-14).
- Technical Importance: This system creates a distributed defense network where an attack on one server can inform and protect a large number of other servers that have never previously interacted with the malicious device. (’485 Patent, col. 2:9-14).
Key Claims at a Glance
- The complaint asserts infringement of independent claim 1. (Compl. ¶13).
- The essential elements of independent claim 1 (a method claim) are:
- receiving data representing one or more attacks by one or more perpetrating devices;
- receiving a request for a reputation of the subject device through a computer network;
- determining whether the subject device is one of the perpetrating devices;
- retrieving data representing one or more of the attacks that are associated with the subject device;
- quantifying a measure of trustworthiness of the subject device from the data representing one or more of the attacks that are associated with the subject device; and
- sending data representing the measure of trustworthiness of the subject device in response to the request.
- The complaint's prayer for relief seeks a judgment that Microsoft has infringed "one or more claims" of the ’485 patent. (Compl. p. 23 ¶a).
III. The Accused Instrumentality
Product Identification
- The accused instrumentality is Microsoft PlayReady, identified as a content access and protection technology. (Compl. ¶12).
Functionality and Market Context
- Microsoft PlayReady is a digital rights management (DRM) platform used to distribute and protect audio/video content. (Compl. ¶14). The system involves client devices that request content and back-end servers that manage and issue licenses. (Compl. p. 8).
- The complaint alleges that specific security features within PlayReady perform the infringing method. These include "SecureStop," where clients send messages to a "Secure Stop Service" upon playback termination, and "PlayReady Revocation," a process to identify and block clients that have compromised security from receiving new licenses. (Compl. ¶¶14-15, 21). A central "Service Logic" component is alleged to receive license requests and make determinations about whether and how to issue a license based on the device's status. (Compl. ¶17).
- The complaint presents a diagram from Microsoft's documentation illustrating the flow of "Secure Stop Data" from client devices to a "Secure Stop Service," which interacts with a "Service Logic" component. (Compl. p. 5). This diagram depicts a system architecture where client devices report events to a centralized server infrastructure.
IV. Analysis of Infringement Allegations
’485 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| receiving data representing one or more attacks by one or more perpetrating devices; | The "Secure Stop Server" receives "malicious Secure Stop messages (e.g., SecureStop2 messages)" from PlayReady clients, which are alleged to represent attacks. | ¶15 | col. 9:16-19 |
| receiving a request for a reputation of the subject device through a computer network; | The system's "server receives a License Request from the subject device through a computer network." | ¶16 | col. 9:20-22 |
| determining whether the subject device is one of the perpetrating devices; | The "Service Logic" determines if the subject device is a perpetrating device, for example by checking against a revocation list or identifying it via its security history. | ¶19, ¶21 | col. 9:23-25 |
| retrieving data representing one or more of the attacks that are associated with the subject device; | The "Service Logic retrieves data representing one or more attacks by one or more perpetrating devices in the form of malicious Secure Stop ... messages, from the Secure Stop Service server." | ¶22 | col. 9:26-28 |
| quantifying a measure of trustworthiness of the subject device from the data representing one or more of the attacks that are associated with the subject device; | The system quantifiably measures trustworthiness by assessing the "robustness" of SecureStop messages (e.g., "high" or "medium") and considering "the extent to which content is at risk." A table in the complaint shows that a "malicious SecureStop2 message" corresponds to a "High" robustness level. | ¶23-24; p. 19 | col. 9:29-33 |
| sending data representing the measure of trustworthiness of the subject device in response to the request. | Data representing the trustworthiness measure is sent from the License Server to the subject device, resulting in a full, partial, or declined license. The complaint includes a diagram showing a "License response" sent from a server to a client. | ¶25; p. 9 | col. 9:33-36 |
Identified Points of Contention
- Scope Questions: The complaint equates a "License Request" from a client device with the claimed "request for a reputation." (Compl. ¶16). A potential issue is whether a standard service request constitutes the specific reputation query described in the patent, which teaches a system where a server explicitly asks a reputation server about a device's history. (’485 Patent, col. 4:50-53).
- Technical Questions: The complaint characterizes "Secure Stop messages" as "data representing one or more attacks." (Compl. ¶15). However, the cited Microsoft documentation describes these messages as being sent when "media playback stops either at the end," is stopped by the user, or when a session "ends unexpectedly (for example, due to a system or app crash)." (Compl. p. 5). A central question will be whether these events, particularly routine ones like stopping a video, meet the patent's description of an "attack," which the background frames as an "unauthorized intrusion" by a "person with malicious intent." (’485 Patent, col. 1:40-45).
- Technical Questions: The complaint alleges the system "quantifiably measure[s] the trustworthiness" by, for example, assessing the "robustness" of an incoming message as "high" or "medium." (Compl. ¶24). It is an open question whether classifying a single, present event's risk level is the same as the claimed step of quantifying trustworthiness based on a history of past attacks, as the ’485 patent specification describes. (’485 Patent, col. 2:5-9).
V. Key Claim Terms for Construction
The Term: "data representing one or more attacks"
Context and Importance
- The infringement theory hinges on construing "Secure Stop messages" as "attacks." The definition of "attack" will be critical. If an "attack" is limited to malicious, intentional intrusions, the infringement case may be weakened, as the accused feature is also triggered by routine user actions and system crashes.
Intrinsic Evidence for Interpretation
- Evidence for a Broader Interpretation: The patent does not provide an explicit definition of "attack," which a party might argue leaves its meaning open to a broader interpretation that includes any anomalous event or system compromise that puts data at risk.
- Evidence for a Narrower Interpretation: The Background of the Invention repeatedly frames the problem in terms of "security failures" where a "person with malicious intent gains access to resources," suggesting "attack" implies a deliberate, unauthorized intrusion rather than a software bug or normal operation. (’485 Patent, col. 1:40-45).
The Term: "quantifying a measure of trustworthiness"
Context and Importance
- The claim requires a specific action of "quantifying" trustworthiness from historical attack data. Practitioners may focus on this term because the accused system's alleged "quantification" (classifying a message's "robustness" level) may not align with the process described in the patent.
Intrinsic Evidence for Interpretation
- Evidence for a Broader Interpretation: The term "quantifying" is not explicitly defined. A party could argue it encompasses any non-binary assessment, such as assigning a categorical risk level like "high," "medium," or "low," as alleged in the complaint. (Compl. ¶24).
- Evidence for a Narrower Interpretation: The specification suggests a more complex, data-driven calculation: "the device reputation server assesses trustworthiness of a given device based on the number, recency, frequency, and severity, for example, of attacks that have been perpetrated by the given device." (’485 Patent, col. 2:5-9). This language may support a narrower construction requiring a numerical score derived from aggregated historical data, rather than a simple classification of a current event.
VI. Other Allegations
- Indirect Infringement: The complaint alleges inducement of infringement, stating that Microsoft "intentionally instructs its customers to infringe through training videos, demonstrations, brochures, installation and user guides" available on its websites. (Compl. ¶27). Contributory infringement is also alleged on the basis that the accused devices are "especially made or especially adapted for use in infringement." (Compl. ¶28).
- Willful Infringement: Willfulness is alleged based on Microsoft’s continued infringement after receiving a notice letter from Uniloc in January 2019. (Compl. ¶29).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the term "data representing one or more attacks," described in the patent's context of malicious intrusions, be construed to cover the "SecureStop" messages of the accused system, which are also triggered by routine user actions and application crashes?
- A key evidentiary question will be one of functional operation: does Microsoft PlayReady's alleged process of assessing a client's security level or an incoming message's "robustness" perform the specific claimed step of "quantifying a measure of trustworthiness" based on aggregated historical attack data, as described in the patent, or is there a fundamental mismatch in the technical operation?
- A third question concerns the system architecture: does the accused system, where a license server makes a decision based on a client's characteristics, map onto the claimed method, which describes a system where a service provider explicitly queries a separate "device reputation server" to obtain a trustworthiness score?