Trusted Knight Corp v. IBM Corp

I. Executive Summary and Procedural Information

• Parties & Counsel:
  • Plaintiff: Trusted Knight Corporation (Delaware)
  • Defendant: International Business Machines Corporation (New York) and Trusteer, Inc. (Delaware)
  • Plaintiff’s Counsel: DLA Piper US (LLP)
• Case Identification: 1:14-cv-01063, D. Del., 08/18/2014
• Venue Allegations: Venue is asserted based on Defendants' alleged continuous and systematic contacts with the District of Delaware, their subjection to personal jurisdiction in the state, and their residency in the district for venue purposes. Trusteer, Inc. is a Delaware corporation.
• Core Dispute: Plaintiff alleges that Defendants’ Trusteer Rapport anti-malware software infringes a patent related to methods for protecting against keyloggers that steal user data from web forms.
• Technical Context: The technology operates in the cybersecurity domain, specifically addressing the theft of sensitive credentials (e.g., passwords, financial data) by malware that targets web browser form submission events.
• Key Procedural History: The complaint notes that Defendant IBM acquired Defendant Trusteer in September 2013.

Case Timeline

Date	Event
2008-04-23	’445 Patent Priority Date
2012-11-20	’445 Patent Issue Date
2013-09-01	IBM acquires Trusteer (approximate date)
2014-08-18	Complaint Filing Date

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 8,316,445 - “System and Method for Protecting Against Malware Utilizing Key Loggers”

• Patent Identification: U.S. Patent No. 8,316,445, “System and Method for Protecting Against Malware Utilizing Key Loggers,” issued November 20, 2012.

The Invention Explained

• Problem Addressed: The patent describes the threat posed by sophisticated malware, particularly "form-grabbing key loggers," which insert themselves into a web browser's processes to capture sensitive user information like passwords and credit card numbers at the moment of submission. These methods can defeat traditional anti-virus software by hooking directly into the browser's Application Programming Interface (API) stack. (’445 Patent, col. 2:30-51).
• The Patented Solution: The invention proposes a software method that intervenes during a web form submission. It operates by detecting the submission event, allowing the user's data to be sent to its intended destination, and then immediately "clearing" the sensitive data from the form fields. This sequence is designed to prevent the form-grabbing malware from capturing the now-cleared data, even if the malware is already active on the system. (’445 Patent, Abstract; col. 8:1-12).
• Technical Importance: The described approach seeks to neutralize the threat without necessarily detecting or removing the malware itself, acting on the assumption that a user's computer may already be compromised. (’445 Patent, col. 4:45-49).

Key Claims at a Glance

• The complaint asserts independent claims 1 and 22, as well as dependent claim 23 (Compl. ¶15).
• Independent Claim 1 recites a software program with a module that includes the following processes:
  • inserting and executing processes at a "zero-ring level" in a browser's API stack;
  • detecting a "browser form submission initiation call event" at the zero-ring level;
  • intercepting data inputs keyed by a user at the zero-ring level; and
  • submitting the keyed-in data to a designated entity while simultaneously "clearing confidential data from intercepted data at the zero-ring level prior to a subsequent transmission."
• Independent Claim 22 recites a software program that includes processes for:
  • inserting an initial hook at the "0-Ring level" that prevents other hooks from inserting there;
  • detecting a browser form submission event;
  • intercepting and encrypting data inputs at the zero-ring level;
  • passing the encrypted data to a "3-ring level";
  • decrypting the data; and
  • submitting the decrypted data to a designated entity.
• The complaint reserves the right to assert additional claims by stating infringement of "at least" the identified claims (Compl. ¶15).

III. The Accused Instrumentality

Product Identification

• The accused instrumentality is the "Trusteer Rapport" product(s) (Compl. ¶9).

Functionality and Market Context

• The complaint describes Trusteer Rapport as "anti-key-logging software that protects against malware in a variety of applications" and notes it can be installed on platforms including Windows, Mac OS, and Virtual Desktops (Compl. ¶9).
• The complaint alleges that Defendants compete with the Plaintiff in the "anti-crimeware and advanced fraud solutions industry" (Compl. ¶11). The complaint does not provide further technical detail on the specific operational mechanism of the accused software.
• No probative visual evidence provided in complaint.

IV. Analysis of Infringement Allegations

The complaint provides a general allegation of infringement without a detailed claim chart or element-by-element analysis. The following table summarizes the infringement theory for the lead independent claim as implied by the complaint's allegations.

’445 Patent Infringement Allegations

Claim Element (from Independent Claim 1)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
a software module that inserts and executes predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser	The complaint alleges that the Trusteer Rapport product is a software module that embodies the claimed invention.	¶9, ¶15	col. 11:36-41
a process of detecting a browser form submission initiation call event at the zero-ring level	The complaint alleges that the Trusteer Rapport product performs the functions of the claimed invention.	¶9, ¶15	col. 11:65-67
a process of intercepting data inputs keyed in by a user at the zero-ring level	The complaint alleges that the Trusteer Rapport product performs the functions of the claimed invention.	¶9, ¶15	col. 12:2-3
a process of (1) submitting the keyed-in data to a designated entity through the API stack while (2) clearing confidential data from intercepted data at the zero-ring level	The complaint alleges that the Trusteer Rapport product performs the functions of the claimed invention.	¶9, ¶15	col. 12:6-12

• Identified Points of Contention:
  • Technical Questions: A primary question for the court will be an evidentiary one: what is the precise mechanism by which Trusteer Rapport protects user data? The complaint does not specify whether the accused product operates at the "zero-ring level" or if it performs the specific "clearing" step as required by Claim 1. The infringement analysis will depend on evidence demonstrating how the accused product actually functions.
  • Scope Questions: The dispute may raise the question of whether Trusteer Rapport's method of protection, whatever it may be, falls within the scope of the patent's claims. For example, does the accused product's method of rendering data inaccessible to malware meet the specific "clearing" limitation of Claim 1?

V. Key Claim Terms for Construction

• The Term: "zero-ring level"

  • Context and Importance: This term appears in both asserted independent claims and defines the software's operational privilege within the computer's architecture. Infringement will depend on whether the accused Trusteer Rapport software is shown to operate at this specific kernel level.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification describes the "Ring 0 API" as "the level with the most privileges" that "interacts most directly with the physical hardware," which could support an interpretation covering any kernel-level operation (col. 13:38-41).
    • Evidence for a Narrower Interpretation: Claim 22 requires "inserting an initial hook which works within the 0-Ring level," and figures illustrate this level as the "Hardware Driver" layer, which might support a narrower construction limited to a specific type of kernel hook or driver-level interaction (’445 Patent, Fig. 3; col. 14:64-67).

• The Term: "clearing confidential data"

  • Context and Importance: This limitation from Claim 1 describes the core protective action. The outcome of the case may turn on whether this term is construed to require a literal deletion of data or if it can encompass other protective techniques.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: A party could argue the term should be understood functionally to mean any process that renders the data inaccessible to malware after submission.
    • Evidence for a Narrower Interpretation: The detailed description provides specific examples, such as a process that "clears all password fields" and "clears the elements with the tag='INPUT' and type='PASSWORD'," suggesting a specific action of removing the character data from the web form's input fields (col. 8:17-19, 8:26-28).

VI. Other Allegations

• Indirect Infringement: The complaint alleges both induced and contributory infringement. Inducement is based on allegations that Defendants distribute Trusteer Rapport with infringing features enabled by default and provide instructions to customers and end-users on how to operate the software in an infringing manner (Compl. ¶18). Contributory infringement is based on allegations that Trusteer Rapport is especially made for infringement and is not a staple article of commerce suitable for substantial noninfringing use (Compl. ¶16, ¶19).
• Willful Infringement: The complaint alleges that Defendants had knowledge of the ’445 patent at least as of the date of the complaint's filing (Compl. ¶17). This allegation, coupled with the request for enhanced damages under 35 U.S.C. § 284, forms a basis for a claim of post-filing willful infringement (Compl. p. 6, ¶E).

VII. Analyst’s Conclusion: Key Questions for the Case

• A central issue will be one of operational mapping: does the accused Trusteer Rapport software, which is broadly categorized as "anti-key-logging software," implement the specific, sequential method recited in the ’445 patent? The resolution will depend on factual evidence detailing whether the product operates at the "zero-ring level" and performs the claimed "clearing" or "encrypt/decrypt" steps.
• The case will also likely turn on a question of definitional scope during claim construction. Specifically, can the term "clearing confidential data" be construed broadly to cover various methods of data protection, or is it limited to the specific embodiment of deleting data from web form fields, as described in the patent's specification? The answer will determine whether alternative security mechanisms potentially used by the accused product can fall within the claim's reach.