DCT
1:20-cv-00371
Finjan LLC v. Trustwave Holdings Inc
Key Events
Complaint
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Finjan, Inc. (Delaware)
- Defendant: Trustwave Holdings, Inc. (Delaware) and Singapore Telecommunications Limited (Singapore)
- Plaintiff’s Counsel: Shaw Keller LLP; White & Case LLP (Of Counsel)
- Case Identification: 1:20-cv-00371, D. Del., 03/16/2020
- Venue Allegations: Venue is alleged to be proper in Delaware based on Defendant Trustwave’s incorporation in the state and Defendant Singtel’s alleged business activities and control over its Delaware-based subsidiaries.
- Core Dispute: Plaintiff alleges that Defendants’ cybersecurity products, including their Secure Web and Email Gateways, infringe a patent related to methods for inspecting dynamically generated malicious code.
- Technical Context: The lawsuit concerns network security technology designed to protect client computers from malicious code, particularly threats that are generated at run-time (e.g., by scripts in a web page) after initial content has been delivered.
- Key Procedural History: The complaint notes that the asserted patent has a significant litigation history. It alleges the patent has successfully survived seven Inter Partes Review (IPR) petitions at the USPTO, with four resulting in upheld claims. The complaint also references a prior district court case (N.D. Cal.) where Claim 1 was found not invalid and directly infringed, and a pending case in Delaware where a claim construction order has been issued. This history suggests that certain validity and claim construction issues may have been previously litigated.
Case Timeline
| Date | Event |
|---|---|
| 2005-12-12 | ’154 Patent Priority Date |
| 2009-01-01 | M86 Security and Finjan enter into a license agreement (approximate) |
| 2012-01-01 | Trustwave acquires M86 Security (approximate) |
| 2012-01-01 | Trustwave and Finjan amend license agreement (approximate) |
| 2012-03-20 | ’154 Patent Issue Date |
| 2013-12-01 | ’154 Patent posted on Finjan's website |
| 2015-06-01 | Finjan Mobile releases first Secure Browser product (approximate) |
| 2015-08-31 | Singtel purchases Trustwave (approximate) |
| 2015-11-01 | Finjan allegedly notifies Trustwave of the ’154 Patent |
| 2016-10-01 | Finjan Mobile releases Gen3 VitalSecurity™ Browser (approximate) |
| 2019-12-23 | Finjan allegedly provides Trustwave with an infringement proof chart |
| 2020-03-16 | Complaint Filing Date |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 8,141,154 - SYSTEM AND METHOD FOR INSPECTING DYNAMICALLY GENERATED EXECUTABLE CODE
- Patent Identification: U.S. Patent No. 8,141,154, "SYSTEM AND METHOD FOR INSPECTING DYNAMICALLY GENERATED EXECUTABLE CODE," issued March 20, 2012.
The Invention Explained
- Problem Addressed: The patent describes a vulnerability in computer security where malicious code is not present in the initially delivered content but is instead generated "on the fly at runtime" by other scripts (e.g., JavaScript). This "dynamically generated" malicious code could evade conventional gateway-level security scanners that only inspect content as it is first downloaded. (’154 Patent, col. 3:28-4:27).
- The Patented Solution: The invention proposes a system where, before content is sent to a client computer, calls to certain functions (e.g., "document.write()") are replaced with "substitute functions." When the client's browser later executes the content and encounters one of these substitute functions, it does not immediately perform the original action. Instead, the substitute function transmits the input for the original function (which may now contain the dynamically generated malicious code) to a separate "security computer" for inspection. The client computer suspends processing and waits for an "indicator" from the security computer. Only if the indicator signals that the input is safe will the client computer invoke the original function. (’154 Patent, Abstract; col. 10:5-11:13).
- Technical Importance: This architecture allows for the security analysis of run-time generated content to be offloaded to a remote, managed security computer, avoiding the need to install and maintain complex security software on the end-user's machine and protecting against threats that conventional static analysis would miss. (’154 Patent, col. 5:1-3).
Key Claims at a Glance
- The complaint asserts independent Claim 1. (Compl. ¶34).
- The essential elements of Claim 1 (a system claim) are:
- A "content processor" for (i) processing content that includes a call to a "first function" with an "input", and (ii) for invoking a "second function" with the "input" only if a security computer indicates it is safe.
- A "transmitter" for sending the "input" to the security computer for inspection when the "first function" is invoked.
- A "receiver" for getting an indicator from the security computer about whether it is safe to invoke the "second function".
- The complaint reserves the right to assert other patent claims. (Compl. ¶30).
III. The Accused Instrumentality
Product Identification
- The Trustwave Secure Web Gateway and Trustwave Secure Email Gateway ("Accused Products"). (Compl. ¶30).
Functionality and Market Context
- The complaint alleges the Accused Products function as a security layer for corporate networks. The Trustwave Secure Email Gateway, for example, is described as scanning inbound email messages and rewriting URL links within them before delivery to the user. (Compl. ¶41; Exhibit H). When a user clicks a rewritten link, their request is first directed to a Trustwave "Link Validator" cloud service. (Compl. ¶41; Exhibit H). This service performs a real-time analysis to determine if the destination URL is safe or malicious. (Compl. ¶40; Exhibit G). Based on this validation, the user is either redirected to the original website or shown a warning page. (Compl. ¶42; Exhibit H).
- The complaint alleges these products are central to Defendants' cybersecurity offerings, which were consolidated under the Trustwave brand following Singtel's acquisition. (Compl. ¶¶22-23).
IV. Analysis of Infringement Allegations
’154 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a content processor (i) for processing content received over a network, the content including a call to a first function, and the call including an input, and (ii) for invoking a second function with the input, only if a security computer indicates that such invocation is safe | The complaint alleges the Accused Products process content (e.g., an email) containing a URL. Clicking this rewritten URL is alleged to be the "call to a first function." The system later invokes a "second function" (redirecting to the original URL) only if the Trustwave Link Validator indicates it is safe. | ¶40, ¶42 | col. 7:21-27 |
| a transmitter for transmitting the input to the security computer for inspection, when the first function is invoked | When a user clicks the rewritten link (invoking the alleged "first function"), the browser transmits the original URL (the "input") to the Trustwave Link Validator cloud service (the "security computer") for validation. This process is illustrated in a workflow diagram provided in the complaint. (Compl. p. 11). | ¶41 | col. 7:27-30 |
| a receiver for receiving an indicator from the security computer whether it is safe to invoke the second function with the input | The Accused Products are alleged to receive an indicator from the Link Validator. The complaint provides screenshots showing the system displaying a "safe" result before redirecting the user, or an "unsafe" result via a block page, which function as the indicator. (Compl. p. 12-13). | ¶42 | col. 7:30-33 |
Identified Points of Contention
- Scope Questions: A primary question may be whether the term "call to a first function", as used in the patent, can be construed to cover a user clicking on a rewritten URL hyperlink. The patent's specification primarily discusses the replacement of executable function calls within scripts (e.g., JavaScript), raising the question of whether the claim scope extends to rewriting static hyperlinks. (’154 Patent, col. 3:51-4:14).
- Technical Questions: The infringement theory maps distinct user and system actions (clicking a link, server-side validation, browser redirection) to the elements of the claimed system. A technical question will be whether this distributed process, involving a gateway, a cloud service, and a client browser, constitutes the integrated "content processor" contemplated by the claim, which is required to perform both the initial content processing and the subsequent conditional invocation of the second function.
V. Key Claim Terms for Construction
The Term: "a call to a first function"
Context and Importance: The viability of the infringement case hinges on this term's scope. The accused product rewrites URLs in content like emails; infringement is alleged to occur when a user clicks the rewritten link. Practitioners may focus on this term because its construction will determine whether this user action maps to the claimed "function call," which the patent specification exemplifies with executable script commands.
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: Claim 1 itself does not limit the "function" to any particular programming language or type. The term is general, and a party could argue it encompasses any action that triggers a defined process with a given input, such as a hyperlink click initiating a web request.
- Evidence for a Narrower Interpretation: The patent’s background and detailed description consistently frame the problem and solution around "executable code such as scripts within Internet browsers" and provide examples like "document.write()". (’154 Patent, col. 3:33-35, Table II). This context may support a narrower construction limited to programmatic function calls within executable content.
The Term: "content processor"
Context and Importance: This is the central component of the claimed system, and it is required to perform two distinct sub-functions. Practitioners may focus on this term because the infringement allegation requires mapping this single claim element to multiple, distributed components of the accused system (e.g., the Trustwave gateway and the end-user's browser).
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The term is not explicitly defined as a single, co-located unit. A party may argue that a "processor" can be a distributed system of components working in concert to achieve the claimed functions, consistent with modern cloud-based architectures.
- Evidence for a Narrower Interpretation: The patent figures depict the "content processor" as a distinct block within the "client computer". (e.g., ’154 Patent, Fig. 4, element 470). This could support an interpretation that the processor must be a single component or a set of components residing on the client machine, rather than a system distributed between a gateway server and a client.
VI. Other Allegations
- Indirect Infringement: The complaint alleges inducement of infringement based on Defendants allegedly providing customers with instructions, datasheets, whitepapers, and other documentation that encourage and direct the use of the Accused Products in an infringing manner. (Compl. ¶¶50-51).
- Willful Infringement: Willfulness is alleged based on pre-suit knowledge of the ’154 Patent. The complaint specifically alleges that Finjan notified Trustwave of the patent as early as November 1, 2015, and later provided a detailed infringement analysis in a proof chart on December 23, 2019. (Compl. ¶¶31-32, 45).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the term "call to a first function", which the patent describes in the context of substituting executable script commands, be construed broadly enough to read on a user clicking a rewritten URL hyperlink in the accused system? The outcome of this construction will be pivotal for the infringement analysis.
- A second key issue will be one of architectural mapping: does the accused system's distributed architecture—where a gateway rewrites a link, a separate cloud service validates it, and a client browser acts on the result—satisfy the limitations of the claimed "content processor", which is recited as a single element responsible for actions at different stages of the process? The court will need to determine if these disparate parts can collectively be what the patent claims.
- An evidentiary question will center on the history of the patent: how will the extensive IPR proceedings and prior court findings on the ’154 Patent's validity and infringement in a different case influence the current litigation, particularly with respect to claim construction and validity challenges?