DCT
1:23-cv-01467
Arkose Labs Holdings Inc v. DataDome
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Arkose Labs Holdings, Inc. and Arkose Labs, Inc. (Delaware)
  - Defendant: DataDome (France) and DataDome Solutions, Inc. (Delaware)
  - Plaintiff’s Counsel: Womble Bond Dickinson (US) LLP
 
- Case Identification: Arkose Labs Holdings, Inc. v. DataDome, 1:23-cv-01467, D. Del., 03/14/2024
- Venue Allegations: Plaintiff alleges venue is proper in the District of Delaware because Defendant DataDome Solutions, Inc. is a Delaware corporation and has allegedly committed acts of infringement in the district.
- Core Dispute: Plaintiff alleges that Defendant’s suite of bot detection, fraud prevention, and CAPTCHA products infringes six U.S. patents related to user verification, behavioral analysis, and machine learning-based anomaly detection.
- Technical Context: The technology at issue addresses methods for distinguishing legitimate human users from automated bots online, a critical function for preventing fraud, securing user accounts, and maintaining website integrity.
- Key Procedural History: The complaint alleges that Defendant was on notice of the asserted patents prior to the lawsuit, with notice dates ranging from October 2022 to August 2023. These allegations of pre-suit knowledge form the basis for the claim of willful infringement.
Case Timeline
| Date | Event | 
|---|---|
| 2001-07-09 | Earliest Priority Date for ’510 and ’427 Patents | 
| 2008-05-13 | ’510 Patent Issued | 
| 2015-08-31 | Earliest Priority Date for ’049 and ’232 Patents | 
| 2015-09-04 | Earliest Priority Date for ’954 and ’330 Patents | 
| 2015-09-29 | ’427 Patent Issued | 
| 2018-09-25 | ’954 Patent Issued | 
| 2018-12-04 | ’049 Patent Issued | 
| 2020-03-23 | ’330 Patent Issued | 
| 2022-01-18 | ’232 Patent Issued | 
| 2022-10-06 | Alleged Notice of ’954 and ’330 Patents to Defendant | 
| 2023-03-01 | Alleged Notice of ’427 Patent to Defendant | 
| 2023-08-08 | Alleged Notice of ’510, ’049, and ’232 Patents to Defendant | 
| 2024-03-14 | Complaint Filed | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,373,510 - "System and Method for Implementing a Robot Proof Web Site," Issued May 13, 2008
- The Invention Explained:
  - Problem Addressed: The patent describes the technical challenge of deterring automated bots from accessing websites without simultaneously deterring legitimate human users by forcing them to complete a cumbersome registration process (Compl. ¶49; ’510 Patent, col. 1:16-2:20).
  - The Patented Solution: The invention proposes a method where a website, upon receiving an initial request from an unknown user (an "undefined originator"), responds with a welcome page containing a challenge. Based on the user's response to the challenge, the system determines whether the user is human or a bot and accordingly grants or denies further access, avoiding the need for pre-registration (Compl. ¶49; ’510 Patent, col. 2:24-32). The patent also details specific follow-on steps for handling failed challenges, such as logging the user's IP address and starting a timer to temporarily block subsequent requests from that address.
  - Technical Importance: This approach provided a technical solution to reduce website friction for human users while maintaining a barrier against automated scripts at a time when bot activity was a growing concern.
 
- Key Claims at a Glance:
  - The complaint asserts independent method Claim 1 and independent computer process Claim 20 (Compl. ¶47).
  - Claim 1 recites the essential elements of:
    - Receiving an initial request from an "undefined originator" and responding with a challenge.
    - Receiving a response and checking if the challenge is fulfilled.
    - If fulfilled, processing further requests.
    - If not fulfilled, stopping further requests, which includes the further specific steps of: dropping or redirecting the TCP connection, logging the source IP address, starting a timer, and upon a new request from that IP, checking if the timer has expired before proceeding.
  - The complaint alleges infringement of "one or more claims," reserving the right to assert others (Compl. ¶47).
 
U.S. Patent No. 9,148,427 - "System and Method for Implementing a Robot Proof Web Site," Issued September 29, 2015
- The Invention Explained:
  - Problem Addressed: Similar to its parent ’510 Patent, the ’427 Patent addresses the problem of preventing bot access while not deterring legitimate human users with registration requirements (Compl. ¶61; ’427 Patent, col. 1:23-2:25).
  - The Patented Solution: The invention claims a specific type of challenge-response method. The challenge must include a "plurality of graphical forms" and an "accompanying textual expression describing one of the plurality of graphical forms." The user's response must include an "identification of a location" corresponding to the described graphical form (Compl. ¶60; ’427 Patent, col. 2:46-57). The complaint provides an example of a modern challenge-response test, instructing a user to "Use the arrows to rotate the animal to face in the direction of the hand" (Compl., p. 9).
  - Technical Importance: This patent claims a more specific and potentially more robust form of CAPTCHA technology that relies on a user's ability to connect textual descriptions to graphical elements, a task historically difficult for automated systems.
 
- Key Claims at a Glance:
  - The complaint asserts independent Claims 1 and 11 (Compl. ¶59).
  - Claim 1 recites the essential elements of:
    - Receiving an initial request from an undefined originator.
    - Responding with a challenge that includes multiple graphical forms and a textual description of one of them.
    - Receiving a response that identifies the location of the described graphical form.
  - The complaint alleges infringement of "one or more claims," reserving the right to assert others (Compl. ¶59).
 
Multi-Patent Capsule: U.S. Patent No. 10,082,954 - "Challenge Generation for Verifying Users of Computing Devices," Issued September 25, 2018
- Technology Synopsis: The patent addresses the problem that presenting correct login credentials is not sufficient to verify a user, as credentials can be stolen (Compl. ¶73). The solution is a system that verifies a user by measuring unique characteristics of their physical actions (e.g., mouse movements, touch gestures) and comparing them to a stored profile for that user (Compl. ¶73).
- Asserted Claims: Independent Claim 1 (Compl. ¶72).
- Accused Features: DataDome's products are accused of infringing by allegedly analyzing "behavioral biometrics" to differentiate human users from bots (Compl. ¶35).
Multi-Patent Capsule: U.S. Patent No. 10,147,049 - "Automatic Generation of Training Data for Anomaly Detection Using Other User's Data Samples," Issued December 4, 2018
- Technology Synopsis: The patent addresses the difficulty of training machine learning (ML) models for anomaly detection when there is a lack of "abnormal" data (Compl. ¶85). The invention provides a method to generate training data by using a target user's own data samples to define a "normal" data set, and using data samples from other users to derive an "abnormal" data set (Compl. ¶84).
- Asserted Claims: Independent Claims 1 and 18 (Compl. ¶83).
- Accused Features: DataDome's products are accused of infringing by allegedly using AI and ML models for bot and fraud detection, which requires the generation and use of training data (Compl. ¶35).
Multi-Patent Capsule: U.S. Patent No. 10,599,330 - "Challenge Generation for Verifying Users of Computing Devices," Issued March 23, 2020
- Technology Synopsis: As a continuation of the ’954 Patent, this patent further details a method for verifying a user by measuring the characteristics of their actions. It involves recording a set of unique "challenge actions" for an authorized user and later prompting a current user to perform one of those actions, measuring the characteristics, and checking for similarity (Compl. ¶96).
- Asserted Claims: Independent Claim 1 (Compl. ¶96).
- Accused Features: DataDome's products are accused of infringing by allegedly using behavioral biometrics and challenge-response systems that rely on user actions (Compl. ¶35, ¶36).
Multi-Patent Capsule: U.S. Patent No. 11,227,232 - "Automatic Generation of Training Data for Anomaly Detection Using Other User's Data Samples," Issued January 18, 2022
- Technology Synopsis: This patent refines the invention of its parent ’049 Patent. It specifies using a "local outlier factor (LOF) function" as the mechanism to generate the "abnormal sample data set" from other users' data for the purpose of training an anomaly detection model for a target user (Compl. ¶108).
- Asserted Claims: Independent Claims 1 and 17 (Compl. ¶107).
- Accused Features: DataDome's AI-powered platform is accused of infringement, which allegedly involves analyzing threats in real-time using ML models that would be trained on such data sets (Compl. ¶35, ¶36).
III. The Accused Instrumentality
- Product Identification: The complaint identifies the "DataDome Accused Products" as DataDome's "suite of online authentication, bot detection, API protection, fraud detection, and CAPTCHA products and services" (Compl. ¶5). A specific service named "Device Check" is also identified as a challenge-response system (Compl. ¶36).
- Functionality and Market Context: The complaint alleges that the Accused Products offer protection from bot and online fraud attacks by "mirror[ing] Arkose" features (Compl. ¶35). This allegedly includes utilizing CAPTCHA technology, monitoring IP addresses, analyzing behavioral biometrics, and employing Artificial Intelligence (AI) (Compl. ¶35). The complaint positions the Accused Products as direct competitors in the cybersecurity and fraud prevention market.
IV. Analysis of Infringement Allegations
The complaint references Exhibits G through L as containing claim charts illustrating how the Accused Products meet the elements of the asserted claims (e.g., Compl. ¶50, ¶62). As these exhibits were not publicly filed with the complaint, a claim chart summary cannot be constructed. The narrative infringement theory is summarized below.
- ’510 Patent Infringement Allegations: The complaint alleges that the Accused Products perform the claimed method by presenting a challenge to an unauthenticated user and then deciding whether to grant or deny access based on the response. The complaint suggests that DataDome's system, when a challenge is failed, implements the claimed steps of stopping requests, which includes logging an IP address and temporarily blocking that address for a set time (Compl. ¶48).
- ’427 Patent Infringement Allegations: The complaint alleges that DataDome's CAPTCHA products directly practice the claimed method by presenting a challenge that includes graphical forms along with a textual instruction (e.g., "select all images with a bus"), and then receiving a response from the user indicating a location on those graphical forms (Compl. ¶60).
- Identified Points of Contention:
  - Scope Questions: A primary question for the older ’510 and ’427 Patents (priority date 2001) may be whether their claim terms can be construed to read on modern technologies. For instance, does an "undefined originator" encompass a user for whom a device fingerprint has already been collected, or does it require complete anonymity? Further, for the ’510 Patent, a dispute may arise over whether DataDome’s system performs the highly specific sequence of "logging a source IP address," "starting a timer," and checking the timer on a subsequent request, as strictly required by Claim 1.
  - Technical Questions: For the later patents (’954, ’049, ’330, and ’232), the dispute may center on the specific technical implementation of DataDome's AI and behavioral biometrics systems. A key question will be whether the complaint provides sufficient evidence that DataDome's systems practice the specific claimed methods, such as using a "local outlier factor (LOF) function" (’232 Patent) to generate training data from other users' samples, as opposed to other known ML techniques.
 
V. Key Claim Terms for Construction
- For the ’510 Patent:
  - The Term: "undefined originator" (from Claim 1)
  - Context and Importance: The scope of this term is fundamental to determining when the claimed method is triggered. Its construction will determine whether the method applies only to first-time, anonymous visitors or more broadly to any unauthenticated user session, which is critical in the context of modern web traffic where cookies and device fingerprints are pervasive.
  - Intrinsic Evidence for Interpretation:
    - Evidence for a Broader Interpretation: The patent's background contrasts its method with systems requiring user "registration" (e.g., ’510 Patent, col. 1:16-2:20), which may suggest "undefined" means "not formally registered or logged in."
    - Evidence for a Narrower Interpretation: A defendant may argue that in an environment of pervasive data collection (IP address, browser headers), no originator is truly "undefined," potentially limiting the claim's applicability.
 
 
- For the ’427 Patent:
  - The Term: "an accompanying textual expression describing one of the plurality of graphical forms" (from Claim 1)
  - Context and Importance: This term defines the specific nature of the CAPTCHA challenge. Practitioners may focus on this term because its interpretation will distinguish the claimed invention from generic CAPTCHAs that might simply say "Prove you are human." Infringement will depend on whether the accused CAPTCHA provides a textual instruction that describes the content of a graphical form.
  - Intrinsic Evidence for Interpretation:
    - Evidence for a Broader Interpretation: The specification's Figure 1 shows the simple instruction "To Enter This Site Please, Click on Cross," which may support a broad reading where a simple identification instruction suffices.
    - Evidence for a Narrower Interpretation: The specification also includes an example asking a user to identify the "tallest" person in an image (Fig. 5-a), which requires semantic understanding of the image content. This could support a narrower construction requiring the text to relate to the substance of the graphic, not just its identity.
 
 
VI. Other Allegations
- Indirect Infringement: The complaint alleges inducement of infringement for all asserted patents, stating that DataDome configures the Accused Products for its customers and encourages them to use the products in a manner that DataDome knows would infringe (e.g., Compl. ¶51, ¶63).
- Willful Infringement: Willfulness is alleged for all asserted patents. The complaint bases this on alleged pre-suit knowledge, citing specific dates on which Arkose allegedly notified DataDome of the patents, as well as on continued infringement after the filing of the complaint (Compl. ¶37, ¶54, ¶66).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of temporal scope: can claim terms drafted for the web of the early 2000s, such as "undefined originator" and a specific, timed IP-blocking sequence, be construed to cover modern, data-rich security platforms that employ persistent tracking, device fingerprinting, and dynamic threat response?
- A second central conflict will likely be one of technical proof: in the absence of public claim charts, a key evidentiary question is what discovery will reveal about the inner workings of DataDome's AI platform. Does it, as alleged, use the specific patented methods of generating ML training data by employing a "local outlier factor" function on other users' data, or does it rely on different, non-infringing machine learning architectures?
- Finally, the case presents a significant question of willful conduct: given the complaint’s specific allegations of pre-suit notice, the dispute may focus heavily on whether Defendant’s actions after being notified were objectively reckless. This will be a critical factor in determining the potential for enhanced damages if infringement is found.