1:18-cv-05599
Guyzar LLC v. Nike Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Guyzar LLC (Texas)
  - Defendant: Nike, Inc. (Oregon)
  - Plaintiff’s Counsel: Rabicoff Law LLC
- Case Identification: 1:18-cv-05599, N.D. Ill., 08/16/2018
- Venue Allegations: Plaintiff alleges venue is proper because Defendant maintains a physical location in the district, regularly conducts business there, and certain alleged acts of infringement occurred in the district.
- Core Dispute: Plaintiff alleges that Defendant’s website and mobile app login system, which utilizes the OAuth protocol for third-party authentication (e.g., "Log in with Facebook"), infringes a patent related to methods for securely authenticating users and consummating online transactions.
- Technical Context: The technology concerns secure user authentication for e-commerce, a foundational aspect of the digital marketplace aimed at protecting confidential user data during online interactions.
- Key Procedural History: The complaint does not mention any prior litigation involving the patent-in-suit, any post-grant proceedings before the USPTO, or any prior licensing history.
Case Timeline
| Date | Event |
|---|---|
| 1996-12-18 | ’070 Patent Priority Date |
| 1998-12-01 | ’070 Patent Issued |
| 2012-10-13 | Earliest referenced date for the accused Nike login page |
| 2018-08-16 | Complaint Filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 5,845,070 - "Security System for Internet Provider Transaction," Issued December 1, 1998
The Invention Explained
- Problem Addressed: The patent describes the risk of exposing a user's "Confidential Information," such as credit card details and personal identifiers, to misappropriation when conducting transactions with various entities over the Internet (’070 Patent, col. 1:19-28).
- The Patented Solution: The invention proposes a centralized "tracking and authentication module" to act as an intermediary, shielding a user's sensitive data from the vendor ("Internet Entity"). A user logs in with a "first data set" (e.g., ID and password), and the system issues a temporary "second data set" (described as a "framed IP address") valid only for that session. To complete a purchase, the Internet Entity uses this second data set to query the module, which validates the transaction without ever transmitting the underlying Confidential Information to the vendor (’070 Patent, Abstract; col. 2:1-10; Fig. 3).
- Technical Importance: The described method sought to provide a layer of security by centralizing authentication and decoupling the act of transaction authorization from the exposure of a user's core financial data (’070 Patent, col. 2:56-65).
Key Claims at a Glance
- The complaint asserts infringement of at least Claim 1 (’070 Patent, Compl. ¶14).
- The essential elements of independent Claim 1, a method claim, include:
  - accessing the Internet by a user entering a "first data set" into a computer controller;
  - establishing a database containing confidential information authenticated with the first data set;
  - submitting the first data set to a "tracking and authentication control module" which includes a database, an "authentication server," and a "certification server";
  - comparing the user's first data set to the ID and password in the database for a validating match;
  - issuing a "second data set" in real time from the authentication server for the instant transaction;
  - submitting the second data set to the certification server to initiate a transaction;
  - consummating the transaction based on validation of the second data set, which ties the confidential information to the user while keeping it undisclosed from the transaction partner.
III. The Accused Instrumentality
Product Identification
- The "Accused Instrumentality" is identified as the "Sign In" feature on Nike's website and mobile applications (Compl. ¶14).
Functionality and Market Context
- The complaint focuses on the functionality that allows a user to log into Nike's platform using third-party credentials via the OAuth open standard, such as the "LOG IN WITH FACEBOOK" option (Compl. ¶14). The complaint alleges that this system involves a user (the "resource owner") granting Nike's website (the "client") permission to access protected resources (e.g., profile information) stored on a third-party service like Facebook (the "resource server") without sharing the user's Facebook password with Nike (Compl. ¶14; Figs. 1-2). Instead, an "authorization server" issues an "access token" that Nike uses to request the user's data (Compl. ¶19; Fig. 4). A screenshot of Nike's login page shows a standard email/password form alongside the option to "LOG IN WITH FACEBOOK" (Compl. p. 5, Fig. 3).
IV. Analysis of Infringement Allegations
’070 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| accessing the Internet by the user entering a first data set into a computer based controller to control modems and communication protocols; | A user enters a "first data set," such as third-party log-in credentials, into a device like a smartphone to access the internet and Nike's service. | ¶15 | col. 2:11-13 |
| establishing a data base containing confidential information subject to authentication with a user's first data set; | The OAuth standard is used to access a database (e.g., at Facebook) containing the user's confidential profile information, which is subject to authentication with the user's credentials. | ¶16 | col. 2:21-23 |
| submitting said first data set to a tracking and authentication control module...including a data base...an authentication server...and a certification server... | The OAuth system acts as the claimed module, with a dedicated "Authorization Server" that requests authentication and includes a database of user information. | ¶17 | col. 2:5-10 |
| comparing the user's first data set input to the authentication server...with the I.D. and password in the data base and subject to a validating match; | The OAuth standard compares the user's entered credentials at the authentication server (e.g., Facebook's login prompt) with the stored credentials for validation. | ¶18 | col. 2:28-30 |
| issuing a second data set in real time by the authentication server subject to a validation match...usable for the instant transaction; | The OAuth protocol issues a "second data set," identified as an "Access Token and Authorization Code," after a successful validation. | ¶19 | col. 2:30-31 |
| submitting the second data set to the certification server upon the initiation of the transaction by the user; | The complaint alleges the OAuth "Resource Server" serves the certification purpose and receives the "second data set" (Access Token) to initiate access to confidential information. | ¶20 | col. 2:36-39 |
| consummating the transaction subject to validation of the second data set by tying the confidential information in the data base to the user whereby the confidential information is retained undisclosed in the data base. | The transaction (accessing user profile data) is completed after the Resource Server validates the Access Token, with the user's credentials (e.g., Facebook password) remaining undisclosed to Nike. | ¶21 | col. 6:3-7 |
- Identified Points of Contention:
  - Scope Questions: The complaint's theory appears to equate the "second data set" from the patent with an "Access Token" from the OAuth protocol. A central dispute may arise over whether the patent’s claims, which describe the second data set as a "framed-IP-address" in a dependent claim and the abstract, can be construed broadly enough to read on a modern OAuth access token, which serves a function of delegated authorization rather than network addressing (’070 Patent, Claim 2; Compl. ¶19).
  - Technical Questions: Claim 1 recites a "tracking and authentication control module" comprising three components: a "data base", an "authentication server", and a "certification server". The complaint maps the OAuth architecture onto this structure by alleging the "Resource Server" serves the "certification" function (Compl. ¶¶17, 20). A technical question is whether the function of an OAuth Resource Server (serving protected data upon request with a valid token) is equivalent to the claimed function of a "certification server" (containing "validation data for authenticating an internet entity approved for conducting internet transaction") (’070 Patent, col. 2:45-49). The complaint uses a diagram of the OAuth 2.0 protocol flow to illustrate the interaction between the client, resource owner, authorization server, and resource server (Compl. p. 7, Fig. 5).
V. Key Claim Terms for Construction
The Term: "tracking and authentication control module"
- Context and Importance: This term defines the core architecture of the invention. The infringement case depends on whether the distributed, multi-entity architecture of the accused OAuth system can be mapped onto this single, integrated module as claimed. Practitioners may focus on this term because the patent appears to describe a unified system under the control of one party (the Internet Service Provider), whereas the accused OAuth system involves distinct entities (e.g., Nike as the client, Facebook as the authorization/resource server).
- Intrinsic Evidence for a Broader Interpretation: The patent describes the module's components by their function. Plaintiff may argue that any collection of software or hardware components that collectively perform the functions of authentication and certification, regardless of their physical location or ownership, falls within the scope of the term (’070 Patent, col. 2:5-10).
- Intrinsic Evidence for a Narrower Interpretation: The patent’s Figure 3 depicts the database (52), authentication server (53), and certification server (54) as components of a single, overarching module (50), which could suggest a requirement for a more tightly integrated system than the one alleged to infringe (’070 Patent, Fig. 3).
The Term: "certification server"
- Context and Importance: The complaint maps the OAuth "Resource Server" to this claim element. The definition is critical because the primary role of a Resource Server in OAuth is to host protected data, while the patent defines the "certification server" as "containing validation data for authenticating an internet entity" (’070 Patent, col. 2:25-27).
- Intrinsic Evidence for a Broader Interpretation: A party could argue that by validating the access token presented by the client (Nike), the Resource Server is implicitly "authenticating" the "internet entity" as authorized for that specific transaction, thus meeting the functional requirement of the claim.
- Intrinsic Evidence for a Narrower Interpretation: The patent specifies that the certification server's purpose is to authenticate the entity itself as "approved for conducting internet transaction," suggesting a pre-approval or registration function, which may differ from the per-transaction token validation performed by an OAuth Resource Server (’070 Patent, col. 2:45-49).
VI. Other Allegations
- Indirect Infringement: The complaint alleges that Nike "conditions end-users' use" of the login feature on the performance of the claimed method steps and "establishes the manner or timing" of that performance (Compl. ¶¶23-24). These allegations appear to form the basis for a claim of induced infringement, asserting that Nike provides the means (its website) and instructs users to perform the infringing method.
- Willful Infringement: The complaint alleges that Defendant has had knowledge of its infringement "at least as of the service of the present complaint" (Compl. ¶27). This allegation supports a claim for post-filing willfulness but does not plead facts suggesting pre-suit knowledge of the patent or the alleged infringement.
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of technological translation and scope: Can the claim terms of a 1996-filed patent, written in the context of dial-up "Points of Presence" and session-specific "framed IP addresses," be properly construed to cover the modern, standardized OAuth 2.0 protocol, which uses "access tokens" for delegated authorization between distinct internet services?
- A key question of component mapping will likely arise: Does the distributed architecture of the accused OAuth system—involving a client application (Nike), an authorization server (Facebook), and a resource server (Facebook)—satisfy the patent's requirement for a single "tracking and authentication control module" that contains both an "authentication server" and a distinct "certification server" whose recited function is to authenticate the vendor entity itself?