DCT

1:19-cv-10735

Kaspersky Lab Inc v. Greater Boston Authentication Solutions LLC

I. Executive Summary and Procedural Information

Parties & Counsel:
- Plaintiff: Kaspersky Lab, Inc. (Massachusetts)
- Defendant: Greater Boston Authentication Solutions, LLC (Massachusetts)
- Plaintiff’s Counsel: MARKUN ZUSMAN FRENIERE COMPTON LLP
Case Identification: 1:19-cv-10735, D. Mass., 04/16/2019
Venue Allegations: Venue is based on both parties having their principal place of business in the District of Massachusetts.
Core Dispute: Plaintiff seeks a declaratory judgment that its software activation systems do not infringe three of Defendant’s expired patents for cryptographic software authorization, preempting a threatened infringement suit.
Technical Context: The technology concerns systems and methods for controlling unauthorized software use post-installation via cryptographic keys tied to user or group information, a foundational concept in Digital Rights Management (DRM).
Key Procedural History: This declaratory judgment action was filed by Kaspersky Lab after GBAS filed, but did not serve, a patent infringement complaint against Kaspersky Lab, which GBAS later voluntarily dismissed. The complaint alleges that all three patents-in-suit expired on December 22, 2017, due to terminal disclaimers filed during prosecution, meaning the dispute is confined to past damages. The complaint also highlights arguments made during the prosecution of the parent patent to narrow claim scope, specifically equating a "user key" with a "digital signature itself."

Case Timeline

Date	Event
1997-12-22	Earliest Priority Date for ’892, ’793, and ’583 Patents
1999-11-09	U.S. Patent No. 5,982,892 Issues
2003-05-20	U.S. Patent No. 6,567,793 Issues
2008-03-18	U.S. Patent No. 7,346,583 Issues
2017-01-01	GBAS allegedly acquired the patents-in-suit (approximated from "in 2017")
2017-12-22	’892, ’583, and ’793 Patents Expire
2018-10-01	GBAS files original complaint against Kaspersky Lab
2018-12-31	GBAS dismisses original complaint without prejudice
2019-04-16	Kaspersky Lab files Complaint for Declaratory Judgment

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 5,982,892 - "SYSTEM AND METHOD FOR REMOTE AUTHORIZATION FOR UNLOCKING ELECTRONIC DATA," issued November 9, 1999

The Invention Explained

Problem Addressed: The patent’s background section describes the vulnerability of distributed software to unauthorized sharing, noting that even unique decryption keys for each user do not protect the software from being copied once it is installed and decrypted on a machine ('892 Patent, col. 1:11-28).
The Patented Solution: The invention proposes a system that provides persistent protection by verifying authorization each time the software is run. A user provides "user identifying information" to a remote "user key generator," which uses a digital signature algorithm to create a "user key" tied to that specific information. An embedded "user key verifier" then validates the relationship between this user key and the user's information to grant access, thereby controlling the software's use mode post-installation ('892 Patent, Abstract; col. 2:32-48). The general process is illustrated in Figure 2A, showing the exchange of information between the user and the software vendor to generate the key.
Technical Importance: The technology provided a model for run-time software license enforcement tied to a specific user, an improvement over one-time installation keys that were insufficient to prevent post-installation piracy.

Key Claims at a Glance

The complaint seeks a declaration of non-infringement of all claims but does not identify specific ones. Representative independent method claim 1 and system claim 8 are central to the technology.

Independent Claim 1 (Method):
- Generating a verification key with a digital signature algorithm.
- Combining the software and verification key into distributable software.
- Inputting user identifying information to a user key generator.
- Converting the user identifying information to a numeric representation.
- Generating a user key using the numeric representation and a digital signature algorithm.
- Verifying a relationship between the user key and the user identifying information to determine an access level.
Independent Claim 8 (System):
- A product key generator for creating a verification key.
- A user key generator that generates a unique user key based on a numeric representation of user identifying information.
- A user key verifier that validates a relationship between the user key and the numeric representation of the user identifying information.
  The complaint does not explicitly reserve the right to address dependent claims.

U.S. Patent No. 6,567,793 - "REMOTE AUTHORIZATION FOR UNLOCKING ELECTRONIC DATA SYSTEM AND METHOD," issued May 20, 2003

The Invention Explained

Problem Addressed: The patent addresses the same software piracy problem as its parent, the ’892 Patent ('793 Patent, col. 1:14-31).
The Patented Solution: This continuation-in-part patent extends the core invention to accommodate licensing for groups of users. It introduces the concept of "group-identifying information" (e.g., a company name) which can be used to generate user keys, allowing the system to manage licenses for an entire organization rather than just a single user ('793 Patent, col. 3:51-64).
Technical Importance: This adaptation broadened the applicability of the run-time verification technology from individual consumer software to the enterprise and site-license market.

Key Claims at a Glance

Representative independent method claim 1 and system claim 8 parallel those in the ’892 patent.

Independent Claim 1 (Method):
- Generating a verification key.
- Combining software and the verification key.
- Inputting group-identifying information to a user key generator.
- Converting the group-identifying information to a numeric representation.
- Generating a user key from the numeric representation.
- Verifying a relationship between the user key and the group-identifying information.
Independent Claim 8 (System):
- A product key generator.
- A user key generator responsive to group-identifying information.
- A user key verifier for validating a relationship between the user key and the group-identifying information.
  The complaint does not explicitly reserve the right to address dependent claims.

Multi-Patent Capsule: U.S. Patent No. 7,346,583

Patent Identification: U.S. Patent No. 7,346,583, "REMOTE AUTHORIZATION FOR UNLOCKING ELECTRONIC DATA SYSTEM AND METHOD," issued March 18, 2008.
Technology Synopsis: As a continuation of the application for the ’793 patent, this patent further refines the software authorization system. It explicitly recites more granular types of identifying information that can be used for verification, such as "batch number, user token, date, or time," enabling more flexible licensing models like time-limited trials or batch-based distribution ('583 Patent, Claim 1).
Asserted Claims: The complaint seeks a declaration against all claims; representative independent claims are 1, 10, 19, and 28.
Accused Features: The complaint alleges that Kaspersky's software activation system does not practice the patented methods for remote authorization (Compl. ¶¶75-78).

III. The Accused Instrumentality

Product Identification

The complaint refers broadly to "Kaspersky Lab's software" and its "software activation" functionality (Compl. ¶¶67, 75).

Functionality and Market Context

The complaint describes the relevant functionality as a system that "uses a root certificate on a customer's computer to verify a digital signature received from Kaspersky Lab" (Compl. ¶76). This process is characterized as a way to verify the authenticity of the software publisher (Kaspersky Lab) itself, rather than to verify the identity of the end-user.
The complaint alleges that this verification of Kaspersky Lab's own signature "does not verify a relationship between the digital signature and user identifying information" (Compl. ¶77). Kaspersky Lab is a major global vendor of cybersecurity software.

IV. Analysis of Infringement Allegations

No probative visual evidence provided in complaint. The following charts summarize Kaspersky Lab's declaratory judgment claims of non-infringement.

’892 Patent Infringement Allegations

Claim Element (from Independent Claim 1)	Alleged Non-Infringing Functionality	Complaint Citation	Patent Citation
inputting user identifying information to a user key generator	Plaintiff alleges its software activation does not involve inputting user-identifying information to a key generator; instead, it verifies a pre-existing signature from the publisher.	¶¶76-77	col. 13:59-61
generating, using the numeric representation, a user key, with the digital signature algorithm	Plaintiff alleges its system does not generate a user-specific key based on user information, but rather verifies a static, publisher-generated digital signature.	¶76	col. 13:65-67
verifying, with the verification key, a relationship between the user key and the user identifying information	Plaintiff alleges its system verifies the authenticity of its own digital signature via a root certificate, a process that does not verify a relationship with any specific end-user's information.	¶¶75, 77	col. 14:1-5

’793 Patent Infringement Allegations

Claim Element (from Independent Claim 1)	Alleged Non-Infringing Functionality	Complaint Citation	Patent Citation
inputting group-identifying information to a user key generator	As described in Section III, Plaintiff alleges its system does not use user- or group-identifying information as an input for its verification process.	¶¶76-77	col. 13:49-51
verifying, with the verification key, a relationship between the user key and the group-identifying information	Plaintiff alleges its publisher signature verification is unrelated to confirming a relationship with group-identifying information as required by the claim.	¶¶75, 77	col. 14:1-5

Identified Points of Contention:
- Scope Questions: Does the claimed step of "verifying... a relationship between the user key and the user identifying information" read on a process where a software publisher uses a root certificate to validate its own digital signature? Kaspersky's position is that it does not.
- Technical Questions: What evidence exists to show that Kaspersky's system links its signature verification to user-specific or group-specific data in the manner described by the patents? The complaint alleges there is a fundamental mismatch in the technical operation being performed.

V. Key Claim Terms for Construction

The Term: "user key"
- Context and Importance: The definition of this term is central to the dispute. Kaspersky alleges that arguments made during prosecution narrowed its meaning, a position that, if accepted, could be dispositive of non-infringement (Compl. ¶¶21, 74). Practitioners may focus on this term because of the explicit allegation of prosecution history estoppel.
- Intrinsic Evidence for a Broader Interpretation: The specification describes the user key as being generated "using a numeric representation(s) of identifying information" and signing keys ('892 Patent, col. 2:35-39). A party could argue it is the unique output of this process, not limited to just the signature component.
- Intrinsic Evidence for a Narrower Interpretation: The complaint alleges that in an amendment and argument filed during prosecution, "the applicant equated the claimed 'user key' with the 'digital signature itself'" (Compl. ¶21). If this is an accurate characterization of the prosecution history, it could represent a clear and unmistakable disavowal of broader claim scope.
The Term: "user identifying information"
- Context and Importance: Kaspersky’s core non-infringement theory rests on its assertion that its system does not use this element (Compl. ¶77). The scope of this term is therefore critical to evaluating the alleged technical mismatch.
- Intrinsic Evidence for a Broader Interpretation: The specification provides non-limiting examples such as a user's name or machine ID but also states that such information "optionally may include licensing information containing terms of permitted use" ('892 Patent, col. 2:38-41). A patentee might argue this covers any data related to the license, even if not personally identifying.
- Intrinsic Evidence for a Narrower Interpretation: The claims and specification consistently link this information to the "user" to generate a "unique user key" ('892 Patent, Claim 8). This may support an interpretation that the information must be specific to the end-user, their computer, or their group, which Kaspersky alleges its publisher-centric verification system does not use (Compl. ¶77).

VI. Other Allegations

The complaint does not contain allegations of indirect or willful infringement. However, it makes several allegations in support of its request for a finding that the case is "exceptional" under 35 U.S.C. § 285, which would entitle Kaspersky Lab to attorney's fees. These include allegations that GBAS has engaged in a "Patent-Monetization Campaign" targeting numerous companies with nuisance-value demands (Compl. ¶¶28-29), and that GBAS sued Kaspersky Lab despite knowing its products do not infringe the patents (Compl. ¶78).

VII. Analyst’s Conclusion: Key Questions for the Case

A core issue will be one of claim construction and estoppel: will the court find that statements made during the prosecution of the parent ’892 patent constitute a clear disavowal of claim scope, thereby limiting the term "user key" to mean the "digital signature itself" as Plaintiff alleges? The resolution of this question may significantly impact the infringement analysis for all three related patents.
A key evidentiary question will be one of technical mechanism: does Plaintiff's software activation process—which it characterizes as using a root certificate to verify its own publisher's signature—perform the same function as the patented method of "verifying a relationship between the user key and the user identifying information"? The case will likely turn on whether these are found to be fundamentally different technical operations or merely different embodiments of the same claimed concept.