DCT
1:17-cv-06016
Guyzar LLC v. Nikon Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Guyzar LLC (Texas)
  - Defendant: Nikon Inc. (New York)
  - Plaintiff’s Counsel: Zimmerman Law Group
- Case Identification: 1:17-cv-06016, E.D.N.Y., 10/16/2017
- Venue Allegations: Venue is alleged to be proper because Defendant is subject to personal jurisdiction in the district, has conducted regular business in the district, and certain acts complained of occurred there.
- Core Dispute: Plaintiff alleges that Defendant’s website "Sign In" feature infringes a patent related to a security system for authenticating users and protecting confidential information during internet transactions.
- Technical Context: The technology concerns methods for securing online transactions by separating a user's persistent confidential data from the transient session data used to authorize a purchase, a foundational concern for e-commerce and online account management.
- Key Procedural History: The complaint does not mention any prior litigation, Inter Partes Review (IPR) proceedings, or licensing history related to the patent-in-suit.
Case Timeline
| Date | Event | 
|---|---|
| 1996-12-18 | U.S. Patent No. 5,845,070 Priority Date (Application Filing) | 
| 1998-12-01 | U.S. Patent No. 5,845,070 Issued | 
| 2016-10-17 | Date of Archived Accused "Sign In" Webpage | 
| 2017-10-16 | Complaint Filed | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 5,845,070 - "Security System for Internet Provider Transaction"
The Invention Explained
- Problem Addressed: The patent addresses the risk of a user’s confidential information (e.g., credit card details, social security numbers) being misappropriated during online transactions in the early commercial internet era. The patent notes that simply accessing a system with a personal ID and password exposes this sensitive data to potential theft. (’070 Patent, col. 1:18-30).
- The Patented Solution: The invention proposes a multi-component "tracking and authentication module" to solve this problem. A user logs in with a "first data set" (ID/password), which is validated by an "authentication server." Upon validation, the system issues a temporary "second data set" (described as a "framed IP address") valid only for that session. When a transaction is initiated with an online merchant ("Internet Entity"), this second data set is submitted to a "certification server" to authorize the transaction. This process allows the system to tie the transaction to the user's confidential financial data stored in a secure database without ever exposing that confidential data outside the secure module. (’070 Patent, Abstract; col. 2:1-59). The system's architecture is depicted in Figure 3.
- Technical Importance: This method provided a framework for isolating persistent, high-value confidential data from the transient data used to authorize a single online session, aiming to enhance security for the then-nascent field of e-commerce. (’070 Patent, col. 1:5-11).
Key Claims at a Glance
- The complaint asserts infringement of at least Claim 1. (Compl. ¶11, ¶21).
- Independent Claim 1 requires a method comprising the following essential elements:
  - Accessing the internet by a user entering a "first data set" into a controller.
  - Establishing a "data base" with confidential information authenticated by the first data set.
  - Submitting the first data set to a "tracking and authentication control module" which includes the database, an "authentication server," and a "certification server."
  - "Comparing" the first data set with the ID and password in the database via the authentication server.
  - "Issuing a second data set" in real time from the authentication server after a successful match.
  - "Submitting the second data set to the certification server" to initiate a transaction.
  - "Consummating the transaction" based on validation of the second data set, which ties the confidential information in the database to the user without disclosing it.
III. The Accused Instrumentality
Product Identification
The accused instrumentality is the "Sign In" feature on Defendant's website, located at secure.nikonsso.com. (Compl. ¶13).
Functionality and Market Context
The complaint alleges this feature authenticates a user's confidential information to enable internet transactions between a log-in and log-out session. (Compl. ¶13). It is alleged to utilize the "OAuth open standard" to perform this authentication. (Compl. ¶13). The complaint includes a screenshot of the sign-in page, which shows options for a user to log in via email and password or by using third-party credentials from Facebook or Google. (Compl. p. 4). This feature is presented as being essential for users to access their accounts or make purchases on Defendant's website. (Compl. ¶27).
IV. Analysis of Infringement Allegations
’070 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| accessing the Internet by the user entering a first data set into a computer based controller to control modems and communication protocols; | A user accesses the internet by entering a "first data set," such as third-party log-in credentials, into a controller. | ¶14 | col. 21:12-15 | 
| establishing a data base containing confidential information subject to authentication with a user's first data set; | The OAuth standard is used to establish a database containing a user's confidential information (e.g., address, email, profile) subject to authentication with the first data set. | ¶15 | col. 21:16-18 | 
| submitting said first data set to a tracking and authentication control module requesting authentication of the user, said tracking and authentication control module including a data base... an authentication server... and a certification server... approved for conducting internet transaction; | The OAuth standard is implemented to submit the first data set to a module including a dedicated "Authorization Server" (the authentication server), a "Resource Server" (containing the database), and a certification server. | ¶16 | col. 21:19-28 | 
| comparing the user's first data set input to the authentication server incident to accessing the internet with the I.D. and password in the data base and subject to a validating match; | The OAuth standard is implemented to compare the user's first data set input with the I.D. and password in the database to find a validating match. | ¶17 | col. 21:29-33 | 
| issuing a second data set in real time by the authentication server subject to a validation match of the I.D. and password with the data in the database usable for the instant transaction; | The OAuth standard is implemented to issue a "second data set," described as an "Access Token and Authorization Code," responsive to a successful validation. | ¶18 | col. 21:34-38 | 
| submitting the second data set to the certification server upon the initiation of a transaction by the user; | The OAuth standard is implemented to submit the second data set (Access Token) to the certification server (Resource Server) to validate its authenticity before allowing website access to user information. | ¶19 | col. 21:39-41 | 
| consummating the transaction subject to validation of the second data set by tying the confidential information in the data base to the user whereby the confidential information is retained undisclosed in the data base. | The OAuth standard is implemented to consummate a transaction using third-party credentials, where validation of the second data set ties the confidential information in the database to the user while keeping it undisclosed. | ¶20 | col. 21:42-47 | 
Identified Points of Contention
- Scope Questions: The core of the dispute will likely involve translating the terminology of the 1996-era patent to the modern OAuth standard. A primary question is whether the components of an OAuth implementation (e.g., "Authorization Server," "Resource Server") can be considered to meet the limitations of the claimed "tracking and authentication control module" with its distinct "authentication server" and "certification server."
- Technical Questions: The complaint makes conclusory allegations that the accused system "implements the OAuth standard" to perform the claimed steps. A key factual question will be what evidence shows that the "Access Token and Authorization Code" functions as the claimed "second data set" (e.g., a session-specific "framed-IP-address") for the purpose of "tying the confidential information... to the user" in the specific manner required by the claim.
V. Key Claim Terms for Construction
"tracking and authentication control module"
- Context and Importance: This term defines the overall system architecture. Its construction is critical because the infringement case depends on mapping the allegedly distributed components of the OAuth standard onto this single, encompassing term from the patent.
- Intrinsic Evidence for a Broader Interpretation: The specification describes the module functionally as "comprising a certification server, an authentication server and a database each performing a validation function." (’070 Patent, col. 2:6-10). This may support an argument that any system containing these functional parts, regardless of how they are named or integrated, falls within the claim scope.
- Intrinsic Evidence for a Narrower Interpretation: Figure 3 depicts the module (50) as an overarching system containing structurally distinct components: the database (52), authentication server (53), and certification server (54). This could support an argument that the claim requires this specific, separated architecture, not a different one that merely performs analogous functions.
"second data set"
- Context and Importance: The complaint alleges this element is met by an "Access Token and Authorization Code" issued by OAuth. (Compl. ¶18). The viability of this assertion depends on whether this modern token is legally and technically equivalent to the "second data set" envisioned by the inventors.
- Intrinsic Evidence for a Broader Interpretation: The specification includes explicit broadening language, stating the second data set "can comprise any form of alpha or numeric data and it is intended that it not be limited to an address form." (’070 Patent, col. 3:30-33). This language directly supports interpreting the term to cover more than just the primary embodiment.
- Intrinsic Evidence for a Narrower Interpretation: The patent's abstract, claims, and detailed description repeatedly identify the primary embodiment of the "second data set" as a "framed IP address" issued by a Point of Presence (POP) for a specific session. (’070 Patent, Abstract; col. 2:4-6; Claim 2). An argument could be made that the invention is fundamentally tied to this specific networking concept of the 1990s and that an OAuth token serves a different technical purpose.
VI. Other Allegations
- Indirect Infringement: The complaint does not use the terms "inducement" or "contributory infringement." However, it alleges that Defendant enables infringement by its end-users and that such infringement is "attributable to Defendant" because the service is unavailable unless users perform the claimed steps. (Compl. ¶22-23, ¶27). This lays a factual predicate for a potential divided infringement or inducement theory.
- Willful Infringement: Willfulness is alleged based on Defendant’s knowledge of the ’070 patent "at least as of the service of the present complaint." (Compl. ¶26). This allegation supports a claim for enhanced damages based only on post-filing conduct. (Compl., Prayer for Relief ¶d).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of technological translation: can the specific, multi-part server architecture described in the 1998 patent (a "tracking and authentication control module" with distinct "authentication" and "certification" servers) be construed to read on the components of the modern, and allegedly implemented, OAuth standard (e.g., "Authorization Server," "Resource Server")?
- A key evidentiary question will be one of functional equivalency: does the accused "Access Token" generated by the OAuth protocol perform the same function, in the same way, to achieve the same result as the patent's "second data set" (primarily described as a "framed-IP-address")? The case may turn on whether the accused system "ties" a user to their confidential data in the specific manner recited by the final limitation of Claim 1.