2:17-cv-00058
Guyzar LLC v. Zazzle Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Guyzar LLC (Texas)
  - Defendant: Zazzle, Inc. (California)
  - Plaintiff’s Counsel: Ferraiuoli LLC
- Case Name: Guyzar LLC v. Zazzle, Inc.
- Case Identification: 2:17-cv-00058, E.D. Tex., 01/13/2017
- Venue Allegations: Venue is alleged to be proper based on Defendant being subject to personal jurisdiction in the district, regularly conducting business there, and certain acts of infringement occurring in the district.
- Core Dispute: Plaintiff alleges that Defendant’s website feature for signing in with a third-party account infringes a patent related to a security system for internet transactions.
- Technical Context: The lawsuit concerns methods for securely authenticating a user's identity and confidential information to complete online transactions.
- Key Procedural History: The complaint does not mention any prior litigation, Inter Partes Review (IPR) proceedings, or licensing history related to the patent-in-suit.
Case Timeline
| Date | Event |
|---|---|
| 1996-12-18 | U.S. Patent 5,845,070 Priority Date |
| 1998-12-01 | U.S. Patent 5,845,070 Issued |
| 2017-01-13 | Complaint Filed |
II. Technology and Patent(s)-in-Suit Analysis
- U.S. Patent No. 5,845,070, “Security System for Internet Provider Transaction,” issued December 1, 1998
The Invention Explained
- Problem Addressed: The patent addresses the risk of a user's confidential information (e.g., credit card details) being misappropriated when making purchases over the internet, particularly when such information must be revealed to an "Internet Entity" (a merchant) to complete a transaction (’070 Patent, col. 1:17-27, 57-63).
- The Patented Solution: The invention describes a multi-step security process. A user logs in with a "first data set" (ID/password), which is validated by an authentication system. In response, the system issues a temporary "second data set," described as a "framed IP address," valid only for that session. When the user initiates a purchase from a merchant, this second data set is used to query a "tracking and authentication control module" which holds the user's confidential information. This module can then validate the transaction without disclosing the underlying confidential data to the merchant, tying the secure information to the specific user and session (’070 Patent, col. 2:1-10; Fig. 3).
- Technical Importance: The invention proposed a method to centralize and secure a user's sensitive purchasing information, allowing for online transactions without repeatedly exposing that information to various third-party merchant websites (’070 Patent, col. 2:1-6).
Key Claims at a Glance
- The complaint asserts infringement of at least independent Claim 1 (Compl. ¶11, 21).
- Independent Claim 1 Elements:
  - accessing the Internet by the user entering a first data set into a computer based controller to control modems and communication protocols;
  - establishing a data base containing confidential information subject to authentication with a user's first data set;
  - submitting said first data set to a tracking and authentication control module requesting authentication of the user, said module including a data base, an authentication server, and a certification server;
  - comparing the user's first data set input to the authentication server with the I.D. and password in the data base and subject to a validating match;
  - issuing a second data set in real time by the authentication server subject to a validation match;
  - submitting the second data set to the certification server upon the initiation of a transaction by the user;
  - consummating the transaction subject to validation of the second data set by tying the confidential information in the data base to the user, whereby the confidential information is retained undisclosed in the data base.
- The complaint does not explicitly reserve the right to assert dependent claims but references infringement of the "’070 patent" generally (Compl. ¶25, Prayer for Relief ¶a).
III. The Accused Instrumentality
Product Identification
The "Accused Instrumentality" is identified as Defendant's website features, specifically the "Sign In with" feature, which utilizes the OAuth open standard (Compl. ¶13).
Functionality and Market Context
The complaint alleges the accused feature allows a user to authenticate their identity using third-party credentials (e.g., from Facebook) to sign in to Defendant's website (Compl. ¶13-14). This feature is accused of implementing the OAuth standard to establish a database of confidential user information (e.g., email, profile), submit credentials to an "Authorization Server," and use an "Access Token and Authorization Code" to access that information to consummate a transaction on Defendant's website (Compl. ¶15-20).
IV. Analysis of Infringement Allegations
The complaint alleges that the accused "Sign In with" feature, by implementing the OAuth standard, performs each step of at least Claim 1 of the ’070 Patent (Compl. ¶22). A screenshot provided in the complaint shows a login page with a "Sign in with Facebook" button, which is identified as the Accused Instrumentality (Compl. p. 4).
5,845,070 Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| accessing the Internet by the user entering a first data set into a computer based controller... | The user enters a "first data set, such as third party log-in credentials," into a computer-based controller (Compl. ¶14). | ¶14 | col. 21:12-15 |
| establishing a data base containing confidential information subject to authentication with a user's first data set; | The OAuth standard is used "to establish a database containing confidential information, such as...a user's address, email, phone number, online profile, etc." (Compl. ¶15). | ¶15 | col. 21:16-18 |
| submitting said first data set to a tracking and authentication control module requesting authentication...said...module including a data base...an authentication server...and a certification server... | The OAuth standard is implemented "to submit a first data set to a tracking and authentication control module, such as a dedicated 'Authorization Server,'" which includes a database, an authentication server, and a certification server (Compl. ¶16). | ¶16 | col. 21:19-27 |
| comparing the user's first data set input to the authentication server incident to accessing the internet with the I.D. and password in the data base and subject to a validating match; | The OAuth standard is implemented "to compare the user's first data set input to the authentication server...with the I.D. and password in the data base" for a validating match (Compl. ¶17). | ¶17 | col. 21:28-32 |
| issuing a second data set in real time by the authentication server subject to a validation match... | The OAuth standard is implemented "in issuing a second data set, such as an Access Token and Authorization Code issued by the OAuth protocol," responsive to a successful validation (Compl. ¶18). | ¶18 | col. 21:33-37 |
| submitting the second data set to the certification server upon the initiation of a transaction by the user; | The OAuth standard is implemented "to submit the second data set to the certification server." The complaint alleges the "Resource Server...serves its certification purpose and validates the authenticity of the Access Token" (Compl. ¶19). | ¶19 | col. 21:38-40 |
| consummating the transaction subject to validation of the second data set by tying the confidential information in the data base to the user whereby the confidential information is retained undisclosed... | The OAuth standard is implemented in "consummating a transaction, such as using user's third-party credentials and profile information on Defendant's website, subject to the validation of the second data set" while retaining confidential information undisclosed (Compl. ¶20). | ¶20 | col. 21:41-46 |
Identified Points of Contention
- Scope Questions: A central question may be whether the term "second data set," defined in the patent's preferred embodiment as a "framed-IP-address" (’070 Patent, col. 21:47-48), can be construed to read on the "Access Token and Authorization Code" of the OAuth protocol as alleged (Compl. ¶18).
- Technical Questions: The complaint maps the claimed "tracking and authentication control module" containing an "authentication server" and a "certification server" onto components of the OAuth standard, such as an "Authorization Server" and a "Resource Server" (Compl. ¶16, 19). A potential issue is whether the functions of the accused OAuth components correspond to the specific functions of the server architecture described and claimed in the patent. For example, does the accused "Resource Server" perform the function of the claimed "certification server," which the patent describes as "containing validation data for authenticating and internet entity approved for conducting internet transaction" (’070 Patent, col. 21:25-27)?
V. Key Claim Terms for Construction
The Term: "second data set"
- Context and Importance: The definition of this term is critical because the patent's specification repeatedly refers to it as a "framed-IP-address" (’070 Patent, col. 2:4-5, 45). The complaint, however, alleges this limitation is met by an "Access Token and Authorization Code" from the OAuth protocol (Compl. ¶18). The viability of the infringement case may depend on whether this term can be interpreted broadly enough to cover modern authentication tokens.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The detailed description states that the second data set "can comprise any form of alpha or numeric data and it is intended that it not be limited to an address form" (’070 Patent, col. 3:32-34). This language may support an interpretation that extends beyond a literal IP address to other forms of session-specific data like an access token.
  - Evidence for a Narrower Interpretation: Claim 2, which depends on Claim 1, explicitly recites "wherein the second data set is a framed-IP-address" (’070 Patent, col. 21:47-48). Under the doctrine of claim differentiation, this could suggest that Claim 1 is not limited to a framed-IP-address. However, a defendant could argue that the entire inventive concept is so tied to the session-based IP address model that other forms of data fall outside the claim's scope.
The Term: "tracking and authentication control module"
- Context and Importance: Practitioners may focus on this term because the patent illustrates it as a seemingly integrated system (Module 50 in Fig. 3) comprising a database, authentication server, and certification server. The complaint alleges this single module reads on what may be separate components in the accused OAuth system, such as a "dedicated 'Authorization Server'" (Compl. ¶16). The dispute may turn on whether the claimed "module" requires a specific, monolithic architecture or can cover a distributed system of cooperating servers.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The term "module" is not explicitly defined, which may allow for flexibility in its interpretation to cover logically associated but physically separate components that collectively perform the claimed functions.
  - Evidence for a Narrower Interpretation: The patent’s description states "Included in the tracking and authentication module 50 is the data base 52, the authentication server 53 and the certification server 54" (’070 Patent, col. 4:60-62). Figure 3 depicts these as components of a single encompassing module 50. This could support an argument that the claims require a more integrated system than the distributed architecture of modern federated identity protocols.
VI. Other Allegations
- Indirect Infringement: The complaint alleges that Defendant "conditions end-users' use of the Accused Instrumentality upon the end-users' and Facebook's performance of the method" and "establishes the manner or timing of end-users' performance" (Compl. ¶22-23). This appears to lay the groundwork for a claim of induced infringement by alleging Defendant directs its users to perform the infringing steps, without which the service would not be available.
- Willful Infringement: The complaint alleges that "Defendant has had knowledge of infringement of the ‘070 patent at least as of the service of the present complaint" (Compl. ¶26). This allegation is based on post-suit knowledge and is asserted to support a request for enhanced damages (Prayer for Relief ¶d).
VII. Analyst’s Conclusion: Key Questions for the Case
The resolution of this case will likely depend on the court’s interpretation of claim terms drafted in the 1990s and their application to modern web authentication technology. The central questions are:
- A core issue will be one of definitional scope: can the term "second data set", described in the patent's embodiment as a session-specific "framed-IP-address," be construed to cover a modern "Access Token" and "Authorization Code" as used in the OAuth protocol, especially in light of specification language stating the term is not limited to an address form?
- A key question of structural equivalence will be: does the claimed "tracking and authentication control module", depicted as a relatively integrated system, read on the potentially distributed architecture of the accused OAuth implementation, where functions of the claimed "authentication server" and "certification server" are allegedly performed by distinct "Authorization" and "Resource" servers?
- An evidentiary question of divided infringement may arise: does the complaint sufficiently allege facts showing that Defendant directs or controls the actions of both its end-users and third parties (e.g., Facebook) to such an extent that all steps of the claimed method can be attributed to Defendant?