DCT

2:18-cv-00504

Uniloc 2017 LLC v. Google LLC

I. Executive Summary and Procedural Information

Parties & Counsel:
- Plaintiff: Uniloc 2017 LLC (Delaware) and Uniloc USA, Inc. (Texas)
- Defendant: Google LLC (Delaware)
- Plaintiff’s Counsel: Etheridge Law Group, PLLC
Case Identification: 2:18-cv-00504, E.D. Tex., 11/17/2018
Venue Allegations: Plaintiff alleges venue is proper in the Eastern District of Texas because Google maintains a "regular and established place of business" in the district. The allegations point to Google's physical Google Global Cache (GGC) servers hosted within third-party ISP facilities, its operation of Google Fi cellular services via local towers, and its use of data centers for Google Cloud services, all of which are asserted to constitute a physical presence controlled or ratified by Google.
Core Dispute: Plaintiff alleges that Defendant’s two-step account verification system infringes a patent related to methods for detecting and notifying a user of an access attempt from an unrecognized computing device.
Technical Context: The technology at issue falls within the domain of multi-factor authentication, a widely adopted security measure for protecting online user accounts from unauthorized access.
Key Procedural History: The complaint was filed on November 17, 2018. Subsequent to the filing, the asserted patent, U.S. Patent No. 8,949,954, was the subject of an Inter Partes Review (IPR) proceeding (IPR2020-00441), which was initiated on January 17, 2020. The IPR resulted in the cancellation of claims 1-4, 6, 9, and 12-14, including the primary claim asserted in the complaint (Claim 1).

Case Timeline

Date	Event
2011-12-08	’954 Patent Priority Date
2015-02-03	’954 Patent Issue Date
2018-11-17	Complaint Filing Date
2020-01-17	IPR Proceeding (IPR2020-00441) Filed Against ’954 Patent
2023-11-30	IPR Certificate Issued, Cancelling Asserted Claim 1

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 8,949,954 - "Customer Notification Program Alerting Customer-Specified Network Address of Unauthorized Access Attempts to Customer Account"

The Invention Explained

Problem Addressed: The patent describes a weakness in conventional online security measures that rely on user-managed credentials like passwords, which can be stolen or compromised, leading to external fraud (’954 Patent, col. 1:21-51). The patent identifies a need for a security system that is "better insulated from user carelessness" and can more effectively involve the account holder in the fraud detection process (’954 Patent, col. 1:45-51, col. 2:1-3).
The Patented Solution: The invention proposes a system where a server receives a request for access to a user's account from a remote device (’954 Patent, Abstract). The server identifies the remote device by generating a "device fingerprint" and determines if this fingerprint matches one from a list of previously authorized devices (’954 Patent, col. 10:21-29). If a mismatch occurs, the system sends a notification to a separate, customer-specified device (e.g., a mobile phone), alerting the account holder of the access attempt and allowing them to approve or deny it (’954 Patent, Fig. 7). If approved, the new device's fingerprint can be stored as authorized for future access (’954 Patent, col. 11:40-50).
Technical Importance: This method provides an out-of-band verification channel triggered by device identification, aiming to give account holders a high level of assurance and direct control when a potentially unauthorized device attempts to access their information (’954 Patent, col. 2:3-6).

Key Claims at a Glance

The complaint asserts infringement of at least independent claim 1 (Compl. ¶99).
Essential elements of independent claim 1 include:
- A system with a server, a database, and memory storing a notification program.
- The program, when executed, performs steps for:
  - (a) identifying a remote computing device by its "device fingerprint" and its "requesting location."
  - (b) determining if the device fingerprint matches a "previously authorized" fingerprint.
  - (c) sending a notification to a "separate device specified by the customer" if there is a mismatch.
  - (d) "resolving the request" based on a reply to the notification.
  - (e) storing the device's fingerprint as "previously authorized" if access is permitted.
The complaint does not explicitly reserve the right to assert dependent claims but does reserve the right to pursue infringement by other software and devices (Compl. ¶104).

III. The Accused Instrumentality

Product Identification

The complaint identifies "Google's two-step verification system" as the "Accused Infringing Devices" (Compl. ¶¶83, 84).

Functionality and Market Context

The complaint describes the accused system as a security feature that protects Google accounts using a password and a second verification step on a separate device (Compl. ¶84). When a login is attempted from a new or unrecognized device, Google's servers are alleged to send a notification, or "Google Prompt," to a user's trusted device(s) (Compl. ¶¶86, 88). This prompt reportedly includes the identity and location of the device attempting to log in (Compl. ¶89). An image in the complaint shows a notification on a smartphone regarding a login attempt from a laptop, illustrating this cross-device functionality (Compl. p. 36). Users can then approve the login, and the system provides an option to mark the new device as trusted to prevent future prompts (Compl. ¶¶97, 98).

IV. Analysis of Infringement Allegations

’954 Patent Infringement Allegations

Claim Element (from Independent Claim 1)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
(a) identifying, responsive to the server receiving the request, the remote computing device fingerprint and by a requesting location;	Google's server allegedly identifies the remote device's identity (e.g., "Windows NT 10.0") and its location (e.g., "Near Virginia, USA") when a login is initiated.	¶¶89, 91, 96	col. 4:26-30
(b) determining whether the device fingerprint matches any of a number of device fingerprints previously authorized to access the customer account information;	The complaint alleges that a notification is sent only after Google's system determines that the remote device's identity does not match that of previously authorized or "trusted" devices.	¶92	col. 4:46-54
(c) sending, responsive to determining a mismatch... a notification of the request to an address of a separate device specified by the customer...	Google's system allegedly sends a "Google Prompt" notification to a user's trusted device, such as a mobile phone, when a login attempt is made from an unrecognized device, such as a laptop. The screenshot on page 36 of the complaint shows a prompt on a "Nexus 5X" phone for a login attempt from a "Lenovo Thinkpad."	¶¶86, 90, 95	col. 4:56-65
(d) resolving the request responsive to a reply to the notification;	The user allegedly resolves the login attempt by clicking a "Yes" button within the notification received on the trusted device.	¶97	col. 5:8-11
(e) if resolving the request responsive to a reply... results in permitting authorized access... storing the device fingerprint as a previously authorized device fingerprint...	The complaint alleges that after a user approves a login, Google's server stores the remote device's information, and the user can mark the device as trusted by checking a box labeled "Don't ask again on this computer," which stops future notifications for that device.	¶¶93, 98	col. 11:40-50

Identified Points of Contention:
- Scope Questions: A central question concerns the construction of "device fingerprint." The infringement theory depends on whether Google's method for identifying devices (which the complaint alleges involves collecting "unique identifiers," IP address, device type, OS, etc. (Compl. ¶¶87, 94)) meets the definition of a "device fingerprint" as defined in the patent, which describes a bit string derived from a combination of user-configurable and non-user-configurable data (’954 Patent, col. 7:31-52).
- Technical Questions: A key technical question is how Google's system determines that a device is "new" or "unrecognized." The complaint alleges this is based on a mismatch with "trusted devices previously authorized" (Compl. ¶92), which maps to the patent's claim language. The evidence required would need to show that Google's system performs this specific comparison of a generated device identifier against a stored list of authorized identifiers.

V. Key Claim Terms for Construction

The Term: "device fingerprint"
Context and Importance: This term is the technological core of the asserted claim. The entire security method is triggered by the system's ability to generate this identifier, recognize it as new or known, and act accordingly. The outcome of the infringement analysis may depend on whether the "unique identifiers" and other data Google is alleged to collect and use (Compl. ¶87) are legally equivalent to the patent’s "device fingerprint."
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The patent specification describes a "device fingerprint" as a "bit string or bit array that includes or is derived from user-configurable and non-user-configurable data" and provides a non-exhaustive list of potential data sources, such as model numbers, serial numbers, and registry entries (’954 Patent, col. 7:31-44). A party could argue this language supports a broad definition encompassing any unique identifier derived from device-specific data.
- Evidence for a Narrower Interpretation: The specification also describes the generation of the fingerprint as including a "combination of operations" such as "sampling, concatenating, appending... obfuscating, hashing, encryption, and/or randomization algorithms to achieve a desired degree of uniqueness" (’954 Patent, col. 7:46-52). A party could argue that "device fingerprint" is a term of art requiring this more complex, multi-step generation process, rather than a simple device ID or cookie.

VI. Other Allegations

Indirect Infringement: The complaint alleges Google induces infringement by providing customers with instructional materials, including training videos and user guides available on its websites, that allegedly direct users to operate the two-step verification system in an infringing manner (Compl. ¶101).
Willful Infringement: The complaint alleges that Google will have notice of the ’954 Patent "at the latest, the service of this complaint," and that any continued infringement would therefore be willful (Compl. ¶103). No pre-suit knowledge is alleged.

VII. Analyst’s Conclusion: Key Questions for the Case

A dispositive threshold issue will be the viability of the legal claim itself: the complaint's infringement count is based on claim 1 of the ’954 patent, which has been cancelled as a result of an Inter Partes Review. The primary question for the litigation is whether Plaintiff will be able to amend its allegations to assert infringement of the patent's surviving independent claims (e.g., claims 15 and 16), which are not mentioned in the current complaint.
Should the case proceed on surviving claims, a central issue will be one of definitional scope: can the term "device fingerprint," which the patent describes as being generated from a combination of specific device parameters, be construed to read on the methods Google uses to identify a user's device, which the complaint describes as based on "unique identifiers" and other collected data?
A related evidentiary question will be one of technical implementation: what is the precise mechanism by which Google’s system flags a login attempt as originating from a "new" device, and does this mechanism perform the specific comparison against a stored list of "previously authorized device fingerprints" as required by the patent's claims?