2:23-cv-00634
Croga Innovations Ltd v. IBM Corp
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Croga Innovations Ltd. (Ireland)
  - Defendant: International Business Machines Corporation (New York)
  - Plaintiff’s Counsel: BC Law Group, P.C.
- Case Identification: 2:23-cv-00634, E.D. Tex., 12/29/2023
- Venue Allegations: Plaintiff alleges venue is proper because IBM is registered to do business in Texas, has transacted business in the district, committed acts of infringement in the district, and maintains regular and established places of business in the district.
- Core Dispute: Plaintiff alleges that Defendant’s cloud and mainframe development platforms, which provide sandboxed environments, infringe two patents related to network security through computing environment isolation.
- Technical Context: The technology concerns methods for protecting a primary computer system from internet-based threats by routing potentially unsafe activity through a separate, isolated "guest" or "sandbox" environment, thereby containing any malware.
- Key Procedural History: U.S. Patent No. 10,601,780 is a continuation of an earlier application, which itself claims priority to a 2011 provisional application. U.S. Patent No. 11,178,104 claims priority to a 2017 provisional application. The patents share inventors and an assignee, suggesting a related technology portfolio.
Case Timeline
| Date | Event | 
|---|---|
| 2011-01-27 | Earliest Priority Date for U.S. Patent No. 10,601,780 | 
| 2017-09-26 | Earliest Priority Date for U.S. Patent No. 11,178,104 | 
| 2020-03-24 | U.S. Patent No. 10,601,780 Issued | 
| 2021-11-16 | U.S. Patent No. 11,178,104 Issued | 
| 2023-12-29 | Complaint Filed | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 11,178,104: “Network Isolation with Cloud Networks” (Issued Nov. 16, 2021)
The Invention Explained
- Problem Addressed: The patent addresses the security risks that arise when a host computer system accesses the internet, which can lead to malware infections, data loss, and the compromise of other resources on a local area network (LAN) (’104 Patent, col. 1:13-46).
- The Patented Solution: The invention proposes a "sandbox based network isolation system" on a single host computer. The system creates two distinct environments: a trusted "workspace" and an "isolated computing environment" for accessing untrusted destinations like the internet. A key component is an "internal isolation firewall" that segregates the two environments, preventing malware in the isolated environment from affecting the trusted workspace ('104 Patent, Abstract; col. 2:1-12). Communication between the isolated environment and the internet is managed through one or more proxy devices ('104 Patent, col. 2:15-24).
- Technical Importance: This architecture aims to provide the security benefits of using a physically separate computer for browsing the internet without the cost and inconvenience, by creating a logically-separated "disposable" environment within a single machine.
Key Claims at a Glance
- The complaint asserts independent claim 1 (Compl. ¶10).
- Claim 1 of the ’104 Patent requires:
  - A host computer system with a memory and a processor.
  - The processor is configured to implement a "workspace" in a first memory space.
  - The processor implements an "isolated computing environment" using a host operating system and a "sandboxed computing environment" in a second memory space to access an "Internet-based cloud service."
  - An "internal isolation firewall" isolates the workspace from the isolated computing environment.
  - The system authenticates the isolated computing environment with an "authentication device."
  - The system communicates with a "proxy server" to access the cloud service after authentication.
- The complaint does not explicitly reserve the right to assert dependent claims.
U.S. Patent No. 10,601,780: “Internet Isolation for Avoiding Internet Security Threats” (Issued Mar. 24, 2020)
The Invention Explained
- Problem Addressed: The patent’s prior art section describes how malware delivered through websites or email attachments can compromise a computer, leading to data theft and remote control by malicious actors (’780 Patent, col. 1:24-58). The background notes that using two separate physical computers to mitigate this risk is costly and inefficient ('780 Patent, col. 2:60-64).
- The Patented Solution: The invention describes a host computer system that runs a "virtual guest system" on a hypervisor. The host system itself is firewalled and restricted from accessing the internet, except for whitelisted sites. The virtual guest system, however, has a separate, dedicated connection to the internet (e.g., via a VPN tunnel) and can browse freely ('780 Patent, Abstract; col. 3:28-49). An internal firewall strictly limits interaction between the host and the guest, containing any potential infection within the guest system, which can be easily reset to a "pristine" state ('780 Patent, col. 6:12-18).
- Technical Importance: This method provides a robust security model by creating a disposable, isolated pathway to the internet, protecting the user's primary operating system and local network from direct exposure to online threats.
Key Claims at a Glance
- The complaint asserts independent claim 1 (Compl. ¶20).
- Claim 1 of the ’780 Patent requires:
  - A networked computer system comprising a network and at least one computer system.
  - The computer system comprises a "host system" and a "virtual system," where the virtual system is a separate operating system or software module.
  - An "internal firewall" separates the host system from the virtual system.
  - A "host-based firewall" implements network isolation between the computer system and the network.
  - At least one device configured as a "network firewall or a web proxy" to implement isolation from untrusted destinations.
- The complaint does not explicitly reserve the right to assert dependent claims.
III. The Accused Instrumentality
Product Identification
- The complaint identifies the accused products as "IBM Wazi Developer versions 1.4, 2.4, 2.5 and 2.6 with IBM Z and IBM LinuxOne platforms IBM Cloud, IBM Cloud Virtual Servers, and IBM Cloud Bare Metal Servers" (Compl. ¶9, ¶19).
Functionality and Market Context
- The complaint alleges that the accused products provide a "containerized, personal z/OS sandbox environment" (Compl. ¶12). This functionality allows developers to create and test mainframe applications in an isolated environment running on IBM's cloud infrastructure.
- The complaint references IBM documentation advertising these features, such as providing a z/OS sandbox and instructions on configuring a "Red Hat OpenShift target environment on the Wazi Sandbox" (Compl. ¶12, ¶22). One such document referenced as visual evidence describes the IBM Wazi Developer as providing a "containerized, personal z/OS sandbox environment" for development and test (Compl. ¶12, Ex. 3). Another visual reference points to IBM's instructions for creating a sandbox instance within its z/modernization stack (Compl. ¶22, Ex. 9).
- The functionality is positioned as a tool for modernizing mainframe applications by enabling development in a flexible, cloud-based "sandbox" that mimics a z/OS mainframe environment.
IV. Analysis of Infringement Allegations
The complaint references claim chart exhibits that were not provided with the filing. The following analysis is based on the narrative infringement allegations in the complaint body.
’104 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| a host computer system | IBM Z and IBM LinuxOne platforms, IBM Cloud, IBM Cloud Virtual Servers, and IBM Cloud Bare Metal Servers are alleged to be the host computer system. | ¶9 | col. 11:7-22 | 
| implement a workspace ... via a first memory space | The complaint does not provide sufficient detail for analysis of this element. | | col. 5:40-44 |
| implement an isolated computing environment ... comprising a sandboxed computing environment that uses a second memory space | The accused products allegedly provide a "containerized, personal z/OS sandbox environment," which is alleged to be the claimed isolated environment. | ¶12 | col. 6:1-17 | 
| isolate the isolated computing environment from the workspace using an internal isolation firewall | The complaint does not provide sufficient detail for analysis of this element. | | col. 2:1-4 |
| authenticate the isolated computing environment with an authentication device | The complaint does not provide sufficient detail for analysis of this element. | | col. 23:20-24 |
| communicate with a proxy server to access the Internet-based cloud service | The complaint alleges IBM provides instructions for users to "communicate with a proxy server." | ¶12 | col. 23:26-34 | 
Identified Points of Contention
- Scope Questions: A central question may be whether the "containerized ... sandbox environment" (Compl. ¶12) offered by IBM constitutes an "isolated computing environment" that uses a "second memory space" separate from a "first memory space" as required by the claim. The technical distinction between containerization (which may share a kernel with the host) and the patent's description of segregated memory spaces could be a key area of dispute.
- Technical Questions: The complaint alleges communication with a "proxy server" but provides limited detail on the specific function of the internal and external firewalls. A court may need to determine if the accused architecture includes an "internal isolation firewall" that performs the specific function of separating the "workspace" from the "isolated computing environment" as claimed.
’780 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| A networked computer system comprising: a network; at least one computer system | The accused products are alleged to operate as a networked computer system. | ¶19 | col. 7:6-12 | 
| the computer system comprising a host system and a virtual system | The complaint alleges the IBM Z platform acts as the host system, and the "Wazi Sandbox" and "Red Hat OpenShift target environment" act as the virtual system. | ¶22 | col. 8:1-12 | 
| separating the host system from the virtual system using an internal firewall | The complaint does not provide sufficient detail for analysis of this element. | | col. 8:15-22 |
| implementing network isolation between the computer system and the network using a host-based firewall | The complaint does not provide sufficient detail for analysis of this element. | | col. 8:41-48 |
| at least one device configured to implement at least one of a network firewall or a web proxy | The complaint alleges the accused products operate within a cloud environment that necessarily includes network firewalls and proxies. | ¶9, ¶19 | col. 7:6-12 | 
Identified Points of Contention
- Scope Questions: The infringement theory appears to depend on whether the "Wazi Sandbox" running in IBM's cloud qualifies as a "virtual system" as defined in the patent. The patent describes the virtual system as running on a "hypervisor" and being essentially a "blank PC with a browser" ('780 Patent, col. 5:18-20, col. 7:20-22). The court may need to decide if IBM's container-based sandbox meets this potentially narrower definition.
- Technical Questions: The claim requires a specific three-part security architecture: an internal firewall, a host-based firewall, and a network firewall/proxy. The complaint's allegations are high-level. A key factual question will be whether the accused IBM products actually implement three distinct firewalls that perform the separate isolation functions described and claimed in the patent.
V. Key Claim Terms for Construction
For the ’104 Patent:
- The Term: "isolated computing environment"
- Context and Importance: This term is the core of the invention. Its construction will determine whether IBM's "containerized ... z/OS sandbox environment" (Compl. ¶12) can infringe. Practitioners may focus on this term because the technical differences between containers and other forms of virtualization (like full VMs) are significant and could be dispositive.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The specification describes the environment as one where "isolated applications" run, and its purpose is to access "untrusted Internet destinations" ('104 Patent, col. 1:63-65, col. 2:15-16). This functional language could support a construction that includes various isolation technologies, including containers.
  - Evidence for a Narrower Interpretation: The claim requires the environment to use a "second memory space" that is segregated from a "first memory space" by a sandbox ('104 Patent, claim 1; col. 2:5-7). Embodiments describe the environment being "enforced via a sandbox container process" ('104 Patent, col. 3:21-24), which could be interpreted to require a specific type of sandboxing technology that enforces strict memory segregation, potentially beyond that of a standard container.
For the ’780 Patent:
- The Term: "virtual system"
- Context and Importance: The infringement case hinges on mapping the IBM "Wazi Sandbox" to this claim term. The patent was filed in an era where "virtual system" often implied a hypervisor-based virtual machine, which may differ from IBM's current container-based technology.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The claim itself defines the term broadly as "a separate operating system or a software module operating on the computer system" ('780 Patent, claim 1). This language could plausibly encompass a container, which acts as a software module.
  - Evidence for a Narrower Interpretation: The specification repeatedly refers to the virtual system running on a "hypervisor" and being a "virtual machine" ('780 Patent, col. 5:18-19, col. 7:20-22). It is also described as being resettable to a "pristine clean state" ('780 Patent, col. 6:15-16), a characteristic often associated with non-persistent virtual machines. This could support a narrower construction limited to hypervisor-based virtualization.
VI. Other Allegations
- Indirect Infringement: The complaint alleges induced infringement for both patents. It asserts that IBM provides "user manuals and online instruction materials" that "actively encourage and instruct" customers to use the accused products in an infringing manner (Compl. ¶12, ¶22). The complaint cites specific IBM webpages with technical instructions as evidence of this encouragement (Compl. ¶12, ¶22, Ex. 4, Ex. 8, Ex. 9).
- Willful Infringement: The complaint alleges that IBM has knowledge of the patents and infringement "at least as of the filing and service of this complaint" (Compl. ¶12, ¶22). It further alleges that IBM acts "knowing and intending (or with willful blindness to the fact) that its customers and end users will commit these infringing acts," which supports a claim for willful infringement based on post-filing conduct (Compl. ¶12, ¶22).
VII. Analyst’s Conclusion: Key Questions for the Case
- A question of definitional equivalence: Does IBM's "containerized ... sandbox" technology, as implemented in the Wazi Developer products, meet the specific claim requirements of an "isolated computing environment" ('104 patent) and a "virtual system" ('780 patent)? The outcome may depend on whether the court construes these terms functionally to cover modern containerization or more narrowly to require the hypervisor-based virtual machine architecture described in the patent specifications. 
- An evidentiary question of architectural mapping: Can the plaintiff demonstrate that the complex, multi-component IBM cloud and mainframe architecture actually implements the specific multi-firewall structures claimed in the patents? The claims require distinct "internal," "host-based," and "network" firewalls, and proving that the accused system contains components that map to each of these claimed elements with their respective functions will be a critical and fact-intensive part of the case.