DCT
2:24-cv-00384
DataCloud Tech LLC v. Imperva Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: DataCloud Technologies, LLC (Georgia)
  - Defendant: Imperva, Inc. (Delaware)
  - Plaintiff’s Counsel: Rozier Hardt McDonough PLLC
- Case Identification: 2:24-cv-00384, E.D. Tex., 05/24/2024
- Venue Allegations: Plaintiff alleges venue is proper in the Eastern District of Texas because Defendant conducts regular business in the district, has a physical office in Plano, Texas, and the alleged acts of infringement occurred within the district.
- Core Dispute: Plaintiff alleges that Defendant’s web security products and services, including its Web Application Firewall and Content Delivery Network, infringe four patents related to anonymous network communication and remote management of data directory structures.
- Technical Context: The technologies at issue concern methods for anonymizing a user's network traffic and for remotely managing access permissions and data structures, which are foundational elements of modern cloud-based security and content delivery services.
- Key Procedural History: The complaint notes that U.S. Patent No. 8,370,457 was subject to a Certificate of Correction. The patents-in-suit descend from two distinct patent families; U.S. Patents 7,398,298 and 8,615,555 are continuations of an application that ultimately issued as U.S. Patent No. 7,197,537, while U.S. Patent 8,370,457 is a divisional of the application that led to U.S. Patent 7,209,959.
Case Timeline
| Date | Event |
|---|---|
| 2000-04-04 | Priority Date for ’959 and ’457 Patents |
| 2002-03-29 | Priority Date for ’298 and ’555 Patents |
| 2007-04-24 | ’959 Patent Issued |
| 2008-07-08 | ’298 Patent Issued |
| 2013-02-05 | ’457 Patent Issued |
| 2013-12-24 | ’555 Patent Issued |
| 2014-03-18 | Certificate of Correction for ’457 Patent Issued |
| 2024-05-24 | Complaint Filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,209,959 - “Apparatus, System, And Method For Communicating To A Network Through A Virtual Domain Providing Anonymity To A Client Communicating On The Network,” Issued April 24, 2007
The Invention Explained
- Problem Addressed: The patent’s background section identifies the problem of client privacy on the internet, where a user’s identifying information, such as an IP address, can be recorded and tracked by servers, leading to privacy threats like unwanted solicitations (’959 Patent, col. 1:56-65). Existing proxy servers are described as a partial solution but one where the proxy itself becomes a fixed, traceable entity (’959 Patent, col. 2:7-18).
- The Patented Solution: The invention proposes a system using three distinct logical components—a “deceiver,” a “controller,” and a “forwarder”—to create a temporary, anonymous communication session. The controller, upon receiving a request routed through the deceiver, finds the true destination IP address and assigns a forwarder to handle the session. It then provides the forwarder's IP address back to the client, "deceiving" the client into communicating with the forwarder instead of the destination server, thereby masking the client's identity from the end server for that session (’959 Patent, Abstract; col. 3:13-48).
- Technical Importance: The technology aimed to create session-specific, ad hoc anonymity, offering a more dynamic and potentially more secure alternative to static proxy servers by creating temporary virtual domains for communication (’959 Patent, col. 2:25-29, 44-54).
Key Claims at a Glance
- The complaint asserts at least independent Claim 1 (Compl. ¶24).
- Essential elements of Claim 1 include:
  - In response to a client request to communicate with a destination website, setting up a forwarding session.
  - The session employs a “forwarder” between the client and destination server to forward packets in both directions.
  - The session is implemented such that neither the client nor the destination server is aware of the forwarder’s employment.
  - A “controller” communicates with the forwarder and a domain name server (DNS), querying the DNS to resolve the destination’s name.
  - A “deceiver” communicates with the client and controller, receiving the initial client request and initiating the controller to query the DNS.
  - The forwarding session is initiated in response to the controller receiving the answer from the DNS.
- The complaint does not explicitly reserve the right to assert dependent claims.
U.S. Patent No. 7,398,298 - “Remote Access And Retrieval Of Electronic Files,” Issued July 8, 2008
The Invention Explained
- Problem Addressed: The patent describes a need for users to have more than just remote access to data; specifically, it identifies a lack of remote control over the underlying data directory structures and a lack of confirmation that requested data has been successfully delivered to its intended target (’298 Patent, col. 2:1-14).
- The Patented Solution: The invention discloses a system, including a server-side computing application, that allows a user to remotely manage data directory structures. The system authenticates users, processes requests to view and manipulate data stored in those structures based on user profiles, coordinates the delivery of data to a specified target, and, crucially, provides a notification or confirmation of delivery back to the requesting user (’298 Patent, Abstract; col. 2:38-56).
- Technical Importance: This technology addressed the growing needs of a mobile workforce by providing not just remote access but also remote administrative control and delivery verification, enhancing reliability and control for corporate users accessing sensitive data (’298 Patent, col. 2:15-36).
Key Claims at a Glance
- The complaint asserts at least independent Claim 13 (Compl. ¶34).
- Essential elements of Claim 13 include:
  - Receiving a request at a server-based application for remote management control of data directory structures.
  - Processing the request by providing directory structure information from a profile store that dictates user-specific access.
  - A single directory structure is selected for modification from a plurality of structures available to the user.
  - Delivering desired data and management control to identified delivery targets.
  - Generating a notification of the delivery.
  - Determining if the requested data is accessible based on the profile store.
  - Delivering the data and sending a confirmation of the delivery.
- The complaint does not explicitly reserve the right to assert dependent claims.
Multi-Patent Capsule: U.S. Patent No. 8,370,457 - “Network Communication Through A Virtual Domain,” Issued February 5, 2013
- Technology Synopsis: Continuing the theme of the ’959 patent, this patent claims a method of network communication that establishes a specific forwarding IP address for a pre-defined combination of a client IP and a destination IP. When a request from that client for that destination is identified, the system forwards the request using the established forwarding IP, thereby managing traffic and obscuring the direct link between client and destination (Compl. ¶44; ’457 Patent, Abstract).
- Asserted Claims: At least independent Claim 9 (Compl. ¶44).
- Accused Features: The complaint alleges that Imperva’s "Cloud Web Application Firewall" infringes by using advanced firewall settings in its gateway to establish and use translated IP addresses as forwarding addresses for specific client-destination data requests (Compl. ¶¶43-44).
Multi-Patent Capsule: U.S. Patent No. 8,615,555 - “Remote Access And Retrieval Of Electronic Files,” Issued December 24, 2013
- Technology Synopsis: Related to the ’298 patent, this patent claims a method for remotely managing data directory structures. The method includes receiving a request, querying a profile data store to determine access rights, and then facilitating a request to send a data file to a specified electronic address that may belong to a user other than the requestor, followed by creating and sending a confirmation message back to the original requestor (Compl. ¶54; ’555 Patent, Abstract).
- Asserted Claims: At least independent Claim 1 (Compl. ¶54).
- Accused Features: The complaint accuses Imperva’s "SSL Protection" services, which involve email-based domain verification and SSL certificate generation. The process of managing domain validation files, handling requests for new user permissions, and sending verification data to specified email addresses is alleged to map to the claimed method (Compl. ¶¶53-54).
III. The Accused Instrumentality
Product Identification
The accused instrumentalities are Imperva's cloud-based security and content delivery services, identified as "Imperva cloud-based hosting websites," the "Imperva Web Application Firewall" (WAF), "Cloud Web Application Firewall," and "Imperva Web Protection and CDN services" that include "SSL Protection" (Compl. ¶16).
Functionality and Market Context
- The complaint alleges that these products form a core part of Imperva's business in providing website security, traffic management, and content delivery (Compl. ¶15).
- Functionally, the services are alleged to operate by positioning Imperva’s infrastructure, such as front-end server switches and firewalls, between a client (end-user) and a destination server (customer website) (Compl. ¶24).
- The "Imperva WAF tools" are alleged to include an administrative dashboard for managing user roles, permissions, and access to web resources (Compl. ¶34).
- The "Cloud Web Application Firewall" is accused of using a gateway to translate IP addresses and route traffic based on pre-defined combinations of source and destination addresses (Compl. ¶44). This functionality is illustrated in a network diagram provided in the complaint showing data flow from a client to a gateway ("GW") and then to web servers (Compl. p. 11, Figure).
- The "SSL Protection" service is described as a system that manages the generation of SSL certificates by, among other things, facilitating domain validation through file transfers and email communications (Compl. ¶¶53-54). A provided screenshot shows the user interface for issuing an "Incapsula SSL certificate," a service now part of Imperva (Compl. p. 13, Figure).
IV. Analysis of Infringement Allegations
’959 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| ...setting up a forwarding session... employing a forwarder disposed between the client and the destination server to forward packets... | Imperva sets up a session using a "front-end server switch" as the forwarder, positioned between the client device and the destination WWW server, to handle bidirectional data packets. | ¶24 | col. 8:52-57 |
| ...wherein the forwarding session is set up and implemented such that neither the client or the destination server is aware of the employment of the forwarder... | The session is allegedly implemented such that the WWW server has a direct TCP connection with a local IP address, and neither it nor the client is aware of the intermediary forwarder. | ¶24 | col. 8:60-63 |
| ...employing a controller configured to communicate with the forwarder and a domain name server... | A firewall acts as the controller, communicating with the front-end server switch (forwarder) and a DNS to resolve the destination website's domain name. | ¶24 | col. 8:64-67 |
| ...employing a deceiver configured to communicate with the controller and the client... wherein the deceiver receives the request by the client... | A router acts as the deceiver, receiving the initial request from the client and initiating the firewall (controller) to query the DNS. | ¶24 | col. 7:4-8 |
Identified Points of Contention
- Scope Questions: A central issue may be whether the patent-specific terms "deceiver", "controller", and "forwarder" can be read to cover the functions of standard network components like routers, firewalls, and reverse proxy servers operating in a WAF/CDN architecture. The defense may argue these are distinct structures performing different functions from those claimed.
- Technical Questions: The complaint alleges that "neither the client or the destination server is aware of the employment of the forwarder" (Compl. ¶24). A key technical question will be what evidence demonstrates this specific lack of awareness, as opposed to the standard operation of a reverse proxy, which is a well-known architecture. The infringement allegation is supported by a screenshot from a "Subdomain Finder" tool, which shows numerous subdomains for imperva.com, suggesting a complex routing infrastructure is in place (Compl. p. 5, Figure).
’298 Patent Infringement Allegations
| Claim Element (from Independent Claim 13) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| ...receiving at least one request by a computing application... for remote management control of data directory structures... | The Imperva WAF tools receive requests through an administrative dashboard to remotely control "data directory structures," which the complaint equates to "webpages and functions accessible to discrete users." | ¶34 | col. 11:50-55 |
| ...processing the request... by providing data directory structure information if deemed accessible from data stored in a profile store... | The system processes requests using a profile data store (e.g., a secure SQL database) that contains information on user permissions, privileges, and available operations. | ¶34 | col. 11:59-col. 12:2 |
| ...a single directory structure from among a plurality of the data directory structures... is selected by each of the participating users for modification... | A user selects a single set of abilities/privileges/permissions for another user from among multiple available account access settings for modification. | ¶34 | col. 12:2-5 |
| ...delivering the user requested data and sending a confirmation of the delivery. | The complaint does not provide sufficient detail for analysis of this element. | ¶34 | col. 12:12-14 |
Identified Points of Contention
- Scope Questions: The viability of the infringement claim will heavily depend on the construction of "data directory structure." The complaint interprets this term to mean logical constructs like user permissions and access rights. This raises the question of whether the term, which is exemplified in the patent with file path names, can be broadened to cover the management of user roles in a WAF.
- Technical Questions: What evidence does the complaint provide that the Imperva WAF tools provide "confirmation of the delivery" of data as required by the claim? The infringement narrative in paragraph 34 focuses on setting permissions and does not detail a specific confirmation or notification step corresponding to this limitation.
V. Key Claim Terms for Construction
’959 Patent: "deceiver"
- The Term: "deceiver"
- Context and Importance: This term is a neologism central to the claimed architecture. Its construction will determine whether standard network components can be mapped onto the claim. Practitioners may focus on this term because the complaint equates it to a "router" (Compl. ¶24), a common component, while the patent describes a more specific function.
- Intrinsic Evidence for a Broader Interpretation: The specification describes its role as communicating with clients and the controller and providing name resolution, which could be argued to cover any initial-request-handling network device (’959 Patent, col. 2:36-39).
- Intrinsic Evidence for a Narrower Interpretation: The specification states the "deceiver" "works the same as a standard name server, except when a query is received from a client, the deceiver allows the controller to supply the information," and is involved in "DNS Misdirection" (’959 Patent, col. 2:35-43). This suggests a specific function tied to DNS manipulation, potentially narrower than a general-purpose router or firewall.
’298 Patent: "data directory structure"
- The Term: "data directory structure"
- Context and Importance: The infringement theory for the ’298 and ’555 patents hinges on this term covering the management of user permissions and roles within a security product. Practitioners may focus on this term because its interpretation is dispositive of infringement for two of the four asserted patents.
- Intrinsic Evidence for a Broader Interpretation: The patent background discusses the need for users to have "data management and storage control" and control over "directory structures," which could be argued to encompass logical controls over data access, not just physical file locations (’298 Patent, col. 2:17-18).
- Intrinsic Evidence for a Narrower Interpretation: The patent’s own figures provide strong evidence for a narrower meaning. Figure 9A explicitly shows an exemplary interface listing "DIRECTORIES" with conventional file paths like "WORK/QUARRY/POWERPOINTFILES" and "HOME/PEBBIES/PHOTOS" (’298 Patent, FIG. 9A). This suggests the term refers to traditional file and folder hierarchies.
VI. Other Allegations
- Indirect Infringement: The complaint does not contain separate counts for indirect infringement. However, it alleges that Defendant provides and advertises "tools and products for web-based account roles and permissions," which could potentially form a factual basis for a future claim of induced infringement (Compl. ¶16, ¶33).
- Willful Infringement: The complaint does not plead a specific count for willful infringement and includes no allegations of pre-suit knowledge of the patents-in-suit. The prayer for relief includes a request for a declaration that the case is exceptional under 35 U.S.C. § 285, but the factual basis for this is not detailed in the body of the complaint (Compl. ¶58.D).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the term "data directory structure", which is exemplified in the ’298 patent family with traditional file paths, be construed broadly enough to encompass the management of logical user roles, permissions, and access rights within Imperva’s Web Application Firewall dashboard?
- A second central question will be one of architectural mapping: can the specific, multi-component architecture of the ’959 patent family, with its claimed "deceiver", "controller", and "forwarder" performing distinct roles in a DNS misdirection scheme, be mapped onto the integrated functions of Imperva’s modern WAF and CDN infrastructure?
- A key evidentiary question will be one of functional proof: what evidence will be presented to establish that Imperva's products perform the specific functions of providing client anonymity (as required by the ’959 patent) and sending confirmation of delivery (as required by the ’298 patent), as these functions are central to the claimed inventions but may not be primary features of the accused security products?