DCT
2:24-cv-00798
BrowserKey LLC v. Bank Of America Corp
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: BrowserKey, LLC (Texas)
  - Defendant: Bank of America Corporation (Delaware)
  - Plaintiff’s Counsel: Fabricant LLP
 
- Case Identification: 2:24-cv-00798, E.D. Tex., 10/02/2024
- Venue Allegations: Plaintiff alleges venue is proper in the Eastern District of Texas because Defendant is registered to do business in Texas, has committed alleged acts of infringement in the district, and maintains regular and established places of business in the district.
- Core Dispute: Plaintiff alleges that Defendant’s web and mobile banking applications infringe a patent related to methods for securely authenticating a user's device and managing access sessions.
- Technical Context: The technology concerns secure computer network authentication, specifically methods that tie access rights to a particular client machine rather than just a portable username and password.
- Key Procedural History: The complaint does not mention any prior litigation, Inter Partes Review (IPR) proceedings, or licensing history related to the patent-in-suit.
Case Timeline
| Date | Event | 
|---|---|
| 2002-05-06 | Earliest Priority Date for U.S. Patent No. 7,249,262 | 
| 2007-07-24 | U.S. Patent No. 7,249,262 Issues | 
| 2018-01-01 | Approximate start of alleged infringement | 
| 2024-10-02 | Complaint Filed | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,249,262 - "Method For Restricting Access To A Web Site By Remote Users"
The Invention Explained
- Problem Addressed: The patent addresses the security risks of traditional authentication methods like usernames and passwords, which can be easily stolen or shared, and the inconvenience of physical security hardware like "dongles," which can be lost or loaned to others ('262 Patent, col. 1:22-56). The goal is to ensure that a user is operating from a specific, pre-authorized client machine ('262 Patent, col. 1:8-13).
- The Patented Solution: The invention describes a multi-stage authentication process. First, it authenticates the specific client machine itself, for example, by generating a unique "machine-specific identifier" on the client and comparing it to a corresponding password ('262 Patent, col. 2:25-42). Once the machine is authorized, the server creates a "session identifier" for the current browsing session, which is stored on both the server (in a temporary table) and the client (as a "cookie"). For all subsequent requests within that session, the client machine simply presents this session identifier to the server, which validates it against its temporary table, granting continued access without re-authenticating the machine itself ('262 Patent, col. 3:12-54).
- Technical Importance: This method sought to increase security by binding access rights to a physical device while using lightweight session tokens to maintain an efficient user experience during an active session ('262 Patent, col. 4:55-65).
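The two-stage flow described above, sketched as an added example that is not code from the patent, the complaint, or any accused product. The attribute-hash derivation of the machine identifier, the `Server` class, and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

def machine_identifier(attrs):
    """Assumed derivation: SHA-256 over sorted machine attributes."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()

def client_verify_machine(attrs, issued_password):
    """Stage 1, on the client: compare the generated identifier to the password."""
    return hmac.compare_digest(machine_identifier(attrs), issued_password)

class Server:
    def __init__(self):
        self.session_table = set()  # temporary table of live session identifiers

    def open_session(self, machine_verified):
        """Create and record a session identifier only for a verified machine."""
        if not machine_verified:
            return None
        sid = secrets.token_urlsafe(32)  # unguessable, per-session value
        self.session_table.add(sid)
        return sid  # sent to the client, which stores it as a cookie

    def handle_request(self, cookie):
        """Stage 2: validate the presented identifier against the table."""
        if cookie is None:
            return 403
        ok = any(hmac.compare_digest(cookie, sid) for sid in self.session_table)
        return 200 if ok else 403

def demo():
    # Constructed sample attributes; not taken from any real device.
    enrolled = {"disk_serial": "CONSTRUCTED-1234", "nic": "00:00:5e:00:53:01"}
    other = {"disk_serial": "CONSTRUCTED-9999", "nic": "00:00:5e:00:53:02"}
    password = machine_identifier(enrolled)  # issued at enrollment (assumption)
    server = Server()
    cookie = server.open_session(client_verify_machine(enrolled, password))
    other_cookie = server.open_session(client_verify_machine(other, password))
    results = {
        "enrolled_machine": server.handle_request(cookie),
        "other_machine": server.handle_request(other_cookie),
        "forged_cookie": server.handle_request("forged"),
    }
    server.session_table.discard(cookie)  # session ends: table entry removed
    results["after_session_end"] = server.handle_request(cookie)
    return results
```

In this sketch the server records a session identifier only when the client-side check reports success, so the table entry is the only thing later requests are judged against.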
Key Claims at a Glance
- The complaint asserts independent claim 11 ('262 Patent, col. 13:37-col. 14:4).
- Essential elements of independent claim 11 include:
  - creating a session identifier on a remote computer for a client's browsing session;
  - transmitting the session identifier to the client machine;
  - storing the session identifier on the client machine;
  - verifying, on the client machine, that the client machine is authorized to access data on the server;
  - if verified, obtaining the stored session identifier and storing it in a remote storage table;
  - transmitting a subsequent access request from the client that includes the session identifier;
  - comparing the transmitted session identifier with the one stored in the remote table to determine if the request is authorized; and
  - permitting or denying access based on the outcome of the comparison.
 
- The complaint also alleges infringement of "one or more claims" of the '262 Patent, suggesting a potential reservation of rights to assert additional claims (Compl. ¶16).
III. The Accused Instrumentality
Product Identification
- The accused products are "all versions and variants of the Bank of America Web and Mobile Applications, including web and mobile applications for all Bank of America affiliates (e.g., Merrill Lynch) since 2018" (Compl. ¶12).
Functionality and Market Context
- The complaint alleges that the accused applications implement a system for restricting access to sensitive user data (Compl. ¶18). This system is alleged to involve an initial authentication step, such as using Apple's Touch ID or Face ID on a mobile device, which verifies the user locally (Compl. ¶18, 23). The complaint alleges that after this verification, the applications use session identifiers, such as cookies, to manage the user's logged-in state and authorize subsequent requests for access to protected URLs (Compl. ¶25-26). A screenshot from Defendant's website shows a prompt for a user to authenticate with Touch ID to access the mobile banking application (Compl. p. 8, fig. 4). Another screenshot displays a user's "Recent logins," listing the device type used for access, such as an "iPhone with Touch ID / Face ID" (Compl. p. 9).
IV. Analysis of Infringement Allegations
'262 Patent Infringement Allegations
| Claim Element (from Independent Claim 11) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| a. creating a session identifier in a computer remote from the client machine for a current browsing session of the client machine; | Bank of America's server computers allegedly create one or more session identifiers when a user agent on a client machine initiates a session. | ¶19, 20 | col. 5:40-44 | 
| b. transmitting to the client machine the session identifier created in step a.; | The session identifiers are allegedly transmitted from Bank of America servers to the client machine via the Internet, using HTTP response headers or bodies. | ¶21 | col. 3:30-34 | 
| c. storing the session identifier transmitted in step b. within the client machine; | The client's web browser allegedly stores the transmitted session identifiers based on instructions from Bank of America's servers or code. A provided privacy notice indicates the use of "session cookies" for "Keeping users logged in while navigating the website" (Compl. p. 11). | ¶22 | col. 3:30-34 | 
| d. verifying, on the client machine, that the client machine is authorized to access data maintained on the server computer; | It is alleged that when using the Bank of America Mobile Application, authorization is verified on the client machine via Apple's Touch ID or Face ID, which locally compares biometrics. | ¶18, 23 | col. 2:60-65 | 
| e. obtaining the session identifier stored in step c., and storing such session identifier within a storage table remote from the client machine if such client machine was verified in step d.; | The complaint alleges that the Bank of America Web Application is an extension of or related to a remote storage table that stores session identifiers after the client machine has been verified. | ¶24 | col. 3:25-29 | 
| f. transmitting a request by the client machine for access to data maintained on the server computer, such request including the session identifier stored in step c.; | Upon a successful sign-in, the user agent is allegedly redirected to a protected page, and subsequent HTTP requests to the server include the session identifier to overcome the stateless nature of the HTTP protocol. | ¶25 | col. 4:35-43 | 
| g. comparing the session identifier transmitted in step f. with the session identifier stored in the storage table during step e. to determine whether the request for access transmitted in step f. is authorized; | Bank of America allegedly compares session identifiers remotely. The complaint notes that when session cookies are deleted from the client, the user is no longer logged in, suggesting a remote comparison is required for access. | ¶26 | col. 4:43-50 | 
| h. permitting access... if the comparison... shows that the request for access is authorized, and denying access... if the comparison... shows that the request for access is not authorized. | Access to data on Bank of America's servers is allegedly authorized if the client machine is signed in and denied if it is not. | ¶27 | col. 4:60-65 | 
Identified Points of Contention
- Scope Questions: A central question is whether the claim phrase "verifying, on the client machine" (element 11d) can be interpreted to cover a generic, operating-system-level biometric function like Apple's Touch ID. The '262 patent specification describes a much more specific verification method involving a custom client-side program that generates a unique machine-specific identifier and compares it to a password ('262 Patent, col. 8:3-11). The dispute may turn on whether the claim is limited to the detailed embodiment described in the patent.
- Technical Questions: The complaint must establish a direct causal link between the local verification (11d) and the remote storage of the session ID (11e), as the claim requires the latter to occur if the former is successful. It raises the question of what evidence Plaintiff will provide to show that the Bank of America system performs these specific, ordered steps, rather than implementing a more standard authentication flow where session token management may be functionally independent of the specific local authentication method used.
V. Key Claim Terms for Construction
- The Term: "verifying, on the client machine, that the client machine is authorized"
- Context and Importance: This term's construction is critical. The infringement theory hinges on whether the use of third-party biometric authentication (like Apple's Touch ID) meets this limitation. Practitioners may focus on this term because the patent's specification repeatedly details a proprietary verification method, and the outcome of the case could depend on whether the claim is limited to that method or can be read more broadly.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The plain language of claim 11 does not specify how the verification must be performed, only that it occurs "on the client machine." Plaintiff may argue this breadth was intentional and covers any method of local verification that confirms authorization.
  - Evidence for a Narrower Interpretation: The specification provides only one detailed method for this verification: generating a "machine-specific identifier" and comparing it to a password provided by the server administrator ('262 Patent, Abstract; col. 8:3-22; Fig. 2B). Defendant may argue that the claims should be limited to this disclosed embodiment, as it appears to be the core of the described invention.
 
VI. Other Allegations
- Indirect Infringement: The complaint alleges induced infringement under 35 U.S.C. § 271(b), asserting that Bank of America provides instructions, documentation, marketing, and product manuals that encourage customers to use the accused applications in a way that directly infringes the '262 Patent (Compl. ¶29). It also alleges contributory infringement under § 271(c), stating the accused components are material to the invention, not staple articles of commerce, and are known by Defendant to be especially made for infringing use (Compl. ¶30).
- Willful Infringement: The complaint alleges that Defendant's infringement was and is willful, based on alleged knowledge of the '262 Patent and intent, or willful blindness, to infringe (Compl. ¶29, 30). The prayer for relief explicitly requests a judgment that the infringement is willful (Compl. p. 14, Prayer ¶ b).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: Can the claim term "verifying, on the client machine," which in the patent's specification is exclusively described as a specific process involving a machine-ID and password, be construed broadly enough to encompass the use of a generic, third-party biometric authentication service like Apple's Touch ID?
- A key evidentiary question will be one of technical causality: Can Plaintiff demonstrate that the accused Bank of America systems perform the precise, ordered sequence of steps in claim 11? Specifically, does the local verification on a user's phone directly cause a session identifier to be stored in a remote table for comparison, as required by the claim, or do the accused products use a standard web authentication framework where these events are not causally linked in the claimed manner?