2:24-cv-00799

BrowserKey LLC v. Charles Schwab Corp

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 2:24-cv-00799, E.D. Tex., 10/02/2024
  • Venue Allegations: Venue is alleged to be proper based on Defendants having regular and established places of business within the Eastern District of Texas.
  • Core Dispute: Plaintiff alleges that Defendant’s web and mobile financial services applications infringe a patent related to methods for restricting access to data on a server by authenticating the specific client machine being used.
  • Technical Context: The technology concerns client-server authentication, focusing on methods to tie access rights to a specific, pre-authorized computer or device rather than merely to a user’s credentials.
  • Key Procedural History: The complaint does not allege any prior litigation, Inter Partes Review (IPR) proceedings, or licensing history related to the patent-in-suit.

Case Timeline

| Date | Event |
| --- | --- |
| 2002-05-06 | ’262 Patent Priority Date |
| 2007-07-24 | ’262 Patent Issue Date |
| 2018-01-01 | Alleged Infringement by Accused Products Begins (approx.) |
| 2024-10-02 | Complaint Filing Date |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 7,249,262 - Method For Restricting Access To A Web Site By Remote Users

  • Issued: July 24, 2007
  • Asserted: Direct infringement of at least claim 11. (Compl. ¶15).

The Invention Explained

  • Problem Addressed: The patent describes the security risks of conventional authentication systems that rely on user names, passwords, or even hardware "dongles," which can be easily shared or stolen, allowing unauthorized users to access sensitive data from any machine. (ʼ262 Patent, col. 1:33-55).
  • The Patented Solution: The invention proposes a method to tie access to a specific, pre-authorized client machine. It involves installing client-side software that generates a "machine-specific identifier" based on the client's unique hardware characteristics. This identifier is used to create a corresponding password. For subsequent access within a single session, the system uses a "session identifier" stored on both the client and a remote temporary table, allowing continued access without repeating the initial machine verification. (ʼ262 Patent, Abstract; col. 2:25-41, col. 3:12-24).
  • Technical Importance: This approach aimed to enhance security for online services like corporate intranets and online banking by verifying the physical device itself, not just the user's credentials. (ʼ262 Patent, col. 1:17-29).

Key Claims at a Glance

  • The complaint asserts direct infringement of at least independent claim 11. (Compl. ¶15). The complaint also alleges infringement of "one or more claims" of the patent, reserving the right to assert others. (Compl. ¶14).
  • Independent Claim 11 recites a method with the following essential steps:
    • creating a session identifier in a computer remote from the client machine;
    • transmitting the session identifier to the client machine;
    • storing the session identifier within the client machine;
    • verifying, on the client machine, that the client machine is authorized to access data maintained on the server computer;
    • obtaining the session identifier stored on the client, and storing it within a storage table remote from the client machine if the client was verified;
    • transmitting a request from the client machine for access, including the session identifier;
    • comparing the transmitted session identifier with the one stored in the remote storage table to determine if the request is authorized; and
    • permitting or denying access based on the comparison.

III. The Accused Instrumentality

Product Identification

The "Schwab Web and Mobile Applications," which include "Schwab Mobile, thinkorswim, Schwab Workplace Retirement, and Schwab Advisor Center Mobile." (Compl. ¶10).

Functionality and Market Context

The Accused Products are financial services platforms that allow users to access account data. The complaint alleges that these applications restrict access using a multi-step process. This process is alleged to include the creation of session identifiers by Schwab's servers, the storage of these identifiers on the user's device via "cookies, local storage, such as browser web storage or application data caches," and a verification step on the client device, such as prompting for a biometric signature via Apple's Touch ID or Face ID. (Compl. ¶¶16, 17, 20). A screenshot from the Schwab application's "Terms of Use" states that collected information is used for "security purposes, session management, and personalization." (Compl. p. 7).

IV. Analysis of Infringement Allegations

’262 Patent Infringement Allegations

| Claim Element (from Independent Claim 11) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
| --- | --- | --- | --- |
| a. creating a session identifier in a computer remote from the client machine for a current browsing session of the client machine; | Schwab server computers allegedly create one or more session identifiers, such as a "guestToken," when a user agent on a client machine requests a protected URL. A screenshot depicts the creation of a "guestToken" in response to a request. (Compl. p. 6). | ¶17 | col. 3:15-21 |
| b. transmitting to the client machine the session identifier created in step a.; | Schwab allegedly transmits the session identifier(s) to the client machine via HTTP response headers and/or bodies. | ¶19 | col. 3:30-34 |
| c. storing the session identifier transmitted in step b. within the client machine; | The client's web browser allegedly stores the session identifiers, for example as cookies or in local storage, per instructions from Schwab's servers. | ¶20 | col. 3:33-34 |
| d. verifying, on the client machine, that the client machine is authorized to access data maintained on the server computer; | When a client machine has been provisioned for biometric sign-in, the Schwab application allegedly prompts the user to authenticate via Touch ID or Face ID, which the complaint describes as a local verification of authorization. A screenshot shows a "Touch ID for 'Schwab'" prompt. (Compl. p. 8). | ¶21 | col. 2:60-65 |
| e. obtaining the session identifier stored in step c., and storing such session identifier within a storage table remote from the client machine if such client machine was verified in step d.; | Schwab allegedly maintains a list of "Trusted Devices" in its web application, which the complaint asserts is an extension of or related to a remote storage table for storing session identifiers. A screenshot displays a "Trusted Devices" list. (Compl. p. 9). | ¶22 | col. 3:25-30 |
| f. transmitting a request by the client machine for access to data maintained on the server computer, such request including the session identifier stored in step c.; | Upon successful sign-in, the user agent allegedly sends HTTP requests that include the stored session identifier(s) to access protected URLs. Screenshots of a request header show a long string labeled "Cookie" containing identifier data. (Compl. pp. 10-11). | ¶23 | col. 4:37-43 |
| g. comparing the session identifier transmitted in step f. with the session identifier stored in the storage table during step e. to determine whether the request for access...is authorized; | Schwab allegedly compares session identifiers remotely. The complaint supports this by stating that when session cookies are deleted from the client, the user is no longer logged in and cannot access protected URLs. | ¶24 | col. 4:43-50 |
| h. permitting access...if the comparison made in step g. shows that the request for access is authorized, and denying access...if the request...is not authorized. | If the client machine is signed in, access to data on Schwab's servers is allegedly authorized; if it is not signed in, access is denied. | ¶25 | col. 4:50-59 |

Identified Points of Contention

  • Scope Questions: A central question may be whether "verifying, on the client machine, that the client machine is authorized" as required by claim 11(d) can be met by invoking a device's native biometric authentication (e.g., Apple's Touch ID), as the complaint alleges (Compl. ¶21), or if the term requires the specific method of generating and checking a "machine-specific identifier" as detailed in the patent's specification. (ʼ262 Patent, col. 7:60-67).
  • Technical Questions: The complaint alleges that a remote comparison of session identifiers occurs, but the primary evidence offered is inferential—that deleting client-side cookies logs the user out. (Compl. ¶24). The case may turn on what evidence is produced to show that Schwab’s architecture includes the specific remote "storage table" (claim 11(e)) and "comparison" (claim 11(g)) steps, as distinct from a standard stateless session cookie mechanism.
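The distinction drawn in the Technical Questions bullet can be made concrete with a generic sketch. This is an added example, not taken from the complaint, the patent, or any party's code; both server classes and all names in it are hypothetical. A table-backed session server and a stateless signed-token server give the same black-box result when the client deletes its cookie, and differ only in behaviour that depends on server-side state.

```python
import hashlib, hmac, secrets, time

class TableBackedServer:
    """Stateful: session id stored in a server-side table, compared per request."""
    def __init__(self):
        self.sessions = {}  # session id -> user (hypothetical "remote table")

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def authorize(self, cookie):
        return cookie is not None and cookie in self.sessions

    def revoke(self, sid):
        self.sessions.pop(sid, None)

class StatelessServer:
    """Stateless: HMAC-signed token; the server holds a key, no per-session row."""
    def __init__(self, ttl=900):
        self.key, self.ttl = secrets.token_bytes(32), ttl

    def _sign(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def login(self, user, now=None):
        exp = int((time.time() if now is None else now) + self.ttl)
        payload = f"{user}|{exp}"
        return f"{payload}|{self._sign(payload)}"

    def authorize(self, cookie, now=None):
        if not cookie or cookie.count("|") != 2:
            return False
        user, exp, sig = cookie.split("|")
        good = hmac.compare_digest(sig.encode(), self._sign(f"{user}|{exp}").encode())
        return good and int(exp) > (time.time() if now is None else now)

def observe(server):
    """Black-box view: (request with cookie, request after client deletes it)."""
    cookie = server.login("alice")  # constructed sample user
    return server.authorize(cookie), server.authorize(None)

def after_server_side_removal():
    """Only server-side state distinguishes the two designs."""
    stateful, stateless = TableBackedServer(), StatelessServer()
    c1, c2 = stateful.login("alice"), stateless.login("alice")
    stateful.revoke(c1)  # drop the table row; the stateless server has none
    return stateful.authorize(c1), stateless.authorize(c2)
```

`observe()` returns the same pair for both servers, so the cookie-deletion observation alone does not separate the designs; `after_server_side_removal()` shows the difference that only server-side evidence would reveal.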

V. Key Claim Terms for Construction

The Term: "verifying, on the client machine, that the client machine is authorized"

  • Context and Importance: This term is critical because the plaintiff’s infringement theory relies on equating modern, OS-level biometric authentication with the patent's verification step. (Compl. ¶21). Practitioners may focus on this term to dispute whether the accused functionality is equivalent to what the patent discloses and claims.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The plain language of the claim does not specify the method of verification, only its location ("on the client machine") and its purpose ("that the client machine is authorized"). This could support an interpretation that covers any client-side process confirming authorization. (ʼ262 Patent, col. 13:46-49).
    • Evidence for a Narrower Interpretation: The specification repeatedly describes the verification process as involving a "client-side software program" that "re-generates its machine-specific identifier" for comparison against a password derived from that same identifier. (ʼ262 Patent, col. 2:60-65). This detailed description of a specific embodiment may be used to argue for a narrower construction limited to that mechanism.

The Term: "storage table remote from the client machine"

  • Context and Importance: The claim requires storing the authorized session identifier in a remote table for later checking. The plaintiff identifies Schwab's "Trusted Devices" list as this table. (Compl. ¶22). The nature of this "table" is central to whether the accused system has the claimed architecture.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The term "storage table" is generic. Any remote data structure that stores identifiers for authorized sessions could arguably meet this definition. The patent itself mentions the table can be on the main server or "another computer remote from the client machine." (ʼ262 Patent, col. 3:26-28).
    • Evidence for a Narrower Interpretation: The specification frequently refers to this as a "temporary storage table" for "currently engaged" or "active" sessions. (ʼ262 Patent, col. 3:9-10, col. 3:28-30). This could support an argument that a persistent list of "Trusted Devices," which may not be limited to a single active session, is distinct from the "temporary" table described in the patent.

VI. Other Allegations

Indirect Infringement

The complaint alleges inducement of infringement by Schwab's customers, asserting that Schwab provides instructions, manuals, and documentation that "suggest[] that they use the Accused Products in an infringing manner." (Compl. ¶27). Contributory infringement is also alleged, based on the claim that the accused components are not staple articles of commerce and are especially adapted for use in the infringing method. (Compl. ¶28).

Willful Infringement

The complaint alleges that Schwab's infringement was undertaken with "knowledge of the '262 Patent and with the intent, or willful blindness," and the prayer for relief requests a finding of willfulness. (Compl. ¶27, ¶(b) on p. 13). The complaint does not plead specific facts establishing pre-suit knowledge of the patent.

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of definitional scope: can the claim term "verifying, on the client machine, that the client machine is authorized"—which the patent specification describes as a process of re-generating a unique hardware-based identifier—be construed to cover the invocation of general-purpose, operating-system-level biometric authenticators as used in the accused mobile applications?
  • A key evidentiary question will be one of architectural correspondence: will the plaintiff be able to demonstrate that the accused system's architecture maps onto the specific claim structure, particularly the requirements of storing a session identifier in a "remote storage table" upon authorization and later "comparing" a new request against that same stored identifier, as opposed to operating as a more conventional session management system?