DCT
2:24-cv-00855
Qprivacy USA LLC v. Cisco Systems Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: QPrivacy USA LLC (Texas)
- Defendant: Cisco Systems, Inc. (Delaware)
- Plaintiff’s Counsel: Cherian LLP
- Case Identification: 2:24-cv-00855, E.D. Tex., 10/21/2024
- Venue Allegations: Plaintiff alleges venue is proper in the Eastern District of Texas because Defendant Cisco maintains a regular and established place of business in the district, including facilities in Richardson and Allen, and because Cisco's work-from-home policy allegedly constitutes an aggregate network of business locations within the district.
- Core Dispute: Plaintiff alleges that Defendant’s networking products and software featuring Encrypted Traffic Analytics (ETA) infringe patents related to analyzing and managing private or encrypted data during network communications without decryption.
- Technical Context: The technology addresses the challenge of inspecting encrypted network traffic for security threats while preserving user privacy and the integrity of the encryption.
- Key Procedural History: The complaint notes that Defendant has previously admitted to or not contested personal jurisdiction in the Eastern District of Texas in a prior case, Orckit Corp. v. Cisco Systems, Inc., No. 2:22-cv-276-JRG-RSP.
Case Timeline
| Date | Event |
|---|---|
| 2017-04-09 | Priority Date for ’824 and ’249 Patents |
| 2021-08-31 | Issue Date for U.S. Patent No. 11,106,824 |
| 2023-11-14 | Issue Date for U.S. Patent No. 11,816,249 |
| 2024-10-21 | Complaint Filing Date |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 11,106,824 - "System and Method for Dynamic Management of Private Data," Issued Aug. 31, 2021
The Invention Explained
- Problem Addressed: The patent describes a problem where different types of data are "automatically (and uncontrollably) shared" with remote servers during network communication, often without the user's knowledge or explicit consent, making it difficult to enforce privacy agreements (’824 Patent, col. 1:22-34).
- The Patented Solution: The invention proposes a system that acts as a gatekeeper for private data. It determines the "type" of data in a packet based on its characteristics (such as its header or destination) rather than its actual content. This data type is then compared against a user-defined privacy preference list. If the data sharing is not permitted, the system can modify the data packet (e.g., by nullifying or randomizing content) before allowing the communication to proceed, thus maintaining both connectivity and privacy (’824 Patent, Abstract; Fig. 5).
- Technical Importance: The technology provides a method for enforcing granular data privacy policies at the network level without resorting to simply blocking traffic, addressing a key challenge in an era of increasing data collection and privacy regulation (’824 Patent, col. 1:35-50).
Key Claims at a Glance
- The complaint asserts independent claim 17 (Compl. ¶32).
- Essential elements of Claim 17 (a system claim) include:
- A memory, a communication data type database, a privacy preference database, and a communication module.
- A processor configured to instruct a remote server to determine a data type for a data packet that is compatible with allowed sharing patterns.
- The data type is determined based on the "characteristics of the communication data packet."
- Crucially, "the content of the at least one data packet is not read by the remote server" for continued real-time operation.
- The complaint reserves the right to assert additional claims (Compl. ¶27).
U.S. Patent No. 11,816,249 - "System and Method for Dynamic Management of Private Data," Issued Nov. 14, 2023
The Invention Explained
- Problem Addressed: The ’249 Patent addresses the same fundamental problem of uncontrolled data sharing as its parent ’824 Patent, but the claims are directed specifically to the management of encrypted data packets (’249 Patent, col. 1:25-28; Claim 1).
- The Patented Solution: The invention claims a method performed by a remote server that analyzes incoming encrypted data packets. Without decrypting them, the server determines the "content" of a packet by analyzing its "characteristics." This determined content is compared against a preference list, and if a policy violation is found, the server modifies the packet before sharing the modified communication. The entire process is performed in real time during a communication session (’249 Patent, Claim 1).
- Technical Importance: This approach seeks to resolve the conflict between security and privacy, enabling the identification of policy-violating or malicious traffic that is intentionally obscured by encryption, without compromising the encryption itself (’249 Patent, col. 1:29-34).
Key Claims at a Glance
- The complaint asserts independent claim 1 (Compl. ¶49).
- Essential elements of Claim 1 (a method claim) include:
- Receiving, by a remote server, encrypted data packets.
- Determining, by the remote server, a "content" of a packet "in accordance with characteristics of the... data packet," wherein the content is not decrypted.
- Performing this determination in real time.
- Storing a preference list.
- Determining whether to modify the packet based on a comparison of the determined content and the preference list, and if so, modifying it.
- Sharing the modified communication.
- The complaint reserves the right to assert additional claims (Compl. ¶27).
III. The Accused Instrumentality
Product Identification
The complaint names a range of Cisco networking devices (switches, routers, controllers) and software that implement "Encrypted Traffic Analytics (ETA) technology," including the "Cisco Secure Network Analytics suite" (Compl. ¶¶3, 23, 24).
Functionality and Market Context
- The complaint alleges that Cisco's ETA technology is designed to "illuminate the dark corners in encrypted traffic without any decryption" (Compl. p. 9). It functions by extracting metadata and telemetry from network flows, such as the Sequence of Packet Lengths and Times (SPLT), Initial Data Packet (IDP) information, and TLS-specific features (Compl. p. 9).
- This telemetry is then analyzed by Cisco Secure Network Analytics, which uses "advanced entity modeling and multilayer machine learning" to create a baseline of normal network behavior and detect anomalies that may indicate a threat (Compl. ¶35, p. 10). The complaint includes a diagram illustrating this process, where routers and switches provide telemetry to the analytics engine for malware detection (Compl. p. 10).
- The system is alleged to use this analysis to enforce security policies and contain threats, for example by enabling an administrator to "quarantine the suspected host off the network" (Compl. p. 11). The complaint alleges these functions are performed in real time to enable a faster response to security incidents (Compl. ¶36).
IV. Analysis of Infringement Allegations
'824 Patent Infringement Allegations
| Claim Element (from Independent Claim 17) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| A system for dynamic management of private data ... comprising: a memory; a communication data type database ... a privacy preference database ... a communication module ... and a processor... | The Accused Products contain memory and processors, and the system of databases and modules is embodied by the ETA technology and Secure Network Analytics suite, which performs dynamic management of private data. | ¶¶34, 37 | col. 4:1-10 |
| the processor is configured to instruct the remote server to determine at least one data type for sharing of data packet that is compatible with the list of allowed patterns of data packets for sharing | The Secure Network Analytics product, using its processor, analyzes telemetry from routers/switches (remote servers) to determine a data type (e.g., malware vs. benign) and compares it against policies (allowed patterns). | ¶35 | col. 4:11-15 |
| wherein the at least one data type is determined in accordance with characteristics of the communication data packet | ETA determines the nature of the traffic by analyzing characteristics such as Sequence of Packet Lengths and Times (SPLT), Initial Data Packet (IDP), and TLS features, which are derived from the data packets. | ¶34; p. 9 | col. 8:55-61 |
| and wherein the content of the at least one data packet is not read by the remote server for continued operation by the user's device in real time... | The complaint repeatedly emphasizes that Cisco's ETA technology operates "without any decryption" and "without decrypting the underlying data," performing its analysis in real time to detect threats. | ¶¶34, 36; p. 9 | col. 8:62-67 |
'249 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| A method of dynamic management of encrypted data... receiving, by the remote server, a communication comprising encrypted data packets; | The Accused Products (acting as remote servers) implement ETA to receive and analyze encrypted data traffic. | ¶51 | col.17:1-4 |
| determining, by the remote server, a content of at least one data packet... in accordance with characteristics of the... data packet, and wherein the content... is not decrypted... in real time... | Cisco's ETA analyzes telemetry from encrypted packets (characteristics) to determine their nature (content, e.g., malicious) without decryption and in real time. | ¶51; p. 18 | col. 17:5-12 |
| storing, by the remote server, a preference list; | The Secure Network Analytics product stores telemetry data and uses it to "create a baseline of normal behavior" and apply segmentation policies, which function as a preference list. The complaint includes a diagram showing the creation of a baseline from telemetry to alarm on anomalies. | ¶52; p. 12 | col. 17:13-14 |
| determining, by the remote server, based on a comparison of the determined content, whether to modify the at least one data packet, and if so, modifying... | The system compares observed traffic behavior against the baseline and policies to determine if a threat exists, and if so, takes responsive action ("modifying"). | ¶52 | col. 17:15-18 |
| and sharing, by the remote server, the modified communication. | The complaint alleges the system takes responsive action to contain threats, which it frames as a form of modified communication. | ¶51, ¶53 | col. 17:19-20 |
Identified Points of Contention
- Scope Questions: A central question will be whether Cisco's analysis of network telemetry (e.g., packet lengths, times) to identify security threats constitutes "determining a data type" ('824 Patent) or "determining a content" ('249 Patent) of a packet as those terms are used in the patents. The defense may argue that this telemetry is not equivalent to the patents' more semantic "data types" or "content" like "contact name" or "location" (e.g., ’824 Patent, Fig. 3C).
- Technical Questions: The complaint alleges that responsive actions like "quarantine the suspected host" (Compl. p. 11) or using the Identity Services Engine to "enforce policies and contain threats" (Compl. p. 9) satisfy the claim limitation of "modifying" a data packet. A point of contention may be whether these actions, which appear to block or isolate a source, meet the definition of "modifying the at least one data packet" and "sharing... the modified communication," which may suggest altering and forwarding the packet itself rather than blocking it.
V. Key Claim Terms for Construction
The Term: "modifying the at least one data packet" (’249 Patent, Claim 1)
Context and Importance
This term is critical because the plaintiff's infringement theory appears to equate Cisco’s security responses (like quarantining a host) with the act of "modifying" a packet. The viability of the infringement claim may depend on whether this construction is adopted. Practitioners may focus on this term because its interpretation will determine if blocking or isolating a traffic source is equivalent to altering and retransmitting a data packet.
Intrinsic Evidence for Interpretation
- Evidence for a Broader Interpretation: The specification includes "blocking" in a list of potential modifications, stating the modification can be "selected from the group consisting of data nullification, blocking, data randomization, content modification..." (’824 Patent, col. 2:47-49). This language may support an argument that blocking is one form of modification.
- Evidence for a Narrower Interpretation: The same list also contains more granular alterations like "content modification, change of encoding, change of file template," suggesting a direct change to the packet itself. Further, Claim 1 of the ’249 Patent requires "sharing... the modified communication," which could be interpreted to preclude a complete block, raising the question of what is "shared" if the modification is a block.
The Term: "determine... a content of at least one data packet... in accordance with characteristics" (’249 Patent, Claim 1)
Context and Importance
This term is the linchpin connecting the accused analysis of statistical telemetry to the patent's claims. The dispute will likely center on whether analyzing patterns like packet length and timing (characteristics) is sufficient to "determine a content" without decryption.
Intrinsic Evidence for Interpretation
- Evidence for a Broader Interpretation: The patents' core purpose is to operate on traffic without reading its underlying data, so "content" must be interpreted in a way that is discernable from external "characteristics." The specification explains that the system can determine a "data type" (a related concept) from metadata and other characteristics (’824 Patent, col. 2:20-22).
- Evidence for a Narrower Interpretation: The specification provides examples of data types and content that are semantic in nature, such as "Audio," "Location," "Contact Name," and "Password" (’824 Patent, Fig. 3C). A defendant may argue that determining "content" requires this level of semantic identification, which is different from the statistical anomaly detection alleged to be performed by the accused ETA technology.
VI. Other Allegations
- Indirect Infringement: The complaint alleges inducement of infringement, stating that the Defendant encourages and instructs customers and end users on how to use the Accused Products in an infringing manner through "user manuals and online instruction materials on its website and various service and customer support" (Compl. ¶39, ¶56).
- Willful Infringement: Willfulness is alleged based on Defendant’s knowledge of the Asserted Patents "at least due to the filing of this Complaint," indicating a theory of post-filing willfulness (Compl. ¶43, ¶60).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the patent terms "determine a data type" or "determine a content" be construed to read on the accused system's process of analyzing statistical network telemetry (like packet sizes and timing) to identify security anomalies?
- A key evidentiary question will be one of functional equivalence: does the accused system's responsive action of "quarantining" a host or "containing" a threat meet the patents' claim requirement to "modify" a data packet and subsequently "share" the resulting modified communication, or is there a fundamental mismatch between the claimed packet alteration and the accused system's source-level blocking?