DCT
2:25-cv-00467
BrowserKey LLC v. Raymond James Financial Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: BrowserKey, LLC (Texas)
  - Defendant: Raymond James Financial, Inc. (Florida)
  - Plaintiff’s Counsel: Fabricant LLP
- Case Identification: 2:25-cv-00467, E.D. Tex., 05/05/2025
- Venue Allegations: Plaintiff alleges venue is proper because Defendant has multiple regular and established places of business within the Eastern District of Texas.
- Core Dispute: Plaintiff alleges that Defendant’s web and mobile banking applications infringe a patent related to methods for restricting remote user access to data on a server by tying authentication to a specific client machine.
- Technical Context: The technology addresses client-server authentication, a foundational element for securing sensitive online services like banking and corporate network access.
- Key Procedural History: The complaint does not mention any prior litigation, Inter Partes Review (IPR) proceedings, or specific prosecution history related to the patent-in-suit.
Case Timeline
| Date | Event |
|---|---|
| 2002-05-06 | ’262 Patent Priority Date |
| 2007-07-24 | ’262 Patent Issue Date |
| 2019-01-01 | Alleged Infringement Begins (approx.) |
| 2025-05-05 | Complaint Filing Date |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,249,262 - "Method For Restricting Access To A Web Site By Remote Users" (Issued Jul. 24, 2007)
The Invention Explained
- Problem Addressed: The patent describes the security vulnerabilities of then-common authentication methods, such as username/password systems that can be compromised if credentials are shared or stolen, and hardware "dongles" that can be lost, stolen, or loaned to unauthorized users ('262 Patent, col. 1:32-56). The stated goal is to provide an authentication system that ensures a user is operating from a "specific, pre-authorized client machine" ('262 Patent, col. 1:11-13).
- The Patented Solution: The invention proposes installing client-side software that generates a "machine-specific identifier" based on the unique hardware characteristics of that computer (e.g., hard drive or RAM characteristics) ('262 Patent, col. 8:62-67). This identifier is then used to generate a corresponding password. To gain access, the client machine re-generates the identifier and verifies that it corresponds to the password, thereby tying authorization to the physical device rather than just to credentials a user possesses ('262 Patent, Abstract). The patent also discloses a method using session identifiers to manage access for an already-authenticated client during a browsing session ('262 Patent, col. 3:12-25).
- Technical Importance: The described method offered a software-based approach to bind a user’s access rights to a particular physical device, enhancing security for emerging online services like internet banking and remote corporate network access without requiring specialized hardware ('262 Patent, col. 1:24-31).
Key Claims at a Glance
- The complaint asserts independent claims 1, 11, and 14 ('262 Patent, col. 12:13, col. 13:38, col. 14:11; Compl. ¶15, ¶23, ¶33). The complaint does not explicitly reserve the right to assert dependent claims.
- Independent Claim 1 outlines a method focused on device-specific authentication, with essential elements including:
  - Installing a client-side program to generate a "client machine-specific identifier."
  - Generating a password "remote from the client machine" that is derived from and uniquely corresponds to the identifier.
  - Responding to an access request by having the client machine "re-generate its machine-specific identifier."
  - "Verifying on the client machine" whether the re-generated identifier uniquely corresponds with the password.
  - Granting or denying access based on the verification outcome.
- Independent Claim 11 outlines a method focused on session management, with essential elements including:
  - Creating a "session identifier" on a remote computer.
  - Transmitting the session identifier to the client machine for storage.
  - "Verifying, on the client machine," that the client is authorized to access the server data.
  - Storing the session identifier in a "storage table remote from the client machine" if the client is verified.
  - Comparing subsequent requests, which include the session identifier, against the remotely stored identifier to authorize or deny access.
III. The Accused Instrumentality
Product Identification
- The accused instrumentalities are the "Raymond James Web and Mobile Applications," including the "Raymond James Client Access application for iOS, iPadOS, and Android, including all supporting servers, computer systems, and infrastructures, since at least 2019" (Compl. ¶9).
Functionality and Market Context
- The complaint alleges that the accused applications provide Raymond James customers with secure access to financial account information stored on Defendant's servers (Compl. ¶16, ¶20). The relevant functionality is the authentication process, which allegedly uses biometric (e.g., Touch ID, Face ID), token-based, and/or passwordless methods (Compl. ¶9, ¶16). This process is alleged to involve the generation of a unique "client machine specific identifier (e.g., a device key, certificate, public/private key pair, and/or other cryptographic material)" on the user's device (Compl. ¶17). This identifier is then used in a cryptographic exchange with Raymond James's servers to authorize the client device and grant access to protected data (Compl. ¶18-¶19, ¶21). A screenshot in the complaint shows a mobile application prompting a user to "Sign in to Raymond James Use biometrics" (Compl. p. 6).
IV. Analysis of Infringement Allegations
’262 Patent Infringement Allegations (Claim 1)
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a. installing a client-side software program on the client machine for generating a client machine-specific identifier... | The Raymond James Mobile Application is installed on a client device and generates a unique identifier such as a device key, certificate, or public/private key pair. | ¶17 | col. 12:16-21 |
| c. generating a password remote from the client machine and providing the password to a user... the password being derived from the client machine-specific identifier... | Raymond James servers allegedly generate a "password (e.g., a nonce, token, cryptographic key...)" derived from the identifier generated on the client machine and provide it to the client. | ¶19 | col. 12:25-30 |
| e. responding to the request for access... by having the client machine re-generate its machine-specific identifier; | Upon an access request, Raymond James servers allegedly transmit instructions for the client machine to re-generate the identifier or a related password/signed nonce. | ¶21 | col. 12:34-36 |
| f. verifying on the client machine whether the client machine-specific identifier re-generated... uniquely corresponds with the password... | The client machine allegedly uses biometrics to access a secure element-protected password and verifies that a derived value matches a token or nonce transmitted by the server. | ¶21 | col. 12:37-40 |
| g. recognizing the client machine as being authorized... if the verification... is true, and refusing to recognize the client machine... if the verification... is false. | If the sign-in is successful, the client machine is authorized to access data on Raymond James's servers; otherwise, access is denied. | ¶22 | col. 12:41-46 |
’262 Patent Infringement Allegations (Claim 11)
| Claim Element (from Independent Claim 11) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a. creating a session identifier in a computer remote from the client machine for a current browsing session... | Raymond James servers are alleged to create one or more session identifiers when a new user session requests a "protected URL." | ¶25 | col. 13:40-42 |
| d. verifying, on the client machine, that the client machine is authorized to access data maintained on the server computer; | The Raymond James Mobile App allegedly verifies user authorization locally by authenticating the operator's biometric information. The complaint provides a screenshot of a biometric sign-in prompt (Compl. p. 11). | ¶28 | col. 13:48-50 |
| e. obtaining the session identifier stored in step c., and storing such session identifier within a storage table remote from the client machine if such client machine was verified... | After local biometric authentication, the Raymond James server system allegedly obtains the session identifier from the client app and stores it in a remote storage table. | ¶29 | col. 13:51-54 |
| g. comparing the session identifier transmitted in step f. with the session identifier stored in the storage table... to determine whether the request for access... is authorized; | Raymond James servers allegedly compare the session identifier received in a client request with the one stored remotely to determine if the user is logged in. | ¶31 | col. 13:58-63 |
Identified Points of Contention
- Scope Questions: The dispute may center on whether the term "password", as used in the patent, can be construed to read on modern cryptographic elements like a "nonce", "token", or "signed nonce" as alleged by the complaint (Compl. ¶19). Similarly, whether a modern "device key" or "public/private key pair" constitutes a "client machine-specific identifier" derived from hardware characteristics as described in the specification raises a potential scope question ('262 Patent, col. 8:62-67).
- Technical Questions: Claims 1 and 11 both require a step of "verifying on the client machine". The complaint alleges a process where local biometrics grant access to a secure element, which is then used to process data from the server (Compl. ¶21, ¶28). A technical question for the court will be whether this complex, multi-stage process, which involves both the client and server, meets the claim limitation of verification occurring "on the client machine."
V. Key Claim Terms for Construction
The Term: "client machine-specific identifier"
- Context and Importance: This term is the foundation of the patent's security model. Its construction will determine whether the patent's scope is broad enough to cover the modern identifiers allegedly used by the accused products (e.g., cryptographic keys, device certificates). Practitioners may focus on this term because the accused technology was developed long after the patent's priority date.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The claim language itself requires only that the identifier be "substantially unique to the particular machine" ('262 Patent, col. 12:19-21), suggesting the method of generation is less important than the result.
  - Evidence for a Narrower Interpretation: The specification provides a specific example of how the identifier is generated, stating that a software application "analyzes hardware characteristics of a particular local computer... including hard drive characteristics, RAM characteristics, input/output device parameters and other hardware specific details" ('262 Patent, col. 8:62-67). This may support an argument that the term is limited to identifiers derived directly from such physical hardware properties.
The Term: "verifying on the client machine"
- Context and Importance: The location of this verification step is a critical limitation in both asserted method claims. The infringement analysis will depend heavily on whether the accused system, which involves communication with a server and use of a secure enclave, performs this step entirely "on the client machine."
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: A party could argue that as long as the dispositive comparison logic is executed by the client's processor, the limitation is met, regardless of where the data being compared originated.
  - Evidence for a Narrower Interpretation: The patent abstract describes a process where "the client-side software is prompted to re-generate its machine-specific identifier... for comparison with the password previously entered by the user," suggesting a self-contained, local comparison ('262 Patent, Abstract). The flowchart in FIG. 2B also depicts the "Does password correspond to machine-specific ID?" step (52) as occurring entirely on the client side of the dashed line (19) ('262 Patent, FIG. 2B).
VI. Other Allegations
- Indirect Infringement: The complaint alleges induced infringement, stating that Raymond James provides its applications along with instructions, marketing, and technical support that encourage customers to use them in an infringing manner (Compl. ¶40).
- Willful Infringement: Plaintiff alleges willful infringement based on Defendant's alleged knowledge of the patent since its issuance or, alternatively, willful blindness. The complaint asserts that Defendant, as a bank, "regularly monitors ways to secure its mobile and web applications" and was therefore aware or deliberately avoided awareness of the asserted patent (Compl. ¶11, ¶42).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of technological translation: Can the patent’s terminology from the early 2000s, such as "client machine-specific identifier" and "password", be construed to encompass the more complex and abstract cryptographic constructs (e.g., device keys, tokens, signed nonces) that form the basis of modern secure application authentication?
- A key question of fact and claim construction will be the locus of verification: Does the accused system’s authentication process—which involves local biometrics, a secure enclave, and communication with a remote server—perform the crucial verification step "on the client machine" as strictly required by the claims, or is the dispositive verification ultimately performed or controlled by the server?