DCT

1:25-cv-00354

Spriv LLC v. Salesforce Inc

Log In

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:25-cv-00354, W.D. Tex., 03/10/25
  • Venue Allegations: Venue is based on Defendant having a regular and established place of business in the Western District of Texas, specifically an office in Austin, and having committed acts of infringement in the District.
  • Core Dispute: Plaintiff alleges that Defendant’s multi-factor authentication products, including Salesforce Authenticator, infringe four patents related to methods for authenticating a user by cross-referencing a computer's "signature" with the geographical location of the user's mobile device.
  • Technical Context: The patents address multi-factor authentication (MFA), a critical security technology used to prevent fraud and unauthorized access in online transactions and enterprise systems.
  • Key Procedural History: The complaint alleges that the accused technology in Salesforce Authenticator is based on technology acquired from Toopher, an Austin-based company, in a deal announced on April 1, 2015. It also notes that several former Toopher technical personnel continue to work for Salesforce in its Austin location.

Case Timeline

Date Event
2007-05-29 Earliest Priority Date for all Asserted Patents
2015-04-01 Salesforce announces acquisition of Toopher
2015-05-19 U.S. Patent No. 9,033,225 Issues
2022-06-07 U.S. Patent No. 11,354,667 Issues
2023-01-17 U.S. Patent No. 11,556,932 Issues
2024-07-09 U.S. Patent No. 12,034,863 Issues
2025-03-10 Complaint Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 9,033,225 - "Method and System for Authenticating Internet Users," Issued May 19, 2015

The Invention Explained

  • Problem Addressed: The patent describes the increasing risk of fraud in electronic credit and debit card transactions, including vulnerabilities in emerging "tap & pay" RFID technologies where a fraudster can illicitly capture a user's account information (’225 Patent, col. 2:1-34).
  • The Patented Solution: The invention proposes a method to authenticate an internet user by cross-referencing two independent data points: a "computer signature" from the device initiating a transaction and the geographical location of the user's mobile communication device, which is specifically traced using Wi-Fi (’225 Patent, col. 4:3-10; col. 16:6-18). The system compares the mobile device's current location to a previously stored location associated with that computer signature to determine if they are within an "acceptable distance" (’225 Patent, Abstract).
  • Technical Importance: This approach aimed to provide a rapid authentication method rooted in the physical proximity of a user's trusted mobile device to their transaction computer, thereby reducing fraud in online access and purchases (Compl. ¶27).

Key Claims at a Glance

  • The complaint asserts at least independent claim 1 (Compl. ¶¶26, 61).
  • Essential elements of claim 1 include:
    • Receiving the computer signature of the computer.
    • Requesting a geographical location of the mobile communication device, with the location being traced using Wi-Fi.
    • Checking if the computer signature is stored in a database.
    • If the signature is not stored, authenticating the computer and then assigning the mobile device's geographical location to the computer signature in the database.
    • If the signature is stored, comparing the assigned geographical location with the current geographical location of the mobile device.
    • If the comparison is not within an "acceptable distance," attempting to authenticate the computer.
  • The complaint reserves the right to assert other claims (Compl. ¶61).

U.S. Patent No. 11,354,667 - "Method for Internet User Authentication," Issued June 7, 2022

The Invention Explained

  • Problem Addressed: The patent addresses the general problem of authenticating internet users to reduce fraud and identity theft, noting that traditional IP address tracing is often insufficient (’667 Patent, col. 2:3-19).
  • The Patented Solution: The invention describes a computer system that authenticates a user by obtaining the geographical location of their mobile phone and comparing it to a stored geographical location previously associated with the user's "computer signature" (’667 Patent, Abstract). The system then performs actions such as allowing a transaction or assigning a "positive score" if the locations are within an "acceptable distance," or requiring additional authentication if they are not (’667 Patent, col. 8:31-col. 9:8).
  • Technical Importance: The claimed system provides a concrete, multi-step logical framework for using location as an authentication factor, adding a layer of security beyond simple password or device-based checks (Compl. ¶36).

Key Claims at a Glance

  • The complaint asserts at least independent claims 1 and 5 (Compl. ¶¶35, 72).
  • Essential elements of claim 1 include:
    • A computer system configured to obtain the geographical location of a mobile phone.
    • Determining if the user's computer signature is associated with a stored geographical location in a database.
    • If associated, comparing the stored location to the current location.
    • If not associated, requiring additional authentication and then storing the computer signature in association with the current mobile phone location.
    • Carrying out actions (e.g., allowing access, assigning a score) based on whether the location comparison is within an "acceptable distance."
    • The geographical location of the mobile phone is identified by methods including Galileo, GPS, and WiFi.
  • The complaint reserves the right to assert other claims (Compl. ¶72).

U.S. Patent No. 11,556,932 - "System for User Authentication," Issued January 17, 2023

  • Technology Synopsis: This patent claims a computer system for authenticating a user by receiving both a computer signature and the geographical location of the user's cell phone (Compl. ¶41). The system determines if the signature is already in a database; if so, it compares the received location to a saved location to see if it is within an "acceptable distance" before allowing access or a transaction (Compl. ¶44). If the signature is not in the database, it requires additional authentication before saving the new signature-location pair (Compl. ¶44).
  • Asserted Claims: At least independent claim 1 (Compl. ¶¶44, 83).
  • Accused Features: The Salesforce Authenticator product is accused of being the claimed computer system (Compl. ¶83).

U.S. Patent No. 12,034,863 - "Methods of Authenticating the Identity of a Computer," Issued July 9, 2024

  • Technology Synopsis: This patent claims a method for authenticating a transaction or website access by receiving a mobile phone's geographical location and determining if it is within an "allowed distance" of a location associated with a computer signature (Compl. ¶¶50, 54). The method includes different actions based on whether the computer signature is "known" (i.e., in a database) and whether the locations match, such as allocating a positive score for a match or a negative score for a new, unknown signature (Compl. ¶54).
  • Asserted Claims: At least independent claim 1 (Compl. ¶¶54, 94).
  • Accused Features: The Salesforce Authenticator product is accused of practicing the claimed method (Compl. ¶94).

III. The Accused Instrumentality

Product Identification

  • Defendant's multi-factor authentication ("MFA") products and services, with "Salesforce Authenticator" identified as a non-limiting, illustrative example (Compl. ¶1, ¶61).

Functionality and Market Context

  • The complaint alleges Salesforce Authenticator is built on location-based two-factor authentication technology acquired from Toopher, an Austin-based company (Compl. ¶19).
  • Its functionality is described as serving as the "exclusive push notification authenticator for Salesforce.com's cloud CRM platform" (Compl. ¶12).
  • The complaint alleges the technology became the foundation for the Salesforce Authenticator app, which was built as the front end to Toopher's authentication API (Compl. ¶12).
  • No probative visual evidence provided in complaint.

IV. Analysis of Infringement Allegations

The complaint states that claim charts demonstrating infringement are attached as Exhibits E, F, G, and H, but these exhibits were not included with the filed complaint (Compl. ¶¶62, 73, 84, 95). In their absence, the infringement theory must be summarized from the complaint's narrative allegations. The core allegation is that when a user attempts to log into a Salesforce service from a computer, the Salesforce Authenticator app on the user's mobile device is used as a second factor of authentication. This process allegedly practices the claims by using the mobile device's location to verify the user's identity in conjunction with an identifier for the computer, thereby infringing one or more claims of each of the Asserted Patents (Compl. ¶¶61, 72, 83, 94).

  • Identified Points of Contention:
    • Scope Questions: A central question will be whether the identifiers used by the Salesforce platform and Authenticator app constitute a "computer signature" as that term is used in the patents. The patents provide a broad definition, but the specific nature of the identifier used by Salesforce will be a key factual issue.
    • Technical Questions: A significant point of contention for the '225 patent will be whether Salesforce Authenticator's method for determining location meets the specific limitation of being "traced using Wi-Fi" (Compl. ¶26). Modern authenticator apps often use a combination of location services (GPS, cellular, Wi-Fi), and evidence of how the accused product specifically operates will be critical. Further, the claims require a comparison to an "acceptable distance," which raises the factual question of how this distance is determined and applied in the accused system.

V. Key Claim Terms for Construction

  • The Term: "computer signature" (appears in all four Asserted Patents)

    • Context and Importance: This term is the cornerstone of the asserted claims, defining one of the two key data points being cross-referenced. The case may hinge on whether the device/session identifiers used by Salesforce's system fall within the scope of this term. Practitioners may focus on this term because its construction will determine whether the accused product's fundamental architecture is covered.
    • Intrinsic Evidence for Interpretation:
      • Evidence for a Broader Interpretation: The specifications provide a broad and non-limiting definition, stating a computer signature "can be set of one or more hardware devices information... [or] one or more software components" including "operating system serial number, cookie," and more (’667 Patent, col. 6:55-63). This language may support an interpretation that covers a wide range of software-based tokens or identifiers.
      • Evidence for a Narrower Interpretation: The specifications also list specific, physical hardware identifiers like "gateway Mac address, the computer Mac address, CPU serial number" (’667 Patent, col. 6:55-58). A defendant may argue that the term's meaning is anchored in these more concrete, hardware-based examples rather than ephemeral software data.

  • The Term: "the geographical location being traced using Wi-Fi" (’225 Patent, Claim 1)

    • Context and Importance: This limitation is highly specific to the '225 patent and creates a potential point of non-infringement if the accused product uses other location-determination methods. The infringement analysis for this patent will depend heavily on the technical evidence of how Salesforce Authenticator gathers location data.
    • Intrinsic Evidence for Interpretation:
      • Evidence for a Broader Interpretation: A plaintiff might argue that "using Wi-Fi" does not mean "using only Wi-Fi," and that any location-tracing process that incorporates Wi-Fi data (e.g., SSID triangulation) meets the limitation, even if GPS or cellular data is also used.
      • Evidence for a Narrower Interpretation: The claim language recites a single method, "using Wi-Fi." A defendant may argue this requires Wi-Fi tracing to be the operative method, and a system that relies primarily on GPS or requires it to be enabled would not infringe. The patent later discusses other technologies like GPS and Galileo in the context of mobile devices generally, but claim 1 singles out Wi-Fi (’225 Patent, col. 10:55-65).

VI. Other Allegations

  • Willful Infringement: The complaint alleges that Defendant's infringement has been and continues to be done "with knowledge of the 'XXX patent" at least as of the filing date of the complaint (Compl. ¶¶64, 75, 86, 97). This allegation appears to be based on the notice provided by the complaint itself and supports a claim for post-suit willfulness, as no facts supporting pre-suit knowledge are alleged.

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of claim scope and construction: can the term "computer signature," defined broadly in the specifications to include both hardware and software identifiers, be construed to read on the specific authentication tokens or device identifiers generated and used by the Salesforce Authenticator system?
  • A key evidentiary question will be one of technical implementation: does the Salesforce Authenticator product determine location in a manner that meets the specific limitations of the claims, particularly the narrow requirement of being "traced using Wi-Fi" as recited in the '225 patent?
  • A central factual dispute will concern the functional requirement of "acceptable distance": what evidence demonstrates that the accused system compares locations and makes an authentication decision based on a defined proximity threshold, as required by all asserted patents, and how is that threshold determined?