DCT

1:23-cv-00329

Security First Innovations LLC v. Google LLC

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:23-cv-00329, E.D. Va., 03/10/2023
  • Venue Allegations: Plaintiff alleges venue is proper in the Eastern District of Virginia because Google maintains a regular and established place of business in Reston, Virginia, and because the accused Google Cloud services are implemented on servers located within Google's data centers in the district.
  • Core Dispute: Plaintiff alleges that Defendant’s Google Cloud system infringes four patents related to methods for securely storing data by splitting it into encrypted portions.
  • Technical Context: The technology relates to "encryption at rest" for cloud storage systems, a critical security function for protecting large volumes of sensitive data stored by third-party providers.
  • Key Procedural History: The asserted patents originated with Security First Corporation, which was established in 2002. Plaintiff SFI acquired the patents in 2022. The complaint does not mention any prior litigation or administrative challenges involving the asserted patents.

Case Timeline

Date | Event
2004-10-25 | Earliest Priority Date for ’116 and ’140 Patents
2005-11-18 | Earliest Priority Date for ’854 and ’609 Patents
2010 | Google Cloud Storage first launched
2013-08 | Google added server-side encryption to Google Cloud Storage
2016-05-10 | ’140 Patent Issued
2019-10-22 | ’854 Patent Issued
2021-07-20 | ’609 Patent Issued
2021-11-16 | ’116 Patent Issued
2023-03-10 | Complaint Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 10,452,854 - "Secure Data Parser Method And System"

  • Patent Identification: U.S. Patent No. 10,452,854, "Secure Data Parser Method And System," issued October 22, 2019. (Compl. ¶62).

The Invention Explained

  • Problem Addressed: The patent's background describes the security flaws of conventional public-key cryptographic systems, which are "highly reliant on the user for security" (’854 Patent, col. 1:60-62). It notes that unsophisticated users often store private keys on insecure hard drives or create copies through backup systems, a vulnerability referred to as "key migration." (Compl. ¶21; ’854 Patent, col. 1:64-2:8).
  • The Patented Solution: The invention proposes a method where a data set is first split into multiple portions, or "shares." Each share is then encrypted with its own distinct encryption key. In a second security layer, these distinct encryption keys are themselves secured by an "external key" received from an "external storage system." The encrypted shares are then stored across a plurality of different storage devices. (’854 Patent, Abstract, Claim 1). This multi-layered approach, using what the patent elsewhere calls a "workgroup key," is intended to ensure that even if an attacker discovers all the required data shares, the original information cannot be recreated without the separate external key. (’854 Patent, col. 79:66-80:4).
  • Technical Importance: The method of splitting data before encrypting each piece individually was presented as an unconventional approach that, while adding processing overhead, provided enhanced security for large-scale, server-based data storage environments. (Compl. ¶22-23).

Key Claims at a Glance

  • The complaint asserts independent Claim 1. (Compl. ¶68).
  • The essential elements of Claim 1 are:
    • receiving an external key from an external storage system,
    • generating a plurality of data chunks based on the data set, which comprises distributing the data set into a plurality of shares, accessing a plurality of distinct encryption keys, and encrypting each share with a respective distinct encryption key,
    • performing an encryption operation based on the external key to further secure the plurality of data chunks, and
    • storing with the data chunks data indicative of at least one of the distinct encryption keys on a plurality of different storage devices.
  • The complaint generally alleges infringement of "one or more claims" but focuses its narrative allegations on Claim 1. (Compl. ¶66-68).

U.S. Patent No. 11,068,609 - "Secure Data Parser Method And System"

  • Patent Identification: U.S. Patent No. 11,068,609, "Secure Data Parser Method And System," issued July 20, 2021. (Compl. ¶84).

The Invention Explained

  • Problem Addressed: The patent addresses the same problems as the ’854 Patent, namely the security vulnerabilities arising from user management of private keys in conventional cryptographic systems. (’609 Patent, col. 1:60-2:8).
  • The Patented Solution: The invention is a processor-executed method for securing data that uses a two-tiered key structure. A "first key" is received from a "storage system." A data set is then broken into chunks, and each chunk is encrypted with a distinct "second key." A cryptographic operation is then performed, based on the "first key," to further secure the data chunks. Finally, the encrypted chunks are stored in memory along with data indicative of the distinct "second keys." (’609 Patent, Abstract, Claim 1).
  • Technical Importance: The claimed method is directed toward improving data security in the context of cloud storage, where a proprietary key management system can allow for secure data handling when many different data sets are stored together. (Compl. ¶28).

Key Claims at a Glance

  • The complaint asserts independent Claim 1. (Compl. ¶90).
  • The essential elements of Claim 1 are:
    • executing code by a processor to perform the subsequent steps,
    • receiving a first key from a storage system,
    • generating a plurality of data chunks based on a data set,
    • encrypting each respective data chunk with a respective second key, where the second keys are distinct from each other,
    • performing a cryptographic operation based on the first key to further secure the plurality of data chunks, and
    • storing, in memory, at least one data chunk with data indicative of at least one of the distinct encryption keys on at least one storage device.
  • The complaint generally alleges infringement of "one or more claims" but focuses its narrative allegations on Claim 1. (Compl. ¶88-90).

U.S. Patent No. 11,178,116 - "Secure Data Parser Method And System"

  • Patent Identification: U.S. Patent No. 11,178,116, "Secure Data Parser Method And System," issued November 16, 2021. (Compl. ¶105).
  • Technology Synopsis: This patent addresses data security by claiming a method of distributing a data set into a plurality of chunks, where no single chunk is sufficient to reconstruct the original data. The method requires encrypting each chunk with a respective key from a plurality of different encryption keys, "obfuscating" each of those keys, and then separately storing each data chunk together with one of the obfuscated keys on a plurality of different storage devices. (Compl. ¶111, ¶117-118).
  • Asserted Claims: The complaint asserts independent Claim 1. (Compl. ¶111).
  • Accused Features: The complaint accuses Google's system of chunking data, encrypting each chunk with a unique Data Encryption Key (DEK), "wrapping" (the alleged obfuscation) each DEK with a Key Encryption Key (KEK), and storing the encrypted data chunks with their corresponding wrapped DEKs across Google's distributed storage infrastructure. (Compl. ¶114, ¶117, ¶118).

U.S. Patent No. 9,338,140 - "Secure Data Parser Method And System"

  • Patent Identification: U.S. Patent No. 9,338,140, "Secure Data Parser Method And System," issued May 10, 2016. (Compl. ¶123).
  • Technology Synopsis: This patent claims a secure storage network that stores a plurality of data "shares" on a plurality of physical storage devices, with the shares being associated with at least one "session key." A central feature of the invention is a system configured to present a "virtual disk" to a client device, where the virtual disk comprises a directory mapped to the physical storage devices in a way that hides the physical locations of the shares from the client. (Compl. ¶132, ¶135; ’140 Patent, Claim 1).
  • Asserted Claims: The complaint asserts independent Claim 1. (Compl. ¶129).
  • Accused Features: The complaint accuses Google Drive, which allegedly presents a virtual disk to a client device via its user interface. This interface shows a directory of files, but the underlying data is split into shares (chunks), associated with session keys (DEKs), and stored on a plurality of physical devices in Google's data centers, with the physical locations hidden from the client device. (Compl. ¶132, ¶135-136).

III. The Accused Instrumentality

Product Identification

  • Google Cloud system, specifically Google Cloud Storage and its "Encryption At-Rest" technology. For the ’140 Patent, the accused instrumentality is Google Drive. (Compl. ¶1, ¶44, ¶129).

Functionality and Market Context

  • The complaint alleges that Google Cloud Storage implements a multi-layered encryption system for data at rest. When data is uploaded, it is broken into "chunks." (Compl. ¶39). Each chunk is encrypted with an individual Data Encryption Key (DEK). These DEKs are themselves encrypted, or "wrapped," by a Key Encryption Key (KEK). (Compl. ¶41). The KEKs are stored in a central repository called "Keystore," which is in turn protected by a "keystore master key" stored in a "Root Keystore." (Compl. ¶41, ¶43). The complaint alleges that Google implemented this server-side encryption technology in 2013 after public trust was reduced by allegations related to a lack of encryption in its earlier cloud offerings. (Compl. ¶36-37). An annotated diagram in the complaint illustrates this alleged process of chunking data and encrypting each chunk with its own key. (Compl. p. 13). For Google Drive, the complaint alleges that it provides a user-facing directory that hides the physical location of the underlying stored data chunks. (Compl. ¶136). A screenshot from Google Drive is provided to show the virtual disk directory presented to a client device. (Compl. p. 48).
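The DEK/KEK layering alleged above is easier to follow in code. This Go example is added here for illustration and is not taken from the complaint, the patents or Google: each chunk is encrypted under its own fresh DEK, and that DEK is wrapped with a KEK and kept beside the ciphertext. Assumptions: AES-256-GCM for both layers, a 32-byte KEK handed in by the caller in place of a keystore lookup, and the hypothetical names StoredChunk, SealChunk and OpenChunk.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type StoredChunk struct{ Ciphertext, WrappedDEK []byte } // hypothetical storage record

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source: unsafe to continue
	}
	return b
}

// seal encrypts pt with AES-GCM (assumed cipher), nonce prepended; open reverses it.
func seal(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, nil), nil
}

func open(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) < 12 { // 12 bytes = GCM nonce
		return nil, errors.New("bad key size or short ciphertext")
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ct[:12], ct[12:], nil)
}

// SealChunk encrypts a chunk under a fresh DEK and wraps that DEK with the KEK.
func SealChunk(kek, chunk []byte) (StoredChunk, error) {
	dek := randomBytes(32)
	ct, _ := seal(dek, chunk) // a fresh 32-byte DEK is always a valid AES key
	wrapped, err := seal(kek, dek)
	return StoredChunk{ct, wrapped}, err
}

// OpenChunk unwraps the DEK with the KEK, then decrypts the chunk with it.
func OpenChunk(kek []byte, sc StoredChunk) ([]byte, error) {
	dek, err := open(kek, sc.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, sc.Ciphertext)
}
```

Calling SealChunk once per chunk yields records that can be placed on separate devices. A party holding every record but not the KEK cannot unwrap any DEK, so OpenChunk fails for all of them.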

IV. Analysis of Infringement Allegations

’854 Patent Infringement Allegations

Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation
receiving an external key from an external storage system, | Receiving a Key Encryption Key (KEK) from Google's "Keystore," which is alleged to be an external storage system. | ¶71 | col. 79:66-80:4
generating a plurality of data chunks based on the data set...comprises: distributing the data set into a plurality of shares... | Splitting user data into smaller "subfile chunks" for storage. | ¶73, ¶75 | col. 2:48-50
...accessing a plurality of distinct encryption keys, | Accessing an individual Data Encryption Key (DEK) for each chunk, with each DEK being distinct. | ¶76 | col. 57:1-58:65
...encrypting each of the shares with a respective one of the plurality of distinct encryption keys, | Encrypting each data chunk with its own distinct DEK. | ¶77 | col. 57:1-58:65
performing an encryption operation based on the external key to further secure the plurality of data chunks; and | Encrypting (or "wrapping") each DEK with a KEK received from the Keystore. | ¶78 | col. 79:66-80:4
storing with the plurality of data chunks data indicative of at least one of the distinct encryption keys on a plurality of different storage devices. | Storing the DEKs with their corresponding data chunks and distributing these pairs across Google's different storage systems. | ¶79 | col. 83:33-84:24
  • Identified Points of Contention:
    • Scope Questions: A central issue may be whether Google’s "Keystore" constitutes an "external storage system" within the meaning of the claim. The analysis will question whether the Keystore is a functionally and architecturally separate system, as the patent may require, or an integrated component of a single Google Cloud system.
    • Technical Questions: The complaint alleges that distributing encrypted chunks across Google's "storage systems" meets the limitation of storing on a "plurality of different storage devices." (Compl. ¶79). A key factual question will be what evidence demonstrates that this distribution occurs across physically distinct devices rather than just logically separate locations within the same hardware infrastructure.

’609 Patent Infringement Allegations

Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation
receiving a first key from a storage system, | Receiving a KEK (the alleged "first key") from the Keystore (the alleged "storage system"). | ¶94 | col. 9:1-10:65
generating a plurality of data chunks based on a data set... | Splitting a user's data set into smaller data chunks. | ¶96 | col. 57:1-58:65
encrypting each respective data chunk of the plurality of data chunks with a respective second key, wherein each...are distinct from each other; | Encrypting each data chunk with an individual and distinct DEK (the alleged "second key"). | ¶98 | col. 57:1-58:65
performing a cryptographic operation based on the first key to further secure the plurality of data chunks; and, | Encrypting (wrapping) the DEKs using the KEK. | ¶99 | col. 79:66-80:4
storing, in a memory...at least one data chunk...with data indicative of at least one of the distinct encryption keys on at least one storage device. | Storing the DEKs with the data chunks throughout Google's storage infrastructure, which contains at least one storage device. | ¶100 | col. 83:33-84:24
  • Identified Points of Contention:
    • Scope Questions: Similar to the ’854 Patent, a dispute may arise over whether the "Keystore" is a "storage system" from which a "first key" is "received," or if it is part of a single, indivisible system. The distinction between the system providing the key and the system storing the data chunks will be critical.
    • Technical Questions: This claim requires storing the chunk and key data on "at least one storage device," a potentially lower evidentiary bar than the "plurality of different storage devices" required by the ’854 Patent. The core technical dispute remains focused on whether Google's two-tiered key hierarchy (DEK/KEK) maps onto the claimed "first key"/"second key" structure.

V. Key Claim Terms for Construction

’854 Patent

  • The Term: "external storage system" (Claim 1)
  • Context and Importance: The infringement theory hinges on casting Google's "Keystore" as an "external storage system" from which the "external key" (the KEK) is received. If the Keystore is construed as being internal to the primary storage system, this foundational element of the claim may not be met.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The patent does not appear to provide a specific definition, which may support an argument for applying the term's plain and ordinary meaning. This could encompass any component that is logically or functionally separate from the primary data storage, a description that may read on the Keystore's specialized function.
    • Evidence for a Narrower Interpretation: The specification describes embodiments with geographically remote and independent depositories, which a party could argue implies that "external" requires a higher degree of physical or administrative separation than exists within Google's integrated cloud infrastructure. (’854 Patent, FIG. 7; col. 19:1-20:65).

’609 Patent

  • The Term: "receiving a first key from a storage system" (Claim 1)
  • Context and Importance: This term is critical because infringement requires a two-step process involving two distinct conceptual entities: a "storage system" that provides the "first key" and a separate memory/device where the data chunks (secured by "second keys") are ultimately stored. The case will question whether the transaction between the Keystore and the general storage infrastructure constitutes "receiving" a key from a "storage system."
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: A diagram in the patent distinguishes between a "Depository" for keys and "Mass Storage" for other data, which could support the argument that the patent contemplates distinct storage components within a single trust engine. (’609 Patent, FIG. 2). This may support viewing the Keystore as a "storage system."
    • Evidence for a Narrower Interpretation: A party may argue that the claim language implies two completely separate systems, and that Google’s Keystore is merely a specialized part of a single, unified "storage system." They might argue that internal data transfers within this unified system do not constitute "receiving" a key from a separate system.

VI. Other Allegations

  • Indirect Infringement: The complaint's allegations focus on Google's direct infringement by making and using the accused Google Cloud system, which allegedly performs the steps of the patented methods. (Compl. ¶67, ¶89). The complaint does not plead specific facts to support claims of induced or contributory infringement, such as allegations that Google instructs its users to perform the claimed steps.
  • Willful Infringement: The complaint does not allege that Google had pre-suit knowledge of the asserted patents. Therefore, the complaint does not provide a basis for an analysis of willful infringement.

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of architectural scope: Does Google's integrated, multi-layered key management hierarchy (where data chunks are stored with DEKs, which are wrapped by KEKs from a Keystore) map onto the patents' claimed structure of receiving a key from an "external" or distinct "storage system"? This question combines claim construction with a detailed factual analysis of Google's cloud architecture.
  • A second key question will be one of functional interpretation: Does the accused act of encrypting (or "wrapping") a data encryption key (DEK) with a key encryption key (KEK) constitute "performing an encryption operation...to further secure the plurality of data chunks," as required by the claims? The court may need to decide if securing the keys to the data is legally equivalent to securing the data itself under the patent's language.
  • For the claim against Google Drive, a central question will be definitional: Can the graphical user interface of a cloud storage service, which presents a file directory to a user, be construed as a "virtual disk" that "hides" the physical locations of the underlying distributed data shares within the meaning of the ’140 Patent?