PTAB
IPR2020-00441
Google LLC v. Uniloc 2017 LLC
1. Case Identification
- Patent #: 8,949,954
- Filed: January 17, 2020
- Petitioner(s): Google LLC
- Patent Owner(s): Uniloc 2017 LLC
- Challenged Claims: 1-4, 6, 9, 12-14
2. Patent Overview
- Title: System and Method for Authorizing Remote Access
- Brief Description: The ’954 patent describes a system for authenticating remote access to customer account information. The system identifies a remote device using a "device fingerprint" and its location, compares the fingerprint against a list of previously authorized devices, and if a mismatch occurs, sends a notification to a separate, customer-specified device to approve or deny the access request.
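The flow summarized in the brief description above, sketched as an added example; it is not code from the patent, the petition, or any party. The SHA-256 hashing, the attribute names, the `notify` callback, and the fail-closed handling are assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    account: str
    attributes: dict   # device properties reported with the request
    location: str      # requesting location (e.g. a coarse geo-IP region)
    device_type: str   # e.g. "PC" or "mobile terminal"


def device_fingerprint(attributes: dict) -> str:
    """Derive a stable identifier from device attributes (hashing is an assumption)."""
    # Canonical JSON avoids ambiguity when values contain delimiter characters.
    canonical = json.dumps(attributes, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AccessGate:
    def __init__(self, authorized, contacts, notify):
        self.authorized = authorized  # account -> set of authorized fingerprints
        self.contacts = contacts      # account -> address of the customer's separate device
        self.notify = notify          # callable(address, message) -> "approve" or "deny"

    def authorize(self, req: AccessRequest) -> str:
        fp = device_fingerprint(req.attributes)
        if fp in self.authorized.get(req.account, set()):
            return "granted"          # fingerprint matches a previously authorized device
        address = self.contacts.get(req.account)
        if address is None:
            return "denied"           # no out-of-band channel: fail closed
        message = (f"Access request for {req.account} from unrecognized "
                   f"{req.device_type} at {req.location}")
        # Anything other than an explicit approval is treated as a denial.
        return "granted" if self.notify(address, message) == "approve" else "denied"


if __name__ == "__main__":
    # Constructed sample data: one user-configurable and one fixed attribute.
    laptop = {"user_agent": "ExampleBrowser/1.0", "hw_serial": "SN-0001"}
    gate = AccessGate({"alice": {device_fingerprint(laptop)}},
                      {"alice": "push://alice-phone"},
                      notify=lambda addr, msg: "deny")
    print(gate.authorize(AccessRequest("alice", laptop, "Berlin", "PC")))
    unknown = dict(laptop, hw_serial="SN-9999")
    print(gate.authorize(AccessRequest("alice", unknown, "Lagos", "PC")))
```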
3. Grounds for Unpatentability
Ground 1: Claims 1-4, 6, 12, and 14 are obvious over Steinberg in view of Oberheide
- Prior Art Relied Upon: Steinberg (Application # 2007/0136573) and Oberheide (Application # 2011/0219230).
- Core Argument for this Ground:
- Prior Art Mapping: Petitioner argued that Steinberg taught the core elements of the invention, including a system for authorizing remote access to a user's account (e.g., online banking) based on a device's "trusted" status. Steinberg disclosed identifying a device using a profile of its properties (IP address, browser version, etc., constituting a "fingerprint") and, if the device was unrecognized, sending a notification for two-factor authentication (e.g., a one-time password) to a separate device like a cell phone. Petitioner contended that Oberheide, which described an internet-accessible authentication server that processes transaction requests and sends push notifications to a user's mobile device for confirmation or denial, supplied the specific server-based architecture. The combination of Steinberg’s security logic with Oberheide’s server and notification implementation allegedly rendered the claims obvious.
- Motivation to Combine: A POSITA would combine Steinberg and Oberheide because both address the same technical problem of secure remote authorization. Oberheide’s disclosure of an internet-accessible server and push notification service provided a well-known and commercially desirable architecture for implementing Steinberg's more conceptual two-factor authentication system, making the combination logical to improve security and functionality.
- Expectation of Success: Combining Steinberg's authentication flow with Oberheide's server architecture would involve using standard, well-understood components (web servers, databases, push notifications). A POSITA would have had a high expectation of success in integrating these known elements to produce the predictable result of a more robust remote access security system.
Ground 2: Claim 9 is obvious over Steinberg, Oberheide, and McDowell
- Prior Art Relied Upon: Steinberg (Application # 2007/0136573), Oberheide (Application # 2011/0219230), and McDowell (Application # 2009/0260064).
- Core Argument for this Ground:
- Prior Art Mapping: This ground built upon the Steinberg and Oberheide combination to address claim 9, which specifically requires that device fingerprints be stored in a second database accessible by the server. Petitioner argued that McDowell taught a user verification system that explicitly used multiple databases: a "user-side database" to store device identifiers and a separate "merchant-side database."
- Motivation to Combine: A POSITA, seeking to implement the Steinberg/Oberheide system, would look to McDowell’s architecture for managing sensitive data. Using a second database as taught by McDowell to segregate device fingerprints from primary customer account information was a known technique for enhancing security and improving data management efficiency. This would have been a simple and predictable design choice.
Ground 3: Claim 13 is obvious over Steinberg, Oberheide, and Yasushi
- Prior Art Relied Upon: Steinberg (Application # 2007/0136573), Oberheide (Application # 2011/0219230), and Yasushi (Japanese Application # 2010-262532).
- Core Argument for this Ground:
- Prior Art Mapping: This ground targeted claim 13, which requires that the identity of the remote device in the notification includes information such as "device type." Petitioner asserted that while Steinberg/Oberheide taught sending a notification, Yasushi explicitly disclosed sending a login alert email that included the "device type" (e.g., "PC" or "mobile terminal") as part of the notification details.
- Motivation to Combine: A POSITA would be motivated to incorporate Yasushi's teaching to improve the security of the Steinberg/Oberheide system. Providing more specific details like the device type in a security alert helps the user more accurately determine if an access request is fraudulent, representing a common-sense improvement to the user notification process.
Additional Grounds: Petitioner asserted additional obviousness challenges, including that claims 1-4, 6, 9, 12, and 14 are obvious over Steinberg, Oberheide, and McDowell, and that claim 13 is obvious over Steinberg, Oberheide, McDowell, and Yasushi. These grounds relied on the same core logic and prior art teachings detailed above.
4. Key Claim Construction Positions
- "device fingerprint": Petitioner proposed construing this term as "a bit string (or bit array) that uniquely identifies the device, which includes or is derived from both user-configurable and non-user-configurable data specific to the remote computing device." This construction was argued to be critical for capturing the claimed concept of a robust, multi-faceted identifier, which Petitioner contended was disclosed in the prior art.
- "an address of a separate device specified by the customer": Petitioner argued this should be construed as "an address specified by the customer, where the address is for a separate device." The proposed construction clarified that the customer specifies the device itself, not merely an address that happens to belong to a separate device.
- "identifying ... the remote computing device fingerprint and by a requesting location": Petitioner argued that the claim contained an erroneous deletion and should be read as "identifying ... the remote computing device by a device fingerprint and by a requesting location." This correction was asserted to be necessary for the claim to make logical sense and align with the specification.
- Temporal Ordering of Claim 1: Petitioner argued that the language and antecedent basis of claim 1 require that steps (a) through (e) be performed sequentially in the order recited. This interpretation was central to Petitioner's argument that the process flows described in the prior art mapped directly onto the claimed method.
5. Relief Requested
- Petitioner requests institution of an inter partes review and cancellation of claims 1-4, 6, 9, and 12-14 of the ’954 patent as unpatentable.