Walmart Inc v. RavenWhite Security Inc

1. Case Identification

• Case #: IPR2025-00810
• Patent #: 10,594,823
• Filed: March 28, 2025
• Petitioner(s): Walmart Inc. and Walmart Stores Texas, LLC.
• Patent Owner(s): Ravenwhite Security, Inc.
• Challenged Claims: 1-10

2. Patent Overview

• Title: Client-Server Communications Using Browser Storage for Device Identification
• Brief Description: The ’823 patent discloses systems and methods for client-server communications that identify a client device by causing its browser to store information in different browser storage areas. The technology uses two distinct types of "cache cookies"—such as URLs in a history cache and temporary internet files—which cannot be easily cleared by users, to persistently identify the device based on their presence or absence.

3. Grounds for Unpatentability

Ground 1: Claims 1-10 are obvious over Hinton

• Prior Art Relied Upon: Hinton (Application # 2003/0115267).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Hinton, which discloses a cross-domain single-sign-on system, anticipates or renders obvious all limitations of the challenged claims without needing combination with other references. Hinton’s system allegedly used two different types of cookies: a persistent “domain identity cookie” (DIDC) and a session-based “e-community cookie” (eCC). Petitioner mapped the DIDC to the claimed “first cookie of a first type” and the eCC to the “second cookie of a second type.” Hinton was asserted to disclose storing these cookies in different browser locations—the DIDC in a persistent cookie store (a first storage area) and the eCC in the browser’s temporary cookie memory (a second, different storage area). The claimed step of performing a determination based on the presence of one cookie and the absence of another was mapped to Hinton’s “vouch-for” process, which is initiated when a request includes a DIDC but not an eCC.
  • Motivation to Combine: Petitioner contended that no combination is required, as Hinton alone allegedly discloses every element of the claimed invention.

Ground 2: Claims 1, 3-6, and 8-10 are obvious over Varghese

• Prior Art Relied Upon: Varghese (Patent 7,908,645).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner asserted that Varghese, which describes a system for preventing identity theft, renders the claims obvious. Varghese’s system uses two different persistent identifiers: a standard “secure cookie” and a “flash cookie” (a Local Shared Object), which is harder for users to remove. Petitioner equated the secure cookie with the “first cookie” and the flash cookie with the “second cookie,” arguing they are stored in different client device locations (standard browser cookie storage vs. Flash plug-in storage). The claimed determination based on the presence or absence of these cookies was mapped to Varghese’s security model, detailed in its Table 8, which returns different fraud risk scores and initiates different checks based on whether the secure cookie, the flash cookie, both, or neither are present in a user request. Dependent claims were allegedly met by Varghese's disclosure of replacing cookies upon each login and its detailed description of device fingerprinting.
  • Motivation to Combine: Petitioner argued that no combination is necessary as Varghese alone teaches the claimed subject matter.

Ground 3: Claims 2 and 7 are obvious over Varghese in view of Hinton

• Prior Art Relied Upon: Varghese (Patent 7,908,645) and Hinton (Application # 2003/0115267).
• Core Argument for this Ground:
  • Prior Art Mapping: This ground specifically targets claims 2 and 7, which require the client device to be identified by a server in a domain different from the server that caused the cookies to be stored. Petitioner argued that while Varghese teaches the core two-cookie identification system, it primarily describes its operation within a single authentication domain. Hinton, in contrast, explicitly teaches a system for authenticating users across different computer domains.
  • Motivation to Combine: A POSITA would combine Hinton’s established cross-domain architecture with Varghese’s more robust two-cookie security and identification method to solve a known business need. Specifically, a POSITA would be motivated to apply Varghese’s advanced identity theft protection system in a distributed, multi-domain environment (e.g., a business-to-business context), and Hinton provided a well-understood blueprint for achieving such cross-domain functionality.
  • Expectation of Success: A POSITA would have a reasonable expectation of success because the combination involves applying a known authentication technique (Varghese) to a known network architecture (Hinton) to achieve the predictable result of extending Varghese's security features across multiple domains.

4. Arguments Regarding Discretionary Denial

• Petitioner noted it was concurrently filing a Motion for Joinder with an already-instituted IPR for the ’823 patent (IPR2024-01316). Petitioner stated that if joined, it would take an "understudy role," which would not impact the Board's finite resources, suggesting that discretionary denial would be inappropriate.

5. Relief Requested

• Petitioner requests the institution of an inter partes review and the cancellation of claims 1-10 of the ’823 patent as unpatentable.