SRI International, Inc. v. Internet Security Systems, Inc.

SRI International, Inc. v. Internet Security Systems, Inc.
Court United States Court of Appeals for the Federal Circuit
Full case name SRI International, Inc. v. Internet Security Systems, Inc. (a Delaware Corporation) and Internet Security Systems, Inc. (a Georgia Corporation), and Symantec Corporation
Decided January 8, 2008
Citation(s) 511 F. 3d 1186, 1188 (Fed. Cir. 2008).
Court membership
Judge(s) sitting Randall R. Rader, Haldane Robert Mayer, and Kimberly A. Moore

SRI International, Inc. v. Internet Security Systems, Inc. was a patent infringement case which determined whether technical documents placed on a company's FTP server could be considered prior art as defined by 35 U.S.C. § 102(b). The United States District Court for the District of Delaware had held four of SRI International's patents invalid due to prior art considerations.

A three member panel of the United States Court of Appeals for the Federal Circuit reversed and remanded the District Court decision. The decision is particularly relevant to patent law because it set the precedent for treatment of electronic information under the Federal Circuit's public accessibility precedents for prior art. The decision is also notable for an impassioned dissent-in-part filed by Judge Kimberly A. Moore.

Background

The case involved four United States patents filed by SRI International, Inc. (SRI). SRI attempted to license these patents to Symantec and Internet Security Systems (ISS). When these negotiations broke down SRI filed a lawsuit in the United States District Court of the District of Delaware, alleging that the patents were infringed by Symantec's ManHunt product and by ISS's Site Protector and Proventia products.[1] Symantec and ISS moved for summary judgement that their products were non-infringing; the motion was denied.[2] ISS and Symantec then moved for summary judgement that the patents were invalid due to prior art considerations.

Patents

All of the patents stem form a patent application filed with the United States Patent and Trademark Office by SRI on November 9, 1998. The patents involved methods for network intrusion detection.

Patent Nos. 6,484,203 (the '203' patent)

The '203' patent was approved on November 19, 2002.[3] It outlined a computer-automated method for network monitoring and analysis where network monitors are deployed at gateways, routers or proxy servers. The network monitors detect suspicious network activities based on analysis of network traffic data from information included in the network packet. The suspicious activity is reported to other networks allowing appropriate counter-measures to be applied.[4]

Patent Nos. 6,711,615 (the '615' patent)

The '615' patent was approved on March 23, 2004.[5] Similar to the '203' patent, it also outlined a computer-automated method for network monitoring and analysis.[4]

Patent Nos. 6,321,338 (the '338' patent)

The '338' patent was approved on November 20, 2001.[6] It described a particular statistical algorithm for detecting suspicious network activity. In this method a long-term and short-term statistical profile was created from information in the network packets. The short-term profile could then be compared to the long-term profile pointing out changes in network activity, an indication of suspicious network activity.[4]

Patent Nos. 6,708,212 (the '212' patent)

The '212' patent was approved on March 16, 2004.[7] It described the combination of the statistical algorithm described in the '338' patent with the network monitoring methods described in the '203' and '615' patents.[4]

Prior art

According to 35 U.S.C. § 102(b), a patent is invalid if "the invention was patented or described in a printed publication in this or a foreign country or in public use or on sale in this country, more than one year prior to the date of the application for patent in the United States". Since the patent application was filed on November 9, 1998, prior art determination focused on the date of November 9, 1997.[4]

The opinions of this case concentrated on four prominent cases in the determination of a document as a "printed publication". In re Bayer,[8] In re Hall,[9] and In re Cronyn[10] were known as "thesis/library" cases and were used to define the boundaries of public accessibility of a printed document. The boundaries of public accessibility for a presentation were described in In re Klopfenstein,[11] which is referred to as a dissemination case.

Papers

Disputes over patent validity were focused on the existence of two papers on SRI's website.

EMERALD 1997

The EMERALD paper was presented to the National Information Systems Security Conference (NISSC) as "Event Monitoring Enabling Responses to Anomalous Live Disturbances".[12] EMERALD was described as a new approach to network surveillance with a streamlined event-analysis system combining signature analysis with statistical profiling. This paper provided part of the description for the '212' patent. This paper was published in October 1997.

Live Traffic Paper

The Live Traffic paper was presented at the Internet Society's Networks and Distributed System Security (NDSS) Symposium as "Live Traffic Analysis of TCP/IP Gateways".[13] The paper described statistical and signature-based techniques to monitor network traffic. Methods for the '212', '615', '338', and '203' patents were all described in this paper. The paper was published on SRI's website on November 10, 1997. Prior to this publication, the paper had been available on SRI's FTP server starting on August 1, 1997.

District court analysis

The case was heard by District Judge Sue Lewis Robinson on October 17, 2006. She held that the EMERALD paper enabled the '212' patent and that the Live Traffic paper qualified as prior art before November 9, 1997.[4]

The validity of the ‘212’ patent hinged on the description given in the EMERALD paper. SRI argued the EMERALD paper was a “statement of intent” and could not be accomplished by a person with ordinary skill. SSI and Symantec contended that the details for implementing these methods were within the knowledge of a person of ordinary skill. Robinson concluded that the ‘212’ patent was anticipated by the EMERALD paper over a year in advance of the patent application and was therefore invalid.[4]

The prior art qualification for the Live Traffic paper centered on the public accessibility of a document available on a FTP server. SRI argued that the FTP site was not publicly accessible because one would need the complete FTP address to view the paper. Additionally, the posting was not indexed and could only be found by an ordinary skilled user through “dumb luck”. Symantec and SSI countered that on multiple occasions SRI had provided links to the FTP site to multiple members of the intrusion detection community. Furthermore, SRI’s FTP site had been referenced by Google Groups and was widely regarded as a repository of information for computer security. Robinson’s examination of the case evidence noted that no attempts were made to limit access via password security. Robinson deemed the Live Traffic paper publicly accessible as established by the United States Court of Appeals for the Federal Circuit in the precedent cases In re Bayer,[8] In re Hall,[9] In re Cronyn,[10] and In re Klopfenstein.[11] As such, Robinson ruled that the Live Traffic paper constituted as prior art and that the patents described in the publication were invalid.[4]

SRI subsequently appealed the decision to the United States Court of Appeals for the Federal Circuit.

Appeals court analysis

A three member panel of the United States Court of Appeals for the Federal Circuit issued a decision on January 8, 2008.[14] Writing for the majority, Chief Judge Randall R. Rader upheld the District Court's decision that the '212' patent was enabled by the EMERALD paper and therefore invalid. However, he concluded that there were issues of material fact about whether the Live Traffic paper constituted prior art. Since a grant of summary judgment requires that there be no remaining issues of material fact between the parties, the majority vacated and remanded the District Court's grant of summary judgment that the Live Traffic paper invalidated the '203', '212', '338', and '615' patents.

In the decision, Rader discerned that there were two lines of Federal Circuit precedents which applied to the case. In the "library/thesis" line of cases, the Federal Circuit had set precedents regarding how the storage of documents affected their accessibility to persons interested and skilled in the field, and thus their status as prior art. In the "dissemination" line of cases, the Federal Circuit had set precedents regarding how dissemination of the document to persons interested and skilled in the field affected their accessibility and thus their status as prior art. As elements of both storage and dissemination occurred in SRI International, Rader's analysis attempted to determine where the case stood in relation to these precedents.

Library/thesis case analysis

As "library/thesis" precedents, Rader cited the Federal Circuit case In re Bayer, which had held that a graduate school thesis that had not been cataloged or placed on library shelves, and that was only known to the three faculty members who served on the thesis committee, did not qualify as a printed publication. Rader also cited the Federal Circuit case In re Cronyn, in which a thesis was placed in a library and indexed by the author's last name, and was determined not to qualify as a printed publication. Rader acknowledged that SRI International had elements in common with In Re Bayer. His analysis likened the uncatalogued nature of the thesis in the library to the posting of the Live Traffic paper on an FTP server which did not allow for searching and did not contain an index. According to Rader, the fact that Porras emailed direct links to those accessing the papers showed that a person skilled in the field would not have been able to access the Live Traffic Paper. Moreover, Rader argued that the public accessibility was less compelling for SRI International than it was for In re Bayer, as the document in the former case was in pre-publication review, while the thesis in the latter had already been completed.

Dissemination case analysis

As a "dissemination" precedent, Rader cited the Federal Circuit case In re Klopfenstein, which held that information presented on posters at professional conferences qualified as prior art, as the sole intent of such a poster is to publicly communicate research results. Rader recognized that, similar to the posters at a conference, the Live Traffic paper was posted in an open forum and might have been available to anyone with knowledge of FTP and the structure of SRI's FTP server. Unlike the posters at a conference, however, existence of the Live Traffic paper was not publicized or put in a location in which it could be viewed by interested people. According to Rader, SRI's posting of the Live Traffic paper on its FTP server was most similar to "placing posters at an unpublicized conference with no attendees".

Decision

Rader found that the Live Traffic paper was in a situation much more similar to the uncatalogued thesis in In re Bayer than the publicly disseminated posters in In re Klopfenstein. Rader concluded that the pre-publication Live Traffic paper could not be considered catalogued or indexed in a meaningful way and was not intended to be disseminated to the public. Rader concluded that, without additional information about the structure of SRI's FTP server, genuine issues of fact should have prevented the Delaware District Court from rendering summary judgment on the patent invalidity issues. The Federal Circuit thus vacated and remanded the Delaware District Court's determination of invalidity based on the Live Traffic paper.

Moore's dissent-in-part

Judge Kimberly A. Moore filed a detailed dissent-in-part, agreeing with the majority's decision that the EMERALD paper was enabling, but holding that the Live Traffic paper was publicly accessible and thus a prior art bar to patent validity.[14] According to Moore, SRI failed to show evidence that there were genuine issues of material fact which would prohibit summary judgment, as required by Rule 56(e) of the Federal Rules for Civil Procedure .[15] Moore argued that the defendants had met the burden of showing that the Live Traffic paper was publicly accessible, both from the "library/thesis" standpoint and the "dissemination" standpoint, while SRI had failed to provide any contrary evidence which would prevent summary judgment.

Moore analyzed the case under the same precedents as those cited by the majority. She concluded that whereas the thesis in In re Bayer had not been catalogued, the structure of SRI's FTP server made the Live Traffic paper publicly accessible. According to Moore, the defendants had presented evidence that, given the host address for SRI's FTP server, one only needed to enter two directories to obtain the Live Traffic paper. The paper was stored under a directory titled "EMERALD", which she argued would have been an obvious searching place for anyone looking for information on the project. Moreover, the Live Traffic paper was stored under the name "ndss98.ps", the acronym for 1998 Network and Distributed System Security Symposium, a well-known conference. This evidence, according to Moore, was sufficient for a determination that the Live Traffic paper was not at all similar to the thesis in In re Bayer. Thus, Moore held that the "library/thesis" cases could not be applied to deny the defendants their motion for summary judgment of patent invalidity.

Moore also analyzed the case under the precedents set by the "dissemination" cases. In discussing the pertinence of In re Klopfenstein, Moore analyzed each of that case's four requirements for patent invalidity due to public disseminations. According to Moore, the Live Traffic paper was available on the FTP server 24 hours per day for seven days, longer than the three days during which the posters from In re Klopfenstein were displayed. Thus, the Live Traffic paper met the first requirement of being available for longer than a transient period. Moreover, SRI had admitted during oral arguments that the target audience of the paper was members of the Internet security community. The defendants showed that this community included people who knew how to use SRI's FTP server and actually used it to share information. Thus, the FTP server met the second requirement of being accessible to experts in the field. Furthermore, neither Porras nor SRI took any steps to ensure that the paper would not be copied. Porras emailed links to the paper to many people outside of SRI and failed to take protective measures such as non-disclosure agreements or even disclaimers. Thus, the Live Traffic paper met the third requirement of failing to create a reasonable expectation that the work would not be copied. Finally, the very nature of the Live Traffic paper as an electronic document forced it to meet the fourth requirement that the document be easy to copy. Thus, Moore held that the "dissemination" cases clearly showed that the Live Traffic paper was publicly accessible.

Critical analysis

SRI International is discussed at length in patent attorney Eric Guttag's treatise Applying the Printed Publication Bar in the Internet Age.[16] Guttag argues that SRI International has contributed to a growing confusion about whether electronic documents should be considered printed publications due to the Federal Circuit's conflation between the "dissemination" of a document and whether the document is publicly accessible, as in the "library/thesis" cases. Guttag is highly critical of the majority opinion's decision to simply cite In Re Bayer and In Re Klopfenstein without any real analysis and agrees that Judge Moore's much more careful analysis of the factors enunciated in In Re Klopfenstein are hard to overcome. Guttag concludes, however, that the simple fact that there is a disagreement between Moore and the majority is sufficient to support the majority's assertion that there are issues of material fact in the case and that summary judgment of invalidity is inappropriate.

References

  1. SRI, International, Inc. v Internet Security Systems, Inc., Civ. No. 04-1199-SLR (D. Del. 2005)
  2. SRI, International, Inc. v Internet Security Systems, Inc., Civ. No. 04-1199-SLR (D. Del. 2006)
  3. 6,484,203, Porras, Philip Andrew & Alfonso Valdes, issued November 19, 2002
  4. 1 2 3 4 5 6 7 8 SRI, International, Inc. v Internet Security Systems, Inc., 456 F. Supp. 2d 623 (D. Del. 2006)
  5. 6,711,615, Porras, Philip Andrew & Alfonso Valdes, issued March 23, 2004
  6. 6,321,338, Porras, Philip Andrew & Alfonso Valdes, issued November 20, 2001
  7. 6,708,212, Porras, Philip Andrew & Alfonso Valdes, issued March 16, 2004
  8. 1 2 Application of John William Bayer, 568 F.2d 1357 (Fed. Cir. 1978)
  9. 1 2 in Re Leo M. Hall, 781 F.2d 897 (Fed. Cir. 1986)
  10. 1 2 in Re Marshall W. Cronyn, 890 F.2d 1158 (Fed. Cir. 1989)
  11. 1 2 in Re Carol F. Klopfenstein and John L. Brent, Jr., 380 F.3d 1345 (Fed. Cir. 2004)
  12. Phillip A. Porras and Peter G. Neumann, EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances, 20th National Information Systems Security Conference, October 9, 1997
  13. Phillip A. Porras and Alfonso Valdes, Live Traffic Analysis of TCP/IP Gateways, Internet Society's Networks and Distributed Systems Security Symposium, December 12, 1997
  14. 1 2 SRI, International, Inc. v. Internet Security Systems, Inc., 511 F.3d 1186 (Fed. Cir. 2008)
  15. Fed. R. Civ. P. 56(e)
  16. Eric W. Guttag, Applying the Printed Publication Bar in the Internet Age: Is It as Simple as Googling for Prior Art?, Virginia Journal of Law & Technology, 16(1), 2011
This article is issued from Wikipedia - version of the Friday, February 28, 2014. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.