Square, Inc.v.Protegrity CorporationDownload PDFPatent Trial and Appeal BoardApr 28, 201609027585 (P.T.A.B. Apr. 28, 2016) Copy Citation Trials@uspto.gov Paper No. 41 571.272.7822 Entered: April 28, 2016 UNITED STATES PATENT AND TRADEMARK OFFICE ____________ BEFORE THE PATENT TRIAL AND APPEAL BOARD ____________ SQUARE, INC., Petitioner, v. PROTEGRITY CORPORATION, Patent Owner. ____________ CBM2015-00014 Patent 6,321,201 B1 ____________ Before KEVIN F. TURNER, MEREDITH C. PETRAVICK, and GREGG I. ANDERSON, Administrative Patent Judges. TURNER, Administrative Patent Judge. FINAL WRITTEN DECISION Covered Business Method Patent Review 35 U.S.C. § 328(a) and 37 C.F.R. § 42.73 CBM2015-00014 Patent 6,321,201 B1 2 I. INTRODUCTION A. Background Square, Inc. (“Petitioner”) filed a Petition1 (Paper 9, “Pet.”) requesting a review under the transitional program for covered business method patents of claims 1–7 and 18–35 of U.S. Patent No. 6,321,201 B1 (Ex. 1001, “the ’201 Patent”). Protegrity Corporation (“Patent Owner”) filed a Preliminary Response (Paper 12, “Prelim. Resp.”). Pursuant to 35 U.S.C. § 324, we instituted this trial on the following grounds: Ground Prior Art Challenged Claim(s) § 101 n/a 1–7 and 18–35 § 103 Hoffman2 and Codd3 1, 5, 6,18, and 27–29 § 103 Hoffman, Codd, and Laribi4 2 and 19–26 § 103 Hoffman, Codd, and Shear5 3 and 7 § 103 Hoffman, Codd, and Johansson6 3 and 4 § 103 Hoffman, Codd, and Friedman7 6 1 We refer to the Amended Petition for Covered Business Method Patent Review. Paper 9. 2 Lance J. Hoffman, The Formulary Model for Flexible Privacy and Access Controls, AFIPS Fall Joint Computer Conference Proceedings (1971) (Ex. 1005). 3 E.F. Codd, Extending the Database Relational Model to Capture More Meaning, 4 ACM Transactions on Database Systems 397–434 (1979) (Ex. 1006). 4 Dennis Laribi & Atika Laribi, A Protection Model Incorporating Both Authorization and Constraints, TR-85-30, Computer Science, Virginia Polytechnic Institute and State University (1985) (Ex. 1007). 5 U.S. Patent No. 4,827,508 issued May 2, 1989 (Ex. 1008). 6 PCT No. WO 95/15628 published June 8, 1995 (Ex. 1024). 7 T.D. Friedman, The Authorization Problem in Shared Files, 9.4 IBM Systems Journal 258–281 (1970) (Ex. 1010). CBM2015-00014 Patent 6,321,201 B1 3 § 103 Hoffman, Codd, and Du8 30–35 Paper 17 (“Dec.”). Subsequently, Patent Owner filed a Patent Owner’s Response. Paper 24 (“Resp.”). Petitioner filed a Reply to Patent Owner’s Response. Paper 27 (“Reply”). Additionally, Patent Owner also filed a Motion for Observation Regarding Cross Examination of Petitioner’s declarant Dr. Michael Shamos. Paper 29. Petitioner filed a Motion to Expunge Patent Owner’s Observations (Paper 33), and Patent Owner filed an Opposition to Petitioner’s Motion (Paper 35). We granted Petitioner’s Motion to Expunge Patent Owner’s Motions for Observations. Paper 36. An oral hearing was held on November 13, 2015. A transcript of the hearing is included in the record. Paper 39 (“Tr.”). We have jurisdiction under 35 U.S.C. § 6(c). This Final Written Decision is issued pursuant to 35 U.S.C. § 328(a) and 37 C.F.R. § 42.73. B. Related Matters Petitioner identifies Square, Inc. v. Protegrity Corp., No. 3:14-cv- 03423-EDL (N.D. Cal. July 28, 2014) as a related district court proceeding. Pet. 12. Patent Owner identifies numerous other related district court matters that would be affected by a decision in this proceeding. See Paper 8, 3–5. The ’201 Patent is also the subject of previously pending proceeding CBM2015-00002, and pending proceedings CBM2015-00021 and 8 U.S. Patent No. 5,412,806 issued May 2, 1995 (Ex. 1011). CBM2015-00014 Patent 6,321,201 B1 4 CBM2015-00030. The ’201 Patent was also the subject of Reexamination No. 90/011,364, with some originally issued claims confirmed and cancelled, one claim amended, and several claims added. U.S. Patent No. 8,402,281 B2 is a continuation of the ’201 Patent (Ex. 1004, “the ’281 Patent”). The ’281 Patent is the subject of previously pending proceedings CBM2014-00182 andCBM2015-00006, and pending proceeding CBM2015-00010. The ’281 Patent was also the subject of terminated proceedings CBM2014-00024 and CBM2014-00121, where those proceedings terminated due to settlement between the parties. C. The ’201 Patent The ’201 Patent, titled “Data Security System for a Database having Multiple Encryption Levels Applicable on a Data Element Value Level,” issued on November 20, 2001, based on Application No. 09/027,585, filed on February 23, 1998. The ’201 Patent claims priority as a continuation application to PCT/SE97/01089, filed on June 18, 1997. The ’201 Patent is concerned with protecting data against unauthorized access. Ex. 1001, 2:21–34. The ’201 Patent states that “in other fields, such as industry, banking, insurance, etc[.], improved protection is desired against unauthorized access to the tools, databases, applications[,] etc.[,] that are used for administration and storing of sensitive information.” Id. at 1:27–39. Figure 4 is reproduced below. CBM2015-00014 Patent 6,321,201 B1 5 Figure 4 depicts the ’201 Patent’s system The system shown in Figure 4 includes an operative database (O-DB) and another database, IAM-DB. O-DB database contains data element values DV that are to be protected. Id. at 5:53–58. IAM-DB database contains a data protection catalogue (DPC), which stores protection attributes (e.g., P1*) for data element types (e.g., DT1) that are associated with data element values DV. Id. at 9:29–51. The protection attributes state rules for processing the corresponding data element values DV. Id. at 3:46– 51. For example, a protection attribute indicates the degree to which data element value DV is encrypted (id. at 7:57–63) or indicates that only accepted, or certified, programs are allowed to process data element value DV (id. at 9:20–28). See id. at 4:45–65. When a user initiates an attempt to process a certain data element value DV, a compelling calling is created to data protection catalogue DPC to obtain the protection attributes associated with the data element type for data element value DV. Id. at 2:54–61. The processing of data element value DV is then controlled in conformity with CBM2015-00014 Patent 6,321,201 B1 6 the protection attributes. Id. at 2:64–67, 3:55–65. Thus, the individual data element or data element type becomes the controlling unit for determining the level of protection. Id. at 4:33–38. Claim 1 of the ’201 Patent is illustrative of the claims at issue, with all other challenged claims being dependent thereon, and read as follows: 1. A method for processing of data that is to be protected, comprising: storing the data as encrypted data element values (DV) in records (P) in a first database (O-DB), the first database (O-DB) having a table structure with rows and columns, each row representing a record (P) and each combination of a row and a column representing a data element value (DV), in the first database (O-DB) each data element value (DV) is linked to a corresponding data element type (DT); storing in a second database (IAM-DB) a data element protection catalogue (DPC), which contains each individual data element type (DT) and one or more protection attributes stating processing rules for data element values (DV), which in the first database (O-DB) are linked to the individual data element type (DT); for each user-initiated measure aiming at processing of a given data element value (DV) in the first database (O-DB), initially producing a calling to the data element protection catalogue for collecting the protection attribute/attributes associated with the corresponding data element type, and controlling the user's processing of the given data element value in conformity with the collected protection attribute/attributes. II. ANALYSIS A. Claim Construction The Board interprets claims of unexpired patents using the broadest reasonable construction in light of the specification of the patent in which CBM2015-00014 Patent 6,321,201 B1 7 they appear. 37 C.F.R. § 42.300(b); In re Cuozzo Speed Techs., LLC, 793 F.3d 1268, 1278–79 (Fed. Cir. 2015), cert. granted sub nom. Cuozzo Speed Techs., LLC v. Lee, 136 S. Ct. 890 (2016) (mem.). Under the broadest reasonable construction standard, claim terms are given their ordinary and customary meaning, as would be understood by one of ordinary skill in the art in the context of the entire disclosure. In re Translogic Tech., Inc., 504 F.3d 1249, 1257 (Fed. Cir. 2007). Any special definition for a claim term must be set forth with reasonable clarity, deliberateness, and precision. In re Paulsen, 30 F.3d 1475, 1480 (Fed. Cir. 1994). In our Institution Decision, we construed three terms specifically: “processing rules,” “data element type,” and “database.” Dec. 14–18. Although apparently not taking issue with our construction of “processing rules,” Patent Owner argues that our constructions for “data element type” and “database” should be modified, arguing that we applied “an unreasonably broad definition to the term ‘database.’” Resp. 14–20. Patent Owner also argues that specific constructions of claim terms “given data element value in the first database” and “initially producing a calling,” are necessary to understand the context of the instant claims. We address these contentions below. i. Database Petitioner proposed that the broadest reasonable construction of “database” is “any organization of structured data.” Pet. 14. According to Petitioner, its proposed construction is the same construction taken by Patent Owner in a district court proceeding concerning the ’201 Patent. Id. CBM2015-00014 Patent 6,321,201 B1 8 Patent Owner argues that Petitioner’s proposal is unreasonably broad and proposes that the broadest reasonable construction of “database” is “a data processing system for managing an organized collection of structured data.” Resp. 15–18. Patent Owner argues that Petitioner’s proposed construction is unreasonably broad in the context of the ’201 Patent because the database must be construed to allow for the database to make automatic and compelling callings to the data element protection catalogue. Id. at 15– 16. Patent Owner argues that its construction is consistent with the ’201 Patent and is supported by the testimony of its declarants Mr. Mattsson and Dr. Direen, Petitioner’s declarant Mr. Schneier, and Dr. Shamos and supported by certain database manuals and technical definitions of the era. Id. at 15–18. a. Claim Language “Claim construction begins, as it must, with the words of the claims.” Vehicular Techs. Corp. v. Titan Wheel Int'l, 141 F.3d 1084, 1088 (Fed. Cir. 1998) (citing Bell Commc’ns Research, Inc. v. Vitalink Commc’ns Corp., 55 F.3d 615, 619–20 (Fed. Cir. 1995)). Independent claim 1 recites “[a] method for processing of data that is to be protected” that includes, among other steps, “storing the data as encrypted data element values (DV) in records (P) in a first database (O-DB)” and “storing in a second database (IAM-DB) a data element protection catalogue (DPC).” Ex. 1001, 11:12– 24. Independent claim 1 also recites that the first database has a table structure with rows and columns. As such, claim 1, and the other challenged claims that depend therefrom, recites that the database comprises or stores different types of data. CBM2015-00014 Patent 6,321,201 B1 9 Claim 1 and the claims dependent on claim 1 do not recite that the database performs any other function, other than the storage of data. Although claim 1 recites that for each user-initiated measure aiming at processing of a given data element, a calling to the data element protection catalogue is initially produced, the claim does not specify what element produces the calling. See id. at 11:29–32. Additionally, independent claim 8, although not a challenged claim, recites an apparatus having a database that stores data to be protected. Ex. 1001, Ex Parte Reexamination Certificate 1:24–51 (amended claim 8). This latter claim was amended during reexamination to recite that the apparatus, not the database, controls the user’s processing of the data according to the data processing rules, and the apparatus, not the database, also produces the compelling calling to the data element protection catalogue. Id. at Ex Parte Reexamination Certificate 1:41–51. The words of the claims of the ’201 Patent, thus, are consistent with Petitioner’s proposed construction as being the broadest reasonable construction. b. Written Description The written description is “always highly relevant” in construing a claim, and “it is the single best guide to the meaning of a disputed term.” Vitronics Corp. v. Conceptronic, Inc., 90 F.3d 1576, 1582 (Fed. Cir. 1996). The written description of the ’201 Patent provides specific definitions of many terms (Ex. 1001, 2:64–3:43) but does not contain a definition of “database.” The claimed database for storing a plurality of data element values corresponds to the O-DB database disclosed in the ’201 Patent. The O-DB CBM2015-00014 Patent 6,321,201 B1 10 database is part of a larger “database management system” that includes multiple databases. Id. at 5:49–6:12, Fig. 3. Similar to the other databases, the O-DB database is described as containing data and, in particular, data to be protected. Id. at 5:53–58. Contrary to Patent Owner’s argument (Resp. 20), the ’201 Patent does not describe the O-DB database, or any other database, as performing any other data processing or managing functions. In particular, the ’201 Patent does not describe that the O-DB database produces the compelling calling to the data protection catalogue. See Ex. 1001, 10:44–58 (“is first collected by the system”); see id. at Abstract, 2:54– 61, 3:51–65, 4:16–22, 7:57–61 (describing a compelling calling to a data protection catalogue, but failing to describe the compelling calling being produced by the O-DB database). The database managing system includes not only a number of databases, but also, a number of modules. Id. at 6:13–45 (“The data system in FIG. 3 further comprises a hardware component 10, a control module 20 (IAM-API), and a program module 30 (PTY-API).”), Fig. 3. The modules include control module 20, also labeled as an Information Assets Manager Application Program Interface (“IAM-API”), which “controls the handling of the types of data protection that the system can supply” and “carries out the processing requested via API . . . programming interface.” Id. at 6:34– 39, Fig. 3. Petitioner’s proposed construction as the broadest reasonable construction is consistent with the written description of the ’201 Patent. c. Declarant Testimony Patent Owner proffers the testimony of declarants Mr. Mattsson and Dr. Direen in support of its proposed construction. Resp. 19 (citing Ex. CBM2015-00014 Patent 6,321,201 B1 11 2066 ¶¶ 33–38; Ex. 2067 ¶¶ 52–58). Mr. Mattsson testifies that “[d]efintions vary among practitioners but, generally, a database is meant to be a collection of data whereby the data is held so that it can be retrieved, manipulated, reported on, managed, queried, and protected” and that in the context of the ’201 Patent the database does more than store data, such as manage or process the data. Ex. 2066 ¶¶ 33–35. Specifically, Mr. Mattsson testifies that “the Specification describes how the first database must ‘automatically produce[] a system calling to the data element protection catalogue” and that Petitioner’s construction “does not provide for how system callings (or any calling or processing) could take place if database is only to mean the data that is managed by the system.” Id. ¶ 37. Dr. Direen’s testimony is substantially the same as Mr. Mattsson’s testimony. See Ex. 2067 ¶¶ 52–58. Mr. Mattsson’s and Dr. Direen’s testimony is unpersuasive because it is inconsistent with the ’201 Patent. As discussed above, the ’201 Patent describes the O-DB as one database in a larger database management system. Ex. 1001, 5:49–6:12. The ’201 Patent describes the O-DB database as containing data and describes the modules of the larger database management system as performing data processing. Id. at 5:53–58, 6:13–45. The ’201 Patent does not describe the O-DB database as producing the compelling calling. See Ex. 1001, 10:44–58 (“is first collected by the system”); see id. at Abstract; 2:54–61, 3:51–65; 4:16–22; 7:57–61 (disclosing a compelling calling to a data protection catalogue, but failing to describe the compelling calling being produced by the O-DB database). The assertion that the compelling calling is produced by the O-DB database is only found in Patent Owner’s arguments, Mr. Mattsson’s testimony, and CBM2015-00014 Patent 6,321,201 B1 12 Dr. Direen’s testimony, and not the ’201 Patent. See, e.g., Ex. 2066 ¶¶ 13, 17–19, 37; Ex. 2067 ¶ 57. Extraneous features should not be read into the claim. Renishaw PLC v. Marposs Societa’ per Azioni, 158 F.3d 1243, 1249 (Fed. Cir. 1998); E.I. du Pont de Nemours & Co. v. Phillips Petroleum Co., 849 F.2d 1430, 1433 (Fed. Cir. 1988). In that regard, “extrinsic evidence may be used only to assist in the proper understanding of the disputed limitation; it may not be used to vary, contradict, expand, or limit the claim language from how it is defined, even by implication, in the specification or file history.” Bell Atl. Network Servs. v. Covad Commc'ns Grp., 262 F.3d 1258, 1269 (Fed. Cir. 2001); see Vitronics, 90 F.3d at 1584 (“expert testimony, which was inconsistent with the specification and file history, should have been accorded no weight”). Further, we give little weight to Mr. Mattsson’s testimony because Mr. Mattsson is not a disinterested witness. Mr. Mattsson is Patent Owner’s Chief Technology Officer (Ex. 2066 ¶ 1) and has an interest in the outcome of this proceeding. Patent Owner also argues that the testimony of Petitioner’s declarant Dr. Shamos and the testimony of Mr. Schneier, a declarant from a related proceeding, support its proposed construction. Resp. 15–18 (citing Ex. 2065, 71:23–72:6–15, 115:2–15; Ex. 2064, 36:10–37:24, 106:25–107:3; Ex. 2070, 64:15–21, 69:9–13). Mr. Schneier’s and Dr. Shamos’s testimony, however, does not support Patent Owner’s proposed construction, but supports Petitioner’s proposed construction as the broadest reasonable construction. Mr. Schneier agreed, when questioned by Patent Owner, that a reasonable interpretation of database is “a system that includes blobs of data in the organization and structure to make that works” (Ex. 2065, 76:2–6), but CBM2015-00014 Patent 6,321,201 B1 13 Mr. Schneier also testifies that Petitioner’s proposed construction is a reasonable definition that “coincided with what the patent seemed to say” (id. at 76:16–77:2). Likewise, Dr. Shamos testifies that “database” can have multiple definitions (Ex. 2064, 36:10–37:24), but Dr. Shamos also testifies that in the context of the ’201 Patent and under the broadest reasonable interpretation standard “database” means an “organized collection of structured data” (id. at 37:25–38:8; Ex. 1002 ¶ 48). The Board construes claims using the broadest reasonable construction in light of the specification of the patent in which they appear. 37 C.F.R. § 42.300(b). d. Database Manual and Technical Encyclopedia Patent Owner also proffers a database manual and a technical entry for “database management system” of a technical encyclopedia to support its construction. Resp. 18 (citing Exs. 2071, 2072). This extrinsic evidence is also unpersuasive as both the database manual and the encyclopedia entry are directed to a database management system, as opposed to simply a database. e. Broadest Reasonable Construction of “Database” We determine that the broadest reasonable construction of “database,” in light of the Specification of the ’201 Patent and the proffered evidence, is “an organized collection of structured data.” As discussed above, this construction is consistent with the words of the claims, the disclosure of the ’201 Patent, the testimony of Mr. Schneier and Dr. Shamos, and the position taken by Patent Owner in the related district court proceeding. We are not persuaded by Patent Owner’s arguments, Patent Owner’s declarants’ testimony, database manual, or technical encyclopedia that this construction is unreasonably broad. CBM2015-00014 Patent 6,321,201 B1 14 ii. Data Element Type In our Decision to Institute, we determined that the broadest reasonable construction, in light of the Specification, of “data element type” is “identification of a specific category of data” as proposed by Petitioner and disclosed in the Specification. Dec. 16–17 (citing Pet. 15; Ex. 1001 3:1– 6). Patent Owner contends that a portion of the construction, “identification of,” is not supported and is not accurate, and should be omitted from the construction. Resp. 18–19. As we are not persuaded that there is any appreciable difference in scope, with or without the addition of “identification of,” we adopt Patent Owner’s construction, such that the broadest reasonable construction, in light of the Specification of the ’201 Patent, and the proffered evidence, of “data element type” is “a specific category of data.” Patent Owner also raises the issue that we described claim 1 as not requiring data element types (Dec. 13), that this was contrary to the Specification and the claims, and that our construction of “data element type” should take that into consideration. Resp. 19–20. We acknowledged the misstatement in response to Patent Owner’s Request for Rehearing, acknowledging the error and determining it to be de minimis with respect to our claim construction and initial determinations. Paper 40, 9–11. iii. Processing Rule In our Decision to Institute, we determined that the broadest reasonable construction, in light of the Specification, of “data processing rule” is “rules for processing data,” as proposed by Petitioner. Dec. 14–16 (citing Pet. 17–18). Patent Owner does not dispute this construction in its Patent Owner’s Response. CBM2015-00014 Patent 6,321,201 B1 15 For the reasons proffered by Petitioner (Pet. 17–18), the broadest reasonable construction, in light of the Specification of the ’201 Patent, of “data processing rules” is “rules for processing data.” See Dec. 14–16. iv. Given Data Element Value in the First Database Patent Owner argues that the claim term in claim 1, “given data element value in the first database,” must be read as “the unencrypted data element value,” and the processing request must be “aimed at the unencrypted (given) data element value.” Resp. 20–21 (citing Ex. 2066 ¶ 20; Ex. 2067 ¶ 48). We do not agree. Claim 1 does not recite unencrypted data element values, and only recites “encrypted data element values.” Claim 1 does not specify that the “given data element value” should be encrypted or unencrypted. We are not persuaded by Patent Owner’s declarants (Ex. 2066 ¶ 20; Ex. 2067 ¶ 48) as their testimonies are conclusory and are unsupported by the Specification or claims of the ’201 Patent. Although the “given data element value” could be the unencrypted data element value, it need not be in the context of claim 1. v. Initially Producing a Calling Patent Owner argues that the claim term in claim 1, “initially producing a calling,” should be read as “the database itself that produces the calling to the data element protection catalogue,” as compared to the operating system or the individual field producing the calling. Resp. 21 (citing Ex. 1001, 3:53–61; Ex. 2067 ¶ 22; Ex. 2066 ¶¶ 19, 41). We do not agree. As discussed above, we are persuaded that the application 40, control module 20, and program module 30 handle system calls in the ’201 Patent, and the calling need not be produced by the first database itself. CBM2015-00014 Patent 6,321,201 B1 16 vi. Other Proposed Constructions Both Petitioner and Patent Owner propose constructions for various other claim terms. See Pet. 13–22; Prelim. Resp. 49–53. For the purposes of our review of the claims of the ’201 Patent, however, no explicit construction of any other claim term is needed. B. Standing to Seek Covered Business Method Patent Review Section 18 of the AIA9 provides for the creation of a transitional program for reviewing covered business method patents. Section 18 limits review to persons or their privies that have been sued or charged with infringement of a “covered business method patent,” which does not include patents for “technological inventions.” AIA §§ 18(a)(1)(B), 18(d)(1). 37 C.F.R. § 42.302 states “[c]harged with infringement means a real and substantial controversy regarding infringement of a covered business method patent exists such that the petitioner would have standing to bring a declaratory judgment action in Federal court.” Petitioner states that it was charged with infringement of the ’201 Patent in Square, Inc. v. Protegrity Corp., No. 3:14-cv-03423- EDL (N.D. Cal.). Pet. 12. Patent Owner does not dispute this statement. i. Financial Product or Service A covered business method patent “claims a method or corresponding apparatus for performing data processing or other operations used in the practice, administration, or management of a financial product or service, except that the term does not include patents for technological inventions.” 9 Leahy-Smith America Invents Act, Pub. L. No. 112-29, 125 Stat. 284, 329 (Sept. 16, 2011) (“AIA”). CBM2015-00014 Patent 6,321,201 B1 17 AIA § 18(d)(1). The “legislative history explains that the definition of covered business method patent was drafted to encompass patents ‘claiming activities that are financial in nature, incidental to a financial activity or complementary to a financial activity.’” Transitional Program for Covered Business Method Patents—Definitions of Covered Business Method Patent and Technological Invention, 77 Fed. Reg. 48,734, 48,735 (Aug. 14, 2012) (Final Rule) (quoting 157 Cong. Rec. S5432 (daily ed. Sept. 8, 2011) (statement of Sen. Schumer)). The legislative history indicates that “financial product or service” should be interpreted broadly. Id.; see Versata Dev. Grp., Inc. v. SAP America, Inc., 793 F.3d 1306, 1323–26 (Fed. Cir. 2015). A patent need have only one claim directed to a covered business method to be eligible for review. 77 Fed. Reg. at 48,736 (Response to Comment 8). Petitioner contends that the ’201 Patent “claims a method for performing data processing or other operations that are at least incidental to the practice, administration, or management of a financial product or service” and, thus, is a covered business method patent. See Pet. 6–8. Patent Owner contends that the ’201 Patent does not claim a financial service or product. Resp. 54–58. Patent Owner argues that “not a single word in any single claim of the ’201 Patent . . . is purportedly directed to a ‘financial product or service.’” Resp. 57. We do not interpret the statute as requiring the literal recitation of terms of data processing of financial products or services. As recognized in the legislative history: “[t]o meet this [eligibility] requirement the patent need not recite a specific financial product or service. Rather, the patent CBM2015-00014 Patent 6,321,201 B1 18 claims must only be broad enough to cover a financial product or service.” 157 Cong. Rec. S1365 (daily ed. Mar. 8, 2011) (statement of Sen. Schumer). In this regard, claim 1 recites “controlling the user’s processing of the given data element value in conformity with the collected protection attribute/attributes.” The Specification discloses that protection attributes are used to protect against unauthorized access of a data portion in a database (see Ex. 1001, 4:26–32) and that banking is a field where protection against unauthorized access to databases that are used for administering and storing sensitive information is desired. Id. at 1:27–31; see also id. at Fig. 5, 11:1–10 (describing an example where “Social Allowance” and “Housing Allowance” are the protected data and “Financial manager” is an authorized user). Banking is a financial activity. Likewise, Patent Owner’s declarant Dr. Direen testifies that “[t]he standard examples, which are examples of market concern, are protecting data items such as credit card numbers and social security numbers[s].” Ex. 2046 ¶ 27 (emphasis added). Dr. Direen’s testimony discusses such an example. Id. ¶¶ 11, 14, 27–49, Figs. 1–15. In Dr. Direen’s example, the data include credit card numbers, credit card PIN numbers, and salary information; the data categories include credit card number and salary; and the data processing rules include credit card protection attributes and salary protection attributes. See, e.g., id. ¶¶ 31, 34, 44, Figs. 1, 10. Credit card numbers, credit card PIN numbers, and salary are all data which are financial in nature. Although not sufficient on its own, the ’201 Patent is classified in 705/51 of the Office’s patent classification system. See 77 Fed. Reg. at 48,739; see Versata, 793 F.3d at 1324, n.14 (noting that while Class 705 CBM2015-00014 Patent 6,321,201 B1 19 “apparently served as the original template for the definition of a ‘covered business method,’ . . . [it] was thought to be too narrow”) (citation omitted); Pet. 6. Class 51—“Usage protection of distributed data files” is a subclass indented under subclass 705/50—“Subject matter including cryptographic apparatus or methods uniquely designed for or utilized in . . . the processing of financial data.” Classification Definitions (Jan. 2012), http://www.uspto.gov/web/patents/classification/uspc705/defs705.htm. We are persuaded by Petitioner that at least claim 1 encompasses activities that are financial in nature, incidental to a financial activity, or complementary to a financial activity. See 77 Fed. Reg. at 48,735. We are not persuaded by Patent Owner’s argument that previous Board decisions demonstrate that the ’201 Patent is not a covered business method patent. Resp. 54–57 (citing PNC Fin. Servs Grp., Inc. v. Intellectual Ventures I, LLC, Case CBM2014-00032, slip op. at 10 (PTAB May 22, 2014) (Paper 13); J.P. Morgan Chase & Co. v. Intellectual Ventures II LLC, Case CBM2014-00160, slip op. at 11 (PTAB Jan. 29, 2015) (Paper 11); Salesforce.com Inc. v. Applications in Internet Time, LLC, Case CBM2014- 00162, (PTAB Feb. 2, 2015) (Paper 11)). The cited previous Board decisions are not precedential and are not binding on this panel. Nonetheless, we have reviewed the allegedly conflicting decisions. Our review of these decisions, however, reveals that the determination of whether the patent is a covered business method patent rests upon the specific facts of those proceedings. For example, in PNC Financial Services, the Board determined that a showing that the patent was asserted against a financial service in an infringement proceeding was not enough to establish that the patent was a covered business method patent. See PNC CBM2015-00014 Patent 6,321,201 B1 20 Fin. Servs, CBM2014-00032, Paper 13 at 14. The Board stated that whether an allegedly infringing product was a financial service was just one factor and that the petitioners had not shown how “the ’298 patent, either through its claims, Specification, or prosecution history, encompasses ‘activities that are financial in nature, incidental to a financial activity or complementary to a financial activity.’” Id. at 13–14. Similarly, in J.P. Morgan and Salesforce, the Board determined whether the patent was a covered business method patent based upon the particular facts of those proceedings. Patent Owner does not establish that the facts in those proceedings are sufficiently similar to the facts in this proceeding. As discussed above, we determined, based upon the facts in this proceeding, that the ’201 Patent is a covered business method patent. We are also not persuaded by Patent Owner that the ’201 Patent is not a covered business method patent, because “the entire reasons behind the invention contradicts any allegation that the invention of the ’201 Patent is incidental to a financial service or product.” Resp. 58. According to Patent Owner, the Swedish Data Inspection, AB, mandated protection legislation for personally-identifiable information to protect students and “[t]hey did not, however, mandate data protection solely for financial institutions.” Id. (citing Ex. 2022 ¶¶ 14–16 (testimony of Mr. Mattsson); Ex. 2040 (U.S. Patent No. 5,606,610, which allegedly discloses Patent Owner’s first attempt to comply with the Swedish legislation)). The ’201 Patent makes no mention of the Swedish legislation or that the legislation was for the protection of students. The ’201 Patent makes no mention of students at all. Notably, U.S. Patent No. 5,606,610, which Patent Owner argues was also the result of the Swedish legislation, likewise fails to CBM2015-00014 Patent 6,321,201 B1 21 mention the Swedish legislation or the need to protect student data, but does disclose that banking is a sector where it is essential that stored data be protected against unauthorized access. See Ex. 2040, 1:13–15. We are persuaded by Petitioner that a preponderance of the evidence shows that at least claim 1 of the ’201 Patent encompasses a method or corresponding apparatus for performing data processing or other operations used in the practice, administration, or management of a financial product or service. ii. Technological Invention The definition of “covered business method patent” in Section 18(d)(1) of the AIA does not include patents for “technological inventions.” To determine whether a patent is for a technological invention, we consider “whether the claimed subject matter as a whole recites a technological feature that is novel and unobvious over the prior art; and solves a technical problem using a technical solution.” 37 C.F.R. § 42.301(b). Both prongs must be satisfied in order for the patent to be excluded as a technological invention. The following claim drafting techniques, for example, typically do not render a patent a “technological invention”: (a) Mere recitation of known technologies, such as computer hardware, communication or computer networks, software, memory, computer-readable storage medium, scanners, display devices or databases, or specialized machines, such as an ATM or point of sale device. (b) Reciting the use of known prior art technology to accomplish a process or method, even if that process or method is novel and non-obvious. (c) Combining prior art structures to achieve the normal, expected, or predictable result of that combination. CBM2015-00014 Patent 6,321,201 B1 22 Office Patent Trial Practice Guide, 77 Fed. Reg. 48,756, 48,763–64 (Aug. 14, 2012). a. A Technological Feature that Is Novel and Unobvious over the Prior Art Petitioner argues that the ’201 Patent is not for a technological invention because none of the claims recite a technological feature that is novel and nonobvious over the prior art. Pet. 8–11. According to Petitioner, “[n]one of the ’201 claim limitations, taken alone or in combination, rises to the level of a technological feature, let alone a novel and unobvious one.” Pet. 9–10. Patent Owner argues that “[t]he evidence demonstrates that the claims of the ’201 Patent recite technological features that were novel and nonobvious over the prior art at the time of the invention.” Resp. 59. We are persuaded by Petitioner that the ’201 Patent is not for a technological invention because at least claim 1 does not satisfy the first prong of the test. Claim 1 does not recite a technological feature that is novel or unobvious over the prior art. Claim 1 recites a method that is “storing” data in multiple “databases,” and controlling a user’s processing “in conformity with the collected protection attribute/attributes.” Data processing computers having databases, which store the data, and controlling access thereto, were known at the time of filing the ’201 Patent. See Ex. 1001, 1:20–31; Pet. 10–11. Although Patent Owner argues that the claims recite technological features that were novel and unobvious over the prior art, Patent Owner, does not specify which claimed technical features are allegedly novel and unobvious. See Resp. 58–62. Patent Owner appears to argue that the novel and unobvious technological features rely on a database that is “much more complex than a collection of stored data” and that “[a]pplying the correct CBM2015-00014 Patent 6,321,201 B1 23 construction of database demonstrates the novel and nonobvious aspects of the ‘201 Patent.” See Resp. 60–61, n.16. Patent Owner’s argument, however, is unpersuasive because, as discussed in section II(A)(i) above, when the claim term “database” is given its proper, broadest reasonable construction, in light of the ’201 Patent, claim 1 does not require these alleged features. We are persuaded by Petitioner that a preponderance of the evidence shows that at least claim 1 does not recite a technological feature that is novel or unobvious over the prior art and does not satisfy the first prong of the test. The ’201 Patent, thus, is a covered business method patent that is not a technological invention. b. Solves a Technical Problem with a Technical Solution Petitioner argues that the ’201 Patent is not for a technological invention because none of the claims solve a technical problem using a technical solution. Pet. 10–11. According to Petitioner, the ’201 Patent is directed to the problem of granting access to data only if associated rules are satisfied, which is solved by maintaining a database of data and a separate data protection table that has rules. Id. at 10. Petitioner argues that such a use of a data processing computer with databases is known technology. Id. at 10–11. Patent Owner argues that the ’201 Patent is for a technological invention, because it solves a technical problem with a technical solution. Resp. 29–35, 58–62. According to Patent Owner, the ’201 Patent solves three problems: 1) “separation of duties,” thereby “prevent[ing] the [database administrator] from accessing the data” (id. at 34); 2) “the ability to implement data protection at the data element level [in the database] CBM2015-00014 Patent 6,321,201 B1 24 without requiring application-level changes to the various computer programs and applications that were seeking to retrieve protected data from the database” (id.); and 3) providing “data element level protection across many brands of databases (e.g., Oracle, IBM DB2, Informix, and Microsoft) that a company might be using in-house” (id. at 34–35). The alleged solution is “data to be protected in a first database, while the rules for protection were stored outside that database and thus outside the purview of the [database administrator].” Id. at 35. We are persuaded by Petitioner that the ’201 Patent does not solve a technical problem with a technical solution. See Pet. 10–11. The ’201 Patent discloses that its objective is “to increase the protection against unauthorized access to sensitive information.” Ex. 1001, 2:21–24; see also id. at 2:3–18, 1:15–17 (describing that the ’201 Patent “concerns . . . a method and apparatus for data processing . . . for accomplishing increased protection against unauthorized processing of data”). None of the three technical problems identified by Patent Owner are described in the ’201 Patent. See Resp. 29–35. The ’201 Patent makes no mention of a need to protect data from a database administrator, to eliminate application-level changes to the various computer programs and applications that were seeking to retrieve protected data from the database, or to provide protection across many brands of databases. Id. Likewise, the ’201 Patent does not describe the technical solution, alleged by Patent Owner, because the ’201 Patent does not describe a first database that calls out to the second database, as discussed above in section II(A)(ii). The claims of the ’201 Patent also do not require the alleged technical solution. Neither claim 1 nor CBM2015-00014 Patent 6,321,201 B1 25 any other claim requires specifically that a first database calls out to a second database. Further, the cited testimony of Mr. Schneier does not support Patent Owner’s argument. See Resp. 59 (citing Ex. 2043, 90:15–91:9). We do not find his testimony to be persuasive because it arose in the context of a “philosophical debate” about problems generally, such as “legal problem[s]” and “social problem[s].” Ex. 2043, 90:15–91:9. We are not convinced that 37 C.F.R. § 42.301(b) should be satisfied through the process of elimination, such that problems and solutions are determined to be “technical” because they do not fall into categories of “legal,” “social,” or “spiritual.” Under such a rubric, simple algebraic problems and solutions could be technical in nature, but we are not persuaded that would be the intent of the regulation. We are persuaded by Petitioner that a preponderance of the evidence shows that at least claim 1 does not solve a technical problem using a technical solution, and, thus, at least claim 1 also does not satisfy the second prong. Thus, the ’201 Patent is a covered business method patent that is not a technological invention. For the reasons discussed above, we are persuaded by Petitioner that the ’201 Patent is eligible for covered business method patent review. C. 35 U.S.C. § 101 i. Section 101 Subject Matter Eligibility For claimed subject matter to be patent-eligible, it must fall into one of four statutory classes set forth in 35 U.S.C. § 101: a process, a machine, a manufacture, or a composition of matter. The Supreme Court recognizes three categories of subject matter that are ineligible for patent protection: CBM2015-00014 Patent 6,321,201 B1 26 “laws of nature, physical phenomena, and abstract ideas.” Bilski v. Kappos, 561 U.S. 593, 601 (2010) (internal quotations and citation omitted). A law of nature or an abstract idea by itself is not patentable; however, a practical application of the law of nature or abstract idea may be deserving of patent protection. Mayo Collaborative Servs. v. Prometheus Laboratories, Inc., 132 S. Ct. 1289, 1293–94 (2012). To be patentable, however, a claim must do more than simply state the law of nature or abstract idea and add the words “apply it.” Id. In Alice Corp. Pty, Ltd. v. CLS Bank Int’l, 134 S. Ct. 2347 (2014), the Supreme Court recently clarified the process for analyzing claims to determine whether claims are directed to patent-ineligible subject matter. In Alice, the Supreme Court applied the framework set forth previously in Mayo, “for distinguishing patents that claim laws of nature, natural phenomena, and abstract ideas from those that claim patent-eligible applications of those concepts.” Alice, 134 S. Ct. at 2355. The first step in the analysis is to “determine whether the claims at issue are directed to one of those patent-ineligible concepts.” Id. If they are directed to a patent- ineligible concept, the second step in the analysis is to consider the elements of the claims “individually and ‘as an ordered combination’” to determine whether the additional elements ‘transform the nature of the claim’ into a patent-eligible application.” Id. (quoting Mayo, 132 S. Ct. at 1298, 1297). In other words, the second step is to “search for an ‘inventive concept’ — i.e., an element or combination of elements that is ‘sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the [ineligible concept] itself.’” Id. (alteration in original) (quoting Mayo, 132 S. Ct. at 1294). Further, the “prohibition against patenting abstract ideas CBM2015-00014 Patent 6,321,201 B1 27 ‘cannot be circumvented by attempting to limit the use of the formula to a particular technological environment’ or adding ‘insignificant postsolution activity.’” Bilski, 561 U.S. at 610–11 (quoting Diamond v. Diehr, 450 U.S. 175, 191–92 (1981)). Accordingly, utilizing this framework, we review Petitioner’s contention that claims 1–7 and 18–35 of the ’201 Patent are directed to ineligible subject matter. ii. Availability of § 101 Patent Owner argues that § 101 is not available to challenge patentability in a covered business method patent review, because it is not included in 35 U.S.C. § 282(b)(2) or (3). Resp. 22–23. We disagree. Under the AIA, any ground that could be raised under §§ 282(b)(2) or (3) can be raised in a post-grant review or (with exceptions not relevant here) in a covered business method patent review. The final rules implementing post-grant review and covered business method patent review in the Federal Register state that the “grounds available for post-grant review include 35 U.S.C. [§§] 101 and 112, with the exception of compliance with the best mode requirement.” 77 Fed. Reg. 48,680, 48,682 (Aug. 14, 2012). This interpretation is consistent with both the relevant case law and the legislative history. See, e.g., Mayo Collaborative Servs. 132 S. Ct. at 1305 (addressing invalidity under § 101 when it was raised as a defense to an infringement claim); Graham v. John Deere Co., 383 U.S. 1, 12 (1966) (stating that the 1952 Patent Act “sets out the conditions of patentability in three sections,” citing 35 U.S.C. §§ 101, 102, and 103); Dealertrack, Inc. v. Huber, 674 F.3d 1315, 1330 n.3 (Fed. Cir. 2012); H.R. Rep. No.112-98, at 47 (2011); 157 Cong. Rec. S1375 (daily ed. Mar. 8, CBM2015-00014 Patent 6,321,201 B1 28 2011). Additionally, the Federal Circuit decided that covered business method patent reviews may include challenges under § 101. See Versata Dev. Grp., Inc. v. SAP America, Inc., 793 F.3d 1306, 1329–30 (Fed. Cir. 2015). Thus, § 101 is a proper ground for a review under the transitional program for covered business method patents. iii. Ineligible Concept Petitioner contends that the claims of the ’201 Patent are merely directed to an abstract idea of determining whether access to data should be granted based on whether one or more rules are satisfied. Pet. 23–25. Patent Owner disputes that the challenged claims of the ’201 Patent are directed to an abstract idea. See Resp. 23–36. According to Patent Owner, “protection of data in a first database through rules stored in a second database” provides a solution to a problem “necessarily rooted in computer technology.” Id. at 24; see id. at 23–44 (citing DDR Holdings, LLC v. Hotel.com, L.P., 773 F.3d 1245 (Fed. Cir. 2014)). Of the challenged claims, only claim 1 is an independent claim, and all of the other challenged claims depend directly or indirectly on claim 1. Claim 1 is directed to a method of processing data that is to be protected and is nominally within the process category of statutory subject matter. Statutory class, however, is not by itself determinative of whether a claim is directed to patent-eligible subject matter. “Regardless of what statutory category (‘process, machine, manufacture, or composition of matter,’ 35 U.S.C. § 101) a claim’s language is crafted to literally invoke, we look to the underlying invention for patent-eligibility purposes.” CyberSource Corp. v. Retail Decisions, Inc., 654 F.3d 1366, 1374 (Fed. Cir. 2011). See Alice, CBM2015-00014 Patent 6,321,201 B1 29 134 S. Ct. 2358–59; Bancorp Servs. v. Sun Life Assurance Co., 687 F.3d 1266, 1275 (Fed. Cir. 2012). Independent claim 1 recites a data processing method that grants access to a data element value if the rules associated with a data element type that is associated with the requested data element value are satisfied. Ex. 1001, 11:12–37. Claim 1 also requires a database that comprises the data element values, where the database has a table structure with each combination of a row and a column representing a data element value. Id. A data element protection catalogue is in a second database and comprises data processing rules that must be satisfied before the data element value can be accessed. Id. The data processing rules are linked with the data element type. Id. Thus, independent claim 1 recites a method that grants access to a requested data element value if the rules associated with a data element type that is associated with the requested data element value are satisfied. Id. Given the above, we are persuaded by Petitioner that the claims are directed to the abstract idea of determining whether access to data should be granted based on whether one or more rules are satisfied. Patent Owner raises several counter arguments that we address below. Patent Owner argues that the solution provided by the ’201 Patent is necessarily rooted in computer technology because it addresses the protection of data in a first database through rules stored in a second database. Resp. 23–24 (citing DDR Holdings, 773 F.3d 1245). Patent Owner alleges additionally that the claims of the ’201 Patent are directed to a specific solution for protecting data at the data element level in a databases through use of rules stored in a separate database. Id. at 24. We do not agree. CBM2015-00014 Patent 6,321,201 B1 30 The claims in DDR Holdings are described as providing a result that “overrides the routine and conventional sequence of events.” DDR Holdings, 773 F.3d at 1258. The databases and access rules recited in claim 1 perform their normal functions and achieve expected results. The protection of data in a database at the data element level still comports with the abstract idea of determining whether access to data should be granted based on whether one or more rules are satisfied. Similarly, storing the rules in a separate database does not change the expected operation of the rules or the database, merely the location of those rules. Patent Owner also argues that the claims of the ’201 Patent cannot preempt the use of the abstract idea in all fields, because the Petition and supporting declaration show that there are other ways of implementing “rule-based data access control,” none of which do so at the data element level based on rules stored in an external database. Resp. 26–27 (citing Pet. 40–50; Bilski v. Kappos, 561 U.S. at 611–12). This is not persuasive, however, because the elements that Patent Owner determines to be outside the abstract idea, i.e., access control at the data element level based on rules stored in an external database, may simply be a particular technological environment, as discussed in the next section. iv. Inventive Concept Next, we look for additional elements that can “transform the nature of the claim” into a patent-eligible application of an abstract idea. That is, we determine whether the claims include an “inventive concept,” i.e., an element or combination of elements sufficient to ensure that the patent in practice amounts to significantly more than a patent on the abstract idea itself. Alice, 134 S. Ct. at 2357. The Supreme Court in Alice cautioned that CBM2015-00014 Patent 6,321,201 B1 31 merely limiting the use of an abstract idea “to a particular technological environment” or implementing the abstract idea on a “wholly generic computer” is not sufficient as an additional feature to provide “practical assurance that the process is more than a drafting effort designed to monopolize the [abstract idea] itself.” Alice, 134 S. Ct. at 2358. a. Independent Claim 1 Petitioner argues that the claims “fail to add sufficiently meaningful limitations that restrict the claimed subject matter beyond an abstract idea.” Pet. 27. In this regard, Petitioner argues that the claims recite only generic computer elements and functions that were well-known and conventional. Id.; see id. at 26–30. Petitioner argues that the steps of maintaining a database of data element values and maintaining a separate data element protection catalogue are simply data-gathering steps and that receiving a request to access a data element value and granting access to that value are insignificant pre- and post-solution activity. Id. at 27–29. Petitioner states that the third limitation of claim 1 “relates to identifying the protection attributes containing the processing rules associated with the data before accessing the data and is another pre-processing step that adds nothing meaningful to the claim.” Id. at 30. Petitioner, further, argues that even when the claimed steps are considered as an ordered combination, “the claim merely requires that the abstract idea be performed on a generic set of databases,” i.e., the application of the abstract idea on some unspecified generic computer.” Id. Claim 1 requires the steps of storing data in databases, where some data are stored as encrypted data element values, associated with a data element type, and a plurality of data processing rules, associated with a data CBM2015-00014 Patent 6,321,201 B1 32 element type, are stored in a separate data protection catalogue. Ex. 1001, 11:15–28. Data processing computers having separate databases, which store associated data and associated attributes, were well-known and conventional at the time of filing the ’201 Patent. See Ex. 1023 ¶¶ 17–20, 23–28. Storing data and associated rules in separate databases is nothing more than routine data gathering and does not transform the abstract idea into a patent-eligible invention. See CyberSource, 654 F.3d at 1370. Claim 1 also recites that the first database has a table structure with rows and columns, which is also conventional and was well-known. See Ex. 1023 ¶ 19. Restricting access to columns or fields of databases is well-understood and conventional activity. See Ex. 1023 ¶ 24. Well-understood, routine, conventional activity does not add significantly more to the abstract idea. Mayo, 132 S. Ct. at 1298. Claim 1 further requires that for each user-initiated measure aiming at processing of a given data element value, a calling is produced to the data element protection catalogue for the protection attributes of the data element type. Ex. 1001, 11:29–34. This is well-understood, routine, conventional activity that does not add significantly more to the abstract idea. Mayo, 132 S. Ct. at 1298; see Pet. 30; Ex. 1023 ¶ 27. Claim 1 finally requires that user’s processing of the requested data element value occurs in conformity with the collected protection attributes. Ex. 1001, 11:35–37. Such granting of access to a user is merely a conventional post-solution activity. Conventional post-solution activity is not sufficient to transform the abstract idea into patent-eligible subject matter. See Parker v. Flook, 437 U.S. 584, 590–92 (1978). CBM2015-00014 Patent 6,321,201 B1 33 Even when the claim elements are considered as a combination, they add nothing that is not already present when the elements are considered separately. Alice, 134 S. Ct. at 2359. Claim 1 conveys nothing more meaningful than the fundamental concept of determining whether access to data should be granted based on whether one or more rules are satisfied. Upon review of Petitioner’s analysis and supporting evidence and taking into account Patent Owner’s arguments, discussed below, we are persuaded by Petitioner that independent claim 1 does not recite additional elements that transform the claim into a patent-eligible application of an abstract idea. We are not persuaded by Patent Owner’s arguments that the claims require additional elements that transform that abstract idea into a patent eligible application (Resp. 36–41) because they are based upon an overly narrow construction of the claimed elements, as discussed in section II(A)(i) above, i.e., the ability of the first database calling out to the data protection catalogue, and based on additional elements not recited or required by the claims, as discussed in section II(B)(ii) above. In addition, we are not persuaded by Patent Owner’s argument regarding DDR Holdings. See Resp. 23–24. Unlike the claimed combination of elements in DDR Holdings, the claims of the ’201 Patent appear to combine elements according to their known functions to achieve routine and conventional results. See DDR Holdings, 773 F.3d at 1257–58. As discussed above, we are persuaded that the databases and access rules recited in claim 1 perform their normal functions and achieve expected results. Patent Owner proffers declarations from Mr. Bill Schmidt (Ex. 2068), CBM2015-00014 Patent 6,321,201 B1 34 Mr. Kurt Pachik (Ex. 2069), and Mr. Ulf Mattsson (Ex. 2066) to demonstrate that the ’201 Patent provides a novel and nonobvious solution to a problem deeply rooted in computer technology. Resp. 30–32. The declarations allegedly show that the invention of the ’201 Patent was used to protect the formula for Coca-Cola from unauthorized access by database administrators or system administrators. Id. Mr. Schmidt’s, Mr. Pachik’s, and Mr. Mattsson’s declarations, however, fail to establish a relationship between the system provided to Coca-Cola and the claims of the ’201 Patent. Mr. Schmidt makes no mention of the ’201 Patent and provides no details as to the system implemented by Coca-Cola. See Ex. 2068. Mr. Pachik, a former employee of Patent Owner, testifies that he “assisted in implementing the solution provided in U.S. Patent Nos. 6,321,201 and 8,402,281 . . . for Coca-Cola” but provides no details of the system. See Ex. 2069 ¶ 5. Mr. Mattsson, Chief Technology Officer of Patent Owner, testifies generally to the technology disclosed in the ’201 Patent, but makes no mention of the system implemented by Coca-Cola. See Ex. 2066. Thus, we are not persuaded by the declarations of Mr. Schmidt, Mr. Pachik, and Mr. Mattsson that the ’201 Patent provides a novel and nonobvious solution to a problem deeply rooted in computer technology. b. Dependent Claims 2–5 and 18 Petitioner argues that dependent claims 2–5 and 18 are directed to basic aspects of data encryption which serve as pre- and post-processing steps that do not limit the abstract idea. See Pet. 31–32. Patent Owner argues that the claims are directed to the very goal of the ’201 Patent, i.e., protecting data in a database at the data element level using encryption. Resp. 42–43. Patent Owner also argues that “Petitioner has provided no CBM2015-00014 Patent 6,321,201 B1 35 evidence that these concepts of pre- and post-processing steps were used in the specific manner recited by the challenged claims.” Id. at 43. Claims 2–5 and 18 require that elements of the databases be encrypted or unencrypted, as well as rules of encryption being the protection attributes of the data element types. Ex. 1001, 11:38–57, Ex Parte Reexamination Certificate 1:52–54. Encrypting data using a cryptographic key and providing the key to authorized users was well-understood and was a conventional activity. See Ex. 1023 ¶¶ 83, 88; Ex. 1005, 8. Encrypting on a field level was also known. Ex. 1005, 8–9. Encrypting data using cryptographic keys is well-known conventional activity. Well-understood, routine, conventional activity does not add significantly more to the abstract idea. Mayo, 132 S. Ct. at 1298. Therefore, we are persuaded by Petitioner that the additional elements of dependent claims 2–5 and 18 provide no meaningful limitations to the abstract idea. c. Dependent Claim 6 Petitioner argues that dependent claim 6 “requires the rules to restrict access to data based on a specific program, or version of a program,” and that such a concept for restricting access was well-known. Pet. 31–32 (citing Ex. 1023 ¶¶ 33, 34). Patent Owner argues that Dr. Shamos’ testimony is false, as he acknowledged that it is the application, and not the operating system, that decides what can be opened. Resp. 43 (citing Ex. 2064 90:18–91:1). Patent Owner also argues that statements about backward-compatibility do not involve operating or database systems, and that all of Dr. Shamos’ testimony should be entitled little or no weight. Id. at 44. We are persuaded by Petitioner’s assertions. CBM2015-00014 Patent 6,321,201 B1 36 Claim 6 recites, in part, “attributes stating rules for which program/programs or program versions is/are allowed to be used for managing the corresponding data element values in the first database.” Ex. 1001, 11:60–62. Although Petitioner’s arguments and evidence may be directed to the behavior of applications, and not operating systems, they still demonstrate the use of limiting access based on a program or version of a program. Dr. Shamos’ testimony demonstrates that such restrictions were known in the relevant timeframe, and we are persuaded by Petitioner that the additional elements of dependent claim 6 provide no meaningful limitations to the abstract idea. d. Dependent Claim 7 Petitioner argues that dependent claim 7 requires that the rules relate to logging of values in the first database, but that activity logging was well- known, and the limitations of claim 7 incorporate well-known concepts and serve as meaningless pre- and post-processing steps. Pet. 32 (citing Ex. 1023 ¶ 35). Patent Owner responds that Petitioner’s arguments and its declarant’s testimony are conclusory. Resp. 44. Based on the testimony and arguments supplied by Petitioner, we are persuaded that logging was well- known and the limitations of claim 7 provide no meaningful limitations to the abstract idea. e. Dependent Claims 19–26 Dependent claims 19 and 20 require the storage of the data element types and processing rules as specific types of data within the data element protection catalogue. Ex. 1001, Ex Parte Reexamination Certificate 1:55–65 (with claim 19 being corrected by a Certificate of Correction). Petitioner argues that “[i]t was standard in relational database systems, CBM2015-00014 Patent 6,321,201 B1 37 however, to store data element types and protection attributes as data in the database.” Pet. 32 (citing Ex. 1023 ¶ 37). Patent Owner disputes that the additional elements provide no meaningful limitation. Resp. 44–45. Patent Owner argues that the ’201 Patent demonstrates that the claimed association between data element types and data element values was novel. Id. Additionally, Patent Owner argues that Petitioner’s statements are unsupported. We do not agree with Patent Owner. Encryption and other processes performed on a field level were known. Ex. 1005, 12. Simply storing data in particular forms, without more, is a well-understood, routine, conventional activity that does not add significantly more to the abstract idea. Mayo, 132 S. Ct. at 1298. With respect to claims 21–26, Petitioner argues that the limitations of those claims relate to functionally generic aspects of a relational database, and present no meaningful limitations to the abstract idea. Pet. 32–33 (citing Ex. 1023 ¶¶ 38–44). As discussed above, we are persuaded that the limitations of claims 21–26 are directed to conventional database operations. See Ex. 1006, 399. Thus, we are persuaded by Petitioner that the additional elements of dependent claims 19–26 provide no meaningful limitation to the abstract idea. f. Dependent Claims 27–29 With respect to claims 27–29, Petitioner asserts that “[r]equiring security measures to be followed for every data request was well-known in the art at the time and the fundamental teaching of Hoffman.” Pet. 33 (citing Ex. 1023 ¶ 45). See also Ex. 1005, 8 (“[A]ccess can be controlled at arbitrary levels, even at the bit level”). Similarly, Petitioner asserts that CBM2015-00014 Patent 6,321,201 B1 38 access requirements not based on user identity and not changeable by users were well-known. Pet. 33 (citing Ex. 1023 ¶ 45). Patent Owner counters that Petitioner has provided no concrete evidence, that elements of the claims were novel at the time of invention, and that Petitioner has not demonstrated that the limitations of the claims were used in the specific manner recited by those claims. Resp. 45. Based on the evidence and arguments supplied by Petitioner, we are persuaded that it was well-known to restrict access on the basis of user actions and that the restrictions applied would not generally be accessible to the users, as that would logically defeat the process of the restrictions. As such, we are persuaded by Petitioner that the additional elements of dependent claims 27–29 provide no meaningful limitation to the abstract idea. g. Dependent Claims 30–35 Petitioner argues that dependent claims 30–35 relate to storing databases in different locations and replicating databases for redundancy, and that such processes were well-known, and the claims incorporate conventional and well-known aspects of distributed database systems. Pet. 33–34 (citing Ex. 1023 ¶ 46). Patent Owner argues that Petitioner has presented no evidence and that its arguments should be rejected as being conclusory. Resp. 45. We agree with Petitioner that the distribution of databases was well-known and it would be logical to distribute data, if possible, to increase redundancy. As such, we are persuaded by Petitioner that the additional elements of dependent claims 30–35 provide no meaningful limitation to the abstract idea. CBM2015-00014 Patent 6,321,201 B1 39 v. Conclusion Based on the arguments and evidence presented by Petitioner, we determine that Petitioner has established by a preponderance of the evidence that claims 1–7 and 18–35 of the ’201 Patent are directed to ineligible subject matter under 35 U.S.C. § 101. D. 35 U.S.C. § 103 i. Obviousness over Hoffman and Codd – Claims 1, 5, 6, 18, and 27–29 Petitioner asserts that claims 1, 5, 6, 18, and 27–29 are obvious over Hoffman and Codd. Pet. 34–49. Hoffman “presents a model for engineering the user interface for large data base systems in order to maintain flexible access controls over sensitive data.” Ex. 1005, 8. “Access control is based on sets of procedures called formularies. The decision on whether a user can read, write, update, etc., data is controlled by programs (not merely bits or tables of data) which can be completely independent of the contents or location of raw data in the data base.” Id. Hoffman discloses that the database could take a variety of different forms: “some users will manipulate data structures—such as trees, lists, sparse files, ring structures, arrays, etc.—which are accessed by algorithms specifically designed for these structures.” Id. at 11. Figure 2 of Hoffman is reproduced below. CBM2015-00014 Patent 6,321,201 B1 40 Figure 2 of Hoffman depicts a user / database interface Hoffman also discloses that the formulary model is concerned with individual data elements, where those elements can be encrypted and decrypted using SCRAMBLE and UNSCRAMBLE procedures as prescribed by the formulary. Id. at 9, 12. Additionally, “[a]ccess control is not restricted to the file level or the record level, . . . access can be controlled at arbitrarily lower levels, even at the bit level.” Id. at 8. Petitioner also argues that “[o]ne of ordinary skill in the art would understand that Hoffman teaches a modular set of formulary procedures with associated functions to be applied to different data elements.” Pet. 38 (citing Ex. 1023 ¶ 88). Additionally, Hoffman discloses a formulary comprising blocks labeled “ACCESS” and “CONTROL,” as shown in Fig. 2, above, and Petitioner argues that one of ordinary skill in the art would have understood blocks to constitute an “organization of structured data,” because the procedures must be organized so that they can be retrieved from memory CBM2015-00014 Patent 6,321,201 B1 41 and executed on demand. Pet. 39. Petitioner alleges that this formulary is equivalent to the claimed “data protection catalogue,” with the formulary including procedures that control access to and the operations performed on data element values. Id. Also, Hoffman discloses accessing the protection attributes in response to a data request. To access data elements, a user communicates with ACCESS through TALK. Ex. 1005, 11. TALK gets information about the data being requested and the operation the user wishes to perform on the data. Id. TALK translates the data information into an internal identification of the data used by ACCESS to carry out the operation. Id. ACCESS handles all requests for operations on the database, including invoking formulary procedures such as CONTROL, which, as described above, determines whether or not the requested operation to the data is permitted. Id. at 11, 16. Petitioner also alleges that to the extent that Hoffman is not deemed to disclose a database, such a database is disclosed by Codd. Codd describes the structural aspects of relational databases, disclosing that “[a] relational database is a time-varying collection of data, all of which can be accessed and updated as if they were organized as a collection of time-varying tabular (nonhierarchic) relations.” Ex. 1006, 399. Petitioner also alleges that “[b]y 1996, relational databases were a well-known database structure” (Ex. 1023 ¶¶ 80–83), and that a person of ordinary skill in the art in 1996 looking to implement Hoffman would naturally use the relational database structure of Codd to store the data to be protected. Pet. 37. Patent Owner argues that Codd and Hoffman are incompatible. Resp. 54–56. Patent Owner asserts that Hoffman relies upon linear storage and CBM2015-00014 Patent 6,321,201 B1 42 requires that the system programmer have intimate knowledge of how the data was stored, but that Codd relates only to relational databases, which do not require understanding how the stored data was structured. Id. at 54–55. Additionally, Patent Owner argues that Codd’s relational database supplanted Hoffman’s formularies, and that Codd fails to disclose encryption. Id. at 55. As well, Patent Owner argues that Hoffman and Codd teach away from the proposed combination because “Codd shows a way to avoid the intricacies and complications with managing how the underlying data is structured, while Hoffman proposes a solution to deal with the fact that the underlying data is hard to find and manage.” Id. at 56. We do not agree. Patent Owner’s arguments are premised on Hoffman only allowing for the location of data stored in a database, but Hoffman is more broadly directed to controlling the processing of data through formularies. See Ex. 1005, 8. We agree with Petitioner that Codd’s relational database did not supplant Hoffman’s formulary, but instead would have shown one of ordinary skill in the art that it would have been obvious to use Codd’s relational database as the database to store the data within the formulary model. See Pet. 36–37. Additionally, we are not persuaded that the different processes employed by Hoffman and Codd would constitute a “teaching away” from their combination. See In re Fulton, 391 F.3d 1195, 1201 (Fed. Cir. 2004). Lastly, we are not persuaded that any lack of discussion in Codd of encryption is a deficiency because Hoffman discusses encryption and the obviousness ground is over both Hoffman and Codd. Patent Owner also argues that because of the architectural differences between the ‘201 Patent and Hoffman and Codd, the combination cannot CBM2015-00014 Patent 6,321,201 B1 43 render certain claim elements obvious, such as “for each user-initiated measure aiming at processing of a given data element value (DV) in the first database (O-DB), initially producing a calling to the data element protection catalogue.” Resp. 57–61. Patent Owner’s arguments are akin to arguments requiring bodily incorporation of one reference into another. See In re Keller, 642 F.2d 413, 425 (CCPA 1981) (“The test for obviousness is not whether the features of a secondary reference may be bodily incorporated into the structure of the primary reference.... Rather, the test is what the combined teachings of those references would have suggested to those of ordinary skill in the art”). The teachings of Hoffman can be applied to Codd, without requiring every aspect of each reference to remain the same in the combination. Further, as discussed above, we are not persuaded by Patent Owner’s argument that “[u]nder the ’201 Patent, the database itself then produces a compelling calling to a separate database to gather (and then enforce) protection attributes.” Resp. 57–58. Lastly, although Patent Owner argues that the given data element value in the first database must be read as the unencrypted data element value, and that the processing request must be aimed at the unencrypted (given) data element value, we do not agree with Patent Owner’s formulation, as discussed above in Section II.A.iv. Patent Owner argues that Hoffman does not disclose protection attributes as recited in claim 1. Resp. 61–63. Patent Owner argues that Hoffman discloses that access control is made by a program, as opposed to bits or a table, where the ’201 Patent makes clear that the protection attributes are information stored in the second database, such that Hoffman teaches away from the claimed protection attributes. Id. at 61 (citing Ex. CBM2015-00014 Patent 6,321,201 B1 44 1005, 589). Patent Owner also argues that the Petition fails to demonstrate how the protection attributes are collected, or which elements of Hoffman constitute the separate claim elements of “protection attributes” and “processing rules.” Id. at 62–63. We do not agree. The ‘201 patent Specification describes protection attributes as data which provide the complete information on the processing rule or data that when combined with other information state the processing rule. See Ex. 1001, 3:26–34. Thus, we do not find the Specification or claims to limit “protection attributes” to bits or information in a table. Further, Hoffman describes a formulary as having a “set of procedures and their associated functions [which] are the essential elements of the formulary model of access control.” Ex. 1005, 11. See Pet. 44–45. Therefore, we do not find Patent Owner’s arguments to be persuasive. Patent Owner also argues that Hoffman does not disclose that “each data element value (DV) is linked to a corresponding data element type.” Resp. 63–64. Patent Owner continues that the Petition only provides an association between the user, the terminal, and the formulary, but does not indicate what part of Hoffman discloses a data element value or a data element type. Id. at 63. We do not agree. The Petition identifies in Hoffman that once a formulary is connected, “CONTROL” accepts the internal data name and the operation to be performed. See Pet. 38, 43–45 (citing Ex. 1005, 8). We are persuaded that one of ordinary skill in the art would understand that Hoffman discloses that the characteristic of a data element is used to apply the formulary procedure, and that would be equivalent to the data element types of the ’201 Patent, such that access depends on the data rather than the user. Therefore, we find CBM2015-00014 Patent 6,321,201 B1 45 the position taken by Petitioner in the Petition to be both clear and reasonable. Patent Owner argues that data element-type protections is fundamentally different from user-based data access control. Resp. 64–66. Patent Owner further asserts that “the ‘201 Patent’s data protection catalogue requires that protection attributes be linked to data element types independent of the user.” Id. at 66 (citing Ex. 1001, 11:25–28). First, we note that the challenged claims, like claim 1, do not recite that the protection attributes are independent of the user, as argued by Patent Owner, but only state that “protection attributes stat[e] processing rules for data element values (DV).” Additionally, we are not persuaded that user-based and data- based restrictions are mutually exclusive. Patent Owner’s declarant, Dr. Direen, agrees that access privileges are distinct and separate from encryption and decryption privileges to the protected data, and that systems may have both. See Ex. 2067 ¶¶ 43–44. We are persuaded that both systems disclose user authorization to connect to the database, and processing of the requested data is done in accordance with processing rules associated with that data. Patent Owner also argues that Hoffman does not disclose a second database storing the data protection catalogue. Resp. 66–67. Patent Owner continues that even if the blocks “ACCESS” and “CONTROL” in Hoffman are considered databases, they would be two separate databases and that they cannot be a single second database as required by claim 1. Id. We do not agree. The “comprising” language found in claim 1 connotes that the claim is not exclusively limited to just the elements recited. See Mars Inc. v. H.J. Heinz Co., 377 F.3d 1369, 1376 (Fed. Cir. 2004). Further, we concur with CBM2015-00014 Patent 6,321,201 B1 46 Petitioner’s argument that “to the extent that the Board does not find that the protection catalog of Hoffman has the claimed protection catalog and data element types stored as data element values, IBM DB2, or the references of the DB2 Documentation, cures this ‘deficiency.’” Pet. 56. Implementing the blocks “ACCESS” and “CONTROL” in Hoffman as a single database would have been obvious to ordinarily skilled artisans for the reasons supplied by Petitioner’s declarant. Id. Additionally, Patent Owner argues that claims 2 and 31 make clear, in certain embodiments, the data element protection catalogue is inaccessible to the user, which cannot be met by Hoffman. Resp. 66–67. We would agree that Hoffman and Codd would not meet the limitations of claims 2 and 31, but it is not dispositive because those claims are not subject to the instant ground. Those claims are addressed in subsequent grounds, relying on additional references. Patent Owner argues that Hoffman does not disclose initially producing a calling, per claim 1. Resp. 67–68. Patent Owner continues that “the database system itself must ‘automatically produce a system calling’ to the second database,” and that an application call is not the same as a system call. Id. As discussed above, the ’201 Patent does not describe that the O- DB database produces the compelling calling to the data protection catalogue. See Ex. 1001, 10:44–58 (“is first collected by the system”); see id. at Abstract, 2:54–61, 3:51–65, 4:16–22, 7:57–61 (describing a compelling calling to a data protection catalogue, but failing to describe the compelling calling being produced by the O-DB database). Therefore, we do not agree with Patent Owner’s distinction because we are not persuaded that the database itself must produce the calling, per the challenged claims. CBM2015-00014 Patent 6,321,201 B1 47 Lastly, Patent Owner argues that Petitioner has failed to demonstrate obviousness of the claims. Resp. 68–71. Patent Owner reiterates that the analysis of Hoffman relies on patently unreasonable claim constructions, and that the testimonies of Petitioner’s declarants lack credibility and are unreliable. We do not agree. We are persuaded that Dr. Shamos’ testimony is consistent, stating that Hoffman discloses a data protection catalog (formulary) that includes processing rules. Ex. 1023 ¶¶ 89, 91; Ex. 2070, 112:22–113:4 (analogizing the data protection catalogue and the formulary), 116:12–117:1 (formulary stores processing rules), and 127:17–24 (the procedures of the formulary are the processing rules). Further, we agree with Petitioner that Dr. Shamos interpreted claim terms within the context of the Specification and claims of the ’201 Patent. Reply 23–24. Therefore, we are persuaded that Petitioner has established by a preponderance of the evidence that claims 1, 5, 6, 18, and 27–29 of the ’201 Patent are unpatentable under 35 U.S.C. § 103 as being obvious over Hoffman and Codd. ii. Obviousness over Hoffman, Codd, and Laribi – Claims 2 and 19–26 Petitioner asserts that claims 2 and 19–26 are obvious over Hoffman, Codd, and Laribi. Pet. 50–65. Laribi discloses “a powerful and flexible protection model which includes both authorizations of open systems and constraints of closed systems,” presented in the context of a distributed relational database system. Ex. 1007, Abs. Laribi provides that any query or update to a database has to satisfy the access control rules defined by particular authorizations and constraints, where both those data and the authorizations and constraints are stored in relational databases. Id. at 6. CBM2015-00014 Patent 6,321,201 B1 48 Petitioner argues that ordinarily skilled artisans would have been motivated to combine Hoffman and Laribi because they are both directed to protecting data in databases, their disclosures would have been complementary to one another, and Laribi “reflects evolution in the art of database protections,” with Laribi making reference to Hoffman. Pet. 51 (citing Ex. 1023 ¶¶ 105–106). Petitioner also argues that “a person of ordinary skill in the art would understand how to implement the formulary from Hoffman as an authorization database in Laribi.” Pet. 52. With respect to claim 2, Petitioner argues that Laribi teaches that some of the disclosed constraints control the transmission and storage of data, which are similar to Hoffman’s disclosure of SCRAMBLE and UNSCRAMBLE procedures for storing data. Pet. 53. Petitioner concludes that the combination suggests that encryption is one of the constraints applied to the storage of data, including the data in the constraints and authorization databases. Id. Patent Owner argues that Laribi does not disclose the limitations of the claims because Laribi requires the partitioning of data into accessible and restricted access data, and the need to have two separate database calls to perform any decryption. Resp. 72–73. However, Laribi discloses that the authorization and constraint databases, such as encryption, have access control applied to themselves. Pet. 53 (citing Ex. 1007, Abstract, 6). We are persuaded that claim 2 does not require more than having protection attributes be encrypted in the data protection catalogue and decrypted when called upon. Therefore, even though Laribi’s system requires calling of two separate databases and is database-centric, we are not persuaded that these CBM2015-00014 Patent 6,321,201 B1 49 differences distinguish the combination of Hoffman, Codd, and Laribi from claim 2. With respect to claims 19–26, which recite that the data protection catalogue is implemented in a tabular or relational database, Petitioner acknowledges that Hoffman does not disclose a relational database, but asserts such databases are disclosed in Laribi, and that Hoffman and Laribi would have been readily combined. Pet. 53–58. Patent Owner argues that Laribi’s disclosure of domains in the databases does not include data element types and nowhere discloses the type of data being accessed. Resp. 73–74. Patent Owner also argues that Laribi does not disclose that the authorizations or constraints are stored as data element values. Id. at 74. We do not find the distinctions raised by Patent Owner to be persuasive because the Petition acknowledges that Laribi’s protections as being user- based and relies upon Hoffman for the data-type protections. Pet. 51–52. We are persuaded that Petitioner has established by a preponderance of the evidence that claims 2 and 19–26 of the ’201 Patent are unpatentable under 35 U.S.C. § 103 as being obvious over Hoffman, Codd, and Laribi. iii. Obviousness over Hoffman, Codd, and Shear – Claims 3 and 7 Petitioner asserts that claims 3 and 7 are obvious over Hoffman, Codd, and Shear. Pet. 65–69. Claim 3 recites that each record has a record identifier, with that identifier stored in encrypted form, and claim 7 recites “rules for logging the corresponding data element values in the first database.” Shear describes techniques for preventing unauthorized use of an electronic digital database, for measuring the utilization of the database by authorized users, and teaches controlling access to data in a database. Ex. 1008, 1:6–10, 3:66–4:2. Petitioner argues that activity logging was CBM2015-00014 Patent 6,321,201 B1 50 recognized as a known technique for protecting data, and is disclosed in Shear. Pet. 66 (citing Ex. 1023 ¶ 143). Petitioner continues that it would have been obvious to apply the known technique taught by Shear to the system of Hoffman and Codd as an effective data protection measure within a flexible system. Id. Further, Petitioner argues that it was generally recognized that encryption could be applied to entire databases or to specific cells, with Shear teaching the encryption of index keys as a means of providing additional protection against unauthorized access of the data. Id. at 67 (citing Ex. 1023 ¶¶ 24, 145). With respect to claim 3, Patent Owner argues that claim 3 requires both the protected data and the encrypted record identifier to be stored in the first database, but that Shear stores the index and the encrypted database entries separately. Resp. 75–76. However, Shear discloses that the encrypted index and encrypted database are stored on the same medium 100 and, therefore, discloses the encrypted record identifier stored in the first database. See Pet. 68 (citing Ex. 1008, 10:20–30). Additionally, even if stored separately, we are persuaded that one of ordinary skill in the art could have placed them both in the same location as a simple matter of design choice. Patent Owner also argues that “Shear does not discuss the requirement that the record identifier defined as SID go through the multi- algorithm encryption scheme which is described in the ‘201 Patent.” Resp. 76. Patent Owner’s argument, however, is not based on the claim’s language, but rather on steps disclosed in the Specification, such that it attempts to improperly import limitations from the Specification into claim 3. CBM2015-00014 Patent 6,321,201 B1 51 With respect to claim 7, Patent Owner argues that Shear limits logging to times when the data are being decrypted without tying any such processing to the data element type, whereas the ’201 Patent requires that any logging be stated in the form of a protection attribute that is enforced whenever a data element value is processed. Resp. 76–77. This argument, however, ignores the teachings of Hoffman, which disclose both protection attributes and data element type protection; we are not persuaded that one of ordinary skill in the art would have abandoned these specific teachings in incorporating the activity logging of Shear. We are persuaded that Petitioner has established by a preponderance of the evidence that claims 3 and 7 of the ’201 Patent are unpatentable under 35 U.S.C. § 103 as being obvious over Hoffman, Codd, and Shear. iv. Obviousness over Hoffman, Codd, and Johansson – Claims 3 and 4 Petitioner asserts that claims 3 and 4 are obvious over Hoffman, Codd, and Johansson. Pet. 69–73. Johansson discloses methods for storing data which use identifying information, “such as personal code numbers, as well as associated descriptive information.” Ex. 1024, 1:1–4. The Specification of the ’201 Patent discusses Johansson and provides that those methods “result in increased possibilities of linking and matching with no risk of reduced integrity.” Ex. 1001, 1:33–35. Petitioner argues that one of ordinary skill in the art would have combined Johansson with Hoffman and Codd because Hoffman explicitly recognizes the benefits of flexibly encrypting any type or portion of data desired, and Johansson teaches the benefits of encrypting the record identifier, to create a floating storage ID. Pet. 70. Thus, according to Petitioner, Johansson and Hoffman are both directed to the protection of data in the database, and it would have been CBM2015-00014 Patent 6,321,201 B1 52 obvious to apply the teachings in Johansson to the Hoffman and Codd system because it uses known techniques to add protection to the database. Id. Claim 3 recites that each record has a record identifier, with that identifier stored in encrypted form, and claim 4 recites that “encryption of data is carried out in accordance with a PROTEGRITY principle with floating storage identity.” Petitioner argues that Johansson discloses that “[t]he storage identity SID is, along with the associated descriptive information DI, stored as a record in a storage medium,” which is encrypted. Pet. 70–71 (citing Ex. 1024, 2:18–20). Petitioner also argues that the Specification of the ’201 Patent states that the PROTEGRITY principle is described in Johansson. Pet. 71 (citing Ex. 1001, 1:32–65). Patent Owner argues that the combination of Hoffman, Codd, and Johansson does not anticipate or render obvious all of the elements of claim 1, from which claims 3 and 4 depend. Resp. 77. Patent Owner also cites to the testimony of Dr. Direen, but that testimony merely asserts that “Johansson does not teach concerning Claim 1.” Ex. 2067 ¶ 113. As we are not persuaded as to deficiencies in the ground against claim 1 over Hoffman and Codd, and we are persuaded by Petitioner of the obviousness of combining Hoffman, Codd, and Johansson, we are persuaded that Petitioner has established by a preponderance of the evidence that claims 3 and 4 of the ’201 Patent are unpatentable under 35 U.S.C. § 103 as being obvious over Hoffman, Codd, and Johansson. v. Obviousness over Hoffman, Codd, and Friedman – Claim 6 Petitioner asserts that claim 6 is obvious over Hoffman, Codd, and Friedman. Pet. 73–75. Friedman discloses data access through a grant of CBM2015-00014 Patent 6,321,201 B1 53 data privileges, “apart from specific access mechanisms or operating systems.” Ex. 1010, 4. Instead, the focus is on protecting data and programs, with “[a]uthorization involv[ing] the comparison of restrictions placed on information-data and programs-in files with privileges of users requesting access to this information,” where different programs may have privileges separate from users. Id. at 6, 10. Claim 6 recites that the protection attributes provide rules for which programs or program versions are allowed to be used for managing the corresponding data element values in the first database. Petitioner acknowledges that Hoffman does not disclose controlling access based upon the program, but asserts that this is disclosed explicitly by Friedman. Pet. 74 (citing Ex. 1023 ¶ 163). Petitioner asserts that it would have been obvious to combine Hoffman, Codd, and Friedman because the two fields of Hoffman and Friedman, database systems and file-based systems, “are of sufficient similarity that one of skill in the art relating to database management and access would be motivated to look at the type of protections applied to file based systems to determine whether similar protections could be implemented in a database.” Pet. 74 (citing Ex. 1023 ¶ 164). Patent Owner argues that Friedman teaches away from using a separate data protection catalogue, and one of ordinary skill in the art would have not combined Friedman with Hoffman and Codd. Resp. 77 (citing Ex. 2056; Ex. 2066 ¶ 68). We do not agree with Patent Owner, as Friedman provides an alternate means from a separate data protection catalogue, but still provides that different programs may have privileges separate from users. We are not persuaded that Friedman’s adjacent tagging of data privileges would be taken as a “teaching away” from Hoffman and Codd. CBM2015-00014 Patent 6,321,201 B1 54 Instead, it is merely an alternate provision of data access. See In re Fulton, 391 F.3d at 1201 (“[T]he prior art’s mere disclosure of more than one alternative does not constitute a teaching away from any of these alternatives because such disclosure does not criticize, discredit, or otherwise discourage the solution claimed”). Patent Owner also cites to the Institution Decision finding that “Friedman allows access because the program has provided the prerequisite privilege whereas the [’]201 Patent allows access by the program by checking that it is covered in the data protection catalogue,” arguing that the processes are fundamentally different and not obvious in view of each other. Resp. 77 (citing Dec. 36). However, we also found that a “comparison between Friedman and claims 1 and 6 does not necessarily distinguish those claims from the combination of Hoffman, Codd, and Friedman.” Dec. 36. We continue to be persuaded that the disclosure of Friedman, in the context of Hoffman and Codd, would have motivated one of ordinary skill in the art to provide rules for which programs or program versions are allowed to be used for managing the corresponding data element values. Therefore, we are persuaded that Petitioner has established by a preponderance of the evidence that claim 6 of the ’201 Patent is unpatentable under 35 U.S.C. § 103 as being obvious over Hoffman, Codd, and Friedman. vi. Obviousness over Hoffman, Codd, and Du – Claims 30–35 Petitioner asserts that claims 30–35 are obvious over Hoffman, Codd, and Du. Pet. 76–80. Claims 30–32 relate to storing the data protection catalog and first database in different databases and/or locations. Claims 33–35 relate to replication of the database protection catalogue, including storage in various locations. Du discloses a method “for managing CBM2015-00014 Patent 6,321,201 B1 55 electronic data access among multiple relational databases in a network distributed database environment.” Ex. 1011, Abs. Du discloses storing parts of the same database at different locations (fragmentation), as well as database replication. Id. at 2:23–63. Petitioner argues that one of ordinary skill in the art would have applied the techniques described in Du to Hoffman and Codd, as applying a known technique to a system ready for improvement to yield predictable results. Pet. 76–77 (citing Ex. 1023 ¶ 164). Petitioner also asserts that one of skill in the art would understand that Du discloses storage in a flexible system in which data could be stored in multiple locations and fragmented along different logical lines. Pet. 77–78 (citing Ex. 1023 ¶¶ 168, 171–172, 184). Petitioner asserts that it would have been obvious to apply Du to Hoffman and Codd for the benefits described in Du. Id. Patent Owner argues that although Du describes the distribution of databases at several different locations, each site has its own database administration functions, such that any security check would be entirely self- contained to a particular location. Resp. 77–78 (citing Ex. 1011, 1:26–28). Patent Owner contrasts this with the ’201 Patent which “requires a calling to the data protection catalogue for each user-initiated measure, regardless of where the data protection catalogue is located.” Id. at 78. We are not persuaded, however, that the combination of Hoffman, Codd, and Du would not allow this to occur; any combination by ordinarily skilled artisans would allow for smooth operation with the distant databases. Additionally, claims 30–35 are directed to separation of the first database and the data protection catalogue, and not to whether any additional security checks might be needed for distant databases. CBM2015-00014 Patent 6,321,201 B1 56 Therefore, we are persuaded that Petitioner has established by a preponderance of the evidence that claims 30–35 of the ’201 Patent are unpatentable under 35 U.S.C. § 103 as being obvious over Hoffman, Codd, and Du. III. CONCLUSION We determine that Petitioner has demonstrated by a preponderance of the evidence that claims 1–7 and 18–35 are unpatentable under 35 U.S.C. § 101 as being directed to non-statutory subject matter. We further determine that Petitioner has demonstrated by a preponderance of the evidence that claims 1–7 and 18–35 are unpatentable under 35 U.S.C. § 103 as being obvious over combinations of Hoffman, Codd, Laribi, Shear, Johansson, Friedman, and Du, as discussed in Section II.D above. This is a Final Written Decision of the Board under 35 U.S.C. § 328(a). Parties to the proceeding seeking judicial review of this Decision must comply with the notice and service requirements of 37 C.F.R. § 90.2. IV. ORDER In consideration of the foregoing, it is hereby: ORDERED that claims 1–7 and 18–35 of U.S. Patent No. 6,321,201 B1 are unpatentable. CBM2015-00014 Patent 6,321,201 B1 57 PETITIONER: Michael T. Rosato Robin L. Brewer WILSON SONSINI GOODRICH & ROSATI mrosato@wsgr.com rbrewer@wsgr.com PATENT OWNER: Woodrow H. Pollack GRAYROBINSON, P.A. woodrow.pollack@gray-robinson.com Copy with citationCopy as parenthetical citation
