3/13/2015
`
`Commerce Bancshares Inc., et al. v. Intellectual Ventures
`
`David Goldschlag
`
`Page 1
`
` UNITED STATES PATENT AND TRADEMARK OFFICE
` BEFORE THE PATENT TRIAL AND APPEAL BOARD
`-----------------------------x
`COMMERCE BANCSHARES, INC., :
`COMPASS BANK, and FIRST :
`NATIONAL BANK OF OMAHA, :
` :
` Plaintiffs, :
` : Case No.
` vs. :
` : IPR2014-00801
`INTELLECTUAL VENTURES II, :
`LLC, :
` :
` Defendant. :
`-----------------------------x
` Washington, D.C.
` Friday, March 13, 2015
`
` Deposition of: DAVID M. GOLDSCHLAG, Ph.D.,
`the witness, was called for examination by counsel
`for the Defendants, pursuant to notice, commencing
`at 9:16 a.m., at the law offices of Sterne Kessler
`Goldstein Fox, 1100 New York Avenue, Northwest,
`Washington, D.C., before Dawn A. Jaques, CSR, CLR,
`and Notary Public in and for the District of
`Columbia, when were present on behalf of the
`respective parties:
`
`---------------------------------------------------
` DIGITAL EVIDENCE GROUP
` 1726 M Street NW, Suite 1010
` Washington, DC 20036
` (202) 232-0646
`
`www.DigitalEvidenceGroup.com
`
`Digital Evidence Group C'rt 2015
`
`202-232-0646
`
`Commerce Bancshares, Inc., et al. - Exhibit 1010
`Commerce Bancshares, Inc., et al. v. Intellectual Ventures II, LLC - IPR2014-00801
`Page 1
`
`APPEARANCES:
` On behalf of the Plaintiff:
` JONATHAN M. STRANG, ESQ.
` JON E. BOLJESIC, ESQ.
` Sterne Kessler Goldstein Fox
` 1100 New York Avenue, N.W.
` Washington, D.C. 20005
` PHONE: (202) 772-8893
` FAX: (202) 371-2540
` EMAIL: jstrang@skgf.com
` jboljesic@skgf.com
`
` On behalf of the Defendants:
` ROBERT M. EVANS, JR., ESQ.
` Senniger Powers LLP
` 100 North Broadway
` 17th Floor
` St. Louis, Missouri 63102
` PHONE: (314) 345-7004
` FAX: (314) 345-7600
` EMAIL: revans@senniger.com
`
`Page 2
`
`APPEARANCES (Continued):
` On behalf of Defendant Compass Bank:
` GEOFFREY K. GAVIN, ESQ.
` Jones Day
` 1420 Peachtree Street, N.E.
` Suite 800
` Atlanta, Georgia 30309-3053
` PHONE: (404) 581-8646
` FAX: (404) 581-8330
` EMAIL: ggavin@jonesday.com
`
` ALSO PRESENT (via telephone):
` JASON S. JACKSON, ESQ.
` Kutak Rock LLP
` 1650 Farnam Street
` The Omaha Building
` Omaha, Nebraska 68102-2186
` PHONE: (402) 231-8359
` FAX: (402) 346-1148
`
` ALSO PRESENT:
` Tim R. Seeley, Intellectual Ventures
`Page 3
`
` I-N-D-E-X
`WITNESS: PAGE:
`DAVID M. GOLDSCHLAG, Ph.D.
` Examination by Mr. Evans ............ 5
`
` E-X-H-I-B-I-T-S
`EXHIBIT NUMBER: PAGE:
`1009 Publications of David M.
` Goldschlag .................. 144
`
` PREVIOUSLY MARKED EXHIBITS REFERRED TO
` EXHIBIT NUMBER: PAGE:
` 1001 ......... 78
` 1004 .......... 59
` IV 2011 ....... 98
` Paper 7 ....... 133
` (Institution Decision)
` Paper 1 ....... 134
` (Petition)
`
`Page 4
`
` P R O C E E D I N G S
`Whereupon,
` DAVID M. GOLDSCHLAG, Ph.D.,
` was called as a witness, after having been
` first duly sworn by the Notary Public, was
` examined and testified as follows:
` EXAMINATION BY COUNSEL FOR THE DEFENDANTS
` BY MR. EVANS:
` Q What is your full name?
` A David Goldschlag.
` Q What is your educational background?
` A I have a Ph.D. in computer science
`from the University of Texas at Austin, and a BS
`in computer science, and a minor in mathematics
`from Wayne State University.
` Q And when did you earn the Ph.D.?
` A I got my Ph.D. in May of 1992.
` Q And how about the BS in computer
`science?
` A BS was 1985.
` Q Did you work after you got your BS, or
`did you go straight into school for your Ph.D.?
`
`Page 5
`
` A I worked during college, and then I
`continued directly into my Ph.D.
` Q And who did you work for?
` A I worked for Ford Motor Company while
`I was in college.
` Q What did you do for Ford?
` A I did programming.
` Q What language?
` A FORTRAN, PL/I.
` Q And your thesis for your Ph.D., what
`was the topic?
` A The title of the thesis was
`Mechanically Verifying Concurrent Programs.
` Q What does that concern?
` A Concurrent programs are what are now
`known as distributed systems. It's computer
`systems that solve problems with pieces of the
`program running on different computers, either
`nearby or geographically distributed, and the
`problem we were trying to solve was how do you
`predict the behavior of a complex distributed
`system.
`
`Page 6
`
` Q And when you say how you predict the
`behavior, what needs to be predicted?
` A So, in general, when you build a
`computer system, you have a certain function that
`it's supposed to fulfill in mind, and the question
`is how do you have some assurance that the program
`that you actually make, the distributed system you
`actually make, will solve that problem, will meet
`that functional requirement.
` Q Obviously, there's a timing question.
`You have different variables that are in different
`states as you work your way through a program or
`work your way through a problem, and you have to
`get a timing issue correlated between both of the
`machines, right?
` A Right.
` Q But apart from timing, what other
`kinds of issues do you face in terms of predicting
`behavior?
` A So like you pointed out, distributed
`systems have the complexity of timing issues.
`Different components may not run in exactly the
`Page 7
`
`same rates that you were expecting, and then
`messages may not come in in exactly the time and
`order that you'd expect.
` In general, though, the difficulty
`with gaining assurance about how a computer
`program operates is you might know through testing
`that it works properly on tested data, but you
`don't know that it works on all inputs, and the
`real world always surprises us.
` So the problem that we were solving,
`the approach we took is we would verify it for
`arbitrary inputs, right? So you would say instead
`of testing it on numbers one, two and three, you
`test it on variables A, B and C and see if the
`outputs were the anticipated expected functions of
`the inputs.
` Q After your Ph.D. in 1992, what was
`your next employment?
` A I left Texas, and we moved to
`Washington, D.C., and I worked for the National
`Security Agency. I began that job in 1991.
` Q And National Security Agency, the NSA,
`Page 8
`
`is that the acronym?
` A Yeah.
` Q So when you worked for the NSA in
`1991, what types of responsibilities did you have
`early on?
` MR. STRANG: I'd like to caution the
`witness not to reveal any classified or
`confidential information.
` THE WITNESS: Thank you. So I can't
`drill down too far on that.
` BY MR. EVANS:
` Q I'm not looking for you to drill down.
`I'd just like a flyover.
` A So the NSA had a strong interest in
`being able to produce reliable systems that in the
`context of faults, right, or unusual behaviors,
`right, it would continue to function properly, and
`that mapped back to my graduate work.
` Q Is that like a Hamming code where you
`get errors and you can self-correct and keep
`going, or in the computer context where you're
`trying to keep the system up and running even
`Page 9
`
`though you might have some faults?
` What types of -- broadly, what types
`of instabilities do you have in a system you had
`to overcome?
` A Yeah, so the broad categories include
`the stuff that everybody would worry about, right?
`Does the program have an unknown flaw, right?
` I think at the time that Intel had the
`Pentium bug, which was a fault in long division;
`that was just an example of testing, didn't detect
`everything.
` You might also have then edge cases,
`and you may have timing issues. You may have
`faults injected, right, either happening or
`injected by the environment or by the adversary,
`and so a lot of this is how do you model both the
`system that you're trying to predict its behavior
`and the environment in which it's operating in
`order to show that, you know, with the right
`assumptions, it's behaving the right way.
` Q How long did you work for the NSA?
` A I worked for the NSA for two years
`Page 10
`
`until 1994.
` Q And what was your next employment
`after the NSA?
` A I left the NSA for another government
`job. I worked for Naval Research Laboratory; the
`acronym there is NRL. They're located in
`Washington, D.C.
` Q What did you do for the NRL?
` A NRL was a research shop. The group I
`was working on did both basic and applied research
`in computer security.
` Q What types of categories of computer
`security did you work on?
` A We did a wide variety of things. When
`you look at my publications, you'll see from
`there.
` We did database security. We did
`multilevel security, how do you move data from one
`government classification level to another that
`has analogies in the commercial world as well.
` We did modeling of systems for
`predictable behavior, not unlike what I was
`Page 11
`
`describing for my NSA work.
` The work that probably received the
`most attention when I was at Naval Research
`Laboratory was I was one of the coinventors of
`onion routing. Onion routing is now called Tor,
`capital T, little O-R.
` Onion routing was a system funded by
`the government that's become in relatively wide
`use today to secure private communication over the
`Internet.
` Q And, broadly, the concept of onion
`routing is that by using multiple routers,
`connecting data from the entry point to the
`delivery point, you make it what, harder to track
`or harder to accept, or what is the security
`component?
` A Yeah, so the problem -- I think you're
`getting to the right picture, the right topology.
` The problem that we were trying to
`solve is that an observer of the Internet can see
`the traffic on the Internet and can therefore see
`who's talking to whom.
`
`Page 12
`
` But by routing the messages through a
`series of notes, called onion routers, you can
`hide who's talking to whom. In fact, you could
`hide who's talking to whom even from those notes
`in the network, those routers in the network.
` Q So you know what they're saying, you
`just don't know who's saying it, and you don't
`know to whom it's being said?
` A Well, in general, when you use the
`Internet today using HTTPS, for example, you don't
`know what people are saying.
` Q If you encrypt it, that's a different
`issue?
` A Right. So in general, you encrypt
`anyway, and then if you route it through the
`onion routers, you can't track it.
` Q So onion routing is I can't tell who's
`talking to whom, right?
` A That's correct.
` Q But if I don't encrypt, I can know
`what they're saying?
` A A consequence of onion routing is you
`Page 13
`
`get encryption for free.
` Q So you encrypt the message as well?
` A That's right. The technique that's
`used for the routing is encryption.
` Q What types of network security issues
`did you work on with the NRL?
` A So we worked on a variety of --
` Q Let me be more specific because I
`don't want to veer off in other directions.
` Did you do any work where you were
`trying to detect attacks on a computer system?
` A Some of my work at NRL was related to
`attacks -- was related to attacks beyond the onion
`routing work, which was related to attacks of
`discovery of who's talking to whom.
` Covert channels was an example of
`attacks on networks of how do you infer
`information about what a system is doing based on
`how it's interacting with the outside world.
` Q Did any of your work involve trying to
`sense patterns of attacks to use the pattern
`activity to identify that a system was being
`Page 14
`
`attacked by an outsider?
` A Absolutely. So both covert channels
`and onion routing, right, as examples, are highly
`statistical based, right, because, for example, in
`onion routing, if only one user is using the onion
`routing network, you know who's talking to whom.
` So you need to be able to have enough
`traffic on the network in order to determine -- to
`get good hiding, okay. So statistics and
`anomalies, right, and being able to infer things
`that are happening was a large part of that
`problem.
` Q Any other types of detection
`techniques you used to sense whether or not
`someone was attacking your computer system during
`your work with the NRL?
` A So we did some work -- this is going
`way back, right, so I'm thinking.
` We did work on moving data from low
`computer systems to higher, right, which included
`protecting both ends of the network.
` Q When you move data or you move
`Page 15
`
`information from a low level to a higher level,
`what types of issues do you have to address?
` A So you're worried both about data
`security. You're worried that, along with the
`data movement, commands will come into the system
`in order to change the integrity of the system.
` So it might be okay to move data
`upwards, but it's not okay for commands to come in
`that will affect the system.
` There's clearly buffer overflow
`attacks and things like that when you're moving
`things upward that can take advantage of flaws in
`the system no matter how much you secure the
`channel.
` So all of the usual problems that come
`into place, for example, with Web-based systems,
`right, where you put a firewall in front of the
`system to guarantee that the traffic isn't taking
`advantage of vulnerabilities behind or part of the
`environments that we were working in.
` Q When you say move data up, what do you
`mean by up as distinguished from down? I'm trying
`Page 16
`
`to understand the difference.
` A It's kind of like north and south,
`yeah. So moving from a less sensitive place to a
`more sensitive place. So, for example, when you
`take information from the Internet and bring it
`into a commercial system, that's an enterprise
`system, that's bringing information from a less
`trusted place to a more trusted place.
` From government speak, it's bringing
`it from a lower level of classification, perhaps
`unclassified, to a higher level of classification,
`perhaps secret.
` Q And you mentioned that commands could
`move in. By those you mean attacks where someone
`is going to sneak some kind of a virus or a bug or
`something into the data so that when it gets
`inside the firewall, when it gets at the higher
`level, it then operates in ways that you don't
`want it to as the owner, but the attacker wants it
`to as the person who's trying to disrupt things?
` A That's right. That's correct.
` Q How long did you work for the NRL?
`Page 17
`
` A I worked for the NRL from 1994 to
`1997.
` Q And what was your next employment
`after that?
` A I moved from NRL to Divx, D-I-V-X,
`capital D, which was a subsidiary of Circuit City.
` Q How long did you work for them?
` A I worked for Divx for two years, from
`1997 to 1999.
` Q And what did you do for Divx?
` A At Divx, I was responsible for their
`security infrastructure.
` Q And does that mean you were
`responsible for all the infrastructure at Circuit
`City because Divx was the subsidiary who handled
`it, or was it something different than Circuit
`City?
` A So Divx's core business was to be able
`to distribute and sell on behalf of the movie
`studios unlimited license DVDs, so it was kind of
`a one-way DVD rental system, where instead of
`going to Blockbuster and renting a videotape -- do
`Page 18
`
`you remember those at the time? So instead of
`renting a videotape, and then forgetting to return
`it and being charged a late fee, okay, you would
`buy a disk for, I don't remember, four and a half
`dollars, that included a two-day rental window
`that began only when you started to use the disk,
`not at the time of rental, and then after you used
`it, you could throw the disk out. So it was a
`one-way rental system.
` Q And after two days, you changed the
`code on the disk in some manner so it couldn't be
`read any further?
` A Disks are read only, so you couldn't
`change the disk.
` You would record -- when an encrypted
`disk was used, it needed permission from the Divx
`store, so the encryption in many cases is used
`sometimes to protect data, but sometimes to force
`interaction with a management service, and that's
`what happened here at Divx.
` Q So the disk would phone home, it would
`be told, okay, go ahead and tell them what's going
`Page 19
`
`on or play the movie, and after two days it would
`say don't play the movie anymore?
` A Right. It was actually the box that
`the disk was played in, but the DVD would phone
`home, that's right.
` So I was responsible there -- just to
`tie back to your original question, I was
`responsible there for the security infrastructure
`that was used to create these movies, as well as
`to protect, control the playing back of the movies
`on the specialized DVD players that the consumers
`would buy.
` Q What was your next employment after
`that?
` A My next employment after that was at
`USinternetworking. I began there in 1999.
` Q And how long were you employed there?
` A I was CTO at USinternetworking for
`about two years.
` Q 2001?
` A I think that's correct.
` Q You said U.S. internetting (sic)?
`Page 20
`
` A I'll say it more carefully.
`USinternetworking.
` Q Internetworking.
` A Capital U, capital S. It was
`sometimes known as USI.
` Q What line of business was
`USinternetworking in?
` A So USinternetworking was formed during
`the first Internet boom, okay, which we probably
`remember, okay. USinternetworking was what was
`known at the time as an application service
`provider, ASP, which later became known as SAS,
`software as a service.
` So USinternetworking ran a data
`center, and within that data center ran
`application services for its enterprise customers.
` Q What was your responsibility in that
`context as CTO?
` A As CTO, I was generally responsible
`for security and architecture, and being able to
`make the operation of the company more efficient
`than the customers could do themselves, right.
`Page 21
`
` How do you gain efficiency by bringing
`all of these different applications under one
`roof, while maintaining security in isolation of
`enterprise data from the other customers on the
`same network?
` Q How many employees did your company
`have at that point, USinternetworking?
` A USinternetworking, I'm guessing
`because it was a while ago, probably had about a
`thousand employees.
` Q And of those thousand employees, how
`many reported to you?
` A So I had various responsibilities over
`time. At times I was responsible for a small
`group, at times I was responsible for about half
`of the data center operations group. So I don't
`remember exact numbers.
` Q Can you give me just -- was it 5
`employees? 50 employees? 500 employees? Just a
`sense of magnitude.
` A It probably ranged from five to a
`hundred.
`
`Page 22
`
` Q And those five to a hundred employees
`for whom you were responsible, what was the range
`of job responsibilities they had?
` A So in the operations part of the
`business, I had responsibility for the security
`group, and for the networking group, and for the
`management systems group.
` Q How many were in the security group?
` A I wouldn't remember. I'd have to look
`back, and I don't know if I have those notes.
` Q Was it like 5 or 10? 50? I'm just
`trying to get a sense of size. 2?
` A Take the sizes that I said and split
`them up by the number of groups. So, again,
`I'm --
` Q I think you said 5 to 100, so you'd
`say 2 to 33, roughly?
` A Yes.
` Q At various times?
` A Yeah, in the various groups.
` Q What was your next employment after
`USinternetworking in 2001?
`
`Page 23
`
` A So after USinternetworking, I started
`a small company called Keysec.
` Q How do you spell that?
` A K-E-Y-S-E-C.
` Q And what did Keysec do?
` A Keysec was a start-up trying to solve
`the encrypted storage problem.
` Q And what was your approach for solving
`the encryption storage problem?
` A So we had a key management mechanism
`that would protect the key and produce a key that
`would be used to secure data at rest.
` For example, where a company was using
`a third-party storage provider to store data, kind
`of what people call today cloud storage. So how
`do you protect the data although the data is not
`under your control?
` Q You use, what, RSA encryption with a
`private key? Is that what you're talking about?
` A It's a combination of public/private
`key, as well as symmetric key. You wouldn't use
`public/private key for the actual encryption of
`Page 24
`
`the data that's stored, just like you wouldn't use
`it for encryption of the data in transit; it's too
`slow. But you use the public/private key for the
`protection of the keys that are used to encrypt
`the data.
` Q I see. So you encrypt the keys with
`an RSA algorithm, and then you use just a specific
`key, no public/private, just a specific encryption
`key, encrypt the data, and then you store the
`encrypted data?
` A That's right, and that second key is
`called the symmetric encryption key.
` Q That makes sense.
` How did that work for you?
` A So that company -- start-ups sometimes
`don't succeed. That one did not succeed.
` Q And looking back, what was the reason
`it didn't succeed if you had three bullet points
`on a PowerPoint sheet?
` A We needed to raise money, and we
`needed to move faster in getting customers.
` Q So you would say it was a business
`Page 25
`
`execution issues as distinct from technological?
` A I think that that's fair.
` Q After Keysec -- how long did that
`last? You started 2001. How long did that
`company --
` A I think two years.
` Q 2003?
` A Yeah.
` Q What was your next employment after
`Keysec?
` A I went and worked for a company,
`another start-up, called Trusted Edge.
` Q And how long did Trusted Edge, your
`employment there last?
` A I worked with Trusted Edge until 2006.
`The company was sold to a document management
`company in the Washington, D.C. area.
` Q What did you do for Trusted Edge?
` A I was responsible for product and
`product strategy. I think I ended there with the
`title of CTO.
` Q Was Trusted Edge your start-up, or
`Page 26
`
`were you an employee of someone else's start-up?
` A I was an employee of the start-up. I
`was brought into the start-up through the VC firm,
`a local D.C. firm called Novak Biddle.
` Q And what types of responsibilities did
`you have for Trusted Edge?
` A There I was responsible for technology
`and product strategy.
` Q Product strategy was a business
`function?
` A In the start-up world today, product
`strategy is always a combination of technology
`strategy and matching that to the market.
` Q What aspects of technology were you
`responsible for during your work at Trusted Edge?
` A I was responsible for all aspects of
`technology strategy.
` Q And what aspects -- or what was
`implicated by that?
` A So we were both a rights management
`company, how do you protect data and control
`access to it, okay. That sounds a lot like the
`Page 27
`
`Divx story, but this was for enterprise and for
`documents, not for movies.
` We also had technologies for
`controlling access and for securely shredding --
`digitally shredding documents and data when they
`were no longer supposed to be accessed or supposed
`to exist.
` Q When you say digitally shredded,
`that's where you clear a hard drive, remove all
`data from the hard drive and make it impossible to
`repoint it or reconfigure it, recover it. You
`literally take its media and you reduce it to
`random noise or something?
` A Yeah. So I think the last phrase you
`had is the most accurate part. What we would
`actually do is since all content that we protected
`was encrypted, the way to shred it would be to
`destroy the key, because then all you're left with
`is the random bits, which at that point are noise.
` Q And when you say you destroy the key,
`how do you make certain that someone doesn't have
`a copy of the key?
`
`Page 28
`
` A So the key, that's where the guts of
`the system are, and how do you make sure that the
`key itself, okay, is always only made available to
`components of the system that can be trusted to
`destroy the key, right, either when they're
`finished with it or when they're no longer
`authorized to see it.
` Q Did you ever use the technique where
`you just load random bits into a memory to wipe
`out whatever was there and store noise just to
`make sure that if somebody did have a second key,
`that they couldn't recover the data?
` A So we didn't do that at Trusted Edge.
`We did that in government work at Trust Digital
`where it was an added requirement to overwrite
`memory even if the memory was previously
`encrypted.
` Q When you were at Trusted Edge, did you
`do any work trying to thwart any attacks on the
`computer systems?
` A Yeah. So this was a data security
`problem, right, where what you needed to be able
`Page 29
`
`to know is who was using the data, were people
`trying to use the data without permission? Were
`people trying to get the key, right, like we
`talked about, without authorization.
` Q What was your next employment after
`Trusted Edge?
` A I joined another start-up that had
`been in existence for about three years called
`Trust Digital. The first word is the same, and
`that was a source of confusion for several years.
` Q You started that in what year?
` A I joined them in 2006.
` Q And how long were you there?
` A I was there until Trust Digital was
`acquired by McAfee in 2010.
` Q And what was your title at Trust
`Digital?
` A At Trust Digital, I had a variety of
`responsibilities. I was responsible for product,
`then I became CTO, and I ended as President.
` Q When you say you were responsible for
`product, what did that involve?
`
`Page 30
`
` A Product is the software and solution
`that we were building, right, and testing and
`delivering to customers.
` Q So would you characterize your work
`for the product as being software development
`work?
` A Right, as well as the research
`necessary to build that software.
` Q And when you became the CTO, how did
`your responsibilities change?
` A I was probably more responsible for
`technology strategy, okay, and IP, as well as
`company strategy than being responsible for
`development.
` Q When you say you were responsible for
`IP, what does that mean?
` A Oh, I'm sorry. Intellectual property,
`patents.
` Q Right, but what aspects of that were
`you responsible for?
` A So, in general, we invented new
`things, and we would file patents on those.
`Page 31
`
` Q Which law firms did you use to file
`th
