BEFORE THE PATENT TRIAL AND APPEAL BOARD

AMAZON.COM, INC., AMAZON DIGITAL SERVICES, INC., AMAZON FULFILLMENT SERVICES, INC., HULU, LLC, and NETFLIX, INC.,
Petitioners
v.
UNILOC LUXEMBOURG, S.A.,
Patent Owner

Case IPR2017-00948
Patent No. 8,566,960

SUPPLEMENTAL DECLARATION OF DR. AVIEL RUBIN IN SUPPORT OF PETITIONERS' OPPOSITION OF PATENT OWNER'S CONTINGENT MOTION TO AMEND

Petitioners Amazon, Hulu, and Netflix
Exhibit No. 1031, p. 1

Supplemental Declaration of Dr. Aviel Rubin in Support of Petitioners

1. My name is Dr. Aviel Rubin.

2. I have been engaged by Petitioners Amazon.com, Inc., Amazon Digital Services, Inc., Amazon Fulfillment Services, Inc., Hulu, LLC, and Netflix, Inc. to investigate and opine on certain issues relating to U.S. Patent No. 8,566,960 (Ex. 1001) (“the ’960 Patent”) in connection with IPR2017-00948.

3. I possess the knowledge, skills, experience, training, and education to form an expert opinion in this matter. Ex. 1030 is a copy of my curriculum vitae. This declaration supplements my previous declaration in this matter, dated February 17, 2017 (Ex. 1002), and incorporates the information and opinions presented in my earlier declaration.

4. I understand that Patent Owner, Uniloc Luxembourg, S.A. (“Uniloc”), has filed a Contingent Motion to Amend Claims 1, 22, and 25 of U.S. Patent No. 8,566,960 in IPR2017-00948 (Paper 17) (the “Motion to Amend”). I understand that the Motion to Amend includes proposed substitute claims 26-28, which purport to amend original claims 1, 22, and 25 of the ʼ960 patent, respectively. I have reviewed the Motion to Amend, including the proposed substitute claims.

5. In forming my opinions, I have studied and relied on the information and evidence identified in my previous declaration, as well as the additional information and evidence identified in this declaration, including U.S. Patent 7,752,139 (“Hu”) (Ex. 1026), U.S. Patent 5,490,216 (“the ʼ216 patent”) (Ex. 1010), U.S. Patent 8,234,302 (“Goodwin”) (Ex. 1032), International Patent Publication No. WO2007/046706 A1 (“Birdstep”) (Ex. 1033), the ’960 Patent (Ex. 1001), and the Motion to Amend.

6. I have also considered U.S. Provisional Patent Application No. 60/988,778 (Ex. 2005) and U.S. Patent Application No. 12/272,570 (Ex. 2004), which I understand are the applications that became the ʼ960 patent.

7. This declaration is based on the information currently available to me. To the extent that additional information becomes available, I reserve the right to continue my investigation and study, which may include a review of documents and information that may be produced, as well as testimony from depositions that may not yet be taken.

8. I have formulated my opinions from the perspective of a person of ordinary skill in the art (“POSITA”) at the time of the earliest possible priority date of the claims (in November 2007). As in my earlier declaration submitted in this matter, it remains my opinion that POSITA would have possessed a bachelor’s degree in computer science and/or electrical engineering or comparable experience, plus at least two years of experience using DRM, cryptography, and content distribution or related software technology. (Ex. 1002, ¶¶ 33-38.)

I. The Substitute Claims.

9. I have reviewed proposed substitute claims 26-28 in Appendix A of the Motion to Amend.

10. I understand that the underlined text in substitute claims 26-28 represents claim language that Uniloc proposes to add to original claims 1, 22, and 25, respectively, and that the text surrounded by double brackets in substitute claims 26-28 represents claim language that Uniloc proposes to delete from original claims 1, 22, and 25, respectively.

11. I understand that substitute claim 26 is proposed to replace original claim 1 as follows (Motion to Amend, Appx. A, at vii-viii):

12. I understand that substitute claim 27 is proposed to replace original claim 22 as follows (Motion to Amend, Appx. A, at viii-ix):

13. I understand that substitute claim 28 is proposed to replace original claim 25 as follows (Motion to Amend, Appx. A, at ix-xi):

II. The Substitute Claims Use Conventional, Generic Hardware to Implement Licensing Restrictions.

14. Proposed substitute claims 26-28 do not recite or require any specific computer technology. For the reasons explained below, the substitute claims describe generalized, non-technical operations and include only generic computer technology that would have been considered conventional by a POSITA in November 2007.

15. Substitute claim 26 claims a system for adjusting a license for a digital product over time. The only computer hardware recited in claim 26 is a series of generic “modules” for carrying out fundamental computing functions that would have been well-known to a POSITA, such as a “communication module,” a “processor module,” and a “memory module.” Claim 26 does not specify any particular type of communication hardware, processor, or memory. Similarly, the specification describes the modules in generic terms (Ex. 2004 at 3:5-4:9, 11:14-13:6) and states that a “module” lacks specificity and may refer to any hardware, software, or combination of the two (Ex. 2004 at 16:29-31, 17:19-29).

16. Substitute claim 27 claims a method for adjusting a license for a digital product over time and does not recite any computer hardware or specific computer technology used to carry out the claimed method.

17. The steps of substitute claim 27 could be performed by a human mentally or using a pen and paper, for example, with manual bookkeeping procedures and simple calculations. A person could use a notebook and pen to maintain records of license data, allowed copy counts, and devices authorized to use certain software, review those records upon receiving a request to add another device (such as a written or oral request), compare license and device records to license and device identity data included in the request, and allow access for a previously recorded device or adjust the allowed copy count, compare the device count with the maximum number of permitted devices, and then grant or deny authorization accordingly. None of those steps would necessarily require hardware implementation or any specific computer technology.

18. Substitute claim 28 recites a computer program product for adjusting a license for a digital product over time. The only computer hardware recited in claim 28 is a generic “non-transitory computer-readable medium” and a generic “computer” for executing various generic pieces of code. Those generic components would have been well known to a POSITA by November 2007.

19. The computer technology identified in the substitute claims is limited to basic, well-known, and generic hardware or software such as “a communication module,” “a processor module,” “a memory module,” a “computer-readable medium,” “a computer,” and “a computer program product” or computer “code.” None of those items would have been considered inventive or new by a POSITA. Instead, all of the claimed limitations in the substitute claims individually or collectively would have implied the use of generic computer technology well known to a POSITA.

20. Substitute claims 26-28 also recite using a “device identity” to identify the generic device requesting authorization to use a licensed digital product. Specifically, each claim recites “a device identity generated at the given device at least in part by sampling physical parameters of the given device.” (Motion to Amend, Appx. A at vii-x.) Identifying a device using a device identity generated at least in part by sampling physical parameters of the device was well known by November 2007 (the earliest possible priority date for the ʼ960 patent) and would have been considered conventional by a POSITA at that time.

21. For example, U.S. Patent 5,490,216 (“the ʼ216 patent”) (Ex. 1010) issued on February 6, 1996, more than ten years before the earliest possible priority date for the ʼ960 patent. The ʼ216 patent is cited in, and incorporated by reference into, the specification of the ʼ960 patent. (Ex. 1001, ʼ960 patent at 4:45-48.) The ʼ216 patent is also cited in the specifications of both applications underlying the ʼ960 patent. (Ex. 2004 at 6:26-30; Ex. 2005 at 1:11-15, 2:49.) The ʼ216 patent is prior art to the ʼ960 patent.

22. The prior art ʼ216 patent discloses a DRM system that includes using physical parameters of a device to create a device identity to allow the DRM system to identify devices requesting access to a digital product. The ʼ216 patent disclosed generating a unique ID based in part upon “system information” that identifies the hardware of the user device platform. Such system information included CPU number, firmware parameters, the amount of system memory, or the type of processor. (Ex. 1010 at 12:12-19.)

23. In addition to referencing the ʼ216 patent, the specification of the ʼ960 patent lists numerous other well-known, conventional means for device identification that could be used interchangeably in the substitute claims. (Ex. 1001 at 4:42-50, 9:20-10:67; Ex. 2004 at 14:1-16:21.) A POSITA would not have considered the use of such well-known physical parameters of a computer or other device for the conventional purpose of device identification to be inventive because the use of a device’s physical characteristics to create a device identity used to keep track of device authorizations was not novel in November 2007. It was well known in systems for setting and enforcing user device limits, as was the concept of using a device’s physical parameters to create a device identity.

24. Numerous other prior art references disclosed the use of physical parameters to generate a device ID. For example, other publicly known systems verified a request based, in part, upon hardware information such as the user device’s microprocessor serial number (Ex. 1004 (Staruiala) at 8; Ex. 1027 (Cohen) at ¶ [0079]), Media Access Control (“MAC”) address (Ex. 1004 (Staruiala) at 8; Ex. 1019 (Singer) at ¶ [0078]), or “unique computer serial number that is specific only to that computer” (Ex. 1028 (Ferrante) at 1:51-57).

25. Substitute claims 26-28 also specify that a request for authorization to use the digital product on a device includes (1) license data associated with the digital product, and (2) a device identity generated at least in part by sampling physical parameters of the device. A POSITA would not have considered communicating license data and a device identity together, rather than sequentially in separate communications, to be novel or inventive because DRM systems including such combined communications were known in the field. Hu provides one such example. (Ex. 1026 at 6:15-39, Fig. 2 step 2-3.) Other examples include Goodwin (Ex. 1032 at 5:1-10, 6:9-27) and Birdstep (Ex. 1033 at 6, 13).

26. Additionally, taking two pieces of data communicated separately in a prior art reference and placing both of those pieces of data together in a single communication is not novel nor inventive, absent some specific problem that needed to be overcome in communicating the pieces of information together. Here, there were no issues that would have precluded communicating license data and a device identity in a single communication in November 2007, and the ’960 patent does not identify any such issues nor any special steps that would need to be taken to communicate those two pieces of data together. Therefore, combining them into a single communication would have been considered simple and routine by a POSITA.

III. Substitute Claims 26-28 Would Have Been Obvious to a POSITA.

27. In my opinion, substitute claims 26-28 would have been obvious to a POSITA in view of DeMello and Hu. Substitute claims 26-28 make five primary changes to the original independent claims addressed in my first declaration. These changes are: (1) the substitute claims recite that the authorization request received from the device includes both “license data” and “a device identity”; (2) the substitute claims specify that the device identity is generated at the device; (3) the substitute claims remove claim language reciting that license data verification be based at least in part on the device identity; (4) the substitute claims specify determining whether the device is on a record in response to (i.e., after) verifying license data; and (5) the substitute claims recite temporarily adjusting the allowed copy count from its current number to a different number. It is my opinion that the substitute claims bearing those changes would have been obvious to a POSITA in the 2007 time frame, at least in part for the reasons discussed below.

A. The Prior Art

28. DeMello (Ex. 1003) issued on May 16, 2006, more than a year before the earliest possible priority date for the ʼ960 patent. I understand that DeMello is prior art to the ʼ960 patent.

29. A detailed description of DeMello is contained in my previous declaration. Below, I further discuss some of the specific disclosures in DeMello that are relevant to the amended claim limitations. DeMello discloses a DRM system that uses a unique hardware ID to uniquely identify a device requesting access to a digital product. (Ex. 1003 at 22:44-51.) The hardware ID is derived from physical parameters (hardware components) that uniquely identify the device. (Ex. 1003 at 22:44-51.)

30. DeMello discloses that the activation server in the DRM system stores a “machine ID” in a database. (Ex. 1003 at Fig. 8 (step 186), 14:23-29.) In some embodiments, DeMello discloses that the machine ID that is stored is generated from the hardware ID. (Ex. 1003 at 13:62-66.) DeMello does not specify how to compute the machine ID from a hardware ID, but a POSITA would have understood that a one-way function (such as a cryptographic hash function or a cyclic redundancy check function) could be used given that the device must provide the hardware ID in an authorization request and that is then compared to a machine ID in a server database and the machine ID therefore should be easily producible from the hardware ID input. (Ex. 1003 at 22:44-53; Fig. 8, (steps 156-164).) As a POSITA would have known, such one-way functions can be used to add user privacy protection by inhibiting unauthorized authentication attempts that could occur if an attacker acquired the original hardware_id from the server database.

31. In other embodiments DeMello uses the two ID terms, hardware ID and machine ID, interchangeably. (See, e.g., Ex. 1003 at 30:9-11 (“The UsersDevices is a list of all Hardware IDs (i.e., Machine IDs) . . . .”).) Therefore, a POSITA would have understood that a hardware ID generated on the user device can be used and stored as the machine ID on the server.

32. Other references similarly disclosed generating on the client device the device ID that is stored in the DRM system.

33. For example, Hu (Ex. 1026) is entitled “Method and System for Managing Software Licenses and Reducing Unauthorized Use of Software.” Hu issued on July 6, 2010, from an application filed on December 27, 2005. I understand that Hu is prior art to the ʼ960 patent.

34. Hu discloses a DRM system for managing software licenses. In Hu’s system, a user creates a user account on a server, and the user’s account information is associated with a software license. (Ex. 2026 at 6:10-31.) The user account is also associated with user account authentication information to authenticate the user. (Ex. 1026 at 6:18-31.) The account authentication information conveys to the server whether the requesting user is licensed to use the software, so the account authentication information constitutes license data associated with the software.

35. In Hu’s system, when the user requests authorization to run licensed software on a device—such as a computer—the device sends account authentication information to the server together with a “computer_id.” (Ex. 1026 at 6:31-39.) The computer_id is generated at the computer at least in part by sampling physical parameters of the device, i.e., using “information that uniquely identifies the computer,” including physical parameters like a MAC address or “a basket of hardware identifiers such as motherboard and hard drive serial numbers.” (Ex. 1026 at 6:31-39.) Those are all parameters assigned by the manufacturer and stored in the computer’s hardware that can uniquely identify a computer.

36. The system then determines whether to authorize the computer to use the licensed software based on the license and device information in the request. (Ex. 1026 at 6:55-7:10.) Upon receiving the combined communication that includes the license-associated user account information and the device-identifying computer_id from the user’s computer, the server authenticates the user by the user account information and determines whether to enable or disable the software based on the computer_id and the license terms, including the number of computers that can be authorized under the license. (Ex. 1026 at 6:21-39, 6:55-7:10.)

37. Hu also suggests optionally using a one-way function on the computer_id to protect user privacy. Specifically, Hu discloses that the hardware-derived computer_id “may be run through a one-way transformation algorithm such as a CRC32 so that the vendor would not be able to reverse-engineer the computer’s hardware identity from the stored computer_ids.” (Ex. 1026 at 6:39-43.) A POSITA would have known that a CRC32 is a one-way error-detection function.

38. The optional use of a one-way CRC32 function as disclosed in Hu is similar to the optional use of a one-way function to create a machine ID indicated in DeMello. In each case, a POSITA would have known that a one-way function could be added to enhance user privacy protection, but a POSITA would not have considered the use of a one-way function to be necessary for the DRM authentication process or to be a significant change in the disclosed authentication schemes. Further, a POSITA would have known that such one-way functions could have been applied to the hardware ID on the device before sending it to the activation server because the output of a collision-resistant one-way function is unique, thus, it need not be generated at the server. This transform protects the underlying physical parameters from being revealed outside the device. A POSITA would have recognized advantages in carrying out the one-way function at the user device because of improved security from transmitting only the transformed ID rather than the original hardware parameters.

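The request flow described in paragraphs 35-38, as an added example that is not part of the declaration and is not code from Hu or DeMello: the client derives a computer_id from sampled hardware parameters, applies a one-way transform on the device, and sends it with the account credentials in one request; the server then checks the credentials, the device record, and the device limit. The function and class names, the constructed hardware values, the SHA-256 option, and the PBKDF2 credential check are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import zlib
from dataclasses import dataclass, field

# Constructed sample "baskets" of hardware identifiers (not from real machines).
SAMPLE_HW_A = {"mac": "02:00:5E:10:00:01", "board_serial": "MB-EXAMPLE-0001",
               "disk_serial": "HD-EXAMPLE-0001"}
SAMPLE_HW_B = {"mac": "02:00:5E:10:00:02", "board_serial": "MB-EXAMPLE-0002",
               "disk_serial": "HD-EXAMPLE-0002"}
SAMPLE_HW_C = {"mac": "02:00:5E:10:00:03", "board_serial": "MB-EXAMPLE-0003",
               "disk_serial": "HD-EXAMPLE-0003"}


def hardware_basket(params):
    """Canonical encoding of the sampled parameters, independent of key order."""
    return "\n".join(f"{k}={params[k].strip().lower()}" for k in sorted(params)).encode()


def computer_id(params, transform="sha256"):
    """Derive the device identity on the client; only this value leaves the device."""
    raw = hardware_basket(params)
    if transform == "crc32":       # the transform named in the quoted Hu passage
        return f"{zlib.crc32(raw) & 0xFFFFFFFF:08x}"   # 32-bit output
    if transform == "sha256":      # assumption: a cryptographic hash instead
        return hashlib.sha256(raw).hexdigest()          # 256-bit output
    raise ValueError(f"unknown transform: {transform}")


def build_request(username, password, params, transform="sha256"):
    """One combined request: license-associated credentials plus device identity."""
    return {"username": username, "password": password,
            "computer_id": computer_id(params, transform)}


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    max_devices: int
    devices: set = field(default_factory=set)   # transformed IDs only


class LicenseServer:
    def __init__(self):
        self.accounts = {}

    def create_account(self, username, password, max_devices):
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt), max_devices)

    def authorize(self, request):
        acct = self.accounts.get(request.get("username"))
        # Step 1: verify the license data (here, the account credentials).
        if acct is None or not hmac.compare_digest(
                hash_password(request.get("password", ""), acct.salt), acct.password_hash):
            return "denied: invalid account credentials"
        cid = request.get("computer_id")
        if not cid:
            return "denied: missing device identity"
        # Step 2: a device already on record is allowed without using a new slot.
        if cid in acct.devices:
            return "authorized: device already on record"
        # Step 3: otherwise enforce the number of devices the license permits.
        if len(acct.devices) >= acct.max_devices:
            return "denied: device limit reached"
        acct.devices.add(cid)
        return "authorized: device added to record"


def demo():
    """Run the exchange for a two-device license and return each outcome."""
    server = LicenseServer()
    server.create_account("alice", "correct horse", max_devices=2)
    attempts = [("correct horse", SAMPLE_HW_A), ("correct horse", SAMPLE_HW_A),
                ("correct horse", SAMPLE_HW_B), ("correct horse", SAMPLE_HW_C),
                ("wrong password", SAMPLE_HW_A)]
    return [server.authorize(build_request("alice", pw, hw)) for pw, hw in attempts]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The server in this sketch never receives the MAC address or serial numbers, only the transformed identifier, which is the property paragraph 38 attributes to running the transform on the device.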

B. Sending License Data and a Device Identity in a Single Communication Would Have Been Obvious to a POSITA.

39. Substitute claims 26-28 recite that the request for authorization received from the device seeking to use the digital product comprises both license data and a device identity.

40. DeMello discloses that the client device seeking to use the digital product sends license data to the server in the form of PASSPORT credentials. The authentication procedure uses credentials that are associated with a persona, i.e., the “particular user.” (Ex. 1003 at 2:56-60.) The disclosed PASSPORT ID is the “persona ID associated with the user, which is provided by the user during activation.” (Ex. 1003 at 16:32-33.) The PASSPORT ID is associated with a user’s licenses to protected digital content. (Ex. 1003 at 14:22-51.) In DeMello, activation realizes “‘fully individualized’ titles that can only be opened by authenticated reader applications that are ‘activated’ for a particular user.” (Ex. 1003 at 6:17-22.) A POSITA would have recognized that PASSPORT credentials in DeMello would qualify as license data because those credentials associate a particular user with his or her individualized content licenses for using authorized digital products. During a request for access to protected content, a user enters PASSPORT credentials at the device, which are then transmitted to the server for authentication. (Ex. 1003 at 22:33-46.) DeMello also discloses that the client device seeking to use the digital product sends the device identity to the server. (Ex. 1002 at ¶ 22:46-53.) To the extent that DeMello does not disclose including both the license data and device identity in a single request, placing both of those pieces of data in a single request would have been obvious to a POSITA for the reasons discussed below.

41. As described above, Hu disclosed a DRM system in which a request from a device seeking authorization to use a digital product includes both license data associated with the digital product (account authentication information) and a device identity (computer_id) generated at the device at least in part by sampling physical parameters of the device, such as a MAC address or motherboard and hard drive serial numbers. (Ex. 1026 at 6:10-39.)

42. Hu was not novel in that regard. Other prior art references disclose a device requesting authorization to use a digital product by sending a request that includes license data associated with the digital product and a device identity generated at least in part by sampling physical parameters of the device. For example, this is also disclosed in Goodwin (Ex. 1032 at 5:1-10, Fig. 2) and Birdstep (Ex. 1033 at 13-14).

43. A POSITA would have been motivated to use Hu’s combined request that includes license and device identity information in the DeMello system to simplify the authentication process by eliminating an extra communication step. Like Hu, DeMello discloses that the device sends a license-associated user credential (PASSPORT) and a device identifier (hardware ID) generated by sampling physical parameters of the device when requesting authorization to use a digital product. A POSITA would have recognized that combining that information into a consolidated request for authorization, as disclosed by Hu, rather than sending the license and device identifying information separately would have streamlined and simplified the authentication procedure in the DeMello system.

44. A POSITA therefore would have been aware that it was both possible and desirable to combine the transmission of both the license data and device identity into a single communication from the user device requesting authorization to use a digital product. Thus, it was not inventive in 2007 (the earliest possible priority date for the ’960 patent) to combine the communication of the license data and device identity into a single communication, and it would have been obvious to do so in view of DeMello and Hu.

C. Generating a Device Identity on a User Device Was Disclosed in DeMello or Would Have Been Obvious to a POSITA.

45. Substitute claims 26-28 also recite that the device identity is “generated at the given device.”

46. DeMello discloses a DRM system that uses a unique hardware ID to uniquely identify a device requesting access to a digital product. (Ex. 1003 at 22:44-51.) The hardware ID is generated on the device and is derived from physical parameters (hardware components) that uniquely identify the device. (Ex. 1003 at 22:44-51.) DeMello discloses that the activation server in the DRM system stores a “machine ID” in a database. (Ex. 1003 at Fig. 8 (step 186), 14:23-29.) In some embodiments, DeMello discloses that the machine ID that is stored in the DRM system’s activation database is generated from the hardware ID. (Ex. 1003 at 13:62-66.) But in other embodiments DeMello uses the two ID terms, hardware ID and machine ID, interchangeably. (See, e.g., Ex. 1003 at 30:9-11 (“The UsersDevices is a list of all Hardware IDs (i.e., Machine IDs) . . . .”).) DeMello further would have indicated to a POSITA that, in at least some embodiments, the machine ID is generated on the client device and transmitted from the user device to the server. (Ex. 1003 at 23:49-52 (disclosing that the machine ID is “uploaded” to the activation server).) Therefore, a POSITA would have understood that DeMello discloses generating on the client device the “device identity” that is recited in the amended claims.

47. In addition, the computer_id in Hu’s combined request is a device identity generated at the device requesting authorization to use a digital product. Hu discloses that the computer_id is sent from the computer requesting authorization to the authorization server (Ex. 1026 at 6:31-39), and a POSITA would have understood that the local software on the computer generates the computer_id at the computer because the computer_id is based on local hardware parameters and is sent from the computer to the server.

48. Whether using DeMello’s hardware ID or Hu’s computer_id, a POSITA would have been motivated to use those device identifiers created at the requesting device to identify and verify the requesting device to simplify the DeMello system by forgoing the additional step of generating a machine ID from the hardware ID information as disclosed in some embodiments in DeMello. Furthermore, DeMello’s system authenticates users using their PASSPORT credentials (Ex. 1003 at 13:30-35), which would have indicated to a POSITA that the hardware id did not require stringent privacy protections. In practice, and as seen in Hu, a POSITA would have known to apply the appropriate privacy protections given the architecture of their system. I know of other security mechanisms that are both applicable to DeMello’s system and what a POSITA would have known to do to protect the privacy of the user. For example, applying database encryption techniques on the server that stores the device identifier.

49. Combining the features of Hu as described with DeMello’s teaching of a DRM system would have represented no more than the combination of known elements in a way that yields predictable results. In my opinion, it would have been obvious to use Hu’s computer_id and combined request in the DeMello system, and a POSITA would have reasonably expected to succeed in doing so given that the technology and techniques were well-known and well within the ordinary level of skill in the art.

D. DeMello Discloses Verifying that the License Data Associated with the Digital Product is Valid.

50. Substitute claims 26-28 recite verifying “that the license data associated with the digital product is valid,” and those claims delete claim language from the “verify” step of original claims 1, 22, and 25 reciting that verifying be based at least in part on a device identity generated by sampling physical parameters of the given device.

51. DeMello discloses verifying that the license data associated with the digital product is valid by authenticating PASSPORT credentials. (Ex. 1003 at 16:32-35, 22:33-53.) The disclosed PASSPORT ID is the “persona ID associated with the user, which is provided by the user during activation.” (Ex. 1003 at 16:32-33.) In DeMello, activation realizes “‘fully individualized’ titles that can only be opened by authenticated reader applications that are ‘activated’ for a particular user.” (Ex. 1003 at 6:17-22.) The authentication procedure uses credentials that are associated with a persona, i.e., the “particular user.” (Ex. 1003 at 2:56-60.) A POSITA would have recognized that authenticating PASSPORT credentials in DeMello can serve to verify license data because the disclosed digital products are individualized for licensed use for a particular user persona identified with the PASSPORT ID.

E. DeMello Discloses Determining Whether the Device is on a Record in Response to Verif