`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`_________________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`_________________________
`
`InAuth, Inc.
`
`Petitioner
`
`v.
`
`mSIGNIA, Inc.
`
`Patent Owner
`_________________________
`
`Case No. Unassigned
`
`_________________________
`
`
`
`DECLARATION OF DR. PATRICK TRAYNOR
`
`
`
`IA1003
`
`IA1003
`
`

`

`
`
`TABLE OF CONTENTS
`
`Page
`
`I.
`
`II.
`
`OVERVIEW AND SUMMARY OF OPINIONS.................................................... 1
`A. My Background And Qualifications ............................................................. 4
`LIST OF DOCUMENTS I CONSIDERED IN FORMULATING MY
`OPINIONS ............................................................................................................... 7
`PERSON OF ORDINARY SKILL IN THE ART ................................................... 9
`III.
`STATE OF THE ART ............................................................................................ 10
`IV.
`OVERVIEW OF THE ‘852 PATENT ................................................................... 13
`V.
`THE ‘852 FILE HISTORY .................................................................................... 24
`VI.
`VII. CLAIM CONSTRUCTION ................................................................................... 26
`VIII. BASIS OF MY ANALYSIS WITH RESPECT TO ANTICIPATION ................. 27
`IX. BASIS OF MY ANALYSIS WITH RESPECT TO OBVIOUSNESS AND
`OBJECTIVE INDICIA OF NONOBVIOUSNESS ............................................... 28
`SUMMARY OF GROUNDS ................................................................................. 30
`X.
`XI. GROUND 1: CLAIMS 1-5, 7, 14-21, AND 24-25 ARE ANTICIPATED
`BY ETCHEGOYEN ................................................................................................ 31
`A.
`The Etchegoyen System .............................................................................. 35
`B. Methods of Authenticating in Etchegoyen .................................................. 38
`C.
`Independent Claim 1 ................................................................................... 41
`D.
`Independent Claim 24 ................................................................................. 54
`E.
`Independent Claim 25 ................................................................................. 64
`F.
`Dependent Claim 2 ...................................................................................... 74
`G.
`Dependent Claim 3 ...................................................................................... 74
`H.
`Dependent Claims 4 and 5........................................................................... 75
`I.
`Dependent Claim 7 ...................................................................................... 78
`J.
`Dependent Claims 14, 15, and 16 ............................................................... 79
`K.
`Dependent Claims 17, 18, and 19 ............................................................... 81
`L.
`Dependent Claim 20 .................................................................................... 84
`M.
`Dependent Claim 21 .................................................................................... 84
`XII. GROUND 2: CLAIMS 1-5, 7, 14-21, AND 24-25 WOULD HAVE BEEN
`OBVIOUS IN VIEW OF ETCHEGOYEN ............................................................. 85
`
`
`
`IA1003
`
`IA1003
`
`

`

`
`
`XIII. GROUND 3: DEPENDENT CLAIMS 6 AND 8-12 WOULD HAVE
`BEEN OBVIOUS IN VIEW OF ETCHEGOYEN AND JAKOBSSON ................. 88
`A.
`Dependent Claim 6 ...................................................................................... 92
`B.
`Dependent Claims 8-12 ............................................................................... 95
`XIV. GROUND 4: DEPENDENT CLAIMS 13, 22, AND 23 WOULD HAVE
`BEEN OBVIOUS IN VIEW OF ETCHEGOYEN AND VARGHESE ................ 100
`A.
`Dependent Claims 13, 22, and 23 ............................................................. 101
`XV. GROUND 5: CLAIMS 1-23, 25 ARE ANTICIPATED BY VARGHESE ......... 103
`A.
`Independent Claim 1 ................................................................................. 104
`B.
`Independent Claim 25 ............................................................................... 118
`C.
`Dependent Claim 2 .................................................................................... 125
`D.
`Dependent Claim 3 .................................................................................... 125
`E.
`Dependent Claims 4, 5, and 6 ................................................................... 126
`F.
`Dependent Claim 7 .................................................................................... 131
`G.
`Dependent Claims 8-12 ............................................................................. 132
`H.
`Dependent Claims 13, 22, and 23 ............................................................. 134
`I.
`Dependent Claims 14, 15, and 16 ............................................................. 136
`J.
`Dependent Claims 17, 18, and 19 ............................................................. 138
`K.
`Dependent Claim 20 .................................................................................. 140
`L.
`Dependent Claim 21 .................................................................................. 141
`XVI. GROUND 6: CLAIM 24 WOULD HAVE BEEN OBVIOUS IN VIEW
`OF VARGHESE AND BACKGROUND KNOWLEDGE OF A POSA ............. 142
`A.
`Independent Claim 24 ............................................................................... 142
`XVII. OBJECTIVE INDICIA DO NOT SUPPORT PATENTABILITY ..................... 149
`XVIII. CONCLUSION .................................................................................................... 150
`
`
`
`IA1003
`
`IA1003
`
`

`

`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
`I, Patrick Traynor, Ph.D., hereby declare as follows.
`
`1.
`
`I am over the age of eighteen (18) and otherwise competent to make
`
`this declaration.
`
`2.
`
`I have been retained as an expert witness on behalf of InAuth, Inc.
`
`(“InAuth”) in connection with the above-captioned requested inter partes review
`
`(“IPR”). I am being compensated for my time in connection with this IPR at my
`
`standard consulting rate, which is $500 per hour. My compensation does not
`
`depend on the outcome of this proceeding. I have no personal interest in the
`
`outcome of this proceeding.
`
`I.
`
`OVERVIEW AND SUMMARY OF OPINIONS
`
`3.
`
`I understand that a petition for inter partes review has been filed
`
`regarding U.S. Patent No. 9,559,852 (“the ‘852 patent”) (IA1001), which resulted
`
`from U.S. Application No. 15/075,066 (“the ‘066 Application”), filed on March
`
`18, 2016, naming Paul Timothy Miller and George Allend Tuvell as inventors. I
`
`understand that the petition for inter partes review challenges claims 1-25 of the
`
`‘852 patent (the “Challenged Claims”) as anticipated and/or obvious.
`
`4.
`
` The ‘852 Patent issued on January 31, 2017, from the ‘066
`
`application.
`
`5.
`
`I understand that the ‘852 patent lists mSIGNIA, Inc. (“Patent
`
`Owner”) as assignee.
`
`
`
`1
`
`
`
`IA1003
`
`IA1003
`
`

`

`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
`I understand that the earliest possible filing date for the ‘852 patent is
`
`6.
`
`February 3, 2011, which is the filing date of Provisional Patent Application No.
`
`61/462,474 (“the ‘474 provisional”). IA1009. I have not been asked to opine
`
`regarding whether the ‘474 provisional provides adequate written description for
`
`and/or enables the Challenged Claims, and I offer no opinion on this matter in this
`
`declaration. I have assumed, only for purposes of this Declaration, that the priority
`
`date for all Challenged Claims is February 3, 2011. My opinions as to invalidity
`
`discussed herein would not change if February 3, 2011 or a later date is used as the
`
`priority date. I am not aware of any evidence to suggest that any claim of the ‘852
`
`patent should get the benefit of any earlier priority date. I am also not aware of
`
`any claim by Patent Owner to an earlier priority date that would change any of my
`
`opinions set forth in this declaration or otherwise. I reserve the right to respond
`
`with specificity if Patent Owner alleges an earlier priority date.
`
`7.
`
`In preparing this Declaration, I have reviewed the ‘852 patent, its file
`
`history (IA1002), the parent U.S. Patent No. 9,294,448 (“the ‘448 patent”)
`
`(IA1010), the file history of the ‘448 patent (IA1011), the grand-parent U.S. Patent
`
`No. 8,817,984 (“the ‘984 patent”) (IA1012), the file history of the ‘984 patent
`
`(IA1013), and the ‘474 Provisional and considered each of the documents cited
`
`herein, in light of general knowledge in the art (i.e., field) on or before February 3,
`
`2011. In formulating my opinions, I have relied upon my nearly 20 years of
`
`
`
`2
`
`
`
`IA1003
`
`IA1003
`
`

`

`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
`experience, education, and knowledge in the relevant art. In formulating my
`
`opinions, I have also considered the viewpoint of one of ordinary skill in the art as
`
`of February 3, 2011. A brief summary of my opinions follows:
`
`a. Etchegoyen discloses all limitations of Claims 1-5, 7, 14-21, and
`
`24-25 of the ‘852 patent and therefore anticipates these claims.
`
`(Ground 1 of Petition)
`
`b. To the extent it is found that Etchegoyen does not disclose any of
`
`the limitations of Claims 1-5, 7, 14-21, and 24-25 of the ‘852
`
`patent, Etchegoyen, when viewed against
`
`the background
`
`knowledge and understanding of a POSA, would render obvious as
`
`a whole the claimed subject matter of these claims. (Ground 2 of
`
`Petition)
`
`c. Etchegoyen in view of Jakobsson renders obvious Claims 6 and 8-
`
`12 of the ‘852 patent. (Ground 3 of Petition)
`
`d. Etchegoyen in view of Varghese renders obvious Claims 13, 22,
`
`and 23 of the ‘852 patent. (Ground 4 of Petition)
`
`e. Varghese discloses all limitations of Claims 1-23 and 25 of the
`
`‘852 patent and therefore anticipates these claims. (Ground 5 of
`
`Petition)
`
`
`
`3
`
`
`
`IA1003
`
`IA1003
`
`

`

`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
`f. Varghese, when viewed against the background knowledge and
`
`understanding of a POSA, renders obvious the claimed subject
`
`matter for Claim 24. (Ground 6 of Petition)
`
`8.
`
`I understand that the Petition advances the following grounds, which
`
`accord with my opinions expressed above:
`
`Claims
`
`References
`
`Ground
`
`1
`
`2
`
`3
`
`4
`
`5
`
`35 U.S.C. §
`(pre-AIA)
`§ 102
`
`§ 103
`
`§ 103
`
`§ 103
`
`§ 102
`
`Claims 1-5, 7, 14-21,
`and 24-25
`
`Claims 1-5, 7, 14-21,
`and 24-25
`
`Claims 6 and 8-12
`
`Claims 13, 22, and 23
`
`Claims 1-23, 25
`
`Etchegoyen
`
`Etchegoyen
`
`Etchegoyen and
`Jakobsson
`
`Etchegoyen and
`Varghese
`
`Varghese
`
`Varghese
`
`§ 103
`
`6
`
`A. My Background And Qualifications
`
`Claim 24
`
`9.
`
`I received a B.S. in Computer Science from the University of
`
`Richmond in 2002 and an M.S. and a Ph.D. in Computer Science and Engineering
`
`from the Pennsylvania State University in 2004 and 2008, respectively. My
`
`dissertation, entitled “Characterizing the Impact of Rigidity on the Security of
`
`
`
`4
`
`
`
`IA1003
`
`IA1003
`
`

`

`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
`Cellular Telecommunications Networks,” focused on security problems that arise
`
`in cellular infrastructure when gateways to the Internet are created.
`
`10.
`
`I am currently an Associate Professor in the Department of Computer
`
`and Information Science and Engineering (CISE) at the University of Florida. I
`
`was hired under the “Rise to Preeminence” hiring campaign and serve as the co-
`
`founder and co-director of the Florida Institute for Cybersecurity (FICS). I have
`
`since been named the John and Mary Lou Dasburg Preeminent Chair in
`
`Engineering. Prior to joining the University of Florida, I was an Associate
`
`Professor from March to August 2014 and an Assistant Professor of Computer
`
`Science from 2008 at the Georgia Institute of Technology. I have supervised many
`
`Ph.D., M.S. and undergraduate students during the course of my career.
`
`11.
`
`I am a Senior Member of the Association for Computing Machinery
`
`(ACM) and the Institute of Electrical and Electronics Engineers (IEEE). I am also
`
`a member of the USENIX Advanced Computing Systems Association.
`
`12. My area of expertise is security, especially as it applies to mobile
`
`systems and networks, including cellular networks. As such, I regularly teach
`
`students taking my courses and participating in my research group to program and
`
`evaluate software and architectures for mobile and cellular systems.
`
`13.
`
`I have published over 70 articles in the top journals and conferences in
`
`the areas of information security, mobility and networking. Many of my results are
`
`
`
`5
`
`
`
`IA1003
`
`IA1003
`
`

`

`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
`highly cited, and I have received a number of “Best Paper” Awards. I have also
`
`written a book entitled Security for Telecommunications Networks, which is used
`
`in wireless and cellular security courses at a number of top universities.
`
`14.
`
`I serve as an Associate Editor for the ACM Transactions on Privacy
`
`and Security (TOPS), have been the Program Chair for seven conferences and
`
`workshops, and have served as a member of the Program Committee for over 50
`
`different conferences and workshops.
`
`15.
`
`I have received numerous awards for research and teaching, including
`
`being named a Kavli Fellow (2017), a Fellow of the Center for Financial Inclusion
`
`(2016) and a Research Fellow of the Alfred P. Sloan Foundation (2014), won the
`
`Lockheed Inspirational Young Faculty Award (2012), was awarded a National
`
`Science Foundation (NSF) CAREER Award (2010), and received the Center for
`
`the Enhancement of Teaching and Learning at Georgia Tech’s “Thanks for Being a
`
`Great Teacher” Award (2009, 2012, 2013).
`
`16.
`
`I was a Co-Founder and Research Fellow for the private start-up,
`
`Pindrop Security, from spring 2012 to spring 2014. Pindrop provides anti-fraud
`
`and authentication solutions for Caller-ID spoofing attacks in enterprise call
`
`centers by creating and matching acoustic fingerprints.
`
`
`
`6
`
`
`
`IA1003
`
`IA1003
`
`

`

`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
`I am the Co-Founder and Chief Executive of a private start-up,
`
`17.
`
`CryptoDrop. CryptoDrop developed a ransomware detection and recovery tool to
`
`provide state of the art protection to home, small business, and enterprise users.
`
`18.
`
`I have taught courses on the topics of network and systems security,
`
`cellular networks, and mobile systems at both Georgia Tech and the University of
`
`Florida. I also advised and instructed the Information Assurance Officer Training
`
`Program for the United States Army Signal Corps in the spring of 2010.
`
`19.
`
`I am a named inventor on two United States patents, which are listed
`
`in my CV. These patents detail methods for determining the origin and path taken
`
`by phone calls as they traverse networks and for providing a secure means of
`
`indoor localization.
`
`20. Further detail on my education, work, and teaching experience, and
`
`the cases in which I have previously given testimony in at least the past four years
`
`are contained in my curriculum vitae (CV) included as Appendix A. IA1028.
`
`II. LIST OF DOCUMENTS I CONSIDERED IN FORMULATING MY
`OPINIONS
`
`21.
`
`In formulating my opinions, I considered all of the references cited in
`
`this Declaration, including the documents listed below.
`
`Exhibit Number
`
`Description
`
`IA1001
`IA1002
`
`
`
`U.S. Patent No. 9,559,852 to Miller et al.
`Prosecution File History of U.S. Patent No. 9,559,852
`
`7
`
`
`
`IA1003
`
`IA1003
`
`

`

`Exhibit Number
`
`Description
`
`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
`
`IA1003
`IA1004
`IA1005
`IA1006
`IA1007
`IA1008
`IA1009
`IA1010
`IA1011
`IA1012
`IA1013
`IA1014
`
`IA1015
`IA1016
`IA1017
`
`IA1018
`IA1019
`
`IA1020
`
`IA1021
`IA1022
`IA1023
`
`
`
`Declaration of Professor Patrick Traynor
`U.S. Patent No. 8,316,421 to Etchegoyen
`U.S. Patent Pub. No. 2006/0282660 to Varghese et al.
`U.S. Patent No. 8,312,157 to Jakobsson et al.
`U.S. Patent No. 6,185,316 to Buffam et al.
`U.S. Patent Pub. No. 2011/0007177 to Kang et al.
`Provisional Patent Application No. 61/462,474
`U.S. Patent No. 9,294,448 to Miller et al.
`Prosecution File History of U.S. Patent No. 9,294,448
`U.S. Patent No. 8,817,984 to Miller et al.
`Prosecution File History of U.S. Patent No. 8,817,984
`Provisional Patent Application No. 61/252,960 to
`Etchegoyen
`Patent Application No. 12/903,948 to Etchegoyen
`Patent Application No. 12/504,159 to Jakobsson et al.
`Kohno et al., “Remote Physical Device Fingerprinting”
`(Apr. 2005)
`Pang et al., “802.11 User Fingerprinting” (2007)
`“Race Is On To ‘Fingerprint’ Phones, PCs”, WALL STREET
`JOURNAL (Nov. 30, 2010)
`Denning & MacDoran, “Location-Based Authentication:
`Grounding Cyberspace for Better Security” (Feb. 1996)
`Cortes et al., “Communities of Interest” (2001)
`Johansen et al., “Email Communities of Interest” (2007)
`Aiello et al., “Analysis of Communities of Interest in Data
`Networks” (2005)
`
`8
`
`
`
`IA1003
`
`IA1003
`
`

`

`Exhibit Number
`
`Description
`
`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
`
`IA1024
`
`IA1025
`
`IA1026
`
`IA1027
`
`Smart et al., “Defeating TCP/IP Stack Fingerprinting”
`(1999)
`“The Man Who Invented The Cash Machine”, BBC NEWS
`(June 25, 2007)
`Redline Comparison of Provisional Patent Application No.
`61/462,474 to Specification of Application No. 12/903,948
`mSIGNIA, Inc. v. InAuth, Inc., No. 8:17-cv-1289, Dkt. No. 1,
`Complaint (C.D. Cal. July 26, 2017)
`Curriculum Vitae of Professor Patrick Traynor (Appendix A)
`
`IA1028
`
`III. PERSON OF ORDINARY SKILL IN THE ART
`
`22. A person of ordinary skill in the art (“POSA” or “one of ordinary skill
`
`in the art”) is a hypothetical person who is presumed to be aware of all pertinent
`
`art, thinks along the lines of the conventional wisdom in the art, and is a person of
`
`ordinary creativity. As of February 3, 2011, a POSA in the technical field of the
`
`‘852 Patent – authentication technologies – would have had knowledge of the
`
`scientific literature concerning methods of securely authenticating devices and
`
`users by way of digital fingerprinting and data minutiae associated with those
`
`devices and users.
`
`23. A POSA at the time the application leading to the ‘852 patent was
`
`filed would have had an undergraduate degree in Computer Science, Electrical
`
`Engineering or related fields and two years experience with networking
`
`technologies, or a masters degree in Computer Science, Electrical Engineering or
`
`
`
`9
`
`
`
`IA1003
`
`IA1003
`
`

`

`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
`related fields with one year experience with networking technologies. Additional
`
`education could substitute for hands-on experience.
`
`IV. STATE OF THE ART
`
`24.
`
`I understand that the ‘852 patent claims priority to the ‘474
`
`Provisional, which was filed on February 3, 2011. For purposes of my invalidity
`
`analyses below, I have considered the relevant priority date to be February 3, 2011.
`
`25. Capturing the identity of a user or machine has long been a goal in
`
`computer security. Some of the earliest and most intuitive means of doing so came
`
`in the form of usernames and passwords on early timesharing systems (e.g., MIT’s
`
`Compatible Time Sharing System (CTSS)) in the 1960s.
`
`26. Advancements in the field of cryptography provided increasingly
`
`stronger protocols by which such information could be conveyed. For instance, the
`
`public release of the Data Encryption Standard (DES) algorithm (1977) provided
`
`public and private entities with a relatively strong means of encrypting usernames
`
`and passwords over networked connections. Similarly, the Needham-Schroeder
`
`Public-Key Protocol (1978) allowed authentication to be enabled via newly
`
`discovered asymmetric cryptosystems. Such advances allowed for strong, explicit
`
`means of authentication.
`
`27. The advent of the World Wide Web led to new challenges in
`
`capturing identity. For instance, the addition of “cookies” to web requests allowed
`
`
`
`10
`
`
`
`IA1003
`
`IA1003
`
`

`

`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
`for websites to customize a user’s experience across multiple pages. Specifically,
`
`by keeping a record of the pages that were being accessed with a specific cookie, a
`
`website could develop profiles of users (i.e., fingerprints) and provide them with
`
`additional resources that were likely to be of interest. Cookies, which began
`
`appearing in 1994, allowed for that customization to be based not necessarily on
`
`the specific identity of a user, but on the machine from which requests were being
`
`made.
`
`28. However, because cookies could easily be deleted, many others
`
`sought techniques to develop more long-lived fingerprints. Researchers developed
`
`the nmap tool (1999) and demonstrated that the software and operating system
`
`running on remote machines could be accurately identified by looking at the
`
`distinctive ports and message parameters returned from those machines when they
`
`received a message.
`
`29. Researchers also developed methods for the remote identification of
`
`specific users and machines based on clock skew1, semi-persistent network
`
`configuration data2, and many other features3.
`
`
`1 IA1017 (T. Kohno, A. Broido, and K. C. Claffy, “Remote Physical Device
`Fingerprinting,” IEEE Trans. Dependable Secur. Comput., vol. 2, pp. 93–108,
`April 2005).
`2 IA1018 (J. Pang, B. Greenstein, R. Gummadi, S. Seshan, and D. Wetherall,
`“802.11 User Fingerprinting,” in MobiCom ‘07: Proceedings of the 13th Annual
`ACM International Conference on Mobile Computing and Networking. ACM
`11
`
`
`
`
`IA1003
`
`IA1003
`
`

`

`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
`30. Geo-location, both through GPS coordinates and highly dynamic
`
`location signatures (updating on the millisecond timescale based on observability
`
`of satellites), was also commonly discussed.4
`
`31. Fingerprinting users and devices based on their community of interest,
`
`or the entities with which they regularly communicated was also widely discussed
`
`and applied to spaces including telephony5, email spam6 and intrusion detection7.
`
`32.
`
`In response, the research community also built mechanisms to help
`
`scrub such data from communications to ensure that devices could not be
`
`fingerprinted unless the user/administrator allowed it.8
`
`
`Press, 2007, pp. 99–110).
`3 IA1019 ( J. Angvin and J. Valentino-Devries, “Race Is On to ‘Fingerprint’
`Phones, PCs,” WALL STREET JOURNAL, November 30 2010).
`4 IA1020 (D. Denning and P. MacDoran, Location-Based Authentication:
`Grounding Cyberspace for Better Security, Computer Fraud & Security, 1996:2,
`12-16, 1996).
`5 IA1021 (C. Cortes, D. Pregibon, and C. Volinsky. Communities of interest.
`Lecture Notes in Computer Science, 2189:105–114, 2001).
`6 IA1022 (L. Johansen, M. Rowell, K. Butler, and P. McDaniel, Email
`Communities of Interest, Proceedings of the Conference on Email and Anti-Spam,
`2007).
`7 IA1023 (W. Aiello, C. Kalmanek, P. McDaniel, S. Sen, O. Spatscheck, and J.
`V. der Merwe. Analysis of communities of interest in data networks. Lecture Notes
`in Computer Science, 3431:83–96, 2005).
`8 IA1024 (M. Smart, G.R. Malan, and F. Jahanian, Defeating TCP/IP Stack
`Fingerprinting, Proceedings of the USENIX Security Symopsium, 1999).
`12
`
`
`
`
`
`IA1003
`
`IA1003
`
`

`

`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
`33. Using multiple factors for authentication has also long been known in
`
`the field of information security. The Personal Identification Number (PIN) was
`
`created in parallel with the first Automated Teller Machine (ATM) in 19679. While
`
`static, PINs create a second factor (e.g., beyond the possession of an account
`
`number) by which the authenticity of a transaction can be validated.
`
`V. OVERVIEW OF THE ‘852 PATENT
`
`34.
`
`I understand that this Declaration is being submitted together with a
`
`petition for inter partes review of Claims 1-25 of the ‘852 patent. I have reviewed
`
`the ‘852 patent, the parent ‘448 patent, the file history of the ‘448 patent, the
`
`grand-parent ‘984 patent, the file history of the ‘984 patent, and the ‘474
`
`Provisional to which the ‘852 patent claims priority. In assessing the ‘852 patent, I
`
`have considered the state of the scientific literature before February 3, 2011, in
`
`light of general knowledge in the art before that date.
`
`35. The ‘852 patent specification identifies a number of purported
`
`problems with prior art computer authentication methods such as use of a
`
`“computer fingerprint.” Prior art computer fingerprints according to the ‘852
`
`specification were formed by “calculating a hash of the minutia found on a
`
`computer to uniquely identify the computer.” IA1001, 2:44-45. A drawback of
`
`such fingerprints was that “current fingerprints use a relatively small set of static
`
`9 IA1025 (BBC NEWS, The Man Who invented the Cash Machine (June 25,
`2007)).
`
`
`
`13
`
`
`
`IA1003
`
`IA1003
`
`

`

`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
`minutia which may be prone to spoofing.” Id., 2:51-54. While some prior art
`
`approaches increased the number of minutia to be included in the fingerprint, “as
`
`more minutia are included in the computation, the probability [rises] that changes
`
`occurr[ing] naturally to the minutia can result in a new computer fingerprint,”
`
`resulting in false negatives. Id., 2:63-65.
`
`36. The ‘852 patent purports to solve this problem by “anticipating
`
`changes to the user device or computer” and thus “deliver[ing] a tolerant, yet
`
`secure authentication with fewer false negatives.” Id., 5:40-44. The ‘852 patent
`
`describes methods of formulating cryptographic keys using minutia found on the
`
`computer such that “the computer itself is uniquely identified” by the key. Id.,
`
`5:59-64. Examples of minutia that may be used include hardware, firmware,
`
`software, user secrets, user biometrics, or location information from the device.
`
`37. The ‘852 patent discloses methods by which the alleged invention can
`
`be used to determine that a valid user is using an authenticated computer. All three
`
`independent claims recite an “identity recognition system” using at least two
`
`components (memory and processor(s)) to perform a four-step method to
`
`determine whether or not a device and/or user are authentic. Claim 1 is exemplary
`
`and reads as follows:
`
`[Preamble] An identity recognition system comprising:
`
`[1.a] a non-transitory memory storing information associated with
`
`
`
`14
`
`
`
`IA1003
`
`IA1003
`
`

`

`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
`
`one or more identities,
`[1.b] wherein the information stored for an identity includes (a) data
`values associated with that identity;
`[1.c] and (b) information regarding anticipated changes to one
`or more of the stored data values associated with that identity;
`[1.d] one or more hardware processors in communication with
`the memory and configured to execute instructions to cause the
`identity recognition system to recognize that the presentation of
`identity information by a computer is authentic, by performing
`operations comprising:
`[1.e] generating a challenge to the computer, wherein the
`challenge prompts the computer to provide a response
`based on one or more data values from the computer that
`correspond to one or more of the stored data values
`associated with the identity;
`[1.f] receiving, from the computer, the response to the
`challenge;
`[1.g] determining whether the response is allowable,
`wherein such determining comprises using the stored
`information regarding anticipated changes to the stored
`data values associated with the identity to determine
`whether a data value used to form the response is based
`on an acceptable change to a corresponding stored data
`value;
`[1.h] and recognizing that the presentation of identity
`information by the computer is authentic, according to
`whether the computer has provided an allowable
`15
`
`
`
`
`
`IA1003
`
`IA1003
`
`

`

`response to the challenge.
`
`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
`
`38. As recited above, the claimed identity recognition system includes a
`
`memory storing “data values associated with that identity.” Examples of such data
`
`values are described in the specification as computer minutia and encompass
`
`hardware, firmware, software, user secrets, user biometrics, or location information
`
`from the device. Also stored in the memory is “information regarding anticipated
`
`changes to one or more of the stored data values.” Such changes include “changes
`
`to the minutia caused by updates and natural usage of the computer.” The
`
`specification notes that “behavioral algorithms” can be applied to the minutia.
`
`39. Claim 1 recites a four-step method of using this system. First, the
`
`identity recognition system generates a “challenge” to the computer. The
`
`challenge prompts the computer to provide a response based on one or more data
`
`values (minutia). Second, the identity recognition system receives from the
`
`computer a response to the challenge. Third, the system determines whether the
`
`response is allowable by using the stored information regarding anticipated
`
`changes to the minutia. Lastly, the system “recogniz[es] that the presentation of
`
`identity information by the computer is authentic.”
`
`40.
`
`I understand that Claims 2-23 “depend” from from Claim 1 of the
`
`‘852 Patent because they refer directly to Claim 1 or claims that themselves depend
`
`from Claim 1. The dependent claims are reproduced below:
`
`
`
`16
`
`
`
`IA1003
`
`IA1003
`
`

`

`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
` Claim 2 requires the further limitation that “the identity is associated
`
`with the computer and is a user identity or a device identity.”
`
` Claim 3 requires the further limitation that “the challenge prompts a
`
`response based on one or more user minutia data values.”
`
` Claim 4, which further depends from claim 3, requires the further
`
`limitation that “the operation of determining whether the response is
`
`allowable includes evaluating whether at least a portion of the
`
`response is based on one or more acceptable changes to a user minutia
`
`data value.”
`
` Claim 5, which further depends from claim 4, requires the further
`
`limitation that “the user minutia data values used to determine
`
`whether the response is allowable comprise user secrets, user
`
`customization, entertainment data, bio-metric data, or contacts.”
`
` Claim 6, which further depends from claim 4, requires the further
`
`limitation that “the user minutia data values used to determine
`
`whether the response is allowable comprise calling app data, geo-
`
`location data, frequently called phone numbers, email, or network
`
`connection data.”
`
` Claim 7 requires the further limitation that “a stored data value is used
`
`to generate at least a portion of the challenge, and wherein the
`
`
`
`17
`
`
`
`IA1003
`
`IA1003
`
`

`

`IPR of USPN 9,559,852
`Declaration of Dr. Patrick Traynor
`determining operation comprises evaluating whether the data value
`
`used to form the response is the same as the stored data value.”
`
` Claim 8 requires the further limitation that “a change to the stored
`
`data value is acceptable when the data value used to form the response
`
`is within a set of acceptable values for the stored data value that are
`
`determined independently from receiving the response from the
`
`computer.”
`
` Claim 9, which futher depends from claim 8, requires the further
`
`limitation that “the set of acceptable values includes one or more
`
`values based on anticipated changes to the data value.”
`
` Claim 10, which further depends from claim 8, requires the further
`
`limitation that “the set of acceptable values includes one or more
`
`values based on anticipated changes to the data value, based on
`
`industry updates to hardware, firmware, or software elements.”
`
` Claim 11, which further depends from claim 8, requires the further
`
`limitation that “the set of acceptable values includes one or more
`
`values based on an anticipated user customization of the computer.”
`
` Claim 12, which further dep