MEMORANDUM AND ORDER ON PRE-DISCOVERY CLAIM CONSTRUCTION

RICHARD G. STEARNS, District Judge.

In these intellectual property disputes, plaintiff StrikeForce Technologies, Inc., asserts infringement claims of U.S. Patents Nos. 8,484,698 (the '698 patent) and 8,713,701 (the '701 patent) against two sets of defendants: Gemalto, Inc., Gemalto N.V., and SafeNet, Inc. (collectively Gemalto); and Vasco Data Security, Inc. Given the similar subject matter, the parties elected to consolidate pre-trial proceedings. Accepting their proposal, the court bifurcated the Markman hearing and agreed to undertake pre-discovery claim construction of three groups of key disputed terms. See Markman v. Westview Instruments, Inc., 517 U.S. 370 (1996). The court received tutorials in the underlying technology and heard argument on August 30, 2017.

THE ASSERTED PATENTS

Both the '698 and '701 patents are entitled "Multichannel Device Utilizing a Centralized Out-of-Band Authentication System (COBAS)." Both patents list Ram Pemmaraju as the sole inventor. The '698 patent was issued on July 9, 2013. The '701 patent was issued on April 29, 2014.

The '701 patent's application is a continuation of the application that led to the issuance of the '698 patent.1 Both patents are directed to "[a] multichannel security system . . . for granting and denying access to a host computer in response to a demand from an access-seeking individual and computer." '698 patent, Abstract. According to the inventor, at the time of the invention, computer security "access control products authenticate[d] only the user and not the location." Id. col. 2, ll. 40-41.

Id. col. 2, ll. 31-36. Dialing back to the originating modem was a feasible means of location verification when computer networks could be accessed only through modems. See id. col. 2, ll. 42-45. However, today's computer networks are typically accessible by modem-independent internet connections and "there is no necessary connection between the internet address and a location." Id. col. 2, ll. 46-53.

The asserted patents address the perceived security weakness through a "unique combination of user and host authentication." Id. col. 4, ll. 34-35.

Id. col. 4, ll. 34-42. Figure 1A, reproduced below, exemplifies an embodiment of the invention in a wide area network (WAN) environment.

Id. col. 6, ll. 33-43.

The patents also disclose embodiments in local area network (LAN) and internet settings. The second embodiment is "applied to the intranet in which an internal accessor in a local area network seeks entry into a restricted portion of the host system." Id. col. 5, ll. 46-48.

Id. col. 12, ll. 43-50; see also Fig. 10. "Th[e third] embodiment describes the application of the security system to access over the Internet." Id. col. 12, ll. 65-67.

Id. col. 13, ll. 7-23; see also Fig. 11.2

Claim 1 of each asserted patent is emblematic.

'698 patent claim 1.

A software method for employing a multichannel security system to control access to a computer, comprising the steps of:

'701 patent claim 1.

A security system for accessing a host computer comprising:

an access channel comprising:

an authentication channel comprising:

(Emphasis added to highlight disputed terms.) For purposes of this threshold Markman proceeding, the parties dispute the construction of the terms "host computer," "access channel" / "first channel" and "authentication channel" / "second channel," and "multichannel security system" / "security system."3

DISCUSSION

Claim construction is a matter of law. See Markman, 517 U.S. at 388-389. Claim terms are generally given the ordinary and customary meaning that would be attributed by a person of ordinary skill in the art in question at the time of the invention. Phillips v. AWH Corp., 415 F.3d 1303, 1312-1313 (Fed. Cir. 2005) (en banc) (citations omitted). In determining the understanding of this hypothetical person of ordinary skill in the art, the court looks to the specification of the patent, its prosecution history, and in those instances where appropriate, extrinsic evidence such as dictionaries, treatises, or expert testimony. Id. at 1315-1317. Ultimately, "[t]he construction that stays true to the claim language and most naturally aligns with the patent's description of the invention will be, in the end, the correct construction." Id. at 1316 (citation omitted).

"host computer"

The parties agree that a "host computer" is something "to which an accessor is attempting to gain access." However, they part company on two particulars. First, StrikeForce contends that, consistent with instances where a user accesses a secure website on a web server or a secure portion of a website, see '698 patent, claim 3 ("wherein a host computer is a web server"), a "host computer" may be "a computer or a restricted portion thereof." Defendants protest the inclusion of the phrase "restricted portion." As defendants see it, while the patentee certainly knew how to describe a "restricted portion of the host system," as he did in explicating Figure 10, see id. col. 5, ll. 45-48; he nonetheless expressly directed his claims simply to a "host computer." Consequently, both the "restricted portion" and the embodiment illustrated in Figure 10 are excluded by the claims.

In the court's view, defendants' reading of the specification is much too narrow. Although it is true that the "restricted portion" language was used only in describing Figure 10, it is not a unique feature of that embodiment.4 In all the embodiments of the patents, a user may attempt to access a specific portion of a computer rather than the undivided system. Figure 1A, which defendants concede discloses a covered embodiment, shows a user attempting to access specific content in the form of a webpage "xyz.com" — that is, a restricted portion of a computer — hosted on a web server. In describing the details of this embodiment, the patents in numerous instances recite a web server as an exemplar of a "host computer." See id. Fig. 7 (block numbered 34 is "host computer or web server or router;" id. col. 7, l. 36 ("host computer or web server"); id. col. 8, ll. 41-42 (same); id. col. 8, l. 45 (same); id. col. 9, ll. 25-26 (same); id. col. 12, l. 24 (same). Indeed, claim 40 of the '698 patent expressly delineates a "host computer or web server." In addition, the patentee used parallel language in describing access to the webpage of the Figure 1 WAN embodiment as well as the secure database of the Figure 10 LAN embodiment. Compare id. col. 6, ll. 38-39 ("user 24 requests access to a web page 32 located at a host computer or web server 34.") with id. col. 12, ll. 44-46 ("user 224 requests access to a high security database 232 located at a host computer 234 through computer 222."). A construction of a "host computer" must therefore, consistent with all the embodiments, encompass seeking access to a restricted portion of a computer.

Second, defendants maintain that a "host computer" is one to which "no information from an accessor is allowed to enter unless access is granted by the security computer." Defendants offer several arguments in support of the additional constraint. Because the purpose of the claims is to determine whether a user is authorized to access the host computer, until the security computer "output[s] an instruction . . . to the host computer to grant access," id. claim 1, the user is denied access to the host computer. In the specification, the patentee emphasized the interception feature of the invention. See, e.g., id. col. 6, ll. 40-42 ("[T]he request-for-access is diverted by a router 36 internal to the corporate network 38 to an out-of-band security network 40."). In like fashion, during the reexamination of the parent '599 patent, the patentee distinguished prior art on the concept of interception. See, e.g., Gabberty Decl., Defs.' Ex. 20 at SF_1016 ("[T]he Walker patent does not disclose intercepting a user's (accessor's) login prior to allowing the user access to a host computer."). According to defendants, because the login information is diverted to the out-of-band security network, it follows that no user information reaches the host computer unless and until the security computer grants access.

StrikeForce counters, and the court agrees, that while the claims require that a user is not granted access to the host computer until the security computer gives permission, the user may have prior contact with the host computer. As a threshold matter, how or when a user may contact a host computer is not an attribute inherent in the "host computer" itself. Nor did the patentee suggest that it is. It is the claimed components and steps of the invention that control user authentication and access. Although the majority of the claims of the asserted patents include an interception limitation,5 not all do. Claims 25 and 53 of the '698 patent both recite a "host computer" but do not claim an interception device or step. See Phillips, 415 F.3d at 1314 ("Because claim terms are normally used consistently throughout the patent, the usage of a term in one claim can often illuminate the meaning of the same term in other claims.").

'698 patent claim 53.

A software method for employing a multichannel security system to control access to a computer, comprising the steps of:

Unlike claims that recite an interception device or step, claim 53 does not identify a specific component that must receive the login information in the first channel.6 Without such a limitation, claim 53 is broad enough to encompass methods whereby the host computer itself receives the login information before relaying it to the security computer. Indeed, this is disclosed in both the third and fourth embodiments of the patent. "The user from a computer 322 accesses the web application over an access channel and enters their USER ID. The web server 334 sends the USER ID to the security system 340, also referred to as the centralized out-of-band authentication system (COBAS)." Id. col. 13, ll. 9-13 (emphasis added); see also id. col 14, ll. 7-10. Figure 11, which illustrates the third embodiment, is reproduced below.7, 8

Because diverting the user login information is a function of an interception device or step, and not a function of the host computer, the court will not read the diversion requirement into the term "host computer." See Ventana Med. Sys., Inc. v. Biogenex Labs., Inc., 473 F.3d 1173, 1181 (Fed. Cir. 2006) ("When the claim addresses only some of the features disclosed in the specification, it is improper to limit the claim to other, unclaimed features."). "Host computer" will therefore be construed as "a computer (or a restricted portion thereof) to which the accessor is attempting to gain access."

In essence this is a dispute over the meaning of the term "out-of-band." Although the term "out-of-band" does not appear in any claim, it figures prominently in the title of the patents and the written description. Unlike prior art "in-band authentication systems with the data and the authentication information on the same network," '698 patent, col. 2, ll. 33-34, "[t]he security system of the present invention is out-of-band with respect to the host computer," id. col. 4, ll. 34-35.

Id. col. 4, ll. 52-57. "[A]n `out-of-band' system is defined herein as one having an authentication channel that is separated from the information channel." Id. col. 6, ll. 19-20.

Consistent with the specification, the parties agree that the "access channel" or "first channel" is "an information channel," that the "authentication channel" or "second channel" is "a channel for performing authentication," and that the two channels are separate in the sense that the authentication channel is "out-of-band." They dispute, however, the degree of separation required for a channel to be "out-of-band." StrikeForce argues that information in the two channels may be "carried over separate facilities, frequency channels, or time slots than those used by the authentication channel/second channel." Defendants maintain that the two channels must "not share any facility."

In support of its position, StrikeForce notes that its understanding of "out-of-band" is a meaning accepted by persons of ordinary skill in the art, demonstrated by the standard definition for "out-of-band signaling" contained in Newton's Telecom Dictionary. See Pl.'s Ex. 8. In addition, StrikeForce's proposed definition is also explicitly recited in the specification of the patents.

Id. col. 3, ll. 12-19.

Defendants point out that the broader "out-of-band" definition relied on by StrikeForce is set out in the BACKGROUND section of the specification discussing and disparaging prior art, and does not describe the patented invention. With respect to the invention itself, defendants contend, and the court agrees, that the patentee acted as his own lexicographer in adopting a narrower definition. See Thorner v. Sony Computer Entm't Am. LLC, 669 F.3d 1362, 1365 (Fed. Cir. 2012) ("To act as its own lexicographer, a patentee must `clearly set forth a definition of the disputed claim term' other than its plain and ordinary meaning." (citation omitted)). "[A]n `out-of-band' system is defined herein as one having an authentication channel that is separated from the information channel and therefore is nonintrusive as it is carried over separate facilities than those used for actual information transfer." '698 patent, col. 6, ll. 19-23 (emphasis added).

This understanding is also the one that was relied upon by the patentee during prosecution. During prosecution of the '297 application, the patentee distinguished the Tuai prior art on the in-band/out-of-band distinction. Tuai disclosed a "controller 15 [] interconnected between the host computer 10 and the modem 12," U.S. Patent 5,153,918, col. 4, ll. 2-3, and that "the capabilities of the central access controller 15 also include the optional call-back measure to enhance the security of the communication system," id. col. 8, ll. 3-5. The patentee argued that the central controller was "in-band" and while it performs either an access or an authentication function at different times, "an in-band call back device operating after verification is not an out-of-band device which is integral in providing verification." Defs.' Ex. 15 at SF_714.

Similarly, during the prosecution of the '599 parent patent, the patentee distinguished the LaDue prior art, which disclosed "logically defined control channels," U.S. Patent No. 6,088,431, col. 8, l. 47, including an "authentication channel," id. col. 8, ll. 52-53. The patentee argued that the logically defined channels would not, in combination with Tuai, motivate the patented invention because the claimed system involved "the extra step of . . . adding a completely separate authentication channel." Defs.' Ex. 16 at SF_121.

Finally, during the reexamination of the '599 parent patent, the patentee summarized his invention as "an `out-of-band' network security system having an authentication channel that is separated from an information (i.e. `access') channel and therefore is noninstrusive as the authentication channel is carried over separate facilities than those used for actual information transfer." Defs.' Ex. 19 at SF_994. In support of the same reexamination, the patentee also submitted an expert declaration distinguishing the Woodhill prior art, inter alia, as not disclosing "an out-of-band authentication channel that is separate from an access channel," because although Woodhill disclosed two channels, "both access and authentication merge in the same network (like the Internet)." Gabberty Decl., Defs.' Ex. 20 at SF_1017.

In light of the specification's clear and consistent definition (as reflected in the prosecution history), StrikeForce's rebuttal arguments fail. StrikeForce insists that because the patents require communication between the access and authentication channels, see, e.g., '698 patent, claim 2 ("the security computer receives the demand and login identification from the interception device"), the two channels necessarily share facilities. However, that a security computer may receive data from two channels does not place the security system into both channels. Claim 1, upon which claim 2 depends, is clear that while the "interception device [is] in a first channel," the "security computer [is] in a second channel."

StrikeForce also suggests that weight should to be accorded to the dropping of a narrower interpretation of "out-of-band" that appeared in the abandoned '297 application from the issued patents. See MPHJ Tech. Investments, LLC v. Ricoh Americas Corp., 847 F.3d 1363, 1369 (Fed. Cir. 2017) ("[I]t is the deletion from the '798 Provisional application that contributes understanding of the intended scope of the final application."). During the prosecution of the '297 application, the patentee inserted in the specification the admonition that "[a]n `out-of-band' operation is defined herein as one conducted without reference to the host computer or any database in the network." Defs.' Ex. 13 at SF_657. The "without reference" sentence was removed from the specification when the patentee submitted the applications for the subsequently issued patents.

In MPHJ, the Court found the deletion of the provisional application step significant because "[t]he '173 Patent in its final form contains no statement or suggestion of an intent to limit the claims to the deleted one-step operation." 847 F.3d at 1369. In contrast, while the admonitory language does not appear verbatim in the patents at issue here, the specification continues to emphasize the physical independence of the authentication channel from the access channel. See '698 patent, col. 6, ll. 44-47 ("This is in contradistinction to present authentication processes as the out-of-band security network 40 is isolated from the corporate network 38 and does not depend thereon for validating data."); id. col. 12, ll. 58-61 ("This is in contradistinction to present authentication processes as the out-of-band security network 240 is isolated from the corporate network 238 and does not depend thereon for validating data."); id. col. 14, ll. 4-7 ("The security system 420 has two distinct and independent channels of operation, namely, the access channel and the authentication channel."). The persistent emphasis on "isolat[ing]" the "distinct and independent" authentication channel from the access channel in all the disclosed embodiments also traverses StrikeForce's contention that the narrower definition was only descriptive of the Figure 1A WAN embodiment and not of the invention as a whole.9

Consistent with the patentee's own definition and use of the term "out-of-band" in the specification and the prosecution history, the court will construe "access channel" / "first channel" as "an information channel that is separate from and does not share any facility with the authentication channel;" and "authentication channel" / "second channel" as "a channel for performing authentication that is separate from and does not share any facilities with the access channel."

"multichannel security system" / "security system"

The terms "multichannel security system" and "security system" appear in the preamble of all but one of the independent claims.10 Defendants contend that these terms are limiting, arguing that they should be construed as "a system that operates without reference to a host computer or any database in a network that includes the host computer." StrikeForce maintains that the terms are not limiting, but proposes in the alternative the following construction: "a security system including an access/first channel and an authentication/second channel."

Defendants' proposed construction incorporates the language that was removed from the '297 application. Although defendants accurately note that during prosecution the patentee distinguished prior art based on the multichannel/out-of-band nature of the claimed invention, see Catalina Mktg. Int'l, Inc. v. Coolsavings.com, Inc., 289 F.3d 801, 808 (Fed. Cir. 2002) ("[C]lear reliance on the preamble during prosecution to distinguish the claimed invention from the prior art transforms the preamble into a claim limitation because such reliance indicates use of the preamble to define, in part, the claimed invention."), the court agrees with StrikeForce that the claim elements set out the comprehensive constituent components or steps of the claimed systems and methods independent of the disputed preamble terms, see id. at 808 ("[A] preamble is not limiting `where a patentee defines a structurally complete invention in the claim body and uses the preamble only to state a purpose or intended use for the invention.'" (citation omitted)). That the claimed systems or methods are "out-of-band" is already captured by the incorporation of that requirement in the construction of the access and authentication channels.11 Inserting the same limitation into the preamble but using different words is both redundant and confusing. See O2 Micro Intern. Ltd. v. Beyond Innovation Tech. Co., 521 F.3d 1351, 1362 (Fed. Cir. 2008), quoting U.S. Surgical Corp. v. Ethicon, Inc., 103 F.3d 1554, 1568 (Fed. Cir. 1997) (The purpose of claim construction is to "clarify," "not an obligatory exercise in redundancy."). Thus, the court will not construe the preamble's recitation of a "multichannel security system" / "security system" as a claim limitation.

ORDER

The three sets of claim terms at issue will be construed for the jury and for all other purposes in a manner consistent with these rulings of the court.

SO ORDERED.