HTTPS lawsuits, a new low for patent trolls

Obvious troll

Patent trolls are a blight on the tech industry, extorting licence fees for “inventions” that they never implemented, sitting on broad claims until enough people are deemed to be using the technology and then suing them. These are not innovators; they are often just shells made up of an empty office in Texas that has never produced a single line of code.

Now dozens of companies are being sued by a patent troll, CryptoPeak, because they use the HTTPS protocol, which it claims infringes its patent. We know this is a patent troll because it is a company that doesn’t sell anything, doesn’t produce any applications, doesn’t even have a website, and seems to be made up of just one lawyer. The subject of contention is US Patent 6,202,150 (the 150 patent), protecting a method of “Auto-escrowable and auto-certifiable cryptosystems”. This is a patent protecting a specific variation of public-key encryption that supposedly relies on a self-verifiable algorithm that does not require third-party trust systems.

Perhaps it is necessary to quickly explain private-key and public-key cryptography to see just how basic the patent claims are. Using a box and key analogy, in symmetric (private-key) cryptography if you have a secret you place it in a box and lock it with a key. Only a person with the key can open the box, but the key can be copied, so others would be able to open the box. In asymmetric (public-key) cryptography, the lock has two keys, and both are necessary to open the box as each can perform half of the opening sequence. One key is placed in a public space and can be used and copied by everyone, while the other key is held only by the key holder. The public key can be used to lock the box, but the box can only be opened with the private key.

Sorry Zuul, he has the wrong private key

While the above analogy is an over-simplification (you can do other things with private keys, such as verify the author of a document), it may suffice to explain the claims in the patent. Public-key cryptography as such pre-dates the 150 patent, which was filed in 1997 and published in March 2001; the concept was actually formulated in 1970, and the first implementation of the concept was the RSA encryption algorithm in 1973. Further implementations and algorithms have been formulated since, and many of these standards do have patents protecting them, such as Diffie-Hellman (US Patent 4,200,770), RSA (US Patent 4,405,829), DSA (US Patent 5,231,668), and perhaps most importantly, the Fair Public Key Cryptosystem (US Patent 5,315,658, hereafter the 658 patent).
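To make the box-and-key analogy above concrete, here is an added toy example (not code from the original post, and not the cryptosystem described in the 150 patent): a textbook RSA keypair where the public key “locks” a secret, only the matching private key “opens” it, and the private key can also sign a document so that anyone holding the public key can check who wrote it. The key sizes, the 4-byte block format and the two parties (Alice and Bob) are all constructed for illustration; the modulus is far too small and there is no padding, so nothing here is fit for real use.

```python
"""Toy textbook RSA illustrating the box-and-key analogy (added example).

Constructed, deliberately tiny parameters (~41-bit modulus, no padding):
this shows the public-lock / private-open relationship and signing,
and is NOT a secure or standards-conforming implementation.
"""
import hashlib
from math import gcd

CHUNK = 4            # secret bytes per RSA block
BLOCK = CHUNK + 1    # one length byte + CHUNK bytes; 2**40 < every modulus used here


def is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; the fixed witness set is exact for n < 3.3e24."""
    witnesses = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    if n in witnesses:
        return True
    if any(n % w == 0 for w in witnesses):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in witnesses:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def first_prime_after(start: int) -> int:
    n = start + 1
    while not is_probable_prime(n):
        n += 1
    return n


def make_keypair(p: int, q: int):
    """Return ((e, n), (d, n)): the public 'lock' and the private 'key'."""
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:   # safeguard; practically never loops
        e += 2
    d = pow(e, -1, phi)       # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def lock(public_key, secret: bytes) -> list:
    """Anyone holding the public key can lock the box (encrypt)."""
    e, n = public_key
    boxes = []
    for i in range(0, len(secret), CHUNK):
        chunk = secret[i:i + CHUNK]
        block = bytes([len(chunk)]) + chunk.ljust(CHUNK, b"\0")  # always BLOCK bytes
        boxes.append(pow(int.from_bytes(block, "big"), e, n))
    return boxes


def open_box(private_key, boxes: list):
    """Recover the secret; returns None when the key does not produce a well-formed block."""
    d, n = private_key
    out = b""
    for c in boxes:
        m = pow(c, d, n)
        if m >= 1 << (8 * BLOCK):
            return None                     # residue too large: wrong key
        block = m.to_bytes(BLOCK, "big")
        length = block[0]
        if not 1 <= length <= CHUNK:
            return None                     # malformed length byte: wrong key
        out += block[1:1 + length]
    return out


def sign(private_key, message: bytes) -> int:
    """The private key 'locks' a digest; anyone with the public key can check it."""
    d, n = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    e, n = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


# Constructed, deterministic key material so the run is reproducible.
ALICE_PUB, ALICE_PRIV = make_keypair(first_prime_after(10**6), first_prime_after(2 * 10**6))
BOB_PUB, BOB_PRIV = make_keypair(first_prime_after(3 * 10**6), first_prime_after(4 * 10**6))

if __name__ == "__main__":
    secret = b"meet at the bridge"
    boxes = lock(ALICE_PUB, secret)                 # anyone can lock for Alice
    print("Alice opens:", open_box(ALICE_PRIV, boxes))
    print("Bob's key:  ", open_box(BOB_PRIV, boxes))  # wrong private key
    sig = sign(ALICE_PRIV, b"contract v1")
    print("Signature valid:", verify(ALICE_PUB, b"contract v1", sig))
    print("Tampered doc:   ", verify(ALICE_PUB, b"contract v2", sig))
```

Running it shows the two halves of the analogy: Alice’s private key recovers the message while Bob’s (or the public key used as if it were private) does not, and a signature made with Alice’s private key verifies only against her public key and the unmodified document.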

I think that the Fair Cryptosystem patent is quite relevant because it covers an invention that is similar to that described in the 150 patent. The 658 patent describes a system that breaks the private key into shares and places them in an escrow system, where they are given to trustees, only a specified quorum of whom can reconstruct the key. Think horcruxes in Harry Potter. The 150 patent creates a method of auto-recoverable and auto-certifiable cryptography (ARC), in which the keys are generated by a key generation mechanism together with a certificate proving that the key was generated according to the algorithm. The main difference is that the ARC protocol does not need trusted third parties, while the Fair Cryptosystem does.

There are several issues here. As far as I can tell, the ARC described in the 150 patent is not a popular method in any sense of the word, and I cannot find any reference to specific uses of this implementation of public-key encryption. On the contrary, HTTPS was first used in 1994 by the Netscape browser using SSL protocols. Furthermore, the TLS standard protocol documents also pre-date the patent publication date. So if the patent troll is trying to attack HTTPS alone, it should be evident that the patent is invalid. The problem is that CryptoPeak argues that current HTTPS implementations use Elliptic Curve Cryptography (ECC), and it claims that this is covered by its patent. There are problems with the claim, as ECC originates from 1985, and the 150 patent doesn’t even mention it in any of the claims. So if they argue that ECC is covered by their patent, they would be invalidating it because of prior art.

The plaintiff’s key argument is to re-jig its own patent to try to cover something that is actually not covered by the patent; the patent does not even mention it! On the contrary, if the patent really were for ECC, then it would have to be declared invalid. Furthermore, CryptoPeak seems to have been aware of some of the limitations of the patent, and has asked for the claims to be read in a different manner from the awarded patent! Netflix, one of the defendants, has accurately called this tactic what it is, asking for immediate dismissal.

I hope that those sued will stand their ground and not give in to this blatant effort to misuse a patent. Patent trolls must be stopped; for too long they have managed to get money from the true creators and innovators in the market.
