CosmoKey Gets a Duo-Over – Federal Circuit Panel Reverses Finding of Ineligibility

In CosmoKey Solutions GMBH & Co. KG v. Duo Security LLC, No. 2020-2043 (Fed. Cir. Oct. 4, 2021), the Federal Circuit reversed a finding of ineligibility for claims directed to a computer authentication method.

CosmoKey’s patent is directed to an authentication method that requires a user to activate a timed authentication function on a mobile device to log into a computer. Duo Security moved for judgment on the pleadings. The district court found the claims ineligible under § 101, specifically finding that the claims were directed to the abstract idea of “authentication” at step one of Alice, and that the remaining elements were generic computer functionality at step two.

The Federal Circuit reversed. The majority first stated it was “not convinced” the claims were broadly “directed to” authentication, instead noting the focus of the claims and the specification on the activation of a timed authentication function. Nonetheless, according to the majority, answering this question at step one was “unnecessary” because the claims were eligible at step two for reciting a specific improvement to authentication that “increases security, prevents unauthorized access by a third party, is easily implemented, and can advantageously be carried out with mobile devices of low complexity.”

Judge Reyna concurred in the judgment, but did so by resolving the inquiry at step one, finding the claims directed to a “specific improvement to authentication.” He viewed the majority’s decision to skip step one and resolve the inquiry at step two as “turn[ing] the Alice inquiry on its head.” He noted that, without the step one analysis, it is difficult to determine whether “additional elements transform the nature of the claim into a patent-eligible application” of an abstract idea.

© 2021 Finnegan, Henderson, Farabow, Garrett & Dunner, LLP

Online Behavioral Advertising: Industry Guides Require Real Time Notice When Data Are Collected or Used for Personalized Ads

Greenberg Traurig Law firm

WHAT’S COVERED?

Online behavioral advertising (OBA) has become a very common tool for commercial websites. OBA can be defined as follows:

the collection of data online from a particular computer or device regarding web viewing behaviors over time and across Web sites for the purpose of using such data to predict preferences or interests and to deliver advertising to that computer or device presumed to be of interest to the user of the computer/device based on observed Web viewing behaviors.

OBA might be implemented by use of cookies directly on a company’s website by the company itself. Or it might occur through technology embedded in ads from other parties displayed on the company’s site. Either way, the operators of commercial websites need to be aware when OBA is occurring on their sites and should be taking steps to provide greater transparency about OBA occurring on their sites.

WHAT’S THE CONCERN?

While the use of OBA is largely unregulated by law in the U.S. at this time, its spread has generated concern among privacy advocates. Of particular concern is the gathering of data about consumers without their knowledge where such information is supposed to be anonymous but advances in technology make it more and more possible to link that information to individuals (not just devices) through combination with other information. Examples can include information about health conditions and other sensitive information gleaned by watching the sites a user visits, the searches he/she conducts, etc. Key characteristics of OBA include that it is: (a) invisible to the user; (b) hard to detect; and (c) resilient to being blocked or removed.

In an effort to stave off government regulation of OBA in the United States, the Digital Advertising Alliance (DAA), a consortium of the leading advertising trade associations, has instituted a leading set of guidelines. Based on standards proposed by the Federal Trade Commission, the DAA Self-Regulatory Program is designed to give consumers enhanced control over the collection and use of data regarding their Internet viewing for OBA purposes.

WHAT’S REQUIRED?

The key principles of the DAA’s guides are to provide greater transparency to consumers to allow them to know when OBA is occurring and to provide the ability to opt out. For commercial website operators that allow OBA on their sites, the compliance implications are as follows:

  1. First Party OBA. First Parties are website operators/publishers. If a company simply gathers information for its own purposes on its own site, it is generally not covered by the guidelines. However, as soon as the First Party allows others to engage in OBA via the site, it has a duty to monitor and make sure that proper disclosures are being made and even to make the disclosures itself if the others do not do so, including assuring that “enhanced notice” (usually the icon discussed below or a similar statement) appears on every page of the First Party’s site where OBA is occurring.

  2. Third-Party OBA. Third parties are ad networks, data companies/brokers, and sometimes advertisers themselves, who engage in OBA through ads placed on other parties’ sites. These Third Parties should provide consumers with the ability to exercise choice with respect to the collection and use of data for OBA purposes. (See below on how to provide recommended disclosures.)

  3. Service Providers. These are providers of Internet access, search capability, browsers, apps or other tools that collect data about sites a user visits. Service Providers generally are expected to provide clear disclosure of OBA practices which may occur via their services, obtain consumer consent for such practices, and provide an easy-to-use opt-out mechanism.

HOW TO COMPLY

Generally, Third Parties and Service Providers should give clear, meaningful, and prominent notice on their own websites that describes their OBA data collection and use practices. Such notice should include clear descriptions that include:

  • The types of data collected online, including any PII for OBA purposes;

  • The uses of such data, including whether the data will be transferred to a nonaffiliate for OBA purposes;

  • An easy to use mechanism for exercising choice with respect to the collection and use of the data for OBA purposes or to the transfer of such data to a nonaffiliate for such purpose; and

  • The fact that the entity adheres to OBA principles.

In addition, “enhanced notice” should appear on each and every ad (or page) where OBA is occurring. The “enhanced notice” means more than just traditional disclosure in a privacy policy. It means placement of a notice on the page/ad where OBA is occurring. The notice typically is given in the form of the following icon (in blue color) which should link to a DAA page describing OBA practices and providing an easy-to-use opt-out mechanism:

[Image: online behavioral advertising icon]

The icon/link should appear in or around each ad where data are collected. Alternatively, it can appear on each page of a website on which any OBA ads are being served. It is normally the duty of the advertisers (Third Parties) to deploy the icon. However, if they fail to do so, then the operator of the site where the OBA ads appear has the duty to make appropriate real-time disclosures about OBA on each page where OBA activity is occurring, including links to the DAA page describing OBA practices and providing an easy-to-use opt-out mechanism.

ENFORCEMENT

The DAA is taking its OBA guidelines seriously. It has issued sets of “compliance warnings” to many major U.S. companies. While DAA has no direct authority to impose fines or penalties, its issuance of a ruling finding a violation of its guidelines could create a tempting target for the FTC or plaintiffs’ class action lawyers to bring separate actions against a company not following the DAA guidelines. For all these reasons, operators of websites employing OBA (either first party or third party) should pay heed to the DAA Guidelines.

Supreme Court to Consider Case on Patent Eligibility of Computer-Implemented Inventions

On December 6, 2013, the Supreme Court agreed to consider Alice Corp. v. CLS Bank International, a case concerning the patent eligibility of computer-implemented inventions. The Court will review a split decision issued by the en banc Federal Circuit in May 2013. In that decision, seven of 10 judges concluded Alice Corporation’s claims to computer-based methods for minimizing settlement risk in financial transactions, as well as claims to computer-readable media containing program code for performing such methods, constituted patent-ineligible subject matter under § 101. The judges split evenly, however, regarding the patent eligibility of Alice’s remaining claims to computerized systems for performing such transactions. Given the stark differences of opinion expressed by members of the Federal Circuit, it was widely predicted that the Supreme Court would step in to settle the dispute. The Court’s decision could have significant implications for the computer hardware and software industries, as well as for patent eligibility standards in general.

The Supreme Court is expected to hear arguments in early 2014, and a decision is expected by the end of the term in June 2014. The case number is 13-298.

Michael Best & Friedrich LLP