Electronic ID service provider off the hook in patent infringement case

On 10th February 2010 the Oslo District Court returned its judgment in a high-profile patent infringement and nullity case. Danish company Cryptomathic had brought a patent infringement action against Bankenes Betalingssentral (BBS) - one of the largest suppliers of electronic identification services in the Nordic region - potentially threatening to stop a substantial part of BBS’s services. BBS responded by, among other things, bringing a nullity action. The two cases were heard and decided in conjunction.

Cryptomathic’s patent relates to a device and methods for signing electronic data with an advanced digital signature based on public key infrastructure, whereby the central infrastructure includes both a signature server and an authentication server. The private keys of the private-public key pairs of a number of users are stored centrally in the signature server. Using a workstation, the user can access the system through a secure channel that has been set up for this purpose. The user provides a derived version of a password to the signature server based on information previously received from the authentication server through an alternative channel. The authentication server provides the signature server with a derived version of the same information through a permanently secured tunnel between the servers. This information is compared to that provided by the user. If they match, the data received from the user is signed with the user’s private key.

Cryptomathic argued that, through its BankID system, BBS was infringing the patent by equivalent means, and requested an injunction and damages to be fixed by the court at its discretion.

BBS contended that it was not infringing the patent, and further claimed that the patent should be declared invalid.

The Oslo District Court, comprising a judge and two technical experts, dismissed BBS’s claim that Cryptomathic’s patent was invalid for lack of novelty and inventive step. The court expressly stated that it attached importance to the fact that both the Norwegian Patent Office and the European Patent Office had held the invention to be patentable. On this issue, the court reached a unanimous decision.

With regard to the question of infringement, the court found, by a majority of two to one, that BBS had not infringed the patent. The majority held that BankID was not equivalent to the patent’s solution. The court held that even though BankID uses one-off passwords stored in a separate server, as the patented solution does, BankID’s security is not achieved through this, but rather by the use of a permanent password in connection with various cryptographic techniques. The majority found that the patent does not require or suggest the use of a permanent password in addition to the one-off password; rather, the patent’s security is based solely on the separation of the signature and authentication servers. Further, the patent calls for the use of a hash value (a one-way encrypted version) of the one-off password, whereas BankID uses two-way encryption (a cipher text encryption). The majority held that the requirement for equivalence, namely that the difference between the patented and the allegedly infringing solutions amount to no more than a modification that is obvious to the average skilled person, had not been fulfilled.

The dissenting judge considered the solutions to be fully equivalent.

Pending a final decision in this case, the most interesting legal aspect is the court's reference to decisions of the European Patent Office and the Norwegian Patent Office. From a business point of view, a final decision in Cryptomathic’s favour will force BBS to request and negotiate a licence from Cryptomathic, which has been open to this option all along.

The judgment has been appealed. 

This is an Insight article, written by a selected partner as part of IAM's co-published content.
