Microsoft loses another jury verdict, this time over obviousness of VPN patent

Usually the purpose of a virtual private network is to establish a secure, tunneled route between two points in an IP network. Is the idea that such a network could be secured using two encryption layers rather than one, and without the need for a user to log in first, worthy of a patent? These were questions central to the latest Tyler, Texas patent infringement case for Microsoft to lose: VPN technology provider VirnetX was awarded $105.75 million yesterday, in a case closely followed by the Seattle P.I.'s Nick Eaton.

It's clear from a reading of VirnetX's key patent on VPN technology, issued in 2002, that it is an attempt to go one step further with the VPN concept. The firm calls its system Tunneled Agile Routing Protocol (TARP). Here, the communications between VPN hosts are encrypted at one level, but then the routing information is hidden behind a second level. The intent is to hide not only what's being talked about or shared over a VPN, but who is sharing it, and what route it's taking to get there.

"Each TARP packet's true destination is concealed behind a layer of encryption generated using a link key," reads a portion of the summary from US Patent #6,502,135. "The link key is the encryption key used for encrypted communication between the hops intervening between an originating TARP terminal and a destination TARP terminal. Each TARP router can remove the outer layer of encryption to reveal the destination router for each TARP packet. To identify the link key needed to decrypt the outer layer of encryption of a TARP packet, a receiving TARP or routing terminal may identify the transmitting terminal by the sender/receiver IP numbers in the cleartext IP header.
Once the outer layer of encryption is removed, the TARP router determines the final destination."

Microsoft implemented its own interpretation of VPN technology for Office Communicator, the endpoint for the company's bold Unified Communications project -- its effort to render the phone networks, and PBXes that support them, obsolete. To make the Internet work more like a phone, people using a telephone console need to be able to pick up the receiver and dial. They shouldn't have to go to some dialog box and log in. Avoiding that option is what UC tries to do, and is one of the acts for which VirnetX cried foul.

In hearings last July (which Eaton also covered closely), Microsoft defended itself by asserting that the whole point of a VPN is to establish both secure and anonymous communications between points, so the idea that VirnetX was somehow inventing the addition of anonymity was absurd. If you doubt that a VPN is supposed to be anonymous, counsel argued, just look it up in a glossary. Which the judge did, and that got into a wholly separate argument over the quality of glossaries, resulting in the judge in the case issuing his own glossary for the jury to interpret as fact.

An excerpt from Judge Leonard Davis' opinion last July shows the extent of the argument over how deeply a glossary may define a concept, especially if that concept may be proof of "prior art" that could invalidate a patent (PDF available here, from SeattlePI.com): "Microsoft cites the portion of the 'FreeS/WAN' glossary definition for 'virtual private networks' that states, 'IPSEC [Internet Protocol Security] is not the only technique available for building VPNs, but it is the only method defined by RFCs [Request for Comments, Internet documents -- some of which are informative while others are standards] and supported by many vendors. VPNs [virtual private networks] are by no means the only thing you can do with IPSEC, but they may be the most important application for many users.'...Microsoft points out that IPSEC is the only method defined by RFCs and supported by many vendors. Microsoft argues that this narrow language shows that the 'FreeS/WAN' glossary does not identify Secure Sockets Layer ('SSL') or Transport Layer Security ('TLS') as methods for building 'virtual private networks.' Microsoft then argues that VirnetX's proposed construction is overly broad because it allows for a network using SSL and TLS. However, Microsoft's cited excerpt is an ancillary portion of the 'virtual private network' definition and is set apart in a different paragraph from the primary portion of the definition...Also, Microsoft selectively asserts that IPSEC is the only method defined by RFCs and supported by many vendors and ignores that its cited excerpt states that, 'IPSEC is not the only technique available for building VPNs.' Thus, Microsoft's cited excerpt does not support that the 'FreeS/WAN' glossary restricts 'virtual private network' to IPSEC."

If Microsoft could have proved that VirnetX's contribution to VPN architecture was so obvious that it would still be covered by a published glossary definition of the term, then it might have persuaded the jury that no patent should have been issued in the first place. But that assertive defense became problematic (at best) last summer when it was revealed that Microsoft itself attempted to patent the same technology, in an application that was denied by the US Patent Office. The basis of the denial was prior art -- specifically, the pre-existence of patents issued to VirnetX.

As the jury no doubt heard from plaintiff's counsel, if Microsoft didn't know about the existence of VirnetX's patents before, it did when it received its rejection notice. No haggling over glossary definitions could save the case at that point. In a statement, Microsoft continued to assert the invalidity of VirnetX's patents, and will begin the long and arduous process of appealing to overturn the verdict.