Stupid Patent Of The Month: Veripath Patents Following Privacy Laws
from the your-privacy-is-infringing dept
What if we allowed some people to patent the law and then demand money from the rest of us just for following it?
As anyone with a basic understanding of democratic principles can see, that is a terrible idea. In a democracy, elected representatives write laws that apply to everyone, ideally, based on the public interest. We shouldn't let private parties "own" legal principles or use technical jargon to re-cast those principles as "inventions."
But that's exactly what the U.S. Patent Office has allowed two inventors, Nicholas Hall and Steven Eakin, to do. Last September, the government proclaimed that Hall and Eakin are the inventors of "Methods and Systems for User Opt-In to Data Privacy Agreements," U.S. Patent No. 10,075,451.
The owner of this patent, a company called "Veripath," is already filing lawsuits against companies that make privacy compliance software. With Congress and many states actively engaged in debates over consumer privacy laws, Veripath might soon be using this patent to extract licensing cash from U.S. companies as well.
Privacy-For-Functionality isn't an "Invention," it's a Policy Debate
Claim 1 of the '451 patent describes a basic data privacy agreement. An API provides personal information from a software application; then the user is asked for a "required permission" for the use of that information. There's one add-on to the privacy deal: in exchange for the permission, the user gets access to "at least one enhanced function."
The next several claims go on to describe minor variations on this theme. Claim 2 specifies that the "enhanced function" won't be available to other users. Claim 3 describes the enhanced function as being fewer advertisements; Claim 4 describes offering the enhanced function in exchange for a monetary payment.
To say this "method" is well-known is a major understatement. The idea of exchanging privacy for enhanced functionality or better service is so widespread that it has been codified in law. For example, last year's California Consumer Privacy Act (CCPA) specifically allows a business to offer "incentives" to a user to collect and sell their data. That includes "financial incentives," or "a different price, rate, level, or quality of goods or services." The fact that state legislators were familiar enough with these concepts to write them into law is a sign of just how ubiquitous and uninventive they are. This is not technology this is policy.
(An important aside: EFF strongly opposes pay-for-privacy, and is working to remove it from the CCPA. Pay-for-privacy undermines the law's non-discrimination provisions, and more broadly, creates a world of privacy "haves" and "have-nots." We've long sought this change to the CCPA.)
Follow the Law, Infringe this Patent
Veripath has already sued two companies that help website owners comply with Europe's General Data Protection Regulation, or GDPR, saying they infringe its patent. Netherlands-based Faktor was sued [PDF] on Feb. 15, and France-based Didomi was sued [PDF] on Feb. 22
Some background: Venpath, Inc., a company with a New York address that appears to be a virtual office, assigned the rights in the '451 patent to VeriPath just days before the patent issued in September last year. As it happens, the FTC began enforcement proceedings against VenPath last September. The FTC's complaint [PDF] alleged that VenPath's website represented that "VenPath participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework." The FTC alleged a count of "privacy misrepresentation." It claimed that VenPath "did not complete the steps necessary to renew its participation in the EU-U.S. Privacy Shield framework after that certification expired in October 2017." The FTC issued a Decision and Order [PDF] requiring VenPath to remove the misrepresentations.
An exhibit [PDF] attached to the complaint shows that one of the named inventors on the patent, Nick Hall, contacted Faktor to ask what its prices were. Hall identified himself as the CEO of VenPath. Once Faktor responded, Veripath sued Faktor in federal court in New York.
In its lawsuits, Veripath claims that basic warnings about cookies on websites, a now-common method of complying with the GDPR, violate its patent. The lawsuit against Faktor notes that Faktor's own website "might not work properly" unless a user consents to having her browser accept cookies.
Veripath and its legal team argue that this simple deal—accepting cookie use, in order to visit websites—is enough to infringe the patent. They also claim that Faktor's Privacy Manager software infringes at least Claim 1 of the patent, and facilitates infringement by others.
The '451 patent should never have been granted. In our view, its claims are clearly ineligible for patent protection under Alice v. CLS Bank. In Alice, the Supreme Court held that an abstract idea (like privacy-for-functionality) doesn't become eligible for a patent simply because it is implemented using generic technology. Courts have struck down similar claims, like a patent on the idea of conditioning access to content on viewing ads.
Even when a patent is invalid, defendants face pressure to settle. Patent litigation is expensive and it can cost tens or hundreds of thousands of dollars just to get through the early stages. To really protect innovation we have to ensure that patents like the '451 patent are never issued in the first place. The fact that this patent was granted shows the Patent Office is failing to apply the law.
We are currently urging the public to tell the Patent Office to stop issuing abstract software patents. You can use our Action Center to submit comments.
Republished from the EFF's Stupid Patent of the Month series.
Filed Under: compliance, gdpr, patents, privacy, stupid patent of the month, stupid patents
Companies: venpath, veripath