
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
    <channel>
        <title><![CDATA[ The Cloudflare Blog ]]></title>
        <description><![CDATA[ Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet. ]]></description>
        <link>https://blog.cloudflare.com</link>
        <atom:link href="https://blog.cloudflare.com/" rel="self" type="application/rss+xml"/>
        <language>en-us</language>
        <image>
            <url>https://blog.cloudflare.com/favicon.png</url>
            <title>The Cloudflare Blog</title>
            <link>https://blog.cloudflare.com</link>
        </image>
        <lastBuildDate>Sat, 11 Apr 2026 08:48:19 GMT</lastBuildDate>
        <item>
            <title><![CDATA[Project Jengo Redux: Cloudflare’s Prior Art Search Bounty Returns]]></title>
            <link>https://blog.cloudflare.com/project-jengo-redux-cloudflares-prior-art-search-bounty-returns/</link>
            <pubDate>Mon, 26 Apr 2021 13:00:00 GMT</pubDate>
            <description><![CDATA[ On March 15th, 2021, Cloudflare was sued by a patent troll called Sable Networks. Today, we are launching our efforts to fight back.  ]]></description>
            <content:encoded><![CDATA[ <p></p><p>Here we go again.</p><p>On March 15, Cloudflare was sued by a patent troll called Sable Networks — a company that doesn’t appear to have operated a real business in nearly ten years — relying on patents that don’t come close to the nature of our business or the services we provide. This is the second time we’ve faced a patent troll lawsuit.</p><p>As readers of the blog (or followers of tech press such as <a href="https://www.zdnet.com/article/cloudflare-heres-how-we-defeated-a-law-firm-trolling-us-over-a-1-tech-patent/">ZDNet</a> and <a href="https://techcrunch.com/2017/05/11/trolling-the-patent-trolls/">TechCrunch</a>) will remember, back in 2017 Cloudflare responded aggressively to our first encounter with a patent troll, Blackbird Technologies, making clear we wouldn’t simply go along and agree to a nuisance settlement as part of what we considered <a href="/standing-up-to-a-dangerous-new-breed-of-patent-troll/">an unfair, unjust, and inefficient system</a> that throttled innovation and threatened emerging companies. If you don’t want to read all of our previous blog posts on the issue, you can watch the scathing criticisms of patent trolling provided by <a href="https://www.youtube.com/watch?v=3bxcc3SM_KA">John Oliver</a> or the writers of <a href="https://www.imdb.com/title/tt5915160/">Silicon Valley</a>.</p><p>We committed to fighting back against patent trolls in a way that would turn the normal incentive structure on its head. In addition to defending the case aggressively in the courts, we also founded <a href="/project-jengo/">Project Jengo</a> — a crowdsourced effort to find evidence of prior art to invalidate <i>all</i> of Blackbird’s patents, not only the one asserted against Cloudflare. 
It was a <a href="/the-project-jengo-saga-how-cloudflare-stood-up-to-a-patent-troll-and-won/">great success</a> — we <a href="/winning-the-blackbird-battle/">won the lawsuit</a>, invalidated one of the patent troll’s other patents, and <a href="https://www.cloudflare.com/blackbirdpatents/jengo/">published</a> prior art on 31 of Blackbird’s patents that anyone could use to challenge those patents or to make it easier to defend against overbroad assertion of those patents. And most importantly, Blackbird Technologies went from being one of the most prolific patent trolls in the United States to shrinking its staff and filing many fewer cases.</p><p>We’re going to do it again. And we need your help.</p>
    <div>
      <h2>Turning the Tables — A $100,000 Bounty for Prior Art</h2>
      <a href="#turning-the-tables-a-100-000-bounty-for-prior-art">
        
      </a>
    </div>
    <p>Sable Networks and its lawsuit fit neatly within the same troubling trends we were trying to address the first time we launched Project Jengo. Sable is taking ancient, 20-year-old patents and trying to stretch those patents light years beyond what they were meant to cover. It has already sued over a dozen technology companies, targeting a wide range of different products and services, and extending its claims to a company like Cloudflare suggests it may next try to stretch its claims to people who merely use routers … namely, anyone who uses the Internet.</p><p>We think Sable’s choice to bring these lawsuits on such a tenuous basis should come with some risk related to the underlying merits of its patents and its arguments, so we are sponsoring another prior-art contest seeking submissions to identify prior art for all of Sable’s active patents. We are seeking the help of the Cloudflare community to identify <a href="/project-jengo/#awardsforpriorart:~:text=By%20%E2%80%9Cprior%20art%2C%E2%80%9D">prior art</a> — i.e., evidence that the patented technology was already in use or known before the patent application was filed — that can be used to invalidate Sable’s patents. And we will make it worth your while, by offering $100,000 to be shared by the winners who are successful in finding such prior art.</p><p>Again this time, we are committing $100,000 to be split among entrants who provide what we determine to be the most useful prior-art references that can be used in challenging the validity of Sable’s patents. You can submit prior-art references as long as Sable’s case is pending against us (<i>Sable Networks, Inc. v. Cloudflare, Inc.</i>, No. 6:21-cv-00261-ADA (W.D. 
Tex.)), which means until Sable drops the case fully (and with prejudice — meaning Sable can’t re-file later), there’s a settlement, or the case has been resolved by the court and all appeal rights are exhausted.</p><p>Every three months for two years or until the case ends, whichever comes first, we will select winners from the submissions to date, and give out a portion of the $100,000 as awards. Once the case ends, we will select final winners from all submissions and award the remaining funds. We will also make all relevant submissions available to the public.</p><p>Here are the four Sable patents asserted against us:</p><table><tr><td><p><b>U.S. Patent No.</b></p></td><td><p><b>Title</b></p></td><td><p><b>Earliest Potential Priority Date</b></p></td></tr><tr><td><p><a href="http://web.archive.org/web/20210602231457/https://patents.google.com/patent/US6954431B2/">6,954,431</a></p></td><td><p>Micro-flow management</p></td><td><p>Apr. 19, 2000</p></td></tr><tr><td><p><a href="http://web.archive.org/web/20210602231457/https://patents.google.com/patent/US6977932B1/">6,977,932</a></p></td><td><p>System and method for network tunnelling utilizing micro-flow state information</p></td><td><p>Jan. 16, 2002</p></td></tr><tr><td><p><a href="http://web.archive.org/web/20210602231457/https://patents.google.com/patent/US7012919B1">7,012,919</a></p></td><td><p>Micro-flow label switching</p></td><td><p>Apr. 19, 2000</p></td></tr><tr><td><p><a href="http://web.archive.org/web/20210602231457/https://patents.google.com/patent/US8243593B2/">8,243,593</a></p></td><td><p>Mechanism for identifying and penalizing misbehaving flows in a network</p></td><td><p>Dec. 22, 2004</p></td></tr></table><p>And here are the six remaining Sable patents:</p><table><tr><td><p><b>U.S. 
Patent No.</b></p></td><td><p><b>Title</b></p></td><td><p><b>Earliest Potential Priority Date</b></p></td></tr><tr><td><p><a href="http://web.archive.org/web/20210602231457/https://patents.google.com/patent/US6854117B1/">6,854,117</a></p></td><td><p>Parallel network processor array</p></td><td><p>Oct. 31, 2000</p></td></tr><tr><td><p><a href="http://web.archive.org/web/20210602231457/https://patents.google.com/patent/US7428209B1/">7,428,209</a></p></td><td><p>Network failure recovery mechanism</p></td><td><p>June 12, 2001</p></td></tr><tr><td><p><a href="http://web.archive.org/web/20210602231457/https://patents.google.com/patent/US7630358B1/">7,630,358</a></p></td><td><p>Mechanism for implementing multiple logical routers within a single physical router</p></td><td><p>July 9, 2001</p></td></tr><tr><td><p><a href="http://web.archive.org/web/20210602231457/https://patents.google.com/patent/US8085775B1/">8,085,775</a></p></td><td><p>Identifying flows based on behavior characteristics and applying user-defined actions</p></td><td><p>July 31, 2006</p></td></tr><tr><td><p><a href="http://web.archive.org/web/20210602231457/https://patents.google.com/patent/US8817790B2/">8,817,790</a></p></td><td><p>Identifying flows based on behavior characteristics and applying user-defined actions</p></td><td><p>July 31, 2006</p></td></tr><tr><td><p><a href="http://web.archive.org/web/20210602231457/https://patents.google.com/patent/US9774501B2/">9,774,501</a></p></td><td><p>System and method for ensuring subscriber fairness using outlier detection</p></td><td><p>May 14, 2012</p></td></tr></table><p>In addition to helping with our case, we hope that making prior art public on all of Sable’s patents will provide a head start and decrease the costs for others who want to fight back against Sable’s patent trolling. 
The significant decrease we saw in Blackbird’s staff and filings after publishing prior art on Blackbird’s patents suggests this approach can be an effective way to undermine the threat posed by those patents.</p><p><a href="https://www.cloudflare.com/jengo/sable-prior-art-search/"><img src="http://staging.blog.mrk.cfdata.org/content/images/2021/04/image2-29.png" /></a></p><p>Last time, we received 275 submissions from 155 different people on 49 of the Blackbird patents. In the end, we made payments to 18 participants. We were heartened by how many members of the Cloudflare community not only participated in this effort, but expressed great gusto and appreciation for the opportunity to be involved:</p><blockquote><p>Over the years I've been disappointed and angered by a number of patent cases where I feel that the patent system has been abused by so-called ‘patent trolls’ in order to stifle innovation and profit from litigation. With Jengo in particular, I was a fan of what Cloudflare had done previously with Universal SSL. When the opportunity arose to potentially make a difference with a real patent troll case, I was happy to try and help.— Adam, Security Engineer</p></blockquote><blockquote><p>I'm pretty excited, I've never won a single thing in my life before. And to do it in service of taking down evil patent trolls? This is one of the best days of my life, no joke. I submitted because software patents are garbage and clearly designed to extort money from productive innovators for vague and obvious claims. Also, I was homeless at the time I submitted and was spending all day at the library anyway.— Garrett, San Francisco</p></blockquote>
    <div>
      <h2>Resurrecting Project Jengo</h2>
      <a href="#resurrecting-project-jengo">
        
      </a>
    </div>
    <p>To understand why we are asking again for your help fighting back, it’s worth taking a closer look at this case and the fundamental problems it represents.</p>
    <div>
      <h3>Sable Networks and the “case” against Cloudflare</h3>
      <a href="#sable-networks-and-the-case-against-cloudflare">
        
      </a>
    </div>
    <p>The patents at issue in this case started with Caspian Networks, a company that tried to commercialize what it called a “flow-based router” in the early 2000s. Caspian was originally founded as Packetcom in 1998, and revealed to the public its <a href="https://www.eetimes.com/caspian-moves-apeiro-router-to-full-availability/?print=yes">flow-based router named Apeiro</a> in 2003. A <a href="https://www.lightwaveonline.com/network-design/packet-transport/article/16649294/caspians-flowbased-router">press story from that time</a> explained that Apeiro routers worked like traditional routers already in existence, but with additional memory and logic for handling packets from the same “flow.” A 2003 <a href="https://mpls.jp/2003/presentations/QoS_1.pdf">slide deck from Caspian</a> distinguished its “flow-based” router from the already existing conventional routers in the following way:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5X1pfrOcKZTjsuI9b72Vrq/20551ecb311bdebf8beb701ae6153704/image1-35.png" />
            
            </figure><p>Despite its attempts to tout the benefits of its router, Caspian <a href="https://www.lightreading.com/ethernet-ip/routers/caspian-closes-its-doors/d/d-id/632170">went out of business in 2006</a>.</p><p>That’s when Sable Networks, the company that is suing Cloudflare, enters the picture. Though it doesn’t appear to be much of an entrance. As best we can tell, Sable briefly picked up where Caspian left off and tried to commercialize Caspian’s flow-based routing technology. Sable was equally unsuccessful in doing so, and the last <a href="http://web.archive.org/web/20150803071154/http://www.sablenetworks.com/index.php/en/support">activity</a> of any sort that we could find was from 2011. After a long period of apparent inactivity, Sable’s focus shifted last year to trying to extract money by filing lawsuits through broad application of patents filed on Caspian’s flow-based router technology twenty years ago. In other words, Sable became a patent troll.</p><p>In the first round of litigation, Sable filed, and later promptly settled, eight lawsuits asserting infringement of Sable’s router patents. The defendants in those cases (including Cisco and Juniper Networks) provide a range of Internet services, but they all at least manufacture and sell network equipment.</p><p>Interestingly, all of those cases were settled just before Sable would have had to do two things that would have actually put its legal claims to the test: (1) respond to an administrative proceeding before the US Patent &amp; Trademark Office (“USPTO”) challenging the validity of its patents; and (2) attend a hearing before the district court where the judge would have determined the proper interpretation and scope of the patent claims. 
So Sable filed cookie-cutter cases against eight defendants, waited for the defendants to respond, then settled the cases before meaningfully litigating its claims or facing a binding court or administrative ruling, which may have addressed, or likely undermined, Sable’s overly-broad assertion of those patents.</p><p>Shortly after settling the original eight cases earlier this year, Sable turned around and filed six new lawsuits against a new batch of technology companies, this time including Cloudflare. Unlike the earlier named defendants, Cloudflare is not in the business of making or selling routers or switches. Sable’s infringement claim therefore is not a close one, and now it’s picked a defendant that is eager to fight back.</p><p>This case is a good illustration of how patent trolls operate. All four patents asserted by Sable against Cloudflare were filed between 2000 and 2004, when dial-up Internet access was still common, and are based on Caspian’s “flow-based routing” technology, which is nothing like the technology Cloudflare’s products and services employ. To take one example, one of the patents Sable asserts is U.S. Patent No. 6,954,431, entitled “Micro-Flow Management.” This patent is from April 19, 2000 — almost exactly 21 years ago. Just like Caspian’s Apeiro routers from 2003, the ’431 patent discloses a router that puts a label on the packets for a given flow, and forwards all the packets in that same flow based on the label:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3SL6HsDEcat0wkSiw8iZjc/8276c3e34458f382b2a5216d3e5d7c96/image3-22.png" />
            
            </figure><p>’431 Patent, Fig. 3A</p><p>It claims to teach a “[n]ew switching technology [that] relies upon state information for providing a previously unavailable degree of quality of service” — presumably, Caspian’s flow-based routing technology featured in its 2003 Apeiro, which the market rejected over a decade ago.</p><p>Sable is now trying to stretch the patents way beyond what they were ever meant to cover. Many of Sable’s infringement claims appear to extend to basic routing and switching functionality known long before any alleged invention date. For the ’431 patent, Sable’s interpretation of the patent appears to stretch the scope so broadly as to cover any kind of packet processing, possibly even the “conventional routers” from the 2000s that routed each packet independently.</p><p>Having made this leap, Sable has demonstrated an intent to apply its patents far afield. It’s now a small step for Sable to assert claims against any person or business using a firewall or even a router. On the basis of its logic, any person using a WiFi router in their home may be in Sable’s cross-hairs. And Sable has already claimed that its patents cover firewalls — including firewall software and firewall devices. Again, its wildly broad interpretation threatens not just large companies; anyone trying to protect their networks from outside threats is potentially at risk.</p><p>If you think you or your small business are safe because you haven’t really done anything wrong, and no court would ever hold you liable, then you haven’t been paying attention to the current state of patent litigation where small businesses are <a href="https://www.nbcconnecticut.com/investigations/patent-trolls-target-local-business/2027039/">sued for using copy machines</a>. Without some of us fighting back, the incentives for patent trolls won’t change.</p>
    <div>
      <h3>A broken incentive structure….still broken</h3>
      <a href="#a-broken-incentive-structure-still-broken">
        
      </a>
    </div>
    <p>Patent trolls like Sable proliferate because of a distorted incentive structure fuelled by the astronomical costs associated with defending against even bogus patent claims. According to the <a href="https://www.aipla.org/detail/journal-issue/2019-report-of-the-economic-survey">2019 Report of the Economic Survey</a> by the American Intellectual Property Law Association, the median litigation cost for defending claims of patent infringement brought by a non-practicing entity through trial and appeal was a staggering $4,500,000 for big cases (i.e., cases with more than $25 million at risk). Even for small cases that had less than $1 million at stake, the median defense cost was $750,000.</p><p>Knowing that most defendants will settle at a percentage of their expected litigation costs long before infringement claims see the inside of a courtroom, patent trolls see only upside from each additional lawsuit they file. Their business model is built around filing as many lawsuits as possible regardless of the strength of their legal claims, because they know most defendants will pay to settle before the merits of their case are put to the test. They therefore take vague technology patents issued years ago and apply them as broadly as imaginable to new technologies and new companies. Most of these trolls are non-practicing entities who don’t have their own products in the marketplace but merely exist to extract a tax on other companies.</p><p>After declining in numbers for a few years, patent lawsuits were <a href="https://www.law.com/therecorder/2021/01/04/patent-litigation-got-on-the-comeback-trail-in-2020/">up last year about 12% over 2019</a>, and increased activity by non-practicing entities buying patents suggested <a href="https://news.bloomberglaw.com/ip-law/patent-lawsuits-on-rise-buying-spree-hints-more-to-come">even further growth among such lawsuits</a> in the future. 
The Electronic Frontier Foundation <a href="https://www.eff.org/deeplinks/2020/12/fighting-abusive-patent-litigation-during-year-health-crisis">observed similar increases</a> in patent troll filings in 2020, highlighted a case where one patent troll decided that the middle of a pandemic was a good time to sue a company that makes COVID-19 tests, and noted that “some patent owners actually saw the rise of the COVID-19 health emergency as a business opportunity.” This trend is showing no signs of slowing down — according to a recent report, there was a <a href="https://www.law360.com/articles/1375143">43.3% increase in patent litigation in Q1 of 2021</a> compared to the same period a year ago, and non-practicing entities had their busiest Q1 since 2015, fuelled by the litigation finance industry that is flush with capital.</p><p>To reaffirm what we’ve always said: Cloudflare is a strong supporter of the patent system. The 160+ patents we’ve been issued to date give us the ability to run our business with confidence by marketing and providing our services around the world, innovating on our existing products, and developing new products. But patent trolls live in a world where they allege fictional potential uses of their patents without having to make the investment to hire and pay employees or identify and satisfy the demands of the marketplace. Project Jengo is intended to address this distorted incentive structure by imposing real costs on the filing of meritless patent lawsuits. With your help, we can again send the message that by filing the wrong case, patent trolls risk losing not just a single lawsuit but a lot more.</p><p>We hope you’re all rested and ready to begin again the hunt for prior art!</p> ]]></content:encoded>
            <category><![CDATA[Jengo]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Patents]]></category>
            <category><![CDATA[Sable]]></category>
            <category><![CDATA[Blackbird]]></category>
            <guid isPermaLink="false">3fnPuWn7i9BKovJrbUwxzd</guid>
            <dc:creator>Doug Kramer</dc:creator>
        </item>
        <item>
            <title><![CDATA[Cloudflare’s Response to CSAM Online]]></title>
            <link>https://blog.cloudflare.com/cloudflares-response-to-csam-online/</link>
            <pubDate>Fri, 06 Dec 2019 14:06:00 GMT</pubDate>
            <description><![CDATA[ Responding to incidents of child sexual abuse material (CSAM) online has been a priority at Cloudflare from the beginning. The stories of CSAM victims are tragic, and bring to light an appalling corner of the Internet.  ]]></description>
            <content:encoded><![CDATA[ <p>Responding to incidents of child sexual abuse material (CSAM) online has been a priority at Cloudflare from the beginning. The stories of CSAM victims are tragic, and bring to light an appalling corner of the Internet. When it comes to CSAM, our position is simple: We don’t tolerate it. We abhor it. It’s a crime, and we do what we can to support the processes to identify and remove that content.</p><p>In 2010, within months of Cloudflare’s launch, we connected with the <a href="http://www.missingkids.com/">National Center for Missing and Exploited Children</a> (NCMEC) and started a collaborative process to understand our role and how we could cooperate with them. Over the years, we have been in regular communication with a number of government and advocacy groups to determine what Cloudflare should and can do to respond to reports about CSAM that we receive through our abuse process, or how we can provide information supporting investigations of websites using Cloudflare’s services.</p><p>Recently, <a href="https://twitter.com/mhkeller/status/1196818679683530752">36 tech companies</a>, including Cloudflare, received <a href="https://storage.googleapis.com/blog-cloudflare-com-assets/2019/12/senatorletter.pdf">this letter</a> from a group of U.S. Senators asking for more information about how we handle CSAM content. The Senators referred to influential New York Times stories published in late September and early November that conveyed the disturbing number of images of child sexual abuse on the Internet, with graphic detail about the horrific photos and how the recirculation of imagery retraumatizes the victims. 
The stories focused on shortcomings and challenges in bringing violators to justice, as well as efforts, or lack thereof, by a group of tech companies including Amazon, Facebook, Google, Microsoft, and Dropbox, to eradicate as much of this material as possible through existing processes or new tools like PhotoDNA that could proactively identify CSAM material.  </p><p>We think it is important to share our response to the Senators (copied at the end of this blog post), talk publicly about what we’ve done in this space, and address what else we believe can be done.</p>
    <div>
      <h2>How Cloudflare Responds to CSAM</h2>
      <a href="#how-cloudflare-responds-to-csam">
        
      </a>
    </div>
    <p>From our work with NCMEC, we know that they are focused on doing everything they can to validate the legitimacy of CSAM reports and then work as quickly as possible to have website operators, platform moderators, or website hosts remove that content from the Internet. Even though Cloudflare is not in a position to remove content from the Internet for users of our core services, we have worked continually over the years to understand the best ways we can contribute to these efforts.</p>
    <div>
      <h3>Addressing Reports</h3>
      <a href="#addressing-reports">
        
      </a>
    </div>
    <p>The first prong of Cloudflare’s response to CSAM is proper reporting of any allegation we receive. Every report we receive about content on a website using Cloudflare’s services filed under the “child pornography” category on our <a href="https://www.cloudflare.com/abuse/">abuse report page</a> leads to three actions:</p><ol><li><p>We forward the report to NCMEC. In addition to the content of the report made to Cloudflare, we provide NCMEC with information identifying the hosting provider of the website, contact information for that hosting provider, and the origin IP address where the content at issue can be located.</p></li><li><p>We forward the report to both the website operator and hosting provider so they can take steps to remove the content, and we provide the origin IP of where the content is located on the system so they can locate the content quickly. (Since 2017, we have given reporting parties the opportunity to file an anonymous report if they would prefer that either the host or the website operator not be informed of their identity).</p></li><li><p>We provide anyone who makes a report information about the identity of the hosting provider and contact information for the hosting provider in case they want to follow up directly.</p></li></ol><p>Since our founding, Cloudflare has forwarded 5,208 reports to NCMEC. Over the last three years, we have provided 1,111 reports in 2019 (to date), 1,417 in 2018, and 627 in 2017.  </p><p>Reports filed under the “child pornography” category account for about 0.2% of the abuse complaints Cloudflare receives. These reports are treated as the highest priority for our Trust &amp; Safety team and they are moved to the front of the abuse response queue. We are generally able to respond by filing the report with NCMEC and providing the additional information within a matter of minutes regardless of time of day or day of the week.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5gldDA1mBLXQkHbABJIv9e/71dbbefd701e70d89f2a98630ee47f6d/form-fill-report_2x.png" />
            
            </figure>
    <div>
      <h3>Requests for Information</h3>
      <a href="#requests-for-information">
        
      </a>
    </div>
    <p>The second main prong of our response to CSAM is operation of our “trusted reporter” program to provide relevant information to support the investigations of nearly 60 child safety organizations around the world. The “trusted reporter” program was established in response to our ongoing work with these organizations and their requests for both information about the hosting provider of the websites at issue as well as information about the origin IP address of the content at issue. Origin IP information, which is generally sensitive security information because it would allow hackers to circumvent certain security protections for a website, like DDoS protections, is provided to these organizations through dedicated channels on an expedited basis.</p><p>Like NCMEC, these organizations are responsible for investigating reports of CSAM on websites or hosting providers operated out of their local jurisdictions, and they seek the resources to identify and contact those parties as quickly as possible to have them remove the content. Participants in the “trusted reporter” program include groups like the <a href="https://www.iwf.org.uk/">Internet Watch Foundation</a> (IWF), the <a href="https://www.inhope.org/">INHOPE Association</a>, the <a href="https://www.esafety.gov.au/">Australian eSafety Commission</a>, and <a href="https://www.meldpunt-kinderporno.nl/">Meldpunt</a>. Over the past five years, we have responded to more than 13,000 IWF requests, and more than 5,000 requests from Meldpunt. We respond to such requests on the same day, and usually within a couple of hours. In a similar way, Cloudflare also receives and responds to law enforcement requests for information as part of investigations related to CSAM or exploitation of a minor.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7waacDQO5qvlvRoG95aGeP/5460dea950b94dfde9ebab57e74f5f50/trusted-reporter_2x.png" />
            
            </figure><p>Among this group, the Canadian Centre for Child Protection has been engaged in a unique effort that is worthy of specific mention. The Centre’s <a href="https://www.cybertip.ca/app/en/">Cybertip</a> program operates their Project Arachnid initiative, a novel approach that employs an automated web crawler that proactively searches the Internet to identify images that match a known CSAM hash, and then alerts hosting providers when there is a match. Based on our ongoing work with Project Arachnid, we have responded to more than 86,000 reports by providing information about the hosting provider and the origin IP address, which we understand they use to contact that hosting provider directly with that report and any subsequent reports.</p><p>Although we typically process these reports within a matter of hours, we’ve heard from participants in our “trusted reporter” program that the non-instantaneous response from us causes friction in their systems. They want to be able to query our systems directly to get the hosting provider and origin IP information, or better, be able to build extensions on their automated systems that could interface with the data in our systems to remove any delay whatsoever. This is particularly relevant for folks in the Canadian Centre’s Project Arachnid, who want to make our information a part of their automated system. After scoping out this solution for a while, we’re now confident that we have a way forward and informed some trusted reporters in November that we will be making available an API that will allow them to obtain instantaneous information in response to their requests pursuant to their investigations. We expect this functionality to be online in the first quarter of 2020.</p>
    <div>
      <h3>Termination of Services</h3>
      <a href="#termination-of-services">
        
      </a>
    </div>
    <p>Cloudflare takes steps in appropriate circumstances to terminate its services from a site when it becomes clear that the site is dedicated to sharing CSAM or if the operators of the website and its host fail to take appropriate steps to take down CSAM content. In most circumstances, CSAM reports involve individual images that are posted on user generated content sites and are removed quickly by responsible website operators or hosting providers. In other circumstances, when operators or hosts fail to take action, Cloudflare is unable on its own to delete or remove the content but will take steps to terminate services to the  website.  We follow up on reports from NCMEC or other organizations when they report to us that they have completed their initial investigation and confirmed the legitimacy of the complaint, but have not been able to have the website operator or host take down the content. We also work with Interpol to identify and discontinue services from such sites they have determined have not taken steps to address CSAM.</p><p>Based upon these determinations and interactions, we have terminated service to 5,428 domains over the past 8 years.</p><p>In addition, Cloudflare has introduced new products where we do serve as the host of content, and we would be in a position to remove content from the Internet, including Cloudflare Stream and Cloudflare Workers.  Although these products have limited adoption to date, we expect their utilization will increase significantly over the next few years. Therefore, we will be conducting scans of the content that we host for users of these products using PhotoDNA (or similar tools) that make use of NCMEC’s image hash list. If flagged, we will remove that content immediately. We are working on that functionality now, and expect it will be in place in the first half of 2020.</p>
    <div>
      <h2>Part of an Organized Approach to Addressing CSAM</h2>
      <a href="#part-of-an-organized-approach-to-addressing-csam">
        
      </a>
    </div>
    <p>Cloudflare’s approach to addressing CSAM operates within a comprehensive legal and policy backdrop. Congress and the law enforcement and child protection communities have long collaborated on how best to combat the exploitation of children. Recognizing the importance of combating the online spread of CSAM, NCMEC first created the <a href="http://www.missingkids.org/gethelpnow/cybertipline">CyberTipline</a> in 1998, to provide a centralized reporting system for members of the public and online providers to report the exploitation of children online.</p><p>In 2006, Congress conducted a year-long <a href="https://www.govinfo.gov/content/pkg/CPRT-109HPRT31737/html/CPRT-109HPRT31737.htm">investigation</a> and then passed a number of laws to address the sexual abuse of children. Those laws attempted to calibrate the various interests at stake and coordinate the ways various parties should respond. The policy balance Congress struck on addressing CSAM on the Internet had a number of elements for online service providers.</p><p>First, Congress formalized NCMEC’s role as the central clearinghouse for reporting and investigation, through the CyberTipline. The law adds a <a href="https://uscode.house.gov/view.xhtml?req=18+USC+2258A&amp;f=treesort&amp;fq=true&amp;num=3&amp;hl=true&amp;edition=prelim&amp;granuleId=USC-prelim-title18-section2258A">requirement</a>, backed up by fines, for online providers to report any reports of CSAM to NCMEC. The law specifically notes that to preserve privacy, they were not creating a requirement to monitor content or affirmatively search or screen content to identify possible reports.</p><p>Second, Congress responded to the many stories of child victims who emphasized the continuous harm done by the transmission of imagery of their abuse. 
As described by <a href="http://www.missingkids.com/theissues/sexualabuseimagery">NCMEC</a>, “not only do these images and videos document victims’ exploitation and abuse, but when these files are shared across the internet, child victims suffer re-victimization each time the image of their sexual abuse is viewed” even when viewed for ostensibly legitimate investigative purposes. To help address this concern, the law <a href="https://uscode.house.gov/view.xhtml?hl=false&amp;edition=prelim&amp;path=&amp;req=granuleid%3AUSC-prelim-title18-section2258B&amp;f=treesort&amp;fq=true&amp;num=0&amp;saved=%7CMTggVVNDIDIyNThB%7CdHJlZXNvcnQ%3D%7CdHJ1ZQ%3D%3D%7C3%7Ctrue%7Cprelim">directs</a> providers to minimize the number of employees provided access to any visual depiction of child sexual abuse.  </p><p>Finally, to ensure that child safety and law enforcement organizations had the records necessary to conduct an investigation, the law <a href="https://uscode.house.gov/view.xhtml?hl=false&amp;edition=prelim&amp;path=&amp;req=granuleid%3AUSC-prelim-title18-section2258A&amp;f=treesort&amp;fq=true&amp;num=0&amp;saved=%7CMTggVVNDIDIyNThB%7CdHJlZXNvcnQ%3D%7CdHJ1ZQ%3D%3D%7C3%7Ctrue%7Cprelim">directs</a> providers to preserve not only the report to NCMEC, but also “any visual depictions, data, or other digital files that are reasonably accessible and may provide context or additional information about the reported material or person” for a period of 90 days.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3NhDSyBzr2XtU8bm1NSCuL/8dd8e1d02dd9d3c3f04ebf088d25676e/stats-_2x.png" />
            
            </figure><p>Because Cloudflare’s services are used so extensively—by more than 20 million Internet properties, and based on <a href="https://w3techs.com/technologies/history_overview/proxy/all/q">data from W3Techs</a>, more than 10% of the world’s top 10 million websites—we have worked hard to understand these policy principles in order to respond appropriately in a broad variety of circumstances. The processes described in this blogpost were designed to make sure that we comply with these principles, as completely and quickly as possible, and take other steps to support the system’s underlying goals.</p>
    <div>
      <h2>Conclusion</h2>
      <a href="#conclusion">
        
      </a>
    </div>
    <p>We are under no illusion that our work in this space is done. We will continue to work with groups that are dedicated to fighting this abhorrent crime and provide tools to more quickly get them information to take CSAM content down and investigate the criminals who create and distribute it.</p><p><a href="https://storage.googleapis.com/blog-cloudflare-com-assets/2019/12/cloudflareresponse.pdf"><b>Cloudflare's Senate Response (PDF)</b></a></p> ]]></content:encoded>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Community]]></category>
            <category><![CDATA[Trust & Safety]]></category>
            <guid isPermaLink="false">5Not63XGszOE0baXeqaEzN</guid>
            <dc:creator>Doug Kramer</dc:creator>
            <dc:creator>Justin Paine</dc:creator>
        </item>
        <item>
            <title><![CDATA[Winning the Blackbird Battle]]></title>
            <link>https://blog.cloudflare.com/winning-the-blackbird-battle/</link>
            <pubDate>Thu, 14 Feb 2019 18:03:18 GMT</pubDate>
            <description><![CDATA[ We’re happy to report that on Wednesday, the U.S. Court of Appeals for the Federal Circuit issued an opinion affirming a lower court decision dismissing the case brought by Blackbird Tech. This is the last step in the process, we’ve won. ]]></description>
            <content:encoded><![CDATA[ <p></p><p><a href="http://www.cafc.uscourts.gov/the-court/gallery">US Court of Appeals for the Federal Circuit</a></p><p>Frequent readers of the Cloudflare blog are aware of the efforts we’ve undertaken in response to <a href="/standing-up-to-a-dangerous-new-breed-of-patent-troll/">our first encounter with a patent troll</a>. We’re happy to report that on Wednesday, the U.S. Court of Appeals for the Federal Circuit issued an opinion affirming a lower court decision dismissing the case brought by Blackbird Tech. This is the last step in the process<sup> </sup><a href="#footnote"><sup>1</sup></a>, we’ve won.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/31glHBjPL1I8fwcfeTyILu/f3870f271b0b5bf1ba470cbe6c743c6f/IdioticFarflungBluebottle-size_restricted.gif" />
            
            </figure><p>In addition to vigorously opposing this case in court, we created and sponsored <a href="/project-jengo/">Project Jengo</a> to push back against the incentives that empower patent trolls like Blackbird Tech. Now that the case is over, we will be wrapping up Project Jengo and will report back with a summary of the Project’s successes in the near future.</p><p>But before we move on from the litigation, I want to share a few reflections on this case.</p><p>We <a href="/standing-up-to-a-dangerous-new-breed-of-patent-troll/">noted</a> from the very beginning: “The infringement claim is not a close one … if the ‘335 patent is read broadly enough to cover our system (which shouldn’t happen), it would also cover any system where electronic communications are examined and redacted or modified.”</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/VxzlJiQJ05CaO4bldOn0b/a2170811de4f495a77dedef3298f34c6/Troll-Hunter.png" />
            
            </figure><p>Our initial observation, which we thought was obvious, was borne out. And we were able to prevail on our arguments as swiftly and cleanly as is possible in the federal court system. The U.S. District Court resolved the case on a motion to dismiss, meaning the court didn’t even consider the factual circumstances of the case, but looked at the face of the complaint and the language of the patent itself and determined that the claims in the patent were too vague to allow anyone to enforce it. It was so obvious to the court that Judge Chhabria’s decision was little more than a single page. You can read our discussion of the lower court decision in a <a href="/bye-bye-blackbird/">previous blog</a>.</p><p>Yet Blackbird appealed that dismissal to the U.S. Court of Appeals for the Federal Circuit, a specialized court based in Washington, DC that hears appeals of all patent cases. A panel of three judges from that court heard arguments on the appeal last Friday, but didn’t ask our attorney a single question about the substance of our argument on the abstractness of the patent. He sat down with almost half of his 15 minutes of argument time left because there was nothing more to say. Yesterday, just three business days after that hearing, the court affirmed the lower court’s decision in summary fashion, which means they didn’t even write about the claims or arguments, they just said “Affirmed” (see below).</p><p>If it were a boxing match, it would have been called by the referee in the first minute of the first round after three knockdowns. It was easy and painless, right?</p><p>Not at all.</p><p>Blackbird filed this case on March 16, 2017. For nearly two years, anyone doing due diligence on Cloudflare might have had questions about whether there was a cloud over our rights to our technology. And we had to go through a lot of briefing, and the related legal expenses, to get to this point.
Blackbird’s combined legal filings at the district court and appellate court amounted to more than 650 pages; our responsive briefs were more than 900 pages.</p><p>The two courts spent less than two pages describing a result that was obvious to them, but it took us two years of uncertainty and cost to get there. Federal court litigation doesn’t make anything easy. Even if Blackbird had won the case, it is not clear they would have been able to collect significant damages. Our allegedly infringing use was not a product or feature that we charged for or made money from – it was essentially posting interstitial messages for various errors. Even though we were able to win this case early in the legal process and keep our costs as low as possible, it’s possible we spent more money resolving this matter than Blackbird would have been able to collect from us after trial.</p><p>This is the dysfunction that makes patent trolling possible. It is why the option for a quick settlement, in the short term, is always so appealing to parties sued by patent trolls. It’s why we exerted efforts on <a href="/project-jengo-celebrates-one-year-anniversary/">Project Jengo</a> to try and change the long-term calculus and help out others in the community who may soon find themselves in a similar predicament.</p><p>A final note…</p><p>Anthony Garza and Steven Callahan of Charhon Callahan Robson &amp; Garza, a litigation boutique in Dallas, are great lawyers. They provided exceptional counseling, perfect legal work, and strong arguments at every step of this process. In every hearing, I was extremely happy that Anthony was the lawyer on our side -- he demonstrated complete control of both the relevant legal authorities and the intricate details of the patent and its various claims. He had the advantage of being right, but he never left any doubt who was making the better argument. My thanks for their hard work and guidance.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/107JsepKGm9JyIIa2MQLov/8c14b05a22b24e06ec41f8ca5c82fb9e/Judgment-Page-1-1.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1ZvzL8cWpQrxu3cXtAhIsf/21313703dedb88e6f094d5748394de9f/Judgment-Page-2-1.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6wVEyUMNWlw376uKxx4iXV/028efb99539d3f4621b73d889f1c0eff/Judgment-Page-3-1.png" />
            
            </figure><h6>Footnote</h6><p><i>[1] Yes, I am aware that Blackbird could seek discretionary review of this decision at the U.S. Supreme Court. But the Supreme Court accepts less than 5% of the cases presented to it, so there isn’t even a request to that court in most cases unless the case is particularly significant or reflects a disagreement among federal courts. I don’t reasonably expect they would take this case.</i></p> ]]></content:encoded>
            <category><![CDATA[Jengo]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Patents]]></category>
            <guid isPermaLink="false">Ni4bDJiyrU8EcERTCJlFY</guid>
            <dc:creator>Doug Kramer</dc:creator>
        </item>
        <item>
            <title><![CDATA[Bye Bye Blackbird]]></title>
            <link>https://blog.cloudflare.com/bye-bye-blackbird/</link>
            <pubDate>Tue, 13 Feb 2018 01:16:33 GMT</pubDate>
            <description><![CDATA[ As we have talked about repeatedly in this blog, we at Cloudflare are not fans of the behavior of patent trolls. They prey upon innovative companies using overly-broad patents in an attempt to bleed settlements out of their targets.  ]]></description>
            <content:encoded><![CDATA[ <p></p><p>Courtesy of <a href="http://www.publicdomainpictures.net/view-image.php?image=215478&amp;picture=blackbird-silhouette">PublicDomainPictures.net</a></p><p>As we have <a href="/project-jengo/">talked</a> about <a href="/patent-troll-battle-update-doubling-down-on-project-jengo/">repeatedly</a> in this <a href="/project-jengo-strikes-its-first-targets-and-looks-for-more/">blog</a>, we at Cloudflare are not fans of the behavior of patent trolls. They prey upon innovative companies using overly-broad patents in an attempt to bleed settlements out of their targets. When we were first sued by a patent troll called Blackbird Technologies last spring, we decided that we weren’t going along with their game by agreeing to a modest settlement in lieu of going through the considerable effort and expense of litigation. We decided to fight.</p><p>We’re happy to report that earlier today, the United States District Court for the Northern District of California dismissed the case that Blackbird brought against Cloudflare. In a two-page order (copied below) Judge Vince Chhabria noted that “[a]bstract ideas are not patentable” and then held that Blackbird’s attempted assertion of the patent “attempts to monopolize the abstract idea of monitoring a preexisting data stream between a server” and is invalid as a matter of law. That means that Blackbird loses no matter what the facts of the case would have been.</p><p>The court’s ruling comes in response to a preliminary motion filed by Cloudflare under Section 101 of the U.S. Patent Act. That section defines what sort of things can be patented. Such motions are generally referred to as “Alice” motions because the U.S. Supreme Court held in a 2014 case (<i>Alice Corp. v. CLS Bank Int’l</i>) that a two-part test could be used to determine patent eligibility based on whether something is more than merely an abstract idea or at least creates an inventive use for an abstract principle.
The Alice test helps to determine whether something is patentable subject matter or an unpatentable fundamental concept. Judge Chhabria found that Blackbird’s ‘335 patent was too abstract to be patentable subject matter.</p><p>Before the court ever even considered Cloudflare’s actions, it found that the supposed innovation reflected in Blackbird’s patent was too abstract to have been protectable in the first place. This means that the case against Cloudflare could not continue, but further, that the patent is completely invalid and Blackbird cannot use it to sue ANYONE in the future.</p><p>All of this only confirms the position we’ve taken from the beginning with regard to the way that Blackbird and other patent trolls operate. Blackbird acquired an absurdly broad patent from an inventor that had apparently never attempted to turn that patent into a business that made products, hired people, or paid taxes. And Blackbird used that patent to harass at least three companies that are in the business of making products and contributing to the economy.</p><p>Blackbird still has a right to appeal the court’s order, and we’ll be ready to respond in case they do. We will also report back soon to review our related efforts under Project Jengo.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1DGDIbDK9tA84aLwlwxccw/d3ef5154f252bc850e7ec332409d6139/Order_Page1.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6Wx3oIWjckUjVIHw5bFiXx/ff82d7ba52def6dc282ab72e8aa8d393/Order_Page2.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4FQMIGLR0mPPO7pYErEVTP/f0afdb4551f6662209a7353c9fc1d3da/giphy.gif" />
            
            </figure><p>via <a href="https://giphy.com/gifs/bye-nsync-byebyebye-PQTalIfdMmcqk">Giphy</a></p> ]]></content:encoded>
            <category><![CDATA[Patents]]></category>
            <category><![CDATA[Jengo]]></category>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Community]]></category>
            <guid isPermaLink="false">33kwaUPWfqOkd099fu0020</guid>
            <dc:creator>Doug Kramer</dc:creator>
        </item>
        <item>
            <title><![CDATA[Ninth Circuit Rules on National Security Letter Gag Orders]]></title>
            <link>https://blog.cloudflare.com/ninth-circuit-rules-on-nsl-gag-orders/</link>
            <pubDate>Tue, 18 Jul 2017 18:39:05 GMT</pubDate>
            <description><![CDATA[ As we’ve previously discussed on this blog, Cloudflare has been challenging for years the constitutionality of the FBI’s use of national security letters (NSLs) to demand user data on a confidential basis. ]]></description>
            <content:encoded><![CDATA[ <p>As we’ve previously <a href="/cloudflares-transparency-report-for-second-half-2016-and-an-additional-disclosure-for-2013-2/">discussed</a> on this blog, Cloudflare has been challenging for years the constitutionality of the FBI’s use of national security letters (NSLs) to demand user data on a confidential basis. On Monday morning, a three-judge panel of the U.S. Ninth Circuit Court of Appeals released <a href="http://cdn.ca9.uscourts.gov/datastore/opinions/2017/07/17/16-16067.pdf">the latest decision</a> in our lawsuit, and endorsed the use of gag orders that severely restrict a company's disclosures related to NSLs.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3RIsi0rFCa2RGTYL3Zo539/9dbf45f94270f459746122aeecc00167/4900491002_e733185dac_b.jpg" />
            
            </figure><p><a href="https://creativecommons.org/licenses/by/2.0/">CC-BY 2.0</a> <a href="https://flic.kr/p/8t3ifb">image</a> by <a href="https://www.flickr.com/photos/aiwells/">a200/a77Wells</a></p><p>This is the latest chapter in a court proceeding that dates back to 2013, when Cloudflare initiated a challenge to the previous form of the NSL statute with the help of our friends at EFF. Our efforts regarding NSLs have already seen considerable success. After a federal district court agreed with some of our arguments, Congress passed a new law that addressed transparency, the USA FREEDOM Act. Under the new law, companies were finally permitted to disclose the number of NSLs they receive in aggregate bands of 250. But there were still other concerns about judicial review or limitation of gag orders that remained.</p><p>Today’s outcome is disappointing for Cloudflare. NSLs are “administrative subpoenas” that fall short of a warrant, and are frequently accompanied by nondisclosure requirements that restrict even bare disclosures regarding the receipt of such letters. Such gag orders hamper transparency efforts, and limit companies’ ability to participate in the political process around surveillance reform.</p>
    <div>
      <h3>What did the Court say?</h3>
      <a href="#what-did-the-court-say">
        
      </a>
    </div>
    <p>In its ruling, the Ninth Circuit upheld NSL gag orders by ruling that the current system does not run afoul of the First Amendment. Currently, the laws governing the issuance of NSLs permit a nondisclosure requirement so long as the requesting official certifies that the lack of a prohibition “may result” in certain types of harm. However, there is no judicial scrutiny of these claims before the gag order goes into full effect. Only once the restriction has already been imposed can a company seek judicial review before a court. Furthermore, the FBI must only reassess the gag order at three years in, or when the investigation has closed.</p><p>Along with our co-petitioner, CREDO Mobile, Cloudflare challenged the NSL gag orders as a “prior restraint” on free speech. In First Amendment law, prior restraints are judicial orders or administrative rules that function to suppress speech before it ever takes place. There is a heavy presumption against the constitutionality of prior restraints, but they can be justified in narrowly defined circumstances or if the restraint follows certain procedural safeguards. In the context of NSLs, we considered those safeguards to be lacking.</p><p>The Appeals Court disagreed: in its ruling, the Court determined that the NSL gag order was indeed a prior restraint subject to “strict” constitutional scrutiny, but that such orders were “narrowly tailored to a compelling state interest” and provided enough procedural safeguards to pass constitutional muster.</p>
    <div>
      <h3>What’s Next?</h3>
      <a href="#whats-next">
        
      </a>
    </div>
    <p>While we are still reviewing the specifics of the court’s decision, Cloudflare will continue to report on NSLs to the extent permitted by law. We will also continue to work with EFF as we weigh how to proceed: the next steps may be to make a request for an en banc appeal to all the members of the 9th Circuit, or petition the U.S. Supreme Court to take up the case.</p><p>Cloudflare’s approach to law enforcement requests will continue to be that while we are supportive of their work, any requests we receive must adhere to due process, and be subject to judicial oversight. When we first decided to challenge the FBI’s request for customer information through a confidential NSL, we were a much smaller company. It was not an easy decision, but we decided to contest a gag order that we felt was overbroad and in violation of our principles. We are grateful to our friends at EFF for taking our case, and applaud the excellent job they have done pushing this effort.</p> ]]></content:encoded>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Privacy]]></category>
            <category><![CDATA[Security]]></category>
            <guid isPermaLink="false">nYraAKQ5eyX2GqzCkUKya</guid>
            <dc:creator>Doug Kramer</dc:creator>
        </item>
        <item>
            <title><![CDATA[Project Jengo: Explaining Challenges to Patent Validity (and a looming threat)]]></title>
            <link>https://blog.cloudflare.com/project-jengo-challenges/</link>
            <pubDate>Fri, 23 Jun 2017 13:00:00 GMT</pubDate>
            <description><![CDATA[ We’ve written a couple times about the problem of patent trolls, and what we are doing in response to the first case a troll filed against Cloudflare. We set a goal to find prior art on all 38 Blackbird Tech patents and applications.  ]]></description>
            <content:encoded><![CDATA[ <p>We’ve written a couple times about <a href="/project-jengo/">the problem of patent trolls</a>, and <a href="/patent-troll-battle-update-doubling-down-on-project-jengo/">what we are doing</a> in response to the first case a troll filed against Cloudflare. We set a goal to find prior art on all 38 Blackbird Tech patents and applications and then obtain a legal determination that Blackbird Tech’s patents are invalid. Such a determination will end Blackbird’s ability to file or threaten to file abusive patent claims, against us or anyone else.</p><p>The patent system exists to reward inventors, so it is no surprise that a patent has to claim something new — an “invention.” Sometimes the United States Patent and Trademark Office (USPTO) — the agency that administers the patent system — mistakenly issues patents that do not claim anything particularly new. The patent examiner may not be aware that the proposed “invention” was already in use in the industry, and the patent applicant (the only party in the process) doesn’t have an incentive to share that information. Often, the USPTO issues patents that are too vague and can later be broadly interpreted by patent owners to cover different and subsequent technologies that could not otherwise have been patented in the first place and couldn’t have been anticipated by the patent examiner.</p>
    <div>
      <h4>Bad patents are bad for innovation, so how do we get rid of them?</h4>
      <a href="#bad-patents-are-bad-for-innovation-so-how-do-we-get-rid-of-them">
        
      </a>
    </div>
    <p>The first step to invalidating the Blackbird Tech patents is to collect prior art on the patents. Prior art can include almost any type of evidence showing that the “invention” described in a patent already existed when the patent was filed. Common types of prior art include earlier-filed patents, journal articles, and commercial products (e.g., computer programs) that predate the challenged patent.</p><p>Prior art can be used to challenge the validity of the patent in several ways. First, we can challenge the validity of the patent asserted against us (<a href="https://www.google.com/patents/US6453335">the ‘335 patent</a>) in the patent infringement case that Blackbird Tech filed against us. We can also challenge any of Blackbird’s patents in proceedings at the USPTO, through either a petition for inter partes review (IPR) or ex parte reexamination.</p><p>In this blog post, we walk through the administrative challenges to patents at the USPTO, especially the IPR, which we consider to be one of the most effective ways to shield ourselves and others from patent troll attacks on innovation.</p>
    <div>
      <h4>No gridlock here: Congress agrees that bad patents must go</h4>
      <a href="#no-gridlock-here-congress-agrees-that-bad-patents-must-go">
        
      </a>
    </div>
    <p>The IPR process was created by Congress in 2011 through the <a href="https://www.congress.gov/bill/112th-congress/house-bill/1249?q=%7B%22search%22%3A%5B%22PL112-29%22%5D%7D&amp;r=1">America Invents Act</a> with overwhelming bipartisan support, passing the House by a vote of 304 to 117 and the Senate 89 to 9, and <a href="https://obamawhitehouse.archives.gov/the-press-office/2011/09/16/president-obama-signs-america-invents-act-overhauling-patent-system-stim">was signed by President Obama</a> on September 16, 2011. The law was based on a growing awareness that it had become too easy to obtain low quality patents and too hard to challenge them in expensive and long court proceedings. As technologies continued to grow and develop, the patent system became inundated with bad patents issued during the dot-com era, many of which included vague claims relating to rudimentary web technologies. Over a decade later, these claims were being applied out of context and asserted broadly to shake down innovative companies using vastly more sophisticated technologies.</p><p>While few of the patents used in these shake-downs would have survived an invalidity challenge in front of a judge, the prohibitively high cost and delay of litigation meant that the vast majority of patent infringement claims settled outside of court for nuisance value. Defending a patent lawsuit in federal court costs <a href="https://www.cnet.com/news/how-much-is-that-patent-lawsuit-going-to-cost-you/">millions of dollars</a> (regardless of whether you ultimately have to pay a Plaintiff) and can take <a href="https://www.pwc.com/us/en/forensic-services/publications/assets/2016-pwc-patent-litigation-study.pdf">2-3 years</a> to resolve. As a result, courts rarely had an opportunity to invalidate bad patents. 
The patents lived on, and the nefarious cycle continued.</p><p>Seeking to break the cycle of misuse, Congress stepped in and created IPR to provide a streamlined process for invalidating bad patents. IPR is an administrative proceeding conducted by the USPTO itself, rather than a federal court. IPR proceedings have a limited scope and harness the USPTO’s special expertise in resolving questions of patent validity. As a result, a typical IPR proceeding can be completed in <a href="http://www.ptab-blog.com/2015/11/13/the-cost-effectiveness-of-ptab-proceedings/">about half the time and at one tenth of the cost</a> of a federal court case.</p><p>To date, <a href="https://www.uspto.gov/sites/default/files/documents/Trial_Statistics_2017-05-31.pdf">over 6,000 IPR petitions have been filed</a>, of which over 1,600 have resulted in written decisions by the USPTO. Many other cases either settled or remain pending. IPR petitioners have had a high rate of success. Of the 1,600 cases that reached a written decision, 1,300 of those cases were successful in having the USPTO invalidate at least one claim, and 1,000 were successful in having the entire patent invalidated.</p>
    <div>
      <h4>Looking under the hood of an IPR</h4>
      <a href="#looking-under-the-hood-of-an-ipr">
        
      </a>
    </div>
    <p>To initiate an IPR, the party challenging the patent files a petition with the USPTO identifying the patents, explaining why the patents should be found invalid, and presenting the relevant prior art. The owner of the challenged patent has an opportunity to file a written response to the petition.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3MYlSlfEgyFF015t4ooImP/52f5f39b2b55ca8b39802f5fbb4a84bf/1600px-1970_Chevrolet_Camaro_Z28_under_the_hood.jpg" />
            
            </figure><p><a href="https://commons.wikimedia.org/wiki/File:Publicsquare1905.jpg#file">Image</a> by <a href="https://www.flickr.com/people/katescars/">Katherine Tompkins</a></p><p>The USPTO actually makes two major decisions during an IPR. The first is a threshold determination of whether to institute the IPR at all. The USPTO will institute an IPR if the petition (combined with the patent owner’s response, if one was filed) establishes a “reasonable likelihood that the petitioner will prevail” in invalidating one or more claims. One unusual feature of the IPR process is that the USPTO’s institution decision cannot be appealed. Both parties must live with whatever institution decision the USPTO makes. Since 2015, the USPTO has instituted <a href="https://patentlyo.com/patent/2016/07/partes-review-statistics.html">about two thirds</a> of all IPR petitions.</p><p>After an IPR is instituted, both sides have an opportunity to gather evidence, file motions, and present arguments. The USPTO then issues a final written decision on the validity of the patent. Unlike the institution decision, the final written decision of an IPR is appealable to the <a href="http://www.cafc.uscourts.gov/the-court/court-jurisdiction">Federal Circuit Court of Appeals</a> (a specialized appeals court that, among other things, hears appeals in most cases that involve patents). The time between the institution decision and the final written decision should not exceed a year, making IPR exceptionally compact compared to most full court proceedings.</p><p>In addition to speed, the legal standards that the USPTO applies in IPR proceedings are more favorable to the patent challenger than those applied in federal court:</p><ul><li><p><i>The burden of proof for invalidating a patent in an IPR is lower than in federal court.</i> The petitioner in an IPR proceeding must meet the “preponderance of the evidence” standard. 
This is the same standard of proof that applies in the vast majority of civil (non-criminal) cases. Simply put, whichever side has more convincing evidence wins. By contrast, a party raising an invalidity challenge in federal court must meet a higher “clear and convincing evidence” standard to prove that the patent is invalid.</p></li><li><p><i>The “strike zone” for prior art is bigger in an IPR than in federal court.</i> The USPTO interprets challenged patents broadly — using the “broadest reasonable interpretation” standard — making it relatively easy to find prior art that falls within the scope of the patent. This makes sense as patent trolls often take the broadest possible interpretation of their patents when they decide whom to sue, thereby creating pressure for those parties to settle. Federal courts, on the other hand, interpret the challenged patent more narrowly, through the eyes of a hypothetical “person of ordinary skill in the art” (POSITA). A POSITA is someone who has experience in the technological field of the patent and can use technical context to narrow the scope of the patent. This narrower scope makes it harder to find prior art that falls within the scope of the patent.</p></li><li><p>Although the legal standards in an IPR proceeding tend to favor the challenger, other aspects of IPR proceedings can favor the patent owners. For example, unlike federal courts, IPR proceedings provide an opportunity for patent owners to amend their claims to circumvent the challenger’s prior art.</p></li></ul>
    <div>
      <h4>Ex parte reexamination forces abusive patent owners to defend their patents</h4>
      <a href="#ex-parte-reexamination-forces-abusive-patent-owners-to-defend-their-patents">
        
      </a>
    </div>
    <p>For all of the built-in efficiencies of the IPR process, an IPR still closely resembles a traditional court case in many important respects. For example, an IPR generally requires a petitioner to undertake a full slate of heavy-duty legal tasks, like writing briefs, filing motions, and making oral arguments. As a result, even though going through an IPR process is <b>far less</b> painful and expensive than being dragged through the federal courts, it still involves significant legal fees and demands a high level of attention that could otherwise be spent innovating.</p><p>Enter <i>ex parte</i> reexamination, which strips down the process for challenging patent validity even further. In <i>ex parte</i> reexamination, the party challenging the patent files a petition with the USPTO in much the same manner as an IPR. However, once the petition is filed, the petitioner steps out of the picture entirely. Instead, the USPTO reassesses the validity of the challenged patent by engaging in a semi-collaborative back-and-forth between the USPTO and the patent owner, without the challenger’s continued involvement. This back-and-forth is virtually identical to the original examination process between the USPTO and applicant that led to the patent being issued in the first place.</p><p>Like an IPR petition, the petition for <i>ex parte</i> reexamination has to cast sufficient doubt on the validity of the patent before the USPTO will order an <i>ex parte</i> reexamination. In this case, the legal standard that the USPTO uses is whether the petition establishes a “substantial new question of patentability.” To date, over 90% of petitions for <i>ex parte</i> reexamination have been granted.</p><p>With a relatively low up-front investment and no continuing costs incurred by the petitioner, an <i>ex parte</i> reexamination has the advantage of forcing patent owners back to the USPTO to defend their patents or risk invalidation. 
And <a href="https://www.uspto.gov/sites/default/files/documents/ex_parte_historical_stats_roll_up.pdf">more often than not</a>, the patent owner in an <i>ex parte</i> reexamination will end up making significant concessions along the way: amendments that narrow the scope of a patent. To date, 67% of <i>ex parte</i> reexaminations have resulted in at least an amendment to the patent, and another 12% have been successful in having an entire patent invalidated. These concessions, even seemingly minor ones, can successfully thwart a dubious claim of patent infringement and severely limit the owner’s ability to pursue future claims of infringement.</p>
    <div>
      <h4>USPTO review of patent validity (IPR and ex parte) faces an uncertain future</h4>
      <a href="#uspto-review-of-patent-validity-ipr-and-ex-parte-faces-an-uncertain-future">
        
      </a>
    </div>
    <p>In a surprise decision last week, the U.S. Supreme Court announced that it has decided to hear the case of <a href="http://www.scotusblog.com/case-files/cases/oil-states-energy-services-llc-v-greenes-energy-group-llc/">Oil States vs. Greene’s Energy Group, et al</a>. The key question that the Court will decide is whether or not the IPR process is constitutional. The stakes are significant: if the Supreme Court finds IPR unconstitutional, then the entire system of administrative review by the USPTO — including IPR and <i>ex parte</i> — will be abandoned.</p><p>Oil States had a patent related to — you guessed it — oil drilling technology invalidated in an IPR proceeding and subsequently lost an appeal in a lower federal court. It has asked the Supreme Court to hear the case because it feels that once the USPTO issues a patent, an inventor has a constitutionally protected property right that — under <a href="http://www.heritage.org/constitution/#!/articles/3">Article III</a> of the U.S. Constitution (which outlines the powers of the judicial branch of the government), and the <a href="https://constitutioncenter.org/interactive-constitution/amendments/amendment-vii">7th Amendment</a> (which addresses the right to a jury trial in certain types of cases) — cannot be revoked without judicial intervention.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/28lDtNFHXttHJlNx6ZkKH6/f402b66ce203b38d3ade0abcb350b156/West_Texas_Pumpjack.jpg" />
            
            </figure><p><a href="https://commons.wikimedia.org/wiki/File:West_Texas_Pumpjack.JPG">Image</a> by <a href="https://commons.wikimedia.org/wiki/File:West_Texas_Pumpjack.JPG">Eric Kounce</a></p><p>It’s important to understand what it means for the Supreme Court to agree to hear a case — or as lawyers would insist: grant a <a href="https://www.law.cornell.edu/wex/writ_of_certiorari">writ of certiorari</a>. The Supreme Court only hears the cases it wants to in order to resolve issues of sufficient importance or disagreement. Over the past several years, the Court has only agreed to hear <a href="https://www.supremecourt.gov/about/justicecaseload.aspx">about 1% of the cases submitted to it</a>. Four Justices have to vote in favor before a writ of certiorari is granted. Grants are almost always made where there is disagreement among the federal appellate courts or on issues taken from the front page.</p><p><i>Oil States</i> is not the first case to make its arguments against the IPR system, but it is the first that the Supreme Court has agreed to hear. Notably, lower courts have repeatedly rejected the stance taken by the petitioner in <i>Oil States</i>. This is more problematic than it seems because if the Supreme Court were comfortable with the status quo, there would be no reason for it to hear the case. The decision to hear the case suggests that at least the four justices who voted to grant the writ of certiorari are considering going in another direction (though perhaps predicting the Supreme Court’s views is better left to <a href="http://www.sciencemag.org/news/2017/05/artificial-intelligence-prevails-predicting-supreme-court-decisions">science</a>).</p>
    <div>
      <h4>A quick fix of the patent system is better than no fix at all</h4>
      <a href="#a-quick-fix-of-the-patent-system-is-better-than-no-fix-at-all">
        
      </a>
    </div>
    <p>Because Congressional action creating the IPR was a prudent and resoundingly popular action to blunt abuses of the patent system, there are several concerning aspects of a potential invalidation of the IPR system by the Supreme Court. The patent troll system is based on the idea that American companies would rather pay billions of dollars to resolve meritless claims of infringement than suffer the delay and expense of pursuing those claims in federal court.</p><p>In response, members of Congress set up a better, though still not perfect, system for having these disputes resolved. The court system should have taken steps to improve its own processes to make them less susceptible to being used to distort the ability to have legitimate disputes resolved. Instead, a decision by the Court to invalidate the IPR process would be the equivalent of the Court failing to clean up its own mess and then prohibiting anyone else from doing so.</p><p>And it seems a bit incongruous that rights granted through a system created by statute which gave decision making authority to a patent examiner at the USPTO—the patent system—cannot be modified or altered through a system created by a subsequent statute and using the benefit of actual experience. USPTO reviewers grant patent rights, so why are other USPTO reviewers prohibited from changing that designation?</p>
    <div>
      <h4>Getting ourselves into the game</h4>
      <a href="#getting-ourselves-into-the-game">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/iE2KH81ycO8KDDvJW0oFi/88cfa9b0861b4bb897b8bb4d5e8e38bf/3518931365_1c26d256c9_b.jpg" />
            
            </figure><p><a href="https://creativecommons.org/licenses/by-sa/2.0/">CC BY-SA 2.0</a> <a href="https://www.flickr.com/photos/maenie/3518931365">image</a> by <a href="https://www.flickr.com/photos/maenie/">meanie</a></p><p>We will be closely monitoring developments in <i>Oil States</i> and expect that we will contribute to an Amicus (or “friend of the court”) brief making sure the justices are aware of our position on this issue. Our hope is that the justices voting to grant the writ of certiorari were only considering the implications on the parties to that case (neither of which is an NPE), and not fully considering the larger community of innovative companies that are helped by the IPR system.</p><p>While we await a decision in <i>Oil States</i>, expect to see Cloudflare initiate IPR and ex parte proceedings against Blackbird Tech patents in the coming months. In the meantime, you can continue to support our efforts by searching for prior art on the Blackbird Tech patents, and you can engage in the political process by supporting efforts to improve the patent litigation process.</p> ]]></content:encoded>
            <category><![CDATA[Policy & Legal]]></category>
            <category><![CDATA[Patents]]></category>
            <category><![CDATA[Jengo]]></category>
            <category><![CDATA[Community]]></category>
            <guid isPermaLink="false">1e2PNrsRYQd2mNsBfLdZhx</guid>
            <dc:creator>Doug Kramer</dc:creator>
        </item>
    </channel>
</rss>