A company called CryptoPeak Solutions LLC, based in Longview, Texas, has filed lawsuits against a number of big businesses in the US. The legal action is being undertaken because CryptoPeak alleges that the (numerous) defendants have illegally used its patented encryption key exchange method on their HTTPS websites.
The encryption method in question is Elliptic Curve Cryptography (ECC) – an algorithm used on websites secured with Transport Layer Security (TLS) – that determines what symmetric keys will be used during a session. According to the company, its patent (US Patent 6,202,150) is being abused by anybody that illegally uses ECC on their website to securely encrypt traffic.
What is interesting is that many firms do use ECC to encrypt their traffic – meaning that CryptoPeak has engaged in legal action with many US firms. Just last week, Tadlock law firm from Texas filed infringement claims on behalf of its client against AT&T, Priceline, Pinterest, Hyatt Hotels, Best Western, and Experia. Those are only the most recent claims, too: the law firm has already launched action against well-known firms like AT&T, Yahoo, Netflix, GoPro, Macy’s and Sony amongst others (including large hotel and insurance companies) since it started working on behalf of its client back in July.
In fact, the patent-holding company now has around 70 different cases on the go and is asking for a trial by jury to determine damages and royalties (including future royalties). It is also demanding that all its legal bills be covered by the defendants (as an exceptional case under 35 U.S. Code § 285).
The US Patent (6,202,150) in question was granted to the two cryptography experts that own CryptoPeak back in 1997. Their names as they appear in the patent are Adam Lucas Young and Marcel Mordechay Yung. The patent states:
‘This invention relates to cryptosystems, and in particular to the escrowing and recovering of cryptographic keys and data encrypted under cryptographic keys. The escrow and recovery process assures that authorized entities like law-enforcement bodies, government bodies, users, and organizations, can when allowed or required, read encrypted data. The invention relates to cryptosystems implemented in software, but is also applicable to cryptosystems implemented in hardware.’
The most important part of the patent (in relation to the ongoing cases) is its description of ‘generating public keys’ and ‘publishing public keys’ – both of which certainly do seem to apply to websites that use ECC to encrypt traffic, because ECC does require the generation and use of public keys.
Despite the bad news for the many firms being sued by the CryptoPeak patent holders, there is still hope. That is because the patent held by Yung and Young concentrates on ‘a key recovery agent to recover the user’s private key or information encrypted under said user’s corresponding public key’ – which is not really what ECC is about. That subtle point was clearly not enough to deter CryptoPeak from filing legal action against the many US firms (due to its belief that there is enough similarity between the patent it holds and the use of ECC to generate keys on the defendants’ websites).
Apart from the current legal action, not an awful lot is known about what CryptoPeak does, nor why its two patent holders have waited so long to begin filing for damages. However, some information about the two patent holders can be gained from the publicly available paperwork that its Texas-based law firm Tadlock filed against insurance company Progressive last week. This is what it says about the two men in sections 14 and 15 of that paperwork:
‘Dr. Moti Yung obtained his Ph.D. in Computer Science in 1988 at Columbia University. His professional career includes research and technical work for IBM, RSA Security (now a division of EMC), and Google. He has been an adjunct professor for many years at Columbia University, serving on Ph.D. committees and advising more than 60 Ph.D. students. He is an author or co-author of more than 300 refereed abstracts and journal papers, including several in collaboration with Dr. Young. He is an inventor on dozens of issued U.S. patents. He is a Fellow of the ACM (Association for Computing Machinery), the IACR (International Association for Cryptologic Research), and the IEEE (Institute of Electrical and Electronics Engineers)’
‘Dr. Adam Young obtained his Ph.D. in Computer Science in 2002 at Columbia University. His professional career includes research and technical work for Lucent, Lockheed Martin, MITRE Corporation, and Bloomberg. He has been a guest lecturer at NYU and Rensselaer Polytechnic Institute. He is an author or co-author of more than three dozen papers and journal articles, including several with Dr. Yung. He is an inventor on at least 8 issued U.S. patents.’
It does seem somewhat strange that so little is known about CryptoPeak when both of the patent-holders do appear to have such reputable backgrounds. Having said that, it does not look like many of the companies facing litigation are feeling particularly threatened by the pending cases.
Netflix, for example, has already filed for the case to be dismissed under FED. R. CIV. P. 12(B)(6), on the grounds that CryptoPeak’s infringement claim does not specify clearly enough what exactly it is that it has infringed on. According to Netflix’s lawyers, the legal action should be dismissed because,
‘The defect in these claims is so glaring that CryptoPeak’s only choice is to request that the court overlook the express words of the claims, construe the claims to read out certain language, or even correct the claims.’