Opinion
2019-2074 2019-2146
12-30-2020
JAMES R. HANNAH, Kramer Levin Naftalis & Frankel LLP, Menlo Park, CA, for appellant. Also represented by PAUL J. ANDRE; JEFFREY PRICE, New York, NY. PATRICK D. MCPHERSON, Duane Morris LLP, Washington, DC, for cross-appellant. Also represented by PATRICK C. MULDOON; MATTHEW CHRISTOPHER GAUDET, Atlanta, GA; JOSEPH POWERS, Philadelphia, PA.
NOTE: This disposition is nonprecedential. Appeals from the United States Patent and Trademark Office, Patent Trial and Appeal Board in No. IPR2018-00391. JAMES R. HANNAH, Kramer Levin Naftalis & Frankel LLP, Menlo Park, CA, for appellant. Also represented by PAUL J. ANDRE; JEFFREY PRICE, New York, NY. PATRICK D. MCPHERSON, Duane Morris LLP, Washington, DC, for cross-appellant. Also represented by PATRICK C. MULDOON; MATTHEW CHRISTOPHER GAUDET, Atlanta, GA; JOSEPH POWERS, Philadelphia, PA. Before LOURIE, REYNA, and WALLACH, Circuit Judges. WALLACH, Circuit Judge.
Cisco Systems, Inc. ("Cisco") sought inter partes review ("IPR") of claims 1-4, 8, and 11-14 ("the Challenged Claims") of Finjan, Inc.'s ("Finjan") U.S. Patent No. 7,647,633 ("the '633 patent"). The U.S. Patent and Trademark Office's Patent Trial and Appeal Board ("PTAB") issued a final written decision concluding that Cisco "ha[d] shown by a preponderance of the evidence that claims 1-4, 8, and 11-13 of the '633 patent are unpatentable" as obvious, but "ha[d] not shown by a preponderance of the evidence that [independent] claim 14 of the '633 patent is unpatentable" as obvious. Cisco Sys., Inc. v. Finjan, Inc., No. IPR2018-00391, 2019 WL 2237141, at *1 (P.T.A.B. May 23, 2019).
Finjan appeals and Cisco cross-appeals. We have jurisdiction pursuant to 28 U.S.C. § 1295(a)(4)(A). We affirm.
BACKGROUND
I. The '633 Patent
Entitled "Malicious Mobile Code Runtime Monitoring System and Methods," the '633 patent "relates generally to computer networks, and more particularly" to "a system and methods for protecting network-connectable devices from undesirable downloadable operation." '633 patent col. 1 ll. 30-33. The '633 patent "provides protection systems and methods capable of protecting . . . network accessible devices or processes," such as personal computers, "from harmful, undesirable, suspicious or other 'malicious' operations that might otherwise be effectuated by remotely operable code," such as computer viruses. Id. col. 2 ll. 20-25; see id. col. 1 ll. 40-44 (noting that "the Internet and other public networks have . . . become a major source of potentially system-fatal or otherwise damaging computer code commonly referred to as 'viruses'"). The '633 patent discloses "embodiments" that first "determin[e], within one or more network 'servers' . . . whether received information includes executable code"—referred to as a "Downloadable"—then, based on that determination, "deliver[] static, configurable, and/or extensible remotely operable protection [code or] policies" to the location of the Downloadable, and "caus[e] the mobile protection code to be executed within a Downloadable-destination in a manner that enables various Downloadable operations to be detected, intercepted or further responded to via protection operations." Id. col. 2 ll. 39-55; see id. col. 1 ll. 60-66 (providing that "[d]ownloadable information" may include "distributable components (e.g.[,] Java™ applets and JavaScript scripts, ActiveX™ controls, Visual Basic, add-ins and/or others)" and "application programs, Trojan horses, multiple compressed programs such as zip or meta files, among others"), col. 2 ll. 28-33 (similar).
Independent claims 1 and 14, and claims 2 and 3 of the '633 patent, are illustrative. Independent claim 1 recites:
A computer processor-based method, comprising:
Id. col. 20 ll. 54-62. Claim 2 depends from independent claim 1, and provides that "receiving includes monitoring received information of an information re-communicator." Id. col. 20 ll. 63-65. Claim 3, which depends from claim 2, provides that claim 2's "information re-communicator is a network server." Id. col. 20 ll. 66-67.receiving, by a computer, downloadable-information;
determining, by the computer, whether the downloadable-information includes executable code; and
based upon the determination, transmitting from the computer mobile protection code to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code.
Independent claim 14 recites:
A computer program product, comprising a computer usable medium having a computer readable program code therein, the computer readable program code adapted to be executed for computer security, the method comprising:
Id. col. 21 l. 58-col. 22 l. 5.providing a system, wherein the system comprises distinct software modules, and wherein the distinct software modules comprise an information re-communicator and a mobile code executor;
receiving, at the information re-communicator, downloadable-information including executable code; and
causing mobile protection code to be executed by the mobile code executor at a downloadable-information destination such that one or more operations of the executable code at the destination, if attempted, will be processed by the mobile protection code.
II. The Prior Art
A. Hanson
Entitled "Reverse Proxy Server," WIPO Pub. No. WO 98/31124 ("Hanson") is an international application published under the Patent Cooperation Treaty, and "relates to client/server computer communications over an internetwork system and, more particularly, to improved access of firewall protected servers." J.A. 833; see J.A. 831- 52 (Hanson). Hanson discloses "a method and system for securely accessing servers" over a network by providing "secure bi-directional data packet communication between" an external "client . . . and [internal] servers," with the servers "protected by a firewall . . . and bastion server." J.A. 835-36. The bastion server "includes a processor and memory like typical servers, but also includes an internal [IP] address file . . . and a rules file . . . stored in memory." J.A. 836.
Hanson defines "internetwork" as "the joining of multiple computer networks, both similar and dissimilar, by means of gateways or routers that facilitate data transfer and conversion from various networks." J.A. 833.
A "bastion server" is "a special-purpose computer on a network . . . specifically designed and configured to protect against unauthorized access." J.A. 775.
Hanson teaches that its bastion server uses its address and rule files to limit "external access to [the internal servers] through the firewall," J.A. 837, specifically, by checking both outgoing and incoming "data packet[s]" against its internal address file and rules file, J.A. 838. Data packets are routed through the bastion server. J.A. 838. Incoming data packets are addressed to an internal server name. J.A. 838. The bastion server receives the data packet and, first, "determines whether a match exists between the server name and an internal address located in the internal address file." J.A. 838. "If no match is found, the bastion" server notifies the client that the "packet cannot be delivered." J.A. 838. If the address is found, the bastion server then "check[s]" "the received packet . . . against [the] rules contained within the rules file." J.A. 838. If the data packet "fails to pass" any of the rules, the bastion server notifies the client and does not deliver the packet. J.A. 838. "[I]f the received packet passes all the rules contained within the rules file, a connection is made between the client and the [addressed internal] server" and the packet is delivered. J.A. 838. "The rule checks include certain security [check] programs that operate upon received data packets and, particularly, data packets that are or include programs." J.A. 838; see J.A. 842-43 (providing that these programs may be "J[ava™] applets" or "ActiveX[™] programs which are intended to be run on the destination client or server"). Hanson explains that the "security check program" does this by "tagging" or "attaching itself to the [executable code] being sent in the data packet," such that, when the executable code is "run at the destination client or server," the security check program "runs simultaneously" and "performs [the necessary] security operations." J.A. 842, 845. Outgoing packets undergo a similar check through the bastion server. J.A. 840.
B. Hyppönen
Entitled "Computer Virus Screening," U.S. Patent No. 6,577,920 ("Hyppönen") "relates to the screening of computer data for viruses and more particularly to the screening of computer data for macro viruses." J.A. 857; see J.A. 854-61 (Hyppönen). Hyppönen defines "macros" as "small executable programs written in a simple high level language" that provide, for example, "customized menu bars" or "document templates" in word processing programs. J.A. 857.
Hyppönen discloses a "method of screening a software file for viral infection" using three databases—one "of known macro virus signatures, a second . . . of known and certified commercial macro signatures, and a third . . . of known and certified local macro signatures." J.A. 854. Hyppönen teaches that a software file may be "scanned to determine whether or not [it] contains a macro." J.A. 854. "If [it does] contain[] a macro," then the method determines "a signature for the macro" such that it may be "screened against the signatures contained in [the three] databases" of known signatures. J.A. 854. If the macro is a known virus, the file system event is suspended and the user alerted. J.A. 859. If the macro is a known legitimate program, it is allowed to proceed. J.A. 859. If the macro is unknown and unverifiable, the file system event is suspended and "a report is sent to the network manager" with "a copy of the [unknown] macro." J.A. 859. The databases may be updated as more macros are encountered or become available. J.A. 857. Hyppönen suggests that its system may be modified "to screen files for viruses other than macro viruses." J.A. 859.
DISCUSSION
Finjan argues that the PTAB made a series of claim construction errors, and that, under the proper construction, claims 1-4, 8, and 11-13 of the '633 patent are not obvious over Hanson and Hyppönen. Appellant's Br. 20-36. On cross-appeal, Cisco argues that the PTAB's conclusion that independent claim 14 of the '633 patent is not obvious over Hanson and Hyppönen is unsupported by substantial evidence. Cross-appellant's Br. 40. We address each argument in turn.
I. Standard of Review
"We review the PTAB's factual findings for substantial evidence and its legal conclusions de novo." Redline Detection, LLC v. Star Envirotech, Inc., 811 F.3d 435, 449 (Fed. Cir. 2015) (citation omitted). "Substantial evidence is something less than the weight of the evidence but more than a mere scintilla of evidence," meaning that "[i]t is such relevant evidence as a reasonable mind might accept as adequate to support a conclusion." In re NuVasive, Inc., 842 F.3d 1376, 1379-80 (Fed. Cir. 2016) (internal quotation marks and citations omitted). "If two inconsistent conclusions may reasonably be drawn from the evidence in record, the PTAB's decision to favor one conclusion over the other is the epitome of a decision that must be sustained upon review for substantial evidence." Elbit Sys. of Am., LLC v. Thales Visionix, Inc., 881 F.3d 1354, 1356 (Fed. Cir. 2018) (internal quotation marks, brackets, and citation omitted).
II. Claim Construction
A. Legal Standard
"[C]laim construction must begin with the words of the claims themselves." Amgen Inc. v. Hoechst Marion Roussel, Inc., 457 F.3d 1293, 1301 (Fed. Cir. 2006) (citation omitted). "[W]ords of a claim are generally given their ordinary and customary meaning," i.e., "the meaning that the term would have to a person of ordinary skill in the art [('PHOSITA')] in question at the time of the invention[.]" Phillips v. AWH Corp., 415 F.3d 1303, 1312-13 (Fed. Cir. 2005) (en banc) (internal quotation marks and citation omitted). "The words used in the claims are interpreted in light of the intrinsic evidence of record, including the written description, the drawings, and the prosecution history[.]" Teleflex, Inc. v. Ficosa N. Am. Corp., 299 F.3d 1313, 1324 (Fed. Cir. 2002) (citation omitted). The PHOSITA "is deemed to read [a] claim term not only in the context of the particular claim in which [it] appears, but in the context of the entire patent, including the specification." Phillips, 415 F.3d at 1313. Prosecution history may also be looked to in order to supply additional evidence of a claim term's intended meaning. See Home Diagnostics, Inc. v. Lifescan, Inc., 381 F.3d 1352, 1356 (Fed. Cir. 2004). "A patent's specification, together with its prosecution history, constitutes intrinsic evidence to which the PTAB gives priority when it construes claims." Knowles Elecs. LLC v. Cirrus Logic, Inc., 883 F.3d 1358, 1361-62 (Fed. Cir. 2018) (citation omitted). We review the PTAB's assessment of the intrinsic evidence de novo and extrinsic evidence for substantial evidence. See id. at 1362.
Because the '633 patent expired between conclusion of the IPR and this appeal, see Appellant's Br. 20 (noting that the '633 patent expired in November 2019); see generally Cross-appellant's Br. (discussing neither expiration of the '633 patent nor the appropriate claim construction standard), we construe the Challenged Claims in accordance with the standard set forth in Phillips, 415 F.3d at 1312-13, rather than the broadest reasonable interpretation ("BRI") as applied by the PTAB, Cisco, 2019 WL 2237141, at *2; see In re Rambus, Inc., 753 F.3d 1253, 1256 (Fed. Cir. 2014) (providing that, once a patent has expired, "we apply the Phillips claim construction standards").
The "specification includes both the written description and the claims of the patent." Cisco Sys., Inc. v. TQ Delta, LLC, 928 F.3d 1359, 1362 (Fed. Cir. 2019) (internal quotation marks and citation omitted).
A patent's prosecution history "consists of the complete record of the proceedings before the [US]PTO," providing "evidence of how the [US]PTO and the inventor understood the patent." Phillips, 415 F.3d at 1317 (citation omitted).
B. The PTAB Properly Construed the Term
"Information Re-Communicator"
The PTAB concluded that the "information re-communicator" as recited in claims 2 and 3 "is not limited to receiving downloadable-information from an external network." Cisco, 2019 WL 2237141, at *4. Finjan argues that, by not requiring that the received downloadable information come "from an external network," the PTAB's construction is "overbroad and inconsistent with the specification and [expert] testimony." Appellant's Br. 33-34. We disagree with Finjan.
Finjan refers to the recited "information re-communicator" as the "information re-communicator/monitor." See, e.g., Appellant's Br. 34. Finjan does not raise any arguments specific to the term "monitor." See generally Appellant's Br. Consistent with the PTAB, we discuss this term as the "information re-communicator." See, e.g., Cisco, 2019 WL 2237141, at *4.
The PTAB properly construed the term "information re-communicator." Consistent with claim construction principles, we look first to the language of the claims, followed by the language of the specification and prosecution history. See Phillips, 415 F.3d at 1315-17. Independent claim 1 recites "[a] computer processor based method" in which "a computer" "receiv[es] . . . downloadable information." '633 patent col. 20 ll. 54-56. Dependent claims 2 and 3 further provide that this "receiving" may be done by an "information re-communicator" within the computer, id. col. 20 ll. 63-65, and the "information re-communicator" may be a "network server," id. col. 20 ll. 66-67. The claim language does not, however, specify from where the "downloadable information" is "receiv[ed]." See id. col. 20 ll. 64-67. This indicates that the "information re-communicator" is not limited to receiving "downloadable information" from an external network. See Phillips, 415 F.3d at 1314 ("[T]he claims themselves provide substantial guidance as to the meaning of particular claim terms."). Accordingly, the PTAB properly concluded that the "claims are silent as to the source of the 'downloadable-information,'" and, as such, the plain meaning of the claim language" does not require that source be "an external network." Cisco, 2019 WL 2237141, at *4.
We next turn to the specification. See Phillips, 415 F.3d at 1315 ("[C]laims must be read in view of the specification, of which they are a part." (internal quotation marks and citation omitted)). The specification repeatedly describes the "re-communicator" as a "server" or "firewall." See, e.g., '633 patent, Abstract (disclosing embodiments with "a server, firewall or other suitable 're-communicator'"); id. col. 5 ll. 34-36 ("Embodiments provide, within one or more 'servers' (e.g.[,] firewalls, resources, gateways, email relays or other information re-communicating devices)[.]"). The specification provides that "re-communicators" include "one or more network servers, firewalls or other network connectable information re-communicating devices." Id. col. 2 ll. 58-62. Thus, based on the specification, "information re-communicators" are devices that re-communicate received information, regardless of whether that information comes from an external network or other source. The specification does not narrow the term "information re-communicator," and instead, supports the conclusion that the "information re-communicator" is not limited to receiving "downloadable information" from an external network. Accordingly, the PTAB properly concluded that the specification "does not restrict" the "information re-communicator" to "processing the downloadable-information solely" from "external networks." Cisco, 2019 WL 2237141, at *4.
Neither party argues that the prosecution history illuminates the meaning of "information re-communicator." Accordingly, we do not consider it here. See Vitronics Corp. v. Conceptronic, Inc., 90 F.3d 1576, 1582 (Fed. Cir. 1996) (providing that we will consider the prosecution history "if in evidence").
Finjan's primary counterargument is unpersuasive. Finjan "does not disagree" that "(1) the claims are silent as to the source of the downloadable-information and (2) the [s]pecification describes consistently a server or a firewall as a re-communicator." Appellant's Br. 33 (internal quotation marks and citation omitted). Finjan nonetheless urges us to adopt an additional limitation to the term because, based on expert testimony, "a P[H]OS[IT]A would understand . . . 'information re-communicator'" to require it. Id.; see id. at 34 (citing J.A. 2302 (Finjan's expert testimony), 2369 (Cisco's expert deposition)). This argument is without merit. First, while "extrinsic evidence," such as expert testimony, "can shed useful light on the relevant art," "it is less significant than the intrinsic record[.]" Phillips, 415 F.3d at 1317. Finjan agrees that the claims are silent as to whether "downloadable-information" must come from an external network and that the specification does not require it. Appellant's Br. 33. Where, as here, "an analysis of the intrinsic evidence alone will resolve any ambiguity in [the] disputed claim term," it is "improper to rely on extrinsic evidence," such as expert testimony, to introduce ambiguity. Vitronics, 90 F.3d at 1583; see Phillips, 415 F.3d at 1318 ("[A] court should discount any expert testimony that is clearly at odds with the claim construction mandated by the claims themselves, the written description, and the prosecution history[.]").
Second, Finjan's proffered expert testimony does not persuasively support its argument that the term "information re-communicator" must be narrowed to receiving "downloadable-information from" only "an external network." Appellant's Br. 33. Finjan's expert testimony is premised on exemplary embodiments of the '633 patent. J.A. 2302-04. Finjan's expert explains that the '633 patent's "information re-communicator" receives "downloadable-information from an external network" because "the '633 patent describes" an exemplary embodiment with "a network that includes subsystems . . . , which are separated via [an] external network . . . from resource servers[.]" J.A. 2302-03 (citing '633 patent col. 5 l. 63-col. 6 l. 33, Figs. 1a, 1b, 1c); see '633 patent col. 5 ll. 57-62 (explaining that "F[igs]. 1a through 1c illustrate a computer network system . . . according to an embodiment of the invention. F[ig]. 1a broadly illustrates [a] system . . . , while F[igs]. 1b and 1c illustrate exemplary protectable subsystem implementations[.]"), col. 5 l. 63-col. 6 l. 33 (describing Figs. 1a, 1b, and 1c). That is, Finjan's expert seeks to improperly read "limitations from the specification . . . into the patent claims." Bell Atl. Network Servs., Inc. v. Covad Commc'ns Grp., Inc., 262 F.3d 1258, 1270 (Fed. Cir. 2001). Finjan also asserts that Cisco's expert "agreed that the claimed 'information re-communicator . . .' must receive downloadable information over an external network." Appellant's Br. at 18; see id. at 34 (similar). Finjan is incorrect. Cisco's expert declined to "construe any terms," but noted, when asked "[w]hat problem the '633 patent" tries to "solve," that he "underst[oo]d from reading the patent that the re[-]communicator receives the downloadable information from the external network," with "downloadables" only "usually" "downloaded from an external network." J.A. 2368-69 (without citation or specific reference). Even if we were to interpret this statement as requiring "an external network" as Finjan urges, "[w]here the patent documents are unambiguous, expert testimony regarding the meaning of a claim is entitled to no weight." Texas Digital Sys., Inc. v. Telegenix, Inc., 308 F.3d 1193, 1212 (Fed. Cir. 2002); Vitronics, 90 F.3d at 1584 ("[E]xpert testimony . . . often only indicates what a particular expert believes a term means[.]"). The PTAB, therefore, properly construed the term "information re-communicator" as "not limited to receiving downloadable-information from an external network." Cisco, 2019 WL 2237141, at *4; see In re CSB-Sys. Int'l, Inc., 832 F.3d 1335, 1341 (Fed. Cir. 2016) ("In many cases, the claim construction will be the same under the Phillips and BRI standards.").
Finjan's argument that Hanson "does not disclose an 'information re-communicator,'" is predicated on us adopting Finjan's construction of "information re-communicator." Appellant's Br. 36 (arguing that Hanson "does not disclose an 'information re-communicator . . .' under the proper construction"). Because we do not adopt Finjan's construction, we need not address Finjan's conditional argument. See Knowles Elecs. LLC v. Iancu, 886 F.3d 1369, 1373 n.3 (Fed. Cir. 2018) ("Because we conclude that the PTAB did not err in its construction of the disputed limitation, we need not address the appellant's conditional arguments as to the PTAB's unpatentability determinations." (internal quotation marks, brackets, and citation omitted)).
II. Obviousness
A. Legal Standard
A patent claim is invalid "if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a [PHOSITA]." 35 U.S.C. § 103(a) (2006). Obviousness "is a question of law based on underlying findings of fact." See In re Gartside, 203 F.3d 1305, 1316 (Fed. Cir. 2000). Those underlying findings of fact include: (1) "the scope and content of the prior art," (2) "differences between the prior art and the claims at issue," (3) "the level of ordinary skill in the pertinent art," and (4) the presence of objective indicia of nonobviousness such "as commercial success, long felt but unsolved needs, failure of others," and unexpected results. Graham v. John Deere Co. of Kan. City, 383 U.S. 1, 17 (1966); see United States v. Adams, 383 U.S. 39, 50-52 (1966). In assessing the prior art, the PTAB also "consider[s] whether a PHOSITA would have been motivated to combine the prior art to achieve the claimed invention and whether there would have been a reasonable expectation of success in doing so." In re Warsaw Orthopedic, Inc., 832 F.3d 1327, 1333 (Fed. Cir. 2016) (internal quotation marks, brackets, and citation omitted). "What a prior art reference teaches and whether a [PHOSITA] would have been motivated to combine references are questions of fact." Apple Inc. v. Samsung Elecs. Co., Ltd., 839 F.3d 1034, 1051 (Fed. Cir. 2016) (en banc).
Congress amended § 103 when it enacted the Leahy-Smith America Invents Act ("AIA"). Pub. L. No. 112-29, § 3(c), 125 Stat. 284, 287 (2011). However, because the application that led to the '633 patent never contained (1) a claim having an effective filing date on or after March 16, 2013, or (2) a reference under 35 U.S.C. §§ 120, 121, or 365(c) to any patent or application that ever contained such a claim, the pre-AIA § 103 applies. See AIA, § 3(n)(1), 125 Stat. at 293; '633 patent, Cover Page.
B. Substantial Evidence Supports the PTAB's Finding
that Hanson Discloses "Downloadable-Information" as
Recited in Independent Claim 1
The PTAB concluded that it "need not construe the term" "downloadable-information," because even if it adopted Finjan's proposed construction, Cisco "ha[d] shown that prior art teaches the limitation." Cisco, 2019 WL 2237141, at *5; see id. (noting that Finjan defined the term "downloadable-information" as "information which is downloaded from a source computer which may or may not include executable code" (quoting J.A. 305 (Patent Owner's Response)). The PTAB then found that "Hanson's bastion server receives 'downloadable-information'" and, therefore, Hanson teaches "receiving . . . downloadable-information" as recited in independent claim 1. Id. at *13. Finjan argues that the PTAB's construction of "downloadable-information" was "premised on a very clear misinterpretation of Finjan's argument." Appellant's Br. 29. Finjan asserts that the PTAB's "failure to address Finjan's actual argument means that" the PTAB's finding that Hanson teaches "receiving . . . downloadable-information" is unsupported by substantial evidence. Id. at 31. We disagree with Finjan.
Substantial evidence supports the PTAB's finding that Hanson teaches "receiving . . . downloadable-information." Independent claim 1 recites a "computer processor-based method," in which "a computer" first "receiv[es] . . . downloadable-information," then "determin[es] . . . whether the downloadable-information includes executable code," and last, "if the downloadable-information is determined to include executable code," "transmit[s] . . . [a] mobile protection code to [an] information-destination of the downloadable-information." '633 patent col. 20 ll. 54-62. "Downloadable-information" is "information which is downloaded from a source computer which may or may not include executable code." Cisco, 2019 WL 2237141, at *5 (quoting J.A. 305); see Appellant's Br. 27-28 (offering the same definition); J.A. 305 (same).
Hanson discloses, in relevant part, that its bastion server—a computer, J.A. 836; see J.A. 775—receives both incoming ("received") and outgoing ("reply") data packets for and from a client and checks these data packets against address and rules files, J.A. 838. Hanson explains that, for received packets, its bastion server runs "rule checks" that "include certain security [check] programs that operate upon received data packets and, particularly, data packets that are or include programs." J.A. 838. These programs may be, for example, "J[ava™] applets" or "ActiveX[™] programs which are intended to be run on the destination client or server." J.A. 842-43. The bastion server performs "[s]imilar" checks on "outgoing" or "reply data packet[s]." J.A. 840. Both Java™ applets and ActiveX™ programs are "downloadable" information. J.A. 842-43; see '633 patent col. 1 ll. 60-63, col. 2 ll. 28-33. Hanson, therefore, teaches "a computer," specifically its bastion server, that "receive[s] . . . downloadable-information," such as Java™ applets and ActiveX™ programs, in both incoming and outgoing data packets. '633 patent col. 20 ll. 54-62; J.A. 842-43. Accordingly, substantial evidence supports the PTAB's finding that Hanson discloses "the transmitting step" of independent claim 1, "a computer" that "receive[s] . . . downloadable-information." Cisco, 2019 WL 2237141, at *12-13; see NuVasive, 842 F.3d at 1380 ("[Substantial evidence] is such relevant evidence as a reasonable mind might accept as adequate to support a conclusion." (internal quotation marks and citations omitted)).
Finjan's counterarguments are unpersuasive. First, to the extent Finjan tries to alter its proposed construction of "downloadable-information" on appeal, see Appellant's Br. 27 (arguing that the PTAB's "construction of 'downloadable-information' is overbroad"), its argument is waived, see Conoco, Inc. v. Energy & Envtl. Int'l, L.C., 460 F.3d 1349, 1358-59 (Fed. Cir. 2006) ("[A] party may not introduce new claim construction arguments on appeal or alter the scope of the claim construction positions it took below."). To the extent Finjan argues that the PTAB misunderstood its proposed claim construction, Appellant's Br. 31 (suggesting that the PTAB was "confused"), 32 (suggesting that the PTAB "set up a strawman"), its argument is without merit. Finjan argued, and continues to argue, that "downloadable-information" is "information which is downloaded from a source computer which may or may not include executable code." Appellant's Br. 27-28; see J.A. 305 (same). The PTAB adopted this construction verbatim. Cisco, 2019 WL 2237141, at *5. Any issue Finjan takes with the PTAB's understanding of what the prior art teaches in light of its claim construction is a substantial evidence challenge—"[w]hat is disclosed by a prior art reference is a question of fact." Mettler-Toledo, Inc. v. B-Tek Scales, LLC, 671 F.3d 1291, 1297 (Fed. Cir. 2012); see Appellant's Br. 27 (arguing that the PTAB "ignored . . . evidence" about the definition of downloadable information, when it concluded Hanson "does not disclose 'receiving downloadable information'").
Second, Finjan argues that the PTAB's finding that Hanson teaches "downloadable-information" is unsupported by substantial evidence because the PTAB "confused Finjan's arguments regarding" what Hanson discloses. Appellant's Br. 31. The PTAB stated that Finjan "characterizes [Hanson's] reply data packets as a request for server resources." Cisco, 2019 WL 2237141, at *13 (citing J.A. 318 (Patent Owner's Response)). Finjan asserts that it actually argued that Hanson's incoming, request data packets are "requests for server resources and, consequently, are not data that can be downloaded," Appellant's Br. 30 (citing J.A. 318), while Hanson's outgoing, reply data packets are "outgoing" and therefore "are not . . . downloaded," id. at 31 (citing J.A. 319). Finjan asserts that the PTAB's "failure to address Finjan's actual argument means that there is not even a scintilla of evidence supporting the [PTAB's] finding." Id. at 31 (internal quotation marks and citation omitted). Finjan is mistaken. The PTAB did indeed consider Finjan's argument—it simply found it unpersuasive. See Cisco, 2019 WL 2237141, at *13 (explaining that, while Finjan had argued that "Hanson's bastion server does not receive 'downloadable-information' because . . . requests are not data that can be downloaded," this argument failed because "Hanson's bastion server receives data packets . . . that may include executable programs," and executable programs are examples of "downloadable information"); see also id. (explaining that Finjan's arguments concerning Hanson's reply data packets also failed because Hanson "describes the outgoing reply data packets in the same vein as describing the incoming data packet," "plac[ing] emphasis" on "secure two-way data communication," not on differences between incoming and outgoing packets). Further, that the PTAB may have misstated that Finjan characterized Hanson's "reply data packets" as "a request," does not alter the PTAB's finding that "Hanson's bastion server receives data packets . . . that may include executable programs," both incoming and outgoing, or undermine the substantial evidence that supports that conclusion. Id.; see In re Watts, 354 F.3d 1362, 1369 (Fed. Cir. 2004) ("[T]he harmless error rule applies to appeals from the [PTAB]."); Munoz v. Strahm Farms, Inc., 69 F.3d 501, 504 (Fed. Cir. 1995) ("The correction of an error must yield a different result in order for that error to have been harmful and thus prejudice a substantial right of a party."). Accordingly, the PTAB's finding that Hanson teaches "downloadable information" is supported by substantial evidence.
Finjan also argues "Hanson in view of Hyppönen does not disclose" "determining . . . whether the downloadable-information includes executable code." Appellant's Br. 23; see '633 patent col. 20 ll. 56-57 (independent claim 1). While Finjan raised this argument in its preliminary response, J.A. 237-38, it abandoned it in its Patent Owner's Response, J.A. 287-343; see Appellant's Reply & Resp. 7 (arguing that it was sufficient to raise the argument in its sur-reply below (citing J.A. 508-11)). Finjan was on notice that such an omission would result in waiver. J.A. 268 (PTAB Scheduling Order) ("The patent owner is cautioned that any arguments for patentability not raised in the response will be deemed waived."). The argument is, accordingly, waived. See NuVasive, 842 F.3d at 1380-81 (providing that an argument raised in a preliminary response, but omitted in the patent owner's response, despite the PTAB's "warn[ing] . . . that this would result in waiver," is "abandoned" and deemed "waived").
C. Substantial Evidence Supports the PTAB's Finding
that Hanson Does Not Disclose "Executable Code" as
Recited in Independent Claim 14
The PTAB concluded that Cisco "ha[d] not shown by a preponderance of the evidence that [independent] claim 14 would have been obvious over Hanson." Cisco, 2019 WL 2237141, at *17. The PTAB explained that Cisco had failed to establish that Hanson discloses "causing mobile protection code to be executed . . . at a downloadable-information destination such that one or more operations of the executable code . . . , if attempted, will be processed by the mobile protection code," '633 patent col. 22 ll. 1-5, because Cisco had failed to show that Hanson teaches, as the '633 patent requires, that its "executable code" be "not modified" when processed by its "bastion server," Cisco, 2019 WL 2237141, at *17. Cisco argues that the PTAB's finding is unsupported by substantial evidence because Hanson "does not require [its] executable code to be modified," Cross-appellant's Br. 41, and substantial evidence does not support the conclusion Hanson's executable code is "modified," id. at 45. We disagree with Cisco.
Substantial evidence supports the PTAB's finding that Hanson does not disclose "executable code" as recited in independent claim 14. Independent claim 14 recites "causing mobile protection code to be executed . . . at a downloadable-information destination such that one or more operations of the executable code . . . , if attempted, will be processed by the mobile protection code." '633 patent col. 22 ll. 1-5. The PTAB concluded, and the parties do not contest, that this limitation requires that "the executable code whose operations are processed by the mobile protection code at the destination is the same as the executable code received, i.e., it undergoes no modification." Cisco, 2019 WL 2237141, at *15; see Cross-appellant's Br. 40; Appellant's Reply & Resp. 16. Cisco argued that a PHOSITA would have understood Hanson alone to teach this limitation, J.A. 126 (Petition), 435-38 (Petitioner's Reply); it has not, however, proven that to be true, Cisco, 2019 WL 2237141, at *17. Hanson provides that its "bastion server" has "security check program[s]" that "execute if the bastion receives" executable code "as or in a data packet." J.A. 842; see J.A. 845. These security check programs "ensure[] that the data within the data packet . . . is not destructive for the intended recipient." J.A. 842. The "security check program" does this by "tagging" or "attaching itself to the [executable code] being sent in the data packet," such that, when the executable code is "run at the destination client or server," the security check program "runs simultaneously" and "performs [the necessary] security operations[.]" J.A. 842; see J.A. 845. Cisco's expert stated that Hanson's "tagging" or "attaching" were "well[-]known" "concatenation methods, in which two items may be interleaved or sent together in a packet or series of packets." J.A. 1554-55. In contrast, Finjan's expert stated that a PHOSITA would have understood Hanson's "attaching" or "tagging" to result in "modification" of the executable code." J.A. 2314; see J.A. 2317. Finjan's expert explained that in Hanson's specific "attaching" process, a security check program is "inserted" into "the data packet carrying" the executable code, modifying it such that, when the executable code is run, the security check program "alter[s] [the] operations" of the executable code and "override[s]" any destructive operations. J.A. 2314-15 (citing J.A. 844); see J.A. 1761-62 (Cisco's expert deposition) (explaining that "concatenation" is "a logical term" meaning two packets "go together," that is, "are transferred as a pair," and "[t]here are many different ways you can do that"). The PTAB credited Finjan's expert and found that Cisco had not established that Hanson discloses running executable code that was "not modified." Cisco, 2019 WL 2237141, at *17. The PTAB "was within its discretion to weigh the credibility of expert testimony." Shoes by Firebug LLC v. Stride Rite Children's Grp., LLC, 962 F.3d 1362, 1372 (Fed. Cir. 2020). Accordingly, substantial evidence supports the PTAB's finding that Hanson does not teach processing "not modified" executable code. See Celgene Corp. v. Peter, 931 F.3d 1342, 1352 (Fed. Cir. 2019) ("[S]ubstantial evidence supports the [PTAB's] assessment and weighing of this evidence, and we decline to reweigh the evidence on appeal.").
Cisco's primary counterargument is unpersuasive. Cisco argues that the PTAB erred because it "held Cisco to a higher standard" than other petitioners, requiring "Cisco . . . prove [a] negative—that [Hanson's] executable [code] was not modified[,] even though Hanson does not disclose any modification[.]" Cross-appellant's Br. 40. This argument is without merit. The PTAB required that Cisco prove what it pled—that Hanson teaches what independent claim 14 recites, "executable code" that "is not modified." Cisco, 2019 WL 2237141, at *15. The PTAB did not err by requiring that Cisco "have the burden of proving . . . unpatentability by a preponderance of the evidence." 35 U.S.C. § 316(e); see Novo Nordisk A/S v. Caraco Pharm. Labs., Ltd., 719 F.3d 1346, 1352 (Fed. Cir. 2013) ("[A] party challenging [a patent's] validity bears the burden of proving the factual elements of invalidity[.]"). Cisco argues that, because Hanson's plain language "does not require the executable code to be modified," it discloses running executable code that is "not modified." Appellant's Br. 41. This is insufficient. "Mere speculation is not substantial evidence." OSI Pharm., LLC v. Apotex Inc., 939 F.3d 1375, 1382 (Fed. Cir. 2019) (internal quotation marks and citation omitted). Accordingly, the PTAB's conclusion that Cisco failed to establish that independent claim 14 of the '633 patent would have been obvious over Hanson, is supported by substantial evidence.
CONCLUSION
We have considered the parties' remaining arguments and find them unpersuasive. Accordingly, the Final Written Decision of the U.S. Patent and Trademark Office's Patent Trial and Appeal Board, is
Finjan also proposes a construction of "mobile protection code" as recited in independent claim 1. Appellant's Br. 20. Finjan did not, however, raise this argument before the PTAB. J.A. 305-06 (Patent Owner's Response). It is therefore waived. See Conoco, 460 F.3d at 1358. Finjan argues we should nonetheless consider its new construction, asserting that "the circumstances . . . warrant deviating from th[e] [general] principle" of waiver. Appellant's Br. 22. Finjan has not, however, shown any "exceptional circumstances" to warrant consideration of its untimely argument. In re Baxter Int'l, Inc., 678 F.3d 1357, 1362 (Fed. Cir. 2012).
First, Finjan asserts that Cisco "would not be prejudiced" because Cisco "advocated" for the same "construction" in parallel district court proceedings. Appellant's Br. 21. Finjan's assertion is, at best, inaccurate. J.A. 2957 (Cisco's Responsive Supplemental Claim Construction Brief) (arguing, before the district court, that construction of "mobile protection code" was "unnecessary," but stipulating to Finjan's construction "in th[at] case to eliminate the dispute"). Further, whatever construction Cisco subsequently stipulated to in other proceedings, Finjan must have "timely present[ed] [its] arguments to the [PTAB]." Baxter, 678 F.3d at 1362.
Second, Finjan argues that we should consider its waived claim construction because, in effect, we owe no deference to the PTAB. Appellant's Br. 22-23; see id. at 22 (noting our de novo standard of review for claim construction), 22-23 (noting that, because the '633 patent expired between the PTAB's decision and our review, our analysis shifts from BRI to Phillips), 23 (noting the "strange circumstances" of the PTAB's decision—specifically, that the PTAB changed its mind about the efficacy of Finjan's arguments between institution and its final written decision). This argument is without merit. "No matter how independent an appellate court's review of an issue may be, it is still no more than that—a review." Sage Prod., Inc. v. Devon Indus., Inc., 126 F.3d 1420, 1426 (Fed. Cir. 1997). A de novo standard of review is not an exceptional circumstance, Conoco, 460 F.3d at 1358 ("[L]egal issues in patent infringement suits are not immune to the doctrine of waiver on appeal[.]"), neither is a tribunal's change in its appraisal of the merits following full consideration of the evidence, see Trivascular, Inc. v. Samuels, 812 F.3d 1056, 1068 (Fed. Cir. 2016) ("[T]he [PTAB] is not bound by any findings made in its Institution Decision. . . . The [PTAB] is free to change its view of the merits after further development of the record, and should do so if convinced its initial inclinations were wrong." (emphasis original)). Accordingly, we decline to consider Finjan's waived claim construction argument.
AFFIRMED
COSTS
Each party to bear its own costs.