Opinion
No. C 12-01106 WHA
12-21-2012
NETWORK PROTECTION SCIENCES, LLC, Plaintiff, v. FORTINET, INC., Defendant.
TENTATIVE CLAIM
CONSTRUCTION ORDER,
REQUEST FOR CRITIQUE
AND ORDER STRIKING
REPLY MATERIALS IN PART
INTRODUCTION
In this patent infringement action involving network firewalls, the parties seek construction of six phrases found in the asserted patent. Those phrases are construed below. This order also GRANTS IN PART AND DENIES IN PART Fortinet's motion to strike portions of plaintiff's reply claim construction brief.
Each side has until NOON ON JANUARY 2, 2012, to submit a five-page critique (double-spaced, 12-point Times New Roman font, no footnotes, and no attachments) limited to points of critical concern regarding claim construction only. This is an opportunity for the parties to focus solely on their most cogent critique, not to rehash every point made in the briefs and at the hearing.
STATEMENT
The technology described in United States Patent No. 5,623,601 dates to 1994. Although the modern internet was still unknown to large sections of the general public at the time, networked computing had been around for decades. Computer viruses and other network security threats were already a problem of substantial concern. Computer firewalls — network barriers that analyze packets of information to determine whether they should be let through — were a relatively recent response to these threats. The technology at issue in this action relates to firewall technology intended to improve network security and user convenience.
Plaintiff Network Protection Sciences ("NPS") is asserting 54 of the 59 claims in the '601 patent against defendant Fortinet, Inc. The parties seek construction of six phrases appearing in this patent. Fortinet also moves to strike two items of evidence cited in NPS' reply claim construction brief. This order begins by addressing Fortinet's motion to strike; overviews of the patents, the disputed phrases, and the associated claim are covered in detail afterward.
ANALYSIS
1. FORTINET'S MOTION TO STRIKE.
The parties disagree over the proper construction of the Patent Local Rules. Patent Local Rule 4-2(b) requires that the parties "identify all references from the specification or prosecution history that support its proposed construction and designate any supporting extrinsic evidence" at the same time they exchange preliminary claim constructions. For the joint claim construction statement, Patent Local Rule 4-3(b) requires that each party identify "any extrinsic evidence known to the party on which it intends to rely either to support its proposed construction or to oppose any other party's proposed construction." For claim construction briefs, Patent Local Rule 4-5 requires that the parties serve and file "any evidence supporting . . . claim construction" along with the opening briefs, and "any evidence directly rebutting the supporting evidence" with the reply briefs.
NPS contends that Patent Local Rule 4-5 allows a party to submit new evidence in a reply claim construction brief for rebuttal purposes. Fortinet contends that Patent Local Rules 4-2(b) and 4-3(b) preclude doing so. The parties have identified decisions in this district that are inconsistent. Compare Nordic Naturals, Inc. v. J.R. Carlson Labs., Inc., No. 7-2385, 2008 WL 2357312, at *11 (N.D. Cal. June 6, 2008) (Judge Hamilton) (striking a declaration filed with an opposition claim construction brief), with Competitive Techs. v. Fujitsu Ltd., 286 F. Supp. 2d 1161, 1169 (N.D. Cal. 2003) (Magistrate Judge Spero) (refusing to strike a declaration because Patent Local Rule 4-5 "expressly permits" rebuttal testimony).
Our local rules aside, Federal Rule 12(f) addresses a more fundamental concern — relevance — and allows a court to strike any "immaterial" matter from a pleading. Fortinet first objects to Exhibit M from NPS' claim construction reply, which is a 2005 press release from the website "gpl-violations.org" claiming that certain Fortinet products use a Linux operating system kernel. NPS candidly admits that the exhibit is not relevant to claim construction. Nevertheless, NPS wishes to use this exhibit to rebut Fortinet's attempt to limit the invention to a UNIX system and to "cast UNIX as an outdated, obsolete operating system" (Dkt. No. 174).
It is clear that Fortinet's alleged use of Linux in 2005 has no bearing on NPS's 1994 patent. Although Fortinet calls the claimed invention "obsolete," Fortinet clarifies in its reply to the motion to strike that it is not arguing that UNIX itself is outmoded (Dkt. No. 182). Fortinet will be held to this representation and Exhibit M to NPS' claim construction reply shall be deemed STRICKEN.
Fortinet also objects to Exhibit O from NPS' claim construction reply, which is a collection of statements by Fortinet during ex parte reexamination regarding the construction of the term "transparently." NPS argues that these statements will help the Court construe the term in the instant action. Fortinet claims that its own statements during reexamination are irrelevant. On this point, Fortinet is incorrect.
During reexamination, Fortinet asserted that "transparently" meant "not requiring the user to log in to the firewall." In this proceeding, an element of NPS' proposed construction is the absence of "extra procedures" to accomplish communications, and NPS contends that an example of an extra procedure would be logging into a firewall. Fortinet asserts that NPS' construction here is an "audacious attempt" redefining the term "transparently," and that it "makes no sense" (Dkt. No. 171 at 18, 20).
Fortinet's position on this term during reexamination and its position here conflict sharply. Exhibit O is therefore relevant to the credibility of the current argument by Fortinet and the weight that it should be accorded.
As to whether the exhibit was untimely submitted under our local rules, NPS was or should have been aware that Fortinet was taking a conflicting position on the term "transparently" when the parties submitted their joint claim construction statement (Dkt. No. 166). Under Patent Local Rule 4-3(b), NPS should have identified "extrinsic evidence . . . on which it intends to rely . . . to oppose any other party's proposed construction." NPS cannot argue that it should be exempted from the rule. Although the intensity of Fortinet's rhetoric may have been unexpected, NPS cannot (and does not) argue that it only learned during the claim construction briefing that Fortinet would contradict its prior position. On the other hand, the rationale behind this rule is to prevent one party from catching the other off guard with new, surprise evidence. Fortinet cannot be surprised by its own statements to the PTO. This order finds that the rationale for enforcing the local rule is not met in these particular circumstances. Fortinet's motion to strike Exhibit O is DENIED.
Because Exhibit M has been stricken, Fortinet's request for a sur-reply on that issue is MOOT. Fortinet had an adequate opportunity to address the issue of its prior statements during oral argument, so further briefing regarding Exhibit O is unnecessary. It is also unnecessary to address NPS' contention that Fortinet failed to timely disclose evidence because NPS does not request any resulting relief.
2. CLAIM CONSTRUCTION LEGAL STANDARD.
Claim construction is from the perspective of one of ordinary skill in the pertinent art at the time the patent was filed. Chamberlain Group, Inc. v. Lear Corp., 516 F.3d 1331, 1335 (Fed. Cir. 2008). While claim terms "are generally given their ordinary and customary meaning," the "claims themselves provide substantial guidance as to the meaning of particular claim terms." As such, other claims of the patent can be "valuable sources of enlightenment as to the meaning of a claim term."
Critically, a patent's specification "is always highly relevant to the claim construction analysis." Phillips v. AWH Corp., 415 F.3d 1303, 1312-15 (Fed. Cir. 2005) (en banc) (internal quotations omitted). Indeed, claims "must be read in view of the specification, of which they are a part." Markman v. Westview Instruments, Inc., 52 F.3d 967, 979 (Fed. Cir. 1995) (en banc), aff'd, 517 U.S. 370 (1996). Finally, courts also should consider the patent's prosecution history, which "can often inform the meaning of the claim language by demonstrating how the inventor understood the invention and whether the inventor limited the invention in the course of prosecution, making the claim scope narrower than it would otherwise be." These components of the intrinsic record are the primary resources in properly construing claim terms. Although courts have discretion to consider extrinsic evidence, including dictionaries, scientific treatises, and testimony from experts and inventors, such evidence is "less significant than the intrinsic record in determining the legally operative meaning of claim language." Phillips, 415 F.3d at 1317-18 (internal quotations omitted).
While this order acknowledges that the parties have a right to the construction of all disputed and litigated claim terms by the time the jury instructions are settled, the Court will reserve the authority, on its own motion, to modify the constructions in this order if further evidence — intrinsic or extrinsic — warrants such a modification. Given that claim construction is not a purely legal matter, but is (as the Supreme Court describes it) a "mongrel practice" with "evidentiary underpinnings," it is entirely appropriate for the Court to adjust its construction of claims prior to instructing the jury if the evidence compels an alternative construction, or if one side or the other advances a spin on the words that is unwarranted. Markman, 517 U.S. at 378, 390. The parties should be aware, however, that they are not invited to ask for reconsideration of the constructions herein. Motions for reconsideration may be made only in strict accordance with the rules of procedure, if at all.
3. THE '601 PATENT.
The '601 Patent, entitled "Apparatus and Method for Providing a Secure Gateway for Communication and Data Exchanges Between Networks," was filed on November 21, 1994, and issued on April 22, 1997. Milkway Networks Corporation is the assignee, and plaintiff is Milkway's successor-in-interest. In 2011, Fortinet filed a request for reexamination, and in May, 2012 the USPTO issued a reexamination certificate for the patent confirming all claims (1-41) and adding new claims (42-59).
In this action, NPS is asserting 54 of the 59 claims in the '601 patent, including both method and apparatus claims. The six claim terms for which the parties seek constructions can be found, inter alia, in claims 1, 10, and 11 (reproduced below with the relevant claim terms italicized).
Claim 1 covers the following method (col. 14:11-42):
1. A method of providing a secure gateway between a private network and a potentially hostile network, comprising the steps of:
(a) addressing communications packets directly to a host on the potentially hostile network as if there were a communications path to the host, but encapulating [sic] the packets with a hardware destination address that matches a device address of the gateway;Claim 10 covers the following method (cols. 15:45-16:14):
(b) accepting at the gateway communications packets from either network that are encapsulated with a hardware destination address which matches the device address of the gateway;
(c) determining at the gateway whether there is a process bound to a destination port number of an accepted communications packet;
(d) establishing transparently at the gateway a first communications session with a source address/source port of the accepted communications packet if there is a process bound to the destination port number, else dropping the packet;
(e) establishing transparently at the gateway a second communications session with a destination address/destination port of the accepted communications packet if a first communications session is established; and
(f) transparently moving data associated with each subsequent communications packet between the respective first and second communications sessions, whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions.
10. A method of providing a secure gateway between a private network and a potentially hostile network, comprising the steps of:
(a) addressing communications packets directly to a host on the potentially hostile network as if there were a communications path to the host, but encapulating [sic] the packets with a hardware destination address that matches a device address of the gateway;
(b) accepting from either network all TCP/IP packets that are encapsulated with a hardware destination address which matches the device address of the gateway;
(c) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet;Dependent claim 11 covers the following method (col. 16:15-23):
(d) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is [sic] proxy process bound to the port for serving the destination port number, else dropping the packet;
(e) determining if the source address/source port number of the accepted packet is permitted to communicate with a destination address/destination port number of the accepted packet by referencing a rule base, and dropping the packet if a permission rule cannot be located;
(f) establishing a second communications session with the destination address/destination port number of the accepted TCP/IP packet if a first communications session is established and the permission rule is located; and
(g) transparently moving data associated with each subsequent TCP/IP packet between the respective first and second communications sessions, whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions.
11. A method of providing a secure gateway between a private network and a potentially hostile network as claimed in claim 10 wherein the step of determining involves checking a table to determine if a custom proxy process is bound to the destination port number, and passing the packet to a generic proxy process if a custom proxy process is not bound to the destination port number, the generic proxy process being executed to establish the first and second communications sessions and to move the data between the first and second communications sessions.
The patent addresses a basic concern created by the existence of public and private computer networks. Private networks, such as single corporation's intranet, are relatively secure, and often store trade secret and confidential information that must be shielded from public exposure. Public networks, such as the internet, are accessible to anyone with the right hardware and software, and as a consequence attract sabotage, vandalism, and espionage. When a private network connects to a public network, it becomes exposed to these threats. To deal with the problem, secure gateways are installed between the networks to serve as "firewalls" (col. 1:23-40).
At the time of the invention, firewalls suffered from known disadvantages that compromised their security or inconvenienced users. One firewall technology in the prior art was the "packet filter." Packet filters were (and are) host-based applications that permitted certain kinds of communications over predefined ports and use pre-defined rule sets to determine what information to let through. Because an operating system such as UNIX running TCP/IP (the communication protocol for the internet) could have 64K communication ports, it was considered impractical to maintain a comprehensive rule base (col. 2:35-45).
Another firewall technology, "dual homed gateways," blocked direct traffic and required the public and private networks to each communicate with the gateway. When implemented at the application level, users could (and can) only access specific public services allowed by the gateway. These application level firewalls, however, were inefficient because they generally required the user to execute time-consuming extra operations or to use specially-adapted network-service programs (col. 3:4-22). Also, application level firewalls required application interfaces for each public network service, and did not support applications using dynamic port allocations assigned in real time (col. 3:48-52).
The claimed invention allegedly overcame these problems by modifying a secure gateway station to accept all IP packets with a certain encapsulation. The invention provided for communication sessions to be initiated between (i) the source network (the network sending the packet) and (ii) the destination network (the network receiving the packet). The "payload" data in the packet were then passed between the two sessions. The new process was more efficient for the user because from the user's perspective the information was passed as if no gateway existed. The invention also provided for a generic proxy process to handle data such that the gateway could use all 64K ports available on a UNIX operating system and could support dynamic port allocation (cols. 4:17-5:55).
A. "Session"
The parties dispute the term "session." Both provide constructions, but NPS argues that "session" is a term of art that preferably should be given its ordinary meaning. The parties' proposed constructions are provided below:
+-----------------------------------------------------------------------------+ ¦ ¦FORTINET'S PROPOSED ¦ ¦NPS' PROPOSED CONSTRUCTION ¦ ¦ ¦ ¦CONSTRUCTION ¦ +--------------------------------------------+--------------------------------¦ ¦Plain and ordinary meaning; or ¦The application level network ¦ ¦ ¦gateway and source maintain a ¦ ¦A connection between two functional units, ¦ ¦ ¦such as two terminals, stations, or ¦connection and transfer ¦ ¦computers, that allows them to communicate ¦information, or the application ¦ ¦for a period of time or a logical ¦level network gateway and ¦ ¦association that is established and ¦destination maintain a ¦ ¦maintained between two functional units that¦connection and transfer ¦ ¦allows them to communicate. ¦information ¦ +-----------------------------------------------------------------------------+
This order concludes that the plain and ordinary meaning of the term "session" should govern, as understood by one of ordinary skill in the art in 1994.
NPS' proposed alternative construction for "session" is turgid and unhelpful. Its proposal to use the ordinary meaning fares better. NPS does not provide much explanation for its argument that the term should given its ordinary meaning. Nevertheless, it was a straightforward term in 1994 (and today).
Fortinet's only challenge to using the ordinary meaning of the term "session" is that the patent "always" referred to a session as including the transfer of information. Fortinet's assertion is incorrect. Information could be transferred during a session, for example by a proxy process or by the kernel (the program at the core of the computer operating system that supported programs running at the application level). The specification also disclosed a situation where a proxy process handling communications would not transfer information. The proxy process could determine that a session had not ended and could wait for data packets to arrive (col. 11:56-65). If a proxy process could wait for data to arrive during an active session but without transferring data, it is clear that a session did not necessarily require information transfer.
This order concludes that the plain and ordinary meaning of the term "session" should govern (subject to a possible refinement after the trial evidence is heard).
B. "Proxy process"
The parties dispute the term "proxy process." The parties' proposed constructions are provided below:
+-----------------------------------------------------------------------------+ ¦ ¦FORTINET'S PROPOSED ¦ ¦NPS' PROPOSED CONSTRUCTION ¦ ¦ ¦ ¦CONSTRUCTION ¦ +-------------------------------+---------------------------------------------¦ ¦An application layer process ¦ ¦ ¦adapted to handle a respective ¦ ¦ ¦service. ¦A program running on an application level ¦ ¦ ¦network gateway that initiates the first ¦ ¦or (at oral argument): ¦session and second session, and relays "the ¦ ¦ ¦data portion of each packet" between the ¦ ¦An application layer process ¦sessions. ¦ ¦adapted to handle ¦ ¦ ¦communications across a gateway¦ ¦ ¦for a respective service ¦ ¦ +-----------------------------------------------------------------------------+
This order finds that the term should be construed as: "an application layer process adapted to handle communications for a network service."
The term "proxy" was defined in the patent specification. To wit:
When the gateway station 14 is initialized, a system configuration file is examined to determine what network services are to be supported by the gateway station 14. In order to maximize performance efficiency of the gateway station 14, commonly used services are supported by processes adapted to most efficiently handle communications for each respective service. These processes are called "proxies."(Col. 9:47-54.) NPS' proposed constructions are reworded versions of this definition. Fortinet asserts that it is improper to rely on an isolated passage of the specification in support of a broad construction. Fortinet's attempt to define the patent differently than it was defined by the patentee himself is unpersuasive.
Fortinet asserts that NPS' proposed construction is an attempt to scrub the patent of its reliance on a "proxy concept," and that the term should be construed to require a process that "actually acts as a proxy." At oral argument, Fortinet explained that the patent should be viewed through a particular technological lens — what Fortinet refers to as a "proxy everything" environment. This is an attempt to limit the scope of the claims generally by creating a limiting context. Otherwise, Fortinet contends, NPS' definition could be read to include any process, even processes that are not proxies.
Fortinet's desire to ignore the definition in the specification is improper. "It is a well-established axiom in patent law that a patentee is free to be his or her own lexicographer, and thus may use terms in a manner contrary to or inconsistent with one or more of their ordinary meanings." Hormone Research Found., Inc. v. Genentech, Inc., 904 F.2d 1558, 1563 (Fed. Cir. 1990) (citation omitted). "When a patentee explicitly defines a claim term in the patent specification, the patentee's definition controls." Martek Biosciences Corp. v. Nutrinova, Inc., 579 F.3d 1363, 1380 (Fed. Cir. 2009).
Aside from this general principle of patent claim construction, the specific limitations requested by Fortinet are unwarranted. Fortinet asserts that the term proxy process should be limited to include (i) the concept of relaying a data packet between communication sessions, and (ii) the concept that the proxy process initiated the communication sessions. NPS agrees that a proxy process could relay data, but does not agree that it should be so limited. In support, NPS cites examples in the specification where a proxy process did something else, such as verifying an IP address. Fortinet's limitation, therefore, goes to far. The Court's construction — "an application layer process adapted to handle communications for a network service" — is more suitable because these other activities are within the general scope of "handling communications."
As for whether the proxy process initiated the communication session, Fortinet concedes that NPS cites examples from the specification where the gateway or kernel initiated the communications. Fortinet contends that these examples are ambiguous. This order disagrees. In particular, Figure 6, which was a "flow diagram of . . . TCP routing by a modified UNIX kernel in accordance with the invention" (col. 6:65-67), showed that the kernel started a session with a source prior to delivering a packet to a proxy process. The fact that elsewhere in the patent the proxy process initiated the communication session only demonstrates that both ideas were disclosed.
Another objection by Fortinet in its papers points out a flaw in NPS' original proposed construction. A close comparison of the definition in the specification and NPS' proposed construction reveals that NPS has omitted the concept of handling communications. This omission unjustifiably broadens the scope of the claim language, and is easily corrected. At oral argument, NPS conceded this point by offering compromise construction that included the concept of communications. In order to align the construction with the definition, this order specifies that the proxy process handles "communications for a network service."
The full construction of "proxy process" therefore shall read: "an application layer process adapted to handle communications for a network service."
C. "Generic proxy process"
During briefing and oral argument, the parties modified and narrowed their differences over this term, but they still dispute the term "generic" as it modifies the term "proxy process." The parties' current proposed constructions are shown below:
+-----------------------------------------------------------------------------+ ¦ ¦FORTINET'S PROPOSED ¦ ¦NPS' PROPOSED CONSTRUCTION ¦ ¦ ¦ ¦CONSTRUCTION ¦ +--------------------------------------+--------------------------------------¦ ¦A process which can handle a service ¦ ¦ ¦for which a dedicated or custom proxy ¦ ¦ ¦process is not running. ¦ ¦ ¦ ¦ ¦ ¦or (at oral argument): ¦ ¦ ¦ ¦ ¦ ¦A proxy process which can handle a ¦A proxy process that serves any ¦ ¦service for which a dedicated custom ¦application not already served by a ¦ ¦proxy process is not running. ¦dedicated custom proxy process. ¦ ¦ ¦ ¦ ¦or: ¦ ¦ ¦ ¦ ¦ ¦A "proxy process" that serves any ¦ ¦ ¦service not already served by a ¦ ¦ ¦dedicated or "custom" proxy process. ¦ ¦ +-----------------------------------------------------------------------------+
This order construes "generic proxy process" as "a proxy process which can handle communications for a network service for which a dedicated or custom proxy process is not running."
Aside from the underlying disagreement over "proxy process," one aspect of the parties' dispute over this term is whether the terms "dedicated" and "custom" should be listed in the conjunctive or the disjunctive. The specification referred to the generic proxy process operating wherever there was not a "dedicated proxy process" (col. 5:48-52). It is also clear from the specification that the inventor anticipated that a generic proxy process could support a network service until a new, custom proxy processes was written (col. 12:52-55). Thus, the invention conceived of at least three proxy scenarios: a dedicated proxy, a generic proxy, and a custom proxy that displaced a generic proxy already in use. Fortinet's construction in the conjunctive cannot accommodate all three possibilities, and is therefore too narrow. This order will use the disjunctive phrasing "dedicated or custom."
The other significant distinction between the proposed constructions lies in the gap between "handle a service" and "serves any application." Here, Fortinet's proposed construction strays too far afield from the definition of proxy provided by the inventor, and the phrase "serves any application" is ambiguous.
A "generic proxy process" was a specific type of "proxy process." Once again, NPS' construction strays from the definition of "proxy process" in the specification. For clarity and consistency, this order will rely on the inventor's definition.
In sum, a "generic proxy process" shall be construed to mean "a proxy process which can handle communications for a network service for which a dedicated or custom proxy process is not running."
D. "Process bound to a destination port number"
During briefing, Fortinet modified its proposed construction of this term, but the parties still dispute "process bound to a destination port number." The parties' latest proposed constructions are shown below:
+-----------------------------------------------------------------------------+ ¦NPS' PROPOSED ¦FORTINET'S PROPOSED ¦ ¦CONSTRUCTION ¦ ¦ ¦ ¦CONSTRUCTION ¦ +-------------------------+---------------------------------------------------¦ ¦Plain and ordinary ¦Proxy process that is bound to the port on the ¦ ¦meaning; or ¦gateway that matches the destination port number of¦ ¦ ¦the incoming packets. ¦ ¦Process assigned or ¦ ¦ ¦linked to a destination ¦or: ¦ ¦port number. ¦ ¦ ¦ ¦Proxy process bound to a destination port. ¦ +-----------------------------------------------------------------------------+
This order construes "process bound to a destination port number" as meaning a "process assigned to a destination port number."
The parties do not appear to dispute the "destination port number" component of the term, and the parties did not address the issue in their briefs or at oral argument. Fortinet nevertheless provides an proposed construction for this element. Fortinet's construction defines "destination port number" as "the port on the gateway that matches the destination port number of the incoming packets." Compared with a plain meaning construction, Fortinet's proposal for this segment is wordy and potentially confusing. Fortinet also does not explain in why explication of "destination port number" is necessary.
The parties' dispute involves two issues. First, they dispute whether "process" must be construed to refer to a "proxy process." This is the focus of the parties' dispute over this term, both in the briefing and at oral argument. Here, Fortinet again offers its unsubstantiated contention that the patent taught a "proxy everything" environment. Fortinet further contends that the intrinsic evidence shows that "process bound" always meant a "proxy process."
What Fortinet's contentions do not account for is how the term was actually used in the claims. The disputed term appeared in claim 1 in the following clauses:
(c) determing at the gateway whether there is a process bound to a destination port number of an accepted communications packet(Col. 14:23-29 (emphasis added).) In claim 10, the term was used differently:
(d) establishing transparently at the gateway a first communications session with a source address/source port of the accepted communications packet if there is a process bound to the destination port number, else dropping the packet;
(c) determining whether there is a proxy process bound to a port for serving a destination port number of an accepted TCP/IP packet;(Col. 15:56-64 (emphasis added).) In claim 11, there was another variation.
(d) establishing a first communications session with a source address/source port number of the accepted TCP/IP packet if there is [sic] proxy process bound to the port for serving the destination port number, else dropping the packet;
11. A method . . . as claimed in claim 10 wherein the step of determining involves checking a table to determine if a custom proxy process is bound to the destination port number, and passing the packet to a generic proxy process if a custom proxy process is not bound to the destination port number . . . .(Col. 16:15-20 (emphasis added).) The reader will note the progression: a "process" was claimed in claim one, but a "proxy process" and a specific type of "proxy process" appeared in claims 10 and 11, respectively. It seems clear that the drafter intended to refer to different types of processes being bound. Fortinet's construction of the disputed term to mean "proxy process" in claim one would therefore require reading a limitation from the specification into the claims, or limiting a broader claim based on subsequent narrower claims. This would be improper. Fortinet's construction would also render the language in claims 10 and 11 that specifies a "proxy process" superfluous.
Second, the parties dispute the meaning of the word "bound." Fortinet asserts that bound should be understood to refer specifically to the UNIX "bind" command but does not propose to include that limitation in the construction. Instead, Fortinet asserts that a POSA would have considered the ordinary meaning of the term bound to mean the bind command.
It is useful to note at this point that Fortinet's assumption of a UNIX environment is faulty. It is true that the patent used UNIX to describe an embodiment of the patent (see cols. 9:41-10:24). However, the claims of the patent were not limited to the UNIX operating system. For example, claim 19 described an apparatus that included "an operating system executable by the gateway station, a kernel of the operating system having been modified . . ." (col:17:41-50 (emphasis added)). Claim 20, which was dependent on claim 19, covered an apparatus "wherein the operating system [was] a Unix operating system" (col. 18:9-12).
NPS also wishes to use the ordinary meaning of the term "bound," but disagrees that it must include the UNIX bind command. NPS offers "assigned or linked" as an alternative meaning for "bound." NPS cites several places in the specification where the term "assigned" is used in relation to the concept of something being "bound," but does not cite and support in the specification for "linked."
This order concludes that only the word "bound" in the disputed term requires a construction. Helpfully, the patent itself provided a definition:
On system initialization, any proxy given operating rights by the system administrator is said to "bind" to the port to which the proxy has been assigned. Thereafter, the process is said to be "bound" to the port.(Col. 9:54-57.) Fortinet argues that this was not a definition, but rather a factual description of a series of events: the system initialized, and then a process assigned to a port was subsequently bound in the sense of the UNIX "bind" command. This reading is not justified from the plain language of the patent, and is premised on Fortinet's unduly narrow assumption that the patent required a UNIX environment.
The use of the term "assigned" to explain "bound" is evident. "Linked" is not. Accordingly, this order adopts a modified version of NPS's construction: "process bound to a destination port number" should be construed as meaning a "process assigned to a destination port number."
E. "Transparently"
The parties dispute the term "transparently." The parties' proposed constructions are shown below:
+-----------------------------------------------------------------------------+ ¦ ¦FORTINET'S PROPOSED ¦ ¦NPS' PROPOSED CONSTRUCTION ¦ ¦ ¦ ¦CONSTRUCTION ¦ +---------------------------------------------------+-------------------------¦ ¦Such that clients on networks can run network ¦Appearing to the ¦ ¦service applications without extra procedures or ¦initiator to be one ¦ ¦modifications to accomplish communications across a¦direct communications ¦ ¦gateway. ¦session. ¦ +-----------------------------------------------------------------------------+
This order adopts Fortinet's proposed construction of "transparently": "appearing to the initiator to be one direct communications session." Fortinet cites multiple instances in the patent specification and in the declaration of NPS' expert during reexamination where "transparently" was defined in this manner or explained in terms of whether the communications session appears to be direct.
NPS objects on several grounds, none of which are persuasive. First, NPS argues that this construction is improper because it defines the term with a description of the subjective result of the claimed method. NPS cites West v. Quality Gold, Inc., No. 10-3124, slip op. at 9-10 (N.D. Cal. Sept. 16, 2011) (Judge Jeremy Fogel), for the proposition that claims should not be defined by the subjective opinion of an individual practicing an invention. NPS's reliance on West is misplaced. NPS conflates subjective opinion with a subjective experience of an objective fact. Unlike the phrase "pleasing appearance" in West, "transparency" in Fortinet's proposed construction does not require a subjective evaluation. Whether a communication session appears to be direct is only based on whether there is an objectively perceptible intermediary. An intermediary either appears and is perceived by the client, or it does not. This does not require a subjective opinion.
Second, NPS asserts that the patent specification stated that "communications are said to be transparent because the client . . . does not have to run extra procedures or modify the network source code." NPS' paraphrase misstates the patent language. The full section cited by NPS stated:
The apparatus in accordance with the invention is, however, configured to provide a transparent interface between the interconnected networks so that clients on either network can run standard network service applications transparently without extra procedures, or modifications to accomplish communications across the secure gateway.(Col. 6:28-34.) NPS' interpretation of this passage improperly turns the last 12 words into an explanation of the word "transparently." The passage did not state that the network service applications were transparent because they were run without extra procedures or modifications. Rather, transparency was one of three distinct characteristics of network service applications in the patented invention. Further, Fortinet's proposed construction allows this passage to be read without rendering the last 12 words in the sentence redundant.
Third, NPS points out that during reexamination, Fortinet's proposed definition of transparently was something more akin to NPS' current construction, and that Fortinet has since changed its tune. At the time, Fortinet was pushing to define transparency as not requiring a user login. This is similar to NPS' current proposal, which references "extra procedures" that NPS argues applied to user logins.
Despite this similarity, Fortinet's prior position is materially different from NPS' current construction. NPS's construction not only references extra procedures, it also references "modifications." Fortinet's prior position and NPS' current position are thus not directly comparable. The fact that Fortinet previously relied on a materially different construction casts doubt over Fortinet's current position, but it does not help NPS in equal measure. Nor is there any basis to deem Fortinet estopped from advancing a different position in this proceeding.
At oral argument, NPS' counsel stated they would accept the same definition of transparently that Fortinet advanced during reexamination. However, the record in this action does not contain adequate briefing on that construction. Based on the available evidence, this order tentatively adopts Fortinet's proposal for "transparently": "appearing to the initiator to be one direct communications session." The parties are invited to address the issue of Fortinet's contention at reexamination in their critiques of this preliminary claim construction order.
F. "Accepting at the gateway"
The parties dispute the term "accepting at the gateway." The parties' proposed constructions are provided below:
+-----------------------------------------------------------------------------+ ¦ ¦FORTINET'S PROPOSED ¦ ¦NPS' PROPOSED CONSTRUCTION ¦ ¦ ¦ ¦CONSTRUCTION ¦ +-------------------------------------------------+---------------------------¦ ¦Allowing received packets to be processed by the ¦ ¦ ¦gateway even though the packets designate an IP ¦ ¦ ¦destination address other than that of the ¦ ¦ ¦gateway. ¦ ¦ ¦ ¦Retaining for further ¦ ¦or (at oral argument): ¦evaluation and processing ¦ ¦ ¦at the application level ¦ ¦Allowing received packets to be processed by a ¦network gateway. ¦ ¦gateway with application level security and data ¦ ¦ ¦screening capability even though the packets ¦ ¦ ¦designate an IP destination address other than ¦ ¦ ¦that of the gateway. ¦ ¦ +-----------------------------------------------------------------------------+
This order holds that the ordinary meaning of the term to a POSA in 1994 should govern. Although the parties do not recognize their common ground, they agree that "accepting at the gateway" meant "receiving" packets at the gateway instead of rejecting them. This is simply a plain meaning construction of the term, and it is supported in particular by Figure 6 in the patent, which showed the first packet processing step on a UNIX embodiment as "receive data packet." Moreover, at oral argument both parties agreed that a plain meaning construction would be acceptable to them.
This order agrees that a plain language construction charts a better course. Both parties' constructions attempt to read in additional limitations to the claim term, but neither provides an adequate justification for doing so. Fortinet's construction adds the additional element of "retaining for further evaluation." It is clear from the claim language and from Figure 6 of the patent, however, that the disputed term only referred to the first step in the packet processing process, and not to retention after receipt. Fortinet's construction is also ambiguous because it is not clear whether "retaining" refers to receipt at the application level network gateway, or receipt at the gateway before being retained for processing at the application level.
NPS attempts to include a limitation based on the IP destination address of the packet. NPS does not explain why this limitation should be read into the claim, and did not address this issue at oral argument. The closest NPS comes to justifying this position is its assertion that language in the patent supports the interpretation that the gateway would accept packets regardless of their IP address. This is equivalent to arguing that accepting packets regardless of IP destination address was an implied result of the other claims. It does not justify adding an additional concept to the definition of the claim term.
Neither party has justified their constructions, and this order shall hold the parties to their common ground at oral argument: the plain meaning of the term to a POSA in 1994 shall govern.
CONCLUSION
The constructions set forth above will apply in this action. The Court reserves the authority, on its own motion, to modify these constructions if further evidence warrants such a modification (but counsel may not move to reconsider them). Additionally, by NOON ON JANUARY 2, each side may file a five-page critique (double-spaced, 12-point Times New Roman font, no footnotes, and no attachments) limited to points of critical concern. This is an opportunity for the parties to focus solely on their most cogent critique, not to rehash every point made in the briefs and at the hearing. No replies, please.
IT IS SO ORDERED.
___________________
WILLIAM ALSUP
UNITED STATES DISTRICT JUDGE