The European Patent Office refused to grant a software patent for a security token cache. Here are the practical takeaways from the decision T 1307/11 (Security token cache/ASSA ABLOY) of 14.3.2017 of Technical Board of Appeal 3.5.06:
The patent application states that when a token receives many requests in a short period of time, some requests may have to wait, which may be aggravated by a slow serial data connection, but also by the need for exclusive access to the smart card to protect data integrity.
As a solution to this problem, the application proposes the provision of a “memory cache” for the token.
In essence, claim 1 defines that when an application requests information from the token (5), it will first be referred to the memory cache (45) to see whether the information is available and “current” in the cache. If yes, the information is retrieved and returned from the cache (45), otherwise the request is forwarded to the token (5).
Claim 1 (main request)A system for caching information retrieved from at least one hardware security token (5) wherein:
said at least one hardware security token (5) is in processing communications with a security token interface API (35), said at least one hardware security token (5) including information retrievable by said security token interface API (35),
said security token interface API (35) is functionally associated with a cache API (40), said security token interface API (35) including means for retrieving said information from said at least one hardware security token (5), means for sending said information to said cache API (40) and means for requesting said information from said cache API (40), and
said cache API (40) is functionally associated with at least one memory cache (45), said cache API (40) including means for storing said retrieved information in said at least one memory cache (45), means responsive to said request from said security token interface API (35) for locating and returning said information from said at least one memory cache (45) to said security token interface API (35) if the requested information is available from the at least one memory cache (45),
wherein said information in said at least one memory cache (45) is refreshed if it is not current, and wherein said security token interface API (35) is notified to retrieve said information from the hardware security token (5) if said information is not available from the at least one memory cache (45).
Is it patentable?
Interestingly, the Board did not dispute that the concept of caching data is technical.
However, the Board took the view that caching, as well as refreshing a cache, is common general knowledge:
2. D2 relates to a cache for a web server. In its background section, it discloses caching to be a known technology to speed up frequent accesses to slow storage devices (page 1, line 9, to page 2, line 2). D2 also discloses that cached data may become “invalid” when the original data in the storage device has been changed, and that the data in the cache may then have to be refreshed (see paragraph bridging pages 1 and 2). The board considers these features of caching to belong to the common general knowledge in the art , and the appellant did not challenge that view.
One remaining difference over the prior art was that the data being cached is stored in the memory of a “hardware security token”. This, however, was considered to be straight-forward by Board:
5.1 As regards feature (a), the board takes the view that the idea of providing a cache for memory on a security token is, in itself, obvious. As explained above, the claimed “hardware security token” is in particular a slow memory device. Caching was an established technology for speeding up access to slow memory devices. Therefore, in the board’s judgement, the skilled person would not hesitate to use a cache for a “hardware security token” if the cost of the cache was justified by the gained speed.
Furthermore, the security token is accessed via a “security token API” and the cache is accessed via a “cache API”. However, also these differences were considered to be obvious:
5.2 As regards features (b) and (c), the board considers that the provision of APIs is a matter of workshop practice for a person with the appropriate programming skill.
Therefore, the Board ultimately decided that the subject-matter of the claims does not involve an inventive step.
You can read the whole decision here: T 1307/11 (Security token cache/ASSA ABLOY) of 14.3.2017
Bastian is a European patent attorney and a partner at BARDEHLE PAGENBERG. He specializes in software patents in Europe both from a prosecution and litigation point of view.