The European Patent Office considered row-based selective auditing in an relational database system technical. Here are the practical takeaways from the decision T 0963/09 (Selective auditing/ORACLE) of 5.6.2014 of Technical Board of Appeal 3.5.07:
Key takeaways
The invention
The invention underlying the present decision relates to providing security in computerized databases. Databases oftentimes store highly sensitive data, such as salaries, corporate financial data, and even classified military secrets. For security reasons it is essential to be able to audit accesses to this sensitive data. Conventional database systems typically provide a general auditing facility that records an audit trail containing general information about the user and the query issued. However, conventional auditing facilities have a number of shortcomings. They do not record specific information about the application, the session environment or most importantly, the query results. Consequently, information gathered by a conventional auditing facility is frequently insufficient to reconstruct an event, or even to determine whether access rights have been violated (cf. WO 01/82118 A2, p. 1, l. 19-28). Hence, the application intends to provide an auditing mechanism that can specify a finer granularity of audit conditions during accesses to relational tables in order to minimize the number of false audit records that are generated (cf. WO 01/82118 A2, p. 2, l. 3-5).
Fig. 1 of WO 01/82118 A2
-
Claim 1 (main request)
Is it patentable?
The first instance examining division decided that the independent claims of the main request lacked an inventive step in view of two cited prior art documents. Apart from the discussion of the prior art, the Board expressed some concerns in the summons whether the claimed subject-matter is technical at all:
7.6 In the communication accompanying the summons, the Board observed that auditing of database accesses, while in itself a technical operation, in the context of the present invention appeared not to serve any specific technical purpose going beyond the act of auditing. Similarly, the motivation for making auditing selective, i.e. limiting auditing of database accesses to accesses of rows satisfying a particular auditing condition, appeared to be non-technical.
During the oral hearing, the appellant argued against this (preliminary) view of the Board in charge:
7.8 At the oral proceedings, the appellant explained that the claimed invention allowed row-based selective auditing to be performed based on an auditing condition that referred to fields that were not included in the query result returned to the client.
Apparently, the Board followed this argument and considered the claimed subject-matter of the main request to involve an inventive step:
7.9 In view of this explanation the Board accepts that the claimed solution to the problem of implementing selective auditing cannot be regarded, without documentary evidence, as a mere obvious possibility.
Hence, at least implicitly, the Board in charge also considered the claimed subject-matter of the main request to be of technical nature and set the first instance decision aside.
More information
You can read the whole decision here: T 0963/09 (Selective auditing/ORACLE) of 5.6.2014.