SSL Servs., LLC v. Citrix Sys., Inc.
| Decision Date | 14 October 2014 |
| Docket Number | Nos. 2013–1419,2013–1420.,s. 2013–1419 |
| Citation | 769 F.3d 1073 |
| Parties | SSL SERVICES, LLC, Plaintiff–Appellant, v. CITRIX SYSTEMS, INC. and Citrix Online, LLC, Defendants–Cross–Appellants. |
| Court | U.S. Court of Appeals — Federal Circuit |
OPINION TEXT STARTS HERE
Gregory G. Garre, Latham & Watkins LLP, of Washington, DC, argued for plaintiff-appellant. With him on the brief were Adam M. Greenfield and Katya S. Cronin. Of counsel on the brief were Megan S. Woodworth and Thomas D. Anderson, Dickstein Shapiro LLP, of Washington, DC.
J. Anthony Downs, Goodwin Procter LLP, of Boston, MA, argued for defendants-cross-appellants. With him on the brief were Lana S. Shiferman; and William M. Jay, of Washington, DC. Of counsel on the brief were Erica D. Wilson, Davis Wright Tremaine LLP, of San Francisco, CA; and Blair Martin Jacobs, McDermott Will & Emery LLP, of Washington, DC, and Leigh John Martinson, of Boston, MA.
Before LOURIE, LINN, and O'MALLEY, Circuit Judges.
This patent case involves multi-tier virtual private networks. SSL Services, LLC (“SSL”) asserted that Citrix Systems, Inc. and Citrix Online, LLC (collectively, “Citrix”) infringed claims contained in U.S. Patent Nos. 6,061,796 (“the '796 Patent”) and 6,158,011 (“the '011 Patent”). The district court held a Markman hearing and construed several terms raised on appeal. After a jury trial, the jury found that Citrix willfully infringed claims 2, 4, and 7 of the '011 Patent, and that those claims were not shown to be invalid. The jury also found that Citrix did not infringe claim 27 of the '796 Patent. The district court subsequently denied motions for judgment as a matter of law (“JMOL”) and a new trial regarding non-infringement of claim 27 of the '796 Patent, willful infringement of the asserted claims of the '011 Patent, and invalidity with respect to those same claims. The district court also denied SSL prevailing party status, awarded prejudgment interest, and precluded the jury from hearing certain testimony.
SSL appeals the district court's denial of a new trial on non-infringement of claim 27 of the '796 Patent, arguing that the district court erred in its claim construction of the terms “intercepting” and “destination address,” and in imposing a set step order requirement for the claim. SSL also appeals the district court's finding that it was not the prevailing party in the litigation overall. Citrix cross-appeals the district court's denial of JMOL of no willful infringement and invalidity of claims 2, 4, and 7 of the '011 Patent. Citrix further contests the district court's award of prejudgment interest and asserts that certain of its evidentiary rulings justify a new trial on willful infringement and damages.
Based on the “destination address” limitation, we affirm the denial of a new trial on non-infringement of claim 27 of the '796 Patent. Furthermore, we affirm the district court's denial of JMOL requesting a finding of no willful infringement and invalidity of the asserted claims of the '011 Patent. We also affirm the denial of a new trial based on the district court's evidentiary rulings, and affirm the award of prejudgment interest. Finally, we vacate the district court's denial of prevailing party status to SSL because we find that SSL is the prevailing party, and remand for an assessment of costs and fees.
SSL acquired the 796 Patent, at [54] (filed August 26, 1997); '011 Patent, at [54] (filed February 26, 1999). The '011 Patent is a continuation of the '796 Patent. The patents contain virtually identical specifications. The key difference is that the claims of the '011 Patent are directed to allowing users to establish encrypted connections with a server, whereas the claims of the '796 Patent are directed to allowing users to establish encrypted communications with another client computer.
According to the '796 Patent, a Virtual Private Network (“VPN”) is “a system for securing communications between computers over an open network such as the Internet.” '796 Patent col. 1 ll. 14–16. The asserted patents have the same abstract, which states:
A virtual private network for communicating between a server and clients over an open network uses an applications level encryption and mutual authentication program and at least one shim positioned above either the socket, transport driver interface, or network interface layers of a client computer to intercept function calls, requests for service, or data packets in order to communicate with the server and authenticate the parties to a communication and enable the parties to the communication to establish a common session key. Where the parties to the communication are peer-to-peer applications, the intercepted function calls, requests for service, or data packets include the destination address of the peer application, which is supplied to the server so that the server can authenticate the peer and enable the peer to decrypt further direct peer-to-peer communications.
'011 Patent, at [57]; '796 Patent, at [57].
The claimed methods and system require an authentication and encryption program that encrypts computer files usinga “session key” 1 before transmitting data over the Internet. Once the other client computer has received the encrypted files, it can decrypt those files using the same session key. This approach allows the transfer of encrypted data directly from one client computer to another client computer over the open network.
For the '796 Patent, only claim 27 is at issue. It states:
A method of carrying out communications over a multi-tier virtual private network, said network including a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, comprising the steps of:
intercepting function calls and requests for service sent by an applications program in one of said client computers to a lower level set of communications drivers;
causing an applications level authentication and encryption program said one of said client computers to communicate with the server, generate a session key, and use the session key generated by the applications level authentication and encryption program to encrypt files sent by the applications program before transmittal over said open network;
intercepting a destination address during initialization of communications between said one of said client computers and a second of said client computers on said virtual private network;
causing said applications level authentication and encryption program to communicate with the server in order to enable the applications level authentication and encryption program to generate said session key;
transmitting said destination address to said server;
causing said server to communicate with the second of said two client computers;
enabling said second of said two client computers to recreate the session key;
causing said authentication software to encrypt files to be sent to the destination address using the session key; and
transmitting the encrypted files directly to the destination address.
'796 Patent col. 20 l. 49–col. 22 l. 5.
In the claimed method, a first client computer runs an application that attempts to open a communication link with a second client computer by making “function calls and requests for service” 2 to a “lower level set of communication drivers.” The patents describe three basic layers: (1) the applications level, (2) the transport driver interface (“TDI”) layer, and (3) the network driver interface (“NDI”) layer. The patents reference the TDI and NDI layers together as the lower level set of communication drivers.
Before the communication drivers can execute the function call, a software module on the first client computer intercepts the function call. The specification explains that this separate software module is called a “shim.” After the shim intercepts the function call, an “authentication and encryption program” initiates communication with the authentication server and generates a session key that is used to encrypt data. For the two client computers to communicate, the “shim” must also intercept the “destination address” of the second client computer and transmit it to the server. The server then communicates with the second client computer, and provides information that allows the second client computer to recreate the previously generated session key.
The first client computer uses the session key to encrypt files. The encrypted files are then transmitted directly to the second client computer over the open network without having to route the communications through the authentication server. The second client computer can decrypt the encrypted files using the recreated session key.
For the '011 Patent, claims 2, 4, and 7 are at issue on appeal. Claim 2 of the '011 Patent is directed to a multi-tier VPN. Claim 4 of the '011 Patent is directed to computer software for installation on a client computer of a multi-tier VPN. Claim 7 of the '011 Patent is directed to a method of carrying out communications over a multi-tier VPN. All three claims include a limitation of “encrypting files,” which is the only limitation at issue on appeal for the '011 Patent.
Before SSL acquired the asserted patents from V–One, Citrix and V–One had entered into a joint development and licensing agreement that lasted from 2000 to 2003 (“V–One Agreements”). During this time, Citrix also considered V–One as a potential target for acquisition, and V–One provided Citrix with access to its technology. The purpose of the V–One Agreements was to rebrand and distribute V–One's SmartGate software. While the V–One Agreements incorporated the asserted patents, the SmartGate software did not use the '011 Patent's claimed technology.
To continue reading
Request your trial