T 0951/12 (Persistent servicing agent II/ABSOLUTE SOFTWARE) of 7.10.2015

Summary of Facts and Submissions

I. The appeal lies against the decision of the examining division, with reasons dated 8 December 2011, to re­fuse European patent application No. 06748543.3 for lack of inventive step over document

D1: US 5 680 547 A.

The decision made further reference to further documents, including

D4: US 5 748 084 A,

but did not rely on any of them for its reasons.

II. A notice of appeal was received on 8 February 2012, the appeal fee being paid on the same day. A statement of grounds of appeal was received on 10 April 2012. The appellant requested that the decision under appeal be set aside and that a patent be granted based on claims according to the main or first to fourth auxiliary re­quests filed with the grounds of appeal, the other appli­cation documents on file being the description and the drawings as originally filed.

III. With a summons to oral proceedings, the board informed the appellant of its preliminary opinion that the claims according to all requests lacked cla­rity, Ar­ticle 84 EPC 1973, and an inventive step vis-à-vis D1. The board also introduced two documents from related appeal case T 1261/12, namely

D6: US 6 507 914 B1 and

D7: WO 98/43151 A1,

and raised an inventive-step objection based on D6 or D7 in view of D1, Article 56 EPC 1973.

IV. In response to the summons, with letter dated 24 March 2015 the appellant filed amended claims according to a new sole request.

V. Oral proceedings were held on 7 October 2015, together with the oral proceedings in case T 1261/12. During these oral proceedings, the appellant replaced its sole request by an amended set of claims 1-23 bearing the date of 6 October 2015.

VI. Claim 1 reads as follows:

"An electronic device comprising a persistent servicing agent disposed in the electronic device, the electronic device connected to [sic] a network to a remote server, the persistent servicing agent configured to provide an asset tracking service with respect to the electronic device, comprising:

a driver agent comprising a partial driver agent concealed in the electronic device and a full function driver agent, wherein the full function driver agent is responsible for all communications with the remote server in providing the asset tracking service, and the partial driver agent is configured with a reduced set of functions compared to the full function driver agent, and to determine whether the full function driver agent is available in the electronic device; wherein the partial driver agent is not resident within the file system and is configured to reload portions of the full function driver agent, across the network, that may have been removed or are missing from the electronic device

a run module configured to automatically initiate operation of the driver agent without user initiation or user intervention;

wherein the full function driver agent is configured to communicate with the remote server in providing a data deletion service under control from the remote server, to perform one or more of (a) deleting all or specific files or directories based on user preference, (b) restarting the data deletion service if the device is rebooted while data deletion is in progress, (c) deleting the operating system, (d) overriding the data deletion service if the device is recovered, (e) obtaining log files from the agent after a first stage delete before deleting the operating system in a second stage delete, (f) overriding the data deletion service to stop the data deletion from running again if the device is recovered, (g) checking whether a theft report exists for the device, checking that the device is positively identified and checking that a pre-authorisation agreement is in place, (h) sending notifications to interested parties when the deletion service is launched."

VII. At the end of the oral proceedings, the chairman announced the decision of the board.

Reasons for the Decision

The invention

1. The application relates to the provision of a tamper-re­sistant "agent" program for providing what is referred to as an asset tracking service on a networked client device.

1.1 An asset tracking service is meant to reduce the risk that net­worked devices (assets) are lost or stolen and, if they are, that confidential data is lost or the integrity of the enterprise network is compro­mised (see e.g. the paragraph bridging pages 1 and 2). In per­for­ming its services, the agent automatically and regu­lar­ly contacts a moni­toring cen­tre in order to transmit ser­vice-re­levant infor­ma­tion, e.g. about the identity of the device and its loca­tion (page 4, lines 7-10).

1.2 An agent deployed on a device is protected against de­tection, i.e. hidden ("stealthy"; page 4, last para­graph), and tamper-resistant, i.e. protected against unau­tho­rised modi­fi­cation or removal, even against "ope­rating system installation, hard drive for­mat and hard drive replacement" (see page 13, 2nd paragraph). To achieve this, the agent is disclosed as incorpora­ting "self-healing tech­no­logy" which is meant to re­store the agent if removed. The "self-healing function" is "not resident within the file sys­tem" (loc. cit.).

1.3 The description explains that the agent may consist of three "modules", the "Computrace" Loader Module CLM, the Adaptive Installer Module AIM and the Communi­ca­tions Driver Agent CDA (page 14, 3rd paragraph). The CDA con­tains a driver, the "mini CDA", which checks whether the entire CDA is present and, if not, ini­ti­ates the download or up­date of the CDA (page 15, 2nd paragraph; page 18, 2nd paragraph et seq.; page 33, lines 10-12 from the bottom).

1.4 It is disclosed that the agent may also provide a data deletion service to cope with the possibility that phy­sical recovery of the tracked device may not be fea­sible (see pages 30 to 33; esp. section "Data Delete", 1st paragraph). The data deletion service is disclosed as having a number of optional functions (page 30, line 8 from the bottom to page 31, line 14), including the function of deleting all or some local files or direc­to­ries or of deleting the local operating system.

The prior art

2. D6, also filed by the present applicant, discloses an asset tracking system based on the same soft­ware pro­duct ("Computrace"; see e.g. figure 2a). D6 also dis­closes an "agent" which is "concealed" and pro­tected against tampering. The agent "hides with­in the soft­ware/firm­ware/hardware" of the protected device so as to "evade de­tec­tion" and "resist possible attempts to disable it by an unauthorized user" (see e.g. column 2, lines 14-24; column 5, lines 32-36) and may be stored on the boot sector of the hard disk, i.e. out­side the file system (column 2, lines 42-45). The agent is loa­ded and started during boot up without user initia­tion or intervention (see e.g. column 5, line 23 to column 6, line 18; esp. column 6, lines 17-18). It is also dis­closed that the asset tracking service may provide an automatic call to the local authorities to re­port a sto­len device (see column 8, line 65 to column 9, line 7). D7 also stems from the present appli­cant and is very simi­lar to D6 (see in D7 esp. figure 3-1; page 4, lines 8-11 and 21-23; page 30, last paragraph; and page 36, lines 10-12).

3. D1 discloses a system providing for pre-boot file and informa­tion transfer between networked devices (see abstract, lines 1-3). Whenever a client connects to a net­­work, the client firm­ware (column 4, lines 47-50) executes a program which seeks a server with which to commu­­­nicate. The server management appli­ca­tion (SMA) then "performs whatever tasks it is preprogrammed to per­form", for instance "file transfers, file updates or operating system rescue (due to malicious or acciden­tal damage)" (column 4, lines 43-46 and 60-63). It is al­so dis­closed that the SMA might check whether the cli­ent boot sector is virus-free and, if not, remove the virus and restore the boot sector (column 4, lines 63-67).

4. D4 discloses an asset tracking and managing system based on a "beacon" device attached to the tracked com­puter (see esp. column 1, 1st paragraph and column 4, 2nd para­graph to column 6, penultimate paragraph). The beacon contains tracking software which cannot be by­passed or removed without impairing the functio­nality of the computer. Normally, the function of the beacon is concealed (column 8, 2nd paragraph). The bea­con de­ter­mines whether the pro­tec­ted compu­ter has been tam­pered with and reacts to tampering (see column 4, lines 55-61; column 8, penultimate paragraph to co­lumn 9, 1st paragraph) for instance by shutting the computer down, transferring files to the server, dele­ting the local operating system, dis­abling access to the hard drive or prohibiting cer­tain operations on files.

Inventive step

5. The board considers that D6 constitutes a suitable starting point for the assessment of inventive step.

6. The appellant argued that "persistent" in the context of the claimed invention referred to the partial driver agent's function of reconstituting the full servicing agent if it was corrupted or parts of it were removed or lost, and that D6 therefore did not disclose a "per­sistent servicing agent".

6.1 The board disagrees, noting that appellant's use of the term "persistent" is not established in the art. Speci­fi­cally, it does not correspond to ­­the conven­tio­nal understanding that­ memory may be called "persistent" if its contents are not lost when the power is switched off and that program code may be called "persis­tent" if it is held in persistent memory.

6.2 The board also notes that the capa­bility of the agent to reconstitute itself is expressly claimed, so the characterisation of the servicing agent as "per­sis­tent" - as interpreted by the appellant - does not limit the claim further.

6.3 The board concludes that D6 discloses a "persistent ser­vi­cing agent" according to a conventional under­stan­ding of the term, because the servicing agent of D6 is held in persistent memory (see column 2, lines 38-54).

7. Amended claim 1 contains new language according to which the full function driver agent is responsible for all communications with the remote server in providing its services. The board notes that the agent according to D6 has this feature as well (see e.g. column 6, line 60 - column 7, line 29).

8. Claim 1 according to the main request differs from D6 in that

i) the "persistent servicing agent disposed in the electronic device" comprises two parts, a "full function driver agent" and a "partial driver agent [...] with a reduced set of functions",

ii) wherein the partial driver agent is "configured to determine whether a full function driver is avai­lable in the electronic device" and "to reload por­tions of the full function driver" should that not be the case; and

iii) wherein the full function driver agent "is con­fi­gured to communicate with the server in providing a data deletion service, to perform one or more of" a number of alternative functions.

8.1 The board considers that differences i) and ii) solve a problem which is different from and independent of the problem solved by difference iii).

8.1.1 An effect of the arrangement according to features i) and ii) is that the servicing agent can be made larger than would fit in the concealed section of memory. The board considers that occasions will natu­rally arise in which the functionality of the servicing agent must be exten­ded. It may further happen that the concealed memory location allocated for the servicing agent becomes too small. This corresponds to a state­ment made in the description itself (see page 35, sec­tion B, lines 9-10).

8.1.2 The objective technical problem solved by the above diffe­rence can therefore be considered as how to handle the situation that an extended servicing agent does not fit in the concealed memory space of D6.

8.1.3 The effect of difference iii) however is primarily the protection of confidential data on a tracked electronic device.

8.1.4 In the board's view, these problems are unrelated to each other. A data deletion service can be provided by an agent such as that according to D6, which is con­cealed as a whole, if the concealed memory is large enough to store the agent with the additional functio­nality. And the claimed "reloading" functionality is useful to address a space limitation of the concealed memory, whatever may be the speci­fic service the agent provides.

8.1.5 The appellant took the position that the claimed inven­tion had to be considered solving a single problem, because the full function driver agent, which was sub­ject to a potential reloading by the partial driver agent, was "responsible for all communications with the remote server" and thus also for the communications needed for the data deletion service.

8.1.6 The board disagrees. The fact that the data deletion service uses the communication means provided by a par­ti­cular agent component does not establish a functional link between the service and the way in which the commu­­­ni­cation service is provided (beyond the fact that it is provided at all).

8.1.7 The board thus concludes that the claimed invention solves two separate problems over the prior art, the in­ven­tive step of which can thus be addressed se­pa­rately.

Inventive step of differences i) and ii)

9. If the functionality of the servicing agent is extended in such a way that the concealed memory space becomes too small, the board considers it obvious for the skilled person to store parts of the servicing agent elsewhere. The skilled person may also be forced to store the additional functionality in a place in which it is less "con­cealed" and thus can be removed or corrup­ted. D3 teaches the skilled person to protect the servicing agent against tampering. The skilled person would there­fore be led to search for known ways of pro­tecting the non-concealed parts of the servicing agent.

10. In the board's view, D1 provides such a teaching.

10.1 D1 discloses that the client workstation, in a pre-boot process, initiates communication with a server running "server management application" SMA, which then per­forms "whatever tasks it is preprogrammed to perform", such as "file transfers" and "file updates" (column 4, lines 42-50 and 56-57). As an example, D1 discloses that the SMA may remove a virus from the boot sector and restore the boot sector (column, lines 63-67). The board considers that detecting that a piece of software is virus-infected falls within the claimed determi­na­tion of whether the software is "available" or "missing". The board therefore finds that D1 discloses the reloading of software which may be missing from or not available at the electronic device.

10.2 The appellant argued that D1 did not disclose a "ser­vicing agent" within the meaning of the claim because it was confined to pre-boot activities. The term "ser­vi­­cing agent" and "service" clearly related to an "ope­ra­ting system service", whereas D1 taught ter­mi­nating the SMA's interaction with the client before running the operating system. As a consequence, it was argued­, the skilled person would not turn to D1 in trying to solve a problem with D6.

10.3 The board notes that the claims do not explicitly spe­ci­fy when the agent programs are to run, i.e. before or after the boot phase, and disputes that the term "ser­vice" alone must be con­strued, as the appellant suggests, to imply that they are run after booting. The board there­fore takes the posi­tion that whatever the SMA accor­ding to D1 performs can va­lid­ly be called a ser­vice, notwith­standing the fact that it runs before booting. More­over, the board con­si­ders that the skilled person, star­ting from D6, would be taught by D1 that - and how - missing or corrupted software can be recon­sti­tuted in the pre-boot phase and would not hesitate to apply this teaching to D6.

10.4 The appellant further argued that D1 did not disclose a pro­gram arranged in such a way that a part of it was set up to reload other parts of itself. D1 disclosed that the operating system could be the subject of the pre­-boot service, and that the latter had a "functional sub­set of the operation system" at its disposal (column 5, lines 1-15) but that the missing portions were re­loa­ded not by the partial operating system itself but by a separate device.

10.5 The board also rejects this argument. The claimed in­ven­tion does not specify in detail the asset tracking service the agent is meant to provide. Therefore, what does or does not belong to this ser­vice is, in the board's view, an exclusively concep­tual definition. Accordingly, it is justified to consi­der the reloading function of the SMA according to D1 (see point 10.1 above) to constitute a part of the provided service which, hence, is equipped to reload "itself".

11. In view of the above, the board considers that the skilled person would, without exercising any inventive skill, apply the cited teaching of D1 to D6 and arrive at the claimed invention - except for the fact that the "reloading" service of D1 is carried out under the con­trol of software (the SMA) running at the server, where­­as the claimed driver agent controls the reloading it­self.

11.1 In this regard, the board considers it obvious for the skilled person to transfer some functions from the ser­ver to the client and to run some of the pre-boot acti­vi­ties locally rather than on the server, for instance if the number of clients communicating with the same server made better load-balancing desirable.

11.2 In summary, the board concludes that differences i) and ii) do not establish an inventive step of claim 1 over D6 in view of D1.

Inventive step of difference iii)

12. Document D4 discloses an asset tracking service to per­form a number of security processes on a tracked client device that has been reported stolen (see col. 5, line 59 - col. 6, line 2). In particular, it is dis­closed that this may include erasure of the hard drive or the re­mo­val of the operating system or of other files (col. 6, lines 2-5 and 39-45). In the board's view, D4 thus dis­closes a data deletion service implementing at least the claimed features (a) and (c).

12.1 Noting that the functions (a) to (h) of the data dele­tion service are claimed as alternatives, this is suffi­cient to con­clude that D4 discloses the data dele­tion service as claimed.

12.2 The board therefore finds that the skilled person try­ing to protect confi­dential data in the context of an asset tracking ser­vice would be instructed by D4 to provide a data deletion service as claimed.

12.3 Hence, difference iii) does not establish inventive step over D6 either, in particular not in view of D4.

Summary

13. The board finds that claim 1 of the main request lacks inventive step over D6 in view of D1 and D4, Article 56 EPC 1973.

Order

For these reasons it is decided that:

The appeal is dismissed.