European Case Law Identifier: | ECLI:EP:BA:2021:T121315.20210113 | ||||||||
---|---|---|---|---|---|---|---|---|---|
Date of decision: | 13 January 2021 | ||||||||
Case number: | T 1213/15 | ||||||||
Application number: | 08825892.6 | ||||||||
IPC class: | G06F21/00 G06F21/24 |
||||||||
Language of proceedings: | EN | ||||||||
Distribution: | D | ||||||||
Download and more information: |
|
||||||||
Title of application: | EXTERNAL INTERFACE ACCESS CONTROL | ||||||||
Applicant name: | Johnson & Johnson Surgical Vision, Inc. | ||||||||
Opponent name: | - | ||||||||
Board: | 3.5.06 | ||||||||
Headnote: | - | ||||||||
Relevant legal provisions: |
|
||||||||
Keywords: | Inventive step - (no) Inventive step - closest prior art Inventive step - skilled person |
||||||||
Catchwords: |
- |
||||||||
Cited decisions: |
|
||||||||
Citing decisions: |
|
Summary of Facts and Submissions
I. The appeal lies from the decision to refuse European patent application No. 08 825 892.6 for lack of an inventive step, Article 56 EPC in view of
D1: US 6 106 396 A and
D3: US 2003/159141 A1.
II. Notice of appeal was filed on 23 March 2015, the appeal fee being paid on the same day. A statement of grounds of appeal was received on 29 May 2015. The appellant requested that the decision be set aside and a patent be granted on the basis of claim 1-10 according to a main request or one of auxiliary request 1 to 4, or claims 1-5 according to one of auxiliary requests 5 to 7 (the latter corresponding to merely the method claims of auxiliary requests 2 to 4).
III. Claim 1 of the main request reads as follows:
"A phacoemulsification/vitrectomy system configured to be used in association with an external Universal Serial Bus, USB, memory storage device (107) comprising a USB compliant file system, the system comprising:
an input/output data port (106) configured to receive the external USB memory storage device (107); and
an operating system capable of reading system data from and writing system data to said USB memory storage device (107);
wherein files (201) in the fil system of the external USB memory storage device (107) are all associated with a signature value (203) readable by the system to determine whether each file (201) is permitted to be used in the system."
Claim 1 of auxiliary request 1 differs from claim 1 of the main request in that the files used in the claimed system are limited to "program files" which are "executed" in the system.
Claim 1 of auxiliary request 2 differs from claim 1 of auxiliary request 1 in that the input/output data port is specified to be a "USB input/output data port" and that the external USB device is "connected by a user".
Claim 1 of auxiliary request 3 differs from claim 1 of auxiliary request 2 in that the external USB memory storage device is specified to be an "external USB memory-stick flash memory storage device".
Claim 1 of auxiliary request 4 differs from claim 1 of auxiliary request 3 in that the program files are specified to be associated with a "multiple hash values" rather than with a signature.
Claim 1 of auxiliary request 5 is the method claim of auxiliary request 2 and reads as follows:
"A method of protecting system resources of a phacoemulsification/vitrectomy system from access by unauthorized files stored in an external Universal Serial Bus, USB, memory storage device (107), the method comprising:
connecting said external USB memory storage device (107) to a USB input/output data port (106) of said phacoemulsification/vitrectomy system by a user:
inspecting (304, 305) at least one signature value (203) associated with one system (201) located on said external USB memory storage device (107); and
verifying (306, 307, 308) at least one system file (201) stored within the external USB memory storage device (107) is a known software application asset by assessing at least one signature value (203) associated with at least one system file (201), and on successful verification allowing execution of the software application asset from the external USB memory storage device (107)."
Claim 1 of auxiliary request 6 and claim 1 of auxiliary request 7 differ from claim 1 of auxiliary request 5 in the same way as claim 1 of auxiliary request 3 and auxiliary request 4 differ from claim 1 of auxiliary request 4.
IV. In an annex to a summons to oral proceedings, the board informed the appellant of its preliminary opinion that claim 1 of all requests lacked an inventive step over D3 in view of common general knowledge or, alternatively, over D3 in view of D1, Article 56 EPC.
V. Oral proceedings were held on 13 January 2021 by video conference. During the hearing, the board referred to a document cited in D1, namely
D4: Fahn P, "Answers To Frequently Asked Questions About Today's Cryptography - Version 2.0", RSA Laboratories, 20 September 1993
Reasons for the Decision
The invention
1. The application generally relates to the access from a computer system to software and data stored in an external file system (see page 1 of the application as originally field, lines 9-12).
2. The description starts explaining that many of today's computing systems, including medical ones, are equipped with I/O interfaces such as USB to enable access from outside the system (page 1, lines 4 to 27). In particular, the use of an external USB memory stick is disclosed as being commonly known (page 1, line 27 to 35; page 3, lines 10 to 12). On page 8 the computer system is disclosed as "for example" a "phacoemulsification/vitrectomy" system (page 8, lines 17 to 21).
2.1 The invention as claimed relates to a phacoemulsification/vitrectomy system or method "configured to be used with" a USB memory storage device" and a "USB compliant file system" storing files which "are all associated with a signature value [...] to determine whether each file is permitted to be used in the system". This could mean that the files on the external USB memory are digitally signed by some trusted authority such as the software manufacturer (page 6, lines 29 to 32).
The prior art
3. D3 discloses a "surgical apparatus ... such as ... [a] phacoemulsification unit" (see paragraph 83; see no. 18 in figure 2). The unit also provides a (preferably) wireless data transmitter (RS-232 or other, USB included) for transmitting a data signal to a video overlay console (see e.g. claim 1, paragraphs 97, 101, 105, 108). It is disclosed that other "files corresponding to surgical procedures" can be further transferred "for retrieval, display and analysis in another computer" (see paragraph 98). For this purpose, all kinds of "File input/output device[s]" may be used, including non-volatile memory cards or I/O data ports for connection to another device (loc. cit.).
The starting point for the inventive step assessment
4. The original claims related to any system connected to an external USB compliant file system, or associated method (see e.g. original claims 1 and 2) and were not limited to the mentioned medical class of systems. Initially, therefore, inventive step was assessed starting from document D1 (see the WO-ISA, point V.3).
5. Claim 1 was limited to a "phacoemulsification/vitrectomy" system with the letter dated 22 October 2014. In response, the examining division introduced document D3 as new preferred starting point ("closest prior art") for the assessment of inventive step.
6. The board agrees with that choice. More to the point, the board takes the view that the skilled person, starting from an electronic gaming system such as that according to D1, would normally have no occasion to produce a medical device such as the claimed one.
Differences over D3
7. The examining division determined as differences between claim 1 of the then main request, which is identical to the present main request, and D3 that the system of D3 was not
i) able to read system data from and write system data to an external USB memory storage device, wherein
ii)the files in that storage decide were all associated with a signature value [..] to determine whether each file was permitted to be used in the system.
It further found these differences to be obvious for the skilled person in view of D1. See the decision, points 10.2 to 10.4.1.
8. The appellant stressed that D3 did not disclose an external USB memory device but only the use of the USB data protocol (see the grounds of appeal, page 3, paragraph 3). Thus D3 at best suggested the use of USB "as a communication bus" between components of the overall system (page 3, last paragraph). As a consequence, the examining division considered the wrong problem to be solved (page 4, paragraphs 2 and 3) and the connection established between D3 and D1 relied on hindsight (page 4, paragraphs 5 and 6, and page 6, paragraph 3).
9. The board takes the view that the claimed phacoemulsification/vitrectomy system reads on the combination of the "unit" (i.e. the "ophtalmic surgery apparatus 18 in figures 2 and 5) and the video overlay console (including all its components, depicted on the left hand side of figures 2 and 5). The appellant accepted this during the oral proceedings as a possible and appropriate construction of the claimed system.
9.1 Thus, although the transmission from the unit to the console in D3 is one-way and does not include a memory storage as claimed, the video overlay console itself is disclosed as providing an external memory storage device (with a suitable file system) and, implicitly, an operating system capable of writing to ("files corresponding to surgical procedures") and reading from it ("user input in the form of program updates"; see paragraph 98 and figure 6, no. 60).
9.2 That given, the board finds there to be two differences between the subject-matter of claim 1 of the main request and D3, namely:
i) the external memory device is a USB memory storage device, and
ii) the files stored on this memory device are digitally signed (and allow to the system to determine whether each file [...] is permitted to be used in the system).
Obviousness
10. The board holds these differences to solve different, unrelated problems in view of D3. Difference i) provides an alternative "input/output device" for the update of "stored files corresponding to surgical procedures", i.e. "program files" or "software application assets" as claimed (see paragraph 98 of D3). Difference ii) contributes to the system security, which is at risk where files can be loaded from an external input/output device, by allowing the system to increase trust in read files. The appellant also stated that difference ii) constituted a particular convenient way of increasing security.
10.1 Re difference i) The board considers replacing the memory card disclosed in D3 by a USB memory storage device to be obvious, for example following the technological trend towards USB devices. The board notes in this context that the description itself states it to be "related" - i.e. prior - "art" to use USB memory sticks in all kinds of system, medical ones included, for convenience and flexibility (see page 1, line 14, to page 2, line 23). The appellant did not challenge this argument.
10.2 Re difference ii) During the oral proceedings, the appellant argued that the choice of D3 as the "closest prior art" defined the "field of the invention" to be that of eye surgery apparatus and that the skilled person would, consequently, have to be an engineer in manufacturing eye surgery systems rather than, for example, an IT specialist. Inventive step would have to be assessed through the eyes of that skilled person and in view of that persons common general knowledge and prejudices. Further, it referred to the statement in board of appeal decision T 422/93 that the "appropriate skilled person's basic knowledge [did not] include that of a specialist in [a] different field to which the proposed solution belonged, if the closest prior art gave no indication that the solution was to be sought in this other technical field" (cited after the Case Law book, Ninth edition, July 2019, I.D.8.1.1, page 204).
10.2.1 The appellant also criticized the board for having assumed (see the summons, point 12.7) without supporting evidence that the use of electronic signatures to increase security in the mentioned sense was common general knowledge in the field of the invention.
10.2.2 The board agrees that the chosen starting point and the objective technical problem posed for the assessment of inventive step determines the skilled person in that the skilled person would normally have to be one to which the "closest prior art" is directed and who would have posed him or herself the objective technical problem.
10.2.3 In the present case, where the system of D3 comprises a substantial part of computing equipment, the skilled person must be assumed to have substantial skill also in the computing field.
10.2.4 More specifically, the board considers that the skilled person to which D3 is addressed must be assumed to know about the security issues implied by loading program files from an external input/output device such as a memory card and thus would pose him or herself the problem to increase the security of performing an update in this manner.
10.2.5 In view of the foregoing, the board considers this to be consistent with the cited statement from T 422/93.
10.2.6 As regards common general knowledge, the board refers to D4, a version of which is cited in D1, column 7, lines 61-66 (D4 being the version of 20 September 1993, while D1 cites the version of 5 October 1993). The board holds that a document relating to "Frequently" asked question relating to "Today's Cryptography" in 1993 can be taken as an indication of what was on the relevant skilled person's mind at the time and thus part of his or her common general knowledge. This document states in section 1.2 that "Authentication in a digital setting is a process whereby the receiver of a digital message can be confident of the identity of the sender and/or the integrity of the message" and that "authentication in public-key systems uses digital signatures". Moreover, in sections 8.1 and 8.2, this document explains the use of hashing in the context of digital signatures.
10.2.7 In view of the common general knowledge exemplified by D4, the board considers that difference ii) would have been an obvious solution to increase the security of the system of D3 for the person with the appropriate technical skill.
10.3 As a consequence, the board concludes that claim 1 of the main request lacks an inventive step over D3 and common general knowledge, Article 56 EPC 1973.
11. In the above analysis, reference has already been made to program files loaded into the system. The amendment to auxiliary request 1 has thus already been covered. The same applies to the fact that the external memory device is provided by the user and, hence, auxiliary request 2.
11.1 Choosing the external USB memory device to be a USB memory-stick flash device (auxiliary request 3) is found to be obvious for exactly the same reason as given above.
11.2 The technical effect of using "multiple hash values" per program or data file (see auxiliary request 4) is unclear to the board, and the description does not provide any explanation in this regard (see esp. the passage referred to by the appellant, page 11, lines 16 and 17), so that this feature cannot contribute to inventive step. This objection was raised in the board's summons (point 14.2) and not challenged by the appellant.
11.3 As regards auxiliary requests 5 to 7, the board considers that the preceding analysis applies to systems and methods alike. Also this objection was raised in the board's summons (point 14.3) and was not challenged by the appellant.
Order
For these reasons it is decided that:
The appeal is dismissed.