T 0691/21 (Secure web browsing/RANDED TECHNOLOGIES) of 3.5.2023

European Case Law Identifier: ECLI:EP:BA:2023:T069121.20230503
Date of decision: 03 May 2023
Case number: T 0691/21
Application number: 16382216.6
IPC class: H04L 29/06
H04L 29/08
Language of proceedings: EN
Distribution: D
Download and more information:
Decision text in EN (PDF, 381 KB)
Documentation of the appeal procedure can be found in the Register
Bibliographic information is available in: EN
Versions: Unpublished
Title of application: Server and method for providing secure access to web-based services
Applicant name: Randed Technologies Partners, S.L.
Opponent name: Ozámiz, Antonio
Board: 3.5.03
Headnote: -
Relevant legal provisions:
European Patent Convention Art 56
European Patent Convention Art 100(a)
European Patent Convention R 76(1)
European Patent Convention R 76(2)(c)
European Patent Convention R 103(4)(c)
Rules of procedure of the Boards of Appeal 2020 Art 012(8)
Keywords: Admissibility of opposition - (yes): opposition substantiated
Inventive step - all requests (no)
Decision in written proceedings: cancellation of hearing following appellant's announcement of non-attendance
Partial reimbursement of appeal fee at 25% - (yes)
Catchwords:

-

Cited decisions:
G 0001/92
T 0222/85
T 0003/90
T 1541/16
T 0517/17
Citing decisions:
-

Summary of Facts and Submissions

I. The patent proprietor (appellant) appealed against the decision of the opposition division concerning maintenance of the present European patent in amended form on the basis of "auxiliary request 8".

II. The opposition had been filed on the grounds of lack of novelty and lack of inventive step (Article 100(a) in conjunction with 54 and 56 EPC).

III. The contested decision cited, inter alia, the following prior-art documents:

D1:|WO 2008/038277 A2, 3 April 2008; |

D7:|A. Larsson: "Gtk3 vs HTML5", 23 November 2010, retrieved from https://blogs.gnome.org/alexl/2010/11/23/gtk3-vs-html5; |

D8:|A. Larsson: "Broadway update 3", 18 April 2011, retrieved from https://blogs.gnome.org/alexl/2011/04/18/broadway-update-3; |

D13:|A. Larsson: "broadwayd: GTK+ 3 Reference Manual", 23 March 2015, retrieved from https://developer.gnome.org/gtk3/3.16/broadwayd.html.|

IV. In its statement of grounds of appeal, the appellant requested that the decision under appeal be set aside and that the opposition be rejected, i.e. that the patent be maintained as granted (main request) or, in the alternative, that the patent be maintained in amended form on the basis of the claims of one of auxiliary requests 1, 5, 3 and 4, in that order. The appellant requested oral proceedings should the board not allow its main request.

V. The opponent (respondent) did not file a written reply.

VI. In a communication under Article 15(1) RPBA 2020, the board expressed its preliminary opinion that the opposition was admissible and that the subject-matter of claim 1 of each request lacked an inventive step.

VII. In response to the summons to oral proceedings, the appellant informed the board that it would not be attending the oral proceedings. It did not comment on the board's communication.

VIII. The board cancelled the oral proceedings.

IX. Claim 1 of the patent as granted (main request) reads as follows:

"An intermediary server (101,201,301,502) for providing secure access to a web page of a web-based service to a client terminal (110,111,210,240,241) upon request of one of a web server (120-122,220,221,503) and a client terminal (110,111,210,240,241) comprising a web browser (501), the intermediary server (101,201,301,502) comprising:

an operating system (302) configured to run an instance (304,305,504) of a web browser engine (303);

the web browser engine (303) is configured to produce an image of the web page rendered in the instance (304,305,504) of the web browser engine (303), and to transmit an access web page (401) to the web browser (501) of the client terminal (110,111,210,240,241); and

the access web page (401) is configured to retrieve (404) the image from the web browser engine (303), and to display (404) the image in the web browser (501)."

X. Claim 1 of auxiliary request 1 is identical to claim 1 as granted.

XI. Claim 1 of auxiliary request 5 differs from claim 1 as granted in that the text "for each request to provide secure access to a web page of a web-based service to a client terminal (110,111,210,240,241)" has been inserted after "an operating system (302) configured to run an instance (304,305,504) of a web browser engine (303)".

XII. Claim 1 of auxiliary request 3 differs from claim 1 as granted in that the following text has been added at the end of the claim:

"comprises JavaScript code (402) or HTML code configured to load JavaScript code (402) retrievable from the intermediary server (101,201,301,502)".

XIII. Claim 1 of auxiliary request 4 differs from claim 1 as granted in that the text following "and to transmit an access web page (401) to the web browser (501) of the client terminal (110,111,210,240,241);" has been replaced with:

"the web browser engine (303) is further configured to detect changing portions of the web page in the instance (304-305), and to produce images of the changing portions; and

the access web page (401) is configured to retrieve (404) the image from the web browser engine (303), to display (404) the image in the web browser (501), to retrieve (404) the images of the changing portions from the web browser engine (303), and to replace portions of the image displayed in the web browser (501) with the images of the changing portions, and the access web page (401) comprises JavaScript code (402) or HTML code configured to load JavaScript code (402) retrievable from the intermediary server (101,201,301,502)."

Reasons for the Decision

1. Withdrawal of the request for oral proceedings

1.1 It is well established in the case law of the boards of appeal that the appellant's statement that it would not take part in the oral proceedings is to be understood as a withdrawal of its request for oral proceedings in the absence of any indication to the contrary (see e.g. T 3/90, OJ EPO 1992, 737, Reasons 1). The decision can therefore be taken without holding oral proceedings (Article 12(8) RPBA 2020).

1.2 Since the appellant withdrew its request for oral proceedings within one month of the notification of the board's communication in preparation for the oral proceedings, and this decision is taken without holding oral proceedings, the conditions for a reimbursement of the appeal fee at 25% under Rule 103(4)(c) EPC are fulfilled (see e.g. T 517/17, Reasons 6).

2. Admissibility of the opposition

2.1 The appellant submitted that the notice of opposition did not fulfil the requirements of Article 99(1) EPC and Rule 76(2)(c) EPC because the opponent had not provided the facts and evidence in support of at least one attack under one of the grounds for opposition listed in Article 100 EPC.

2.2 In its decision, the opposition division considered that section 9.2.1.1, in particular pages 23 and 24, of the notice of opposition contained a sufficiently substantiated attack, but it did not state under which ground for opposition. From point 2.8 of the minutes of the oral proceedings before the opposition division, it can be understood that the opposition division considered the attack to be that of lack of inventive step.

The appellant contested that pages 23 and 24 of the notice of opposition contained a substantiated inventive-step attack.

2.3 Since the heading of section 9.2.1.1 reads "Claim 1 does not fulfil the requirements of novelty as required by Article 100(a) EPC and Article 52(1) and 54(1) and (2) EPC for the following reasons", and there is nothing in this section between pages 23 to 28 which attempts to make a case for obviousness or lack of inventive step, the board does not consider this attack to be an inventive-step attack. Rather, this section presents facts substantiated by evidence together with a reasoning which allegedly leads to the conclusion that the subject-matter of claim 1 lacks novelty.

Although it may be uncommon to argue lack of novelty on the basis that each of the features of claim 1 can be found in either document D1 or documents D7 and D8, as is done in section 9.2.1.1, whether or not the

lack-of-novelty reasoning is convincing is irrelevant for the admissibility of the appeal. In the board's view, the substantiation of the novelty attack allowed the opponent's case to be properly understood on an objective basis and therefore meets the minimum requirements of Article 99(1) in conjunction with Rule 76(1) and (2)(c) EPC (see T 222/85, Reasons 4 and 5).

2.4 Moreover, section 9.1.7 read in combination with section 9.1.1 of the notice of opposition essentially presents a novelty attack based on a public prior use in the form of the "Broadway HTML5 back-end for the GTK3 graphical widget toolkit" and the "Epiphany and Firefox browsers" as part of the Fedora 20 Linux distribution. Likewise, section 9.1.8 presents a novelty attack based on a public prior use in the form of a code sample. The question whether these alleged public prior uses indeed disclose the subject-matter of claim 1, for example taking into account the criteria developed in opinion G 1/92, is an issue of substantive examination rather than of admissibility of the opposition.

2.5 The opposition is therefore admissible.

2.6 Since the opposition is admissible and the ground of lack of inventive step was examined in the opposition proceedings, there is no need to consider whether the notice of opposition contains sufficient substantiation of this additional ground for opposition.

3. Background of the patent

The opposed patent relates to providing a client terminal with secure access to a web page hosted by a web server. This is achieved essentially by rendering the web page at an intermediary server and transmitting an "image" of the rendered web page to the client terminal for display in the client's web browser.

4. Main request (maintenance of the patent as granted)

4.1 Granted claim 1 includes the following limiting features (board's labelling):

An intermediary server for providing secure access to a web page of a web-based service to a client terminal upon request of one of a web server and a client terminal comprising a web browser, the intermediary server comprising:

(a) an operating system configured to run an instance of a web browser engine;

(b) [wherein] the web browser engine is configured to produce an image of the web page rendered in the instance of the web browser engine, and to transmit an access web page to the web browser of the client terminal;

(c) [wherein] the access web page is configured to retrieve the image from the web browser engine, and to display the image in the web browser.

4.2 Inventive step

4.2.1 Document D1 relates to a system for secure web browsing (see abstract). In the system of document D1, client computers 110 communicate with external communication networks 180 via intermediary remote servers in a "Secure Internet Browsing Zone 140" (see paragraph [0042]). An intermediary remote server ("remote AVS Server 150") receives actions performed by the users of a client computer and implements user activities on a browser residing on the remote server (paragraph [0045]). Changes occurring in the browser are transmitted to the client computer using a

client-server communication protocol such as Remote Desktop Protocol (RDP), Independent Computing Architecture (ICA) or any other protocol (ibid.).

4.2.2 As to feature (a), in the board's view, the skilled person understands that, in document D1, the remote browser on the intermediary remote server runs on top of an operating system. In this respect, the appellant argued that "an operating system configured to run an instance of a web browser" did not disclose "an operating system configured to run an instance of a web browser engine".

However, any web browser includes a "web browser engine" (see paragraph [0020] of the opposed patent). Hence, running a web browser implies running its web browser engine. An operating system configured to run an instance of a web browser is therefore necessarily "configured to run an instance of a web browser engine" in accordance with feature (a).

4.2.3 As to feature (b), the appellant also argued that the web browser engine of document D1 did not "produce an image" of the rendered web page.

Although "rendering a web page" can be said to "produce an image" of the web page, in view of feature (c), according to which the transmitted "access web page" is supposed to be "configured to retrieve the image from the web browser engine", the board accepts that the claimed "web browser engine" not only renders the web page of a web-based service but also converts the rendering results into an "image" for transmission to the web browser of the client terminal.

4.2.4 Hence, the subject-matter of claim 1 differs from the disclosure of document D1 in features (b) and (c).

4.2.5 In document D1, it is an RDP, ICA or another remote display server running at the intermediary server which produces an image of the rendered web page for transmission to the RDP, ICA or other remote display client running at the client terminal. Moreover, the image of the rendered web page is not displayed within a web page in a web browser on the client terminal but by an RDP, ICA or another remote display client.

4.2.6 The opposition division formulated the objective technical problem to be solved as "how to transfer the result of a remotely rendered web page to a local web browser in an alternative way". It argued essentially that documents D7 and D8 taught the skilled person that the web browser of a client terminal could be used to display what is being rendered by another web browser running on a remote server. The skilled person would apply this teaching to the system of document D1 and thereby arrive at the claimed invention.

4.2.7 Documents D7 and D8 relate to the "broadwayd" backend, which is a remote display server that allows GTK-based applications running on a server to be displayed within an ("access") web page in a web browser (see also document D13). In particular, documents D7 and D8 show that "broadwayd" can be used to display the "Epiphany web browser" as a web page in a web browser.

4.2.8 In the board's view, the skilled person, starting from document D1, would have considered using the "broadwayd" remote display server as an alternative to an RDP or ICA remote display server. This would in turn have resulted in the broadwayd display server being "configured to produce an image of the rendered web page and to transmit an access web page to the web browser of the client terminal", i.e. configured to provide the functionality of the "web browser engine" specified in feature (b), the access web page being "configured to retrieve the image from the web browser engine, and to display the image in the web browser" as required by feature (c).

4.2.9 In that regard, the appellant argued that a display server was not a "web browser engine".

The board agrees that document D1 does not disclose that the RDP, ICA or other kind of remote display server is part of the remote web browser (engine). However, whether the remote display server functionality is implemented by the "web browser engine" running on the intermediary server, as required by feature (b), or by a separate server module running on the same server is a matter of mere computer programming preferences and not a distinction which can support an inventive step (see e.g. T 1541/16, Reasons 2.6 and 2.8).

4.2.10 On this point, the appellant argued that "[t]he skilled person could not change a web browser engine with features of a display server in an obvious manner, let alone would she/he do so".

The board notes that the claimed invention requires the skilled person to provide a "web browser engine" with the functionality of a display server, but the opposed patent does not provide the skilled person with detailed instructions on how to do this. In the board's view, at the priority date and absent any further implementation details, the skilled person would indeed have been able to modify a known "web browser engine" to include the known remote display server functionality.

4.2.11 The appellant further argued that the fact that a "web browser" was displayed did not mean that web browsing was secure. Since "Broadway" was not isolated, any malware in the web page that was loaded affected the device.

However, in document D1, security is provided by rendering the potentially malicious web page in the remote web browser at the intermediary server in the same way as it is done by the claimed invention. The manner in which the results of the rendering are transmitted to and displayed on the local machine does not affect security.

4.3 In view of the above, the board concludes that the subject-matter of claim 1 as granted lacks inventive step (Articles 100(a) and 56 EPC).

5. Auxiliary request 1

Since claim 1 of auxiliary request 1 is identical to claim 1 as granted, its subject-matter also lacks an inventive step (Article 56 EPC).

6. Auxiliary request 5

6.1 Claim 1 of auxiliary request 5 adds to claim 1 as granted that

(d) the operating system is configured to run a web browser engine instance for each request to provide secure access to a web page of a web-based service to a client terminal.

6.2 Inventive step

6.2.1 Since each browsing session requires the remote web browser (engine) to maintain its state, it is obvious to use a different web browser (engine) instance for each session request. Moreover, document D7, page 2, discloses spawning "a new instance of the app for every user", i.e. for each user session.

6.2.2 Insofar as the appellant takes the view that the references to "application virtualization" in document D1 imply that each instance is to be run in its own virtual machine, the board notes that virtual machines typically run on top of a host operating system.

6.3 Hence, the subject-matter of claim 1 of auxiliary request 5 lacks inventive step, too (Article 56 EPC).

7. Auxiliary request 3

7.1 Claim 1 of auxiliary request 3 adds to claim 1 as granted that

(e) the access web page comprises JavaScript code or HTML code configured to load JavaScript code retrievable from the intermediary server.

7.2 Inventive step

7.2.1 Web pages which include HTML or JavaScript code configured to load JavaScript code from a web server according to feature (e) are well known in the art. Since claim 1 leaves the functionality of the loaded JavaScript code undefined, this known feature merely serves its known purpose and cannot support an inventive step.

7.2.2 The board further notes that the "access web page" provided by the broadwayd remote display server includes JavaScript code (see document D7, "XMLHttpRequest", "dom events") and that it is a

well-known possibility to include such JavaScript code in a web page by means of an HTML "<script>" tag. Moreover, the screenshots on pages 29 and 30 of the notice of opposition confirm that the broadwayd access web page includes an HTML "<script>" tag configured to load the "broadway.js" JavaScript code from the web server.

7.2.3 The appellant argued that the teaching of documents D7 and D8 could not be combined with the teaching of document D1.

In this regard, the board notes that this argument has already been treated in point 4.2 above.

7.2.4 The appellant referred to the phrase "without executing any HTML" on page 7, lines 17 to 20, of document D1. However, this expression refers to not executing, at the client computer, any HTML pages obtained from external websites for security reasons. The broadwayd "access web page" does not come from an external website.

7.3 Hence, the subject-matter of claim 1 of auxiliary request 3 likewise lacks an inventive step (Article 56 EPC).

8. Auxiliary request 4

8.1 Claim 1 of auxiliary request 4 adds to claim 1 of auxiliary request 3 the following features:

(f) the web browser engine is further configured to detect changing portions of the web page in the instance, and to produce images of the changing portions;

(g) the access web page is [further] configured to retrieve the images of the changing portions from the web browser engine, and to replace portions of the image displayed in the web browser with the images of the changing portions.

8.2 Inventive step

8.2.1 The "tech[ni]cal description for the web geeks" on page 1 of document D7 discloses that:

- the broadwayd remote display server detects changing portions of the application being remotely displayed and produces images of the changing portions;

- the access web page receives the images of the changing portions over a multipart/x-mixed-replace XMLHttpRequest to replace ("updated") the corresponding portions of the image.

Hence, using "broadwayd" as the remote display server in the system of document D1 would directly result in added features (f) and (g).

The appellant argued that the "image diffs" mentioned in document D7 are "of the entire contents of the display server" and included image differentials of the user interface of the application and the desktop. The board agrees that the images of changing portions transmitted by the "broadwayd" server are not limited to the web page displayed by the remote web browser but also cover other parts of the remote web browser such as its user interface as well as any visible portions of the remote desktop. However, features (f) and (g) of present claim 1 do not rule this out.

8.2.2 Moreover, document D1, paragraph [0045], discloses that

"[a]ny changes occurring in the browser on remote AVS Server 150 are transmitted to the appropriate client computer 110".

It would thus have been an obvious possibility to transmit such changes in the form of "images" of the changed portions.

8.3 Hence, the subject-matter of claim 1 of auxiliary request 4 also lacks an inventive step (Article 56 EPC).

9. Since none of the claim requests on file is allowable, the appeal is to be dismissed.

Order

For these reasons it is decided that:

The appeal is dismissed.

Quick Navigation