Troll wins Newegg encryption patent case, threatening web firms that protect customers

Just as the web is clamoring for more encryption, a Texas jury has set a terrifying precedent for companies that want to deploy it. Late Monday, the jury said online retailer Newegg was infringing on a patent that supposedly covers such security techniques. The court ordered Newegg to pay $2.3 million in damages, essentially for the sin of protecting its e-commerce transactions from online criminals.

U.S. Patent 5412730 (the ‘730 patent) was filed in 1992 by and granted in 1995 to one Michael Jones, at the time of a company called Telequip. It now belongs to TQP Development, an outfit established by Erich Spangenberg for the sole purpose of extracting cash from companies that allegedly infringe on its claims. Such outfits are officially known as “non-practising entities” and unofficially as “trolls”.

TQP has already used the patent to wring around $40 million in settlements out of Amazon(s amzn), Microsoft(s msft) and many smaller companies. The cost of defending a patent trial in the U.S. is so onerous that most companies will pay to make the troll go away – but not Newegg, a firm that has such a strong anti-troll stance that it even sells T-shirts declaring: “Settling Feeds Trolls”.

Prior art

Newegg seemed to have a pretty good case. The patent itself doesn’t refer to the web – it describes “a modem suitable for transmitting encrypted data over voice-grade telephone line” — and TQP’s interpretation of the patent’s claims in the web context (which only existed in a public sense from 1993 onwards) don’t stand up as novel technology. We’re talking about broad, fundamental encryption techniques here.

Indeed, Newegg was able to point to solid “prior art” – examples of the described techniques being used before the patent was even filed. According to TQP, Newegg was infringing on the patent’s claims by using the Secure Sockets Layer (SSL) protocol together with the RC4 encryption algorithm. RC4 came out of RSA Security(s rsas) in 1987, the invention of RSA cryptographer Ron Rivest.

Netscape released SSL in 1995, but using public-key cryptography techniques that date back to Whitfield Diffie and Martin Hellman’s work in 1976 (as we know now, these techniques were actually invented separately and secretly in 1970 by James Ellis, an employee of the British NSA equivalent GCHQ). And in any case, as Newegg’s lawyers argued, the ‘730 patent doesn’t even describe public key cryptography, but rather a more primitive method of symmetric cryptography.

Newegg managed to get testimony from Diffie, Rivest and even former Microsoft(s msft) tech chief Ray Ozzie, whose Lotus(s ibm) Notes email software was using RC4 in the late 1980s. But to no avail: the 8-person jury found Newegg to be infringing on all 4 of the asserted claims, and ordered it to pay $2.3 million in damages (TQP wanted $5.1 million).

Not the end

On the face of it, this is a disastrous outcome. Thanks to the hyperactivity of the NSA and other intelligence agencies, and the ever-present criminal threat, we all need more encryption in our lives – yes, the NSA may be able to crack it if it tries, but encryption almost certainly remains a valuable shield against dragnet surveillance, and it’s definitely needed to protect consumers against online fraudsters.

The verdict sets an ominous precedent for the many other suits TQP has on the boil, with defendants including the likes of Google(s goog) and LinkedIn(s lnkd) — although the patent expired in 2012, TQP was still able to sue over its past “infringement” for a further 6 (now 5) years. It also reinforces TQP’s strategy, which is to convince targets to pay up without going to trial.

However, this story isn’t over yet. Newegg has been here before – when the company won its greatest anti-troll triumph at the start of this year, defeating a firm called Soverain that claimed to own the rights to basic online shopping cart technology, it was only on appeal. And Newegg will definitely appeal the TQP verdict, arguing that the ‘730 patent should be invalidated. Which it should; its claims are being interpreted way too broadly, and it doesn’t actually describe a novel invention.

“We respectfully disagree with the verdict that the jury reached tonight,” Newegg legal chief Lee Cheng told Ars Technica after the trial. “We fully intend, as we did in the Soverain case, to take this case up on appeal and vindicate our rights.”

This article was amended at 10.30am PT to include a detail about the patent’s expiration.