14-15 November 2018
|European Case Law Identifier:||ECLI:EP:BA:2014:T064310.20141008|
|Date of decision:||08 October 2014|
|Case number:||T 0643/10|
|IPC class:||G06F 21/24|
|Language of proceedings:||EN|
|Download and more information:||
|Title of application:||Systems and methods for protecting sensitive data|
|Applicant name:||SAP SE|
|Relevant legal provisions:||
|Keywords:||Inventive step - (no)|
Summary of Facts and Submissions
I. The appeal lies against the decision of the examining division, with reasons dispatched on 19 October 2009, to refuse European patent application no. 08100426.9 for lack of an inventive step over the document
D1: Ennser L et al., "The XML Files: Using XML and XSL with IBM Websphere 3.0", IBM Corporation, International Technical Support Organization (ITSO), IBM Form Nr. SG24-5479-00, March 2000.
II. A notice of appeal was filed on 16 November 2009, the appeal fee being paid on the same day. A statement of grounds of appeal was received on 11 February 2010. The appellant requested that the decision under appeal be set aside and that a patent be granted based on the description and the drawings as originally filed in combination with claims 1-15 according to the main request or claims 1-13 according to the auxiliary request as filed on 24 July 2009 and as subject to the decision under appeal, or claims 1-15 according to a second auxiliary request filed with the grounds of appeal.
III. With a summons to oral proceedings, the board informed the appellant of its preliminary opinion according to which the independent claims of the main request lacked an inventive step over D1 or, alternatively, over a prior solution discussed in the application itself, Article 56 EPC 1973. With regard to the auxiliary requests, the board noted that the appellant had only referred to its submission of 24 July 2009 and thus arguably not fully taken into account the examining division's reasons as laid out in the decision.
IV. In response to the summons, with letter dated 8 September 2014, the appellant clarified its arguments regarding the first auxiliary request and withdrew the second auxiliary request. Furthermore, it argued that the board's argument based on the prior solutions discussed in the application was moot because the discussion of these "prior solutions" was not an "admission of prior art".
V. Claim 1 of the main request reads as follows:
"A computer-implemented method for transmitting an XML document (107) from a sender (105) within a secure environment (102) to a receiver (125) within an insecure environment (122) via a communication channel (120), the method comprising the steps of:
receiving the XML document from the sender by a filter module (115) before transmission via the communication channel, the XML document having a tree structure, each node of the tree (642) being representative of one element of the XML document, each element having content,
using a configuration file (220) to selectively remove some of the content, the configuration file comprising a first set (953) of statements specifying a first set of elements and a second set (954) of statements specifying a second set of elements, wherein the content is selectively removed by generating an intermediate XML document (956), identifying the first set of elements in the XML document using the first set of statements, copying the first set of elements into the intermediate XML document, identifying the second set of elements in the intermediate XML document using the second set of statements, and removing the content of the second set of elements from the intermediate XML document which provides a filtered XML document,
sending the filtered XML document via the communication channel to the receiver,
wherein the first and second sets of statements are XPATH statements, wherein the configuration file is an XML document, wherein the generation of the filtered XML document is performed by an XSL transformation using the configuration file, wherein if one (K3.2) of the elements of the first set of elements is not a leaf node of the tree, copying the sub-tree (644) originating from that element into the intermediate XML document, whereby the removal is performed by replacing the content by a dummy information, wherein the dummy information is chosen to be in compliance with the requirements specified in an XML schema (960) being associated with the XML document, wherein the dummy information is specified as an attribute of an XPATH, and wherein the XPATH statement specifies the element whose content is to be removed."
Claim 1 of the auxiliary request corresponds to claim 1 of the main request with the following text added at its end:
"... wherein the filter module is executed by a gateway server that all messages transmitted by the origin data processing system must pass through before transmission over communication channel 120 to the destination data processing system, and wherein each one of the elements of the first and second sets of elements is identified by one of a search term for searching within the content,  a search term for searching within the elements' names, [and] an explicit tree path description leading to the element."
Both requests also contain an independent data processing system claim - numbered 13 and 11, respectively - which corresponds closely with the respective independent method claims.
VI. The oral proceedings took place as scheduled on 8 October 2014. At the end of the oral proceedings, the chairman announced the decision of the board.
Reasons for the Decision
1. The application relates to the transmission of data between systems of different security levels and addresses the problem of ensuring that sensitive information is not transmitted into an insecure environment. The invention proposes a way of filtering classified information from a given document before transmission.
1.1 Specifically, the invention relates to the transmission of an "XML document" which is filtered by an "XSL transformation" on the basis of a "configuration file" which defines, via two separate sets of XPATH statements, which "elements" of the XML document may be kept and which are to be removed. The filtering takes place in two steps: In the first step, the elements specified by the first set of XPATH statements are copied into an intermediate XML document, and in the second step, the elements specified by the second set of XPATH statements are removed to produce the "filtered XML document" to be transmitted.
1.2 It is specified in the independent claims that a first XPATH statement selecting an inner tree node to be kept denotes the entire subtree rooted at that position, and that content is removed by replacement with some "dummy information" which is specified in the pertinent XPATH statement as an "attribute" and which complies with a given XML schema.
1.3 In the independent claims of the auxiliary request it is further specified that the "filter module is executed by a gateway server that all messages ... must pass through" and that the "elements" specified in the configuration file are identified by a "search term" for either "searching within the content" or searching within the elements' names, or an "explicit tree path description leading to the element".
The prior art
2. D1 discusses XML and related tools, amongst which XSL, XPath and XML schemas, their background and their benefits in general and by way of example (see e.g. title and p. 3, 1st par.). Amongst "three main applications" of XML mentioned, two relate to the transmission of data, between computer systems and to users (see pp. 5-7 and secs. 1.3, 1.3.1 and 1.3.3; see also p. 63, sec. 6.3.2). It is disclosed that XML documents must be well-formed for an XML application to work on and that well-formedness of an XML document is defined in a DTD or XML schema (see e.g. sec. 2.1.2). XPath is disclosed as a notation "for navigating through XML documents" which are "model[led] as a tree of nodes", and to "address parts of ... XML document[s]", possibly comprising an entire "set of nodes", (p. 25, sec. 2.3, 1st par.; p. 31, sec. 2.5.4, 1st par.). It is also disclosed that XPath expressions have "attributes" and what can be dubbed "search terms" (p. 25, sec. 2.3), both for elements' names or for "content" (see e.g. the element name "copies" in the path "/child::book/child::copies" and the type attribute in the path "/book/author[@type='old']"; loc. cit.). It is disclosed that XSL is a "common language for transforming one XML document into another"(p. 30, lines 7-8) or for "filter[ing] ... data" (p. 31, sec. 2.5.3) and uses XPath expressions "to extract data from [an] XML document". The LotusXSL processor is disclosed as a known component for converting XML documents based on XSL (p. 46, sec. 4.2; p. 55 ff., ch. 6). One example given to illustrate the use of XSL mentions that elements in an XML document may be "CONFIDENTIAL" and for that reason deserve special treatment (see sec. 6.2.2).
3. The application refers to the situation that a "message including classified information" may have to be transmitted and as a "prior solution" to the security problem that the "person responsible for communicating [that] message" had to create "a new message by manually copying the unclassified portions into an empty message template" and transmit this "redacted version of the original message" instead of the original message (p. 2, penult. par.). The appellant argued that this passage was not to be construed as "an admission of prior art" (see letter of 8 September 201, p. 3, 2nd par.). The board concedes that the application itself does not imply whether such prior solutions had actually been prior art in the sense of Article 54 (2) EPC 1973 and the board could not establish whether such prior solutions had been prior art independently of whether the application admitted it.
4. However, the board considers it to be common knowledge that confidential data may have to be deleted from a document before it can be made available to certain third parties. It is commonly known that original documents are published with sensitive information blackened out. Also known are documents in which sensitive information is omitted and marked by an ellipsis such as "...". Both occasionally happens for instance when decisions of the boards of appeal are published in anonymized form.
5. The decision under appeal found (reasons 1.3) that the subject matter of claim 1 of the main request "differ[ed] from the disclosure of D1 in that an intermediate XML document [was] used" into which elements identified by the first set of statements were copied and from which elements identified by the second set of statements were removed "whereas in D1 the copying ... and the replacing ... [was] done on the fly and in one go". The decision found (reasons 1.4) that this distinguishing feature did not involve an inventive step because "generating a copy of a document and then filtering the copy or copying and filtering the original document simultaneously (on the fly) [were] merely well-known alternative implementations having no special technical effect." The decision further considered that an "intermediary representation" [was] probably generated in computer memory by the XSL processor as a matter of course (reasons 1.4 as well). The decision further dealt with and refuted the applicant's argument that the differences had a speed up effect, arguing inter alia that "[t]he creation of an intermediate XML document tend[ed] to render the whole processing slower" (see reasons 1.5).
6. The appellant took particular issue with this analysis in the decision under appeal (see grounds of appeal, section II, referring specifically to sections 1.3-1.5 of the decision), and argued that the invention had a technical advantage at least in certain situations. The appellant conceded that creating the intermediary XML document may slow down the processing for small files but explained that this was not true in all cases (see grounds of appeal, p. 3, lines 4-7), especially not if the given XML document was large and/or if the second set of statements identified a large set of elements (p. 3, 2nd and 3rd pars.). Since the claims did not specify the size of the XML document to be transmitted or the content of the configuration files the appellant argued in oral proceedings that the claimed filtering process reduced processing time at least for the worst case and thus, while possibly not reducing transmission latency in all cases, reduced the maximal transmission latency.
7. The appellant also referred to the arguments presented in the letter dated 24 July 2009 with regard to patentability for the main request (see grounds of appeal, sec. II, 1st par. and letter of 8 September 2014, p. 2, 4th par.) and stated that "this entire argument" formed part of the appeal. In this context it is also stated that the applicant challenged the comparison of the claimed invention with D1 as outlined in the letter of 24 July 2009 (see grounds of appeal, p. 3, lines 4-7). That communication argued (see p. 4, lines 4-6) that D1 did not disclose
a) the transmission of a document "from a sender to a receiver where the level of security changes".
In favour of an inventive step of the main request, it was argued (see p. 6, last par and p. 7, 1st par.) that D1 did not disclose
b) the production of an intermediate XML document,
c) a two-step filtering process as claimed nor, in this context,
d) the "copying of an entire tree from an element which is not a leaf node".
8. The board agrees with the appellant with regard to the differences between the claimed invention and D1 and assesses their inventive step as follows.
8.1 The board is of the opinion that the requirement to delete certain information from a document is determined by the circumstances, for example the policy decision to guard military or commercial secrets or the legal obligation that certain information not be made public. It is also determined by circumstances what is considered to be a "secure" or an "insecure" environment (difference a). For instance it may be an enterprise policy to consider all internal communication to be secure and all communication to the outside to be insecure. Typically, such a policy will apply to paper documents and digital documents in the same way.
8.2 The board further considers that the circumstances determine how a document is to be redacted or how this requirement is phrased. For illustration the following exemplary situations may be referred to: A court order may oblige a book publisher to delete every mention of a particular public person from a forthcoming book. The order might specifically state that a chapter dedicated to that person be deleted entirely - or, equivalently, that all chapters except this one may be published - and that all occurrences of that person's name in the rest of the book be blackened out. Anonymization of a decision by the boards of appeal may mean that name, address and affiliation of a party is deleted from the front page of the decision and that the name of the party's representative is replaced by a placeholder such as "XXX" throughout the body of the decision.
9. Starting from D1, i.e. from a system using XML and its tools for the transmission of documents, the skilled person would find himself confronted with a given policy of redacting documents containing sensitive information before making it available to a third party considered to be "insecure". As mentioned before, it can be reasonably assumed that this policy applies in particular to digital documents, so that the skilled person will have to address the problem of implementing the redaction policy in the context of D1.
9.1 The obligation to delete an entire chapter of a document straightforwardly translates into the deletion of the entire subtree starting at some <chapter> node (difference d). The obligation to blacken out a particular name translates into the removal of that name from the content and its replacement by a placeholder such as "XXX".
9.2 The board agrees with the appellant that the order in which these redaction tasks are performed has an impact on efficiency (difference c): It is more efficient to perform the deletions first because all replacements done in a part of the document will be made redundant if and when that part is eventually deleted. However, the board considers that this advantage is obvious from common sense. In the board's view, efficiency considerations are always on the skilled person's mind so that he or she would arrange the different redaction tasks in the claimed order as a matter of course and without exercising an inventive step.
9.3 This consideration is independent of whether the deletion tasks are formulated in an "aggressive" or a "permissive" way, as the application puts it (see p. 15, lines 21-25), i.e. whether the "first set of statements" defines what is to be kept or what is to be deleted. How the redaction rules are formulated may be a matter of policy ("paranoid" or "trusting", loc. cit.) and/or of convenience: If a large part of a document must be deleted it may be shorter to list what is to be kept than what is to be deleted; the inverse holds if only little is to be deleted. The board considers it obvious for the skilled person to formulate the redaction rules in the way they are given or according to convenience considerations as explained.
9.4 However, in the board's view, it does not have any significant technical advantage for the processing (or transmission) efficiency whether an intermediate XML document is produced during the filtering process or not (difference b).
9.4.1 The result of any filtering must be made available to a later filtering phase. It is possible that a first phase has to terminate before the second phase starts, in which case the result of the first phase naturally produces an "intermediate XML document". It is also possible that the first and second phase operate concurrently and that the intermediate results are passed on continuously so that at no point an entire intermediate XML document will be obtained.
9.4.2 The board deems both options to be common-place design decisions which the skilled person will make as a matter of course when implementing a modular process.
10. In summary, the board concludes that none of the differences between the claimed invention and D1 establishes an inventive step of the claimed matter over D1 since they are either given by circumstances and therefore constitute part of the problem rather than the solution or a matter of common sense and common practice in the art of program development.
11. Therefore claim 1 (and, by analogy, claim 13) of the main request lacks an inventive step in the sense of Article 56 EPC 1973 over D1 in view of common knowledge.
12. Claim 1 of the auxiliary request differs from claim 1 of the main request in requiring a "gateway server" which all transmitted messages must pass through and a number of details how the statements in the configuration file are formulated.
12.1 Neither the grounds of appeal nor the appellant's letter of 8 September 2014 argue that the provision of a gateway as claimed per se establishes an inventive step. In the board's view, the use of such gateway servers is a common architectural feature of conventional networks. For instance, gateway servers are commonly used to connect an enterprise network to the Internet and often run security relevant software such as a firewall. During oral proceedings, the appellant did not challenge the board on this point when it referred to the gateway server as a common network feature.
12.2 The appellant argued that the combination of these features is particularly advantageous "because a large number of messages from different sources may pass through the gateway server" (see letter of 8 September 2014, p. 3, last par.). In the board's understanding this language is intended to express the argument that the efficiency advantage of the claimed filtering process is particularly relevant, i.e. notable and desirable, if a gateway server as claimed is used. During oral proceedings, the appellant agreed that the board's paraphrase reflected the argument correctly.
12.3 The appellant thus did not argue that the additional features of the auxiliary request had any additional advantage relevant for inventive step, but only that they made an existing advantage more pertinent.
12.4 This fact, however, does not establish that claim 1 of the auxiliary request shows an inventive step. In the board's judgment as laid out above (see esp. point 9.2) it would have been obvious for the skilled person to obtain the mentioned efficiency gain with the claimed features even without the use of a gateway server. The claimed features can therefore not be less obvious in a different context in which the advantage may be more prominent.
12.5 Finally, the appellant argued that the use of search terms in the path statements avoids the need to formulate the redaction rules only in terms of "explicit tree paths" so that, as the board understands the argument, the configuration file becomes smaller (see letter of 8 September 2014, p. 3, last sentence).
12.6 The board is not convinced by this argument either. It is implied by the use of XPATH - as known from D1 - that the three types of path statements are available to the programmer. Their availability alone thus cannot contribute to an inventive step. It is, in the board's view, obvious for the skilled person that certain redaction rules may be more conveniently formulated by one type of expression in XPATH than another one. For instance, the rule that a specific chapter be deleted entirely is more conveniently expressed using an explicit tree path leading from the root node to the pertinent chapter node, whereas the rule that individual names be deleted is more conveniently formulated by reference to content which must be searched in the document, i.e. via "search terms". The skilled person would, therefore, make appropriate use of the features provided by XPATH in view of the given redaction rules and without the exercise of an inventive step.
12.7 In summary, the board therefore comes to the conclusion that also claim 1 (and, by the same token, claim 11) of the auxiliary request lacks an inventive step over D1 and common knowledge, Article 56 EPC 1973.
For these reasons it is decided that:
The appeal is dismissed.