European Case Law Identifier: ECLI:EP:BA:2015:T095112.20151007
Date of decision: 07 October 2015
Case number: T 0951/12
IPC class: G06F 21/00
Language of proceedings: EN
Title of application: Persistent servicing agent
Applicant name: Absolute Software Corporation
Relevant legal provisions:
Keywords: Inventive step (no)
Summary of Facts and Submissions
I. The appeal lies against the decision of the examining division, with reasons dated 8 December 2011, to refuse European patent application No. 06748543.3 for lack of inventive step over document
D1: US 5 680 547 A.
The decision also referred to further documents, including
D4: US 5 748 084 A,
but did not rely on any of them for its reasons.
II. A notice of appeal was received on 8 February 2012, the appeal fee being paid on the same day. A statement of grounds of appeal was received on 10 April 2012. The appellant requested that the decision under appeal be set aside and that a patent be granted based on claims according to the main or first to fourth auxiliary requests filed with the grounds of appeal, the other application documents on file being the description and the drawings as originally filed.
III. With a summons to oral proceedings, the board informed the appellant of its preliminary opinion that the claims according to all requests lacked clarity, Article 84 EPC 1973, and an inventive step vis-à-vis D1. The board also introduced two documents from related appeal case T 1261/12, namely
D6: US 6 507 914 B1 and
D7: WO 98/43151 A1,
and raised an inventive-step objection based on D6 or D7 in view of D1, Article 56 EPC 1973.
IV. In response to the summons, with letter dated 24 March 2015 the appellant filed amended claims according to a new sole request.
V. Oral proceedings were held on 7 October 2015, together with the oral proceedings in case T 1261/12. During these oral proceedings, the appellant replaced its sole request by an amended set of claims 1-23 bearing the date of 6 October 2015.
VI. Claim 1 reads as follows:
"An electronic device comprising a persistent servicing agent disposed in the electronic device, the electronic device connected to [sic] a network to a remote server, the persistent servicing agent configured to provide an asset tracking service with respect to the electronic device, comprising:
a driver agent comprising a partial driver agent concealed in the electronic device and a full function driver agent, wherein the full function driver agent is responsible for all communications with the remote server in providing the asset tracking service, and the partial driver agent is configured with a reduced set of functions compared to the full function driver agent, and to determine whether the full function driver agent is available in the electronic device; wherein the partial driver agent is not resident within the file system and is configured to reload portions of the full function driver agent, across the network, that may have been removed or are missing from the electronic device
a run module configured to automatically initiate operation of the driver agent without user initiation or user intervention;
wherein the full function driver agent is configured to communicate with the remote server in providing a data deletion service under control from the remote server, to perform one or more of (a) deleting all or specific files or directories based on user preference, (b) restarting the data deletion service if the device is rebooted while data deletion is in progress, (c) deleting the operating system, (d) overriding the data deletion service if the device is recovered, (e) obtaining log files from the agent after a first stage delete before deleting the operating system in a second stage delete, (f) overriding the data deletion service to stop the data deletion from running again if the device is recovered, (g) checking whether a theft report exists for the device, checking that the device is positively identified and checking that a pre-authorisation agreement is in place, (h) sending notifications to interested parties when the deletion service is launched."
VII. At the end of the oral proceedings, the chairman announced the decision of the board.
Reasons for the Decision
1. The application relates to the provision of a tamper-resistant "agent" program for providing what is referred to as an asset tracking service on a networked client device.
1.1 An asset tracking service is meant to reduce the risk that networked devices (assets) are lost or stolen and, if they are, that confidential data is lost or the integrity of the enterprise network is compromised (see e.g. the paragraph bridging pages 1 and 2). In performing its services, the agent automatically and regularly contacts a monitoring centre in order to transmit service-relevant information, e.g. about the identity of the device and its location (page 4, lines 7-10).
1.2 An agent deployed on a device is protected against detection, i.e. hidden ("stealthy"; page 4, last paragraph), and tamper-resistant, i.e. protected against unauthorised modification or removal, even against "operating system installation, hard drive format and hard drive replacement" (see page 13, 2nd paragraph). To achieve this, the agent is disclosed as incorporating "self-healing technology" which is meant to restore the agent if removed. The "self-healing function" is "not resident within the file system" (loc. cit.).
1.3 The description explains that the agent may consist of three "modules", the "Computrace" Loader Module CLM, the Adaptive Installer Module AIM and the Communications Driver Agent CDA (page 14, 3rd paragraph). The CDA contains a driver, the "mini CDA", which checks whether the entire CDA is present and, if not, initiates the download or update of the CDA (page 15, 2nd paragraph; page 18, 2nd paragraph et seq.; page 33, lines 10-12 from the bottom).
1.4 It is disclosed that the agent may also provide a data deletion service to cope with the possibility that physical recovery of the tracked device may not be feasible (see pages 30 to 33; esp. section "Data Delete", 1st paragraph). The data deletion service is disclosed as having a number of optional functions (page 30, line 8 from the bottom to page 31, line 14), including the function of deleting all or some local files or directories or of deleting the local operating system.
The prior art
2. D6, also filed by the present applicant, discloses an asset tracking system based on the same software product ("Computrace"; see e.g. figure 2a). D6 also discloses an "agent" which is "concealed" and protected against tampering. The agent "hides within the software/firmware/hardware" of the protected device so as to "evade detection" and "resist possible attempts to disable it by an unauthorized user" (see e.g. column 2, lines 14-24; column 5, lines 32-36) and may be stored on the boot sector of the hard disk, i.e. outside the file system (column 2, lines 42-45). The agent is loaded and started during boot up without user initiation or intervention (see e.g. column 5, line 23 to column 6, line 18; esp. column 6, lines 17-18). It is also disclosed that the asset tracking service may provide an automatic call to the local authorities to report a stolen device (see column 8, line 65 to column 9, line 7). D7 also stems from the present applicant and is very similar to D6 (see in D7 esp. figure 3-1; page 4, lines 8-11 and 21-23; page 30, last paragraph; and page 36, lines 10-12).
3. D1 discloses a system providing for pre-boot file and information transfer between networked devices (see abstract, lines 1-3). Whenever a client connects to a network, the client firmware (column 4, lines 47-50) executes a program which seeks a server with which to communicate. The server management application (SMA) then "performs whatever tasks it is preprogrammed to perform", for instance "file transfers, file updates or operating system rescue (due to malicious or accidental damage)" (column 4, lines 43-46 and 60-63). It is also disclosed that the SMA might check whether the client boot sector is virus-free and, if not, remove the virus and restore the boot sector (column 4, lines 63-67).
4. D4 discloses an asset tracking and managing system based on a "beacon" device attached to the tracked computer (see esp. column 1, 1st paragraph and column 4, 2nd paragraph to column 6, penultimate paragraph). The beacon contains tracking software which cannot be bypassed or removed without impairing the functionality of the computer. Normally, the function of the beacon is concealed (column 8, 2nd paragraph). The beacon determines whether the protected computer has been tampered with and reacts to tampering (see column 4, lines 55-61; column 8, penultimate paragraph to column 9, 1st paragraph) for instance by shutting the computer down, transferring files to the server, deleting the local operating system, disabling access to the hard drive or prohibiting certain operations on files.
5. The board considers that D6 constitutes a suitable starting point for the assessment of inventive step.
6. The appellant argued that "persistent" in the context of the claimed invention referred to the partial driver agent's function of reconstituting the full servicing agent if it was corrupted or parts of it were removed or lost, and that D6 therefore did not disclose a "persistent servicing agent".
6.1 The board disagrees, noting that the appellant's use of the term "persistent" is not established in the art. Specifically, it does not correspond to the conventional understanding that memory may be called "persistent" if its contents are not lost when the power is switched off and that program code may be called "persistent" if it is held in persistent memory.
6.2 The board also notes that the capability of the agent to reconstitute itself is expressly claimed, so the characterisation of the servicing agent as "persistent" - as interpreted by the appellant - does not limit the claim further.
6.3 The board concludes that D6 discloses a "persistent servicing agent" according to a conventional understanding of the term, because the servicing agent of D6 is held in persistent memory (see column 2, lines 38-54).
7. Amended claim 1 contains new language according to which the full function driver agent is responsible for all communications with the remote server in providing its services. The board notes that the agent according to D6 has this feature as well (see e.g. column 6, line 60 - column 7, line 29).
8. Claim 1 according to the main request differs from D6 in that
i) the "persistent servicing agent disposed in the electronic device" comprises two parts, a "full function driver agent" and a "partial driver agent [...] with a reduced set of functions",
ii) wherein the partial driver agent is "configured to determine whether a full function driver is available in the electronic device" and "to reload portions of the full function driver" should that not be the case; and
iii) wherein the full function driver agent "is configured to communicate with the server in providing a data deletion service, to perform one or more of" a number of alternative functions.
8.1 The board considers that differences i) and ii) solve a problem which is different from and independent of the problem solved by difference iii).
8.1.1 An effect of the arrangement according to features i) and ii) is that the servicing agent can be made larger than would fit in the concealed section of memory. The board considers that occasions will naturally arise in which the functionality of the servicing agent must be extended. It may further happen that the concealed memory location allocated for the servicing agent becomes too small. This corresponds to a statement made in the description itself (see page 35, section B, lines 9-10).
8.1.2 The objective technical problem solved by the above difference can therefore be considered as how to handle the situation that an extended servicing agent does not fit in the concealed memory space of D6.
8.1.3 The effect of difference iii) however is primarily the protection of confidential data on a tracked electronic device.
8.1.4 In the board's view, these problems are unrelated to each other. A data deletion service can be provided by an agent such as that according to D6, which is concealed as a whole, if the concealed memory is large enough to store the agent with the additional functionality. And the claimed "reloading" functionality is useful to address a space limitation of the concealed memory, whatever may be the specific service the agent provides.
8.1.5 The appellant took the position that the claimed invention had to be considered as solving a single problem, because the full function driver agent, which was subject to a potential reloading by the partial driver agent, was "responsible for all communications with the remote server" and thus also for the communications needed for the data deletion service.
8.1.6 The board disagrees. The fact that the data deletion service uses the communication means provided by a particular agent component does not establish a functional link between the service and the way in which the communication service is provided (beyond the fact that it is provided at all).
8.1.7 The board thus concludes that the claimed invention solves two separate problems over the prior art, the inventive step of which can thus be addressed separately.
Inventive step of differences i) and ii)
9. If the functionality of the servicing agent is extended in such a way that the concealed memory space becomes too small, the board considers it obvious for the skilled person to store parts of the servicing agent elsewhere. The skilled person may also be forced to store the additional functionality in a place in which it is less "concealed" and thus can be removed or corrupted. D3 teaches the skilled person to protect the servicing agent against tampering. The skilled person would therefore be led to search for known ways of protecting the non-concealed parts of the servicing agent.
10. In the board's view, D1 provides such a teaching.
10.1 D1 discloses that the client workstation, in a pre-boot process, initiates communication with a server running "server management application" SMA, which then performs "whatever tasks it is preprogrammed to perform", such as "file transfers" and "file updates" (column 4, lines 42-50 and 56-57). As an example, D1 discloses that the SMA may remove a virus from the boot sector and restore the boot sector (column, lines 63-67). The board considers that detecting that a piece of software is virus-infected falls within the claimed determination of whether the software is "available" or "missing". The board therefore finds that D1 discloses the reloading of software which may be missing from or not available at the electronic device.
10.2 The appellant argued that D1 did not disclose a "servicing agent" within the meaning of the claim because it was confined to pre-boot activities. The term "servicing agent" and "service" clearly related to an "operating system service", whereas D1 taught terminating the SMA's interaction with the client before running the operating system. As a consequence, it was argued, the skilled person would not turn to D1 in trying to solve a problem with D6.
10.3 The board notes that the claims do not explicitly specify when the agent programs are to run, i.e. before or after the boot phase, and disputes that the term "service" alone must be construed, as the appellant suggests, to imply that they are run after booting. The board therefore takes the position that whatever the SMA according to D1 performs can validly be called a service, notwithstanding the fact that it runs before booting. Moreover, the board considers that the skilled person, starting from D6, would be taught by D1 that - and how - missing or corrupted software can be reconstituted in the pre-boot phase and would not hesitate to apply this teaching to D6.
10.4 The appellant further argued that D1 did not disclose a program arranged in such a way that a part of it was set up to reload other parts of itself. D1 disclosed that the operating system could be the subject of the pre-boot service, and that the latter had a "functional subset of the operation system" at its disposal (column 5, lines 1-15) but that the missing portions were reloaded not by the partial operating system itself but by a separate device.
10.5 The board also rejects this argument. The claimed invention does not specify in detail the asset tracking service the agent is meant to provide. Therefore, what does or does not belong to this service is, in the board's view, an exclusively conceptual definition. Accordingly, it is justified to consider the reloading function of the SMA according to D1 (see point 10.1 above) to constitute a part of the provided service which, hence, is equipped to reload "itself".
11. In view of the above, the board considers that the skilled person would, without exercising any inventive skill, apply the cited teaching of D1 to D6 and arrive at the claimed invention - except for the fact that the "reloading" service of D1 is carried out under the control of software (the SMA) running at the server, whereas the claimed driver agent controls the reloading itself.
11.1 In this regard, the board considers it obvious for the skilled person to transfer some functions from the server to the client and to run some of the pre-boot activities locally rather than on the server, for instance if the number of clients communicating with the same server made better load-balancing desirable.
11.2 In summary, the board concludes that differences i) and ii) do not establish an inventive step of claim 1 over D6 in view of D1.
Inventive step of difference iii)
12. Document D4 discloses an asset tracking service to perform a number of security processes on a tracked client device that has been reported stolen (see col. 5, line 59 - col. 6, line 2). In particular, it is disclosed that this may include erasure of the hard drive or the removal of the operating system or of other files (col. 6, lines 2-5 and 39-45). In the board's view, D4 thus discloses a data deletion service implementing at least the claimed features (a) and (c).
12.1 Noting that the functions (a) to (h) of the data deletion service are claimed as alternatives, this is sufficient to conclude that D4 discloses the data deletion service as claimed.
12.2 The board therefore finds that the skilled person trying to protect confidential data in the context of an asset tracking service would be instructed by D4 to provide a data deletion service as claimed.
12.3 Hence, difference iii) does not establish inventive step over D6 either, in particular not in view of D4.
13. The board finds that claim 1 of the main request lacks inventive step over D6 in view of D1 and D4, Article 56 EPC 1973.
For these reasons it is decided that:
The appeal is dismissed.