T 1921/13 (Authentication of products / INEXTO) 15-10-2019
Download and more information:
METHODS AND SYSTEMS FOR MARKING, TRACKING AND AUTHENTICATION OF PRODUCTS
Grounds for opposition - insufficiency of disclosure (yes)
Grounds for opposition - invention not sufficiently disclosed over whole breadth of claim
Late-filed auxiliary requests - request clearly allowable (no)
I. In its decision to revoke the European patent, the opposition division held, inter alia, that the invention, as defined in the independent claims as granted, was sufficiently disclosed, but that the subject-matter of claim 1 was not new.
II. The proprietor appealed the decision.
III. With the decision to revoke the patent, the opposition division also rejected the opposition of Opponent 1 (Keit Ltd) as inadmissible. Opponent 1 did not appeal this and, therefore, has not been party to the appeal proceedings.
IV. In its statement setting out the grounds of appeal, the proprietor requested that the patent be maintained as granted, or, alternatively, on the basis of one of six auxiliary requests filed with the statement of grounds. The proprietor submitted that the independent claims, as granted, were novel and comprised an inventive step. With regard to the auxiliary requests, observations were submitted concerning Articles 123(2), 83, 84 and 52(1) EPC.
V. In response to the proprietor's statement of grounds, Opponent II (Sicpa Holding SA: hereinafter simply "opponent") presented arguments with respect to novelty and inventive step of the independent claims, as granted. In addition, observations were presented regarding the question of sufficiency of disclosure with respect to claims 7, 13 and 34, 38 and 39, as granted. The admissibility of the auxiliary requests was questioned, and objections of lack of novelty and of insufficient disclosure were raised.
VI. The Board issued a communication in preparation of oral proceedings, and briefly addressed all of the issues raised.
VII. At oral proceedings, the proprietor clarified how the invention worked. On this basis, it was discussed whether the invention, as defined in independent claim 33 as granted, was disclosed in a manner sufficiently clear and complete for it to be carried out by a skilled person. Following on from this discussion, the appellant retracted auxiliary requests 1 to 3 and 5, and filed a "new auxiliary request based on auxiliary request 4", to be considered after auxiliary request 6.
VIII. The final requests of the parties were formulated as follows:
The appellant (proprietor) requested that the decision under appeal be set aside and that the opposition be rejected (main request) or, alternatively, that the patent be maintained on the basis of one of the sets of claims filed as auxiliary requests 4 or 6 with the statement of grounds of appeal, or the new auxiliary request filed during the oral proceedings.
The respondent (opponent) requested that the appeal be dismissed.
IX. Claim 33 of the main request reads as follows:
A method of authenticating a manufactured item (43), comprising:
providing a plurality of secret codes to a checking centre (30) for authenticating ID codes on the manufactured items, and to a production line (101, 102) for producing the manufactured items;
generating a code and signing said code with a digital signature within a code generator (106);
marking the item (43) with the signed code;
transmitting the signed code to the checking centre (30) over a public network for authentication;
authenticating the digital signature by the checking center (30) using the plurality of secret codes;
retrieving the significance of the code at the checking center (30); and
transmitting the significance to a user over the public network.
X. Claim 1 of Auxiliary Request 4 reads as follows:
A method of marking manufactured items (43), comprising:
providing a plurality of secret codes to a checking centre (30) for authenticating ID codes on the manufactured items, and to a production line (101, 102) for producing the manufactured items (43);
generating an ID code for each manufactured item (43);
digitally signing each ID code by means of a secret derived from the plurality of secret codes and known to the checking centre (30), the checking centre being arranged to use the plurality of secret codes during authentication of the ID codes; and marking each manufactured item (43) with said signed ID code;
wherein the plurality of secret codes is a collection of random codes;
the method further comprising:
generating an index relating to the manufacture of one or more items (43);
transmitting the index to the checking centre (30) the checking centre (30) being arranged to use the collection of random codes and the index during authentication of the ID codes;
deriving the secret by a code generator, from the collection of random codes and from the index; and
digitally signing each ID code for each manufactured item (43) with a noise code derived by encrypting a copy of the ID code with the secret.
XI. Claim 1 of Auxiliary Request 6 is identical to claim 1 of Auxiliary Request 4, except that the end of the claim now reads:
digitally signing each ID code for each manufactured item (43) with a noise code derived by encrypting a copy of the ID code with the secret;
wherein the secret is further derived from the ID code.
XII. Claim 1 of the "New request based on Auxiliary request 4" reads as follows:
A method of marking manufactured items (43), comprising:
providing a plurality of secret codes to a checking centre (30) for authenticating ID codes on the manufactured items, and to a production line (101, 102) for producing the manufactured items (43);
generating an ID code for each manufactured item (43);
by processing data in a Production Information Code (PIC) which combines various data related to the manufacture of the item, including a code (MC) identifying a manufacturing centre 10, a code PL identifying a particular production 1ine 101 within a manufacturing centre 10, or a code generator ID instead of the manufacturing centre and production line codes MC, PL, and codes YR, DY, HR identifying the year, day and hour, respectively, when a particular item was manufactured and an individual number TI which is a progressive number corresponding to the chronological production sequence;
digitally signing each ID code by means of a secret derived from the plurality of secret codes and known to the checking centre (30), the checking centre being arranged to use the plurality of secret codes during authentication of the ID codes; and
marking each manufactured item (43) with said signed ID code;
wherein the plurality of secret codes is a collection of random codes;
the method further comprising:
generating, at the beginning of each production batch an index relating to the manufacture of one or more items (43);
transmitting the index together with the ID code of the first item to be produced in the batch to the checking centre (30), wherein the index is stored in a database 31 related to various information about the item to be manufactured to enable the checking centre 30, upon receipt of a request to check a particular signed ID code, to retrieve the particular index and, knowing the collection of random codes used by the code generator 106 to sign that signed ID code, validate the signature, the checking centre (30) being arranged to use the collection of random codes and the index during authentication of the ID codes;
deriving the secret by a code generator, from the collection of random codes and from the index; and
digitally signing each ID code for each manufactured item (43) with a noise code derived by encrypting a copy of the ID code with the secret;
wherein the checking centre retrieves the information related to the production batch corresponding to the received ID code from the database 31, and, if the retrieval is successful, the retrieved collection of random codes and the index are used to reconstruct the noise code from the received ID code and to verify the validity of the signature.
XIII. The arguments of the parties, insofar as they are pertinent, are set out below, with the reasons for the decision.
Background of the invention
1. The invention relates to the marking and authentication of manufactured items so as to prevent counterfeiting and contraband. An item is marked with a digitally-signed product code, at a production line, when it is manufactured. At each stage of the distribution and commercialisation process, the authenticity of the item can be verified by sending a query, containing the signed code, to a checking centre. The invention lies in the idea that the checking centre can reconstruct the signed code in the same manner as it was constructed at the production line, and can compare the two signed codes to verify the authenticity of the received code. This means that the checking centre does not have to store a large number of production codes, against which to compare the received code. This, in turn, obviates the need to transfer large amounts of confidential data to the checking centre, and thus reduces the risk that this data may be somehow compromised. It is only necessary for the checking centre to know which secret was used to sign the product code.
Main request
Sufficiency of disclosure - Article 100(b) EPC
2. Claim 33 defines a method of authenticating a manufactured item. The claim first defines the steps which are required to mark manufactured items with a code that can be authenticated. A plurality of secret codes is provided to the production line and the manufactured items are marked with an ID code which has been signed with a digital signature. When authentication of a manufactured item is to be performed, this signed ID code is transmitted to a checking centre. The checking centre is also provided with the same plurality of secret codes as were provided to the production line, and authenticates the digital signature "using the plurality of secret codes".
3. During the opposition proceedings, the opponent submitted, inter alia, that the patent did not contain sufficient teaching with regard to how the authentication was performed. In particular, the description did not disclose that the checking centre contained any sort of correspondence table allowing the secrets to be linked to the product ID codes. This meant that, when an authentication request was received at the checking centre, there was no disclosure of how the correct secret could be retrieved for a given product. The opposition division, in its decision, held that the skilled person would understand from the patent that a database must be provided linking the secrets with the corresponding product ID codes. On this basis, the opposition division considered that the invention was sufficiently disclosed. However, the opponent returned to this argument during the appeal proceedings.
4. In accordance with established case law, the requirement of sufficiency of disclosure is only complied with if the disclosure of the invention allows the skilled person to perform, without undue burden, essentially all the embodiments falling within the ambit of the claims. This is important, because the protection obtained with the patent should be commensurate with the disclosed teaching (see Case law of the Boards of Appeal of the European Patent Office, 9th edition 2019, II.C.5.4).
5. In contrast to the opinion of the opposition division, the Board considers that the disclosure of a single way of carrying out the invention (as required by Rule 42(1)(e) EPC) does not necessarily imply that the invention has been sufficiently disclosed. It is only sufficient if it allows the invention to be performed over the whole scope of the claim.
6. The description sets out how the ID code is generated and how it is signed. Specifically, a Unique Product Identifier (UPI) is generated for each item. Paragraphs [0031] to [0035] explain that the UPI can be made up of a Product Information Code (PIC) and an individual number (TI). The PIC can include data relating to the manufacture of the item, e.g. a code identifying the manufacturing centre MC; the specific production line PL; and the year YR, day DY, and hour HR of production. The TI can be a unique, chronological number, given to each item in a specific hour.
7. Paragraphs [0037] and [0038] explain that a salt generator centre generates a large collection of secret codes, known as a salt matrix, made up of random or pseudorandom data. Each salt matrix is unique and is transmitted to both the intended production line and the checking centre. The checking centre stores the salt matrices in a database, with identification of the respective production lines to which they correspond. In each production line, the respective salt matrix is used to generate the secret key which is used to sign the UPI of the items from that production line.
8. Paragraph [0046] explains that, at the start of each production batch, a random salt index alpha ("index") is generated. This index is changed at the start of each production batch and may be regarded as a dynamic secret code. Although not disclosed as such in the description, it would appear that this index serves to provide a mechanism by which the secret can be derived from the salt matrix.
9. Paragraph [0047] explains that the UPI code of the first item to be produced in a batch is sent, together with the corresponding index, to the checking centre. In the checking centre, the index is stored in a database "related to various information about the item". When the checking centre receives a request to authenticate a particular signed UPI code (SUPI code), the index related to that SUPI code can, therefore, be retrieved from the database. Knowledge of the index enables the secret used by the production line to create the signature to be derived from the salt matrix and the signature can therefore be reconstructed and authenticated.
10. The proprietor explained that the invention was about providing the necessary information to the checking centre, to enable it to authenticate the SUPI. When the checking centre received a SUPI for authentication, it extracted the UPI from it, retrieved the corresponding secret from its database, reconstructed the signed UPI using the extracted UPI and the retrieved secret, and compared the reconstructed SUPI to the received SUPI. Since the authentication was performed by reconstructing the SUPI at the checking centre in the same way as it was initially constructed at the production line, the checking centre had to have the same information as the production line at its disposal.
11. The proprietor submitted that the paragraphs of the description referred to above explained, in detail, how the authentication was performed. The skilled person would understand from the description that not only the index, but also the UPI code should be stored in the database and that the corresponding UPI codes and indices should be stored in a manner which allowed the correct index to be retrieved from a particular UPI code. Paragraph [0033] set out that the manufactured items are assigned chronological numbers. The UPI code of the first item in a particular batch allowed the checking centre to identify the batch. From this, the corresponding index could be ascertained. Thus the description clearly set out one way which would permit the index to be retrieved from the UPI.
12. The proprietor explained that claims 1 and 33 attempted to define this authentication concept in general terms. In particular, they defined the system architecture, the "who knows what", and the steps which have to be performed to mark and authenticate the manufactured items.
13. However, the invention of claim 33 is defined in such general terms that it encompasses embodiments which have not been sufficiently disclosed.
14. Although paragraphs [0046] and [0047] provide some explanation of how the checking centre gains knowledge of the secret used to sign the UPI code (although no details are provided with respect to how the index, the matrix and the secret are related and how the secret is derived from the plurality of secret codes), this disclosure is based on the premise that data are stored in the checking centre in a manner which allows a link to be made between the received SUPI and the secret used to create the signature. However, the method of claim 33 does not define such a link. Claim 33 only defines that a plurality of secret codes are provided to the checking center and that this plurality of secret codes is used by the checking centre to authenticate the digital signature. It is not defined, in claim 33, that the plurality of secret codes is in any way identified as belonging to a specific production line or that the checking centre knows which secret was used at which production line. The claim, therefore, encompasses embodiments in which the checking centre is not provided with any means of matching the secret codes to the corresponding ID codes.
15. Although one way of carrying out the invention has been described (Rule 42(1)(e) EPC), there is no disclosure in the patent of how the checking centre can perform authentication using the plurality of secret codes without a link being defined between the SUPI and the secret used to create the signature. The patent only contains information as to how to reconstruct the SUPI when the UPI can be linked to a secret stored in the checking centre.
16. The invention, in the breadth defined by claim 33, is, therefore, not disclosed in a manner sufficiently clear and complete enough for it to be carried out by a person skilled in the art.
17. This finding also applies - for even stronger reasons - to claim 34. Here, it is further specified that codes generated by the code generator are not stored. These codes are the UPI codes.
18. On the basis of the previous discussion, the opponent recalled that at least one UPI of a production batch and the index associated with that UPI would have to be stored at the checking centre. How the method could be implemented, without storing any UPI codes at all, was not disclosed. If the UPI codes were not stored, then the checking centre would not have the information necessary to reconstruct the SUPIs for the authentication process.
19. The proprietor explained that, since the UPIs were generated batch-wise, it would be sufficient to store only the first UPI of a particular batch, together with the associated secret. This would allow a link to be formed between the UPI representative of a production batch and the index, from which the secret used to sign the UPIs of that batch could then be derived. Since it was clearly necessary to store at least one UPI per production batch, claim 34 should be interpreted to mean only that some of the codes were not stored.
20. The Board does not agree with this interpretation. On a natural reading of claim 34, the skilled person would understand that the codes generated by the code generator are not stored: in other words, none of the generated codes is stored. According to claim 34, the checking centre, therefore, does not contain any of the UPI codes generated by the code generator and so has no means of establishing the link between the received SUPI and the secret used to create the signature. In the absence of the necessary UPI data, the checking centre will not be able to link the received SUPI to any of the plurality of secret codes, and will not be able to authenticate the received SUPI. No indication is provided in the patent as to how the authentication may be carried out when the data required to establish the link is not available, as covered by claim 34. The invention defined in claim 34 is, therefore, not disclosed in a manner sufficiently clear and complete for it to be carried out by a person skilled in the art.
21. The opposition division referred to the principle set out in T 190/99, that the patent must be construed by a a mind willing to understand. On this basis, the opposition division concluded that it would be nonsensical to create a database in the checking centre in which the indices and the salt matrices could not be linked to the production lines and the corresponding UPIs. However, the Board points out that this principle relates to the interpretation of claims and does not provide a carte blanche to read features into the claim which are simply not there. The broad reference to authenticating the digital signature using the plurality of secret codes, and specifically, the absence of any definition in claims 33 and 34 to a link between the secret and the ID code, therefore, has to be understood to extend to cases in which the checking centre is not provided with the means for directly deriving the secret from the UPI.
22. In summary, the invention, as set out in claims 33 and 34, is not sufficiently disclosed.
23. The main request is therefore not allowable.
Auxiliary Request 4
Admissibility
24. The opponent submitted that Auxiliary Request 4 could have been presented during the proceedings before the opposition division, but was not. It should not, therefore, be considered in the appeal proceedings. Moreover, the requirement that the requests be convergent should be satisfied at the date of their filing. Since the claims of Auxiliary Request 4 were not convergent with the claims of Auxiliary Request 2 when it was filed with the statement of grounds, Auxiliary Request 4 should not be considered in the proceedings.
25. The Board decided to consider Auxiliary Request 4. This request attempts to deal with the question of insufficient disclosure, on the basis of which the main request was not allowed. Since Auxiliary Request 4 was filed with the statement setting out the grounds of appeal, the opponent was aware of its contents and could not be taken by surprise. With the deletion of the Auxiliary Requests 1, 2 and 3, the question of lack of convergence no longer arises: claim 1 of Auxiliary Request 4 is more limited than claim 1 of the main request. It is the convergence of the current requests which matters, and not the convergence of previously-filed requests which have since been withdrawn. In addition thereto, the Board notes that Auxiliary Requests 1, 3, 4, 5 and 6, filed with the statement setting out the grounds of appeal, formed a convergent set of requests. Auxiliary Request 2 was a clear outlier, which did not fall into this convergent pattern. It was, therefore, unsurprising that the proprietor retracted Auxiliary Request 2 once the Board drew attention to this deficiency.
Sufficiency of disclosure
26. Claim 1 relates to a method of marking manufactured items. The items are marked in a manner which allows them to be authenticated by a checking centre. The method of marking therefore involves providing the checking centre with the necessary information to perform the authentication.
27. In the claimed method, an ID code is generated for each manufactured item. A plurality of secret random codes are provided to the production line and to a checking centre. Furthermore, an "index" relating to the manufacture of one or more items is generated. A secret is derived from this index, together with the plurality of secret random codes. The secret is used to sign the respective product ID codes. In contrast to the method of claim 33 of the main request, this secret is known to the checking centre.
28. However, in the same way as claim 33 of the main request, claim 1 does not define that any link is established in the checking centre between the secret (or the index) and the product ID codes. Thus, even although the secret itself is known to the checking centre, how this secret relates to the product ID codes is not known. In this situation, there is no disclosure of how the items can be marked in a manner which allows the checking centre to authenticate them.
29. The proprietor submitted that paragraph [0047] made clear that a link was established between the UPI code of the first item to be produced in a batch and the corresponding index. Both of these pieces of data were transmitted to the checking centre. The skilled reader would realise that - although paragraph [0047] only stated that the salt index alpha was stored in a database - both pieces of data would have to be stored in a manner linking them together. Only in this way could the checking centre, on receiving a request to authenticate a particular SUPI code, retrieve the correct index and derive the correct secret for re-constructing the SUPI. In other words, the skilled person would know what to do with the data which was sent to the checking centre.
30. As noted above, the Board agrees that paragraph [0047] at least suggests to the skilled reader that the UPI code of the first item in a batch is linked to the index in the checking centre. However, claim 1 is drafted so broadly that it encompasses methods of marking in which the index and the ID codes are not linked in any manner. In fact, claim 1 does not even define that the ID code is transmitted to the checking centre. When this link is missing, the skilled person receives no guidance from the patent as to how to derive the index from the UPI. Without knowledge of the correct index, the correct secret cannot be established, and the received SUPI cannot be authenticated. In other words, claim 1 is drafted so broadly that it extends to subject-matter which has not been sufficiently disclosed. Specifically, the contested patent contains no disclosure of how the items can be marked so as to allow authentication if the necessary correspondences cannot be established.
31. The invention, as defined in claim 1, is, therefore, not disclosed in a manner sufficiently clear and complete for it to be carried out by a person skilled in the art.
32. Auxiliary Request 4 is, therefore, not allowable.
Auxiliary Request 6
Admissibility
33. Claim 1 still does not define any link between the ID code of a manufactured item and the corresponding index. Prima facie, Auxiliary Request 6, therefore, does not overcome the objection of insufficient disclosure set out above with respect to claim 1 of Auxiliary Request 4.
34. The proprietor accepted that this was the case.
35. The Board, therefore, did not admit Auxiliary Request 6 into the procedure (Article 13(1) RPBA 2007).
"New auxiliary request based on Auxiliary request 4"
Admissibility
36. The new auxiliary request based on Auxiliary request 4 was filed during oral proceedings, after the previous requests had been dealt with. It was, therefore, presented very late in the proceedings.
37. Under Article 13(3) RPBA 2007, amendments sought to be made after oral proceedings have been arranged shall not be admitted if they raise issues which the Board or the other party cannot reasonably be expected to deal with without adjournment of the oral proceedings. One of the criteria frequently applied by the boards when deciding whether to consider a new request filed at the oral proceedings, is that the request should be clearly allowable, in the sense that it is immediately apparent to the board, with little investigative effort on its part, that the amendments made successfully address the objections raised without giving rise to new ones (Case law of the Boards of Appeal of the European Patent Office, 9th edition 2019, V.A.4.5.1a)).
38. The proprietor indicated that claim 1 was based on claim 1 of auxiliary request 4, but included additional passages which had been copied from the description, to address the objection of insufficient disclosure raised with regard to the previous requests.
39. In view of the extensive amendments, it was not immediately apparent whether a basis existed for all of the amendments (Article 123(2) EPC). Although the proprietor clearly indicated the passages of the description which had been copied into the claims, it was not apparent whether the resulting conglomeration of features in claim 1 was originally disclosed as a single embodiment, or whether features of a single embodiment of the original disclosure had been omitted from the amended claim. It was also not immediately apparent whether the features defined in the dependent claims were originally disclosed in combination with the subject-matter of new claim 1.
40. In view of these doubts, the Board did not admit the new auxiliary request into the procedure (Article 13(1) RPBA 2007).
For these reasons it is decided that:
The appeal is dismissed.