T 2287/16 (Secured personal data handling system/OS NEW HORIZON) 09-10-2018

The invention

1. The application relates to the fact that users need to have "easy, affordable, and immediate" access to personal data, some of which may be sensitive (such as medical records) and must hence be specially protected (page 1, paragraph 1).

1.1 The application discloses that, as a solution, security tokens are known to store and protect sensitive data (see page 1, paragraph 2). Some such tokens are discussed in detail, esp. the "Medicard", which require biometric authentication before providing access to the stored data (see page 3, last paragraph, to page 4, paragraph 1). Known tokens are said to have a number of shortcomings such as lacking "connectivity" and liveness detection (see the paragraph bridging pages 4 and 5).

1.2 The invention proposes a particular such security token (see page 9, paragraph 2, and figures 3a and 3b). It provides encryption so that the sensitive data need not be stored in plain text, and different biometric, liveness and affect sensors, so that access to the data can be limited to authorized users, possibly depending on their emotional or physiological state (see e.g. page 14, last paragraph, to page 15, paragraph 2; page 26, paragraph 2, to page 28, paragraph 2; page 37, paragraph 2). The security token may act as a "mass memory" of private data for its owner (page 12, paragraph 1; page 13, lines 9-12 and 26-32; pages 33 and 39, paragraph 3) and may, insofar, replace other portable devices (see page 14, paragraph 2). It may also offer further functionality such as initiating an emergency call, e.g. through a connected cell phone, and communicating the device location (page 12, paragraph 2; page 15, last paragraph; page 24, paragraph 3; page 28, last paragraph, to page 29, paragraph 2; page 34, paragraph 2).

1.3 The envisaged typical use scenario is depicted in figure 1 (see page 23, penultimate paragraph, to page 24, paragraph 1). The token may be attached to one of several "external" devices, such as a smartphone (355), a landline phone (365), a computer terminal (360) or multi-user I/O terminals (362) connected to some service network, be it a landline or cellular telephone communication network (305, 310) or the Internet (370). When the token is attached to an external device and held by an authorized user, the external device can retrieve data from the token's memory or write into it (see page 41, lines 16-19).

1.4 It is also disclosed that biometric data can be obtained and verified "continuously" and that, if this fails, further access to the personal data may be denied and the token may "completely" shut down (see original claim 2).

Article 11 RPBA, Rule 103(1)(a) EPC,

alleged substantial procedural violations

2. The appellant requests that the appeal fee be reimbursed because two substantial procedural violations occurred during examination.

2.1 It argues that its right to be heard under Article 113(1) EPC was violated because it could not comment on documents D6-D8, which were mentioned first in the reasoned decision (see the grounds of appeal, page 3, paragraph 2; page 4, paragraphs 1-2).

2.2 It also takes the view that the decision was insuffi­ciently reasoned (Rule 111(2) EPC), because

i) the examining division justified an Article 123(2) EPC objection to a feature merely with the statement that "the applicant did not provide, and the examining division could not identify in the application as filed", disclosure of that feature (see page 6, last paragraph, to page 7, paragraph 1),

ii) it did not provide evidence for its statement that "the use of encryption for data protection is a well known tech­nique" (see the grounds of appeal, page 9, point 2.3.1), and

iii) it did not use, as would have been required, the prob­lem-solution-approach to show why the skilled person would have combined D1 and D2 (see page 10, point 4) or these two with any of D6-D8 (see page 10, point 2.4).

3. As regards the alleged violation of the appellant's right to be heard, the board's opinion is as follows.

3.1 The board agrees with the appellant that the mention of new documents only with the reasoned decision may affect the its right to be heard, but also where it does not may cause avoidable misunderstandings.

3.2 That said, the board notes that point 2.4 of the reasons, to which documents D6-D8 relate, discusses a feature which the examining division considered to contravene Article 123(2) EPC (see reasons 1.1). Ignoring this feature, the examining division concluded in point 2.3 of the reasons (last sentence) that claim 1 lacked inventive step.

3.3 The board has no objection to the examining division ignoring, in an inventive-step assessment, a feature that it found to contravene Article 123(2) EPC. More specifically, the board considers that the examining division is not obliged to anticipate the replacement of such a feature with a similar one that might be originally disclosed and provide a speculative inventive step assessment of a so-amended claim.

3.4 The board thus considers that point 2.4 of the reasons contains - and is easily recognisable as containing - an obiter dictum itself and not to form part of the reasons for the inventive-step objection. Thus, a potential deficiency of the argument in point 2.4 cannot be a fundamental one within the meaning of Article 11 RPBA or a substantial procedural violation according to Rule 103(1)(a) EPC. This applies in particular to the citation of documents D6-D8 "in support of the statement in section 2.4" (see further remarks 1 in the decision and point 3.1 above).

3.5 The board also notes that the argument put forward in point 2.4 of the reasons was already given in the communication of 30 March 2016 (point 2.1) without reference to any written evidence. The appellant not having responded to this communication, the examining division was entitled to maintain its opinion without having to produce evidence for it. And that the examining division has indeed maintained its opinion appears to follow from the fact that the newly cited documents were introduced merely "[f]or completeness" in a section clearly separate from the reasons for the decision.

3.6 Finally, while the appellant stresses that it should have been given an opportunity to study D6-D8, it does not, in its grounds of appeal, contradict the substantive assumption about the common knowledge in the art which D6-D8 were cited to support (reasons 2.4 and further remarks 1). Hence, the substantive assumption per se seems to be uncontroversial irrespective of the disclosure of D6-D8.

4. With regard to the allegedly insufficient reasoning, the board takes the following view.

4.1 The examining division found (see the decision, reasons 1.1) that it was not derivable from the passage in the description cited by the appellant - and which had been identified by the examining division in the annex to its summons to oral proceedings (see point 1.1) - and the last passage of page 39 "that the apparatus [was] operable to inter[face] with any other external device" as claimed. It was added ("Furthermore") that "the applicant did not provide, and the examining division could not identify in the application as filed, the support for the amendment" in question (see reasons 1.2). The examining division had already raised the same objection in its communication dated 30 March 2016 (see point 1.2), to which the appellant chose not to respond.

4.2 The board considers that the reasons provided by the examining division are sufficient to justify the Article 123(2) objection. It is not relevant in this regard whether the board agrees with it. Moreover, the examining division had no occasion to assume that the appellant considered this reasoning to be insufficient or in what respect.

5. Also as regards points ii) and iii), the board does not agree that the decision is deficient. Regarding point ii), the board notes that the appellant does not challenge the examining division's assumption in substance, and regarding point iii), the board notes that the examining division has formulated an objective technical problem and then stated that it was solved in D2 (see reasons 2.3.2). The board takes the view that this scenario would have provided sufficient prompt for the skilled person to combine D1 with D2 and sees no lack of compliance with the problem-solution approach.

6. When the board drafted its preliminary opinion, and for the reasons reproduced above, the board did not see any fundamental deficiency in the first instance proceedings that would have required an immediate remittal of this case to the first instance under Article 11 RPBA.

7. A reconsideration of this issue, and a decision as to whether a substantial procedural violation had occurred that could make reimbursement of the appeal fee equi­table, is not necessary because the board does not find the appeal to be allowable (see Rule 103(1)(a) EPC).

8. The appellant further argued that "the present application was unfairly prejudiced against as a result of the Unity Objection which was raised in the Search Opinion" (see the letter received on 4 October 2018, paragraph 2).

8.1 It is true that the search division raised a nine-fold non-unity objection against the set of claims 1-15 that were filed before the supplementary European search report. More specifically, based on the finding that independent claims 1, 6 and 12 were not allowable due to lack of novelty or inventive step over D1, it argued that the dependent claims made different and non-unitary contributions over D1. It is also true that the examining division maintained its non-unity objection - and the appellant objected to it - throughout the examination proceedings.

8.2 However, the application was refused inter alia for lack of inventive step and not for lack of unity. The non-unity objection against the dependent claims was kept only as an obiter dictum that expressly depended on the finding that the independent claims 1 and 5 lacked inventive step (see the decision, further remarks 2).

8.3 Thus, the non-unity objection is secondary (a posteriori) to the question whether the independent claims are allowable or not. If the independent claims had been found to be allowable, the non-unity objection would have fallen, too, and any objection to the dependent claims is immaterial for the application as a whole if the independent claims are found to lack inventive step.

8.4 The appellant states that he had to delete a substantial part of the claimed subject-matter in response to the non-unity objection. It also suggests that remittal for further prosecution by the examining division is required for the applicant to have the deleted subject-matter "fully examined" (see the letter received on 4 October 2018, page 3, paragraph 2).

8.5 The appellant does not, however, specify which subject-matter it had to delete or what kept it from reintro­ducing it during examination or appeal. At no point did the examining division - or this board - object to an amendment because it related to "deleted" subject-matter. Any subject-matter that the appellant might want to have "fully examined" by the examining division after remittal could have been filed during the appeal proceedings. That this has not happened renders unclear what purpose the requested remittal could serve.

8.6 Consequently, and irrespective of whether and to what extent the board agrees with the non-unity objection in substance, the board cannot allow this request.

Claim construction

9. The board notes that the term "interphase" does not exist in the relevant art and takes it that "interface" is meant instead.

10. The independent claims of all requests specify that the claimed "apparatus [is] operable to [interface] with an external device for various operations" without specifying the kind of operations or whether or how they interact with the security mechanism specified in the remainder of the claims.

11. The independent claims state that "access to the stored data files in said first memory module is denied to said external device and the operation of the portable handheld apparatus is completely shut down". Due to the "and", this phrase is ambiguous between saying that access is denied "by way of" shutting down the device or access is denied independently of the shutdown.

12. The independent claims specify that "access [...] is only enabled" after successful authentication of the user. The board notes that this phrase refers to any access, not just access by the external device.

13. The independent claims specify continuous biometric authentication and the detection of a "change" in the biometric parameters. Illustrating the notion of change, the appellant refers to a device that detects a change in the user's heart rate, takes this to indicate that the user is under duress and shuts down the device to protect the data (see the grounds of appeal, page 10, paragraph 2). However, the claim wording is much broader than that: Specifically, if the apparatus was handed over to a different user after the first authentication, a "change" in the measured biometric parameters would also be detected.

The prior art

14. D1 discloses an electronic device, preferably a mobile phone (see figures 6 and 7), with several biometric and liveness sensors for controlling access to its data (see paragraph 25, 28, 41, 57, 75 and 76).

15. D2 discloses a protected system that requires continuous biometric authentication for a user to get and keep access to the system (see column 2, lines 41-66, and column 3, lines 21-26) and that may shut down when the user "fails more than a prescribed number of [biometric] comparison tests" (see column 5, lines 4-6, and column 7, lines 24-28).

Inventive step

16. In a nutshell, the invention is a mobile data storage for sensitive data which can be attached to all kinds of "external devices" to provide them with access to the sensitive data. Access is controlled by biometric and liveness sensors and further protected by encryption. A central idea is that the mobile device keeps data storage separate from the applications running on the external devices (see the grounds of appeal, page 7, paragraph 4 from the bottom).

16.1 D1 discloses a smartphone storing sensitive data, access to which is controlled by biometric and liveness sensors, i.e. providing the claimed data storage functionality and the biometric access protection. The data access being controlled is "local", i.e. originates from a user manipulating the smartphone rather than from any "external device".

16.2 However, the board considers it to be commonly known that smartphone data can be accessed from an "external device", via its display and keyboard, for example from a PC in order to backup the smartphone memory or to transfer pictures. It is also commonly known that the data on the phone can only be accessed from the PC when the user has logged in at the phone. In its preliminary opinion, the board did not provide any written evidence for this assumed common general knowledge, and the appellant did not challenge it.

16.3 The board therefore takes it to be common practice in the art - and thus at least obvious in the context of D1 - that the access control mechanisms provided on the phone may also control access to the data from an external device such as a PC.

16.4 Beyond that, the board agrees with the assessment in the decision under appeal (see reasons 2.2), that the claimed invention differs from D1 by

(a) an encryption module for the storage of user's data,

(b) continuous biometric (re-)authentication, and

(c) shutdown of the apparatus should biometric re-authentication fail.

16.5 The appellant stresses that the "working relationship" between the "processing module", the "memory module", the "encryption module" and the biometric sensors is very specific and provides a link between the above differences (see the grounds of appeal, page 11, point 5). On this account the board notes that it is obvious that a "processing module" be "in communication" with all the other components. The board does not accept that any further interaction between the difference features can be derived from the claimed subject-matter.

16.6 As regards feature (a), the board agrees with the decision under appeal (reasons 2.3.1) that "the use of encryption for data protection" in computer memory is well-known in the art. Also the appellant has not challenged this assumption in substance (see the grounds of appeal, point 2.3.1).

16.7 As regards features (b) and (c), the board notes that there is no clear difference between "repeated" and "continuous" re-authentication, and reiterates (see point 13 above) that the notion of "change" is very vague and subsumes the situation that biometric data has changed because the apparatus was handed to a different user. From this perspective, the board agrees with the decision (see reasons 2.3.2) that D2 provides a solution to the problem given by the examining division, namely to avoid an unauthorized change of users.

16.8 The board therefore concludes that none of features (a) to (c) establishes an inventive step of the claimed invention over D1, Article 56 EPC.

Auxiliary requests 1-6

17. The auxiliary requests differ from the main request in referring to the external device's display or keyboard (auxiliary request 1), in limiting the "external device" to, respectively, "a mobile communication device or a personal computer" or simply "a mobile communication device" (auxiliary requests 3, 4, 5, 6), and in the deletion of dependent claims (auxiliary requests 2, 5 and 6).

17.1 The deletion of dependent claims is immaterial to the deficiencies of the independent claims. Also, in considering the main request the board has assumed the external device to be a personal computer. Therefore, the assessment of the main request applies directly to auxiliary requests 1-3 and 5.

17.2 The fact that the independent claims of auxiliary requests 4 and 6 are limited to external access by a "mobile communication device" does not have any impact on the accessed apparatus itself. Moreover, it was an obvious trend in the art well before the priority date in 2010 of the present application that "mobile communication devices" were carrying out more and more functions which used to be limited to desktop computers. Thus the board concludes that this difference cannot render the claimed invention non-obvious either.