T 1332/19 23-11-2022
Secure handling of stored-value data objects
I. The appeal is against the decision of the examining division refusing the European patent application No. 05 110 957.7 for lack of inventive step.
II. The appellant-applicant requested initially that the decision under appeal be set aside and that a patent be granted on the basis of the "claims on file" as main request or of the auxiliary request filed with the statement of the grounds of appeal.
As "claims on file" the board understands the claims underlying the contested decision, i.e. claims 1 to 22 filed on 3 October 2018.
III. The following documents are referred to in this decision:
D5: EP 1 109 138 A2
D6: WO 01/39055 A1
IV. The board summoned the appellant to oral proceedings scheduled for 1 December 2022. In a communication under Article 15(1) RPBA 2020 the board expressed its preliminary opinion that the claims according to the main request seemed to involve an inventive step. It however raised objections under Article 84 EPC and indicated that a decision could be issued in writing, if the appellant submitted amendments overcoming those objections in time before the oral proceedings.
V. With a letter dated 10 October 2022 the appellant submitted amended description pages. The board is satisfied that the amendment addresses its objections (see the reasons for the decision below).
VI. With a letter dated 15 November 2022 and received at the EPO on 17 November 2022, the appellant filed new claims replacing the claims then on file.
Since these claims differ from the previous main request only in some editorial aspects and not in substance, the board does not see any reason to change its preliminary opinion with respect to inventive step, as based on the claims of the main request.
Therefore, the board cancelled the oral proceedings and issues its decision in writing, as it had announced in its communication.
VII. The current main - and sole - request is constituted by the following application documents:
- Pages 1/31 to 6/31, and 21/31 filed with letter dated 10 October 2022;
- Pages 7/31 to 20/31 as originally filed;
- Claims 1 to 20 filed with letter dated 15 November 2022;
- Drawings, Sheets 1/6-6/6 as originally filed.
VIII. Claim 1 of the main request reads as follows:
A user device (16) serving as a secure agent for electronic ticket redeeming systems, the user device comprising:
At least one wireless communication interface (42, 44) to communicate redemption transactions with the redeeming systems and electronic ticket transactions with a ticket issuing system, TIS (12);
A security element (20) being a tamper resistant secure module, comprising at least one processor and associated memory, arranged for:
storing an electronic ticket in the memory of the security element (20), said electronic ticket being generated with the desired content and signed or otherwise authenticated by the TIS (12) and
sending the electronic ticket to a redeeming system (14) for high security verification of the ticket by a redeeming system, the electronic ticket comprised in a composite data object, digitally signed by the user device (16) and encrypted with a key known to the redeeming system, wherein the redeeming system (14) checks whether the received electronic ticket includes an authentic signature or other verification information from a legitimate TIS (12); wherein the user device further being arranged for:
receiving a rapid verification object comprising a seed value from the redeeming system, in response to the verification; and
using the rapid verification object for subsequent verification by generating a rapid verification token, RVT, based on the seed value of the rapid verification object, and for providing the rapid verification token to a rapid verification system (100) for subsequent verification by the rapid verification system having the same seed value as used by the user device (16), wherein the RVT is a verification sequence having at least one pseudorandom element generated in dependence on the seed value provided by the redeeming system (14).
Independent claim 5 of the main request has the following wording:
A redeeming system (14) arranged for managing the redemption of electronic tickets; the redeeming system comprising:
At least one communication interface (80) to communicate redemption transactions with user devices storing electronic tickets; and
A processing system (82) arranged for:
Receiving, via the communication interface (80), an electronic ticket comprised in a composite data object, digitally signed by the user device (16) and encrypted with a key known to the redeeming system from a user device (16) according to any of claims 1-4; and
Verifying the electronic ticket by high security verification, wherein the redeeming system (14) checks whether the received electronic ticket includes an authentic signature or other verification information from a legitimate TIS (12);
Wherein the redeeming system being further arranged for:
Issuing a rapid verification object comprising a seed value to the user device (16), in response to the verification for subsequent verification use, wherein said seed value is provided by the redeeming system (14).
Independent claims 9 and 12 define methods corresponding to the device of claim 1 and the system of claim 5, respectively.
1. The claimed invention
1.1 The application relates to handling of electronic tickets. A user purchases an electronic ticket from a Ticket Issuing System (TIS). The TIS sends the ticket to the user, who stores it in their user device (e.g. mobile phone) within a tamper-proof secure module (memory).
The user wishing to redeem the ticket connects through their user device to a Ticket Redeem System (TRS) and transmits the electronic ticket as part of a composite data object, including the digital signature of the user device.
The TRS verifies the electronic ticket ("high security verification"), including the digital signature of the TIS and, if the verification is positive, it sends a Rapid Verification Object (RVO) comprising a seed value, back to the user device.
When the user wants to use the ticket (e.g. enter a venue for which the ticket was bought), their user device generates a Rapid Verification Token (RVT) using the RVO and the seed value. Upon entry to the venue, the RVT is verified by a corresponding Rapid Verification System (RVS).
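The flow described in 1.1, sketched as an added example that is not taken from the decision or the application: a ticket authenticated by the TIS is checked by the TRS, which issues a seed, and the user device then derives an RVT that the RVS can check offline with the same seed. HMAC-SHA256, the key shared by TIS and TRS, the time-window counter and all function names are assumptions; the device signature and the encryption of the composite data object are left out.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. Assumption: the TIS authenticates tickets with an HMAC
# whose key the redeeming system (TRS) also holds ("otherwise authenticated").
TIS_KEY = b"constructed-demo-key-held-by-TIS-and-TRS"


def tis_issue_ticket(content: dict) -> dict:
    """TIS: generate the ticket with the desired content and authenticate it."""
    body = json.dumps(content, sort_keys=True)
    tag = hmac.new(TIS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tis_tag": tag}


def trs_redeem(ticket: dict):
    """TRS: high security verification, then issue an RVO with a fresh seed."""
    expected = hmac.new(TIS_KEY, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tis_tag"]):
        return None  # not from a legitimate TIS: no RVO is issued
    return {"ticket_id": json.loads(ticket["body"])["id"],
            "seed": secrets.token_bytes(32)}


def make_rvt(seed: bytes, window: int, length: int = 12) -> str:
    """User device: derive the pseudorandom RVT locally from the seed."""
    # Assumption: the varying input is a coarse time-window counter.
    mac = hmac.new(seed, window.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:length]


def rvs_verify(seed: bytes, token: str, window: int, skew: int = 1) -> bool:
    """RVS: recompute from the same seed; tolerate +/- skew windows of drift."""
    candidates = range(max(0, window - skew), window + skew + 1)
    return any(hmac.compare_digest(make_rvt(seed, w), token) for w in candidates)


def demo() -> dict:
    """Run the whole flow once on constructed sample data."""
    ticket = tis_issue_ticket({"id": "T-0001", "event": "constructed sample"})
    rvo = trs_redeem(ticket)
    forged = dict(ticket, body=ticket["body"].replace("T-0001", "T-0002"))
    token = make_rvt(rvo["seed"], window=500)
    return {
        "forged_rejected": trs_redeem(forged) is None,
        "accepted_at_gate": rvs_verify(rvo["seed"], token, window=501),
        "stale_rejected": not rvs_verify(rvo["seed"], token, window=510),
    }


if __name__ == "__main__":
    print(demo())
```

Neither `make_rvt` nor `rvs_verify` contacts the TRS, which is the offline property the board relies on in point 4.2.4.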
2. In the context of the described invention, claim 1 of the main request defines a user device, claim 5 a redeeming system and claim 7 a system comprising both the claimed user device and redeeming system. Claims 9, 12 and 15 define corresponding methods. Although claim 5 defines a broader scope of protection, the decision under appeal was based on claim 1.
3. Amendments, extension of subject-matter, clarity and support in the description
3.1 Claim 1 is based on a combination of original claims 5, 6, and 7 with additional features from the description which find basis as follows (references to passages of the application as originally filed, unless otherwise indicated):
- the security element is a tamper resistant module; this is disclosed on page 10, lines 14 to 22 (and not on page 12, lines 7 and 8 as the appellant, then applicant, suggested in its letter of 3 October 2018, see page 2, 4th paragraph);
- the electronic ticket is stored in the memory of the security element (20); this is disclosed on page 9, lines 5 to 7, page 10, lines 16 to 20 and Figure 3;
- the electronic ticket is generated with the desired content and signed or otherwise authenticated by the TIS; this is disclosed on page 11, lines 24 to 26 and/or page 12, lines 3 to 6.
3.2 Claim 5 is based on a combination of original claims 10, 11 and 12 with the same features from the description as claim 1.
3.3 Claim 7 is based on a combination of current claims 1 and 5 and finds support in the same claims and passages as these claims. Claims 9, 12 and 15 define corresponding methods to the devices/systems of claims 1, 5 and 7 respectively and find basis correspondingly.
3.4 The terms "high security verification" and "rapid verification".
3.4.1 Claim 1 gives brief explanations about the meaning of those terms:
- in high security verification, the redeeming system checks whether the received electronic ticket includes an authentic signature or other verification information from a legitimate TIS (12) (see claim 1, lines 16 to 18);
- the rapid verification is done by generating a rapid verification token (RVT), based on the seed value of the rapid verification object, and... providing the rapid verification token to a rapid verification system (100) for subsequent verification by the rapid verification system having the same seed value as used by the user device (16) (see claim 1, lines 22 to 25).
3.4.2 In the board's view, the skilled reader understands from reading claim 1 that the high security verification and the rapid verification are different verification procedures. Any ambiguities that may exist to the skilled reader as to these verification procedures are dispelled by turning to the description.
At first, there is a distinction of the procedures and the explanation of the difference between a "high security" and a "rapid" verification, see page 7, line 21 to page 8, line 2. It becomes thus clear that the "high security verification" is a stricter verification procedure, carried out at/by the redeeming system. The rapid verification procedure is a faster, less secure procedure meant to be carried out at/by a rapid verification system at a subsequent stage. The board has no doubts that even from the definition of claim 1, it becomes clear for the skilled reader that a successful high-security verification is a prerequisite for the obtention of a rapid verification object that can be used in a subsequent rapid verification procedure (see also page 15, lines 11 to 21).
The details of the high security verification are described on page 14, line 5 to page 15, line 10, while those of the rapid verification on page 16, line 3 to page 17, line 8.
3.4.3 The board is thus satisfied that these terms are clear and supported by the description.
3.5 The description has been adapted to the claims. It is thus correspondingly limited to electronic tickets without the reference to the more general "value data objects". The board is thus also satisfied that the objections raised in its communication under Article 15(2) RPBA 2020 have been overcome.
3.6 The board's conclusion is, hence, that the requirements of Articles 84 and 123(2) EPC are fulfilled.
4. Inventive step
4.1 The examining division concluded that claim 1 was obvious for the skilled person starting either from D6 or from D5.
4.2 Regarding D6, the board does not share the examining division's interpretation of D6, in particular in relation to the rapid verification object (RVO), the seed value and the rapid verification token (RVT).
4.2.1 In the method of D6, the user purchases a ticket from a remote ticket selling server using their user device. When the payment is settled, the server sends a "cyber ticket" (i.e. ticket information), an ID, and a password to the user device (see Figure 2 and page 12, lines 7 to 17). When the user wants to use the ticket (e.g. to enter a venue), they log in to the ticket selling server with their user device using the received ID and password and the ticket selling server sends the ticket to be displayed ("in real time") at the user device (see e.g. page 12, line 18 to page 13, line 29). In the board's understanding, the electronic ticket is never stored or generated at the user device but is received "in real time" from the ticket selling server when required (e.g. to enter a venue), after the user has logged in with their ID and password. Indeed, D6 states explicitly that the ticket is not stored at the user device but can be received from the server when needed (see e.g. page 13, lines 30 to 37, and page 15, lines 8 to 18).
4.2.2 The examining division considered the ID and password received from the ticket selling server to correspond to the rapid verification object (RVO) and the seed value of claim 1. According to the examining division, the user entering the ID and password causing the display of the ticket at their device corresponded to using the seed value of the RVO to generate the rapid verification token (RVT). Moreover, the examining division concluded that for the ticket to be displayed at the user device, it had to be stored at the device first. Hence, the displayed electronic ticket was also stored in the user device. In any case, claim 1 did not define that the user device stored the RVO or the seed value, it only defined that they were used by the user device to generate the RVT.
4.2.3 The board cannot follow this interpretation. D6 discloses explicitly that the ticket implemented in the form of a cyber ticket is not information previously stored in the memory of the mobile communication terminal, but information obtained in real time from the ticket selling server connected thereto and displayed (see page 15, lines 8 to 13). In the board's view, there is nothing in D6 that would have led the skilled person to conclude that the ticket is stored in the user device. Even if it could be considered that when the ticket is received from the server to be displayed it would be cached in a display memory cache or similar, the board cannot see this as the ticket being stored in the user device in the sense of the claims.
In any case, the board agrees with the appellant that claim 1 does not explicitly mention that the RVO and the seed value received from the TRS are stored in the user device. Although it might be convincingly argued that both the RVO and the seed value have to be stored in the memory of the user device in order to be used in the subsequent generation of the RVT, the board points rather to the fact that in claim 1 the RVT (i.e. the "ticket" displayed for verification at the entrance of a venue) is generated by the user device and not by any remote server.
4.2.4 Claim 1 differs thus from D6 at least in that the rapid verification token is generated locally at the user device using information received from the remote server (the RVO and the seed value).
The technical effect of this difference is that the user device does not need to connect to any remote server at the moment of the final verification (e.g. when the user is about to enter a venue or board a train, etc.). The verification can thus take place (and the user can receive the service they purchased a ticket for) without depending on the ability of the user device to connect to a remote server. In situations like entering a stadium or a concert venue where several thousands of people must have their tickets verified within a short time it is plausible that connection problems to a remote server could arise. Connection problems may also arise from other causes, such as a disruption in the network.
4.2.5 The skilled person would not be motivated to make any modifications to the system of D6 and arrive at the claimed invention without exercising inventive skill.
At first, D6 teaches clearly away from allowing the user device to generate or even store the electronic ticket or any similar token. As D6 states, by keeping all the ticket information at the ticket selling server it is easier to control and manage all the relevant information relating to e.g. whether the ticket has been used (see page 15, lines 13 to 18). Letting the user device manage (generate, store) the ticket would be against this teaching. Moreover, there would be more modifications needed, e.g. instead of sending a user ID and a password to the user device, the server would have to send the necessary information for the user device to generate the ticket/token itself. The board takes the view that without any corresponding incentive in D6, such modifications would go beyond what can be considered obvious for the skilled person.
4.2.6 The board's conclusion is, therefore, that claim 1 involves an inventive step when D6 is taken as a starting point. In view of this conclusion there is no need to address any other possible distinguishing features.
4.2.7 The same conclusion is valid for claim 5 as well. In the impugned decision, the examining division did not assess claim 5 separately. In view of its conclusion that claim 1 was not inventive there was also no need to do so.
In its interpretation of D6 the examining division considered that the ticket selling server corresponded to the ticket redeeming system (TRS) of the application. It also considered that the "payment settling means" sent from the user device to the ticket selling server corresponded to the electronic ticket of the claims.
4.2.8 Claim 5 of the main request defines, among others, that the redeeming system receives an electronic ticket from a user device and is configured (the system has a processor which is configured) to check whether the electronic ticket includes an authentic signature or other verification information from a legitimate TIS.
Although the electronic ticket is not part of the claimed redeeming system, the board considers that checking whether the ticket includes an authentic signature or other verification information from a legitimate TIS is a function of the system, i.e. it is a feature of the claimed redeeming system.
4.2.9 The board cannot follow the interpretation of the examining division. In the context of the application and D6, an electronic ticket has a specific meaning and is not merely "commercial data" as the examining division stated. An electronic ticket, like a conventional (paper) ticket, usually represents access to goods or services the user has paid for. Under these considerations, the payment settlement means in D6 (i.e. user's bank account data or even digital money) cannot be seen as an electronic ticket. This becomes more evident when the whole of the application is considered, i.e. an electronic ticket is purchased from a TIS, sent to a user device, and then sent from the user device to a TRS for redemption. In D6 there is no such course of action: a user purchases an electronic ticket from a ticket selling server, they receive a user ID and password to store in their device and use this ID and password to have the ticket sent from the server and displayed on their own device. In the board's view, the ticket selling server of D6 cannot be seen as the redeeming system of claim 5 and the action of the user sending their payment settlement means to the ticket selling server cannot be seen to correspond to a redemption of an electronic ticket.
In addition, as explained with reference to claim 1, the ID and the password of D6 cannot be seen as the RVO and the seed value of the claim, either.
4.2.10 Thus the redeeming system of claim 5 substantially differs from the system in D6 and the board holds that D6 is not a suitable starting point for the skilled person for arriving at the subject-matter of claim 5.
Even if D6 were considered as the starting point, the skilled person wishing to modify the system of D6 and arrive at the redeeming system of claim 5 would have to carry out extensive and substantial modifications of the system in D6, which, in the board's view, would go beyond what can be considered obvious.
Therefore, the board holds that claim 5 involves an inventive step when starting from D6.
4.3 The board does not agree with the examining division's interpretation of D5, either.
D5 describes an electronic settlement system. The examining division referred to the embodiment of Figure 10 and paragraphs  to . In that embodiment, a user with a mobile user device wants to purchase an electronic ticket for a theatre, bus, train, etc. The user's device (3B) communicates with the ticket vending apparatus (40). A ticket is selected and the vending apparatus (40) sends ticket information to the user device (3B). The user device (3B) sends (payment) settling information (of the user) to an electronic bank (1). The vending apparatus (40) sends settling information (of the vendor) to the electronic bank (1). The bank (1) carries out the settlement and sends settlement result information to the vending apparatus (40). The vending apparatus (40) sends ticket data to the user device (3B). The ticket data are stored in the user device (3B) and retrieved for verification by an access control apparatus (60) when the user wants to use the ticket, e.g. to enter a theatre.
4.3.1 The examining division considered the whole "ticket purchasing system" of D5 to correspond to the ticket issuing system (TIS) of the application. It regarded the settlement information sent from the user device to the electronic bank as the electronic ticket of the claims. The vending apparatus together with the electronic bank of D5 were seen to correspond to the redeeming system of the claims. The electronic ticket data received and stored in the user device in D5 were seen to correspond to the rapid verification object (RVO), the seed value and the rapid verification token (RVT) of the claims.
4.3.2 The board cannot follow this interpretation of D5. The ticket issuing system (TIS) and the ticket redeeming system (TRS) are separate systems, both as defined in the claims and as described in the application as a whole. Even if not explicitly mentioned as physically separate entities, the skilled reader of the claims understands that they are two distinct operational entities. In the specific embodiment of D5 there are only two entities (besides the user device) involved in the purchase of the electronic ticket, the vending apparatus and the electronic bank. The division referred to an abstract "ticket issuing system" as corresponding to the TIS. Such a system is not described in D5 and, even if it were to be accepted that such a system was indeed described, this would correspond to the vending apparatus together with the electronic bank. The examining division, however, considered the vending apparatus with the electronic bank also to correspond to the redeeming system of the claims. As the TIS and the TRS of the claims are separate entities, this interpretation of the system in D5 cannot be accepted.
4.3.3 The examining division considered the settling information sent from the user device to the electronic bank to correspond to the electronic ticket of the claims. D5 however defines an electronic ticket ("electronic ticket data") that is sent from the vending apparatus to the user device. The board cannot accept that an arbitrary piece of data (the settling information) can be regarded as an electronic ticket when D5 mentions explicitly a different electronic ticket.
4.3.4 Finally, the application and the claims differentiate between an RVO, a seed value and an RVT. The first two are sent from the redeeming system to the user device, which uses them to generate the third. Nothing similar is disclosed in D5 and the board cannot accept that the RVO, the seed value and the RVT correspond to one and the same entity, the electronic ticket data of D5, as the examining division argued.
4.3.5 Summarising, the disclosure of D5 differs significantly from the claimed subject-matter, and the board is of the view that D5 does not represent a suitable starting point for any of the inventions claimed in the independent claims of the main request.
Even if D5 were taken as a starting point, the skilled person would have to carry out extensive modifications in its disclosure, changing its teaching significantly, to arrive at the claimed inventions. The board considers such modifications to go beyond what can be considered obvious for the skilled person, especially in the absence of any corresponding incentive in D5.
4.3.6 The board's conclusion is that the claims of the main request are not obvious when starting from D5.
4.4 The board's conclusion is, therefore, that the subject-matter of the claims of the main request involves an inventive step within the meaning of Article 56 EPC 1973.
5. The board is hence convinced that the application according to the main request and the invention to which it relates meet the requirements of the EPC and EPC 1973 and a European patent is to be granted according to Article 97(1) EPC.
For these reasons it is decided that:
1. The decision under appeal is set aside.
2. The case is remitted to the examining division with the order to grant a European patent in the following version:
- Pages 1/31 to 6/31, and 21/31 filed with letter dated 10 October 2022;
- Pages 7/31 to 20/31 as originally filed;
- Claims 1 to 20 filed with letter dated 15 November 2022;
- Drawings, Sheets 1/6-6/6 as originally filed.