T 0547/20 (Missing browser extension/THALES) 04-05-2022
Download and more information:
A system and method for providing security in browser-based access to smart cards
Decision in written proceedings - (yes): no oral proceedings necessary or appropriate
Substantial procedural violation - (yes): appealed decision not sufficiently reasoned
Remittal - (yes)
Reimbursement of appeal fee - (yes): for both parties
I. The appeals of the proprietor and the opponent lie from the interlocutory decision of the opposition division to maintain the opposed patent in amended form on the basis of the claims of the proprietor's then "auxiliary request 2". Claim 1 of the proprietor's main request was deemed to be unallowable for added subject-matter (Article 123(2) EPC) and claim 1 of the then "auxiliary request 1" for lack of clarity (Article 84 EPC).
II. The opponent requests that
- the decision under appeal be set aside;
- the appeal fee be reimbursed;
and
- the patent be revoked.
Oral proceedings were requested should the board be of the opinion that one of these requests cannot be granted. Moreover, the opponent requested to remit the case to the opposition division because of a violation of the right to be heard.
III. The proprietor requests
- that the decision under appeal be set aside;
- as a main request, that the opposition be rejected;
- or, in the alternative, that the patent be maintained in amended form in accordance with the claims of one of five auxiliary requests.
Oral proceedings are requested in the event that the board is minded not to reject the opposition.
IV. Claim 1 of the main request, i.e. claim 1 as granted, reads as follows (board's feature labelling):
(a) "A method for providing a secure connection between a web server application (300) originating on a web server (505) having a website domain name and a security device (104) connected to the web server (505) over a network (509) via a host computer (103), comprising:
(b) ? connecting to the web server using a browser (203) executing on the host computer (103) over the network (509);
(c) ? loading the web server application (300) from the web server (505) into the browser (203);
(d) ? executing a browser extension (303) for providing the web server application (300) access to the security device (104) subject to confirming that the web server application (300) may access the security device (104);
the method being characterised in that the confirming that the web server application (300) may access the security device (104) comprises:
(e) ? authenticating the web server (505) by verifying that the connection is a secure connection established using a digital certificate issued by a trusted root certificate authority;
(f) ? receiving from the web server (505) a connection key issued by an authorizing organization (510) wherein the connection key is cryptographically linked to the authorizing organization (510) and cryptographically linked to the digital certificate of the web server;
(g) ? determining whether the connection key presented by the web server (505) is valid by verifying whether the connection key is indicative of that the web server application (300) has been properly authorized to access the security device (104) by the authorizing organization (510);
(h) ? if the connection key is valid, allowing the web server application (300) to connect to the security device (104); and
(i) ? if the connection key is not valid, denying the web server application (300) the opportunity to connect to the security device (104)".
V. Claim 1 of the fourth auxiliary request, i.e. claim 1 of the then "auxiliary request 2" as maintained by the opposition division, includes all the features of claim 1 of the main request, with the difference that
- the expression "security device" is replaced, throughout claim 1, by the term "smart card"
and that
- features (e) and (f) are replaced by the following clauses respectively (board's feature labelling, amendments highlighted by the board):
(e') "authenticating the web server (505) by
verifying that the connection is an
https secure connection established using
a [deleted: digital] SSL certificate issued by a trusted
root certificate authority;"
(f') "receiving from the web server (505) a
connection key issued by an authorizing
organization (510) wherein the connection key
is cryptographically linked to the
authorizing organization (510) and
cryptographically linked to the [deleted: digital] SSL
certificate of the web server;".
1. Decision under appeal: main request - added
subject-matter
1.1 Claim 1 as granted is related to original claim 1 in that features (a) to (c) and parts of features (d) and (g) to (i) are similar to the subject-matter of original claim 1.
1.2 However, claim 1 as granted is silent about which entity is involved in confirming that the web server application may access the security device according to features (d) to (i). In particular, feature (g) is silent about which entity performs the action of "verifying whether the connection key is indicative of that the web server application (300) has been properly authorized to access the security device (104) by the authorizing organization (510)".
1.3 This is in contrast to original claim 1, which comprises a determining step to which feature (g) is related and which clearly states that the action of verifying is executed by a "browser extension", as indicated in the following clause of original claim 1 (emphasis added):
"executing a browser extension for providing the web server application access to the mobile device subject to confirming that the web server application may access the mobile device, the confirming that the web server application may access the mobile device comprises:
determining whether a connection key associated with the web server is valid wherein the connection key provides a mechanism by which the browser extension can verify that the web server application has been properly authorized to access the mobile device by an authorizing organization and provides a mechanism by which the browser extension can verify the validity and authenticity of the connection key".
1.4 In fact, as correctly pointed out by the opponent, the "browser extension" is mentioned only once in claim 1 as granted, namely in feature (d). In particular, any entity can perform the confirming "that the web server application (300) may access the security device" as defined in features (d) to (i). That the browser extension is missing in this respect in granted claim 1 can therefore be seen as a broadening of original claim 1.
1.5 In the decision under appeal, the opposition division did not indicate any support in the application as filed for this broadening. As a result, neither the parties nor the board can verify the opposition division's conclusion that claim 1 of the then "auxiliary request 2 meets the requirements of Article 123(2) EPC".
1.6 This broadening of claim 1 is a crucial point to consider under Article 123(2) EPC, and the opposition division could have realised this based on its technical understanding of the case. The opposition division also seems to have done so when summoning to oral proceedings, as can be gleaned from the reasoning with respect to the "deletion of 'browser extension'" in point 6.3 of its preliminary opinion sent as an annex to its summons. However, it did not include that part of their preliminary opinion in the decision under appeal.
1.7 The board acknowledges in this respect that there may not have been a necessity for the opposition division to address the broadening mentioned in point 1.4 above with respect to granted claim 1, given that this claim comprised other amendments for which the "opposition division concluded that the granted independent claim 1 does not meet the requirements of Article 123(2) EPC" in Reasons 13.1 of the impugned decision. However, a direct and unambiguous disclosure in the application as filed should have been identified at the latest in Reasons 20.1 of the appealed decision, where the "opposition division concluded that the independent claim 1 of the auxiliary request 2 meets the requirements of Article 123(2) EPC, because the amendments do not add subject-matter to the originally filed application". Instead, the opposition division merely contented itself with stating in Reasons 20.3 to 20.6 of the impugned decision why the opponent's arguments were not convincing.
In particular, Reasons 20.3 to 20.6 of the appealed decision do explain why certain arguments of the opponent regarding added subject-matter were not convincing, but the broadening mentioned in point 1.4 above is not addressed. If anything, the sentence "[t]he example shows the extension browser carrying out the verification steps" of Reasons 20.4 of the impugned decision rather indicates to the contrary that the opposition division acknowledged at least paragraphs [0015], [0041], [0042] and [0046] of the description as filed to disclose an example requiring the browser extension's involvement in the verifying action of feature (g). Likewise, Reasons 20.5 of the appealed decision address features (g) to (i), but focus on the objection that these features would have been taken in isolation "because there are no examples in the description of this key validation and consequent connection or denial of connection". The board cannot recognise how this would be in any way connected to the missing "browser extension".
1.8 Even if the opposition division had not realised by itself the importance of the broadening mentioned in point 1.4 above, it should have recognised that this was of crucial importance to the opponent because the latter had brought the missing "browser extension" repeatedly to the opposition division's attention.
The board refers in this respect to the submissions
- in the notice of opposition
and
- in the opponent's letter dated 2 October 2019 as a reply to the summons to oral proceedings issued by the opposition division.
In the former submission, the opponent had raised the issue of the missing "browser extension" in dedicated sections on pages 10 to 12. With the latter submission, the missing "browser extension" is addressed not only in point 1.4 where a separate section is dedicated on this issue but also in, for instance, the last full paragraph of page 13, the second full paragraph of page 14 and the first full paragraph of page 17, which extensively address features (e) to (h). This is done in terms of the features which the opposition division labelled in its preliminary opinion as annexed to its summons (see point 1.5 above) with "M.4.1", "M.4.1.1", "M.4.1.1.1", "M.4.1.1.2" and "M.4.1.2" to "M.4.1.3".
The length and detail of the line of argument regarding the missing "browser extension" palpably illustrate the relevance of this point, from the opponent's point of view. Therefore, the opposition division should have realised that features (e) to (h) encompass contentious issues that must be dealt with in its written decision.
1.9 Conversely, the proprietor confirmed in point 2.1.4 on page 12 of its reply to the opponent's appeal that the issue of the missing "browser extension" has "already been extensively discussed during the opposition proceedings".
1.10 Therefore, the appealed decision did not address all of the issues of crucial importance to at least one of the parties regarding the main request.
2. Decision under appeal: auxiliary requests - sufficiency of reasoning - clarity
In addition to the deficiency invoked by the opponent relating to added subject-matter regarding claim 1 of the main request as addressed in point 1 above, the appealed decision also suffers from some further defects regarding the underlying auxiliary requests.
2.1 Reasons 15 and 16 of the appealed decision state that the amendments underlying claim 1 of the then "auxiliary request 1" are "in contradiction with dependent claims 11, 12 and 13-15" (emphasis added by the board). This, however, is not in alignment with the minutes of the oral proceedings before the opposition division, where on page 4, in the paragraph starting with "The chairperson underlined", it is referred only to "claims 11 and 13-15" and not to claim 12.
2.2 Moreover, the appealed decision does not state why the opposition division deemed a contradiction between claim 1 and the dependent claims to be present for the then "auxiliary request 1".
2.3 Furthermore, auxiliary requests 1 and 2 underlying the appealed decision, comprising in particular the same wording for claim 1, seem to differ only in that claims 13 to 15 of auxiliary request 1 are not present in auxiliary request 2. By contrast, claim 11 is still present in the latter auxiliary request. However, Reasons 17 and 18 of the appealed decision does not state why, for auxiliary request 2, claim 11 is not or no longer in contradiction with claim 1.
2.4 Hence, Reasons 15 to 18 of the appealed decision do not allow the parties or the board to understand why the opposition division deemed the then "auxiliary request 1" not to be allowable and the then "auxiliary request 2" to be allowable under Article 84 EPC.
3. Decision under appeal: sufficiency of reasoning
3.1 It is in line with established jurisprudence of the Boards of Appeal that the opposition division is not required to address each and every argument of a party. However, the opposition division's decision must enable the party concerned and the board to objectively understand whether or not the decision was justified. Therefore, the decision under appeal should have provided at least some reasoning on all crucial points of debate.
3.2 It is apparent from point 1 above that one of those crucial points has not been addressed, namely why the opponent's arguments regarding the missing "browser extension" were not convincing. At the very least, the opposition division should have identified a concrete support for claim 1 as granted, in particular for the contentious features (e) to (h) (cf. point 1.8 above). Instead, the opposition division ignored the amendment that feature (g) (see point 1.2 above) does not mention the "browser extension": this amendment was not even acknowledged as one of the "key amended features" in Reasons 13.1 of the appealed decision.
3.3 Moreover, regarding point 2 above, the impugned decision should have provided reasons for its finding that claim 1 of the underlying auxiliary request 1 is in contradiction with some of its dependent claims and that this contradiction is no longer present in the underlying auxiliary request 2.
3.4 The board therefore agrees with the opponent that the decision under appeal is insufficiently reasoned under Rule 111(2) EPC.
4. Substantial procedural violation - remittal to the opposition division - reimbursement of the appeal fee
4.1 An insufficiency in the reasoning of an appealable decision is generally considered to constitute a substantial procedural violation (cf. T 1123/04, Reasons 3.3 and 4.1, relating to Rule 68(2) EPC 1973; T 655/13, Reasons 2.2 and 2.4.4; T 3071/19, Reasons 8).
4.2 Furthermore, in agreement with the opponent's request (see point II above), a remittal of the case to the opposition division for further prosecution in accordance with Article 11 RPBA 2020 is appropriate in the present appeal case. This is because the appealed decision's insufficient reasoning is such that it prevents the board from reviewing its correctness, thus constituting "special reasons" for a remittal.
4.3 The board further deems it to be equitable to reimburse the appeal fee under Rule 103(1)(a) EPC to both appellants for the present appeal case.
5. Decision in written proceedings
5.1 Both parties requested oral proceedings (see points II and III above). Given that any negative impact incurred by the board's remittal affects both parties in the same way, the board does not consider it to be expedient or necessary to appoint oral proceedings for the present appeal case.
5.2 Therefore, the present decision is handed down in written proceedings (Article 12(8) RPBA 2020).
For these reasons it is decided that:
1. The decision under appeal is set aside.
2. The case is remitted to the opposition division for further prosecution.
3. The appeal fee is reimbursed in full to both appellants.