T 0643/10 (Protecting sensitive data/SAP) of 8.10.2014

European Case Law Identifier: ECLI:EP:BA:2014:T064310.20141008
Date of decision: 08 October 2014
Case number: T 0643/10
Application number: 08100426.9
IPC class: G06F 21/24
Language of proceedings: EN
Distribution: D
Versions: Unpublished
Title of application: Systems and methods for protecting sensitive data
Applicant name: SAP SE
Opponent name: -
Board: 3.5.06
Headnote: -
Relevant legal provisions:
European Patent Convention 1973 Art 56
Keywords: Inventive step - (no)


Cited decisions:
Citing decisions:

Summary of Facts and Submissions

I. The appeal lies against the decision of the examining division, with reasons dispatched on 19 October 2009, to refuse European patent application no. 08100426.9 for lack of an inventive step over the document

D1: Ennser L et al., "The XML Files: Using XML and XSL with IBM Websphere 3.0", IBM Corporation, International Technical Support Organization (ITSO), IBM Form Nr. SG24-5479-00, March 2000.

II. A notice of appeal was filed on 16 November 2009, the appeal fee being paid on the same day. A statement of grounds of appeal was received on 11 February 2010. The appellant requested that the decision under appeal be set aside and that a patent be granted based on the description and the drawings as originally filed in combination with claims 1-15 according to the main request or claims 1-13 according to the auxiliary request as filed on 24 July 2009 and as subject to the decision under appeal, or claims 1-15 according to a second auxiliary request filed with the grounds of appeal.

III. With a summons to oral proceedings, the board informed the appellant of its preliminary opinion according to which the independent claims of the main request lacked an inventive step over D1 or, alternatively, over a prior solution discussed in the application itself, Article 56 EPC 1973. With regard to the auxiliary requests, the board noted that the appellant had only referred to its submission of 24 July 2009 and thus arguably not fully taken into account the examining division's reasons as laid out in the decision.

IV. In response to the summons, with letter dated 8 September 2014, the appellant clarified its arguments regarding the first auxiliary request and withdrew the second auxiliary request. Furthermore, it argued that the board's argument based on the prior solutions discussed in the application was moot because the discussion of these "prior solutions" was not an "admission of prior art".

V. Claim 1 of the main request reads as follows:

"A computer-implemented method for transmitting an XML document (107) from a sender (105) within a secure environment (102) to a receiver (125) within an insecure environment (122) via a communication channel (120), the method comprising the steps of:

receiving the XML document from the sender by a filter module (115) before transmission via the communication channel, the XML document having a tree structure, each node of the tree (642) being representative of one element of the XML document, each element having content,

using a configuration file (220) to selectively remove some of the content, the configuration file comprising a first set (953) of statements specifying a first set of elements and a second set (954) of statements specifying a second set of elements, wherein the content is selectively removed by generating an intermediate XML document (956), identifying the first set of elements in the XML document using the first set of statements, copying the first set of elements into the intermediate XML document, identifying the second set of elements in the intermediate XML document using the second set of statements, and removing the content of the second set of elements from the intermediate XML document which provides a filtered XML document,

sending the filtered XML document via the communication channel to the receiver,

wherein the first and second sets of statements are XPATH statements, wherein the configuration file is an XML document, wherein the generation of the filtered XML document is performed by an XSL transformation using the configuration file, wherein if one (K3.2) of the elements of the first set of elements is not a leaf node of the tree, copying the sub-tree (644) originating from that element into the intermediate XML document, whereby the removal is performed by replacing the content by a dummy information, wherein the dummy information is chosen to be in compliance with the requirements specified in an XML schema (960) being associated with the XML document, wherein the dummy information is specified as an attribute of an XPATH, and wherein the XPATH statement specifies the element whose content is to be removed."

Claim 1 of the auxiliary request corresponds to claim 1 of the main request with the following text added at its end:

"... wherein the filter module is executed by a gateway server that all messages transmitted by the origin data processing system must pass through before transmission over communication channel 120 to the destination data processing system, and wherein each one of the elements of the first and second sets of elements is identified by one of a search term for searching within the content, [] a search term for searching within the elements' names, [and] an explicit tree path description leading to the element."

Both requests also contain an independent data processing system claim - numbered 13 and 11, respectively - which corresponds closely with the respective independent method claims.

VI. The oral proceedings took place as scheduled on 8 October 2014. At the end of the oral proceedings, the chairman announced the decision of the board.

Reasons for the Decision

The invention

1. The application relates to the transmission of data between systems of different security levels and addresses the problem of ensuring that sensitive information is not transmitted into an insecure environment. The invention proposes a way of filtering classified information from a given document before transmission.

1.1 Specifically, the invention relates to the transmission of an "XML document" which is filtered by an "XSL transformation" on the basis of a "configuration file" which defines, via two separate sets of XPATH statements, which "elements" of the XML document may be kept and which are to be removed. The filtering takes place in two steps: In the first step, the elements specified by the first set of XPATH statements are copied into an intermediate XML document, and in the second step, the elements specified by the second set of XPATH statements are removed to produce the "filtered XML document" to be transmitted.

1.2 It is specified in the independent claims that a first XPATH statement selecting an inner tree node to be kept denotes the entire subtree rooted at that position, and that content is removed by replacement with some "dummy information" which is specified in the pertinent XPATH statement as an "attribute" and which complies with a given XML schema.

1.3 In the independent claims of the auxiliary request it is further specified that the "filter module is executed by a gateway server that all messages ... must pass through" and that the "elements" specified in the configuration file are identified by a "search term" for either "searching within the content" or searching within the elements' names, or an "explicit tree path description leading to the element".
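
The two-step filtering summarised in points 1.1 and 1.2 can be sketched as follows. This is an added example, not code from the application or from D1: it uses Python's ElementTree and its XPath subset in place of an XSL transformation, and the sample message, the configuration element names "keep" and "remove" and the attribute names "xpath" and "dummy" are assumptions made for illustration. Compliance of the dummy values with an XML schema is assumed, not checked.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample message; element names are illustrative only.
MESSAGE = """<message>
  <header><to>partner</to><classification>SECRET</classification></header>
  <order id="7">
    <customer><name>Alice Example</name><city>Walldorf</city></customer>
    <item><sku>A-1</sku><price>19.99</price></item>
  </order>
  <internal><customer><name>Bob Example</name></customer><note>do not send</note></internal>
</message>"""

# Constructed configuration file: itself XML, holding two sets of XPath statements.
# "keep", "remove", "xpath" and "dummy" are hypothetical names for this example.
CONFIG = """<filter>
  <keep xpath="./header/to"/>
  <keep xpath="./order"/>
  <remove xpath=".//customer/name" dummy="XXX"/>
  <remove xpath=".//price" dummy="0.00"/>
</filter>"""


def copy_kept(source_root, keep_paths):
    """Step 1: build the intermediate document from the first set of statements."""
    parent_of = {child: parent for parent in source_root.iter() for child in parent}
    selected = {e for path in keep_paths for e in source_root.findall(path)}
    shells = set()  # ancestors needed only to hold a selected element in place
    for elem in selected:
        while elem in parent_of:
            elem = parent_of[elem]
            shells.add(elem)

    def build(src):
        if src in selected:
            return copy.deepcopy(src)  # non-leaf node: the whole subtree is copied
        out = ET.Element(src.tag, src.attrib)  # shell keeps tag and attributes, no text
        out.extend([build(c) for c in src if c in selected or c in shells])
        return out

    return build(source_root)


def redact(root, remove_rules):
    """Step 2: replace the content of each matched element by its dummy value."""
    replaced = 0
    for path, dummy in remove_rules:
        for elem in root.findall(path):
            for child in list(elem):
                elem.remove(child)
            elem.text = dummy
            replaced += 1
    return replaced


def filter_document(message_xml, config_xml):
    """Run both steps; return the filtered XML text and the number of replacements."""
    config = ET.fromstring(config_xml)
    keep = [k.get("xpath") for k in config.findall("keep")]
    remove = [(r.get("xpath"), r.get("dummy", "")) for r in config.findall("remove")]
    intermediate = copy_kept(ET.fromstring(message_xml), keep)
    replaced = redact(intermediate, remove)
    return ET.tostring(intermediate, encoding="unicode"), replaced


if __name__ == "__main__":
    filtered, count = filter_document(MESSAGE, CONFIG)
    print(filtered, count)
```

Because everything not named in the first set is absent from the intermediate document, the second step has fewer elements to match than it would on the unfiltered message.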

The prior art

2. D1 discusses XML and related tools, amongst which XSL, XPath and XML schemas, their background and their benefits in general and by way of example (see e.g. title and p. 3, 1st par.). Amongst "three main applications" of XML mentioned, two relate to the transmission of data, between computer systems and to users (see pp. 5-7 and secs. 1.3, 1.3.1 and 1.3.3; see also p. 63, sec. 6.3.2). It is disclosed that XML documents must be well-formed for an XML application to work on and that well-formedness of an XML document is defined in a DTD or XML schema (see e.g. sec. 2.1.2). XPath is disclosed as a notation "for navigating through XML documents" which are "model[led] as a tree of nodes", and to "address parts of ... XML document[s]", possibly comprising an entire "set of nodes", (p. 25, sec. 2.3, 1st par.; p. 31, sec. 2.5.4, 1st par.). It is also disclosed that XPath expressions have "attributes" and what can be dubbed "search terms" (p. 25, sec. 2.3), both for elements' names or for "content" (see e.g. the element name "copies" in the path "/child::book/child::copies" and the type attribute in the path "/book/author[@type='old']"; loc. cit.). It is disclosed that XSL is a "common language for transforming one XML document into another" (p. 30, lines 7-8) or for "filter[ing] ... data" (p. 31, sec. 2.5.3) and uses XPath expressions "to extract data from [an] XML document". The LotusXSL processor is disclosed as a known component for converting XML documents based on XSL (p. 46, sec. 4.2; p. 55 ff., ch. 6). One example given to illustrate the use of XSL mentions that elements in an XML document may be "CONFIDENTIAL" and for that reason deserve special treatment (see sec. 6.2.2).

3. The application refers to the situation that a "message including classified information" may have to be transmitted and as a "prior solution" to the security problem that the "person responsible for communicating [that] message" had to create "a new message by manually copying the unclassified portions into an empty message template" and transmit this "redacted version of the original message" instead of the original message (p. 2, penult. par.). The appellant argued that this passage was not to be construed as "an admission of prior art" (see letter of 8 September 201, p. 3, 2nd par.). The board concedes that the application itself does not imply whether such prior solutions had actually been prior art in the sense of Article 54 (2) EPC 1973 and the board could not establish whether such prior solutions had been prior art independently of whether the application admitted it.

4. However, the board considers it to be common knowledge that confidential data may have to be deleted from a document before it can be made available to certain third parties. It is commonly known that original documents are published with sensitive information blackened out. Also known are documents in which sensitive information is omitted and marked by an ellipsis such as "...". Both occasionally happen for instance when decisions of the boards of appeal are published in anonymized form.

Inventive step

Main request

5. The decision under appeal found (reasons 1.3) that the subject matter of claim 1 of the main request "differ[ed] from the disclosure of D1 in that an intermediate XML document [was] used" into which elements identified by the first set of statements were copied and from which elements identified by the second set of statements were removed "whereas in D1 the copying ... and the replacing ... [was] done on the fly and in one go". The decision found (reasons 1.4) that this distinguishing feature did not involve an inventive step because "generating a copy of a document and then filtering the copy or copying and filtering the original document simultaneously (on the fly) [were] merely well-known alternative implementations having no special technical effect." The decision further considered that an "intermediary representation" [was] probably generated in computer memory by the XSL processor as a matter of course (reasons 1.4 as well). The decision further dealt with and refuted the applicant's argument that the differences had a speed up effect, arguing inter alia that "[t]he creation of an intermediate XML document tend[ed] to render the whole processing slower" (see reasons 1.5).

6. The appellant took particular issue with this analysis in the decision under appeal (see grounds of appeal, section II, referring specifically to sections 1.3-1.5 of the decision), and argued that the invention had a technical advantage at least in certain situations. The appellant conceded that creating the intermediary XML document may slow down the processing for small files but explained that this was not true in all cases (see grounds of appeal, p. 3, lines 4-7), especially not if the given XML document was large and/or if the second set of statements identified a large set of elements (p. 3, 2nd and 3rd pars.). Since the claims did not specify the size of the XML document to be transmitted or the content of the configuration files the appellant argued in oral proceedings that the claimed filtering process reduced processing time at least for the worst case and thus, while possibly not reducing transmission latency in all cases, reduced the maximal transmission latency.

7. The appellant also referred to the arguments presented in the letter dated 24 July 2009 with regard to patentability for the main request (see grounds of appeal, sec. II, 1st par. and letter of 8 September 2014, p. 2, 4th par.) and stated that "this entire argument" formed part of the appeal. In this context it is also stated that the applicant challenged the comparison of the claimed invention with D1 as outlined in the letter of 24 July 2009 (see grounds of appeal, p. 3, lines 4-7). That communication argued (see p. 4, lines 4-6) that D1 did not disclose

a) the transmission of a document "from a sender to a receiver where the level of security changes".

In favour of an inventive step of the main request, it was argued (see p. 6, last par. and p. 7, 1st par.) that D1 did not disclose

b) the production of an intermediate XML document,

c) a two-step filtering process as claimed nor, in this context,

d) the "copying of an entire tree from an element which is not a leaf node".

8. The board agrees with the appellant with regard to the differences between the claimed invention and D1 and assesses their inventive step as follows.

8.1 The board is of the opinion that the requirement to delete certain information from a document is determined by the circumstances, for example the policy decision to guard military or commercial secrets or the legal obligation that certain information not be made public. It is also determined by circumstances what is considered to be a "secure" or an "insecure" environment (difference a). For instance it may be an enterprise policy to consider all internal communication to be secure and all communication to the outside to be insecure. Typically, such a policy will apply to paper documents and digital documents in the same way.

8.2 The board further considers that the circumstances determine how a document is to be redacted or how this requirement is phrased. For illustration the following exemplary situations may be referred to: A court order may oblige a book publisher to delete every mention of a particular public person from a forthcoming book. The order might specifically state that a chapter dedicated to that person be deleted entirely - or, equivalently, that all chapters except this one may be published - and that all occurrences of that person's name in the rest of the book be blackened out. Anonymization of a decision by the boards of appeal may mean that name, address and affiliation of a party is deleted from the front page of the decision and that the name of the party's representative is replaced by a placeholder such as "XXX" throughout the body of the decision.

9. Starting from D1, i.e. from a system using XML and its tools for the transmission of documents, the skilled person would find himself confronted with a given policy of redacting documents containing sensitive information before making it available to a third party considered to be "insecure". As mentioned before, it can be reasonably assumed that this policy applies in particular to digital documents, so that the skilled person will have to address the problem of implementing the redaction policy in the context of D1.

9.1 The obligation to delete an entire chapter of a document straightforwardly translates into the deletion of the entire subtree starting at some <chapter> node (difference d). The obligation to blacken out a particular name translates into the removal of that name from the content and its replacement by a placeholder such as "XXX".

9.2 The board agrees with the appellant that the order in which these redaction tasks are performed has an impact on efficiency (difference c): It is more efficient to perform the deletions first because all replacements done in a part of the document will be made redundant if and when that part is eventually deleted. However, the board considers that this advantage is obvious from common sense. In the board's view, efficiency considerations are always on the skilled person's mind so that he or she would arrange the different redaction tasks in the claimed order as a matter of course and without exercising an inventive step.

9.3 This consideration is independent of whether the deletion tasks are formulated in an "aggressive" or a "permissive" way, as the application puts it (see p. 15, lines 21-25), i.e. whether the "first set of statements" defines what is to be kept or what is to be deleted. How the redaction rules are formulated may be a matter of policy ("paranoid" or "trusting", loc. cit.) and/or of convenience: If a large part of a document must be deleted it may be shorter to list what is to be kept than what is to be deleted; the inverse holds if only little is to be deleted. The board considers it obvious for the skilled person to formulate the redaction rules in the way they are given or according to convenience considerations as explained.

9.4 However, in the board's view, it does not have any significant technical advantage for the processing (or transmission) efficiency whether an intermediate XML document is produced during the filtering process or not (difference b).

9.4.1 The result of any filtering must be made available to a later filtering phase. It is possible that a first phase has to terminate before the second phase starts, in which case the result of the first phase naturally produces an "intermediate XML document". It is also possible that the first and second phase operate concurrently and that the intermediate results are passed on continuously so that at no point an entire intermediate XML document will be obtained.

9.4.2 The board deems both options to be common-place design decisions which the skilled person will make as a matter of course when implementing a modular process.

10. In summary, the board concludes that none of the differences between the claimed invention and D1 establishes an inventive step of the claimed matter over D1 since they are either given by circumstances and therefore constitute part of the problem rather than the solution or a matter of common sense and common practice in the art of program development.

11. Therefore claim 1 (and, by analogy, claim 13) of the main request lacks an inventive step in the sense of Article 56 EPC 1973 over D1 in view of common knowledge.

Auxiliary request

12. Claim 1 of the auxiliary request differs from claim 1 of the main request in requiring a "gateway server" which all transmitted messages must pass through and a number of details how the statements in the configuration file are formulated.

12.1 Neither the grounds of appeal nor the appellant's letter of 8 September 2014 argue that the provision of a gateway as claimed per se establishes an inventive step. In the board's view, the use of such gateway servers is a common architectural feature of conventional networks. For instance, gateway servers are commonly used to connect an enterprise network to the Internet and often run security relevant software such as a firewall. During oral proceedings, the appellant did not challenge the board on this point when it referred to the gateway server as a common network feature.

12.2 The appellant argued that the combination of these features is particularly advantageous "because a large number of messages from different sources may pass through the gateway server" (see letter of 8 September 2014, p. 3, last par.). In the board's understanding this language is intended to express the argument that the efficiency advantage of the claimed filtering process is particularly relevant, i.e. notable and desirable, if a gateway server as claimed is used. During oral proceedings, the appellant agreed that the board's paraphrase reflected the argument correctly.

12.3 The appellant thus did not argue that the additional features of the auxiliary request had any additional advantage relevant for inventive step, but only that they made an existing advantage more pertinent.

12.4 This fact, however, does not establish that claim 1 of the auxiliary request shows an inventive step. In the board's judgment as laid out above (see esp. point 9.2) it would have been obvious for the skilled person to obtain the mentioned efficiency gain with the claimed features even without the use of a gateway server. The claimed features can therefore not be less obvious in a different context in which the advantage may be more prominent.

12.5 Finally, the appellant argued that the use of search terms in the path statements avoids the need to formulate the redaction rules only in terms of "explicit tree paths" so that, as the board understands the argument, the configuration file becomes smaller (see letter of 8 September 2014, p. 3, last sentence).

12.6 The board is not convinced by this argument either. It is implied by the use of XPATH - as known from D1 - that the three types of path statements are available to the programmer. Their availability alone thus cannot contribute to an inventive step. It is, in the board's view, obvious for the skilled person that certain redaction rules may be more conveniently formulated by one type of expression in XPATH than another one. For instance, the rule that a specific chapter be deleted entirely is more conveniently expressed using an explicit tree path leading from the root node to the pertinent chapter node, whereas the rule that individual names be deleted is more conveniently formulated by reference to content which must be searched in the document, i.e. via "search terms". The skilled person would, therefore, make appropriate use of the features provided by XPATH in view of the given redaction rules and without the exercise of an inventive step.

12.7 In summary, the board therefore comes to the conclusion that also claim 1 (and, by the same token, claim 11) of the auxiliary request lacks an inventive step over D1 and common knowledge, Article 56 EPC 1973.


For these reasons it is decided that:

The appeal is dismissed.
