BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | ||
England and Wales High Court (Patents Court) Decisions |
||
You are here: BAILII >> Databases >> England and Wales High Court (Patents Court) Decisions >> MMI Research Ltd v Cellxion Ltd & Ors [2009] EWHC 418 (Pat) (11 March 2009) URL: http://www.bailii.org/ew/cases/EWHC/Patents/2009/418.html Cite as: [2009] Info TLR 35, [2009] EWHC 418 (Pat) |
[New search] [Printable RTF version] [Help]
CHANCERY DIVISION
PATENTS COURT
Strand, London, WC2A 2LL |
||
B e f o r e :
____________________
MMI RESEARCH LIMITED |
Claimant |
|
- and - |
||
CELLXION LIMITED CELLXION NETWORKS LLC MARK BRUMPTON DATONG ELECTRONICS PLC ROHDE & SCHWARZ GMBH & CO. KG. ANTHONY TIMSON |
Defendants |
____________________
Alastair Wilson QC and Simon Malynicz (instructed by Edwin Coe LLP) for the Defendants
Hearing dates: February 11th-13th, 16th-18th and 20th, 2009
____________________
Crown Copyright ©
Mr Justice Floyd:
Introduction
The Parties
The Patent in suit
"In the case of modern public digital cellular mobile telephony networks, there is frequently a need, in the public interest, to identify the user of a mobile telephone by ascertaining his/her IMSI (International Mobile Subscriber Identity) or the IMEI (International Mobile Station Equipment Identity) of the mobile telephone used by him/her, or even to intercept the calls of that user."
"It is therefore the object of the invention to make available to the thus authorised public services such as, for example, the police, a method by which, in a digital cellular mobile telephony network, any users of mobile telephones can be identified..."
"The [transmission] power of the VBTS received at the location of the MS must be greater than that of the base station [to which the target mobile is attached], in order to fulfil the radio criterion C1 for a cell reselection. This is achieved through appropriate transmission power of the VBTS and/or through spatial proximity of the VBTS to the MS to be identified."
"This has the result that, upon the inscription in the VBTS of the MS which is to be identified, the MS also actually transmits its relevant parameters such as IMSI, IMEI and such identifications to the VBTS, which can then be appropriately evaluated in the latter."
"Method for identifying a mobile telephone (MS) in a public digital cellular mobile telephony network,
a virtual base station (VBTS) with a test mobile telephone (TMS) connected thereto being operated in spatial proximity to the mobile telephone (MS),
the network base station (BTS1), assigned to the selected location, having the highest power being used to ascertain, through a cell monitoring by means of the test mobile telephone (TMS), the list (BA) of all base stations adjacent to the location,
there being selected therefrom a base station (BTS2), which is adjacent to the base station (BTS1) of highest power assigned to the selected location,
and the virtual base station (VBTS) being then operated on its channel frequency (BCCH) with a power which, at the mobile telephone (MS), is greater than that of the network base station (BTS1) associated with the location,
and with an area code which differs from the area code (LAC) associated with the location,
and the mobile telephone (MS) being thereby caused to reselect to the virtual base station (VBTS) and exchange its parameters (IMSI, IMEI) with the latter."
The witnesses
The person skilled in the art
The common general knowledge
IMSI and IMEI
Network security
Location updates
The BA List and Roaming
Mobile phone test systems
Was an IMSI catcher possible with GSM?
"Well, I have to say, at the time, you know, the analogue method was easy. There was not much to it because you could use a scanner and listen in to cell phones on the analogue side. It was the fact they said it was GSM that I did not believe they could do it, because there were a lot of people at the time who were saying they could do it and nobody had actually proved it and, of course, the obvious way to prove it is prove it on a cell phone that you do not have anything to do with.
Q. So your perception at the time, though we do not know the exact date, was that it was a very difficult task to achieve?
A. Correct, yes."
"I knew at the time, you know, I have got to say it was definitely something that was considered to be very difficult to do because there was no physical way of matching the phone -- you know, the actual phone handset -- to the actual thing you were listening to. And then there was also talk about encryption and you had to manage to decrypt it and to decrypt it in real time off air was something that was going to be quite difficult to do because you would have to have an understanding of where the cell phone was in comparison. Those were the things that, as I recall, at the time I would have known."
"Q. It was the perception, was it not, in 1998 that cracking GSM, even to the point of getting identities, getting IMSIs, was a very difficult task?
A. That is a fair statement, yes."
"the opportunity was the difficult part actually understanding the opportunity rather than necessarily the technical side of it".
"It may be that the most important part of this article, which really gives the whole game away, is its disclosure that there is a working device which is actually capable of recovering IMSI numbers. Without the benefit of this article it is possible that some people might have thought the task was impossible, because of the widespread confidence in the security of the GSM system."
Construction
"virtual base station"
"with a power which … is greater than that of the network base station"
"in spatial proximity"
"… the VBTS is set up as spatially close as possible to the mobile telephone MS, so that approximately the same cellular environment prevails in respect of the VBTS as for the MS to be identified, as represented schematically in Figure 1."
Figure 1 shows the VBTS in a neighbouring cell to the target mobile.
"The [transmission] power of the VBTS received at the location of the MS must be greater than that of the base station BTS1, in order to fulfil the radio criterion C1 for a cell reselection. This is achieved through appropriate transmission power of the VBTS and/or through spatial proximity of the VBTS to the MS to be identified."
"public network"
The description of the DX918
"An additional feature of the GSX system is the use of the so-called "Cell Reselect Offset" parameter. This causes all handsets that can receive the signal transmitted from the GX to add an offset to the received power (we call this feature " Virtual Power"). So, we can transmit a signal of 200mW, and tell it to appear to handsets in range as 200W - thus overriding the physical power necessity of the system. All systems sold after January 2006 were shipped with the CRO hard coded to 40 dB (although it could be modified by customers via a documented procedure GXTS - 2006-03-24 CRO.pdf), and it was introduced into the client GUI in May 2006."
"By way of further clarification, both the physical transmit power of the system and the virtual power (CRO) are adjustable in 2dB steps from bare minimum values up to their maximum. The CRO cannot be fully disabled and has a minimum setting of 2dB is and a maximum setting of 120dB. Both of these settings are controlled entirely at the user's discretion. Therefore, if the user decides to transmit 20W with a CRO of 2dB, then they are able to. Training (and general practices of our clients' customers) promotes the use of CRO over power. CRO provides for a far more effective solution, whilst reducing the risk of interference and draining unnecessarily from the power source.
There is no negative effect of using CRO, so it makes sense from a user perspective to employ it. It is possible that an inexperienced user may choose to transmit a large amount of power with limited CRO. Our clients see no need to limit the user interface in any way and restrict the users configuration capability, which is why they provide a full range of control. They do not, however, recommend high physical power usage unless a high physical range is anticipated, for instance, if a target was 10 km away then they will recommend 10 W. It is even more important in those cases to use a high CRO, as we would expect your clients to be aware."
Infringement
"where the invention is a process, he uses the process or he offers it for use in the United Kingdom when he knows, or it is obvious to a reasonable person in the circumstances, that its use there without the consent of the proprietor would be an infringement of the patent."
i) no virtual base station;
ii) the CRO point.
Validity
Lack of novelty - Law
"If I may summarise the effect of these two well-known statements, the matter relied upon as prior art must disclose subject-matter which, if performed, would necessarily result in an infringement of the patent."
"Enablement means that the ordinary skilled person would have been able to perform the invention which satisfies the requirement of disclosure."
"The effect of the submission is to put a gloss on the words of the Convention: to read it as if it said "made available to the interested public". The submission is contrary to the decision of the Technical Board of Appeal of the EPO in Decision T 482/89 (OJ EPO 1992 646 at paragraphs 2.1-2.8) relying on German law to the same effect. "
The novelty citations
i) The prior presentation of the R&S GA-090 machine to T-Mobile, Vodafone and E-Plus in Munich in December 1996.ii) The prior supply of R&S's GA-900 machine and/or its instruction manuals to a number of third parties before the priority date.
iii) The prior demonstration of MMI's GSM-X device:
a) to Mr Munoz of the Spanish company Cifra at the Institute of Directors on 23rd February 1999;b) to various government agencies in March 1999 in Australia and New Zealand; andc) to GCHQ on 22 April 1999.iv) The prior publication of Nokia Patent Application No EPA 0827536 ("Nokia").
Lack of novelty over GA-900
i) Some proceedings of the German Parliament on 23 May 1997.ii) A resolution of the German Federal Council dated 4 July 1997. These proceedings refer to the GA-900. They state that "the technology is already in place for the identification of unknown call numbers of a suspicious party by means of radio measures". They describe the device as "an IMSI catcher".
iii) Articles by Dirk Fox dated September and December 1997.
iv) A document published by the German state of Nordrhein-Westfalen in 1999 based on events which had occurred in the 2 year period ending on 31 December 1998.
i) Was the GA900 and/or its instruction manuals supplied without fetter of confidence?ii) If so, did the supply of the GA 900 disclose a method in accordance with claim 1?
"We treated at the time all information from commercial sources as commercial in confidence, and we did not share that between them. It was not in our interests at all to share that information with a competitor because, in defence, it was against our way of doing business."
"Q. ... What I am implying is that you, as I think you said at the beginning, regarded yourself and your associates as being bound by duties to each other and, let us say, the Australian state under the Defence Clearance Obligations?
A. Yes.
Q. As part of that, none of you would go off and tell criminals or terrorists or the newspapers about things that went on at these meetings?
A. Yes.
Q. However, I suggest to you that it is not correct that you felt you owed a duty of confidence to Mr. Stokes as such because your primary duty is to the state and to your employers?
A. But we need to be careful to separate here. We would evaluate a product and see if it would do what we required it to do, and if it did we would buy it. But we would not discuss with Rohde & Schwarz what Nick Stokes discussed with us, and we would not discuss with Nick Stokes what Rohde & Schwarz discussed with us, for a purely practical reason, that we needed to be above any sort of collusion. We had to be above any sort of preferential treatment to any contractor, so we were always very careful not to achieve that."
i) The first document was dated after the priority date in 2000. It is headed "Commercial in Confidence".ii) The second document, carrying the date 20th February 1998, is headed "Commercial in Confidence" and entitled "GSM Test System 900: GSM networks are becoming transparent". It has a screenshot of a device which includes a button labelled "SET LAC". The text explains that:
"This base station (GA900) transmits a beacon frequency with modified parameters. All mobiles in the vicinity of the simulated base station will now sequentially log-in on GA900 and it is possible to request IMSI and IMEI. This procedure is like a normal location update from one cell to another and therefore not noticeable for the subscriber."iii) The third document is headed Confidential and is entitled "Technical Description – GSM Test System GA900" and dated 28th September 1995. In section 4 headed "Realization Concept": it says this:
"As described in chapter 3.3, the mobile station continually controls the CCH carrier of the adjacent cells. If required, it actuates a change of cells. Changing the location area is combined with a location update. The intercept station introduced then generates such a carrier simulating that the mobile station is requested to change into another cell of the same network.
The system selects one of the adjacent cells. The simulated cell requires to have another LAC so that a mobile explicitly can log in into the GA900. … The location update can be effected without problems. The network is not disturbed. This is why adjacent cell configurations are adopted by the cell to be simulated, too. …
As soon as a mobile station has performed a location update and logged in the virtual base station, the GSM test system GA900, the monitoring system can interrogate the parameters IMSI and IMEI without any problems, as it acts like a normal base station."
H and B
Lack of Novelty over prior disclosure of GSM-X
"I do recall that at the beginning of each one of the demonstrations that took place in March 1999 both Anthony Timson, Peter Harris and myself did express to those present at the demonstrations that what they were about to be told and see was highly confidential".
Obviousness
Law
"In the result I would restate the Windsurfing questions thus:
(1) (a) Identify the notional "person skilled in the art"
(b) Identify the relevant common general knowledge of that person;
(2) Identify the inventive concept of the claim in question or if that cannot readily be done, construe it;
(3) Identify what, if any, differences exist between the matter cited as forming part of the "state of the art" and the inventive concept of the claim or the claim as construed;
(4) Viewed without any knowledge of the alleged invention as claimed, do those differences constitute steps which would have been obvious to the person skilled in the art or do they require any degree of invention?"
The obviousness attacks
i) common general knowledge alone;ii) GA 900 prior use;
iii) the article by Dirk Fox;
iv) Nokia Patent Application EP 0827356 ("Nokia");
v) 8922 test equipment.
Obviousness over common general knowledge
i) It is impossible to rely on getting a targeted individual's IMSI or IMEI from the network provider, because the target could be using a pay-as-you-go phone or a stolen one.ii) The IMSI and IMEI numbers cannot be captured by passive tapping of the network, because only the TMSI is transmitted before encryption is enabled.
iii) It follows that the IMSI must be extracted by communicating with the phone itself.
iv) There is only one way to communicate with a GSM phone, and that is to emulate a base station, because GSM mobiles are programmed to ignore all communications other than those from base stations whose frequencies are listed on their current BA list.
v) To emulate a base station whose frequency is on the target's current BA list requires one to know (or at least make an intelligent guess at) what the BA list consists of, which can be done either by having each network's map (not easily accessible and possibly out of date) or by using a conventional test mobile.
vi) In order to get the mobile to do anything, it is not enough merely to emulate one of its neighbouring base stations: it is necessary to make the IMSI catcher more attractive than the mobile's current base station.
vii) Once the IMSI catcher is more attractive than the current base station, the target (and other mobiles in the area) will camp to it.
viii) Even then, nothing will necessarily happen straight away because when mobiles camp to base stations they do not announce their presence unless the new base station is transmitting a different location area code.
ix) So the IMSI catcher must either wait for the mobiles in range to perform their periodic updates (after a minimum of six minutes, an essentially pointless wait in any practical scenario) or transmit a different location area code which will prompt a location area update right away.
x) Having got the mobile to perform a location area update it is possible to require it to produce its IMSI and IMEI.
Obviousness over GA900 prior use
Obviousness over the Fox article
"In GSM mobile telephone systems, the encrypted transmission to the air interface (between device and base station) prevents mobile phones from being directly tapped. Due to the use of temporary, alternating subscriber identities (TMSI), which is a kind of technical "pseudonym", it is not possible to identify the mobile phone subscriber (or his telephone number)."
"IMSI Catchers" are devices that affect a subscriber located in the vicinity like a terrestrial mobile telephone network base station system. Every mobile phone that is switched on within the footprint is automatically registered for this "IMSI Catcher". Subscribers are not aware of such a "disguised" device, because GSM involves only one-way authentication (from the mobile phone to the mobile telephone network). A two-way authentication protocol would prevent this type of masqueraded breach, although this is not part of the GSM specification.
To identify a telephone number assigned to a mobile phone, the worldwide unique identity number (International Mobile Subscriber Identity - IMSI) of the mobile phone must be known. The "IMSI Catcher" therefore requires the mobile phone to use the IMSI instead of a TMSI. "
"Rohde & Schwarz (Munich) has developed an "IMSI Catcher" under the name of "GA 900", which enables an IMSI to be identified…. Other manufacturers may now have developed similar devices. "
Obviousness over Nokia
"60. Since the tapping device described in the Nokia Patent Application is a fake base station (and Nokia specifically suggest that it can be made by adapting standard base station equipment), it seems to me obvious that it could also be used for IMSI catching by the use of the standard base station procedures described in previous sections of this report. Trying again to put myself in the position of an investigator using the device described by Nokia, it seems to me obvious the investigator would want to know the IMSI and IMEI for the evidential purposes mentioned above. The first time a call from a target mobile was intercepted, the connection with the fake base station would be initiated by the target mobile (as always happens when a mobile makes a call) and, in the course of the call, the fake base station could issue an instruction to the mobile to disclose its IMSI and IMEI, using the standard commands. "
"61. But investigators do not (I imagine) generally confine themselves to recording just one mobile phone call from a person under investigation. … Obviously, as I see it, the investigator would like to know in advance of calls being intercepted whether the target phone is actually in range of the fake base station. Assuming a target phone's IMSI is already known to from earlier interceptions, it would be desirable to know that the target phone is still in range. Any GSM engineer would know that the target mobile will not respond unprompted to the tapping device, unless the tapping device gives out a signal indicating it is in a different Location Area. This is elementary. So if the user of the tapping equipment described by Nokia wished to use it in the manner I have described, it would have to be operated in the manner described in the Patent".
Obviousness over HP8922 GSM test sets
Liability of Mr Timson
Conclusion