BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?

No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!



BAILII [Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]

England and Wales High Court (Patents Court) Decisions


You are here: BAILII >> Databases >> England and Wales High Court (Patents Court) Decisions >> MMI Research Ltd v Cellxion Ltd & Ors [2009] EWHC 418 (Pat) (11 March 2009)
URL: http://www.bailii.org/ew/cases/EWHC/Patents/2009/418.html
Cite as: [2009] Info TLR 35, [2009] EWHC 418 (Pat)

[New search] [Printable RTF version] [Help]


Neutral Citation Number: [2009] EWHC 418 (Pat)
Case No: HC 2006 C02649

IN THE HIGH COURT OF JUSTICE
CHANCERY DIVISION
PATENTS COURT

Royal Courts of Justice
Strand, London, WC2A 2LL
11/03/2009

B e f o r e :

THE HON MR JUSTICE FLOYD
____________________

Between:
MMI RESEARCH LIMITED
Claimant
- and -

CELLXION LIMITED
CELLXION NETWORKS LLC
MARK BRUMPTON
DATONG ELECTRONICS PLC
ROHDE & SCHWARZ GMBH & CO. KG.
ANTHONY TIMSON





Defendants

____________________

Martin Howe QC and Henry Ward (instructed by Charles Russell LLP) for the Claimant
Alastair Wilson QC and Simon Malynicz (instructed by Edwin Coe LLP) for the Defendants
Hearing dates: February 11th-13th, 16th-18th and 20th, 2009

____________________

HTML VERSION OF JUDGMENT
____________________

Crown Copyright ©

    Mr Justice Floyd:

    Introduction

  1. The Global System for Mobile Communications (GSM) was intended to increase the security of mobile phone communications from unauthorised tracking of users and tapping of their conversations. Law enforcement authorities may nevertheless wish to break through the security thus provided in order to track the movement of telephones and their owners. This case is about a patent for a method of breaking through the GSM security so that the identification numbers of a mobile telephone and its user can be obtained.
  2. The Parties

  3. The claimant, MMI Research Limited ("MMI"), is a co-owner with the fifth defendant, Rohde & Schwarz GmbH & Co. KG ("R&S"), of European Patent (UK) No. 1 051 053 ("the Patent"). R&S, a German company and the original patentee, has taken no active part in the proceedings beyond giving disclosure of documents. It is a party because section 66(2) of the Patents Act 1977 requires it to be one.
  4. In 2004 R&S deployed the Patent to sue MMI in Germany in respect of MMI's product. MMI contended that the Patent was invalid, relying, amongst other things, on R&S's prior sales. The proceedings between R&S and MMI were settled in October 2005, whereupon MMI entered into a co-ownership agreement with R&S. In the present proceedings, MMI contend that the Patent is valid and sue CellXion for infringement.
  5. The first defendant, CellXion Limited ("CellXion"), sells a product called variously the DX918 or GX918 which is alleged to infringe the Patent. The second defendant, CellXion Networks LLC ("CellXion US"), is the CellXion company which operates in the United States.
  6. The third defendant, Mark Brumpton, owns 100% of CellXion US and (with his wife) 100% of CellXion. He is a director of both companies. The sixth defendant, Anthony Timson is a consultant to CellXion and CellXion US. Both Mr Brumpton and Mr Timson are former employees of MMI. Mr Timson was also a director and shareholder of MMI. Both Messrs. Brumpton and Timson left MMI at the end of 2003. Mr Timson is not a director or shareholder of, but is a paid consultant to, CellXion. There is an issue about whether Mr Timson is personally liable for the acts of the CellXion companies.
  7. The fourth defendant, Datong Electronics plc ("Datong"), is a distributor of the products of CellXion and CellXion US in the United Kingdom, including the alleged infringing products.
  8. I will refer to the defendants (other than the fifth defendant) together as "CellXion" except when it is necessary to distinguish between them. Mr Alastair Wilson QC appeared for CellXion with Mr Simon Malynicz; Mr Martin Howe QC appeared for MMI with Mr Henry Ward.
  9. The Patent in suit

  10. The Patent is entitled "Method for identifying a mobile phone user or for eavesdropping on outgoing calls". It has a priority date of 3rd May 1999.
  11. The text of the Patent is in the German language. The trial has been conducted on the basis of an English translation, and page references in this judgment are to that translation.
  12. At page 1 lines 6 to 12 the specification says the following:
  13. "In the case of modern public digital cellular mobile telephony networks, there is frequently a need, in the public interest, to identify the user of a mobile telephone by ascertaining his/her IMSI (International Mobile Subscriber Identity) or the IMEI (International Mobile Station Equipment Identity) of the mobile telephone used by him/her, or even to intercept the calls of that user."
  14. Having discussed a number of items of prior art not relied on in this action, at page 3 lines 1 to 6, the specification explains the object of the invention in the following terms:
  15. "It is therefore the object of the invention to make available to the thus authorised public services such as, for example, the police, a method by which, in a digital cellular mobile telephony network, any users of mobile telephones can be identified..."
  16. The specification goes on to explain at page 4 lines 11 onwards that, in order to capture the IMSI and IMEI, a virtual base station [VBTS] is used. The virtual base station is said to be, preferably, a mobile device constructed like an ordinary network base station. The virtual base station is connected to a test mobile telephone [TMS]. The virtual base station is set up as spatially close as possible to the target mobile telephone [MS], so that approximately the same cellular environment prevails in respect of the virtual base station as for the target mobile.
  17. A mobile phone network provides all mobiles with a BA list. The BA list is a list of all the base stations operated in the vicinity of the mobile, together with the associated channel information. The test mobile phone is used to obtain the BA list prevailing in the area where the target mobile is situated. The virtual base station then selects a base station from the BA list obtained for it by the test mobile. The virtual base station now has the information it needs in order to "pretend" that it is a neighbouring base station to the target mobile and can broadcast on an appropriate channel.
  18. The virtual base station needs, however, not only to pretend to be a base station, but also to cause the target mobile to attach to it, rather than to any of the other base stations on the target mobile's BA list. At page 5 lines 24 to 29, the specification says this:
  19. "The [transmission] power of the VBTS received at the location of the MS must be greater than that of the base station [to which the target mobile is attached], in order to fulfil the radio criterion C1 for a cell reselection. This is achieved through appropriate transmission power of the VBTS and/or through spatial proximity of the VBTS to the MS to be identified."
  20. The next step is to cause the mobile to give up its IMSI and IMEI numbers. As explained at page 6 line 1 onwards, in the GSM network, groups of spatially adjacent base stations are combined by the network operator into groups identified by local area code, or LAC. When a mobile telephone moves into a new group identified by a new LAC, it has to re-inscribe itself onto the network. In the method according to the invention, although the virtual base station may be in the same LAC as the target mobile, it transmits a different ("out-of-area") LAC, in order to persuade the mobile that it has moved to a different group of cells (when in fact it has not). As the specification explains at page 6 line 13:
  21. "This has the result that, upon the inscription in the VBTS of the MS which is to be identified, the MS also actually transmits its relevant parameters such as IMSI, IMEI and such identifications to the VBTS, which can then be appropriately evaluated in the latter."
  22. Only claim 1 is relevant. Claim 4 is also alleged to be infringed and relates to tapping of conversations, but it is accepted not to be independently valid. Claim 1 is in the following form:
  23. "Method for identifying a mobile telephone (MS) in a public digital cellular mobile telephony network,
    a virtual base station (VBTS) with a test mobile telephone (TMS) connected thereto being operated in spatial proximity to the mobile telephone (MS),
    the network base station (BTS1), assigned to the selected location, having the highest power being used to ascertain, through a cell monitoring by means of the test mobile telephone (TMS), the list (BA) of all base stations adjacent to the location,
    there being selected therefrom a base station (BTS2), which is adjacent to the base station (BTS1) of highest power assigned to the selected location,
    and the virtual base station (VBTS) being then operated on its channel frequency (BCCH) with a power which, at the mobile telephone (MS), is greater than that of the network base station (BTS1) associated with the location,
    and with an area code which differs from the area code (LAC) associated with the location,
    and the mobile telephone (MS) being thereby caused to reselect to the virtual base station (VBTS) and exchange its parameters (IMSI, IMEI) with the latter."

    The witnesses

  24. MMI called a number of factual witnesses, and an expert. With the exception of Mr Stokes (dealt with below) the factual witnesses gave their evidence fairly. For some reason MMI adduced a lengthy witness statement of Mr Slatter which traversed previous litigation between the parties which had been settled. It was said to go to Mr Timson's credibility: but in the end no real attack on his credibility was made. It should not have been prepared, let alone adduced. Patent litigation is complex and costly enough as it is.
  25. MMI's expert, Dr Maile is a qualified engineer who has acted as a consultant to numerous telecommunications operators. He was directly involved in looking at the potential for GSM interception from 1995 to 1998 as a consultant to a network operator.
  26. CellXion also called factual witnesses and an expert. All their witnesses, including Mr Timson and Mr Brumpton, gave their evidence fairly. Their expert was Mr Mark Anderson, a software engineer with practical GSM experience. From 1998 to 2000 he worked as a senior member of one of the software development teams at Nokia.
  27. Both sides also called witnesses with practical experience of the use of the devices in question. MMI called Mr Kenneth McDonald and CellXion called Mr Jack Crosley. Their evidence may have at times crossed the boundary into expert evidence, but neither side took objection to this. I found their evidence helpful as well.
  28. The person skilled in the art

  29. The Patent is addressed to an engineer with the hardware and software skills necessary to build and operate a virtual base station for collecting the IMSIs and IMEIs of mobile telephones within its footprint. In practice this would be a GSM engineer concerned with the security aspects of the GSM system.
  30. Mr Wilson submitted that the skilled person would be someone familiar with "Mobility Management". Whilst I accept that the skilled person would be familiar with the basic technology which allows a mobile phone to roam in a network, there is a danger in supposing that the skilled person has too close a focus on mobility management, which is not really what the Patent is concerned with.
  31. The common general knowledge

  32. All of the following would be part of the common general knowledge of the skilled person.
  33. IMSI and IMEI

  34. An important feature of GSM is the subscriber identity module or SIM. The SIM is a smart card which stores data personal to the subscriber, including a unique International Mobile Subscriber Identity or IMSI. GSM also provides that each handset is separately identified by a unique number, called the International Mobile Equipment Identity or IMEI.
  35. Network security

  36. Prior to the advent of GSM, mobile telephone networks could be easily tapped simply by listening on the correct frequency. In these prior analogue systems, as soon as a mobile telephone was used to make a call, it could be intercepted by any listening device which was in range. These devices were passive, depending as they did on intercepting an outgoing call from the mobile.
  37. GSM set out to provide a greater measure of security both to network providers and to subscribers: the former because they wished to be protected against the misuse of subscriber data so as to make free calls; the latter because they wished to ensure that their conversations and data transmissions were private.
  38. GSM introduced two major changes to assist with security. The first was the introduction of the Temporary Mobile Subscriber Identity or TMSI. The TMSI is supplied by the network and is used, once the phone is logged on to the network, for all communications thereafter with the network. The TMSI changes regularly (unlike the IMSI which does not change), so it is of limited use to anyone seeking to misuse it. The second security feature introduced by GSM was encryption. In the course of ordinary communication, if encryption is enabled, all voice and data traffic is encrypted. For practical purposes in 1999 this meant that it was impossible to listen to a call by decrypting the signal. Not all networks use encryption. Where encryption is used, the network is able to turn encryption off.
  39. Location updates

  40. When a mobile telephone is in idle mode it will perform periodic location updates by communicating with the network. In order to save battery, these updates are relatively infrequent. The frequency will vary between networks, from as little as 6 minutes to as much as 180 minutes or even 240 minutes. Although called a location "update", a phone which has not moved between updates will obviously be returning the same location information each time it reports.
  41. The mobile phone must also perform a location update when it enters a new location area. A location area is a group of base stations, sharing a location area code or LAC. The mobile phone does not perform a location update when it merely changes base stations within a location area. Thus the network will know which location area a phone is in, but not which base station in the area it is camped to.
  42. Finally a location update is performed when the mobile phone is switched on, provided that the network requires it to do so by setting a flag (ATT).
  43. When the location update is performed in this way, the mobile uses its TMSI and not its IMSI. The base station can then perform an identification request and obtain the IMSI. It can also turn off the encryption.
  44. However, when switched on and in idle mode, the mobile phone only performs a location update on the periodic basis or when moving from one location area to another.
  45. The BA List and Roaming

  46. In order to have access to a network, the caller's IMSI must be registered on that network. Some networks also require the phone to give its IMEI: this can be used as a means of preventing that phone from being used on other networks.
  47. All mobiles which are camped on a particular base station will receive from that base station the Broadcast Control Channel (BCCH). One of the pieces of information broadcast on that channel is the BA (BCCH Allocation) List. This is a list of a number of neighbouring base stations which the network designer considers appropriate and which the mobile might encounter as it proceeds to move through the network. The BA List gives the channel number of the neighbouring stations included on it. If a channel is not on the BA list, the mobile phone will not listen to radio transmissions on it.
  48. The mobile constantly scans the frequencies of the base stations on the BA list for the purpose of selecting, on the basis of the C1 parameter, the most powerful base stations. The C1 parameter is based on the actual received power.
  49. The six most powerful stations based on the C1 parameter are then examined by the mobile phone to determine, using the C2 parameter, whether they are more attractive as base stations. The C2 parameter not only takes account of actual power, but also of an offset called the Cell Reselection Offset or CRO. The CRO boosts the apparent power of the base station (but not the real power). This is done, for example, when it is desired to cause all phones in a particular area to camp on to a temporary base station, such as one erected at a pop concert or sporting event. If a base station is found to be more attractive, the mobile will reselect to that base station. Once camped to the new base station, the mobile phone will take a new BA List from that base station and discard the old one.
  50. Mobile phone test systems

  51. Systems engineers would be familiar with test equipment for mobile telephones and base stations. Such test equipment is capable of simulating a base station with a very small footprint, and can be used to check the operation of mobile phones. Normally such a test equipment would transmit at very low power to mobiles situated on the test bench in close proximity to it.
  52. Test equipment of this kind includes settable parameters, including Mobile Country Code, Mobile Network Code and Local Area Code. The effect of changing any of these parameters on a test equipment of this kind would be to cause a location update procedure in the mobiles within its range.
  53. An example of a test equipment of this kind was the Agilent 8922 marketed by Hewlett Packard. Rohde & Schwarz marketed comparable machines before the priority date called the CMD 52 and CMD 55. They also sold a device called the CTD go/no go tester. All these devices can be used to obtain the IMSI from the mobile under test by performing a location update procedure.
  54. Was an IMSI catcher possible with GSM?

  55. It is common ground that there was a natural desire, of which the skilled team would be aware, for a device capable of catching IMSIs in 1999. There was, however, a widely held belief that GSM security was unbreakable, and that accordingly tapping of conversations and the obtaining of identities would be very difficult or impossible. The perceived difficulty was created by the fact that the procedures which had been possible in analogue were prevented by the fact that GSM was (a) almost always protected by the use of the TMSI and (b) encrypted.
  56. Mr Shivtiel, an engineer who worked for Datong in the relevant time period gave evidence about this:
  57. "Well, I have to say, at the time, you know, the analogue method was easy. There was not much to it because you could use a scanner and listen in to cell phones on the analogue side. It was the fact they said it was GSM that I did not believe they could do it, because there were a lot of people at the time who were saying they could do it and nobody had actually proved it and, of course, the obvious way to prove it is prove it on a cell phone that you do not have anything to do with.
    Q. So your perception at the time, though we do not know the exact date, was that it was a very difficult task to achieve?
    A. Correct, yes."
  58. Mr Shivtiel also said:
  59. "I knew at the time, you know, I have got to say it was definitely something that was considered to be very difficult to do because there was no physical way of matching the phone -- you know, the actual phone handset -- to the actual thing you were listening to. And then there was also talk about encryption and you had to manage to decrypt it and to decrypt it in real time off air was something that was going to be quite difficult to do because you would have to have an understanding of where the cell phone was in comparison. Those were the things that, as I recall, at the time I would have known."
  60. Mr Timson confirmed the perceived difficulty in cross-examination:
  61. "Q. It was the perception, was it not, in 1998 that cracking GSM, even to the point of getting identities, getting IMSIs, was a very difficult task?
    A. That is a fair statement, yes."
  62. Mr Timson later explained that he was surprised at how easy it had been for him, whilst working at MMI, to achieve a device which obtained the IMSI. He said that:
  63. "the opportunity was the difficult part actually understanding the opportunity rather than necessarily the technical side of it".
  64. Even Mr Anderson, CellXion's expert said, in relation to the Dirk Fox citation:
  65. "It may be that the most important part of this article, which really gives the whole game away, is its disclosure that there is a working device which is actually capable of recovering IMSI numbers. Without the benefit of this article it is possible that some people might have thought the task was impossible, because of the widespread confidence in the security of the GSM system."
  66. In my judgment the notion that the task was regarded as a difficult or impossible one would form part of the mental approach of the skilled team. That is not to say that, if faced with a disclosure of a device which claimed to catch the IMSI, the skilled person would not believe it. The perceived technical difficulty is, however, a factor when considering whether the invention is obvious from some of the starting points relied on here.
  67. Construction

  68. There was no dispute as to the approach to be taken to the construction of a patent specification. The task for the court is to determine what the person skilled in the art would have understood the patentee to have been using the language of the claim to mean: see Kirin Amgen v TKT [2005] RPC 9 [30]-[35].
  69. "virtual base station"

  70. CellXion contended that the claim was limited to use of a base station built around test apparatus rather than a "real base station". They contended that numerous things pointed towards this conclusion. Firstly they pointed to the absence of any discussion in the specification of the TMSI. Secondly they pointed to the fact that the specification did not refer to any positive steps to require the mobile to transmit its IMSI or IMEI. Thirdly they drew attention to the fact that the test machines of which evidence had been given appeared to operate by returning the IMSI in response to a LAC change, without the need for any intervention. Fourthly they point to the fact that the final words of the claim ("the mobile telephone being thereby caused to reselect") suggest direct causation, which would be the case in the test machine, but not, so they contended, in a machine built around a real base station.
  71. I reject these submissions. They involve reading into the claims a limitation which is not present. There is no difficulty with the term "virtual base station". It is merely a false base station introduced into the network. There is no restriction in the claim to base stations built around test apparatus, or any basis for distinguishing these from any other type of false base station. The "thereby" clause at the end of the claim does not imply that no further step is necessary to cause the mobile to give up its IMSI or IMEI.
  72. "with a power which … is greater than that of the network base station"

  73. There was, in the end, no issue as to the correct construction of this phrase. It means real power (as measured at the mobile telephone) as opposed to the power after taking into account CRO. Although there was plainly scope for an argument that, taking into account the technical purpose, the skilled person would understand power to include virtual power (i.e. power adjusted taking into account CRO), Mr Howe expressly disclaimed the latter construction as unnecessary.
  74. "in spatial proximity"

  75. CellXion contends that this phrase is unclear. Two passages in the specification are relevant. First, at page 4 line 23:
  76. "… the VBTS is set up as spatially close as possible to the mobile telephone MS, so that approximately the same cellular environment prevails in respect of the VBTS as for the MS to be identified, as represented schematically in Figure 1."

    Figure 1 shows the VBTS in a neighbouring cell to the target mobile.

  77. Second, at page 5 lines 24-29:
  78. "The [transmission] power of the VBTS received at the location of the MS must be greater than that of the base station BTS1, in order to fulfil the radio criterion C1 for a cell reselection. This is achieved through appropriate transmission power of the VBTS and/or through spatial proximity of the VBTS to the MS to be identified."
  79. It is possible that the most powerful network base station both at the virtual base station and at the mobile is the same (say BTS1). Where this is the case, the virtual base station will know that it must transmit at a greater power than BTS1. It is clear, however, that the Patent contemplates that the virtual base station may be in a different cellular environment from that of the mobile. If so, its BA list may not show BTS1 as the strongest: it may show a different base station (say BTS2) as the strongest. There is therefore no guarantee that, when the virtual base station transmits as, and with a power greater than, BTS2, it will be reselected by the mobile. Nevertheless, if it transmits on a frequency chosen from its BA list and does attract the mobile by using a power greater than BTS1, I see nothing to prevent the method falling within the claim.
  80. CellXion's real objection to this aspect of the claim is that it does not specify what degree of proximity is required. I think that all that is required is that the VBTS is sufficiently close that it can transmit with enough real power to be re-selected by the target mobile. If the claim were to be read as limited to the case where the virtual base station and target mobile were in an identical cellular environment, the claims would be inconsistent with the description and drawings.
  81. CellXion did not suggest that, if I was able to reach a conclusion as to a meaning of the phrase, this point on construction would have any further significance to the issues in the case.
  82. "public network"

  83. This question arises because an early demonstration of the CellXion system was performed on a private network. It is alleged that this constituted a use of the method of claim 1. The issue is of relatively minor significance in view of the other conclusions I have reached.
  84. MMI submitted that the phrase extended to any public network, and any private network set up to function in the relevant respects like a public network. It submitted that the skilled reader would understand that the term "public" was being used in a technical rather than a legal sense. CellXion submitted that the method was only infringed when used on a public network, in the sense of a network to which the public at large can have access.
  85. On balance I prefer MMI's submissions. The underlying purpose of the method is the detection of IMSIs and IMEIs of telephones operating in a network consisting of a number of base stations. I cannot conceive of any reason why the skilled reader would understand that the patentee wished to exclude from its claim to networks which have all the technical features of the claim but which are not open to the public.
  86. The description of the DX918

  87. The CellXion device is called the DX918 or GX918. It is not necessary for the purposes of this judgment to provide a complete description of the way in which it works. The important question is the use of the cell reselection offset to increase the apparent or virtual power. As to this, the Description provided by CellXion states as follows:
  88. "An additional feature of the GSX system is the use of the so-called "Cell Reselect Offset" parameter. This causes all handsets that can receive the signal transmitted from the GX to add an offset to the received power (we call this feature " Virtual Power"). So, we can transmit a signal of 200mW, and tell it to appear to handsets in range as 200W - thus overriding the physical power necessity of the system. All systems sold after January 2006 were shipped with the CRO hard coded to 40 dB (although it could be modified by customers via a documented procedure GXTS - 2006-03-24 CRO.pdf), and it was introduced into the client GUI in May 2006."
  89. A GUI is a graphical user interface. The documented procedure GXTS - 2006-03-24 CRO.pdf contains a set of commands which can alter the gain in dBs from zero to 120dB. It explains that virtual power will be implemented through the GUI in future releases, but the procedure outlined in the documents allows the functionality to be enabled through the system admin console.
  90. Despite what is said in the Description, neither Mr Timson nor Mr Brumpton was certain that the system shipped to Datong in March 2006 had the CRO hard wired at 40dB. This is unsatisfactory. The effect of the service of the Description is that CellXion has been relieved of giving disclosure on the issue of infringement. It is clear from Mr Timson's evidence that he did have access to documents which might have thrown considerable light on this issue, but which had not been disclosed. If a party is not certain about important technical features of an alleged infringing device, then a product description is inappropriate. Proper disclosure should be given. On balance, I conclude that the machine shipped to Datong in March 2006 did not have fixed CRO.
  91. In a letter dated 14th of January 2009, CellXion's solicitors provided further clarification as follows:
  92. "By way of further clarification, both the physical transmit power of the system and the virtual power (CRO) are adjustable in 2dB steps from bare minimum values up to their maximum. The CRO cannot be fully disabled and has a minimum setting of 2dB is and a maximum setting of 120dB. Both of these settings are controlled entirely at the user's discretion. Therefore, if the user decides to transmit 20W with a CRO of 2dB, then they are able to. Training (and general practices of our clients' customers) promotes the use of CRO over power. CRO provides for a far more effective solution, whilst reducing the risk of interference and draining unnecessarily from the power source.
    There is no negative effect of using CRO, so it makes sense from a user perspective to employ it. It is possible that an inexperienced user may choose to transmit a large amount of power with limited CRO. Our clients see no need to limit the user interface in any way and restrict the users configuration capability, which is why they provide a full range of control. They do not, however, recommend high physical power usage unless a high physical range is anticipated, for instance, if a target was 10 km away then they will recommend 10 W. It is even more important in those cases to use a high CRO, as we would expect your clients to be aware."
  93. A CRO of 2 dB provides only minimal additional apparent power.
  94. Infringement

  95. The allegation of infringement is made pursuant to section 60(1)(b) of the Patents Act 1977. That section provides that a person will infringe a patent if:
  96. "where the invention is a process, he uses the process or he offers it for use in the United Kingdom when he knows, or it is obvious to a reasonable person in the circumstances, that its use there without the consent of the proprietor would be an infringement of the patent."
  97. CellXion ran two main points of non-infringement:
  98. i) no virtual base station;

    ii) the CRO point.

  99. The first of these points is essentially one of construction. The DX918 is a virtual base station as I have construed that term. It also satisfies the "thereby" clause at the end of the claim.
  100. The CRO point is that, by using a combination of power and CRO, the DX918 does not satisfy the requirement of the claim that the target mobile selects the base station of highest power. There is no doubt that users of the DX918 are recommended to use substantial amounts of CRO. Although there were differences between Mr McDonald and Mr Crosley as to the advisability of using power alone to attract mobiles to a base station when CRO was available, it was in the end common ground that there will inevitably be times when the DX918 is transmitting at a higher real power than the network base station and will therefore be re-selected on this basis.
  101. In order to infringe under section 60(1)(b) it is only necessary to offer a method, the use of which will obviously infringe. Mr Howe puts this in two ways. First he says that, in the light of the evidence, it is obvious that any machine that is sold will infringe some of the time, and that is enough for section 60(1)(b). Secondly he says that where, as here, a device is sold with a user-settable parameter, the vendor is in fact offering a range of processes made up of each of the possible settings of that parameter, and some of these will inevitably infringe. I think that both these ways of putting the case are made out on the evidence in this case. The CRO point is not a ground of non-infringement.
  102. Validity

  103. Both lack of novelty and obviousness are relied on by CellXion.
  104. Lack of novelty - Law

  105. A patent will be invalid for lack of novelty if the invention claimed in it is not new in the light of the state of the art at its correct priority date. The state of the art is everything made available to the public by written or oral description or by use or in any other way (see s. 2(2) 1977 Act).
  106. In Synthon BV v SmithKline Beecham plc [2005] UKHL 59 Lord Hoffmann explained the dual requirements for the objection of lack of novelty to succeed: disclosure and enablement. After quoting from the judgments of Lord Westbury LC in Hills v Evans (1862) 31 LJ(NS) 457, 463 and of the Court of Appeal (Sachs, Buckley and Orr LJJ) in General Tire and Rubber Co v Firestone Tyre and Rubber Co Ltd [1972] RPC 457, 485-486, Lord Hoffmann said this at paragraph 20:
  107. "If I may summarise the effect of these two well-known statements, the matter relied upon as prior art must disclose subject-matter which, if performed, would necessarily result in an infringement of the patent."
  108. At paragraph 26 of his opinion Lord Hoffmann said this:
  109. "Enablement means that the ordinary skilled person would have been able to perform the invention which satisfies the requirement of disclosure."
  110. The matter relied upon must have been made available to the public. It is sufficient to make a document or other subject matter available to the public if it is made available to a single person who is free in law and equity to make use of it for himself: PLG v Ardon International [1993] FSR 197 at 226. If the communication is encumbered with an obligation of confidence, expressed or implied, the communication has no invalidating effect.
  111. A person is no less free in law and equity to make use of information if he decides autonomously to keep the information secret. Thus, in T 1022/99 (Van Wonterghem, Antoine) the Technical Board of Appeal of the European Patent Office held that a sale to a single purchaser with no obligation of secrecy towards the vendor was invalidating notwithstanding the fact that the object sold was destined to be incorporated into the purchaser's confidential prototype. De facto secrecy of this kind is not enough.
  112. CellXion reserved for further argument on appeal the submission that, where a document or other matter is effectively made available in fact to every person having an interest in it, it should be treated as made available to the public, even if all the individual recipients were supplied the material in confidence. I cannot accept that submission. As I said in relation to a similar submission in Qualcomm v Nokia [2008] EWHC 329 (Pat) at 112:
  113. "The effect of the submission is to put a gloss on the words of the Convention: to read it as if it said "made available to the interested public". The submission is contrary to the decision of the Technical Board of Appeal of the EPO in Decision T 482/89 (OJ EPO 1992 646 at paragraphs 2.1-2.8) relying on German law to the same effect. "
  114. Where prior availability of a machine is relied upon, it is not enough simply to prove that the sale was made. It is necessary to go further and establish what information was made available by the sale, and compare that information with the requirements of the claim. If the prior use was uninformative as to those matters, it will not count as an anticipation: see per Lord Hoffmann in Merrell Dow v Norton [1996] RPC 76 at 86. What the prior use discloses in fact will normally require evidence.
  115. The burden of proving that matter was made available to the public lies with the party asserting it, i.e. CellXion.
  116. The novelty citations

  117. CellXion alleged that the invention of claim 1 lacked novelty over:
  118. i) The prior presentation of the R&S GA-090 machine to T-Mobile, Vodafone and E-Plus in Munich in December 1996.

    ii) The prior supply of R&S's GA-900 machine and/or its instruction manuals to a number of third parties before the priority date.

    iii) The prior demonstration of MMI's GSM-X device:

    a) to Mr Munoz of the Spanish company Cifra at the Institute of Directors on 23rd February 1999;
    b) to various government agencies in March 1999 in Australia and New Zealand; and
    c) to GCHQ on 22 April 1999.

    iv) The prior publication of Nokia Patent Application No EPA 0827536 ("Nokia").

  119. Mr Wilson abandoned the GA-090 allegation in the course of his final speech. He also, correctly in my judgment, did not press the allegation of lack of novelty over Nokia.
  120. Lack of novelty over GA-900

  121. It is common ground that the method of operation of the GA-900 fell within claim 1. The issues are therefore whether the GA900 or its instruction manuals were supplied; whether such supply was without fetter of confidence and if so whether such supply amounted to a disclosure of the invention of claim 1.
  122. CellXion say that a number of documents show that the GA-900 was disclosed to the public before the priority date:
  123. i) Some proceedings of the German Parliament on 23 May 1997.

    ii) A resolution of the German Federal Council dated 4 July 1997. These proceedings refer to the GA-900. They state that "the technology is already in place for the identification of unknown call numbers of a suspicious party by means of radio measures". They describe the device as "an IMSI catcher".

    iii) Articles by Dirk Fox dated September and December 1997.

    iv) A document published by the German state of Nordrhein-Westfalen in 1999 based on events which had occurred in the 2 year period ending on 31 December 1998.

  124. I do not think that these materials demonstrate any more than the fact that a machine known to be capable of IMSI catching had been sold or supplied, and some deductions had been made as to how it worked. In their pleadings CellXion indicated that they would rely on supplies of the GA-900 and/or its instruction manuals to the Australian Government in April 1998 (by R&S Australia), and to two further parties identified in the confidential further particulars of the grounds of invalidity dated 30th January 2009. I shall refer to these further parties as H and B respectively.
  125. It is clear that the GA900 was supplied to the Australian Government. So far as the Australian Government is concerned, there are two points:
  126. i) Was the GA900 and/or its instruction manuals supplied without fetter of confidence?

    ii) If so, did the supply of the GA 900 disclose a method in accordance with claim 1?

  127. On the first of these points, I heard evidence from Lieutenant Colonel Cooke, a former Director of Electronic Warfare Projects – Land at the Australian Department of Defence. He had direct knowledge of the sale. His evidence about commercial confidence was this:
  128. "We treated at the time all information from commercial sources as commercial in confidence, and we did not share that between them. It was not in our interests at all to share that information with a competitor because, in defence, it was against our way of doing business."
  129. Lt. Col Cooke was cross-examined in order to suggest that the decision to treat the information as confidential was that of the Australian state alone:
  130. "Q. ... What I am implying is that you, as I think you said at the beginning, regarded yourself and your associates as being bound by duties to each other and, let us say, the Australian state under the Defence Clearance Obligations?
    A. Yes.
    Q. As part of that, none of you would go off and tell criminals or terrorists or the newspapers about things that went on at these meetings?
    A. Yes.
    Q. However, I suggest to you that it is not correct that you felt you owed a duty of confidence to Mr. Stokes as such because your primary duty is to the state and to your employers?
    A. But we need to be careful to separate here. We would evaluate a product and see if it would do what we required it to do, and if it did we would buy it. But we would not discuss with Rohde & Schwarz what Nick Stokes discussed with us, and we would not discuss with Nick Stokes what Rohde & Schwarz discussed with us, for a purely practical reason, that we needed to be above any sort of collusion. We had to be above any sort of preferential treatment to any contractor, so we were always very careful not to achieve that."
  131. Nick Stokes was MMI's Australian representative. The Australian Government did not buy an MMI machine.
  132. The parties took opposing views as to the effect of this evidence. CellXion's position was that the Australian state was in the same position as the recipient of the information in T 1022/99 (Van Wonterghem, Antoine), the prototype case referred to above: the receipt of the information was subject only to self-imposed restrictions, not subject to any duties owed to R&S. MMI's position was that the information was impressed also with a duty of commercial confidence owed to the supplier R&S.
  133. I think one needs to be careful to distinguish between three categories of information: (a) information which is supplied for the purpose of a demonstration of equipment, which might legitimately be said to be provided for a limited purpose, (b) information in expressly confidential technical manuals, and (c) information which can be derived from a machine once sold. Normally, an outright sale of a piece of equipment does not, without more, attract any obligations of confidence. In the case of the plea of anticipation by the sale of the GA 900 to the Australian Government, we are concerned with categories (b) and (c).
  134. There is no evidence to suggest that express obligations of confidence were insisted on by R&S in relation to information which the Australian Government could derive from the GA900 which it purchased. It is also true to say that the evidence shows that governments were reluctant to accept any such express obligations.
  135. It is nevertheless clear that R&S did regard information about their device as confidential, as evidenced by their distributor contracts and the annexed customer declarations and by their technical information documents which are all headed "confidential" or "commercial in confidence". It would have been apparent to the Australian Government that R&S shared the Government's desire to keep this information away from criminals and newspapers, and indeed from any unnecessary disclosure. Lt. Col. Cooke's evidence, did, it seemed to me, tend to show that the Australian Government did recognise that it was not free, as against R&S, to make use of the information entirely as it wished.
  136. In my judgment, the GA900 manuals, if they were supplied to the Australian Government, were impressed with an obligation of confidence to R&S. They were marked confidential and there was other evidence to show that manufacturers regarded manuals of this character as being confidential. Mr Timson, for example, recognised that he should not have had an R&S manual.
  137. What I have found rather more difficult is whether that obligation extended to information derivable from the machine itself. In relation to that information, there is greater force in Mr Wilson's submission that, when R&S supplied the GA900 machine, it relied on the Australian Government's security classification as the means by which the information derivable from the machine was to be kept from further disclosure. Nevertheless, I think it would be odd if two different confidentiality regimes applied. Once it is recognised, as I think it has to be, that the Australian Government was not free to disclose the information in the manuals, it would be strange if they could discover that same information by analysing the machine in depth and then disclose it. I think that the totality of circumstances in which the GA900 was supplied were such as to impose on the Australian Government an obligation of confidence in relation to this information as well.
  138. I would qualify what I have said above only by saying that a high level description of the device, for example as an IMSI catcher, would probably not be caught by this obligation. Lt. Col. Cooke's evidence suggested that he had in fact disclosed the existence of the device to other agencies within government. And disclosure at that level was plainly occurring elsewhere as evidenced by the Fox article and German Parliament materials referred to above. But information at that level is not sufficient to anticipate the Patent.
  139. Even if I am wrong, and some or all of this information was imparted without fetter of confidence, it is trite law that a sale of an article does not necessarily disclose information about how the article works. There was no evidence as to what a user of the machine would be able to infer as to its method of operation from its possession or use. Mr Wilson pointed in opening and closing to a number of extracts from three R&S documents which had been disclosed:
  140. i) The first document was dated after the priority date in 2000. It is headed "Commercial in Confidence".

    ii) The second document, carrying the date 20th February 1998, is headed "Commercial in Confidence" and entitled "GSM Test System 900: GSM networks are becoming transparent". It has a screenshot of a device which includes a button labelled "SET LAC". The text explains that:

    "This base station (GA900) transmits a beacon frequency with modified parameters. All mobiles in the vicinity of the simulated base station will now sequentially log-in on GA900 and it is possible to request IMSI and IMEI. This procedure is like a normal location update from one cell to another and therefore not noticeable for the subscriber."

    iii) The third document is headed Confidential and is entitled "Technical Description – GSM Test System GA900" and dated 28th September 1995. In section 4 headed "Realization Concept": it says this:

    "As described in chapter 3.3, the mobile station continually controls the CCH carrier of the adjacent cells. If required, it actuates a change of cells. Changing the location area is combined with a location update. The intercept station introduced then generates such a carrier simulating that the mobile station is requested to change into another cell of the same network.
    The system selects one of the adjacent cells. The simulated cell requires to have another LAC so that a mobile explicitly can log in into the GA900. … The location update can be effected without problems. The network is not disturbed. This is why adjacent cell configurations are adopted by the cell to be simulated, too. …
    As soon as a mobile station has performed a location update and logged in the virtual base station, the GSM test system GA900, the monitoring system can interrogate the parameters IMSI and IMEI without any problems, as it acts like a normal base station."
  141. A number of points arise from these documents, quite apart from the fact that they are all on their face confidential. Firstly there is no evidence as to which, if any, of them was supplied to the Australian Government. Secondly, not even the most detailed of them, the Technical Description from September 1995, explains in clear terms how the frequency for transmitting from the virtual base station was obtained. None of this material contains an explicit description of how the device operates at the necessary level of detail. Thirdly, none of this material was put to any witness, expert or otherwise. Fourthly, none of it addresses what I consider to be the critical question, namely what could be derived from an examination of the machine in the absence of the confidential manuals.
  142. The question of what the prior sale was capable of revealing to the skilled person was not a matter addressed in the evidence at all. I do not think it would be right for me to conclude without evidence that the relevant features of the method of operation according to the Patent would be apparent to the purchaser of the GA-900 from the machine or its instruction manual.
  143. H and B

  144. H was a distributor of R&S equipment from the 1930s, and became its subsidiary in 1999. In general it would appear that R&S had confidentiality agreements with its distributors.
  145. The supply to B was of a device in fact sold to an R&S's subsidiary. B was an installer of equipment, and not an end user. The end user was likely to have been an organ of government.
  146. I think that both these supplies were likely, on balance, to have been on confidential terms. It is true that the letter obtained from B did not say so expressly, but a party who is entrusted with the device for a specific purpose such as installation would not in general be free to make use of the device or information derived from it for any other purpose.
  147. The allegation of lack of novelty over the GA 900 supplies is not established.
  148. Lack of Novelty over prior disclosure of GSM-X

  149. MMI's device was called the GSM-X. There is no dispute that it was in fact a device falling within claim 1 of the Patent. There is also no dispute that the device itself was in fact demonstrated before the priority date on the occasions relied on.
  150. The issues are therefore whether these demonstrations were in confidence; and if not whether they amounted to a disclosure of the method of claim 1.
  151. As no machine was handed over at these demonstrations it is important to ascertain what was disclosed. The main feature of the demonstration was to show invitees that the device could cause their own mobile phone to attach to the virtual base station and hand over its IMSI. Mr Timson explained that there was a software button on the device which would have been visible to invitees which said "Roll LAC", but he did not explain the significance of the LAC at the demonstrations. In my judgment, although the end result of the use of the machine was demonstrated, there was no disclosure to invitees of the method claimed in claim 1.
  152. The evidence as to what was said at the demonstrations about confidentiality was somewhat confused. Mr Stokes, who after working for R&S became MMI's representative in Australia, initially made a witness statement for the proceedings between R&S and MMI that the demonstrations were not confidential. His witness statement in these proceedings said that:
  153. "I do recall that at the beginning of each one of the demonstrations that took place in March 1999 both Anthony Timson, Peter Harris and myself did express to those present at the demonstrations that what they were about to be told and see was highly confidential".
  154. It is right to record that I found Mr Stokes to be a thoroughly unsatisfactory witness in almost every respect. For example, he sought to maintain in relation to a letter which referred to "the competitor" that he did not know that this referred to R&S, when this was plainly the only company it could have referred to. He tried to explain the difference between his two statements on the basis that he had thought about it more carefully this time. The fact is that Mr Stokes gave his evidence in order to help the party who asked him to give it, without regard to his genuine recollections or the truth. He also said that his earlier witness statement was drafted by Mr Timson for him to sign. This was a wholly untrue and rather disgraceful suggestion. I find that nothing express was said at the beginning of demonstrations by MMI about confidentiality.
  155. Superintendant Barton of the Australian Federal Police Force told me that there was an unspoken understanding that information from demonstrations would not be allowed to fall into the wrong hands. He would, on the other hand, feel free to share information about the capabilities and functionalities of the machine with colleagues and other agencies, including giving details of the vendor. On the other hand, as he explained in cross-examination, he would never hand details of one company's product to a competing vendor, whether provided in written specifications or at a demonstration. He regarded this obligation as stemming from national security obligations, rather than from any obligation to MMI.
  156. Notwithstanding Mr Stokes' evidence, which I put entirely to one side, I consider that these demonstrations were all subject to an obligation of confidence to MMI which would have been inferred from the circumstances. Mr Wilson accepted that demonstrations of this nature were more likely to be protected than outright sales. That is correct. Moreover Mr Munoz signed a confidentiality agreement after the demonstration making express what would have previously been implied. Letters making arrangements for the Australian demonstrations were marked "confidential" or "in confidence". MMI themselves were extremely reluctant to allow the New South Wales police access to the GSM-X unsupervised by an MMI engineer. Mr Barton's view as to where the obligation of confidence arose from is not conclusive.
  157. It follows that the objection of lack of novelty fails.
  158. Obviousness

    Law

  159. It is useful for the court to follow the structured approach explained in the judgment of Jacob LJ in Pozzoli v BDMO SA, [2007] EWCA Civ 588; [2007] FSR 37 at [23]:
  160. "In the result I would restate the Windsurfing questions thus:
    (1) (a) Identify the notional "person skilled in the art"
    (b) Identify the relevant common general knowledge of that person;
    (2) Identify the inventive concept of the claim in question or if that cannot readily be done, construe it;
    (3) Identify what, if any, differences exist between the matter cited as forming part of the "state of the art" and the inventive concept of the claim or the claim as construed;
    (4) Viewed without any knowledge of the alleged invention as claimed, do those differences constitute steps which would have been obvious to the person skilled in the art or do they require any degree of invention?"
  161. The approach assists the fact-finding tribunal, but is not a substitute for the statutory question: "is it obvious"? In applying it, hindsight is impermissible.
  162. The primary evidence on the question of obviousness is that of the expert: see Nicholls VC in Molnlycke v. Procter & Gamble [1994] RPC 49 at 112. The usefulness (or otherwise) of the expert evidence is not so much the assertion (obvious/inventive) which the expert expresses, but the explanations and reasons he gives for them: see Jacob LJ in Rockwater v. Technip [2004] RPC 46 at [6] to [15].
  163. The obviousness attacks

  164. CellXion ran their obviousness attacks from a multiplicity of different starting points. By the time of closing speeches the dozen or so independent starting points had reduced to five, largely because Mr Wilson recognised that in relation to some groups of citations, if he could not succeed on one he could not succeed on any. Those that remained were:
  165. i) common general knowledge alone;

    ii) GA 900 prior use;

    iii) the article by Dirk Fox;

    iv) Nokia Patent Application EP 0827356 ("Nokia");

    v) 8922 test equipment.

  166. I have dealt with the skilled person and the common general knowledge above.
  167. Neither side attempted to paraphrase the inventive concept: so I propose to treat this as a case where it is appropriate to take the concept as being the method which is defined by claim 1, as I have interpreted it.
  168. Obviousness over common general knowledge

  169. Mr Wilson submitted that there was a known and obvious need at the priority date for an IMSI catcher. This knowledge alone would lead the skilled person to the invention nearly inevitably. On this approach, the Pozzolli differences consist of more or less the whole of claim 1.
  170. There is no dispute that the skilled team would have appreciated the need for an IMSI catcher at the priority date. As I have indicated above, however, there was also a widespread belief that it was difficult or impossible to make one. Mr Wilson submits that, assuming that the skilled person decided to give thought to the matter, he or she would have no option but to think as follows:
  171. i) It is impossible to rely on getting a targeted individual's IMSI or IMEI from the network provider, because the target could be using a pay-as-you-go phone or a stolen one.

    ii) The IMSI and IMEI numbers cannot be captured by passive tapping of the network, because only the TMSI is transmitted before encryption is enabled.

    iii) It follows that the IMSI must be extracted by communicating with the phone itself.

    iv) There is only one way to communicate with a GSM phone, and that is to emulate a base station, because GSM mobiles are programmed to ignore all communications other than those from base stations whose frequencies are listed on their current BA list.

    v) To emulate a base station whose frequency is on the target's current BA list requires one to know (or at least make an intelligent guess at) what the BA list consists of, which can be done either by having each network's map (not easily accessible and possibly out of date) or by using a conventional test mobile.

    vi) In order to get the mobile to do anything, it is not enough merely to emulate one of its neighbouring base stations: it is necessary to make the IMSI catcher more attractive than the mobile's current base station.

    vii) Once the IMSI catcher is more attractive than the current base station, the target (and other mobiles in the area) will camp to it.

    viii) Even then, nothing will necessarily happen straight away because when mobiles camp to base stations they do not announce their presence unless the new base station is transmitting a different location area code.

    ix) So the IMSI catcher must either wait for the mobiles in range to perform their periodic updates (after a minimum of six minutes, an essentially pointless wait in any practical scenario) or transmit a different location area code which will prompt a location area update right away.

    x) Having got the mobile to perform a location area update it is possible to require it to produce its IMSI and IMEI.

  172. Mr Wilson recognised that, set out in this way, the obviousness case could easily be characterised as rather a long list of steps that has to be gone through in order to arrive at the invention, but he suggested that this was because it was only necessary to do that in order to explain it to a lay tribunal such as myself. He said that to the relevant skilled person with even a basic understanding of the GSM roaming procedure these steps would be elementary.
  173. In the end, despite Mr Wilson's forceful argument, I was not persuaded that the invention was obvious in the light of common general knowledge for a number of reasons.
  174. Firstly, as Mr Wilson recognised, the first step is to appreciate that it could be done at all. I do not think that the skilled team would assume that this was so, far less proceed through the long list of steps without knowing it was so. An important purpose of GSM had been to make the system more secure, by the use of TMSI and encryption. It is not self-evident that one would be able to break into GSM at all.
  175. Secondly, the skilled team would know that, with analogue networks, the method of getting access to the system had been a passive, listening one. That simply would not be possible with GSM. There was therefore no logical model to adapt for the purpose of tackling the new task. Far from provoking the skilled team into tackling the problem in the way Mr Wilson suggests, I think this reinforces the view that the invention was not obvious.
  176. Thirdly, the notion of the false base station did not form part of the common general knowledge. I accept that test machines were, in a sense, false base stations, but there is a world of difference between these, and the sort of false base station in the real network necessary for the purpose of the invention.
  177. Fourthly, the common knowledge does not supply the notion that one should actively provoke the mobile into handing over its IMSI or IMEI.
  178. Fifthly, the use of a changed LAC to provoke an immediate contact from the mobile phone is not an obvious use of that feature. The reason that the mobile phone contacts the network when it receives a new LAC is because it needs to re-register into the new area into which it has moved. The idea of using an out-of-area LAC for the purpose identified in the Patent, when the mobile phone is not in that area, is an entirely different and non-obvious use of the LAC.
  179. Sixthly, given that the analogue system had to wait for a call to be made by the mobile phone, there is significant hindsight involved in assuming that the skilled person would not be satisfied with a system based on the periodic update.
  180. For all those reasons the allegation of obviousness over common general knowledge does not succeed.
  181. Obviousness over GA900 prior use

  182. I have held that if any information was conveyed non-confidentially by the sale of the GA900, it is not established that it disclosed the method of claim 1. The evidence did not address the question of what would be rendered obvious from the machine alone. Mr Wilson did not really press this attack as one which could succeed if all others failed. He was right not to do so.
  183. Obviousness over the Fox article

  184. The Dirk Fox article appeared in a publication called DUD (Datenschutz und Datensicherheit) and is dated 7th October 1997.
  185. The article records the fact that the German Federal Government had revealed that it planned to operate IMSI catchers. Under the heading "Background" the article explains:
  186. "In GSM mobile telephone systems, the encrypted transmission to the air interface (between device and base station) prevents mobile phones from being directly tapped. Due to the use of temporary, alternating subscriber identities (TMSI), which is a kind of technical "pseudonym", it is not possible to identify the mobile phone subscriber (or his telephone number)."
  187. Under the heading "Functionality":
  188. "IMSI Catchers" are devices that affect a subscriber located in the vicinity like a terrestrial mobile telephone network base station system. Every mobile phone that is switched on within the footprint is automatically registered for this "IMSI Catcher". Subscribers are not aware of such a "disguised" device, because GSM involves only one-way authentication (from the mobile phone to the mobile telephone network). A two-way authentication protocol would prevent this type of masqueraded breach, although this is not part of the GSM specification.
    To identify a telephone number assigned to a mobile phone, the worldwide unique identity number (International Mobile Subscriber Identity - IMSI) of the mobile phone must be known. The "IMSI Catcher" therefore requires the mobile phone to use the IMSI instead of a TMSI. "
  189. Under the heading "Availability" the article continues:
  190. "Rohde & Schwarz (Munich) has developed an "IMSI Catcher" under the name of "GA 900", which enables an IMSI to be identified…. Other manufacturers may now have developed similar devices. "
  191. The article goes on to explain that encryption can be turned off so that telephone calls can be logged unencrypted.
  192. The skilled person would understand from the Fox article that an IMSI catcher was possible and had been apparently achieved by more than one company. The skilled person would also understand that the device operated as a disguised base station.
  193. What the article does not explain is how the device gets the mobile phone to use its IMSI instead of its TMSI. There is no explanation of which real base station the fake base station is imitating. There is also no explanation of the use of an out-of-area LAC code to trigger a location update or (much less significantly) the BA list.
  194. Would the skilled person be able, without invention, to proceed from the disclosure of Dirk Fox to a method within claim 1? Certainly this is a more promising starting point than common general knowledge alone, as the skilled team would know that the target was achievable. It is also true that the Fox article gives the reader the notion of a false base station which takes active steps to require the mobile to hand over its IMSI. This is, as Mr Wilson submitted, a significant step forward. On the other hand the skilled person would not know how difficult it was going to be: Mr Timson knew of the R&S machine when he designed the MMI one, yet he still found the overall "opportunity" a difficult one.
  195. Mr Anderson's evidence was that filling in the gaps in the disclosure of Fox would be obvious to the skilled GSM engineer. I found his evidence that the skilled person would know how to insert a false base station into the network convincing. He could, after all, not go wrong if he made the false base station as similar as possible to a real one.
  196. Dr Maile's evidence was that the Fox article was at too high a level to make the invention obvious. He was cross examined with great skill along the lines of the argument which I have set out in the section of this judgment dealing with obviousness over common general knowledge.
  197. In the end I was not persuaded that the method of claim 1 was obvious in the light of Fox. Firstly, there is nothing inherent in the idea of using a false base station to lead one to the idea of an out-of-area LAC. Although the use of LAC in the roaming capability of the mobile phone would be known to the skilled team, its use for the purpose indicated in the Patent involves the different idea of an out-of-area LAC, and is not obvious. Secondly, there is nothing in the article to indicate how quickly the device intercepts the IMSI. It follows that the device may wait for a call to be made, as in the analogue system, or use the periodic update facility. Neither leads the skilled person to a device within the claim. Thirdly, the prior analogue systems operated on the basis that a call had to be made: there is nothing in the article to indicate that this is not the case with the devices described.
  198. Obviousness over Nokia

  199. Nokia was published on 4th March 1998. In broad terms its disclosure is concerned with authentication procedures performed as part of methods for protecting mobile telephone communications. For present purposes the relevant disclosure may be found between column 3 line 14 and column 4 line 44 and Figures 3 and 4, which relate to a phone tapping arrangement which the main idea of the Nokia patent might be used to frustrate.
  200. The phone tapping arrangement includes a network simulator, 23. This may be a test device which simulates a mobile network, or a base station specially modified for the purpose (see column 3 lines 36-46). The simulator is connected to a mobile phone 24 containing a SIM card registered to a subscriber and having an IMEI number (lines 32-36). The overall set up looks like this, 21 identifying the target phone and BS the base station in the real network:
  201. Picture 1
  202. The arrangement is set up to simulate a neighbouring cell of the cell in which the target is situated. The field strength of the simulated cell is maintained at a stronger value than the field strength of the authentic network cells detected by the mobile to be tapped. When the mobile to be tapped begins to set up a call, the false cell, as the most powerful station, receives a request for a channel. Because the network controls events after the first signals have been received, the network simulator is in control, and may skip authentication and disable ciphering (column 3 line 47 to column 4 line 8). The genuine mobile connected to the base station is able to complete the connection to other parts of the network.
  203. Nokia does not disclose the use of the arrangement described in columns 3 and 4 for the purpose of obtaining the IMSI and IMEI from a mobile telephone.
  204. There is no express disclosure in Nokia concerning the method by which the test system discovers the frequency on which to transmit so as to simulate a base station on the real network. Obtaining the BA list is not the only way in which this could be done. The operative of the Nokia system might have access to the maps of the cell network, and use these to find a suitable cell to emulate.
  205. There is also no disclosure in Nokia of the way in which the virtual base station obtains the IMSI and IMEI from the target mobile. Again, provoking a location update by changing the LAC is only one way in which this could be done. The system could wait for the periodic update. Or the system could simply request the identity of the phone once it has attached.
  206. The evidence establishes that the skilled team would appreciate from reading Nokia that one obvious way of obtaining the channel on which to communicate with the mobile would be the BA list. Whilst there are other ways, these would not always be available to the operative. The skilled team would know that it is possible to obtain this data by means of a test phone.
  207. The test equipment described in columns 3 and 4 of Nokia could be any of the mobile phone test systems which I have described above: Agilent, Rohde & Schwarz etc. As I have indicated these test equipments had the ability to cause the mobile phone to reveal its IMSI and IMEI by performing a location update procedure using the LAC.
  208. Mr Anderson advanced the case of obviousness over Nokia in his first report in the following way:
  209. "60. Since the tapping device described in the Nokia Patent Application is a fake base station (and Nokia specifically suggest that it can be made by adapting standard base station equipment), it seems to me obvious that it could also be used for IMSI catching by the use of the standard base station procedures described in previous sections of this report. Trying again to put myself in the position of an investigator using the device described by Nokia, it seems to me obvious the investigator would want to know the IMSI and IMEI for the evidential purposes mentioned above. The first time a call from a target mobile was intercepted, the connection with the fake base station would be initiated by the target mobile (as always happens when a mobile makes a call) and, in the course of the call, the fake base station could issue an instruction to the mobile to disclose its IMSI and IMEI, using the standard commands. "
    "61. But investigators do not (I imagine) generally confine themselves to recording just one mobile phone call from a person under investigation. … Obviously, as I see it, the investigator would like to know in advance of calls being intercepted whether the target phone is actually in range of the fake base station. Assuming a target phone's IMSI is already known to from earlier interceptions, it would be desirable to know that the target phone is still in range. Any GSM engineer would know that the target mobile will not respond unprompted to the tapping device, unless the tapping device gives out a signal indicating it is in a different Location Area. This is elementary. So if the user of the tapping equipment described by Nokia wished to use it in the manner I have described, it would have to be operated in the manner described in the Patent".
  210. I think the multi-stage logic of these paragraphs is asking too much of the skilled person. I can accept that in order for the false base station to be capable of intercepting a call from a mobile phone in its target area it must have obtained a suitable channel, and that the obvious way to do that is to obtain the BA list. I can even accept that it is obvious that once a mobile phone has initiated a call to the base station, it would be obvious in the course of that call to request the mobile to return its IMSI and IMEI. However, I can see nothing in Nokia, or indeed in the common general knowledge, to suggest that achieving the further functions described in paragraph 61 of Mr Anderson's evidence was obvious, or that the manner of doing so by use of an out-of-area LAC code would occur to the skilled person.
  211. The primary case that was put to Dr Maile in cross examination was along slightly different lines. Having got Dr Maile to accept that there was nothing in obtaining the BA list, Mr Wilson pursued the suggestion in Nokia to adapt a test equipment to fulfil the function of the false base station. He then pointed out that such a test equipment, at least if it were the Agilent or R&S machines, would have a feature for testing the response of phones to changes in LAC. Those machines return the IMSI immediately upon the change in LAC. So, it was suggested that the skilled person would find it very easy to collect the IMSI and IMEI as soon as the phones became attached to the base station, without the need to wait for an outgoing call from the mobile phone.
  212. Despite the skilful way in which this cross-examination was conducted, I was not persuaded that it showed that the invention was obvious. To adapt Nokia from a device which might be used to obtain IMSI and IMEI numbers when it responds passively to an incoming call to the device in which active steps are taken to collect the IMSI and IMEI numbers of all phones in the target area is not obvious. I am not satisfied that the skilled person would come up with that idea at all: the mere presence of the LAC testing facility does not get him there. But even if he did contemplate using that facility, the test equipment has only one channel. That does not matter when testing a mobile phone on the bench, but does matter if the system is expanded so as to cause all phones in the target area to be captured. As Mr Anderson accepted, one would have to think through how to make the unwanted phones go back to the real network. The Patent teaches a method of doing so, which is the subject of claim 2. Nevertheless, unless the skilled person can see his way through this further step, I do not think he would arrive at the inventive concept of claim 1.
  213. Obviousness over HP8922 GSM test sets

  214. Although this was maintained as a separate starting point, I do not see how it can succeed if the attack based on Nokia fails.
  215. The allegation of lack of inventive step therefore fails as well.
  216. Liability of Mr Timson

  217. Mr Timson is alleged in the particulars of claim to have been one of the controlling minds of the first and second defendants, taking decisions and participating in all of the first and second defendants' business. In particular he is said to have been the creator of the DX918 system alleged to infringe, and has undertaken business dealings on at least the second defendant's behalf.
  218. In his defence Mr Timson accepts that he did the overall design work for the DX918. He denies that he has ever been one of the controlling minds behind the CellXion companies. He states that he owns no share of either CellXion company and is not a director. Although he accepts discussing commercial matters with Mr Brumpton, all important commercial decisions are taken by Mr Brumpton. He maintains that his position is that of consultant.
  219. Mr Timson's cross examination went mainly to the question of whether he was responsible for the software, a fact which he accepted. Mr Brumpton confirmed that Mr Timson was responsible for the software: that was what he paid him for.
  220. I was not addressed on the principles applicable to holding an individual jointly liable with a company for acts of the company. For present purposes I take the principle to be that an individual will be so liable if, sharing a common design with the company, he intends and procures that the acts complained of by way of infringement take place.
  221. I think it is clear on the facts of this case that Mr Timson shared a common design with the CellXion companies to market the DX918, and intended and procured the sales which are the subject of the allegation of infringement. He actively participated in the sales effort. Above all others he knew exactly how the device operated, and that, at least some of the time, it would operate so that real power caused the device to re-select the DX918. He is jointly liable with the CellXion companies.
  222. Conclusion

  223. The Patent is valid and is infringed by the DX918. Mr Timson is jointly liable with the CellXion companies.


BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/ew/cases/EWHC/Patents/2009/418.html