Internet tycoon Kim Dotcom recently claimed via Twitter that he is the inventor and patent-holder of a two-step authentication method employed by social media sites such as Facebook, Twitter, and Google. Two-step authentication is a security system that enables websites to prevent unwanted access to their users’ accounts. These systems detect a user’s attempts to log in from an unrecognized source and, in response, supply the user, through a secure source, with an authorization code that may be used to verify the user’s identity. In an apparently novel move that appears to be more out of desperation than hostility or greed, Dotcom threatened to sue these major social media companies, along with dozens of other supposedly infringing companies, if they do not agree to help alleviate his mounting legal fees resulting from his impending criminal case on unrelated grounds.

Dotcom was born as Kim Schmitz and legally changed his name in 2005.  His other known aliases include Kimble (referring to the lead character in “The Fugitive”) and Kim Tim Jim Vestor.

Dotcom owns the online file hosting and sharing company Megaupload.  He faces several U.S. criminal charges related to online copyright infringement. Megaupload enabled its users to upload links to files for viewing or editing. It is alleged that Megaupload users uploaded copyrighted material to the Megaupload cloud storage system, allowing other users to download that content freely despite not having permission from the copyright-holder. The Department of Justice (“DOJ”) has accused Dotcom and his partners of adopting a business model “designed to promote uploading of the most popular copyrighted works,” and that Megaupload executives discouraged use of the site for extended, personal storage and instead provided incentives to upload copyrighted content.

Based on these alleged business practices and the millions of illegal downloads associated with Megaupload, Dotcom and the others involved are facing charges for engaging in a racketeering conspiracy, conspiracy to commit money laundering, conspiracy to commit copyright infringement, and two substantive counts of criminal copyright infringement.

A search of the U.S. Patent and Trademark Office (USPTO) database reveals that Dotcom does, in fact, hold U.S. Patent No. 6,078,908, entitled “Method for Authorizing in Data Transmission Systems,” under his name at the time of filing, Kim Schmitz.  A reading of the claims suggests that the patent granted to Dotcom generally covers a method in which a user first inputs a form of identification (e.g., name or email) into a computer, which then requests authorization from an authorizing computer. That authorizing computer then obtains an authorization code and sends it to a secure data processing device in the possession of the user (e.g., a cell phone). The user may then input the authorization code into their computer, which then sends the code to the authorizing computer for verification. In short, if ready broadly, it appears that the claims of this patent cover the two-step verification system employed by dozens, if not hundreds, of companies across the globe.

For example, Facebook refers to its two-step verification system as “Login Approvals,” which functions by sending an authorization code to a user’s cell phone via text message each time the user attempts to log into Facebook from an unrecognized source. After an initial authentication, the user may elect to save a particular computer to avoid the authentication process in subsequent login attempts on that device.

Twitter and Google use similar two-factor methods, but both incorporate the verification system as an optional account setting. If activated on Twitter, a user is prompted to enter a six-digit code sent to the user’s cell phone each time that user attempts to log into Twitter. Similarly, Google sends a code to the user’s cell phone following each login attempt, but like Facebook, a Google user can choose to forego the authorization process in future logins on a particular computer.

Thus, at first glance, it appears that Dotcom may have a viable case against these companies for infringement of his patent. Particularly notable is the fact that the USPTO allowed outright and without comment Dotcom’s independent claim 1, the broadest claim in his patent, following the filing of the original patent application. As most patent prosecutors know, the claims of an originally filed application tend to be written very broadly in an attempt to afford the inventor the greatest protection.  These broad claims usually result in the amending and narrowing of those claims to achieve an allowance of the patent. Thus, the allowance without rejection or comment (or prosecution estoppel due to responsive amendments or remarks) of Dotcom’s first independent claim further supports his contention that he invented the two-factor authentication system.

Significantly, and perhaps unfortunately for Dotcom, is the fact that he was granted a very similar patent (EP 0875871) in the European Patent Office (“EPO”) that was subsequently cancelled in 2009 and affirmed as being revoked in 2011 following an appeal of that cancellation. While in-depth review of the voluminous documents related to those cancellation/revocation proceedings is beyond the scope of this piece, it can be inferred from the filings associated with those proceedings over the course of nearly eight years that Dotcom fought the opposition vigorously, but was nevertheless defeated.

Furthermore, a review of the filings associated with the cancellation/revocation proceedings suggest that Dotcom’s European patent was cancelled based on prior art, which could potentially prove detrimental to the status of his US patent should Dotcom pursue his threat to assert the patent (or in the event his threats of assertion inspire one or more of those companies to institute a declaratory judgment for invalidity or a review of that patent in an Inter Partes Review proceeding.)  Dotcom has claimed through his Twitter feed that his EU patent was cancelled because it “had broader [and] different claims” and was not specific enough, whereas his “U.S. [two-factor authentication] patent has no prior art because it specifies the use of a mobile phone & SMS.” Whether or not his statements are accurate is unclear. A search of Dotcom’s US 6,078,908 patent on Google Patents indicates that it was “also published as” EP 0875871, and the machine translation provided by Google Patents of EP 0875871 (originally in German) results in claim language that is very similar to US 6,078,908. In particular, translated claim 1 of EP 0875871 appears to be almost identical to claim 10 of US 6,078,908.

If Dotcom’s threats are taken seriously, companies like Facebook and Google will probably take a closer look at the EPO proceedings and may find that they have a strong invalidity challenge to his U.S. patent. While Dotcom seeks assistance in alleviating the mounting legal fees in his criminal matters, he may find that threatening to sue or actually suing any of the large social media companies will result in even greater burdens than he presently faces.