Cyber security technology: patenting cyber security inventions in Europe
The shutdown of Genesis Market, one of the world’s biggest criminal online marketplaces, has been recently reported. The site offered for sale stolen, sensitive information to fraudsters, including login, browser history and IP address information.
With the growing distribution of sensitive information across global computer networks there is a constant need for innovation in the field of cyber security.
Can cyber security inventions be patented at the EPO?
Inventions relating to cyber security are often based on complex mathematical techniques implemented using computers. Such computer-implemented inventions are examined in a particular way at the European Patent Office (EPO).
First, it is determined whether the claimed subject matter falls into any of the exclusions to patentability defined under European patent law. To avoid falling into such an exclusion (such as those relating to mathematical methods) it can be ensured that the use of technical means (for example, as a computer) is defined in the claims.
Second, it is determined whether the claimed invention provides a technical effect (rather than, for example, merely providing a commercial benefit). Importantly, the technical effect must be above and beyond the mere implementation of the method using technical means. A technical effect of a claimed feature must be demonstrated in order for that feature to contribute to an inventive step at the EPO.
Technical application or implementation
Under European practice, a computer-implemented mathematical method, such as those which might underpin new cyber security technology, can contribute to the technical character of an invention due to:
- its application to a particular field of technology, and/or
- being adapted to a specific technical implementation.
Point 1: application
Regarding (1), features of a mathematical method may contribute to an inventive step if it is defined in the claims that those features are directed to a specific technical purpose. A sufficient link must therefore be established between this technical purpose and the claimed mathematical steps. Helpfully, the EPO Guidelines for Examination list certain cyber security-related concepts, such as encrypting or signing electronic communications, and generating cryptographic keys, as examples of such a technical purpose. This suggests that explicitly directing a claim to a specific cyber security purpose can help demonstrate there is a technical application of the technology.
Point 2: implementation
Regarding (2), features of a mathematical method may also contribute to an inventive step if they take into account the functioning of the technical system on which they are implemented, and improve this functioning in some way. For example, a security process might satisfy these requirements if it is designed to be particularly computationally efficient on the computer system on which it is implemented.
It is therefore helpful to have information in a patent application which shows at least one of these criteria are met. Demonstrating they are both met may further increase the chances of success. For example, if an EPO examiner disagrees that the application to which the claims are directed is technical, but the description nonetheless shows an improved specific technical implementation is provided, it may still be possible to convince the examiner that the claimed features contribute to an inventive step.
Patent protection and secrecy
For new cyber security technology, some secrecy may be necessary to ensure potential fraudsters do not circumvent it. However, filing a patent application necessarily results in the contents being publicly disclosed when it is published.
One alternative to seeking patent protection is to instead keep the technology as a trade secret. However, this can be risky. In the event of a leak, or someone reverse-engineering the invention, the technology becomes public knowledge and can be copied by competitors.
A potential solution is to obtain a patent which covers the essential features of the invention without disclosing specific implementation details that a potential fraudster could use to evade the security system.
For example, the patent may disclose all features essential for carrying out the invention in sufficient detail that a person skilled in the field would understand how to put it into practice generally, but certain specific implementation details (such as specific cryptographic keys) can be kept secret.
Innovation in cyber security technology is increasingly important. It is possible for such technology to be patented at the EPO if it can be demonstrated that a technical effect is present.
Writing the patent application to support the presence of a technical effect and to provide sufficient information without compromising security is highly desirable.