Was Apple's use of complex URLs public disclosure?
18 October 2017
Just before the release of their latest iPhone, Apple suffered a major information leak. Two news sites were given access to an unreleased version of the iOS operating system. This code included details of some new facial recognition technology developed by Apple.
Apple’s leaked URLs
This type of leak has happened to many other manufacturers. However, in this case the person leaking the information gave the news sites a list of URLs at which the code was located. A URL is an internet address, so by putting each URL into a web browser, the news sites were taken straight to the code.
Securing against brute force attacks
Although it appears the code was not encrypted, these URLs were very long and complex and so could not be guessed.
The very long and complex URL was the mechanism Apple used to conceal the code from the public.
This type of mechanism for hiding sensitive information is becoming increasingly common. A URL is randomly generated and blocked from search engines. The random nature and the complexity of the URL are such that a person would not be able to guess it and, as the URL is blocked from search engines, it should not appear in web search results.
This method is also very secure against a so-called “brute force” attack, where a computer program automatically tries every possible combination of letters and numbers. This is because “guessing” a simple URL such as www.dyoung.com would take a computer around 55 million years!
Whilst this mechanism seems quite secure, in theory anyone can access the information: it is on the Internet and is not otherwise secured, so if it is found it can be accessed by anyone. This raises an important question: is data stored in this manner actually disclosed to the public, and so not novel from a patent point of view?
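The mechanism described above can be sketched in code. This is an added example, not Apple's implementation or anything from the decision discussed below: the base URL, the token length and the attacker's guessing rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Alphabet used by secrets.token_urlsafe (base64url without padding)
URLSAFE_ALPHABET = string.ascii_letters + string.digits + "-_"
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def make_unguessable_url(base_url, token_bytes=32):
    """Append a random path token drawn from the operating system's CSPRNG."""
    return f"{base_url.rstrip('/')}/{secrets.token_urlsafe(token_bytes)}"

def token_entropy_bits(token):
    """Upper bound on entropy, assuming every character is uniformly random."""
    if not token or any(c not in URLSAFE_ALPHABET for c in token):
        raise ValueError("token must be non-empty base64url text")
    return len(token) * math.log2(len(URLSAFE_ALPHABET))

def expected_years_to_guess(bits, guesses_per_second):
    """Average brute-force time: half the search space at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR

def hardening_headers():
    """Response headers that keep the page out of indexes and Referer logs.

    Sent as headers so the secret path never has to be listed in a
    publicly readable robots.txt file.
    """
    return {
        "X-Robots-Tag": "noindex, nofollow",
        "Referrer-Policy": "no-referrer",
    }

if __name__ == "__main__":
    # Hypothetical host and path, used only for this example
    url = make_unguessable_url("https://files.example.com/builds")
    token = url.rsplit("/", 1)[1]
    bits = token_entropy_bits(token)
    years = expected_years_to_guess(bits, 1e9)  # assumed attacker rate
    print(url)
    print(f"{bits:.0f} bits, about {years:.2e} years at 1e9 guesses per second")
    print(hardening_headers())
```

The token length only defeats guessing. As in the leak described above, anyone who is handed the URL has the same access as its intended recipient.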
Website and email prior art in T1553/06
The leading case in Europe for the public availability of documents on the Internet is T1553/06, which was issued in 2012.
This was a test case and information was intentionally put onto the Internet. The way in which the information was put onto the Internet was carefully controlled to test the various mechanisms by which information is normally placed onto the Internet and subsequently searched.
The Board of Appeal held in this case that “the mere theoretical possibility of having access to a disclosure does not make it become available to the public within the meaning of [the EPC]”. The threshold required is that one or more members of the public must have “direct and unambiguous access” to the information.
The Board of Appeal examined several scenarios regarding the meaning of “direct and unambiguous access”.
In the case of information being stored on the Internet which can be only accessed by guessing the URL, “direct and unambiguous access” is possible only in exceptional cases. The Board of Appeal held that an exceptional case may be that the URL is so straightforward or so predictable that it can be readily guessed.
Of course, users do not typically find information on the Internet by simply guessing URLs. Instead, most people use publicly available search engines such as Google, Bing or Microsoft Edge to provide search results identifying URLs containing information.
In the case where the information was found using an Internet search, the Board of Appeal held that even if the information could be found by entering keywords into a search engine, this was not enough to satisfy the “direct and unambiguous access” test.
Instead, what was needed was that the keywords all related to the essence of the information. In particular, if the information was found as a result of a search containing words completely unrelated to the content of the information, that would not provide the requisite “direct and unambiguous access”.
The Board of Appeal also considered the period of time for which the information must be located at that URL, as it appreciated that it is possible to store information at a URL for a very short period of time. The Board of Appeal did not, however, define a specific period of time. Instead, it held that the information must remain accessible at that URL for the period of time required to allow “direct and unambiguous access” to the information. This should be determined on a case-by-case basis.
A time period for which that information must remain at that URL has yet to be defined in other case-law.
Board of Appeal test for disclosure of a document on the Internet
In conclusion, the Board of Appeal set out a test to determine whether information was made available to the public. In order for the information to have been made available, all conditions of the test have to be met.
The wording of the test is defined as follows:
If, before the filing or priority date of the patent or patent application, a document stored on the World Wide Web and accessible via a specific URL
(1) could be found with the help of a public web search engine by using one or more keywords all related to the essence of the content of that document and
(2) remained accessible at that URL for a period of time long enough for a member of the public, i.e. someone under no obligation to keep the content of the document secret, to have direct and unambiguous access to the document, then the document was made available to the public in the sense of [the EPC].
So, where the URL at which the information resides is random in nature, long and complex, and blocked from search engines, it is unlikely that the first condition of the test is met, and the information is not made available to the public in the sense of the EPC.
There has been no test of this case-law in respect of this particular method of hiding information in plain sight. However, as it is becoming an increasingly common method, it will undoubtedly be tested at some point in the future.
Related case T 1553/06
Jurisdiction: European Patent Office
Decision level: Boards of Appeal
Parties: Koninklijke Philips Electronics N.V. (patentee), DSM IP Assets B.V. (opponent)
Date: 12 March 2012
Citation: T 1553/06