Biz & IT —

Patent suits target Google, Intel, hundreds more for encrypting web traffic

Unknown company's four-year campaign involving SSL is only gathering steam.

A figure from the patent that has been asserted against Intel, Google, and hundreds of other companies providing SSL and TLS on their websites.
Enlarge / A figure from the patent that has been asserted against Intel, Google, and hundreds of other companies providing SSL and TLS on their websites.

An unknown company's four-year campaign to sue hundreds of companies for offering encryption on their websites shows no signs of abating, with Intel, Yelp, and MovieTickets.com being targeted in the past month, court records show.

The patent infringement complaints, which have also named Google, Apple, eBay, and Expedia, claim that Marshall, Texas-based TQP Development is entitled to royalties for the companies' use of the secure sockets layer and transport layer security protocols. Together, SSL and TLS form the basis for virtually all encryption used to authenticate websites and to encrypt data traveling between them and end users. The lawsuits assert US Patent No. 5,412,730, which is titled "Encrypted data transmission system employing means for randomly altering the encryption keys."

Court records indicate that TQP has sued hundreds of companies since 2008. At least 100 of those organizations have been named in the past 12 months, indicating that the campaign is only gaining steam. A variety of them, including one against Apple, were later dismissed after reaching confidential settlements. A separate case, filed against TD Ameritrade, was dismissed on August 28, two weeks before a jury trial was scheduled to begin.

The strategy is common among "patent trolls," a term critics apply to people or companies who extract money by asserting questionable patents covering widely used technologies.

"Their business model is not to go to trial and potentially risk the validity of the patent for any one particular defendant," Jim Denaro, a Washington, DC-based attorney for the CipherLaw Group, told Ars, referring to TQP. "The business model is based on the fact that the cost of defending a lawsuit and the risk of a large damages award as a result of being found to infringe a patent is so high that it's worth paying a perhaps substantial sum of money in order to extricate yourself from that lawsuit. When you scale that up to hundreds of companies there's quit a bit of money to be made." Denaro said he isn't representing any parties involved in any of the cases.

A complaint filed on Friday against Intel, Wind River Systems, and Hertz Corporation calls out the use of the RC4 encryption cipher in combination of the SSL or TLS protocols. Over the past 14 months, Google, Twitter, and a variety of other companies sued by TQP have begun favoring the use of RC4 because it is immune to a recently unveiled attack that can silently decrypt encrypted data that's passing between a Web server and an end-user browser. Unlike AES and many alternative algorithms, RC4 doesn't rely on cipher block chaining, an encryption mode that's exploited in the so-called BEAST attacks.

"If there is some kind of attack that is known and there is some kind of vulnerability to the alternative ciphers, that would make them perhaps completely unsuitable for continued commercial use," Denaro, who recently blogged about the patent infringement cases here, said. "That would be a good argument to suggest that there really are no practical alternatives to RC4 and that would increase the value of the patents going forward once that vulnerability becomes known."

Attorneys for TQP didn't respond to a phone call seeking comment for this post.

Listing image by Qualys SSL Labs

Channel Ars Technica