Sued for using HTTPS: Big brands told to cough up in crypto patent fight

Sony, Macy's, GoPro, hotels, insurance giants, anyone with money accused of infringement

Scores of big brands – from AT&T and Yahoo! to Netflix, GoPro and Macy's – are being sued because their HTTPS websites allegedly infringe an encryption patent.

It appears in May this year CryptoPeak Solutions, based in Longview, Texas, got its hands on US Patent 6,202,150, which describes "auto-escrowable and auto-certifiable cryptosystems."

CryptoPeak reckons TLS-secured websites that use elliptic curve cryptography are infringing the patent – so it's suing owners of HTTPS websites that use ECC. Top tip: loads of websites use ECC these days to securely encrypt their traffic.

Starting in July, CryptoPeak began pursuing companies through the courts in the eastern district of Texas. Just in the past week or so, the patent-holding biz filed infringement claims against AT&T, Priceline, Pinterest, Hyatt Hotels, Best Western, and Experia.

CryptoPeak has almost 70 cases in play now. It wants damages, royalties, and its legal bills paid. Here's the paperwork [PDF] it filed against insurance giant Progressive on November 25, as an example.

"The defendant has committed direct infringement by its actions that comprise using one or more websites that utilize Elliptic Curve Cryptography Cipher Suites for the Transport Layer Security protocol," CryptoPeak alleged in its lawsuit against Progressive.

"A representative example of a website owned, operated and/or controlled by the defendant that utilizes ECC Cipher Suites for TLS is progressive.com."

According to Qualys' SSL Labs, progressive.com does indeed support elliptic curve Diffie-Hellman key exchanges among other cipher suites.

The patent in question was crafted by crypto gurus Dr Adam Young and Dr Marcel "Moti" Yung, and granted in 1997. Its outline states:

This invention relates to cryptosystems, and in particular to the escrowing and recovering of cryptographic keys and data encrypted under cryptographic keys. The escrow and recovery process assures that authorized entities like law-enforcement bodies, government bodies, users, and organizations, can when allowed or required, read encrypted data. The invention relates to cryptosystems implemented in software, but is also applicable to cryptosystems implemented in hardware.

Perhaps crucially, it describes a means for "generating public keys" and "publishing public keys", and it's certainly true that ECC does involve generating public keys and using them.

But the patent is focused on "a key recovery agent to recover the user's private key or information encrypted under said user's corresponding public key" – which is really not the point of ECC. Yet, CryptoPeak seems to think there's some overlap between today's ECC implementations and the patent it holds.

It is not clear just what else, if anything, the outfit does. The company has little in the way of an online footprint outside of the litigation related to the '150 patent. Some people might even call it a "patent troll."

The wealthy giants being sued also seem to have a less-than-favorable view of CryptoPeak. Netflix has filed a motion for dismissal [PDF] of the case on the grounds that the infringement claims are invalid and do not clearly show infringement.

"The defect in these claims is so glaring that CryptoPeak’s only choice is to request that the court overlook the express words of the claims, construe the claims to read out certain language, or even correct the claims," Netflix's legal eagles wrote in their filing.

Tadlock, the Texan law firm representing CryptoPeak, told us: "We are not in a position to comment on the pending cases."

El Reg also contacted a bunch of the organizations accused of infringing the patent; none was immediately available for comment, except AT&T – which told us: "We cannot comment on pending litigation." ®