DotGNU Project - GNU Freedom for the Net








Analysis of McAfee patent #6,266,774

Rhys Weatherley, .
Copyright © 2001 Rhys Weatherley. All rights reserved.
Permission to distribute unmodified copies of this work is hereby granted.

Last Modified: 10 August 2001

1. Introduction

This document is an analysis of the McAfee patent #6,266,774, explaining what it does and does not cover. We hope to dispel the myth that this covers all application service providers.

This document was prepared in part to assist the DotGNU project, http://www.dotgnu.org/, a free software initiative under the auspices of the GNU project, http://www.gnu.org/ and FreeDevelopers, .

We concentrate on the claims in the patent, not the description or McAfee's press releases. Only the claims have legal weight.

Nothing in this document should be construed as legal advice. It is an independent review by a computer programmer, not a patent attorney.

If you discover any issues with this document, or other examples of prior art, please e-mail the author.

2. Overview of the patent

The patent was filed on December 8, 1998, and granted July 24, 2001. The abstract is as follows:

A system, method, and computer program product for delivery and automatic execution of security, management, or optimization software over an Internet connection to a user computer responsive to a user request entered via a web browser on the user computer. In a preferred embodiment, the user directs the Internet browser to a Internet clinical services provider web site computer and logs in to the site using an identifier and a secure password and optionally makes a selection of the type of servicing desired, wherein an automatically-executing software package encapsulated within a markup language communication unit deliverable across the Internet is delivered, to the user computer, the automatically-executing software package being adapted to perform security, management, or optimization functions on the user computer. User identifiers and passwords enabling the downloads may be provided on a per-download basis or on a subscription basis.

Essentially, the patent covers a system for automatically downloading security patches and virus scanner updates over the Internet. This is hardly an earth-shattering achievement: any competent Internet programmer could devise such a scheme. As we will see, the claims are obvious to a practitioner of computer programming.

3. The main claims

All patents contain two kinds of claims: main and re-statements. The main claims are the core of the patent. The re-stated claims modify the main claims to cover extensions or variations. There are three main claims in this patent: 1, 12, and 14.

1. A method for automatically performing one or more maintenance tasks on a remotely located computer connected to a server computer via a data network, said method comprising the steps of:
  • directing an Internet browser on the remotely located computer to form a logical connection with the server computer;
  • delivering a software package to the remotely located computer across said logical connection, said software package being encapsulated within a markup language communication unit deliverable across said logical connection, said software package comprising scripts for performing said one or more maintenance tasks on the remotely located computer; and
  • automatically executing the scripts for performing said one or more maintenance tasks on the remotely located computer.

This claim describes the software and activities on the "remotely located computer", which is the user's machine. The machine is directed to connect to the server, download a set of maintainence tasks as a "markup communication unit", and execute the maintainence tasks.

Prior art for this isn't hard to find: any system that downloads a shell script from a server for automatic execution on a client would be sufficient. Unix systems in the early 1990's regularly used the technique of loading shell scripts via NFS from a remote server.

More recently, Red Hat Linux systems use RPM files to automatically apply security patches consisting of both software updates, and commands to be executed. RPM files can be downloaded by the user with a Web browser, or via direct connection to a HTTP server.

Claim 1 attempts to make things different by using an Internet browser and a markup language. But these are just recent incarnations of a very old, and obvious, idea. Namely, administration is more efficient if it can be centralized.

This claim is vague as to who or what performs the "directing". Is it the user themselves? An automated process installed on user's machine? Or the server computer? The first interpretation is no different than regular Web traffic. The second interpretation is no different than a Unix machine using NFS to download a shell script at pre-determined times.

The patent description is also vague, but the third would seem to be the most likely interpretation. That is, the server sends some information to the user's Web browser to cause it to accept the download of the software package on a secondary connection.

There are two sources of prior art for this: FTP and HTTP redirects. FTP servers negotiate with their clients to set up a secondary connection to exchange data files. HTTP redirects can also be used to force a Web browser to visit a secondary Web site that performs data transfer.

12. A computer program product for execution by a server computer for enabling the maintenance of a remote user computer coupled to the server computer over a network, comprising:
  • computer code for receiving a user request from the remote user computer, said user request being entered by the user via a web browser;
  • computer code for instantiating a download of a maintenance software package to a storage medium connected to the user computer via the web browser; and
  • computer code for causing said maintenance software to automatically execute on the user computer subsequent to downloading;
  • whereby, responsive only to said user-entered request via said web browser, advanced maintenance routines may be performed on said user computer without requiring local maintenance commands from said user.

This describes the Web server that is providing the service to the user machine described in claim 1. It is obvious that any gadget that conforms to the description of claim 1 will need to talk to a gadget that conforms to the description of claim 12. Otherwise the claim 1 gadget cannot function successfully.

All known Web servers that existed one year prior to the patent filing date provide the above functionality. The more usual name for the client part of the mechanism is "browser plug-ins", which are activated by information supplied by the server upon user request.

If the third interpretation of "directing" in claim 1 is the correct one, then existing Web servers provide all of the functionality except the establishment of the secondary connection. Such functionality is more common to FTP servers. The patent has combined the functionality of HTTP and FTP in the most obvious manner possible.

14. A computer-readable medium, comprising:
  • means for directing a server computer to encapsulate a self-executing software maintenance program into a markup language communication unit deliverable across the Internet;
  • means for directing the server computer to receive a user command over the Internet, said user command being received from a user via a web browser installed on a remote user computer;
  • means for transmitting said encapsulated self-executing software maintenance program to said user remote computer responsive to said user command, whereby said software maintenance program is executed responsive only to commands entered from the user into the web browser.

This refers to the mechanism used to represent and deliver the software updates as the "markup language communication unit". Packaging software for download is not new: the ZIP format has existed since the early 1990's for precisely this purpose. Incorporating additional script commands is also quite common: the shar archive format was doing this in the late 1980's, and the RPM format is a more recent example from the mid-1990's. All of these predate the patent filing date by at least a year.

The first part of this claim is vague as to when the unit is generated. Is it generated once for all users and stored for download? If so, then claim 14 is precisely the same as ZIP, shar, and RPM in functionality.

Alternatively, the unit may be generated "on the fly" in the server. The unit can thus be customized to the specific maintainence tasks required by the user's machine. Previous systems did not normally do this, because it is inefficient. However, if an administrator of a previous system wanted to build such a system, it would be quite obvious how to do so. Packaging software is fully automatable and configurable.

There is some prior art for packaging software "on the fly" in a server. The wu-ftpd FTP server can automatically package the contents of a directory as a "tar" file for download to a user's machine. Because the server does not know ahead of time which directories the user may wish to download, it must perform the task upon request.

4. Restating the obvious

With any system that uses the Internet, there are various practical considerations that must be taken into account: security, transaction logging, dynamic notification, etc. Claims 2 through 11, and 13 enumerate these, just in case the reader was unable to figure them out for themselves.

2. The method of claim 1, said step of directing including a registering step, said registering step comprising the steps of:
  • downloading a web page located on the server computer using the Internet browser;
  • entering an identifier and a secure password on said web page; and
  • selecting an option presented on the web page to send the identifier and password to the server computer;
  • wherein said step of delivering the software package is enabled only if a user has provided a valid identifier and password.

This claim adds an extra Web page to the start of the process, to allow the user to login to the server that supplies the security updates. Since the server is providing security updates for particular machines, some way is needed to identify those machines. A username/password scheme is an obvious way of achieving this, if not a particularly secure one.

3. The method of claim 2, further comprising the steps of:
  • creating a transaction log on the server computer; and
  • recording information related to said steps of registering and delivering in the said transaction log.

This claim says that the server records every security update transaction in a log of some kind. Since Web servers normally keep logs of every request anyway, this claim is just restating the normal functions of a Web server.

We will note here that keeping logs of every update made to a machine is probably a violation of the user's privacy.

4. The method of claim 3, further comprising the step of generating a periodic activity report for the remotely located computer.

To compound the privacy concerns, this claim says that the server has some mechanism to summarize the activities of the user. In any case, it is a normal function of Web servers to provide some way to summarize the logs according to various criteria.

However, this analysis may be incorrect. Perhaps claim 4 does not refer to summa rising the user's activity for the server administrators. It may refer to summa rising the activity for the user themselves to view. It is fairly obvious that a way to summarize activity for the administrator can be trivially turned into a way for the user to access the same information.

5. The method of claim 4, further comprising the step of transmitting an electronic message in an e-mail format from the server computer to the remotely located computer indicating that a new product or a new application is available for download.

It is quite common for Web sites to automatically e-mail registered users about updates or new offerings. This claim is not adding anything new.

6. The method of claim 5, said logical connection with the server computer being a secure network connection.

This claim says that the patent still holds if the information is sent over a secure connection. That is, the user accesses the server and downloads the software package using SSL rather than a raw connection. It is obvious to anyone familiar with Internet protocols that any information that is sent via an insecure channel can also be sent by a secure channel.

7. The method of claim 6, said software package including a program to detect computer viruses on the remotely located computer.

Previous claims have left it fairly open as to the type of software that was being transferred, except to say that the software is performing maintainence operations. Should the previous claims be found to be too broad, then this claim is engaged to say that the particular case of virus scanning programs is still covered.

This claim is really what the patent is all about: automatic downloading of virus scanners and updates. Thus, vendors of virus scanning software may have something to fear from this patent, but few other companies will.

We will state though that it is pretty obvious that the Internet can be used to distribute programs and program updates of any kind. This has been one of its primary functions since its earliest days. Virus scanners and updates are no different to any other kind of software in this regard.

8. The method of claim 2, further comprising the steps of:
  • before or during registering the remotely located computer, creating an account for a user of the remotely located computer on the server computer; and
  • identifying said identifier and password as valid if the user has a current subscription or a positive fund balance in said user account.

The first part of this claim says that an account should be automatically created for new users. This is a common feature of most Web sites that require user registration.

The second part of this claim says that the user should only be authorized by the login mechanism if they are properly subscribed and if sufficient funds are available in their personal account. The fundamental requirement of e-commerce, that no service shall be supplied without payment, makes it pretty obvious that such a check needs to be performed at some point.

9. The method of claim 8, further comprising the step of transmitting payment information from the remotely located computer to the server computer in an electronic mail message format, wherein said account may reflect a current subscription or an increased fund balance upon receipt of said payment information.

This claim says that payment information may be sent to the server in an e-mail message. Presumably this information would include credit card details, or some other form of payment. Obviously, some means is needed to communicate to the server how payment should be achieved.

Interestingly, the patent only mentions sending payment information via e-mail, and not by direct entry on a Web page. This oversight makes it very easy for competitors to avoid infringing this aspect of the patent. They need only require their users to access a Web page to provide payment information. Since Web pages are easier to secure using SSL than e-mail, this will result in a better system for the users.

10. The method of claim 9, further comprising the steps of:
  • generating an electronic receipt on the server computer; and
  • transmitting the receipt to the remotely located computer.

This claims says that a receipt is generated and transmitted after the payment information is supplied. This is an obvious requirement for any e-commerce system.

11. The method of claim 1 wherein said one or more maintenance tasks comprise at least one of the following: compression of software, compression of data, search for software that needs to be upgraded, search for data that needs to be upgraded, upgrade of software, upgrade of data, search for obsolete software, search for obsolete data, deletion of obsolete software, deletion of obsolete data, archival of software, archival of data, hardware diagnostics, and software diagnostics.

This claim attempts to enumerate all of the tasks that may need to be performed during software maintainence. This list is hardly surprising: every system administrator since the dawn of computing has performed these tasks, or written automated scripts to perform the tasks for them.

13. The computer program product of claim 12, further comprising computer code for receiving payment or subscription information from the user, whereby said maintenance software package is downloaded to the user computer only upon receiving valid payment information or current subscription information from the user.

This modifies claim 12 to include the ability to process the user's payment or subscription information. This is an obvious requirement for communicating with any client that conforms to claim 8.

5. Prior art

Symantec's HealthyPC program may be sufficient prior art. The following is from a CNET news article, dated April 28, 1997:

During the quarter, Symantec and ZDNet launched HealthyPC.com, a Web site that emphasizes PC maintenance. It offers two separate services: a free advice and consultation area maintained by ZDNet and a subscription-based service with access to Symantec's antivirus, utility, and LiveUpdate software. [http://news.cnet.com/news/0-1003-200-318512.html].

If HealthyPC is not sufficient prior art, then any Unix machine from the early 1990's that downloaded a shell script via NFS and executed it should be sufficient. RPM is also sufficient, and is even closer to the patent than shell/NFS. Automatic shell script download and execution is basically all this patent is about: the technologies have changed slightly, but the concept is identical. The USPTO guidelines on this are quite clear:

Even if the subject matter sought to be patented is not exactly shown by the prior art, and involves one or more differences over the most nearly similar thing already known, a patent may still be refused if the differences would be obvious. The subject matter sought to be patented must be sufficiently different from what has been used or described before that it may be said to be nonobvious to a person having ordinary skill in the area of technology related to the invention. For example, the substitution of one material for another, or changes in size, are ordinarily not patentable. [http://www.uspto.gov/web/offices/pac/doc/general/novelty.htm].

Using the Internet instead of NFS and a markup language instead of shell scripts or RPM packages, is obvious to practicioners of computer programming.

6. Avoiding the patent

If the prior art is not sufficient to overturn the patent, then there are a number of ways to avoid infringing the patent.

Claim 1 refers to an Internet browser being directed to upload the user's credentials and download the security patches. This is a very inefficient way to accomplish this task, especially if it is to be performed without user intervention. The overhead of loading the browser GUI and associated code is much greater than is required.

It is better for the maintainence program to make a direct HTTP or HTTPS connection to the server, and to negotiate over this direct connection. There is no need for the involvement of a full Internet browser. Thus, a competing system need only avoid using a browser to contact the server, and would thereby deliver a superior user experience.

The patent description attempts to justify this complexity because then users don't need to understand how to manually install the maintainence system. An alternative mechanism that is installed by OEM's on user computers, or is distributed as part of some standard software package, would provide the same level of functionality without confusing users.

Some concern has been expressed that this patent covers all manner of "application service providers" (ASP's). This concern is based on the final paragraph of the patent description:

The foregoing describes a new and useful method and system for automatically downloading and remotely executing software applications over a secure Internet connection. Those skilled in the art may make numerous modifications and departures from the specific embodiments without departing from the spirit and scope of the claimed invention. For example, the server computer can comprise a distributed computing system or a cluster of networked computers; the database may comprise a distributed database or several databases. Additionally, web pages may comprise an interface that is not specified herein. Other embodiments may include a network connection other than the Internet between the server computer and the user computer; and the software downloaded may be intended to perform tasks such as database management, word processing, spread sheet, games, or other tasks that are not specified herein.

Since the patent description carries no legal weight, this is just wishful thinking. Claims 7 and 11 make it quite clear what type of maintainence operations are being performed, and the bulk of the patent description makes no mention of other application types. ASP's that provide access to ordinary applications will rarely, if ever, need to perform maintainence tasks. For example, an online ticket reservation ASP does not need to access the user's machine to compress files, scan for viruses, etc.

Even if the description was accepted as legal, it overlaps very heavily with technologies such as Java that were already deployed one year prior to the filing date. One cannot patent the download of non-maintainence software well after such software was being widely downloaded and deployed. This claim has no merit whatsoever.

Claim 9 was a serious oversight. Payment information is sent via e-mail. To avoid infringement, competitors can instead use a Web browser or a direct HTTP or HTTPS connection. The result is likely to be a better user experience.

As claim 1 is vague as to the method for "directing" the user's machine to download the software package, it is safer to use straightforward download mechanisms, rather than unnecessarily clever secondary connections.

Claim 14 is ambiguous as to when the software package is generated. It may be safer to use methods that package the software ahead of time rather than on the fly. However, the example of wu-ftpd demonstrates that on the fly packaging is obvious.

Your comments please...

You are invited to add your comments concerning this at the appropriate page of the DotGNU Wiki




Verbatim copying and distribution of this entire article are permitted in any medium or format, provided this notice is preserved.

This page is maintained by Norbert Bollow <nb@SoftwareEconomics.biz> with support from the DotGNU Developers mailing list.