Deal Ends Suit Alleging Microsoft’s Message Encryption Tool Violated Virtru Patents
Virtru and Microsoft settled a three-year-old patent rights infringement lawsuit this week centered on Virtru’s patents for data protection technology for messaging.
See Also: Post-Quantum Cryptography – A Fundamental Pillar in the Future of Cybersecurity [ES]
The Washington D.C.-based data-centric security vendor accused the Seattle-area software and cloud computing giant’s Purview Message Encryption product of infringing upon Virtru’s patented method for enabling secure data sharing without requiring recipients to create new credentials. The case was resolved through a confidential settlement and a dismissal of the lawsuit.
“Founding a startup is a big risk, but challenging a tech giant in court for patent infringement? That’s a real test of courage,” Virtru CEO John Ackerly wrote in a blog. “After more than three years of litigation, Virtru successfully concluded its case today. This outcome demonstrates what my brother, Will, and I knew to be true when we founded this company: That we have something special here at Virtru.”
Virtru last month raised $50 million on a $500 million valuation to capitalize on emerging opportunities in unstructured data governance and AI. The money will help Virtru enable persistent, granular control of sensitive data even as it flows beyond the network perimeter, said CMO Matt Howard. Virtru, founded in 2012, employs 215 people and has raised $190 million in seven rounds of outside funding (see: Virtru Gets $50M at $500M Valuation to Boost Data Governance).
Microsoft didn’t immediately respond to Information Security Media Group’s request for comment.
What Virtru Said Microsoft Did Wrong
Virtru alleged that Microsoft copied key elements of its patented system after engaging in extensive partnership discussions between 2015 and 2017, with the former disclosing how its technology allows users to share encrypted data without creating new credentials. Then in 2017, Microsoft began offering a similar feature that Virtru said directly replicated its approach and violated claims for three patents.
Virtru said the companies signed a non-disclosure agreement in 2015, and then met with Microsoft’s executives and engineering leads in December 2016 and 2017, when they shared confidential architecture documents and technical demonstrations. After talks about potential integrations, Virtru said Microsoft cut communications, only to launch a competing encryption service months later.
“On Dec. 6, 2016, John and [Chief Architect] Will Ackerly met with senior Microsoft executives,” Virtru wrote in a May 2022 amended complaint. “Will described in detail how federated identity works, how an access control management system works and demonstrated how a company like Microsoft could use these features in a wide variety of applications and end uses, such as Office 365.”
Virtru accused Microsoft of direct infringement by developing and deploying encryption technologies that use federated access systems, as well as induced infringement by encouraging clients to use the accused products in a matter that violated Virtru’s patents. The company sought monetary damages, enhanced damages for willfulness and injunctive relief to prevent further use of its patented methods.
“While most cyber vendors today are focused on ‘locking data down’ and preventing it from being lost or stolen, our innovation is uniquely focused on ‘setting data free,” Howard wrote on LinkedIn Monday. “Specifically, we allow users to share encrypted data seamlessly, leveraging existing identity providers without requiring recipients to create new credentials. Simple in concept, powerful in execution and now recognized for its value.”
How Microsoft Responded to Virtru’s Allegations
Microsoft argued its message encryption feature didn’t perform the patented steps described by Virtru since the identity provider is automatically selected by Microsoft’s server rather than explicitly selected by the sender, which Virtru’s patent allegedly required. Additionally, Microsoft’s encryption process is triggered by user-level action rather than back-end authentication flow as outlined in Virtru’s patent diagram.
“The OME feature allows users to access encrypted email messages with authenticated recipients, where authentication can be performed using an identity provider,” Microsoft wrote in a May 2022 answer to Virtru’s amended complaint. “Microsoft denies any alleged infringement.”
Microsoft in February unsuccessfully filed a motion for summary judgement, arguing that Purview Message Encryption’s workflow did not involve access control systems as described in Virtru’s patents. Microsoft also said Virtru’s patents relied on “well-understood, routine and conventional” steps performed by identity providers that Microsoft said should not be eligible for patent protection.
“The ACMS [server in the middle does not send any authentication request to the selected identity provider, only redirecting the user’s browser to the third-party identity provider website, such as Yahoo, and then Microsoft is out of the loop and the user requests authentication by providing their username and password to the identity provider,” Microsoft wrote in February.