DCT

2:24-cv-00855

Qprivacy USA LLC v. Cisco Systems Inc


I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 2:24-cv-00855, E.D. Tex., 02/03/2026
  • Venue Allegations: Plaintiff alleges venue is proper in the Eastern District of Texas because Defendant Cisco has regular and established places of business in the District, including facilities in Richardson and Allen, and maintains a comprehensive work-from-home policy for its employees there.
  • Core Dispute: Plaintiff alleges that Defendant’s Encrypted Traffic Analytics (ETA) technology, used in its networking products, infringes patents related to the dynamic management of private data in network communications without decryption.
  • Technical Context: The technology concerns methods for analyzing encrypted network traffic to identify security threats or policy violations by examining traffic metadata and patterns, rather than decrypting the content, thereby preserving data privacy.
  • Key Procedural History: This First Amended Complaint follows an original complaint filed on October 21, 2024. The complaint alleges that Plaintiff's CEO introduced the patented technology to Cisco representatives in a meeting on March 6, 2018. It also states that infringement contentions have been served on Defendant.

Case Timeline

| Date | Event |
| --- | --- |
| 2017-04-09 | Priority Date for ’824 and ’249 Patents |
| 2018-03-06 | Plaintiff alleges its CEO met with Defendant's representatives |
| 2021-08-31 | U.S. Patent No. 11,106,824 Issued |
| 2023-11-14 | U.S. Patent No. 11,816,249 Issued |
| 2024-10-21 | Original Complaint Filing Date |
| 2026-02-03 | First Amended Complaint Filing Date |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 11,106,824 - "System and Method for Dynamic Management of Private Data"

  • Patent Identification: U.S. Patent No. 11,106,824 (“the ’824 Patent”), “System and Method for Dynamic Management of Private Data,” issued August 31, 2021.

The Invention Explained

  • Problem Addressed: The patent addresses the problem that during network communications, various types of data are "automatically (and uncontrollably) shared, sometimes without the knowledge of the user," making it difficult to enforce privacy agreements (’824 Patent, col. 1:22-29).
  • The Patented Solution: The invention proposes a system that manages private data by determining the "type" or "pattern" of a data packet based on its characteristics, without reading its actual content (’824 Patent, abstract; col. 12:35-43). It then compares this determination to a user's pre-defined privacy preferences and, if the packet is non-compliant, modifies it before allowing communication to proceed, thereby enforcing privacy rules in real-time (’824 Patent, col. 2:3-19; Fig. 5).
  • Technical Importance: This approach allows for the enforcement of data sharing policies on network traffic without requiring full decryption, which can be computationally expensive and may itself raise privacy concerns.

Key Claims at a Glance

  • The complaint asserts at least independent claim 17 (Compl. ¶34).
  • The essential elements of independent claim 17 include:
    • A system for dynamic management of private data during communication between a remote server and at least one user's device, the system comprising: a memory;
    • a communication data type database;
    • a privacy preference database, comprising a list of allowed types of data packets for sharing;
    • a communication module; and
    • a processor, coupled to the databases, configured to instruct the remote server to determine at least one data type for a data packet that is compatible with the allowed list;
    • wherein the data type is determined in accordance with characteristics of the communication data packet; and
    • wherein the content of the data packet is not read by the remote server for continued real-time operation.
  • The complaint does not explicitly reserve the right to assert dependent claims.

U.S. Patent No. 11,816,249 - "System and Method for Dynamic Management of Private Data"

  • Patent Identification: U.S. Patent No. 11,816,249 (“the ’249 Patent”), “System and Method for Dynamic Management of Private Data,” issued November 14, 2023.

The Invention Explained

  • Problem Addressed: Similar to the ’824 Patent, the ’249 Patent addresses the uncontrollable sharing of data with external remote servers (’249 Patent, col. 1:25-28).
  • The Patented Solution: The patent describes a method where a remote server analyzes incoming encrypted data packets. It determines the "content" (i.e., type or pattern) of a packet by its observable "characteristics"—not by decrypting it (’249 Patent, abstract; col. 17:1-12). This determination is then compared against a "preference list." If there is a mismatch, the server modifies the packet before sharing the modified communication, all performed in real-time during the session (’249 Patent, abstract).
  • Technical Importance: This invention provides a framework for inspecting and managing encrypted network traffic for policy compliance while maintaining end-to-end encryption.

Key Claims at a Glance

  • The complaint asserts at least independent claim 1 (Compl. ¶52).
  • The essential elements of independent claim 1 include:
    • A method of dynamic management of encrypted data, comprising:
    • receiving, by a remote server, a communication with encrypted data packets;
    • determining, by the remote server, a content of a data packet based on its characteristics, without decrypting it, in real time;
    • storing, by the remote server, a preference list;
    • determining, by the remote server, based on a comparison of the determined content and the preference list, whether to modify the data packet, and if so, modifying it; and
    • sharing, by the remote server, the modified communication.
  • The complaint does not explicitly reserve the right to assert dependent claims.

III. The Accused Instrumentality

  • Product Identification: The accused instrumentalities are Cisco networking devices (switches, routers, etc.) and software that implement "Encrypted Traffic Analytics" (ETA) technology (Compl. ¶3). Specific product families named include Cisco Catalyst Series, Cisco Meraki, and Cisco ISR Series Routers, among others (Compl. ¶25).
  • Functionality and Market Context:
    • The accused ETA technology is designed to "monitor activity and detect malicious threats in encrypted traffic without decrypting the traffic" (Compl. ¶23). It functions by extracting metadata and telemetry from network flows, such as the "Sequence of Packet Lengths and Times (SPLT)," "Initial Data Packet (IDP)," "Byte distribution," and "TLS-specific features" (Compl. ¶36, p. 10). A visual from a Cisco document, included in the complaint, illustrates this extraction of four main data elements from traffic flows (Compl. ¶36, p. 10).
    • This extracted telemetry is processed by products like Cisco Secure Network Analytics, which use "multilayer machine learning" to analyze the data, establish a baseline of normal behavior, and detect anomalies that may indicate a threat (Compl. ¶26). Another visual provided in the complaint depicts this process of creating a baseline and using it to alarm on anomalous behavior (Compl. ¶37, p. 14). The analysis and response are alleged to occur in real-time (Compl. ¶38).
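
The kind of metadata-only analysis described above can be illustrated with a short added example; it is not taken from the complaint and is not Cisco's implementation. It derives SPLT and byte-distribution features from packet sizes, timing and opaque payload bytes, then flags features that deviate from a baseline of earlier flows. The flow tuples, feature names, z-score test and threshold are assumptions made for illustration.

```python
import math
from collections import Counter
from statistics import mean, pstdev

def splt(packets, n=10):
    """SPLT for the first n packets; packets are (timestamp_s, direction, payload)."""
    seq, prev = [], None
    for ts, direction, payload in packets[:n]:
        gap_ms = 0 if prev is None else round((ts - prev) * 1000)
        size = len(payload) if direction == "out" else -len(payload)  # sign = direction
        seq.append((size, gap_ms))
        prev = ts
    return seq

def byte_distribution(packets):
    """Normalised histogram of byte values observed in the (opaque) payloads."""
    counts = Counter(b for _, _, payload in packets for b in payload)
    total = sum(counts.values()) or 1
    return [counts[v] / total for v in range(256)]

def features(packets):
    seq = splt(packets)
    sent = sum(s for s, _ in seq if s > 0)
    received = -sum(s for s, _ in seq if s < 0)
    return {"out_in_ratio": sent / max(received, 1),
            "mean_gap_ms": mean([g for _, g in seq[1:]])}

def anomalous_features(flow, baseline, threshold=3.0):
    """Feature names lying more than `threshold` std devs from the baseline mean."""
    flagged = []
    for name, value in features(flow).items():
        history = [features(f)[name] for f in baseline]
        mu, sigma = mean(history), pstdev(history)
        z = abs(value - mu) / sigma if sigma else (math.inf if value != mu else 0.0)
        if z > threshold:
            flagged.append(name)
    return sorted(flagged)

def make_flow(out_len, in_len, gap_s, pairs=3):
    """Constructed sample: request/response pairs with stand-in ciphertext."""
    packets, t = [], 0.0
    for _ in range(pairs):
        packets += [(t, "out", bytes(i % 256 for i in range(out_len))),
                    (t + gap_s, "in", bytes(i % 256 for i in range(in_len)))]
        t += 2 * gap_s
    return packets

BASELINE = [make_flow(200, 1400, 0.020), make_flow(220, 1300, 0.025),
            make_flow(180, 1500, 0.015), make_flow(210, 1450, 0.020)]
```

A flow shaped like the baseline, such as `make_flow(205, 1420, 0.022)`, yields no flagged features, while an upload-heavy flow such as `make_flow(1400, 60, 0.020)` is flagged on `out_in_ratio` without any payload being decrypted.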

IV. Analysis of Infringement Allegations

’824 Patent Infringement Allegations

| Claim Element (from Independent Claim 17) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
| --- | --- | --- | --- |
| a system for dynamic management of private data during communication between a remote server and at least one user's device | The Accused Products implement ETA technology and are alleged to contain a system for dynamic management of private data between a server and a user device. | ¶36 | col. 4:1-4 |
| a memory; ... and a processor | The Accused Products contain memory (DRAM) and processors (e.g., Intel x86, UADP ASIC) to perform their functions. | ¶39 | col. 4:9-11 |
| a communication data type database | The ETA technology extracts and analyzes telemetry data (SPLT, IDP, etc.), which is collected and used to build behavioral models that function as a database of communication data types. | ¶37 | col. 4:1-4 |
| a privacy preference database, comprising a list of allowed types of data packets for sharing | The Accused Products operate according to "security policies" and use machine learning to create a "baseline of normal behavior," which allegedly functions as a privacy preference database defining allowed traffic patterns. | ¶¶26, 37 | col. 4:5-9 |
| a processor... configured to instruct the remote server to determine at least one data type for sharing of data packet that is compatible with the list of allowed patterns | Cisco Secure Network Analytics, a server product, uses machine learning to analyze telemetry and determine if traffic is anomalous or malicious by comparing it to the established behavioral baseline and security policies. | ¶¶37-38 | col. 4:11-16 |
| wherein the at least one data type is determined in accordance with characteristics of the communication data packet | The ETA technology determines the nature of the traffic by analyzing its characteristics, such as packet lengths, timing, and TLS metadata, without decryption. | ¶36 | col. 4:16-18 |
| and wherein the content of the at least one data packet is not read by the remote server | The complaint alleges that the core feature of ETA is that it operates "without any decryption," thus not reading the encrypted content of the data packet. | ¶36 | col. 4:19-22 |

  • Identified Points of Contention:
    • Architectural Question: Claim 17 recites a "processor" that is "configured to instruct the remote server to determine" a data type. The complaint appears to allege that Cisco's Secure Network Analytics platform (a remote server) performs the determination itself. A potential issue for litigation is whether the accused system’s architecture, where the server itself determines the data type, maps onto the claim’s language suggesting one component "instructs" another.
    • Scope Question: The patent describes a "privacy preference database," with examples like managing sharing of contact names or location (’824 Patent, Fig. 3C). The accused system uses "security policies" to detect malware (Compl. ¶26). The case may turn on whether a security policy for detecting malicious activity can be construed as a "privacy preference database" for managing "private data" as contemplated by the patent.

’249 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
| --- | --- | --- | --- |
| receiving, by the remote server, a communication comprising encrypted data packets | Cisco Secure Network Analytics, alleged to be a "gatekeeper remote server," receives and collects enhanced network telemetry from encrypted traffic. | ¶¶54, 56 | col. 17:1-3 |
| determining, by the remote server, a content of at least one data packet... in accordance with characteristics... and wherein the content... is not decrypted | ETA technology analyzes encrypted traffic by extracting characteristics like SPLT and IDP to determine its nature ("content") without performing decryption. | ¶54 | col. 17:4-12 |
| storing, by the remote server, a preference list | The Accused Products use machine learning to "create a baseline of normal behavior" and apply security policies, which allegedly function as a stored preference list. | ¶55 | col. 17:13-13 |
| determining, by the remote server, based on a comparison... whether to modify the at least one data packet, and if so, modifying the at least one data packet | The system compares traffic against the baseline to "detect anomalous behavior" and, upon detection, takes a responsive action, such as quarantining the host, which is alleged to be a modification. | ¶¶55, 57 | col. 17:14-18 |
| and sharing, by the remote server, the modified communication | The complaint alleges that actions like quarantining a host or modifying packets based on security policies constitute sharing a modified communication. | ¶¶26, 60 | col. 17:18-19 |

  • Identified Points of Contention:
    • Technical Question: The claim requires "modifying the at least one data packet" and "sharing... the modified communication." The complaint provides evidence of responsive actions like "quarantine the suspected host" (Compl. p. 13). A central dispute may be whether an action like quarantining a device—effectively blocking its communication—constitutes "modifying" and "sharing" a packet as required by the claim, or if it is a different function altogether.
    • Definitional Scope: The term "content" is determined "in accordance with characteristics" of the packet. The case will likely involve debate over whether the "content" as claimed refers to the substantive data inside the packet (which is encrypted) or if it can be construed to mean the classification of the packet (e.g., "malicious," "benign") derived from its external characteristics.

V. Key Claim Terms for Construction

  • The Term: "privacy preference" (’824 Patent) / "preference list" (’249 Patent)

  • Context and Importance: These terms define the rules against which network traffic is judged. The infringement case hinges on equating Cisco's "security policies" and machine-learning "baselines" for malware detection with the patents' concept of a user-defined list for managing private data. Practitioners may focus on this term because the patent's examples suggest user-centric choices (e.g., sharing location), while the accused product's function is network security.

  • Intrinsic Evidence for Interpretation:

    • Evidence for a Broader Interpretation: The patents do not explicitly limit the preferences to user-configurable settings. The specification for the ’824 patent states the system can "manage sharing of data packets... according to a predefined privacy preference," which could be interpreted to include administratively set security policies (’824 Patent, col. 13:2-4).
    • Evidence for a Narrower Interpretation: The ’824 patent's specification includes a "Privacy Preference Table" with examples like "Contact Name" and "Password," and modification strategies like "Random change - from list of dummy contacts," suggesting user-level data privacy choices, not network-level threat detection (’824 Patent, Fig. 3C).
  • The Term: "modifying" (’824 and ’249 Patents)

  • Context and Importance: This is the core enforcement action in the claimed inventions. The viability of the infringement allegation depends on whether the actions taken by Cisco's system, such as quarantining a host, fall within the scope of "modifying" a data packet.

  • Intrinsic Evidence for Interpretation:

    • Evidence for a Broader Interpretation: The specifications list "blocking" as a potential modification. For example, the ’824 patent states the modification can be selected from a group including "blocking, data randomization, content modification," and more (’824 Patent, col. 15:8-13). This suggests blocking a flow entirely could be a form of modification.
    • Evidence for a Narrower Interpretation: Both patents distinguish between determining whether to modify and then, if so, modifying the packet (e.g., ’249 Patent, claim 1). This structure might suggest that "modifying" is an action performed on a packet that is subsequently shared, as distinct from simply blocking it. The flowchart in Figure 5 of the ’824 patent shows "BLOCK" (510) and "MODIFY" (530) as separate paths, which could support a narrower reading that they are distinct actions.

VI. Other Allegations

  • Indirect Infringement: The complaint alleges that Cisco induces infringement by providing "user manuals and online instruction materials" that instruct customers on how to use the Accused Products in ways that allegedly infringe the patents (Compl. ¶¶42, 60).
  • Willful Infringement: The complaint alleges both pre-suit and post-suit willfulness. Pre-suit knowledge is based on a meeting on March 6, 2018, where QPrivacy's CEO allegedly introduced the technology to Cisco (Compl. ¶28). Post-suit knowledge is based on the filing of the original complaint on October 21, 2024 (Compl. ¶¶46, 64).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of definitional scope: can the patents' concept of a "privacy preference" for managing the sharing of user data be construed to cover the accused system's use of "security policies" and behavioral baselines for detecting malware?
  • A second key question will be one of functional equivalence: does the primary responsive action of the accused system—quarantining a device to stop a threat—constitute "modifying the at least one data packet" and "sharing the modified communication" as required by the claims, or is this a fundamentally different technical operation?
  • For the ’824 patent specifically, a potential architectural question arises: does the accused system, where an analytics server appears to perform the analysis directly, align with the claim 17 language requiring a processor to "instruct the remote server to determine" the data type, which may imply a more distributed architecture?