2:25-cv-00901
Headwater Research LLC v. Charter Communications Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Headwater Research LLC (Texas)
- Defendant: Charter Communications, Inc., et al. (Delaware)
- Plaintiff's Counsel: Russ August & Kabat
- Case Identification: 2:25-cv-00901, E.D. Tex., 08/27/2025
- Venue Allegations: Plaintiff alleges venue is proper in the Eastern District of Texas because Defendants operate regular and established places of business within the district, including Spectrum retail stores, and have committed acts of infringement in the district.
- Core Dispute: Plaintiff alleges that Defendant's mobile electronic devices, cellular networks, and services that utilize embedded SIM (eSIM) technology infringe seven U.S. patents related to automated device provisioning, activation, credential porting, and security for device-assisted services.
- Technical Context: The technology at issue addresses the management and security of mobile devices on wireless networks, a field of increasing importance with the rapid growth of mobile data consumption and the industry shift from physical SIM cards to eSIMs.
- Key Procedural History: The complaint alleges that the technology of the Asserted Patents was licensed by ItsOn Inc., a company founded by the inventor Dr. Raleigh, and that ItsOn software included patent marking notices listing certain patents-in-suit, which may be relevant to the question of pre-suit knowledge.
Case Timeline
| Date | Event |
|---|---|
| 2009-01-28 | U.S. Patent No. 11,096,055 Priority Date |
| 2009-02-10 | U.S. Patent No. 8,639,935 Priority Date |
| 2009-10-15 | U.S. Patent No. 11,405,429 Priority Date |
| 2009-10-15 | U.S. Patent No. 11,966,464 Priority Date |
| 2010-09-09 | U.S. Patent No. 9,973,930 Priority Date |
| 2010-09-21 | U.S. Patent No. 11,985,155 Priority Date |
| 2013-03-14 | U.S. Patent No. 9,609,510 Priority Date |
| 2014-01-28 | U.S. Patent No. 8,639,935 Issued |
| 2017-03-28 | U.S. Patent No. 9,609,510 Issued |
| 2018-05-15 | U.S. Patent No. 9,973,930 Issued |
| 2021-08-17 | U.S. Patent No. 11,096,055 Issued |
| 2022-08-02 | U.S. Patent No. 11,405,429 Issued |
| 2024-04-23 | U.S. Patent No. 11,966,464 Issued |
| 2024-05-14 | U.S. Patent No. 11,985,155 Issued |
| 2025-08-27 | Complaint Filing Date |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 8,639,935 - "Automated device provisioning and activation", issued January 28, 2014
The Invention Explained
- Problem Addressed: The patent describes a market with a proliferation of mass-market digital devices and network types, creating a need for a system that can provide flexible service plan offerings and efficiently manage network service usage across this complex ecosystem '935 Patent, col. 5:40-62
- The Patented Solution: The invention is a method performed by a network system for securely communicating with software "agents" on an end-user device. The system establishes a secure "service control link" to the device, receives a message intended for a specific agent on that device, generates an encrypted message containing the payload and an identifier for that agent, and sends the encrypted message over the secure link '935 Patent, abstract '935 Patent, col. 16:15-22 This allows a network to securely direct instructions to, and manage the behavior of, specific software components on a remote device.
- Technical Importance: This server-driven, agent-specific communication method provides a secure and structured way for network operators to provision services and enforce policies on a diverse range of end-user devices Compl. ¶15
Key Claims at a Glance
- The complaint asserts independent claim 1 Compl. ¶47 Compl. Ex. 8, p. 2
- The essential elements of claim 1 include:
- Establishing, in cooperation with an end-user device, a service control link between a network system and the device, where the device has at least two device agents, including a particular device agent.
- Receiving a server message from a server, the message comprising a message payload for delivery to the end-user device.
- Generating an encrypted message that includes at least a portion of the message payload and an identifier for the particular device agent.
- Sending the encrypted message to the end-user device over the service control link.
U.S. Patent No. 9,609,510 - "Automated Credential Porting For Mobile Devices", issued March 28, 2017
The Invention Explained
- Problem Addressed: The patent addresses the challenge users face when needing to update their wireless device credentials, such as when porting a phone number to a new device, a process that traditionally could be complex and require manual intervention '510 Patent, col. 1:15-41
- The Patented Solution: The invention is a wireless device that automates the credential update process. The device obtains a user request to replace an existing credential with a new "target credential." It then detects a "network-provisioning state change," such as a loss of service. This detection triggers the device to automatically determine its current credential is now invalid, initiate a programming session with a network element, obtain the new credential, and store it in memory, thereby completing the porting or update process without further user action '510 Patent, abstract '510 Patent, col. 2:24-40
- Technical Importance: This technology streamlines the user experience for common but often difficult events like changing devices or carriers, reducing the need for customer support and minimizing service interruptions Compl. ¶15
Key Claims at a Glance
- The complaint asserts independent claim 1 Compl. ¶59 Compl. Ex. 9, p. 2
- The essential elements of claim 1 include:
- A wireless device comprising a user interface, memory, and one or more processors.
- The processors are configured to obtain a user request to replace a particular credential with a target credential.
- The processors are also configured to detect a network-provisioning state change.
- Based on this change, the processors automatically determine the particular credential does not match the target, initiate a programming session with a network element, obtain an updated credential, and assist in storing it.
U.S. Patent No. 9,973,930 - "End user device that secures an association of application to service policy with an application certificate check", issued May 15, 2018
Technology Synopsis
This patent describes a wireless device that stores service policy data, including credential information for a specific application. Device agents on the device are configured to receive this information from a network, perform an "application credential check" to verify the application's authenticity, and, upon successful verification, apply the service policy instructions to the application's use of the wireless network Compl. ¶66 Compl. Ex. 10 This creates a secure link between a specific, verified application and its authorized network service policies.
Asserted Claims
The complaint asserts independent claim 1 Compl. ¶71 Compl. Ex. 10, p. 2
Accused Features
The complaint accuses Defendants' eSIM-enabled devices and services, which allegedly use service policies tied to specific applications and perform credential checks to enforce them Compl. ¶70 Compl. Ex. 10
U.S. Patent No. 11,096,055 - "Automated device provisioning and activation", issued August 17, 2021
Technology Synopsis
This patent discloses a wireless end-user device with a Wireless Wide-Area Network (WWAN) modem and secure memory. The memory stores at least two different service profiles, each with its own set of network service policies. A connection manager selects one of the profiles, and an adaptive service policy agent enforces the policies associated with the selected profile, including policies enforced at the application level on the device '055 Patent, abstract '055 Patent, claim 1 This architecture supports dual-SIM or multi-carrier functionality.
Asserted Claims
The complaint asserts independent claim 1 Compl. ¶83 Compl. Ex. 11, p. 2
Accused Features
The complaint targets Defendants' eSIM-enabled devices that support dual-SIM functionality, which by nature store and manage multiple service profiles (e.g., one physical SIM and one eSIM, or two eSIMs) and apply different network policies based on the user's selection Compl. ¶82 Compl. Ex. 11
U.S. Patent No. 11,405,429 - "Security techniques for device assisted services", issued August 2, 2022
Technology Synopsis
The patent describes a method for operating a wireless device that establishes two separate secure communication channels. The first is from a secure modem subsystem to a network service controller. The second is from a "secure execution environment" (distinct from the modem) to the same network service controller. The device then receives and stores service policy settings via the second channel and enforces them '429 Patent, abstract '429 Patent, claim 1 This dual-channel architecture enhances security by separating low-level modem communication from higher-level policy control.
Asserted Claims
The complaint asserts independent claim 1 Compl. ¶95 Compl. Ex. 12, p. 2
Accused Features
The complaint alleges that Defendants' eSIM-enabled devices, which rely on secure modems and secure execution environments (e.g., in compliance with GSMA standards), practice this dual-channel security method for provisioning and managing services Compl. ¶94 Compl. Ex. 12
U.S. Patent No. 11,966,464 - "Security techniques for device assisted services", issued April 23, 2024
Technology Synopsis
This patent claims a device apparatus corresponding to the method of the '429 Patent. It describes a device comprising a secure modem, a secure execution environment, a secure memory partition, and a processor. The processor is configured to establish a connection from the modem, establish a secure control channel from the execution environment, receive settings over that channel, store them in the secure partition, and control the device accordingly '464 Patent, abstract '464 Patent, claim 11
Asserted Claims
The complaint asserts independent claim 11 Compl. ¶107 Compl. Ex. 13, p. 2
Accused Features
As with the '429 patent, the complaint accuses Defendants' eSIM-enabled devices that utilize secure modems and separate secure execution environments to manage network services Compl. ¶106 Compl. Ex. 13
U.S. Patent No. 11,985,155 - "Communications device with secure data path processing agents", issued May 14, 2024
Technology Synopsis
This patent describes a communications device with a secure execution environment that is inaccessible to user applications. Within this secure environment, a "secure data path processing agent" executes to perform several steps: it generates a unique identifier for communication with a network element, stores that identifier in secure memory, generates a data record, associates the identifier with the record, and sends the identifier over a trusted communication link '155 Patent, abstract '155 Patent, claim 1 This creates a verifiable and secure method for a device to generate and report usage or event data.
Asserted Claims
The complaint asserts independent claim 1 Compl. ¶119 Compl. Ex. 14, p. 2
Accused Features
The complaint alleges that Defendants' devices, particularly their security architecture for managing eSIMs and reporting data, employ such secure agents in a secure environment to generate and transmit unique identifiers and associated data records for service management Compl. ¶118 Compl. Ex. 14
III. The Accused Instrumentality
Product Identification
The accused instrumentalities are a combination of hardware and services, including mobile phones, tablets, and other eSIM-enabled devices sold or supplied by Defendants; Defendants' cellular networks, servers, and services; and specifically the "Spectrum Mobile" mobile virtual network operator (MVNO) service Compl. ¶1 Compl. Ex. 8, p. 2
Functionality and Market Context
The core accused functionality is the support for eSIM technology, which allows users to activate and manage cellular plans on their devices without a physical SIM card Compl. Ex. 8, p. 3 The complaint alleges this functionality complies with industry-wide GSMA eSIM standards (e.g., SGP.21/SGP.22) Compl. Ex. 8, p. 2 A screenshot provided in the complaint's exhibits describes a three-step process for instant activation: selecting a device, customizing a plan, and activating the account through an online portal Compl. Ex. 8, p. 3 Defendants market this as a way to "instantly activate a Spectrum Mobile line with an eSIM-enabled device" Compl. Ex. 8, p. 3 Spectrum is a major communications provider operating in 41 states, serving over 57 million homes and businesses Compl. ¶25
IV. Analysis of Infringement Allegations
'935 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| establishing, in cooperation with an end-user device... a service control link between the network system and the end-user device, the service control link secured at least in part by at least one security protocol, the service control link for supporting control-plane communications..., the end-user device comprising two or more device agents, the two or more device agents including a particular device agent; | The accused system establishes a secure, control-plane communication link to support eSIM activation, consistent with GSMA standards that define secure channels (e.g., ES8+) between the network (SM-DP+) and agents on the device (e.g., LPA on the eUICC). | ¶47 | col. 16:15-22 |
| receiving a server message from a particular server of a plurality of servers..., the server message comprising a message payload, at least a portion of the message payload for delivery to the end-user device; | The network system (e.g., SM-DP+ server) receives a message from an operator to prepare a profile package, which contains the payload for delivery to the end-user device's eUICC. | ¶47 | col. 17:1-6 |
| generating an encrypted message comprising the at least a portion of the message payload and an identifier identifying the particular device agent, the identifier configured to assist in delivering the at least a portion of the message payload to the particular device agent, the identifier distinguishing the particular device agent from all other device agents...; and | The network system generates a "Bound Profile Package" which is encrypted and cryptographically bound to the target device's eUICC (the particular device agent), ensuring it can only be installed on that specific device. | ¶47 | col. 17:7-17 |
| sending the encrypted message to the end-user device over the service control link. | The encrypted Bound Profile Package is downloaded to the end-user device over the secure service control link for installation on the eUICC. A screenshot from an Android Authority article shows the process of activating a Spectrum Mobile eSIM, which involves downloading the cellular plan (Compl. Ex. 8, p. 8). | ¶47 | col. 17:18-20 |
Identified Points of Contention
- Scope Questions: The case may turn on whether the term "service control link for supporting control-plane communications" can be construed to read on the channel used for a one-time or infrequent eSIM profile download. Defendants may argue the patent contemplates a more persistent link for ongoing device management, as suggested by specification examples involving heartbeat messages '935 Patent, col. 37:25-39, rather than a temporary provisioning channel.
- Technical Questions: A factual question may be whether a single "network system" under Defendants' control performs all the recited steps. The complaint alleges infringement by a distributed system of servers (e.g., operator systems, SM-DP+ servers) that operate according to GSMA standards; it may be disputed whether this collection of entities constitutes the singular "network system" required by the claim.
'510 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| obtain, through the user interface, an indication of a user request to replace a particular credential of the one or more credentials with the target credential, | The user interface on the accused devices allows a user to initiate the process of activating an eSIM, which constitutes a request to replace a placeholder or old credential with a new, active service credential. A screenshot shows the user selecting a device and customizing a plan to begin this process Compl. Ex. 9, p. 3 | ¶59 | col. 1:45-56 |
| detect a network-provisioning state change, | The device detects a change in its provisioning state, such as when a user switches from a physical SIM to an eSIM or receives a notification that a new cellular plan is ready to be installed. | ¶59 | col. 2:24-30 |
| and based on the detected network-provisioning state change, automatically determine that the particular credential does not match the target credential, initiate a programming session with a network element..., obtain an updated credential from the network element, and assist in storing, in memory, the updated credential as the particular credential. | Upon detecting the state change (e.g., receiving the "Spectrum Cellular Plan Ready to be Installed" notification), the device automatically initiates a session with the network to download and install the new eSIM profile, which contains the updated credential, and stores it in secure memory Compl. Ex. 9, p. 8 | ¶59 | col. 2:31-40 |
Identified Points of Contention
- Scope Questions: A central issue may be the construction of "automatically determine." Defendants may argue that the process is not "automatic" because it requires user interaction, such as tapping a "Get Started" button or a notification to install the plan, as shown in the complaint's own evidence Compl. Ex. 9, p. 8 Plaintiff may counter that "automatically" refers to the device handling the underlying technical steps without further user input once the process is initiated.
- Technical Questions: The specific event that constitutes the "network-provisioning state change" will likely be a key factual dispute. Plaintiff may argue it is the arrival of a new profile or a loss of service with an old SIM, while Defendants may argue the process is entirely user-driven, raising a question of whether the device itself "detects" a change or simply responds to user commands.
V. Key Claim Terms for Construction
For U.S. Patent No. 8,639,935
- The Term: "device agent"
- Context and Importance: The claim requires the encrypted message to include an identifier for a "particular device agent" out of "two or more device agents." The definition of this term is critical because the accused functionality involves the GSMA-defined Local Profile Assistant (LPA), which interacts with profiles on an embedded Universal Integrated Circuit Card (eUICC). The court's interpretation will determine whether these standardized software components qualify as the claimed "device agents."
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The specification describes agents as "program/functional elements" that can perform a wide variety of functions, including service measurements, policy control, and service usage reporting '935 Patent, col. 39:1-30 This broad functional description may support construing the term to cover software components like the LPA and eUICC profiles.
- Evidence for a Narrower Interpretation: The patent's detailed figures show "agents" as distinct software blocks within a "Service Processor" architecture, such as a "Policy Control Agent" and "Billing Agent" '935 Patent, Fig. 16 Defendants may argue this implies a specific, proprietary architecture rather than the standardized components of the GSMA eSIM ecosystem.
For U.S. Patent No. 9,609,510
- The Term: "network-provisioning state change"
- Context and Importance: This "change" is the legally operative event that triggers the claimed "automatic" determination and programming session. Whether the accused device functionality-typically initiated by a user affirmative action-meets this limitation will be a core issue. Practitioners may focus on this term because its definition dictates the required level of device autonomy for infringement.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The patent describes a use case where a user who has been "denied access to the wireless network" then has their device initiate reprogramming '510 Patent, col. 10:9-14 This suggests that a "state change" could be as straightforward as a failed network authentication attempt.
- Evidence for a Narrower Interpretation: The claim links the "state change" to the device's ability to "automatically determine that the particular credential does not match the target credential." This may suggest the state change must be an event that makes the credential mismatch objectively determinable by the device, rather than merely being the user's decision to activate a new plan.
VI. Other Allegations
Indirect Infringement
The complaint alleges that Defendants induce infringement by providing customers with eSIM-enabled devices and instructions on how to activate and use them, which allegedly causes the customers' devices to perform the patented methods (Compl. ¶46, Compl. ¶49; Compl. ¶¶58, Compl. ¶61).
Willful Infringement
Willfulness is alleged based on both pre- and post-suit knowledge. The complaint asserts pre-suit knowledge on the grounds that software licensed by an entity related to the inventor ("ItsOn software") contained patent marking notices listing some of the asserted patents, and that patents assigned to Defendants cite family members of the asserted patents Compl. ¶48 Compl. ¶72 Compl. ¶84 Post-suit knowledge is alleged based on the filing and service of the complaint itself Compl. ¶48
VII. Analyst's Conclusion: Key Questions for the Case
- Definitional Scope: A core issue will be one of definitional scope: can terms rooted in the patents' specific architectures, such as "service control link" and "device agent," be construed to cover the standardized, multi-party components and protocols of the GSMA eSIM ecosystem, such as the SM-DP+ and the device's LPA?
- Automation vs. User Action: A key question of claim interpretation will be the degree of autonomy required by terms like "automatically determine." The case may turn on whether these terms can read on a process that, while technically automated in its backend steps, is fundamentally initiated and advanced by explicit user actions, as is typical in the accused eSIM activation process.
- System Infringement: An evidentiary question will be whether Plaintiff can demonstrate that a single cognizable entity-either a singular "network system" or a single "wireless device"-performs all steps of any given asserted claim. Defendants may argue that the required steps are split across distinct and independent entities (the user, the device OEM, the MVNO, and the underlying network operator), thereby defeating a claim of direct infringement.