In the high court of justice chancery division patents court

Download 110.42 Kb.
Size110.42 Kb.
  1   2   3

Neutral Citation Number: [2009] EWHC 418 (Pat)

Case No: HC 2006 C02649



Royal Courts of Justice

Strand, London, WC2A 2LL
Date: 11/03/2009
Before :

- - - - - - - - - - - - - - - - - - - - -

Between :



- and -








- - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - -
Martin Howe QC and Henry Ward (instructed by Charles Russell LLP) for the Claimant

Alastair Wilson QC and Simon Malynicz (instructed by Edwin Coe LLP) for the Defendants
Hearing dates: February 11th-13th, 16th-18th and 20th, 2009

- - - - - - - - - - - - - - - - - - - - -

Approved Judgment

I direct that pursuant to CPR PD 39A para 6.1 no official shorthand note shall be taken of this Judgment and that copies of this version as handed down may be treated as authentic.


Mr Justice Floyd:


1.The Global System for Mobile Communications (GSM) was intended to increase the security of mobile phone communications from unauthorised tracking of users and tapping of their conversations. Law enforcement authorities may nevertheless wish to break through the security thus provided in order to track the movement of telephones and their owners. This case is about a patent for a method of breaking through the GSM security so that the identification numbers of a mobile telephone and its user can be obtained.

The Parties

2.The claimant, MMI Research Limited (“MMI”), is a co-owner with the fifth defendant, Rohde & Schwarz GmbH & Co. KG (“R&S”), of European Patent (UK) No. 1 051 053 (“the Patent”). R&S, a German company and the original patentee, has taken no active part in the proceedings beyond giving disclosure of documents. It is a party because section 66(2) of the Patents Act 1977 requires it to be one.

3.In 2004 R&S deployed the Patent to sue MMI in Germany in respect of MMI’s product. MMI contended that the Patent was invalid, relying, amongst other things, on R&S’s prior sales. The proceedings between R&S and MMI were settled in October 2005, whereupon MMI entered into a co-ownership agreement with R&S. In the present proceedings, MMI contend that the Patent is valid and sue CellXion for infringement.

4.The first defendant, CellXion Limited (“CellXion”), sells a product called variously the DX918 or GX918 which is alleged to infringe the Patent. The second defendant, CellXion Networks LLC (“CellXion US”), is the CellXion company which operates in the United States.

5.The third defendant, Mark Brumpton, owns 100% of CellXion US and (with his wife) 100% of CellXion. He is a director of both companies. The sixth defendant, Anthony Timson is a consultant to CellXion and CellXion US. Both Mr Brumpton and Mr Timson are former employees of MMI. Mr Timson was also a director and shareholder of MMI. Both Messrs. Brumpton and Timson left MMI at the end of 2003. Mr Timson is not a director or shareholder of, but is a paid consultant to, CellXion. There is an issue about whether Mr Timson is personally liable for the acts of the CellXion companies.

6.The fourth defendant, Datong Electronics plc (“Datong”), is a distributor of the products of CellXion and CellXion US in the United Kingdom, including the alleged infringing products.

7.I will refer to the defendants (other than the fifth defendant) together as “CellXion” except when it is necessary to distinguish between them. Mr Alastair Wilson QC appeared for CellXion with Mr Simon Malynicz; Mr Martin Howe QC appeared for MMI with Mr Henry Ward.

The Patent in suit

8.The Patent is entitled “Method for identifying a mobile phone user or for eavesdropping on outgoing calls”. It has a priority date of 3rd May 1999.

9.The text of the Patent is in the German language. The trial has been conducted on the basis of an English translation, and page references in this judgment are to that translation.

10.At page 1 lines 6 to 12 the specification says the following:

"In the case of modern public digital cellular mobile telephony networks, there is frequently a need, in the public interest, to identify the user of a mobile telephone by ascertaining his/her IMSI (International Mobile Subscriber Identity) or the IMEI (International Mobile Station Equipment Identity) of the mobile telephone used by him/her, or even to intercept the calls of that user."

11.Having discussed a number of items of prior art not relied on in this action, at page 3 lines 1 to 6, the specification explains the object of the invention in the following terms:

"It is therefore the object of the invention to make available to the thus authorised public services such as, for example, the police, a method by which, in a digital cellular mobile telephony network, any users of mobile telephones can be identified..."

12.The specification goes on to explain at page 4 lines 11 onwards that, in order to capture the IMSI and IMEI, a virtual base station [VBTS] is used. The virtual base station is said to be, preferably, a mobile device constructed like an ordinary network base station. The virtual base station is connected to a test mobile telephone [TMS]. The virtual base station is set up as spatially close as possible to the target mobile telephone [MS], so that approximately the same cellular environment prevails in respect of the virtual base station as for the target mobile.

13.A mobile phone network provides all mobiles with a BA list. The BA list is a list of all the base stations operated in the vicinity of the mobile, together with the associated channel information. The test mobile phone is used to obtain the BA list prevailing in the area where the target mobile is situated. The virtual base station then selects a base station from the BA list obtained for it by the test mobile. The virtual base station now has the information it needs in order to "pretend" that it is a neighbouring base station to the target mobile and can broadcast on an appropriate channel.

14.The virtual base station needs, however, not only to pretend to be a base station, but also to cause the target mobile to attach to it, rather than to any of the other base stations on the target mobile’s BA list. At page 5 lines 24 to 29, the specification says this:

"The [transmission] power of the VBTS received at the location of the MS must be greater than that of the base station [to which the target mobile is attached], in order to fulfil the radio criterion C1 for a cell reselection. This is achieved through appropriate transmission power of the VBTS and/or through spatial proximity of the VBTS to the MS to be identified.”

15.The next step is to cause the mobile to give up its IMSI and IMEI numbers. As explained at page 6 line 1 onwards, in the GSM network, groups of spatially adjacent base stations are combined by the network operator into groups identified by local area code, or LAC. When a mobile telephone moves into a new group identified by a new LAC, it has to re-inscribe itself onto the network. In the method according to the invention, although the virtual base station may be in the same LAC as the target mobile, it transmits a different (“out-of-area”) LAC, in order to persuade the mobile that it has moved to a different group of cells (when in fact it has not). As the specification explains at page 6 line 13:

“This has the result that, upon the inscription in the VBTS of the MS which is to be identified, the MS also actually transmits its relevant parameters such as IMSI, IMEI and such identifications to the VBTS, which can then be appropriately evaluated in the latter.”

16.Only claim 1 is relevant. Claim 4 is also alleged to be infringed and relates to tapping of conversations, but it is accepted not to be independently valid. Claim 1 is in the following form:

"Method for identifying a mobile telephone (MS) in a public digital cellular mobile telephony network,

a virtual base station (VBTS) with a test mobile telephone (TMS) connected thereto being operated in spatial proximity to the mobile telephone (MS),

the network base station (BTS1), assigned to the selected location, having the highest power being used to ascertain, through a cell monitoring by means of the test mobile telephone (TMS), the list (BA) of all base stations adjacent to the location,

there being selected therefrom a base station (BTS2), which is adjacent to the base station (BTS1) of highest power assigned to the selected location,

and the virtual base station (VBTS) being then operated on its channel frequency (BCCH) with a power which, at the mobile telephone (MS), is greater than that of the network base station (BTS1) associated with the location,

and with an area code which differs from the area code (LAC) associated with the location,

and the mobile telephone (MS) being thereby caused to reselect to the virtual base station (VBTS) and exchange its parameters (IMSI, IMEI) with the latter.”

The witnesses

17.MMI called a number of factual witnesses, and an expert. With the exception of Mr Stokes (dealt with below) the factual witnesses gave their evidence fairly. For some reason MMI adduced a lengthy witness statement of Mr Slatter which traversed previous litigation between the parties which had been settled. It was said to go to Mr Timson’s credibility: but in the end no real attack on his credibility was made. It should not have been prepared, let alone adduced. Patent litigation is complex and costly enough as it is.

18.MMI’s expert, Dr Maile is a qualified engineer who has acted as a consultant to numerous telecommunications operators. He was directly involved in looking at the potential for GSM interception from 1995 to 1998 as a consultant to a network operator.

19.CellXion also called factual witnesses and an expert. All their witnesses, including Mr Timson and Mr Brumpton, gave their evidence fairly. Their expert was Mr Mark Anderson, a software engineer with practical GSM experience. From 1998 to 2000 he worked as a senior member of one of the software development teams at Nokia.

20.Both sides also called witnesses with practical experience of the use of the devices in question. MMI called Mr Kenneth McDonald and CellXion called Mr Jack Crosley. Their evidence may have at times crossed the boundary into expert evidence, but neither side took objection to this. I found their evidence helpful as well.

The person skilled in the art

21.The Patent is addressed to an engineer with the hardware and software skills necessary to build and operate a virtual base station for collecting the IMSIs and IMEIs of mobile telephones within its footprint. In practice this would be a GSM engineer concerned with the security aspects of the GSM system.

22.Mr Wilson submitted that the skilled person would be someone familiar with “Mobility Management”. Whilst I accept that the skilled person would be familiar with the basic technology which allows a mobile phone to roam in a network, there is a danger in supposing that the skilled person has too close a focus on mobility management, which is not really what the Patent is concerned with.

The common general knowledge

23.All of the following would be part of the common general knowledge of the skilled person.


24.An important feature of GSM is the subscriber identity module or SIM. The SIM is a smart card which stores data personal to the subscriber, including a unique International Mobile Subscriber Identity or IMSI. GSM also provides that each handset is separately identified by a unique number, called the International Mobile Equipment Identity or IMEI.

Network security

25.Prior to the advent of GSM, mobile telephone networks could be easily tapped simply by listening on the correct frequency. In these prior analogue systems, as soon as a mobile telephone was used to make a call, it could be intercepted by any listening device which was in range. These devices were passive, depending as they did on intercepting an outgoing call from the mobile.

26.GSM set out to provide a greater measure of security both to network providers and to subscribers: the former because they wished to be protected against the misuse of subscriber data so as to make free calls; the latter because they wished to ensure that their conversations and data transmissions were private.

27.GSM introduced two major changes to assist with security. The first was the introduction of the Temporary Mobile Subscriber Identity or TMSI. The TMSI is supplied by the network and is used, once the phone is logged on to the network, for all communications thereafter with the network. The TMSI changes regularly (unlike the IMSI which does not change), so it is of limited use to anyone seeking to misuse it. The second security feature introduced by GSM was encryption. In the course of ordinary communication, if encryption is enabled, all voice and data traffic is encrypted. For practical purposes in 1999 this meant that it was impossible to listen to a call by decrypting the signal. Not all networks use encryption. Where encryption is used, the network is able to turn encryption off.

Location updates

28.When a mobile telephone is in idle mode it will perform periodic location updates by communicating with the network. In order to save battery, these updates are relatively infrequent. The frequency will vary between networks, from as little as 6 minutes to as much as 180 minutes or even 240 minutes. Although called a location “update”, a phone which has not moved between updates will obviously be returning the same location information each time it reports.

29.The mobile phone must also perform a location update when it enters a new location area. A location area is a group of base stations, sharing a location area code or LAC. The mobile phone does not perform a location update when it merely changes base stations within a location area. Thus the network will know which location area a phone is in, but not which base station in the area it is camped to.

30.Finally a location update is performed when the mobile phone is switched on, provided that the network requires it to do so by setting a flag (ATT).

31.When the location update is performed in this way, the mobile uses its TMSI and not its IMSI. The base station can then perform an identification request and obtain the IMSI. It can also turn off the encryption.

32.However, when switched on and in idle mode, the mobile phone only performs a location update on the periodic basis or when moving from one location area to another.

The BA List and Roaming

33.In order to have access to a network, the caller’s IMSI must be registered on that network. Some networks also require the phone to give its IMEI: this can be used as a means of preventing that phone from being used on other networks.

34.All mobiles which are camped on a particular base station will receive from that base station the Broadcast Control Channel (BCCH). One of the pieces of information broadcast on that channel is the BA (BCCH Allocation) List. This is a list of a number of neighbouring base stations which the network designer considers appropriate and which the mobile might encounter as it proceeds to move through the network. The BA List gives the channel number of the neighbouring stations included on it. If a channel is not on the BA list, the mobile phone will not listen to radio transmissions on it.

35.The mobile constantly scans the frequencies of the base stations on the BA list for the purpose of selecting, on the basis of the C1 parameter, the most powerful base stations. The C1 parameter is based on the actual received power.

36.The six most powerful stations based on the C1 parameter are then examined by the mobile phone to determine, using the C2 parameter, whether they are more attractive as base stations. The C2 parameter not only takes account of actual power, but also of an offset called the Cell Reselection Offset or CRO. The CRO boosts the apparent power of the base station (but not the real power). This is done, for example, when it is desired to cause all phones in a particular area to camp on to a temporary base station, such as one erected at a pop concert or sporting event. If a base station is found to be more attractive, the mobile will reselect to that base station. Once camped to the new base station, the mobile phone will take a new BA List from that base station and discard the old one.

Mobile phone test systems

37.Systems engineers would be familiar with test equipment for mobile telephones and base stations. Such test equipment is capable of simulating a base station with a very small footprint, and can be used to check the operation of mobile phones. Normally such a test equipment would transmit at very low power to mobiles situated on the test bench in close proximity to it.

38.Test equipment of this kind includes settable parameters, including Mobile Country Code, Mobile Network Code and Local Area Code. The effect of changing any of these parameters on a test equipment of this kind would be to cause a location update procedure in the mobiles within its range.

39.An example of a test equipment of this kind was the Agilent 8922 marketed by Hewlett Packard. Rohde & Schwarz marketed comparable machines before the priority date called the CMD 52 and CMD 55. They also sold a device called the CTD go/no go tester. All these devices can be used to obtain the IMSI from the mobile under test by performing a location update procedure.

Was an IMSI catcher possible with GSM?

40.It is common ground that there was a natural desire, of which the skilled team would be aware, for a device capable of catching IMSIs in 1999. There was, however, a widely held belief that GSM security was unbreakable, and that accordingly tapping of conversations and the obtaining of identities would be very difficult or impossible. The perceived difficulty was created by the fact that the procedures which had been possible in analogue were prevented by the fact that GSM was (a) almost always protected by the use of the TMSI and (b) encrypted.

41.Mr Shivtiel, an engineer who worked for Datong in the relevant time period gave evidence about this:

“Well, I have to say, at the time, you know, the analogue method was easy. There was not much to it because you could use a scanner and listen in to cell phones on the analogue side. It was the fact they said it was GSM that I did not believe they could do it, because there were a lot of people at the time who were saying they could do it and nobody had actually proved it and, of course, the obvious way to prove it is prove it on a cell phone that you do not have anything to do with.

Q. So your perception at the time, though we do not know the exact date, was that it was a very difficult task to achieve?

A. Correct, yes.”

42.Mr Shivtiel also said:

“I knew at the time, you know, I have got to say it was definitely something that was considered to be very difficult to do because there was no physical way of matching the phone -- you know, the actual phone handset -- to the actual thing you were listening to. And then there was also talk about encryption and you had to manage to decrypt it and to decrypt it in real time off air was something that was going to be quite difficult to do because you would have to have an understanding of where the cell phone was in comparison. Those were the things that, as I recall, at the time I would have known.”

43. Mr Timson confirmed the perceived difficulty in cross-examination:

“Q. It was the perception, was it not, in 1998 that cracking GSM, even to the point of getting identities, getting IMSIs, was a very difficult task?

A. That is a fair statement, yes.”

44.Mr Timson later explained that he was surprised at how easy it had been for him, whilst working at MMI, to achieve a device which obtained the IMSI. He said that:

“the opportunity was the difficult part actually understanding the opportunity rather than necessarily the technical side of it”.

45.Even Mr Anderson, CellXion’s expert said, in relation to the Dirk Fox citation:

“It may be that the most important part of this article, which really gives the whole game away, is its disclosure that there is a working device which is actually capable of recovering IMSI numbers. Without the benefit of this article it is possible that some people might have thought the task was impossible, because of the widespread confidence in the security of the GSM system.”

46.In my judgment the notion that the task was regarded as a difficult or impossible one would form part of the mental approach of the skilled team. That is not to say that, if faced with a disclosure of a device which claimed to catch the IMSI, the skilled person would not believe it. The perceived technical difficulty is, however, a factor when considering whether the invention is obvious from some of the starting points relied on here.


47.There was no dispute as to the approach to be taken to the construction of a patent specification. The task for the court is to determine what the person skilled in the art would have understood the patentee to have been using the language of the claim to mean: see Kirin Amgen v TKT [2005] RPC 9 [30]-[35].

virtual base station”

48.CellXion contended that the claim was limited to use of a base station built around test apparatus rather than a “real base station”. They contended that numerous things pointed towards this conclusion. Firstly they pointed to the absence of any discussion in the specification of the TMSI. Secondly they pointed to the fact that the specification did not refer to any positive steps to require the mobile to transmit its IMSI or IMEI. Thirdly they drew attention to the fact that the test machines of which evidence had been given appeared to operate by returning the IMSI in response to a LAC change, without the need for any intervention. Fourthly they point to the fact that the final words of the claim (“the mobile telephone being thereby caused to reselect”) suggest direct causation, which would be the case in the test machine, but not, so they contended, in a machine built around a real base station.

49.I reject these submissions. They involve reading into the claims a limitation which is not present. There is no difficulty with the term “virtual base station”. It is merely a false base station introduced into the network. There is no restriction in the claim to base stations built around test apparatus, or any basis for distinguishing these from any other type of false base station. The “thereby” clause at the end of the claim does not imply that no further step is necessary to cause the mobile to give up its IMSI or IMEI.

with a power which … is greater than that of the network base station”

50.There was, in the end, no issue as to the correct construction of this phrase. It means real power (as measured at the mobile telephone) as opposed to the power after taking into account CRO. Although there was plainly scope for an argument that, taking into account the technical purpose, the skilled person would understand power to include virtual power (i.e. power adjusted taking into account CRO), Mr Howe expressly disclaimed the latter construction as unnecessary.

in spatial proximity”

51.CellXion contends that this phrase is unclear. Two passages in the specification are relevant. First, at page 4 line 23:

“… the VBTS is set up as spatially close as possible to the mobile telephone MS, so that approximately the same cellular environment prevails in respect of the VBTS as for the MS to be identified, as represented schematically in Figure 1.”

Figure 1 shows the VBTS in a neighbouring cell to the target mobile.

52.Second, at page 5 lines 24-29:

"The [transmission] power of the VBTS received at the location of the MS must be greater than that of the base station BTS1, in order to fulfil the radio criterion C1 for a cell reselection. This is achieved through appropriate transmission power of the VBTS and/or through spatial proximity of the VBTS to the MS to be identified.”

53.It is possible that the most powerful network base station both at the virtual base station and at the mobile is the same (say BTS1). Where this is the case, the virtual base station will know that it must transmit at a greater power than BTS1. It is clear, however, that the Patent contemplates that the virtual base station may be in a different cellular environment from that of the mobile. If so, its BA list may not show BTS1 as the strongest: it may show a different base station (say BTS2) as the strongest. There is therefore no guarantee that, when the virtual base station transmits as, and with a power greater than, BTS2, it will be reselected by the mobile. Nevertheless, if it transmits on a frequency chosen from its BA list and does attract the mobile by using a power greater than BTS1, I see nothing to prevent the method falling within the claim.

54.CellXion’s real objection to this aspect of the claim is that it does not specify what degree of proximity is required. I think that all that is required is that the VBTS is sufficiently close that it can transmit with enough real power to be re-selected by the target mobile. If the claim were to be read as limited to the case where the virtual base station and target mobile were in an identical cellular environment, the claims would be inconsistent with the description and drawings.

55.CellXion did not suggest that, if I was able to reach a conclusion as to a meaning of the phrase, this point on construction would have any further significance to the issues in the case.

public network”

56.This question arises because an early demonstration of the CellXion system was performed on a private network. It is alleged that this constituted a use of the method of claim 1. The issue is of relatively minor significance in view of the other conclusions I have reached.

57.MMI submitted that the phrase extended to any public network, and any private network set up to function in the relevant respects like a public network. It submitted that the skilled reader would understand that the term “public” was being used in a technical rather than a legal sense. CellXion submitted that the method was only infringed when used on a public network, in the sense of a network to which the public at large can have access.

58.On balance I prefer MMI’s submissions. The underlying purpose of the method is the detection of IMSIs and IMEIs of telephones operating in a network consisting of a number of base stations. I cannot conceive of any reason why the skilled reader would understand that the patentee wished to exclude from its claim to networks which have all the technical features of the claim but which are not open to the public.

Download 110.42 Kb.

Share with your friends:
  1   2   3

The database is protected by copyright © 2022
send message

    Main page