CNET también está disponible en español.

Ir a español

Don't show this again

Tech Industry

Is an unsecured FTP server publicly accessible?

A recent Federal Circuit case discusses the accessibility of FTP servers.

Unlike other areas of the law where doing something in public can land you in a lawsuit (or at least a courtroom with a nice, slightly used orange jumpsuit), sometimes in patent law doing things in public can get you out of a lawsuit.

When a company finds itself in court defending against a patent lawsuit, it will usually assert two major defenses. First, the company will say "I don't practice (or produce) what is claimed in this patent." Second, a defendant in a patent lawsuit will also attempt to "invalidate" the claims of the patent by showing that "prior art" described the claims in the patent prior to the application date of the patent. While this defense can take multiple forms (see, for example, 35 U.S.C. § 102), a defendant must often show that the prior art relied upon was in fact publicly known or publicly used. So now its time for a pop quiz--which one of three options would you consider not being "publicly accessible" for the purposes of United States patent law:

A: The use of a centrifuge in a secure laboratory at the National Institute for Health;

B: The posting of a paper on an unsecured FTP server; or

C: Indexing a dissertation in a paper file and placing it on a Germany.

Out of those three options, the U.S. Court of Appeals for the Federal Circuit has only questioned the public accessibility of an FTP server. In SRI, Intl. v. Internet Security Systems, Inc.the Federal Circuit held that:

"The FTP server directory structure (/pub/emerald/) of a well-known institution in the intrusion detection community and the acronym of "" might have hinted at the path to the Live Traffic paper; however, an unpublicized paper with an acronym file name posted on an FTP server resembles a poster at an unpublicized conference without a conference index of the location of the various poster presentations."

The emphasis of the analysis focused on the extent to which the public could search and navigate FTP servers. However, it seems to me that analogizing an FTP server to a poster at an unpublicized conference may not quite be the proper analogy to make, as is discussed in the dissent in the case:

"The evidence showed that: (1) the inventor publicized the FTP server to the cybersecurity community (hence the conference was publicized), and (2) the FTP server was widely known and frequently used in the cybersecurity community (there were lots of attendees), in direct contrast to an "unpublicized conference with no attendees."

Today, there are FTP search sites that function much like Internet search sites. And there is little doubt that a paper posted on the Internet using http qualifies as publicly accessible. In fact, the United States Patent Office has officially addressed Internet publications: "An electronic publication, including an online database or Internet publication, is considered to be a "printed publication" within the meaning of 35 U.S.C. 102(a) and (b) provided the publication was accessible to persons concerned with the art to which the document relates." (Manual of Patent Examination Procedure § 2128)

So it seems curious to me that posting a paper on an unprotected FTP site in 1997 would not qualify as per se publicly accessible. Just how publicly accessible/searchable/navigable were FTP sites in 1997?