Amazon Awarded Cookie Patent

theodp writes "On Tuesday, the USPTO granted Amazon.com a patent for the Use of browser cookies to store structured data, which covers the storing of data structures and non-character data within browser cookies. In a February SEC filing (pdf), Amazon reiterated that they expect that they may license certain patents to third parties in the future."

That's good news

I wanted to implement a cookie-driven Web site for a long time, but was clueless as for who I had to pay for using the technology.

Now I can finally download and install HTTP Cookie Library and send my license check to Amazon.

Patent the function of an object 'eh?

[endrek]

I think I'll go and patent a type of apple tree that grows apples.

CSV, etc?

[Joff_NZ]

wouldn't something like storing comma seperated values count as "structured"??

Re:CSV, etc?

[FFFish]

Better yet would be Python's pickle serialization library, which stores anything from strings to classes, all in printable ASCII... ie. a freakin' cookie.

Re:CSV, etc?

[Fweeky]

Even php's serialize() (also available for Ruby<plug>) does that; but this patent also talks about checksums, encryption, and back/forward compatability, so.. say.. like XML + schema + crypto of your choice.

TBH you can put anything you like in a cookie, binary or not; you just base64 encode it or so. After that, well, people have been making file formats like this for years, and Amazon get a patent just for putting one in a cookie? Lame.

Bogus, but specific

[spRed]

So the patent looks silly on the face, but the opening claims are easy to work around and make it hard for them to sue:

a method of incorporating at least one data structure from the database into a browser cookie to reduce accesses to the database

Okay, the stuff I'm storing in the cookie isn't the same as a structure in my database. FOAD. You think it is? I say it is half a structure from my database. Or one item from each of five structures in my database.

They could drown you in lawsuits, but they didn't need a patent to do that anyway.

Prior Art

I don't know man, Cheech and Chong have been putting some pretty wild shit in their cookies for decades!

Multiple reactions, pick the one you like.

[SmallFurryCreature]

• The optimist

  Geez again? TIMING you idiots April fool starts on the 1st of april. Not on 31st of march. Geez. Is it that hard to read a calendar? And a good april fools joke is funny because people are tricked into thinking something that clearly couldn't be true. USPTO passing a silly patent does not qualify.

• The evolutionist

  What kind of insect could possibly not see the bloody obviousness off this one. Use a cookie to store data. Well fucking duh. What next? Patent the use of an engine to power something? A trunk to carry luggage? A shovel to dig with? Outsourcing is bad enough but hiring lower lifeforms goes to far!

• The pessimist with a gun

  This story only goes to show patent reform is impossible. Nothing will help here anymore but the old "put them against the wall" at the revolution. Going to be really crowded too. What will all the lawyers, ceo's, outsources, alcohol free beer inventors and people who talk in caps on the web.

• The European

  Anyone else find it slightly odd that all the idiot patent stories come from america? Wonder why the USPTO is unable to hire any smart people. Is the USPTO banned from hiring non-americans?

Come on you weren't expecting any serious response were you? Feeble jokes for a feeble joke of an institution.

Give Amazon.com the finger

[kherr]

I worked at a company doing cutting-edge stuff and we were always looking for stuff to patent. Our intent was to create a defensive portfolio that would also look enticing to VCs. But we never, ever thought of pursuing patents on the patently obvious (pun intended).

One-click could be argued as a novel business practice. But crap like this is ridiculous. It's like the old joke of adding "with a computer" to anything and calling it novel. I've already moved to Powells for books, but I'll have to intensify my efforts to get others to stop shopping with Amazon.com.

Shot in the foot.

[Oncogene]

You know, the US Patent Office's website uses cookies that would violate this patent.

key value

[Visigothe]

ok, I am stating this up front. I didn't read the entire patent article. My apologies.

That said, isn't the idea of a cookie, in fact, a structure? In this case, a key/value pair??

So

[dtfinch]

Their method appears to be for storing a binary copy of the entire customer record, encoded (base64 or similar), encrypted, and checksummed, into a cookie. As prior-art as the title of the patent may appear, I haven't seen it done in exactly this fashion.

If you do it without encryption or without a checksum then you're probably not infringing. Same if you avoid binary encoding. If you save a textual representation of the record, and use a form of encryption that works on plain text, you can achieve the same effect without infringing.

And if someone tries to patent my idea, I'll make business very hard for them.

Re:So

[greppling]

If you do it without encryption or without a checksum then you're probably not infringing. Same if you avoid binary encoding.

That's not how I read the claims. The basic claims are 1, 10, 18, 26, 35, 40. Adding encryption or checksums to storing the data structures as cookies are covered by separate claims, always listed in addition to the basic claims.

The whole point of this patent is IMO what they call "schema data". By this they mean having a separate file that describes the data structure used in the cookies, so that the way the data structures can be changed without changing the code en/de-crypting the cookie. (Claim 1.) Unless someone is using such a metafile describing the data structure, and has written a generic cookie parser that is controlled by this metafile, I am pretty sure he will not be infringing the patent. This is, of course, not revolutionary, but it's definitely much better software design than the typical PHP/MySQL web site.

Adding versioning of the data structures is claim 7. Claim 26 is then about using this data to generate personalized web pages from the cookie data without any database lookups.

So, IMHO this patent isn't that silly. You most likely don't have to "work around" it just because you are storing some structured user data in cookies, it is to the contrary very unlikely that you are infringing it. Definitely, all posts here have missed the "schema data" aspect so far. Maybe there is prior art for this, but if there is, noone has pointed out any so far.

I think the only good reason to be against this patent is to be against software patents in general. Which I am, btw:)

Courts didn't like all of Morse's claims either

[pdcryan]

Morse (the telegraph guy) was awarded a patent claim for:

"electro magnetism, however developed for marking or printing intelligible characters, signs, or letters, at any distances."

Sound a little over-broad? The Supreme Court thought so too(1853). Broad claims get through the patent office sometimes. That's what courts are for. Will Amazon get some money out of this? Probably. Would I give them any money for it? No.

*WHY*?

[jonadab]

Isn't it considered to be better practice (in terms of security and privacy and
all that jazz) to only use the cookie as a unique ID, an index into your DB
table(s) containing all the other information? What is the advantage to
storing more stuff on the client side?

Cookie madness, anyone?

[Futurepower(R)]

I've often thought it would be interesting to write a program that caused stored cookies to be returned with with slight changes. You could load the program, browse Amazon, and see what happened.

They can store cookies if you allow them to store them. However, what you return is entirely your decision. It's your computer.

Re:Cookie madness, anyone?

[HalfFlat]

I'm wondering how it is faster to pull a cookie from the browser, compute its checksum, compair, if they match, decrypt, then decode. Surely that can't be faster than a properly cached local database query.

Given that the limiting resource is server resources as opposed to customer waiting time or network bandwidth, and given how much seriously faster CPU is over disk access, it looks like a win to me.

Once your data gets larger than 8k or so, you begin to seriously annoy people on modem connections, so I'm assuming the cookie is smaller than this. Checksumming and decrypting 8kbytes of data on a modern machine really ought to be very quick indeed. For order of magnitude estimates, I'd guess the process takes about 15 clock cycles per byte of cookie as an upper bound, coming to significantly less than a milisecond on a modern CPU. This is much less than the cost of a disk access.

I did this too

[samjam]

The second revision of the second generation of Ananova email alerts (anyone remember this?) had two such encrypted addresses, the From address and the Reply-To address, which included an encrypted checksummed version of the customers address-id and the story-id of the message that was sent.

This was so that we could tell in bounced OR replied messages which customer sent the message and for which story, and it would loosely authenticate the user for performing "safe" operations on their email alert account.

Around the same time we started using cookies to store the number of times users visited each section of the Ananova website for the last 7 days in which they visited the site at all. This was to give us a vague idea of where their interests lay but we never used this data, and it wasn't checksummed, but it was binary packed and then based 62 encoded (couldn't find 64 characters ALL of which would not be url encoded, wasting cookie space)

Plenty of other web based projects use encrypted password tokens to show a user has authenticated without having to store or repeatedy transmit the password in replay-able form over the web.

Sam

Re:Patent Everything!!

[jpop32]

I shall patent the method of respiration, and all shall pay me a $.07 license fee with every breath they take!!

Clever, but can be taken further. How about getting a patent on every move you make, every bond you break and every step you take?

Although, somehow I sense that there's a prior art somewhere...

Prior Art

[kerfuffle]

The main ingredients of this "patent" seem to be using a cookie for structured data to avoid DB overhead, with the inclusion of some internal "checksum/session" keys.

The HSBC Australia online trading platform publicly launched in Nov 1999 and implemented in Python, used cookies to pass serialised Python structures between client and server to avoid needless per request DB lookups (and to allow simple horizontal scaling, since instead of requiring a "session DB" one only required HTTP servers capable of decrypting the cookie data, i.e. the requests could go to any server). The serialised Python structures were strongly encrypted and contained internal session key info which was used to provide an additional check on the data consistency. This would appear to match exactly what this patent claims to be novel (it seemed pretty intuitive at the time). The system is still live, and the codebase is largely untouched. I would expect that a large amount of internal documentation exists on the history of this project (including at least one presentation to an Open Source conference).

What do I do if *I* made Prior Art?

[Hank+Reardon]

I know that I developed something to store data structures in Cookies prior to the filing date of January 31, 2000.

In the course of one of my contracts, I needed a nice way to impliment a next/previous page functionality without the use of a session table (long story as to why). I ended up using a cookie as a stack for that functionality.

The problem is that this code was written for a private, in-house data warehousing system, and I don't have the code.

Could I file a "friend of the court" or some other such brief on this matter describing how I implimented (for profit!) this technology before the patent date?