IBM Wants Patent For Regex SSN Validation

theodp writes "What do you get when you combine IBM contributors with the Dojo Foundation? A patent for Real-Time Validation of Text Input Fields Using Regular Expression Evaluation During Text Entry, assuming the newly-disclosed Big Blue patent application passes muster with the USPTO. IBM explains that the invention of four IBMers addresses a 'persistent problem that plagues Web form fields' — e.g., 'a social security number can be entered with or without dashes.' A non-legalese description of IBM's patent-pending invention can be found in The Official Dojo Documentation. While IBM has formed a Strategic Partnership With the Dojo Foundation which may protect one from a patent infringement lawsuit over validating phone numbers, concerns have been voiced over an exception clause in IBM's open source pledge."

Prior Art so Prior It Hurts

[eldavojohn]

Application Patent Date: November 20, 2007
Online Prior Art at the Regex Library from 2004:

^(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$

Put that into your favorite Javascript regular expression object and write a stupid onChange reference to it in your HTML and ... tada! Too complicated? Here's some more prior art. Or here. A little bit of Googling must be too much for the USPTO.

Are we suddenly shocked to discover one line of code can be patented when a whole mess of code can be patented?

Re:Prior Art so Prior It Hurts

[Rei]

The amazing part is that IBM is wasting this kind of money applying for a patent that has no chance of standing up in court, if they're even dumb enough to grant it in the first place. I'm in the process of applying for a software patent myself (I know, summon the chorus of boos; but having it could be the difference between being able to raise VC and not being able to raise VC for my starting business; loans, too, are often secured against your IP). These things don't come cheap -- mostly in terms of legal costs. As in a $5k retainer, $5-10k total for a single patent, more if it takes multiple patents to ensure sufficient protection, and if you want international protection, it can go up to $100k or so. Also, from discussions with my attorney, it's really hard to get away with the "bloody obvious" software patents anymore after all of the blowback from things like the Amazon 1-click patent.

I'm surprised they'd waste the money trying. Perhaps their legal department didn't have enough work to do but they didn't want to cut staff.

Re:Prior Art so Prior It Hurts

[EvanED]

I'm in the process of applying for a software patent myself (I know, summon the chorus of boos; but having it could be the difference between being able to raise VC and not being able to raise VC for my starting business; loans, too, are often secured against your IP). These things don't come cheap -- mostly in terms of legal costs. As in a $5k retainer, $5-10k total for a single patent, more if it takes multiple patents to ensure sufficient protection, and if you want international protection, it can go up to $100k or so.

IBM has staff lawyers; they aren't paying standard retainer fees like you are.

Re:Prior Art so Prior It Hurts

[JWSmythe]

    It's not trivial, but not impossible.

    The first 3 digits are the area (state) code.

    The next 2 digits are the group.

    The last 4 digits are the serial number.

    There is no check digit, so no further math is required to validate it.

    State codes are listed here http://www.socialsecurity.gov/employer/stateweb.htm

    The highest issued group as of May 01 2009 is listed here: http://www.socialsecurity.gov/employer/ssns/highgroup.txt

    You can pull the high group file back to November 2003 from the SSA site here: http://www.socialsecurity.gov/employer/ssnvhighgroup.htm

    The group numbers are used out of order for "administrative" reasons.

    The groups are assigned as:

    ODD 01 -> 09
    EVEN 10 -> 98
    EVEN 02 -> 08
    ODD 11 -> 99

    Area 000 is never issued.
    Group 00 is never issued.
    Serial 0000 is never issued.

    The Area (state) code is based on where the card is issued, not where the person was born. If you were born in NYC, but your number was issued in California, you would have a California area (state) code.

    Now, the SSN is generally requested by the hospital, so if you have a baby born in the US, part of the stack of paperwork includes the SSN request form. In those cases, obviously the birth state and SSN state should match, unless for some odd reason the request is sent to another state.

    When I was born, there was no requirement to get a SSN issued immediately, and my family moved when I was 5, so my SSN was issued by the second state.

    The logic to test if a SSN has been issued is pretty easy with a couple tables in a DB, or a whole lot of hard coded crud that has to be updated monthly.

Re:Prior Art so Prior It Hurts

[Chandon+Seldon]

If it gets granted, how much lawyer time will it take to get overturned later?

This is a setup for a denial of service attack on the budgets / legal resources of smaller companies in future legal engagements.

Re:Prior Art so Prior It Hurts

[Zordak]

If you trace the history of software patents

This is the trap lots of people fall into when discussing software patents. They see obvious software patents and use those as an argument against all software patents. I have seen reasonable and logical arguments both for and against software patents as a class. But obviousness is not one of them. KSR was not about software patents. It was about a brake pedal. The point of KSR was to strengthen the obviousness standard overall. I happen to agree with the conclusion (and that's certainly not herd mentality---most patent attorneys are very critical of KSR). But it has no bearing on whether software is patentable subject matter. If you think software patents should be categorically prohibited, you can have that opinion. Just find a different reason. On the other hand, if your problem with Amazon 1-click is that it was obvious, then your problem is with section 103, not section 101.

Care to provide some evidence to backup your claim that the USPTO went through all the work to find the prior art and research your invention only to fall short on the analysis and do a knee jerk rejection?

Ah, young grasshopper, if only you knew. I see lazy, sloppy rejections on an almost daily basis. But no, you're not going to see me specifically criticize a sitting examiner on a public message board. I'll complain about the way the place is run, but the examiner I criticize today may be the one I have to ask for a notice of allowance tomorrow (to any examiner who may be reading this: you, obviously, are one of those diamonds in the rough who issues only clear, well-reasoned office actions). And to be fair, if you ask an examiner, he'll probably tell you that he sees lazy, sloppy responses from attorneys on an almost daily basis.

The real problem is the fact that the examiners are evaluated on a stupid "count" system that encourages them to breeze through an office action without taking the time to understand the application or the prior art. So he reads the claims, pulls out a couple of key words, searches his patent database, finds a couple of references that look promising, and shoots off a quick 103 (obviousness) rejection. And then he ticks one off his list and breathes a sigh of relief, because the application is somebody else's problem now. Ironically, this system of over-burdened examiners is just as bad for those who aren't a fan of patents. With so little time, it's hard for the examiner to find and understand the best art. So he just tosses out whatever looks good and leaves it on the attorney to convince him. This means that often the examiner and the attorney are arguing about junk that doesn't even matter, while real, relevant art is sitting out there unexamined. Believe me, I would LOVE it if I could count on the examiners to understand what's going on with the application and find the very best art. That would mean that whatever claims got allowed would be very nearly bullet-proof in court.

Real time is the key claim

[wiredlogic]

The first claim mentions the real time nature of the validation. The example regexes are for validating a completed string. This is still silly and obvious but you may have a harder time finding specific prior art for this case.

Re:Real time is the key claim

[radtea]

I assume that most Javascript validation waits until all of the text has been entered.

Your assumption is false. It's called an OnChange event: http://www.w3schools.com/jsref/jsref_onchange.asp

I am not a "Web programmer" but anyone with even a passing familiarity with JavaScript has seen this.

The first claim in the patent is: "1. A system for providing real-time validation of text input fields in a Web page comprising:a validation-enhanced text input element configured to contain an attribute for a validation expression for a text field in a rendered Web page, wherein the validation-enhanced text input element is contained within a source code document corresponding to the rendered Web page; andan input text validator configured to validate a user-entered character of the text field against the validation expression in real-time and visually indicate invalid user-entered characters."

So these losers have filed a patent application in which the first claim is exactly nothing but a completely standard bit of JavaScript code. People have been doing this kind of real-time validation and response for years and years and years. JavaScript is designed to do it.

This is by far the most egregiously stupid patent application we have seen on /. in a long time.

Why IBM is doing this is a complete mystery, although "never assume venality where stupidity will do" comes forcibly to mind.

Re:Real time is the key claim

[bluej100]

True, but onkeypress works.

Awesome

[Trails]

I'd like to assert that I've personally written prior art.

Not just regex, but real-time regex.

If you read the patent application, they aren't patenting just validation of a text field. They are patenting the idea of validating a string, one character at a time, as it is entered by the user. As the string is entered, when invalid characters are found using regex, a "visual change" is made to the input to let the user know they made a mistake.

An example they give is that in an email input field, as soon as the user enters a comma, the comma would change colors.

It's still not groundbreaking, but it's not quite as trivial as it sounds.

Have you read the patent application?

[dzfoo]

You didn't read the patent application, did you?

They are not patenting a regular expression to validate social-security numbers, they are patenting an entire validation system for web application, in which there is an API for a developer to specify a regular expression, and the framework will then validate the user input in real-time, while the front-end highlights the specific characters that caused the failure. The particular problem they are trying to solve is the user confusion when they submit a form which tells them that a field was rejected without telling them what's wrong with the input.

This is not to say that there isn't prior art for that, but as you can see it is much more than just a patent on a simple reg-exp pattern.

        -dZ.

Slashdot true to form

[thethibs]

Wow! All this steam and no one read the patent. It's been a while since the Slashdotter stereotype was so well validated.

The patent is for incremental validation as the characters come in. The text input widget is primed with the regex and validates each character as it is keyed, and reacts immediately if it gets an invalid-in-context character. The effect is that it's not possible to enter an invalid string.

Whether you think this is novel or not, it's not ordinary.

Re:Slashdot true to form

[CorporateSuit]

Whether you think this is novel or not, it's not ordinary.

One of the first forms I programmed for a commercial company would delete non-numeric characters and commas onKeyUp. It's extremely ordinary, and the practice is probably a day younger than javascript.

Re:Slashdot true to form

good grief! I wrote code that validated input as each character was entered back in 1981 as part of my very first programming job.

Re:Slashdot true to form

[radtea]

Whether you think this is novel or not, it's not ordinary.

Handling a JavaScript OnChange event is not ordinary? What about a button click event?

Can I patent "1. A system for providing real-time information in a Web page comprising:a retrieval-enhanced button input element configured to contain an attribute for a retrieval expression for a button in a rendered Web page, wherein the retrieval-enhanced button input element is contained within a source code document corresponding to the rendered Web page; and an document retriever configured to retrieve a document real-time and visually display it."?

Also known as "a help button".

My fanciful claim above is a minuscule edit to the first claim in this idiotic application. If you can patent OnChange event handling for realtime validation (that being one of the purposes for which the event was added to the standard!) you can certainly patent any specific use of button handling. Closing a window, opening a window, displaying a document, changing a background colour... any specific use that is "non-obvious" to someone completely ignorant of software development.

Re:More to it than that.

[QuoteMstr]

Strictly speaking, it does, but it might be large. As a quick and dirty test, here's the result of evaluating (regexp-opt (loop for x from 0 to 700 collect (format "%d" x )) nil) in Emacs:

"1\\(?:0[0-9]\\|1[0-9]\\|2[0-9]\\|3[0-9]\\|4[0-9]\\|5[0-9]\\|6[0-9]\\|7[0-9]\\|8[0-9]\\|9[0-9]\\|[0-9]\\)\\|2\\(?:0[0-9]\\|1[0-9]\\|2[0-9]\\|3[0-9]\\|4[0-9]\\|5[0-9]\\|6[0-9]\\|7[0-9]\\|8[0-9]\\|9[0-9]\\|[0-9]\\)\\|3\\(?:0[0-9]\\|1[0-9]\\|2[0-9]\\|3[0-9]\\|4[0-9]\\|5[0-9]\\|6[0-9]\\|7[0-9]\\|8[0-9]\\|9[0-9]\\|[0-9]\\)\\|4\\(?:0[0-9]\\|1[0-9]\\|2[0-9]\\|3[0-9]\\|4[0-9]\\|5[0-9]\\|6[0-9]\\|7[0-9]\\|8[0-9]\\|9[0-9]\\|[0-9]\\)\\|5\\(?:0[0-9]\\|1[0-9]\\|2[0-9]\\|3[0-9]\\|4[0-9]\\|5[0-9]\\|6[0-9]\\|7[0-9]\\|8[0-9]\\|9[0-9]\\|[0-9]\\)\\|6\\(?:0[0-9]\\|1[0-9]\\|2[0-9]\\|3[0-9]\\|4[0-9]\\|5[0-9]\\|6[0-9]\\|7[0-9]\\|8[0-9]\\|9[0-9]\\|[0-9]\\)\\|7\\(?:00\\|[0-9]\\)\\|8[0-9]\\|9[0-9]\\|[0-9]"

What regular expressions can't do is match strings that aren't described by a regular language. Roughly speaking, if what you're trying to match has a maximum length, you can match it with a regular expression. (For a more formal description, see the Pumping Lemma.)

Highlighting invalid characters inside text field

[nkovacs]

I disagree philosophically with our current legal system allowing software patents. However it never ceases to amaze me how the internets take a patent, don't read it or understand it and then complain about things that don't even make sense in regards to the patent in question.

If you read the actual patent, it is talking about validating the text input as the characters are being typed in and highlighting the specific characters that don't match the regular expression. For example if you type in a SSN as: 1112-113-1111, then the 2 and 3 within the text field would be highlighted (e.g. highlighted red) as not matching the regular expression for a SSN. I think the key is that the error highlighting is done inside the text field. The highlighting of the text wouldn't occur until some timer expired (e.g. 200 ms without any new typing). This makes it so that the error highlights don't show up as you are typing but as soon as you stop. This is definitely more novel than the comments on this article make it out to be.

Should this or other software algorithms be patentable? No. However companies like IBM are forced to patent because if they don't then other patent troll companies sue them and win because they have trouble proving prior art. It is not illogical for companies like IBM to simultaneously pursue patent reform and continue to patent as much as possible under the current legislation. This is just taking advantage of the broken system while talking about how broken it is.