IBM Wants Patent For Regex SSN Validation

theodp writes "What do you get when you combine IBM contributors with the Dojo Foundation? A patent for Real-Time Validation of Text Input Fields Using Regular Expression Evaluation During Text Entry, assuming the newly-disclosed Big Blue patent application passes muster with the USPTO. IBM explains that the invention of four IBMers addresses a 'persistent problem that plagues Web form fields' — e.g., 'a social security number can be entered with or without dashes.' A non-legalese description of IBM's patent-pending invention can be found in The Official Dojo Documentation. While IBM has formed a Strategic Partnership With the Dojo Foundation which may protect one from a patent infringement lawsuit over validating phone numbers, concerns have been voiced over an exception clause in IBM's open source pledge."

Prior Art so Prior It Hurts

[eldavojohn]

Application Patent Date: November 20, 2007
Online Prior Art at the Regex Library from 2004:

^(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$

Put that into your favorite Javascript regular expression object and write a stupid onChange reference to it in your HTML and ... tada! Too complicated? Here's some more prior art. Or here. A little bit of Googling must be too much for the USPTO.

Are we suddenly shocked to discover one line of code can be patented when a whole mess of code can be patented?

Re:Prior Art so Prior It Hurts

[Rei]

The amazing part is that IBM is wasting this kind of money applying for a patent that has no chance of standing up in court, if they're even dumb enough to grant it in the first place. I'm in the process of applying for a software patent myself (I know, summon the chorus of boos; but having it could be the difference between being able to raise VC and not being able to raise VC for my starting business; loans, too, are often secured against your IP). These things don't come cheap -- mostly in terms of legal costs. As in a $5k retainer, $5-10k total for a single patent, more if it takes multiple patents to ensure sufficient protection, and if you want international protection, it can go up to $100k or so. Also, from discussions with my attorney, it's really hard to get away with the "bloody obvious" software patents anymore after all of the blowback from things like the Amazon 1-click patent.

I'm surprised they'd waste the money trying. Perhaps their legal department didn't have enough work to do but they didn't want to cut staff.

Re:Prior Art so Prior It Hurts

[JWSmythe]

    It's not trivial, but not impossible.

    The first 3 digits are the area (state) code.

    The next 2 digits are the group.

    The last 4 digits are the serial number.

    There is no check digit, so no further math is required to validate it.

    State codes are listed here http://www.socialsecurity.gov/employer/stateweb.htm

    The highest issued group as of May 01 2009 is listed here: http://www.socialsecurity.gov/employer/ssns/highgroup.txt

    You can pull the high group file back to November 2003 from the SSA site here: http://www.socialsecurity.gov/employer/ssnvhighgroup.htm

    The group numbers are used out of order for "administrative" reasons.

    The groups are assigned as:

    ODD 01 -> 09
    EVEN 10 -> 98
    EVEN 02 -> 08
    ODD 11 -> 99

    Area 000 is never issued.
    Group 00 is never issued.
    Serial 0000 is never issued.

    The Area (state) code is based on where the card is issued, not where the person was born. If you were born in NYC, but your number was issued in California, you would have a California area (state) code.

    Now, the SSN is generally requested by the hospital, so if you have a baby born in the US, part of the stack of paperwork includes the SSN request form. In those cases, obviously the birth state and SSN state should match, unless for some odd reason the request is sent to another state.

    When I was born, there was no requirement to get a SSN issued immediately, and my family moved when I was 5, so my SSN was issued by the second state.

    The logic to test if a SSN has been issued is pretty easy with a couple tables in a DB, or a whole lot of hard coded crud that has to be updated monthly.

Have you read the patent application?

[dzfoo]

You didn't read the patent application, did you?

They are not patenting a regular expression to validate social-security numbers, they are patenting an entire validation system for web application, in which there is an API for a developer to specify a regular expression, and the framework will then validate the user input in real-time, while the front-end highlights the specific characters that caused the failure. The particular problem they are trying to solve is the user confusion when they submit a form which tells them that a field was rejected without telling them what's wrong with the input.

This is not to say that there isn't prior art for that, but as you can see it is much more than just a patent on a simple reg-exp pattern.

        -dZ.