IBM Wants Patent For Regex SSN Validation

theodp writes "What do you get when you combine IBM contributors with the Dojo Foundation? A patent for Real-Time Validation of Text Input Fields Using Regular Expression Evaluation During Text Entry, assuming the newly-disclosed Big Blue patent application passes muster with the USPTO. IBM explains that the invention of four IBMers addresses a 'persistent problem that plagues Web form fields' — e.g., 'a social security number can be entered with or without dashes.' A non-legalese description of IBM's patent-pending invention can be found in The Official Dojo Documentation. While IBM has formed a Strategic Partnership With the Dojo Foundation which may protect one from a patent infringement lawsuit over validating phone numbers, concerns have been voiced over an exception clause in IBM's open source pledge."

Prior Art so Prior It Hurts

[eldavojohn]

Application Patent Date: November 20, 2007
Online Prior Art at the Regex Library from 2004:

^(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$

Put that into your favorite Javascript regular expression object and write a stupid onChange reference to it in your HTML and ... tada! Too complicated? Here's some more prior art. Or here. A little bit of Googling must be too much for the USPTO.

Are we suddenly shocked to discover one line of code can be patented when a whole mess of code can be patented?

Re:Prior Art so Prior It Hurts

[Rei]

The amazing part is that IBM is wasting this kind of money applying for a patent that has no chance of standing up in court, if they're even dumb enough to grant it in the first place. I'm in the process of applying for a software patent myself (I know, summon the chorus of boos; but having it could be the difference between being able to raise VC and not being able to raise VC for my starting business; loans, too, are often secured against your IP). These things don't come cheap -- mostly in terms of legal costs. As in a $5k retainer, $5-10k total for a single patent, more if it takes multiple patents to ensure sufficient protection, and if you want international protection, it can go up to $100k or so. Also, from discussions with my attorney, it's really hard to get away with the "bloody obvious" software patents anymore after all of the blowback from things like the Amazon 1-click patent.

I'm surprised they'd waste the money trying. Perhaps their legal department didn't have enough work to do but they didn't want to cut staff.

Re:Prior Art so Prior It Hurts

[Zordak]

Also, from discussions with my attorney, it's really hard to get away with the "bloody obvious" software patents anymore after all of the blowback from things like the Amazon 1-click patent.

Somebody mod parent up. The days of the patent office just rubber stamping software patents (if there ever were such days) are over. Those guys have gone absolutely freakin' nuts with KSR. Seriously, you could send them an application for a working FTL drive, and they'd just shoot back an obviousness rejection combining one of Einstein's publications with an episode of Star Trek. I'm not saying it's bad to treat obviousness as a hard fact question where we have to actually use our heads rather than mechanically use the Teaching/Suggestion/Motivation test. But these guys have gone totally the other way. They don't use their heads. They just mechanically reject everything as obvious if they can find the pieces in any prior art, regardless of whether it was obvious to put them together (and for those who think this is a good thing, the result of this line is there's no such thing as an invention, because everybody builds on what's already there).

And now with Bilski, the examiners are all hot to reject any software claim as not patentable subject matter. Really, the landscape has changed. Anybody sitting around posting on Slashdot and grousing about the USPTO rubber stamping software patents really has no idea what they're talking about.

Re:Prior Art so Prior It Hurts

[ttyRazor]

More true than you know. A friend of mine started working for the the patent office not too long ago with the explicit instruction to reject everything that comes across his desk.

Re:Prior Art so Prior It Hurts

[Zordak]

My post is flamebait and yours is "funny"? [Shakes head in disbelief]. This isn't a flame or a joke. It's absolutely true. I've seen a former examiner say, on the record in a deposition, that he had to get permission from his boss's boss to allow an application on the first action. The assumption is that you will reject all applications at least once (and preferably at least twice so you can draw an RCE with those yummy fees).

Re:Prior Art so Prior It Hurts

[radtea]

as long as he doesn't sue anyone over the patent no puppies have been harmed.

And when the company gets bought out and the puppy-torturing plans get put into action by the new owners, and he screams, "But I didn't mean this to happen!" he will not be forgiven.

Re:Prior Art so Prior It Hurts

[JWSmythe]

    It's not trivial, but not impossible.

    The first 3 digits are the area (state) code.

    The next 2 digits are the group.

    The last 4 digits are the serial number.

    There is no check digit, so no further math is required to validate it.

    State codes are listed here http://www.socialsecurity.gov/employer/stateweb.htm

    The highest issued group as of May 01 2009 is listed here: http://www.socialsecurity.gov/employer/ssns/highgroup.txt

    You can pull the high group file back to November 2003 from the SSA site here: http://www.socialsecurity.gov/employer/ssnvhighgroup.htm

    The group numbers are used out of order for "administrative" reasons.

    The groups are assigned as:

    ODD 01 -> 09
    EVEN 10 -> 98
    EVEN 02 -> 08
    ODD 11 -> 99

    Area 000 is never issued.
    Group 00 is never issued.
    Serial 0000 is never issued.

    The Area (state) code is based on where the card is issued, not where the person was born. If you were born in NYC, but your number was issued in California, you would have a California area (state) code.

    Now, the SSN is generally requested by the hospital, so if you have a baby born in the US, part of the stack of paperwork includes the SSN request form. In those cases, obviously the birth state and SSN state should match, unless for some odd reason the request is sent to another state.

    When I was born, there was no requirement to get a SSN issued immediately, and my family moved when I was 5, so my SSN was issued by the second state.

    The logic to test if a SSN has been issued is pretty easy with a couple tables in a DB, or a whole lot of hard coded crud that has to be updated monthly.

Re:Prior Art so Prior It Hurts

[Rei]

So if your VCs wanted you to torture puppies to death before they'd give you money, would the "chorus of boos" have any effect on your actions?

I assure you that my company, Puppy Waterboards, LLC, does care about your concerns about our patent, "Method and apparatus for puppy euthanasia utilizing superheated corkscrews", and will direct them to the appropriate staff.

There are many ways to get money. Some of them are right, and some of them are wrong. People with consciences know there's a difference.

On a more serious note, you don't even know what my patent is about, and yet you're positive it's "wrong". People with consciences try to find out the facts before they criticize.

Re:Prior Art so Prior It Hurts

[Zordak]

Haha, how clever you are. Seriously, I'm stunned at your masterful retort. But here's the problem. The patent office rejecting an application is GREAT for my business. Every time the patent office sends me a rejection, whether it's legitimate and well-reasoned or flat-out crap, the client has to respond. That means I keep getting paid. So it's not like KSR put patent attorneys out of business.

My entire point, which you seemed to have missed, is that this notion that the USPTO rubber stamps patent applications (and especially software patent applications) is absolutely, demonstrably false. Now, that said, yes, it would be great for my clients if the USPTO only issued legitimate rejections. And I wouldn't really mind seeing it either, because maybe then I could help more people get patents. But in the end, even the most craptastic, infuriating rejections aren't harming my personal interests.

Re:Prior Art so Prior It Hurts

[Zordak]

Aaah. I see my error now. I was responding to your inane publicly-visible post instead of your secret invisible post where you said something insightful. The publicly-visible post just said, "Awww, do you want us to cry because you actually have to work hard to get a patent? Let me call the waaahmbulance for you." Next time, I'll be sure to remotely hack your computer and locate and decrypt "SuperSecretInsightfulPost.html" so I can be sure to respond to all of your brilliant points.

Re:Prior Art so Prior It Hurts

[Chandon+Seldon]

If it gets granted, how much lawyer time will it take to get overturned later?

This is a setup for a denial of service attack on the budgets / legal resources of smaller companies in future legal engagements.

Re:Prior Art so Prior It Hurts

[Ninja+Programmer]

The initial rejections are just a smoke screen. The USPTO just does that to try to disincentivise appliers from doing "blanket patents". They are forced to come back and justify the patent a second time, which costs lawyer money, which the applying corporation (rarely is it a person) will have to consider before they try to push through their patent.

But in the end, as long as the applying company has the money (like IBM) and people willing to explain the spin on their patent, the USPTO is basically powerless to stop them. The USPTO does not hire talented people who can actually assess patents and understand what is obvious and what is not (such people would rather be working for a start-up or a big corporation or whatever). I know this because of the questions on the patent I applied for as principle (and got). They asked the wrong questions -- where I was being innovative they challenged me on prior art (clearly not the case) rather than obviousness.

Nothing changes the fact that the USPTO is in way over their heads. All because they allow software patents in the first place, and there are too many cynical software engineers trying to get their little bonus incentive to file the patent and throw it on their resume. (I should know, that's what I did.)

What bullshit?

[Pig+Hogger]

What is this buillshit? "A persistent problem is dashes in SSNs"???

How fucking hard is it to strip non-numeric characters from a string?

I cannot believe there could be such programmer incompetence; no, it has to be some managerial cluelessness and hard-headness.

Re:What bullshit?

[mckinleyn]

A persistent problem that plagues Web programmers is the proper formatting of data into text fields. Fixed that for you, IBM.

Re:What bullshit?

[fizzup]

Maybe if we put it in a format IBM can understand:

SOCIAL-SECURITY-NUMBER PIC 99-999-9999

Re:What bullshit?

[SQLGuru]

I'd say this was funny, but you got the format wrong.....999-99-9999

Re:What bullshit?

[TheRaven64]

Sorry, your post was in ASCII, so we couldn't understand it. Could you try resubmitting it in EBCDIC please?

Thanks,
IBM

Re:What bullshit?

[idontgno]

Exactly.

Being mostly a Perl hacker now, I'm as guilty as most in trying to find the perfect regex solution to a blindingly simple problem. It's seductive, it's cool, it's mystical, it's insider cant and sacred dweomer and secret handshake all rolled together.

I have, posted on my cube wall, a particularly good quote from Jamie Zawinski:

Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems.

Real time is the key claim

[wiredlogic]

The first claim mentions the real time nature of the validation. The example regexes are for validating a completed string. This is still silly and obvious but you may have a harder time finding specific prior art for this case.

Re:Real time is the key claim

[radtea]

I assume that most Javascript validation waits until all of the text has been entered.

Your assumption is false. It's called an OnChange event: http://www.w3schools.com/jsref/jsref_onchange.asp

I am not a "Web programmer" but anyone with even a passing familiarity with JavaScript has seen this.

The first claim in the patent is: "1. A system for providing real-time validation of text input fields in a Web page comprising:a validation-enhanced text input element configured to contain an attribute for a validation expression for a text field in a rendered Web page, wherein the validation-enhanced text input element is contained within a source code document corresponding to the rendered Web page; andan input text validator configured to validate a user-entered character of the text field against the validation expression in real-time and visually indicate invalid user-entered characters."

So these losers have filed a patent application in which the first claim is exactly nothing but a completely standard bit of JavaScript code. People have been doing this kind of real-time validation and response for years and years and years. JavaScript is designed to do it.

This is by far the most egregiously stupid patent application we have seen on /. in a long time.

Why IBM is doing this is a complete mystery, although "never assume venality where stupidity will do" comes forcibly to mind.

More to it than that.

[gurps_npc]

The numbers in your social security number mean things. By State originally. I am sure, IBM is at least including double-checking that information, to make sure that you can't type in 741-99-0000 and have the machine mistakenly think it is a valid social security number. How do I know this? Because the numbers mean things, you can tell that certain things are obviously bad social security numbers. For example, no field can have all 0. 111-00-1111 has never been assigned. Similarly, no number above 740-##-#### has ever been assigned.

You can read more about it here

Re:More to it than that.

[QuoteMstr]

Strictly speaking, it does, but it might be large. As a quick and dirty test, here's the result of evaluating (regexp-opt (loop for x from 0 to 700 collect (format "%d" x )) nil) in Emacs:

"1\\(?:0[0-9]\\|1[0-9]\\|2[0-9]\\|3[0-9]\\|4[0-9]\\|5[0-9]\\|6[0-9]\\|7[0-9]\\|8[0-9]\\|9[0-9]\\|[0-9]\\)\\|2\\(?:0[0-9]\\|1[0-9]\\|2[0-9]\\|3[0-9]\\|4[0-9]\\|5[0-9]\\|6[0-9]\\|7[0-9]\\|8[0-9]\\|9[0-9]\\|[0-9]\\)\\|3\\(?:0[0-9]\\|1[0-9]\\|2[0-9]\\|3[0-9]\\|4[0-9]\\|5[0-9]\\|6[0-9]\\|7[0-9]\\|8[0-9]\\|9[0-9]\\|[0-9]\\)\\|4\\(?:0[0-9]\\|1[0-9]\\|2[0-9]\\|3[0-9]\\|4[0-9]\\|5[0-9]\\|6[0-9]\\|7[0-9]\\|8[0-9]\\|9[0-9]\\|[0-9]\\)\\|5\\(?:0[0-9]\\|1[0-9]\\|2[0-9]\\|3[0-9]\\|4[0-9]\\|5[0-9]\\|6[0-9]\\|7[0-9]\\|8[0-9]\\|9[0-9]\\|[0-9]\\)\\|6\\(?:0[0-9]\\|1[0-9]\\|2[0-9]\\|3[0-9]\\|4[0-9]\\|5[0-9]\\|6[0-9]\\|7[0-9]\\|8[0-9]\\|9[0-9]\\|[0-9]\\)\\|7\\(?:00\\|[0-9]\\)\\|8[0-9]\\|9[0-9]\\|[0-9]"

What regular expressions can't do is match strings that aren't described by a regular language. Roughly speaking, if what you're trying to match has a maximum length, you can match it with a regular expression. (For a more formal description, see the Pumping Lemma.)

Re:Even bigger problem

[Shakrai]

put a damned example on your site, like this: nnn-nn-nnnn

You can put as many examples on your site as you want but your users will still find a way to fuck it up. You need code that checks for this and either corrects their stupidity or kicks it back and makes them re-enter it.

What if We Assume They *Are* Idiots?

[eldavojohn]

Program Manager: What the hell is happening?! Why is the website down?!
Web Programmer: It's the users, sir, one of them put dashes in their SSN on the form!
Program Manager: I don't have time for this mumbo jumbo geek jargon ... what are you trying to tell me? This is an emergency, accounting said our money is leaving!
Web Programmer: Well, you see the dashes are inside the string.
Program Manager: Inside? How is this possible?
Web Programmer: Well, the user must have paused to push the dash key, sir.
Program Manager: So if the dashes are inside the string, we have to get them out. Is there someone we can pay for this service?
Web Programmer: I'm afraid it's too complicated for that. But maybe if we had it write to a file and one of us kept refreshing a text editor on that file ... we could remove it and then it could read back the file after waiting for a few seconds. We would have to hope that more users don't come while we are performing emergency dash extraction.
Program Manager: Goddamnit! Why didn't testing find this?!
Web Programmer: Well, they did but to fix this bug we just removed the dash keys on their keyboards.
Program Manager: Can we do that to each of the users?
*IBM employee enters with massive box labeled "Enterprise SSN Dash Extractor"*
IBM Sales Rep: Gentlemen, let IBM solve all your SSN problems for a mere $2,000 per site license!

Revolutionary Patent Idea!!!1!

[serutan]

Patent Application 973255489

"Method of enhancing sarcasm through the intentional introduction of typographical errors within multiple exclamation marks."

Within a set of not fewer than four (4) and not more than eight (8) Exclamation Marks ("!"), an Erroneous Character from the set of characters [1, 2, @, #, ~, `] is inserted after the third or fourth Exclamation Mark. The Erroneous Character is perceived by the reader as a typographical error consistent with hurried, careless typing, reinforcing any sarcasm contained in the textual comment preceding the Exclamation Marks.

Heck Why not....

[gabrieltss]

Heck a lawyer patented the method for swinging on a swing
  Why not IBM patenting something stupid like this! Maybe enough of these will bring the patenet system into reform or it's destruction...

Ref:
http://www.google.com/patents?vid=6368227
http://www.freepatentsonline.com/6368227.html
http://en.wikipedia.org/wiki/Reexamination

Actually

[Zordak]

Actually, they're trying to patent "A system for providing real-time validation of text input fields in a Web page comprising:a validation-enhanced text input element configured to contain an attribute for a validation expression for a text field in a rendered Web page, wherein the validation-enhanced text input element is contained within a source code document corresponding to the rendered Web page; andan input text validator configured to validate a user-entered character of the text field against the validation expression in real-time and visually indicate invalid user-entered characters," and "A method for providing real-time validation of text input fields in a Web page comprising:receiving a user-entered character in a text field displayed in a Web page;immediately validating the user-entered character against a validation expression contained within a validation-enhanced text input element associated with the text field, wherein the validation expression defines a set of acceptable characters and character positions for the text field; andwhen the user-entered character is determined invalid, visually marking the user-entered character," and "An input text validator for validating a text field of a Web page in real-time comprising:a partial input expression generator configured to generate an expanded version of a validation expression, wherein the expanded version of the validation expression defines a set of acceptable characters and character positions for a text field of a Web page; andan invalid text highlighter configured to visually highlight a user-entered character in the text field when the user-entered character is determined as invalid for the expanded validation expression."

Remember, patents are all about the claims. You don't know what they're "trying to patent" until you have read and understand the claims.

Have you read the patent application?

[dzfoo]

You didn't read the patent application, did you?

They are not patenting a regular expression to validate social-security numbers, they are patenting an entire validation system for web application, in which there is an API for a developer to specify a regular expression, and the framework will then validate the user input in real-time, while the front-end highlights the specific characters that caused the failure. The particular problem they are trying to solve is the user confusion when they submit a form which tells them that a field was rejected without telling them what's wrong with the input.

This is not to say that there isn't prior art for that, but as you can see it is much more than just a patent on a simple reg-exp pattern.

        -dZ.

Slashdot true to form

[thethibs]

Wow! All this steam and no one read the patent. It's been a while since the Slashdotter stereotype was so well validated.

The patent is for incremental validation as the characters come in. The text input widget is primed with the regex and validates each character as it is keyed, and reacts immediately if it gets an invalid-in-context character. The effect is that it's not possible to enter an invalid string.

Whether you think this is novel or not, it's not ordinary.

Are you pondering what I'm pondering?

[dword]

Why don't we try to get USPTO's attention over to Slashdot? Then, if they think they don't understand what's going on with a patent, they can find other peoples' interpretation of it over here. They're bound to understand at least one of a hundred different wordings of that patent in Slashdot's comments.

Any ideas?