[UPDATE] Calls to push back UPC sunrise period as 89% have not been able to obtain/authenticate security devices needed to access Case Management System

http://ipkitten.blogspot.com/2022/11/update-calls-to-push-back-upc-sunrise.html

Last week the AmeriKat posted a survey on the IPKat to check how many people have been able to obtain a security device that is necessary to access the Unified Patent Court’s (UPC’s) Case Management System (CMS) via strong authentication.  This was triggered by in-house counsel flagging to the AmeriKat the struggle of getting their paws on security devices needed for authentication and to sign documents being uploaded to the CMS.  As previously explained, the CMS is important in these pre-launch days because companies will be using the system to lodge their opt-outs (i.e. opting their classical European Patents out of the UPC’s jurisdiction) at the start of the sunrise period on 1 January 2023 (some 33 days away). The UPC has brought in a strong authentication procedure for users to access the CMS, which requires two certificates – one for authentication to log in and one for electronically signing documents you want to upload.  The authentication certificate has to be stored on a physical security device (smart card or USB stick).  

The survey has been running for almost a week and garnered several comments and emails on the topic.  Here is the break down (as of the date of the post):

• There were 134 respondents to the IPKat survey.  
• 89.6% of respondents (120) have not been able to access the UPC CMS via the strong authentication process.
• 8.2% of respondents (11) have been able to access the UPC CMS via the strong authentication process.
• 3 respondents entered additional information in the “other box” which is detailed below. 
• There were 24 comments on the IPKat post (and more by email).  

Now on to the comments. The AmeriKat has separated these between procedural (obtaining a security device, mechanisms for access, providers, etc) and substantive (what this means for the sunrise period and general system).  The IPKat, being a cat, has not tested the below providers himself but is merely reporting the experiences of readers below.  Merpel is taking a nap.

Procedural Issues

Here are the procedural headlines:

• LuxTrust experience:  Claus Beckmann applied for a LuxTrust card and installed a LuxTrust app on his mobile.  His identity was checked by video link the same day (with no need to provide a notarized/legalized copy of his passport).  The card arrived a few days later, software installed and the card was able to be read on the same reader as his EPO Patent Attorney Card.  The test on the UPC authentication test page worked immediately (after virus protection was temporarily disabled, which he flags may be a stumbling block others encountered).  Claus does have a question on e-signature requirements (which was a recurring theme in the e-mails and comments – see below).  Check out his question in the comments (@Claus Beckmann on 28 November at 11:47).

• Mixed success so far with UK providers:  @bloombsuryboy commented that they tried to use a UK based supplier who “had been assured they were doing the right thing by the UPC and have now found that their system is incompatible and they don’t know when it might work. I have since tried Luxtrust and been through the online identification procedure but all has now gone silent. It seems that there are problems under the bonnet and this could delay the start of the Court if this is not sorted out soon.”  The AmeriKat received an email from DigiCert stating that they are one of the companies “that the UPC has advised as having a viable certification” and they are “in the process of beta testing with several patent law firms in the UK and have been able to successfully authenticate“.  

• Switzerland:  It was reported that there was no Trust Service Provider offering a SmartCard being interoperable with the CMS in Switzerland (@Anonymous at 25 Nov at 8:32). That commenter also had difficulty in Germany, but Claus’s experience above shows that it is possible.

• Italian provider:  For Italy, a commenter said that InfoCert was the vendor that has been providing functional certificates (@Anonymous on 26 November at 11:33). 

• Belgian success:  A survey respondent who successfully obtained a security device said that they used a Belgian ID card with authentication certificate contained on the card and smart card reader. No identification of the provider yet.  If that was you, please let us know in the comments below!

• Even with access to a security device, there are still problems:   One anonymous commenter (25 Nov at 8:32) said they obtained a SmartCard from a Trust Service Provider in Luxembourg which allowed for successful access to the input page of the CMS, including with a signature that complied with the eIDAS Regulation from another Service Trust Provider from Austria.  However, there were still unsolvable problems being, the commenter explained,:  (1) No clear statements on the interpretation of Rule 4 Rules of Procedure in relation to signature requirements (there are IP Service Providers offering an application to opt out for EUR 20 or EUR 50 per patent and saying that they will take care of the signature or that a qualified signature compliant to the eIDAS Regulation is not required); (2) No practical information on an application programming interface (API) for handling hundreds of applications to opt out; (3) The response time from IT UPC being more than 4 weeks (if any response at all); (4) No updated FAQs or forms.

• Beware of your browser/middleware and new EPO authentication solutions:  One supplier (no name) said that certificates that they propose will only work with Windows, Firefox and certain older versions of macOS.  They also conflict with the EPO smartcard certificates, so those have to be removed before declaring the UPC compatible one.  Thus, the commenter wrote, if you work in a Chromebook environment or Linux/Unix workstation other than macOS v11 or  v12, you may not be able to get this to work (@SurprisedNotReally on 23 Nov at 18:26).  @Anonymous on 27 Nov at 17:56 stated that they doubted there were conflicts between different certificates but “there may be conflicts between different middlewares (software required to use the smartcards) or card-reader drivers used by these middlewares. For instance, the EPO’s middleware and LuxTrust’s middleware have conflicting drivers. Since one only needs the EPO middleware to unlock the EPO smartcard, this is not a major issue. Also, the EPO plans to roll out a new authentication solution next years, which will replace the smart cards, so that problem is basically solved.” @SuprisedNotReally responded that:  “The documentation provided by CertEurope for setting up the certificate in Firefox indicates that you have to unload any PKCS11 device that uses a Gemalto library prior to setting up and pointing to their own dynamic library and importing their certificate into the browser. CertEurope use the SafeNet authentication token management software produced by Thalès for managing system-wide integration of the cert into the OS.”  Merpel is still taking a nap.  

Substantive Issues

Here are the substantive headlines:

• The UPC knows there are issues:  At the UPC Mock Trial held last Monday in Paris, Judge Klaus Grabinski (the UPC’s Chief Judge) was reported as mentioning that the UPC is working on a “preferred supplier” list, as they were ware of the difficulties and that this list would be published as soon as possible. As of today, the AmeriKat has not seen such a list.  

• Delay to the sunrise period is required:  There were reports that a suggested 2-3 week delay might be under consideration (as reported at the UPC Mock Trial in Paris last week).  But there has been no independent confirmation of that (see @Anonymous at 23 Nov 17:59).  However, what is clear from the comments received by the AmeriKat is that industry are welcoming (and some are demanding) a delay to the sunrise period in order to buy back the time needed to get to grips with CMS and iron out any technical issues before the sunrise period commences on 1 January 2023. With the majority of users responding to the IPKat survey having not been able to access the security devices and/or CMS to verify the security devices, the time between then (which is uncertain) and 1 January is only a matter of a few weeks.  The risk being that companies are sorting out these technical and procedural issues while the sunrise period’s “opt out” countdown clock is running down.

• Clearer communication and engagement needed:  From digesting all the comments over the last week, it is clear that the there is a significant need for urgent, updated, clear and frequent communication on the operation of the CMS, deadlines and interpretive questions for, e.g.,  over Rule 4 of the Rules of Procedure regarding signature requirements (which one commentator said “may be the hiding the next nightmare for those wanting to file opt-outs” and generated several questions, including in relation to e-signature requirements for opt-outs via API).  It would be useful if there was a User Guide to the CMS, FAQ and/or a video showing exactly how to lodge an opt out that is compliant with all of the procedural rules and requirements (and in what order) so that users do not get “undone” by issues that could be addressed now.  Even those who managed to get a security device and successfully test it on the CMS, supported this call for action (@Claus Beckmann on 28 Nov at 11:47).  As @Proof of the pudding on 27 Nov at 19:16 stated:

Content reproduced from The IPKat as permitted under the Creative Commons Licence (UK).