Datawing disavows CSP nonce legal offensive

UK firm Datawing has backtracked after sending letters alleging patent infringement

UPDATED A UK firm has backtracked after sending letters alleging patent infringement to a set of small businesses that had enabled CSP nonces, a web security feature.

Content Security Policy (CSP) in general is a technology geared towards mitigating cross-site scripting (XSS) attacks.

CSP nonces extend the technology: introduced five years ago with CSP version 2 (CSP Level 2), they are supported by the Nginx web server and Cloudflare Workers, among others.
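To make concrete what the disputed feature actually does, here is an added Python example (not code from Datawing, Scott Helme or any project named in the article). It generates a fresh random nonce for each response, emits the matching `Content-Security-Policy` header, and then runs a deliberately simplified simulation of the browser's enforcement rule: an inline script executes only if its `nonce` attribute matches a `'nonce-…'` source in `script-src`. The helper names, the sample HTML and the simulated check are all assumptions of this example; a real browser applies the full CSP algorithm, which this does not reproduce.

```python
import base64
import re
import secrets

NONCE_BYTES = 16  # 128 bits of entropy per response is the usual recommendation


def generate_nonce(num_bytes: int = NONCE_BYTES) -> str:
    """Return an unguessable, per-response nonce encoded as base64."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def build_csp_header(nonce: str) -> str:
    """Build a nonce-based policy: only scripts carrying this nonce may run."""
    return f"script-src 'nonce-{nonce}'; object-src 'none'; base-uri 'none'"


def allowed_nonces(csp_header: str) -> set[str]:
    """Parse the script-src directive and collect the nonce values it permits."""
    for directive in csp_header.split(";"):
        parts = directive.strip().split()
        if parts and parts[0] == "script-src":
            return {
                source[len("'nonce-"):-1]
                for source in parts[1:]
                if source.startswith("'nonce-") and source.endswith("'")
            }
    return set()


def render_page(nonce: str, injected_script: str) -> str:
    """Constructed sample page: one trusted inline script carrying the nonce,
    plus one script that arrived through an (assumed) XSS injection point and
    therefore could not have known the nonce chosen for this response."""
    return (
        "<html><body>\n"
        f'<script nonce="{nonce}">console.log("trusted inline script");</script>\n'
        f"<div id=\"comment\"><script>{injected_script}</script></div>\n"
        "</body></html>"
    )


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r"""\bnonce\s*=\s*["']([^"']*)["']""", re.IGNORECASE)


def script_allowed(tag_attrs: str, nonces: set[str]) -> bool:
    """Simplified enforcement: a script runs only if its nonce attribute
    matches one of the nonces listed in script-src."""
    match = NONCE_ATTR.search(tag_attrs)
    return bool(match) and match.group(1) in nonces


def evaluate_page(html: str, csp_header: str) -> dict:
    """Count which <script> tags in the page the policy would allow or block."""
    nonces = allowed_nonces(csp_header)
    result = {"allowed": 0, "blocked": 0}
    for match in SCRIPT_TAG.finditer(html):
        key = "allowed" if script_allowed(match.group(1), nonces) else "blocked"
        result[key] += 1
    return result


if __name__ == "__main__":
    nonce = generate_nonce()
    header = build_csp_header(nonce)
    page = render_page(nonce, "alert('injected')")
    print("Content-Security-Policy:", header)
    print(evaluate_page(page, header))
```

The point the simulation makes is that the nonce is chosen per response and never appears in the page template, so a payload injected through user-controlled content cannot carry the right value and is blocked, while the site's own inline script, stamped with the nonce at render time, still runs. Reusing a static nonce across responses defeats this entirely, which is why the generator draws fresh random bytes each time.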

Patent trolling?

UK firm Datawing claims that the technology is covered by US and UK patents it holds.

The UK patent had lapsed but was renewed in May 2021 just weeks before Datawing sent out a legal nastygram to small UK-based companies, a small subset of the organizations that it claims were violating its patent.

Website operators that turn on this browser security feature are being informed of alleged patent infringement and told they ought to license Datawing’s Scriptlock product, software designed to prevent the unauthorised execution of JavaScript.

A copy of the contentious letter can be found here.


The legal offensive was spotted by prominent UK security researcher Scott Helme, who questioned the applicability of the patent to a broadly used web security technology. Helme did not receive a letter himself but does run a website, Report URI, that uses CSP nonces.

Helme slammed Datawing as acting like a patent troll in a detailed blog post on the topic.

The security researcher told The Daily Swig that Datawing had set about targeting “smaller organizations that are likely to be intimidated by these letters and pay the license fee”.

Meanwhile the Public Interest Patent Law Institute offered support to organizations that had received letters from Datawing, a move that greatly reduced Datawing’s prospects of extracting a licensing fee from letter recipients.

Datawing takes fright

In the face of this opposition, Datawing decided to abandon its licensing campaign, admitting that its letters were “ill advised” and apologizing for any upset it had caused.

William Coppock, managing director of Datawing, told The Daily Swig: “In short I was ill advised, and the letters were a complete error in judgement.

“I’m truly sorry to have caused upset over this. I’ll be writing to the 25 companies concerned to apologise for the upset caused.”

Datawing bristles at criticism that its letters were threatening.

Coppock concluded: “I did not intend for my letters to be interpreted as a threat. The intention was only to explain the situation in an open and neutral manner and ask for support.”

Alex Moss of the Public Interest Patent Law Institute welcomed Datawing’s decision while warning that the whole incident is part of a wider problem rooted in poorly issued patents.

“Datawing’s decision to drop its demands is a victory for internet users everywhere as well as those wrongly accused,” Moss told The Daily Swig. “But things like this happen too often, and rarely end so well.”

Moss concluded: “This will only stop when patent offices stop issuing overbroad software patents that take far more out of the public domain than they contribute.”

This story was updated to add comment from the Public Interest Patent Law Institute.
