Original post of this article
Datawing disavows CSP nonce legal offensive
A UK firm has backtracked after sending letters alleging patent infringement to a set of small businesses who had enabled the CSP nonces web security feature.
CSP nonces offer an extension to the technology, introduced five years ago with CSP version 2, and supported by the Nginx web server and Cloudflare Workers, among others.
UK firm Datawing claims that the technology is covered by US and UK patents it holds.
The UK patent had lapsed but was renewed in May 2021 just weeks before Datawing sent out a legal nastygram to small UK-based companies, a small subset of the organizations that it claims were violating its patent.
A copy of the contentious letter can be found here.
The legal offensive was spotted by prominent UK security researcher Scott Helme, who questioned the applicability of the patent to a broadly used web security technology. Helme did not receive a letter himself but does run a website, Report URI, that users CSP nonces.
Helme slammed Datawing as acting like a patent troll in a detailed blog post on the topic.
The security researcher told The Daily Swig that Datawing had set about targeting “smaller organizations that are likely to be intimidated by these letters and pay the license fee”.
Meanwhile the Public Interest Patent Law Institute offered support to organizations that had received letters from Datawing, a move that greatly reduced its prospects of extracting a licensing fee from letter recipients.
Datawing takes fright
In the face of this opposition, Datawing decided to abandon its licensing campaign, admitting that its letters were “ill advised” and apologizing for any upset it had caused.
William Coppock, managing director of Datawing, told The Daily Swig: “In short I was ill advised, and the letters were a complete error in judgement.
“I’m truly sorry to have caused upset over this. I’ll be writing to the 25 companies concerned to apologise for the upset caused.”
Datawing bristles at criticism that its letters were threatening.
Coppock concluded: “I did not intend for my letters to be interpreted as a threat. The intention was only to explain the situation in an open and neutral manner and ask for support.”
The Daily Swig also approached the Public Interest Patent Law Institute for comment. We’ll update this story as and when more information comes to hand.