DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to communication: RCE filed on 10/31/2025.
Claims 1-5, 8-13, 15, 18, 19, and 22 are currently pending in this application. Claim 20 has been cancelled. Claim 22 is new.
No new IDS has been filed for this application.
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 10/02/2025 has been entered.
Response to Arguments
Applicant’s arguments have been fully considered but are not found persuasive.
Applicants argue that the prior references do not teach the amended limitations. However, this is not persuasive. Applicants have amended the claims to include determining whether to automatically grant third-party entity access to contents defined in the permission policy based on i) whether the permissions policy falls within user-defined guidelines and ii) without using an identity of the third party entity in the determination. Although applicants specifically argue that Kruse does not teach such limitations, such limitations would have been obvious over the Modani and Barkley references. Barkley is directed toward the combination of RBAC (role based access control) with particular object access control (see col. 3 lines 25-35, col. 3 lines 44-53, and col. 4 lines 18-25). As seen in col. 3 lines 35-53 of Barkley, by utilizing role based access control, permissions are granted via roles instead of individual identifiers. Thus, such limitations would have been obvious over the Barkley and Kruse references. Further, and more particularly, the modification renders the claimed limitation obvious. For example, Barkley teaches determine whether to automatically grant third-party entity access to contents defined in the permission policy i) based on whether the permissions policy falls within the guidelines and ii) without using an identity of the third party entity in the determination (col. 9 lines 8-45 with administrator/user setting permissions to particular objects based on roles; see col. 12 lines 35-50 wherein parties associated with the roles are able to access all the data provided to that role).
Applicant’s arguments are thus not found persuasive. See amended rejection below.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-7, 10-13, and 15-17 are rejected under 35 U.S.C. 103 as being obvious over Modani et al. US Patent Application Publication 2021/0056184 (Modani), in view of Barkley et al. US Patent No. 6,202,066 (Barkley), and further in view of Kruse et al. US Patent No. 10,122,757 (Kruse).
As per claim 1, Modani teaches a system comprising: one or more processors configured to: receive a request to add one or more permissions for a third-party entity to access a privacy vault associated with a user (paragraphs 22-25 with SDM determining which third parties to allow access to user data; paragraph 33 with access control list and whitelist; see paragraph 36 with third parties generating authorization request), determine one or more types of contents that are stored by the privacy vault and that the third-party entity intends to access, the determination based on identification, by the third party entity, of the one or more types of content (paragraphs 23-24 with SDM recognizing third parties via the identification such as by registered/authorized vendors or relationships; see paragraph 36 with access request of particular content); define a permissions policy, applicable to the third-party entity, defining permissions relating to access of contents and that encompasses at least permissions relating to access of the one or more types of content (paragraph 37 with authorization request including particular resource being requested by third party); determine whether the permissions falls for automatic acceptance (paragraph 37, claim 1, and throughout with determining whether request for particular access controls falls within prior user configured access controls put in place by user); and present the permissions for acceptance or modification (paragraph 37, claim 4, and throughout wherein when prior permissions are not provided, a consent request is generated and sent to user).
Modani does not explicitly teach define user-defined guidelines, wherein the defining of the user-defined guidelines includes identifying one or more security levels for the one or more types of contents; wherein the defining of the permissions policy includes limiting the access of contents at a security level of the one or more security levels, and wherein the access of contents at the security level is limited to one or more specific types of contents of the one or more types of contents. However, utilizing security levels and having permissions policy including limiting the access of content to different types of security levels is well known in the art. For example, see Barkley (col. 4 line 45-55; col. 9 lines 8045, and throughout, with role based access control on different types of objects). Barkley further teaches determine whether to automatically grant the third-party access to contents defined in the permission policy i) based on whether the permissions policy falls within the user-defined guides and ii) without using an identity of the third party entity in the determination; and automatically grant the third-party entity access to the contents defined in the permission policy, responsive to the permissions policy falling within the user-defined guidelines and without using the identity of the third party entity in the determination (see col. 3 lines 25-35, col. 3 lines 44-53, and col. 4 lines 18-25 with role based access control which does not use identity of user; col. 9 lines 8-45 with administrator/user setting permissions to particular objects based on roles; see col. 12 lines 35-50 wherein parties associated with the roles are able to access all the data provided to that role).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Modani with Barkley. One of ordinary skill in the art would have been motivated to perform such an addition to provide a convenient way to implement access control (col. 4 lines 25-35).
Although the Modani combination teaches determining whether permissions fall within guidelines, the combination does not explicitly teach present the permissions policy to the user for acceptance, denial, or modification, responsive to the permissions policy falling outside the user-defined guidelines. However, this would have been obvious. For example, see Kruse (col. 14 lines 5-25 with permission modifications may require additional approval by a user before being applied; see also col. 14 lines 27-50).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Modani combination with Kruse. One of ordinary skill in the art would have been motivated to perform such an addition to better manage user privileges (col. 1 lines 30-58).
As per claim 2, it would have been obvious over the Modani combination wherein the identification of the one or more types of contents is provided in an entity usage agreement provided by the third-party entity and wherein the one or more processors are further configured to analyze the usage agreement to determine the one or more types of content. Modani teaches wherein certain third parties are authorized based on relationships and registration (see paragraph 24). See also paragraph 26 wherein some third parties may be recognized as service partners. Paragraph 26 further shows an example of a third party as a smart thermostat would be able to access resources in regards to a smart thermostat, but not a smart doorbell. Paragraph 26 also teaches that “in other words, the whitelist 232 allows the SDM 200 to not grant access to user resources that are unrelated to the services of third parties 150; thus providing user resources with some degree of an initial safeguard from potential abuse by third parties.” Although the term “usage agreement” is not explicitly cited, it would have been obvious, if not inherent, over Modani as Modani teaches registration of third parties and also service parties, which heavily applies some type of agreement. It would have been obvious to one of ordinary skill in the art to utilize usage agreements for information as such agreements generally recite explicit details on what information may/may not be accessed.
As per claim 3, Modani teaches wherein the identification of the one or more types of contents is provided via the entity by a representative contents request provided by the third-party entity (Modani paragraph 37 with authorization request including a user identifier).
As per claim 4, Modani teaches wherein the identification of the one or more types of contents is provided via the third-party entity by express identification of specific contents elements the third-party entity intends to access (Modani paragraph 36 with request for particular resources).
As per claim 5, Modani teaches wherein the identification of the one or more types of contents is provided via a predefined packet identifying specific contents elements that the third-party entity intends to access defined in a predefined format recognizable by the one or more processors (see Modani paragraph 38 with sending a URI for particular data and access controls; also see paragraph 34 wherein access control may be arranged in tuples with particular access to different groups/content/etc).
As per claim 6, Modani teaches wherein the determination of whether the permissions policy falls within user-defined guidelines is based at least in part on one or more characteristics of the third-party entity correlated to a user-defined guidelines defined automatically acceptable new permissions policies for third-party entities having the one or more characteristics (see Modani paragraphs 26-27 with whitelist and also associating third parties with the industry; see further paragraph 28, 30, 34, and throughout with trait groups).
As per claim 7, Modani does not explicitly teach wherein the one or more characteristics include a type of business of the third-party entity. However, this would have been inherent, if not obvious. As seen in paragraph 26, certain access to user resources depends on the third party’s “competency.” Modani provides the example of a third party that develops functionality for a smart thermostat would be provided resources to a smart thermostat because of its competency, and not to other resources such as a smart doorbell. Thus, as Modani teaches the use of a party’s “competency” and its related business, it would have been obvious, if not inherent, to include a “business” of the third party as it makes the guidelines more clear to a system to grant access to a third party.
As per claim 10, Modani does not explicitly teach wherein the user-defined guidelines identify types of contents accessible by types of business associated with third-party entities, and wherein definition of the permission policy includes access limited to the specific one or more types of contents identified by the third-party entity. However, this would have been inherent, if not obvious. As seen in paragraph 26, certain access to user resources depends on the third party’s “competency.” Modani provides the example of a third party that develops functionality for a smart thermostat would be provided resources to a smart thermostat because of its competency, and not to other resources such as a smart doorbell. Thus, Modani already teaches utilizing some type of guideline to allow access to third parties based on the business type. Although Modani does not explicitly teach that such relations are included in the user-defined guidelines, Modani already implements and associates such data with the third party’s business, and it would have been obvious to one of ordinary skill in the art to further include a user to define such guidelines as it gives the user more control and input to which data to access.
Claim 11 is rejected using the same basis of arguments used to reject claim 1 above.
Claim 12 is rejected using the same basis of arguments used to reject claim 2 above.
Claim 13 is rejected using the same basis of arguments used to reject claim 3 and 4 above.
Claim 15 is rejected using the same basis of arguments used to reject claim 5 above.
Claim 16 is rejected using the same basis of arguments used to reject claim 6 above.
Claim 17 is rejected using the same basis of arguments used to reject claim 7 above.
Claim(s) 8, 9, 18, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over the Modani combination as applied above, in view of Apostolopoulos US Patent Application Publication 2006/0090082 (Aposto).
As per claim 8, the Modani combination teaches having varied security levels associated therewith (see Modani paragraph 26 with party-specific level of access), but does not explicitly teach identifying classes of contents having the varied security levels, and wherein definition of the permissions policy includes access to contents at or below a most-secure level associated with at least one of the one or more types of content. However, classifying contents at different security levels and providing appropriate access based on those levels is notoriously well known in the art. For example, see Aposto (abstract, paragraphs 23-24, and throughout).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Modani combination with Aposto. One of ordinary skill in the art would have been motivated to perform such an addition to allow the secure transmission of data to a variety of users who have different access privileges in a secure and computationally efficient manner (paragraph 9 of Aposto).
As per claim 9, the Modani combination teaches having varied security levels associated therewith (see Modani paragraph 26 with party-specific level of access), but does not explicitly teach identifying classes of contents having the varied security levels, and wherein definition of the permissions policy includes access to contents at or below a most-secure level associated with at least one of the one or more types of content and further includes access to specific contents at the most-secure level limited to specific types of contents based on the identification of the one or more types of contents. However, classifying contents at different security levels and providing appropriate access based on those levels is notoriously well known in the art. For example, see Aposto (abstract, paragraphs 23-24, and throughout).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Modani combination with Aposto. One of ordinary skill in the art would have been motivated to perform such an addition to allow the secure transmission of data to a variety of users who have different access privileges in a secure and computationally efficient manner (paragraph 9 of Aposto).
Claim 18 is rejected using the same basis of arguments used to reject claim 8 above.
Claim 19 is rejected using the same basis of arguments used to reject claim 9 above.
Allowable Subject Matter
Claim 22 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter: Although the references above teach multiple aspects of the claims, including to a denial of a permissions policy, the new/amended limitations of claim 22 would not have been obvious, as a whole, over the combined references cited above.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON KAI YIN GEE whose telephone number is (571)272-6431. The examiner can normally be reached on Monday-Friday 8:30-5:00 PST Pacific.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/JASON K GEE/Primary Examiner, Art Unit 2495