METHODS AND GRAPHICAL USER INTERFACES FOR SCANNING APPLICATION CODE TO DETECT AND CLASSIFY SDK DATA INTO DATA CATEGORIES

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Rejections under 35 U.S.C. §101 … "analyzing the application code using a detector specification comprising one or more mappings between one or more source code identifiers and one or more data categories associated with the set of data processing activity components, wherein the one or more data categories associated with the set of data processing activity components are determined based on the one or more mappings in the detector specification." This limitation demonstrates that the claimed method improves code analysis efficiency by utilizing predefined mappings to automatically categorize detected components. … Applicant’s arguments, see pg. 12, last partial par., filed 11/21/25, with respect to claims 1-5, 7-13 and 15-20 have been fully considered and are persuasive. The 101 rejection of claims 1-5, 7-13 and 15-20 has been withdrawn. Rejections und 35 U.S.C. §102 Applicant’s arguments have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-8, and 11-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over US 11,025,675 to Barday et al. (Barday) in view of US 2022/0156383 to Schwarzbauer et al. (Schwarzbauer). Claims 1, 11 and 16: Barday discloses a computer-implemented method comprising: receiving, in response to an application code scan, a set of data processing activity components identified within an application code by analyzing the application code and determining mappings between one or more source code identifiers and one or more data categories associated with the set of data processing activity components (col. 70, lines 3-5 “the system may identify Gusto as a primary asset and recognize the Gusto stores expense information “, col. 80, lines 30-33 “searching for particular data fields comprising one or more pieces of information that may include personal data”, col. 52, lines 57-62 “a list of the privacy-related attributes … relates to a privacy assessment standard”), wherein the one or more data categories associated with the set of data processing activity components are determined based on the one or more mappings (col. 52, 19-25 “analyzes the computer code to determine a plurality of privacy-related attributes … the types of personal information the computer code collects and/or accesses”); based on the set of data processing activity components, providing, for display within a graphical user interface, a data processing activity component from the set of data processing activity components (col. 52, lines 52-64 “display to the user a list of the privacy-related attributes related to the computer code”); and based on the one or more data categories, providing, for display within the graphical user interface, a data category indicating one or more data types or one or more data processing purpose types represented in the set of data processing activity components (col. 56, lines 26-30 “display … a list of the attributes related to … a privacy assessment standard”, see e.g. Fig. 20B, 2035). Barday does not explicitly disclose: using a detector specification comprising one or more mappings. Schwarzbauer teaches: using a detector specification comprising one or more mappings (par. [0193] “a vulnerable library identifiers list 722, containing identifiers for all libraries containing the vulnerable APIs”). It would have been obvious before the effective filing date of the claimed invention to Use a detector specification comprising mappings. Those of ordinary skill in the art would have been motivated to do so for “fast and efficient lookup” of the vulnerable data accesses (see e.g. Schwarzbauer par. [0193]). Claims 2, 12 and 17: Barday and Schwarzbauer teach claims 1, 11 and 16, further comprising providing, for display within the graphical user interface, the data processing activity component by displaying software development kit (SDK) components, application programming interface (API) components, or function call components present within the application code (col. 56, lines 13-23 “third party software (e.g., libraries, SDKs)”). Claim 3: Barday and Schwarzbauer teach the computer-implemented method of claim 1, further comprising providing, for display within the graphical user interface, the data category indicating the one or more data types by displaying one or more of location data, cookie data, camera data, computing device data, demographic data, hit-level data, device usage data, and/or personal identifiable information data processed within the application code (e.g. col. 56, lines 13-23 “location-based services … tracking (e.g., cookies) … IP address”). Claim 4: Barday and Schwarzbauer teach the computer-implemented method of claim 1, further comprising providing, for display within the graphical user interface, the data category indicating the one or more data processing purpose types by displaying an application function category, an analytics, category, a digital advertisement targeting category, a data aggregation category, or a debugging category (col. 40, lines 55-63 “displays … the purpose of the campaign … to bill appropriately, manage against quotas, and run analytics”). Claim 5: Barday and Schwarzbauer teach the computer-implemented method of claim 1, further comprising providing, for display within the graphical user interface, the data category by displaying a source for a data processing activity component from the set of data processing activity components, wherein the source comprises an owner entity or a developer for the data processing activity component (col. 7, lines 49-51 “display a heading indicative of the source of the personal data”). Claims 6 and 14: Barday and Schwarzbauer teach claims 1 and 11, further comprising: : receiving, within the graphical user interface, a user interaction with a selectable element for the displayed data category (col. 40, lines 8-10 “a filter tool … Filters 1545”); and based on the user interaction with the selectable element, displaying one or more data processing activity components, from the application code, that correspond to the displayed data category (col. 40, lines 8-10 “to display only the campaigns having certain information associated with them”). Claims 7 and 15: Barday and Schwarzbauer teach claims 1, 11 and 16, further comprising: receiving data processing activity component modifications or data category modifications detected between the application code and an updated version of the application code, wherein the data processing activity component modifications comprise an addition or removal of one or more data processing activity components or the data category modifications comprise an addition or removal of one or more data categories (col. 55, lines 24-31 “analyze the computer code … present the user with a list of differences between the obtained instance of computer code and the previous assessed version … attributes that have … been added”); and providing, for display within the graphical user interface, the data processing activity component modifications or the data category modifications (col. 55, lines 24-31 “analyze the computer code … present the user with a list of differences between the obtained instance of computer code and the previous assessed version … attributes that have … been added”). Claim 8: Barday and Schwarzbauer teach the computer-implemented method of claim 7, further comprising providing, for display within the graphical user interface, a flagging element associated to a display of the data processing activity component to indicate the data processing activity component modifications or to a display of the data category to indicate the data category modifications (fig. 20B, 2035). Claim 13: Barday and Schwarzbauer teach the non-transitory computer-readable medium of claim 11, wherein the operations further comprise determining the data processing activity component modifications between the first version of the input application code and the second version of the input application code by identifying an addition or removal of a data processing activity component between the set of detected data processing activity components and the additional set of detected data processing activity components (col. 55, lines 24-31 “analyze the computer code … present the user with a list of differences between the obtained instance of computer code and the previous assessed version … attributes that have … been added”). Claim 18: Barday and Schwarzbauer teach the system of claim 17, wherein the processing hardware is configured to cause the system to determine the data categories for the one or more data processing activity components by: identifying a data type corresponding to a data processing activity component from the one or more data processing activity components, wherein the data type comprises location data, cookie data, camera data, computing device data, demographic data, hit-level data, device usage data, or personal identifiable information data (e.g. col. 56, lines 13-23 “location-based services … tracking (e.g., cookies) … IP address”); and utilizing the data type to assign the data processing activity component with a data category (col. 52, 19-25 “analyzes the computer code to determine a plurality of privacy-related attributes … the types of personal information the computer code collects and/or accesses”). Claim 19: Barday and Schwarzbauer teach the system of claim 17, wherein the processing hardware is configured to cause the system to determine the data categories for the one or more data processing activity components by: identifying a data processing purpose type corresponding to a data processing activity component from the one or more data processing activity components, where the data processing purpose type comprises utilization for application function, analytics, digital advertisement targeting, data aggregation, or debugging (col. 40, lines 55-63 “displays … the purpose of the campaign … to bill appropriately, manage against quotas, and run analytics”); and utilizing the data processing purpose type to assign the data processing activity component with a data category (col. 40, lines 55-63 “displays … the purpose of the campaign … to bill appropriately, manage against quotas, and run analytics”). Claim 20: Barday and Schwarzbauer teach the system of claim 17, wherein the processing hardware is configured to cause the system to determine data categories for the one or more data processing activity components by: determining a first data category associated with a first set of data processing activity components from the one or more data processing activity components grouped by a first data type (col. 52, 19-25 “analyzes the computer code to determine a plurality of privacy-related attributes … the types of personal information the computer code collects and/or accesses”); and determining a second data category associated with a second set of data processing activity components from the one or more data processing activity components grouped by a second data type (col. 52, 19-25 “analyzes the computer code to determine a plurality of privacy-related attributes … the types of personal information the computer code collects and/or accesses”). Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 9-10 is/are rejected under 35 U.S.C. 103 as being unpatentable over US 11,025,675 to Barday et al. (Barday) in view of US 2022/0156383 to Schwarzbauer et al. (Schwarzbauer)in view of US 2018/0276103 to Woulfe et al. (Woulfe). Claim 9: Barday and Schwarzbauer teach the computer-implemented method of claim 1, but do not explicitly teach: providing, for display within a development application graphical user interface presenting the application code, an indicator locating the data processing activity component within the application code. Woulfe teaches: providing, for display within a development application graphical user interface presenting the application code, an indicator locating a data processing activity component within the application code (par. [0053] “a line … highlighted as potentially buggy … The buggy code 122b … can be displayed”, see e.g. Fig. 1c). It would have been obvious at the time of filing to display an indicator locating the data processing activity component within the application code. Those of ordinary skill in the art would have been motivated to do so as a known means of communicating information about problematic code which would have produced only the expected results. Claim 10: Barday, Schwarzbauer and Woulfe teach the computer-implemented method of claim 1, further comprising providing, for display within a development application graphical user interface presenting the application code, an indicator flagging a portion of code from the application code as part of the data category (Woulfe par. [0053] “a line … highlighted”, see e.g. Fig. 1c). Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. US 11,757,907 to Berger et al. and US 2022/0222351 to Levin et al. each teach alternate “detector specifications”. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON D MITCHELL whose telephone number is (571)272-3728. The examiner can normally be reached Monday through Thursday 7:00am - 4:30pm and alternate Fridays 7:00am 3:30pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached at (571)272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JASON D MITCHELL/Primary Examiner, Art Unit 2199