DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Claim Objections
The previously raised objections to claims 1, 19 and 20 have been overcome by Applicant’s amendment and are therefore withdrawn.
The Rejection of Claims Under § 102/103
Applicant's arguments filed on 1/28/2026 have been fully considered but they are not persuasive.
Applicant argues the following:
[Image: media_image1.png]
(Remarks, page 3)
The Examiner respectfully responds: Chitnis clearly discloses a differential privacy policy associated with a specified entity (such as a table or view) (see [0019] and Fig. 2: “the server 120 includes a differential privacy (DP) engine 215 that includes …a policy checker 226….” And see [0022]: “validation of the query 210 can be performed by the policy checker 226. … the policy checker 226 utilizes a whitelist including a set of queries and/or query types/formats that are permitted to be performed based on a given policy. For example, a whitelist may include portions or particular operations of a set of queries that correspond to aggregate functions such as respective functions for determining the smallest value in a particular column, the largest value in a particular column, the average value in a particular column, the standard deviation of the values in a particular column, the number of values in a particular column, and/or the number of records in the table being searched”. The Examiner interprets “the table being searched” as a specified entity (such as a table or view). Because the policy checker 226 utilizes a whitelist including permitted portions or particular operations of a set of queries that correspond to aggregate functions such as respective functions for determining …the number of records in the table being searched based on a differential privacy policy, Chitnis teaches a differential privacy policy associated with a specified entity (such as a table or view)) where the executable logic of the differential privacy policy is evaluated during the query to decide DP applicability (see [0019] and Fig. 2: “the server 120 includes a differential privacy (DP) engine 215 that includes several components corresponding to a DP application programming interface (API)/framework 220”. 
And see [0020]: “the DP API/framework 220 can provide an implementation of such APIs to provide one or more sets of functions that can be exposed to third party users (e.g., analysts) to perform queries on the user data 250.” Chitnis inherently teaches deciding DP applicability during a query because the DP API/framework 220 would not be provided to perform queries without deciding that DP is applicable) and to select a particular privacy budget (see [0026]: “the budget manager 224 may provide a specific query budget for a given health study for performing queries on the user data 250 corresponding to the same health study. If the query budget indicates a sufficient budget for performing the query 210, then the query engine may perform the query 210.” The “sufficient budget for performing the query 210” is the selected particular privacy budget).
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1, 6-11, 13, 16, 19 and 20 are rejected under 35 U.S.C. 102(a)(1) and (a)(2) as being anticipated by Chitnis (US 2021/0173856).
Regarding claims 1, 19 and 20, Chitnis teaches A system (server 120, see Fig. 1 and [0018]) comprising:
at least one hardware processor; and at least one memory storing instructions that cause the at least one hardware processor to perform operations comprising (see Fig. 1 and [0018]: “portions of the computing architecture 200 are described as being implemented by the server 120 and the server 122 of FIG. 1, such as by a processor and/or memory of the server 120 and the server 122”):
receiving a select query to be executed on a set of entities of a database system (see [0020] and Fig. 2: “As illustrated, a query 210 can be received by the server 120.” And see [0019] and Fig. 2: “the server 120 includes a memory 255, which could be implemented as any appropriate memory device, and user data 250. In an example, the user data 250 is included in a blob store (e.g., storing encrypted binary data corresponding to large objects or chunks of data) which acts as a storage layer that may be accessed by the query engine 228 when performing queries.”), the set of entities comprising a specified entity, the specified entity being either a table or a view of a database of the database system (see [0022] and Fig. 2: “validation of the query 210 can be performed by the policy checker 226. … In an example, the policy checker 226 utilizes a whitelist including a set of queries and/or query types/formats that are permitted to be performed based on a given policy. For example, a whitelist may include portions or particular operations of a set of queries that correspond to aggregate functions such as respective functions for determining the smallest value in a particular column, the largest value in a particular column, the average value in a particular column, the standard deviation of the values in a particular column, the number of values in a particular column, and/or the number of records in the table being searched”. The Examiner interprets “the table being searched” as a specified entity.); and
during execution of the select query:
determining that a select differential privacy policy is associated with the specified entity (see [0012]: “a client device can query aggregate user data and receive differentially private user data from any particular server without having the ability to learn/access the underlying aggregate user data. Such implementations provide differential privacy techniques which, when utilized in conjunction with query budgets, can reduce resource requirements while providing provable guarantees regarding privacy and utility/usefulness.” And see [0026]: “In an implementation, the budget manager 224 may provide a specific query budget for a given health study for performing queries on the user data 250 corresponding to the same health study.” When a given health study for performing queries on the user data 250 has a specific query budget, it is determined that a select differential privacy policy is associated with the specified entity);
evaluating the select differential privacy policy for at least a portion of the select query involving the specified entity, the select differential privacy policy comprising logic configured to be executed and cause the following operations to be performed during evaluation of the select differential privacy policy (see [0026]: “the budget manager 224 may provide a specific query budget for a given health study for performing queries on the user data 250 corresponding to the same health study. If the query budget indicates a sufficient budget for performing the query 210, then the query engine may perform the query 210.”):
determining whether differential privacy is to be applied for execution of the select query (see [0012]: “a client device can query aggregate user data and receive differentially private user data from any particular server without having the ability to learn/access the underlying aggregate user data. Such implementations provide differential privacy techniques which, when utilized in conjunction with query budgets, can reduce resource requirements while providing provable guarantees regarding privacy and utility/usefulness.” And see [0026]: “In an implementation, the budget manager 224 may provide a specific query budget for a given health study for performing queries on the user data 250 corresponding to the same health study.” When a given health study for performing queries on the user data 250 has a specific query budget, it is determined that differential privacy is to be applied for execution of the select query); and
determining a select differential privacy budget to be used for execution of the select query in response to determining that differential privacy is to be applied (see [0026]: “the budget manager 224 may provide a specific query budget for a given health study for performing queries on the user data 250 corresponding to the same health study. If the query budget indicates a sufficient budget for performing the query 210, then the query engine may perform the query 210.” The Examiner interprets “a sufficient budget for performing the query 210” as a select privacy budget to be used for execution of the select query); and
in response to determining that differential privacy is to be applied for execution of the select query and that the select differential privacy budget is to be used for execution of the select query (see [0026]: “the budget manager 224 may provide a specific query budget for a given health study for performing queries on the user data 250 corresponding to the same health study. If the query budget indicates a sufficient budget for performing the query 210, then the query engine may perform the query 210.”):
generating a differentially private query result by causing execution of at least the portion of the select query on the specified entity as a differentially private query that uses the select differential privacy budget (see [0030]: “The query engine 228, as mentioned above, can receive the query 210 and perform the query on a database including the user data 250. A set of results from the query 210 can be received by the query engine 228. In an implementation, the results can be stored in the memory 255. Depending on the type of query (e.g., based on the query operation) corresponding to the query 210, the DP noise generator 230 can select a particular differential privacy algorithm to privatize the set of results by including statistical noise in the set of results (e.g., one or more of a Gaussian noise transform and/or a Laplace transform may be used to add statistically calibrated noise).”); and
responding to the select query with a select query result that is based on the differentially private query result (see [0030]: “The DP API/framework 220 can provide the set of results with the noise to the electronic device 110 that originally sent the query 210.”).
Regarding claim 6, Chitnis further discloses wherein the execution of at least the portion of the select query on the specified entity as the differentially private query that uses the select differential privacy budget comprises: determining whether the select differential privacy budget has sufficient privacy budget remaining to execute at least the portion of the select query on the specified entity; and in response to determining that the select differential privacy budget has sufficient remaining budget: executing at least the portion of the select query on the specified entity as a non-differentially private query (see [0029]: “the budget manager 224 can determine how many resources are utilized in an operation included in the query 210 and whether such an operation is permitted in view of a query budget. … Alternatively, if the query budget indicates a sufficient budget for performing the query 210, then the query engine may perform the query 210.”);
receiving an intermediate query result in response to execution of at least the portion of the select query on the specified entity; generating the differentially private query result by applying differential privacy to the intermediate query result (see [0030]: “The query engine 228, as mentioned above, can receive the query 210 and perform the query on a database including the user data 250. A set of results from the query 210 can be received by the query engine 228. In an implementation, the results can be stored in the memory 255. Depending on the type of query (e.g., based on the query operation) corresponding to the query 210, the DP noise generator 230 can select a particular differential privacy algorithm to privatize the set of results by including statistical noise in the set of results (e.g., one or more of a Gaussian noise transform and/or a Laplace transform may be used to add statistically calibrated noise).”); and
adjusting the select differential privacy budget based on the execution of at least the portion of the select query on the specified entity (see [0026]: “the budget manager can utilize advanced composition techniques to deplete the budget in a nonlinear manner after each query is executed.”).
Regarding claim 7, Chitnis further discloses wherein the select differential privacy budget comprises a budget limit that indicates a limit to privacy spending for the select differential privacy budget, wherein the select differential privacy budget comprises a current privacy spend that indicates how much of the select differential privacy budget is currently spent, and wherein the determining of whether the select differential privacy budget has sufficient privacy budget remaining to execute at least the portion of the select query on the specified entity comprises: determining whether executing at least the portion of the select query on the specified entity would cause the current privacy spend to exceed the budget limit (see [0029]: “the budget manager 224 can determine how many resources are utilized in an operation included in the query 210 and whether such an operation is permitted in view of a query budget.”); and
in response to determining that executing at least the portion of the select query on the specified entity would not cause the current privacy spend to exceed the budget limit, determining that the select differential privacy budget has sufficient privacy budget remaining to execute at least the portion of the select query on the specified entity (see [0029]: “if the query budget indicates a sufficient budget for performing the query 210, then the query engine may perform the query 210.”).
Regarding claim 8, Chitnis further discloses wherein the select differential privacy budget comprises a budget limit that indicates a limit to privacy spending for the select differential privacy budget, wherein the select differential privacy budget comprises a current privacy spend that indicates how much of the select differential privacy budget is currently spent, and wherein the determining of whether the select differential privacy budget has sufficient privacy budget remaining to execute at least the portion of the select query on the specified entity comprises: determining whether executing at least the portion of the select query on the specified entity would cause the current privacy spend to exceed the budget limit (see [0029]: “the budget manager 224 can determine how many resources are utilized in an operation included in the query 210 and whether such an operation is permitted in view of a query budget.”); and
in response to determining that executing at least the portion of the select query on the specified entity would cause the current privacy spend to exceed the budget limit, determining that the select differential privacy budget does not have sufficient privacy budget remaining to execute at least the portion of the select query on the specified entity (see [0029]: “If the query budget is not sufficient for performing the query 210, then no results are returned.”).
Regarding claim 9, Chitnis further discloses wherein the select differential privacy budget comprises a budget limit that indicates a limit to privacy spending for the select differential privacy budget, wherein the select differential privacy budget comprises a current privacy spend that indicates how much of the select differential privacy budget is currently spent, and wherein the determining of whether the select differential privacy budget has sufficient privacy budget remaining to execute at least the portion of the select query on the specified entity comprises: determining whether the current privacy spend already exceeds the budget limit (see [0029]: “the budget manager 224 can determine how many resources are utilized in an operation included in the query 210 and whether such an operation is permitted in view of a query budget.”); and
in response to determining that the current privacy spend already exceeds the budget limit, determining that the select differential privacy budget does not have sufficient privacy budget remaining to execute at least the portion of the select query on the specified entity (see [0029]: “If the query budget is not sufficient for performing the query 210, then no results are returned.”).
Regarding claim 10, Chitnis further discloses wherein the applying of differential privacy to the intermediate query result comprises: applying differential privacy to the intermediate query result based on a set of settings provided by the select differential privacy policy (see [0030]: “The query engine 228, as mentioned above, can receive the query 210 and perform the query on a database including the user data 250. A set of results from the query 210 can be received by the query engine 228. In an implementation, the results can be stored in the memory 255. Depending on the type of query (e.g., based on the query operation) corresponding to the query 210, the DP noise generator 230 can select a particular differential privacy algorithm to privatize the set of results by including statistical noise in the set of results (e.g., one or more of a Gaussian noise transform and/or a Laplace transform may be used to add statistically calibrated noise). For example, a first differential privacy algorithm may be selected for a query operation for a count, another type of differential privacy algorithm may be selected for a query operation for an average, and yet another type of differential privacy algorithm may be selected for a query operation for a GROUP BY operation. In an implementation, an amount of statistical noise generated by the DP noise generator 230 can be based on the type of query and the available query budget.”).
Regarding claim 11, Chitnis further discloses wherein the operations comprise: using a privacy budget store to manage one or more differential privacy budgets for use by one or more differential privacy policies, the select differential privacy policy being included by the one or more privacy budgets, the select differential privacy policy being included by the one or more differential privacy policies (see [0026]: “the budget manager 224 may provide a specific query budget for a given health study for performing queries on the user data 250 corresponding to the same health study. … the budget manager can utilize advanced composition techniques to deplete the budget in a nonlinear manner after each query is executed.”).
Regarding claim 13, Chitnis further discloses wherein the select differential privacy budget comprises a select budget time window that indicates when a current privacy spend of the select differential privacy budget is reset, wherein the privacy budget store is configured to reset the current privacy spend of the select differential privacy budget based on the select budget time window, and wherein the current privacy spend indicates how much of the select differential privacy budget is currently been spent (see [0026]: “budget manager 224 may replenish the query budget after a period of time thereby enabling the user to perform additional queries on the user data 250.”).
Regarding claim 16, Chitnis further discloses wherein the specified entity comprises one of a table or a view (see [0022] and Fig. 2: “validation of the query 210 can be performed by the policy checker 226. … In an example, the policy checker 226 utilizes a whitelist including a set of queries and/or query types/formats that are permitted to be performed based on a given policy. For example, a whitelist may include portions or particular operations of a set of queries that correspond to aggregate functions such as respective functions for determining the smallest value in a particular column, the largest value in a particular column, the average value in a particular column, the standard deviation of the values in a particular column, the number of values in a particular column, and/or the number of records in the table being searched”. The Examiner interprets “the table being searched” as a specified entity.).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 2 and 3 are rejected under 35 U.S.C. 103 as being unpatentable over Chitnis (US 2021/0173856) as applied to claim 1 above, and further in view of Sun (US 8,516,604).
Regarding claim 2, Chitnis further discloses wherein the select query is associated with a first user (see [0020]: “the DP API/framework 220 can provide an implementation of such APIs to provide one or more sets of functions that can be exposed to third party users (e.g., analysts) to perform queries on the user data 250.”).
Chitnis fails to teach wherein the operations comprise: receiving, from a second user, a command to associate the select differential privacy policy with either the specified entity or a set of rows of the specified entity; and in response to the command: determining whether the second user has a privilege to associate the select differential privacy policy with either the specified entity or a set of rows of the specified entity; and in response to determining that the second user has the privilege, associating the select differential privacy policy with either the specified entity of a database system or the set of rows based on the command.
However, Sun discloses receiving, from a second user, a command to associate the select (see Claim 16: “wherein the QoS configuration authority authentication circuit is further configured to determine whether a count of QoS policies configured by the user exceeds a threshold of a QoS configuration authority previously provided to the user by the upper-level supplier if the total bandwidth for the QoS guarantees configured by the user does not exceed the total QoS bandwidth, and determine that the user is permitted to configure a QoS policy if the count of QoS policies configured by the user does not exceed the threshold of the QoS configuration authority, indicate that the user has an authority to continue configuring a new QoS policy.”).
Both Chitnis and Sun disclose associating a policy with an entity. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Chitnis by letting the operations comprise: receiving, from a second user, a command to associate the select policy with either the specified entity; and in response to the command: determining whether the second user has a privilege to associate the select policy with either the specified entity; and in response to determining that the second user has the privilege, associating the select policy with either the specified entity based on the command, as taught by Sun. It would have been obvious because doing so predictably achieves the commonly understood benefit of providing flexibility and adaptability to a system by allowing its rules to be changed by authorized users. When Chitnis is modified in view of Sun as described above, they would teach wherein the operations comprise: receiving, from a second user, a command to associate the select differential privacy policy with either the specified entity or a set of rows of the specified entity; and in response to the command: determining whether the second user has a privilege to associate the select differential privacy policy with either the specified entity or a set of rows of the specified entity; and in response to determining that the second user has the privilege, associating the select differential privacy policy with either the specified entity of a database system or the set of rows based on the command.
Regarding claim 3, Chitnis further discloses wherein the select query is associated with a first user (see [0020]: “the DP API/framework 220 can provide an implementation of such APIs to provide one or more sets of functions that can be exposed to third party users (e.g., analysts) to perform queries on the user data 250.”).
Chitnis fails to teach wherein the operations comprise: receiving, from a second user, a command to create the select differential privacy policy; and in response to the command: determining whether the second user has a privilege to create the select differential privacy policy; and in response to determining that the second user has the privilege, generating the select differential privacy policy based on the command.
However, Sun discloses receiving, from a second user, a command to create the select (see Claim 16: “wherein the QoS configuration authority authentication circuit is further configured to determine whether a count of QoS policies configured by the user exceeds a threshold of a QoS configuration authority previously provided to the user by the upper-level supplier if the total bandwidth for the QoS guarantees configured by the user does not exceed the total QoS bandwidth, and determine that the user is permitted to configure a QoS policy if the count of QoS policies configured by the user does not exceed the threshold of the QoS configuration authority, indicate that the user has an authority to continue configuring a new QoS policy.”).
Both Chitnis and Sun disclose associating a policy with an entity. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Chitnis by letting the operations comprise: receiving, from a second user, a command to create the select policy; and in response to the command: determining whether the second user has a privilege to create the select policy; and in response to determining that the second user has the privilege, generating the select policy based on the command, as taught by Sun. It would have been obvious because doing so predictably achieves the commonly understood benefit of providing flexibility and adaptability to a system by allowing its rules to be changed by authorized users. When Chitnis is modified in view of Sun as described above, they would teach wherein the operations comprise: receiving, from a second user, a command to create the select differential privacy policy; in response to the command: determining whether the second user has a privilege to create the select differential privacy policy; and in response to determining that the second user has the privilege, generating the select differential privacy policy based on the command.
Claims 4, 5 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Chitnis (US 2021/0173856) as applied to claim 1 above, and further in view of Li (CN 118153084 A).
Regarding claim 4, Chitnis further discloses wherein the select query is associated with a user (see [0020]: “the DP API/framework 220 can provide an implementation of such APIs to provide one or more sets of functions that can be exposed to third party users (e.g., analysts) to perform queries on the user data 250.”).
Chitnis fails to disclose wherein the determining of whether differential privacy is to be applied for execution of the select query is based on at least one of a role associated with the user, an identifier of the user, an organization associated with the user, or an account associated with the user.
In the same field of endeavor, Li teaches wherein the determining of whether differential privacy is to be applied for execution of the select query is based on at least one of a role associated with the user, an identifier of the user, an organization associated with the user, or an account associated with the user (see Abstract: “The method comprises the steps that roles corresponding to users are allocated based on an RBAC model, and the total privacy budget of the users is determined according to the roles of the users.”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Chitnis by letting the determining of whether differential privacy is to be applied for execution of the select query be based on at least one of a role associated with the user, an identifier of the user, an organization associated with the user, or an account associated with the user, as taught by Li. It would have been obvious because Li states the following: “based on the RBAC model, the user privacy budget can be conveniently managed.” (see Li Abstract, last sentence).
Regarding claim 5, Chitnis further discloses wherein the select query is associated with a user (see [0020]: “the DP API/framework 220 can provide an implementation of such APIs to provide one or more sets of functions that can be exposed to third party users (e.g., analysts) to perform queries on the user data 250.”).
Chitnis fails to disclose wherein the determining of the select differential privacy budget is based on at least one of a role associated with the user, an identifier of the user, an organization associated with the user, or an account associated with the user.
In the same field of endeavor, Li teaches wherein the determining of the select differential privacy budget is based on at least one of a role associated with the user, an identifier of the user, an organization associated with the user, or an account associated with the user (see Abstract: “The method comprises the steps that roles corresponding to users are allocated based on an RBAC model, and the total privacy budget of the users is determined according to the roles of the users.”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Chitnis by letting the determining of the select differential privacy budget be based on at least one of a role associated with the user, an identifier of the user, an organization associated with the user, or an account associated with the user, as taught by Li. It would have been obvious because Li states the following: “based on the RBAC model, the user privacy budget can be conveniently managed.” (see Li Abstract, last sentence).
Regarding claim 12, Chitnis further discloses wherein the current privacy spend indicates how much of the select differential privacy budget is currently spent (see [0026]: “the budget manager can utilize advanced composition techniques to deplete the budget in a nonlinear manner after each query is executed.”).
Chitnis fails to teach wherein the privacy budget store is configured to track a current privacy spend of the select differential privacy budget at either a user level, a role level, an account level, or an organization level.
In the same field of endeavor, Li teaches wherein the privacy budget store is configured to track a current privacy spend of the select differential privacy budget at either a user level, a role level, an account level, or an organization level (see Abstract: “The method comprises the steps that roles corresponding to users are allocated based on an RBAC model, and the total privacy budget of the users is determined according to the roles of the users.”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Chitnis by letting the privacy budget store be configured to track a current privacy spend of the select differential privacy budget at either a user level, a role level, an account level, or an organization level, as taught by Li. It would have been obvious because Li states the following: “based on the RBAC model, the user privacy budget can be conveniently managed.” (see Li Abstract, last sentence).
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Chitnis (US 2021/0173856), further in view of Hockenbrocht (US 2020/0250335), and further in view of Sun (US 8,516,604).
Regarding claim 14, Chitnis further discloses wherein the select query is associated with a first user (see [0020]: “the DP API/framework 220 can provide an implementation of such APIs to provide one or more sets of functions that can be exposed to third party users (e.g., analysts) to perform queries on the user data 250.”).
Chitnis fails to teach wherein the operations comprise: receiving, from a second user, a command to apply a budget refund to the select differential privacy budget; and in response to the command:
However, Hockenbrocht discloses receiving, from a second user, a command to apply a budget refund to the select differential privacy budget; and in response to the command: applying the budget refund to the select differential privacy budget based on the command (see [0020]: “Administrators use the clients 104 to access the DP system 102 and/or database 106 to perform administrative functions such as provisioning other users and/or clients 104, and configuring, maintaining, and auditing usage of the system and/or database. The administrators may access the DP system 102 and database 106 directly via administrative interfaces that allow users with appropriate credentials and access rights to perform the administrative functions.” And see Abstract: “The differentially private security system records the worst-case privacy spend and the query at a log and determines a privacy budget refund based on queries recorded in the log. The differentially private security system applies the determined privacy budget refund to the privacy budget associated with the client.”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Chitnis by letting the operations comprise: receiving, from a second user, a command to apply a budget refund to the select differential privacy budget; and in response to the command: applying the budget refund to the select differential privacy budget based on the command, as taught by Hockenbrocht. It would have been obvious because Hockenbrocht states: “The amount of privacy spend added back to the client's 104 privacy budget is the privacy budget refund. In this manner, use of the database 106 is improved, as privacy budgets are more precise, enabling more accurate handling of queries by the DP system 102.” (see [0049]).
Chitnis modified in view of Hockenbrocht fails to teach determining whether the second user has a privilege to apply
However, Sun discloses determining whether the second user has a privilege to apply (see Claim 16: “wherein the QoS configuration authority authentication circuit is further configured to determine whether a count of QoS policies configured by the user exceeds a threshold of a QoS configuration authority previously provided to the user by the upper-level supplier if the total bandwidth for the QoS guarantees configured by the user does not exceed the total QoS bandwidth, and determine that the user is permitted to configure a QoS policy if the count of QoS policies configured by the user does not exceed the threshold of the QoS configuration authority, indicate that the user has an authority to continue configuring a new QoS policy.”).
Both Sun and Chitnis modified in view of Hockenbrocht disclose applying a change. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Chitnis modified in view of Hockenbrocht by letting the operations comprise: determining whether the second user has a privilege to apply a change; and in response to determining that the second user has the privilege, applying the change, as taught by Sun. It would have been obvious because doing so predictably achieves the commonly understood benefit of increasing security by allowing only changes made by authorized users. When Chitnis modified in view of Hockenbrocht is further changed in view of Sun, they would teach wherein the operations comprise: receiving, from a second user, a command to apply a budget refund to the select differential privacy budget; and in response to the command: determining whether the second user has a privilege to apply the budget refund to the select differential privacy budget; and in response to determining that the second user has the privilege, applying the budget refund to the select differential privacy budget based on the command.
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Chitnis (US 2021/0173856), further in view of Yang (CN 108537055 A), and further in view of Sun (US 8,516,604).
Regarding claim 15, Chitnis further discloses wherein the select differential privacy budget comprises a budget limit that indicates a limit to privacy spending for the select differential privacy budget, wherein the select differential privacy budget comprises a current privacy spend that indicates how much of the select differential privacy budget is currently spent (see [0026]: “the budget manager 224 may provide a specific query budget for a given health study for performing queries on the user data 250 corresponding to the same health study. If the query budget indicates a sufficient budget for performing the query 210, then the query engine may perform the query 210.”), wherein the select query is associated with a first user (see [0020]: “the DP API/framework 220 can provide an implementation of such APIs to provide one or more sets of functions that can be exposed to third party users (e.g., analysts) to perform queries on the user data 250.”).
Chitnis fails to teach wherein the operations comprise: receiving, from a second user, a command to adjust the budget limit of the select differential privacy budget; and in response to the command:
However, Yang discloses receiving, from a second user, a command to adjust the budget limit of the select differential privacy budget; and in response to the command: adjusting the budget limit of the select differential privacy budget based on the command (see Abstract: “The privacy budget allocating and data publishing method includes steps of firstly, setting privacy budget parameters, to be more specific, giving privacy budgets of data by data administrators according to importance degrees of the data, denoting the privacy budgets of the data as epsilon.”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Chitnis by letting the operations comprise: receiving, from a second user, a command to adjust the budget limit of the select differential privacy budget; and in response to the command: adjusting the budget limit of the select differential privacy budget based on the command, as taught by Yang. It would have been obvious because doing so predictably achieves the commonly understood benefit of making the differential privacy policy flexible by enabling a user to adjust the select differential privacy budget.
Chitnis modified in view of Yang fails to teach determining whether the second user has a privilege to adjust the determining that the second user has the privilege, adjusting the
However, Sun discloses determining whether the second user has a privilege to adjust the (see Claim 16: “wherein the QoS configuration authority authentication circuit is further configured to determine whether a count of QoS policies configured by the user exceeds a threshold of a QoS configuration authority previously provided to the user by the upper-level supplier if the total bandwidth for the QoS guarantees configured by the user does not exceed the total QoS bandwidth, and determine that the user is permitted to configure a QoS policy if the count of QoS policies configured by the user does not exceed the threshold of the QoS configuration authority, indicate that the user has an authority to continue configuring a new QoS policy.”).
Both Sun and Chitnis modified in view of Yang disclose applying a change. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Chitnis modified in view of Yang by letting the operations comprise: determining whether the second user has a privilege to apply a change; and in response to determining that the second user has the privilege, applying the change, as taught by Sun. It would have been obvious because doing so predictably achieves the commonly understood benefit of increasing security by allowing only changes made by authorized users. When Chitnis modified in view of Yang is further changed in view of Sun, they would teach wherein the operations comprise: receiving, from a second user, a command to adjust the budget limit of the select differential privacy budget; and in response to the command: determining whether the second user has a privilege to adjust the budget limit of the select differential privacy budget; and in response to determining that the second user has the privilege, adjusting the budget limit of the select differential privacy budget based on the command.
Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Chitnis (US 2021/0173856), further in view of Official Notice 1, and further in view of Sun (US 8,516,604).
Regarding claim 17, Chitnis further discloses wherein the select query is associated with a first user (see [0020]: “the DP API/framework 220 can provide an implementation of such APIs to provide one or more sets of functions that can be exposed to third party users (e.g., analysts) to perform queries on the user data 250.”).
Chitnis fails to teach wherein the operations comprise: receiving, from a second user, a command to clone the specified entity; and in response to the command:
The Examiner takes Official Notice 1 that it is a well-known technique to receive, from a second user, a command to clone the specified entity; and in response to the command: to clone the specified entity to generate a cloned entity; and to associate the select differential privacy policy with the cloned entity.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Chitnis by letting the operations comprise: receiving, from a second user, a command to clone the specified entity; and in response to the command: cloning the specified entity to generate a cloned entity; and associating the select differential privacy policy with the cloned entity, as taught by Official Notice 1. It would have been obvious because cloning a table predictably achieves the commonly understood benefit of facilitating recovery in case of data loss.
Chitnis modified in view of Official Notice 1 fails to teach determining whether the second user has a privilege to
However, Sun discloses determining whether the second user has a privilege to (see Claim 16: “wherein the QoS configuration authority authentication circuit is further configured to determine whether a count of QoS policies configured by the user exceeds a threshold of a QoS configuration authority previously provided to the user by the upper-level supplier if the total bandwidth for the QoS guarantees configured by the user does not exceed the total QoS bandwidth, and determine that the user is permitted to configure a QoS policy if the count of QoS policies configured by the user does not exceed the threshold of the QoS configuration authority, indicate that the user has an authority to continue configuring a new QoS policy.”).
Both Sun and Chitnis modified in view of Official Notice 1 disclose performing an action. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Chitnis modified in view of Official Notice 1 by letting the operations comprise: determining whether the second user has a privilege to perform an action; and in response to determining that the second user has the privilege, performing the action, as taught by Sun. It would have been obvious because doing so predictably achieves the commonly understood benefit of increasing security by allowing only actions performed by authorized users. When Chitnis modified in view of Official Notice 1 is further changed in view of Sun, they would teach wherein the operations comprise: receiving, from a second user, a command to clone the specified entity; and in response to the command: determining whether the second user has a privilege to clone the specified entity; and in response to determining that the second user has the privilege: cloning the specified entity to generate a cloned entity; and associating the select differential privacy policy with the cloned entity.
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Chitnis (US 2021/0173856), further in view of Official Notice 2, and further in view of Sun (US 8,516,604).
Regarding claim 18, Chitnis further discloses wherein the select query is associated with a first user (see [0020]: “the DP API/framework 220 can provide an implementation of such APIs to provide one or more sets of functions that can be exposed to third party users (e.g., analysts) to perform queries on the user data 250.”).
Chitnis fails to teach wherein the operations comprise: receiving, from a second user, a command to clone a specified schema that comprises the specified entity and the select differential privacy policy; and in response to the command:
The Examiner takes Official Notice 2 that it is a well-known technique to receive, from a second user, a command to clone a specified schema that comprises the specified entity and the select differential privacy policy; and in response to the command: cloning the specified schema to generate a cloned schema, the cloned schema comprising a cloned entity that is a clone of the specified entity, the cloned schema comprising a cloned differential privacy policy that is a clone of the select differential privacy policy, the cloned entity being associated with the cloned differential privacy policy, the cloned differential privacy policy being configured to use a different differential privacy budget in place of the select differential privacy budget.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Chitnis by letting the operations comprise: receiving, from a second user, a command to clone a specified schema that comprises the specified entity and the select differential privacy policy; and in response to the command: cloning the specified schema to generate a cloned schema, the cloned schema comprising a cloned entity that is a clone of the specified entity, the cloned schema comprising a cloned differential privacy policy that is a clone of the select differential privacy policy, the cloned entity being associated with the cloned differential privacy policy, the cloned differential privacy policy being configured to use a different differential privacy budget in place of the select differential privacy budget, as taught by Official Notice 2. It would have been obvious because cloning a schema predictably achieves the commonly understood benefit of facilitating recovery in case of data loss.
Chitnis modified in view of Official Notice 2 fails to teach determining whether the second user has a privilege to
However, Sun discloses determining whether the second user has a privilege to (see Claim 16: “wherein the QoS configuration authority authentication circuit is further configured to determine whether a count of QoS policies configured by the user exceeds a threshold of a QoS configuration authority previously provided to the user by the upper-level supplier if the total bandwidth for the QoS guarantees configured by the user does not exceed the total QoS bandwidth, and determine that the user is permitted to configure a QoS policy if the count of QoS policies configured by the user does not exceed the threshold of the QoS configuration authority, indicate that the user has an authority to continue configuring a new QoS policy.”).
Both Sun and Chitnis modified in view of Official Notice 2 disclose performing an action. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Chitnis modified in view of Official Notice 2 by letting the operations comprise: determining whether the second user has a privilege to perform an action; and in response to determining that the second user has the privilege, performing the action, as taught by Sun. It would have been obvious because doing so predictably achieves the commonly understood benefit of increasing security by allowing only actions performed by authorized users. When Chitnis modified in view of Official Notice 2 is further changed in view of Sun, they would teach wherein the operations comprise: receiving, from a second user, a command to clone a specified schema that comprises the specified entity and the select differential privacy policy; and in response to the command: determining whether the second user has a privilege to clone the specified schema; and in response to determining that the second user has the privilege, cloning the specified schema to generate a cloned schema, the cloned schema comprising a cloned entity that is a clone of the specified entity, the cloned schema comprising a cloned differential privacy policy that is a clone of the select differential privacy policy, the cloned entity being associated with the cloned differential privacy policy, the cloned differential privacy policy being configured to use a different differential privacy budget in place of the select privacy budget.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached at 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ZHIMEI ZHU/Examiner, Art Unit 2495