DETAILED ACTION
The present application is being examined under the pre-AIA first to invent provisions.
This Final Office Action is responsive to Applicant's amendment filed on 16 January 2026. Applicant’s amendment on 16 January 2026 amended Claims 1, 2, 8, 9, 12 and 13. Claims 12 and 13 are newly presented. Currently Claims 1, 2, 8, 9, 12, and 13 are pending and have been examined. Claims 3-7, 10, and 11 has been withdrawn. The Examiner notes that the 101 rejection has been withdrawn and further notes that the Double Patenting rejection has been withdrawn necessitated by amendment.
Examiner’s Note
The Examiner notes that upon consultation with the quality group and based on the current guidance from the USPTO, the fact that there is no definition of what the “action” is in the claim leads this to be incredibly broad. Furthermore, the fact that the two entities can be any of a very large number of options also leads to the incredible breadth of the claim. For instance, it looks like a user (first computing element) trying to access a webpage (second computing element) that has permission will be able to access the webpage. Accordingly, it looks like pretty standard abstract authorization techniques using generic computing implementation. However, it has been determined that with more specificity this can be modified to be seen as being an unconventional way of authenticating users in a particular technological environment.
Response to Arguments
Applicant's arguments filed 16 January 2026 have been fully considered but they are not persuasive.
The Applicant argues on pages 1-2 that “The Office Action asserts in item 6 on page 4 that the claimed invention is directed to non-statutory subject matter because the claim(s) 1-11 as a whole, considering all claim elements both individually and in combination, do not amount to significantly more than an abstract idea. The Office Action asserts that “the claim(s) 1-11 is/are directed to the abstract idea of improving security control by organizing management control without significantly more than the judicial exception itself.
Applicant respectfully asserts that the pending claims are directed towards statutory subject matter and do not wholly embrace a judicially recognized exception. In particular, Applicant asserts that the claims do not recite an abstract idea and are not directed to an abstract idea. Even if, arguendo, the claims are “improving security control by organizing management control” that is considered an abstract idea, the elements of the claims when considered, both individually and as an ordered combination, transform the nature of the claims into a patent-eligible application of significantly more than the abstract idea alone. Accordingly, Applicant traverses the position taken in the Office Action for a variety of reasons”.
The Examiner respectfully disagrees.
In response to the arguments in the Examiner notes that the Applicant's argument that the claims do not recite or are not directed to an abstract idea is not persuasive. The abstract idea identified by the Office is not merely "improving security control by organizing management control" as a generalized business concept, but rather the specific concept of: receiving an action request from a computing element, identifying the parties and the requested action, determining whether a direct or multi-step relationship exists between the requesting element and the target element, evaluating authorization based on that identified relationship, and allowing or routing the action accordingly. This is precisely the type of concept that falls within the "mental activity" grouping specifically, managing relationships and interactions of people between computing entities acting on behalf of people, as the core operations of identifying parties, determining relational authority, and deciding whether an action is permitted are evaluations, judgments, and determinations that can practically be performed in the human mind or with pen and paper. Indeed, organizational managers have performed this exact function for centuries determining whether an employee or subordinate has the authority to take a particular action on a particular resource based on their position or relationship within an organizational hierarchy long before computers existed. The fact that these steps are now recited as being performed by a "networked system controller" "without human intervention" does not transform the underlying concept, which remains anchored in the abstract idea of relationship-based authorization. See Alice Corp. v. CLS Bank; In re Killian, (collecting and understanding information to make determinations and identifications remains a mental process even when performed on a computer).
Applicant's alternative argument that even assuming the claims are directed to an abstract idea, the elements as an ordered combination transform the claims into patent-eligible subject matter is similarly unpersuasive. To satisfy Step 2A, Prong Two, the additional elements beyond the abstract idea must integrate the judicial exception into a practical application, such as by improving the functioning of the computer itself or effecting a transformation or reduction of a particular article. Here, the additional elements are: a "networked system controller," a "networked computing system environment," and generic computer functions described at a high level of generality receiving, identifying, determining, and allowing all performed "without human intervention," "dynamically and automatically," and "in real time." The specification itself, at paragraphs [0063], [0104], [0105], [0107], and [0108], expressly characterizes the system as utilizing "conventional computer components," including "a processor, memory storage devices," "remote file Servers, computer Servers and memory storage devices," and notes that the user device and server "generally conform to conventional general purpose computing devices." These characterizations, made by Applicant in the specification, affirmatively establish that the computing elements are generic and conventional, precisely the type of disclosure that precludes a finding that those elements integrate the abstract idea into a practical application. See TLI Communications LLC v. AV Automotive LLC, (specification's description of components as generic and conventional supported a finding that additional elements did not integrate the exception). The qualifiers "without human intervention," "dynamically," "automatically," and "in real time" describe nothing more than standard capabilities of any general-purpose computing system and do not impose a meaningful limitation on the scope of the claim; they are the functional equivalent of the words "apply it on a computer." See Alice Corp., 573 U.S. at 223. Because the claims do not improve computer functionality, do not recite a specific technical solution to a technical problem in the computing arts, and do not describe a non-conventional arrangement of computing components, the abstract idea is not integrated into a practical application, and the claims remain directed to the judicial exception under Step 2A, Prong Two. For these same reasons, the additional elements, considered both individually and in combination, do not amount to significantly more than the abstract idea under Step 2B, and the rejection is therefore maintained.
The Applicant argues on pages 2-3 that “The specification and the claims describe a specific, concrete, practical application of the improving security control by organizing management control that drives improvement in the technological field(s) of computing functionality and more specifically computing/cyber security thus providing improved security control in the field. This improvement in this technological field cannot be performed in the human mind. In particular, the claims implement an unconventional and particular form of control based on the application of a particular control technology that is significantly different from the conventional identity-based and role-based control technology that was conventional at the time of the invention. The invention is a technological improvement in the way networked computers operate, allowing for better control by a computer that was not possible under then-conventional technology.
The claim(s) do not recite mental processes as the specification clearly does not describe the underlining claimed invention as a concept performed in the human mind and the broadest reasonable interpretation (BRI) of the claims in light of the specification does not include a mental process. In particular the claimed invention does not use a computer as a tool to perform conventional mental processes. There is no parallel between the system and the way that human minds control access to resources or make security decisions. Thus, the claimed inventions are not a mental process that can be performed in the human mind as the human mind is not equipped to perform the claim limitations as it is incapable of completing the required networked system monitoring tasks in a practical, accurate, or timely matter.
That the BRI of the claims in light of the specification does not include a mental process is further confirmed by the inclusion of claim language including multiple uses of the language “by a networked system controller, without human intervention” which precludes the identifying, analyzing, and determining steps from being performed in the human mind and/or with the aid of a pen and paper. As amended, the claims require a networked system controller and the limitation that the access control determination is made without human intervention. This captures one of the important benefits of the invention, which is that access control decisions can be made automatically by the networked system controller using the claimed invention, even for a large organization, with a large number of assets and users, and complex security relationships. That was not possible with the conventional identity based and role-based access control technology available at the time of the invention, which required extensive human intervention to maintain and update and thus, did not scale or allow for automation.
As a result, the claims cover inventions that are concrete and provide important improvements to the operation of computers, allowing for new and improved computer management of access to networked resources, and are not directed to abstract subject matter, conventional practices, or human mental activity.”.
The Examiner respectfully disagrees.
In response to the arguments in the Examiner notes that the rejection under 35 U.S.C. 101 is maintained as to all pending claims. Applicant raises two related arguments: first, that the claimed invention cannot be performed in the human mind and therefore does not recite a mental process; and second, that the claims reflect a technological improvement over conventional identity-based and role-based access control (IBAC/RBAC) that integrates the judicial exception into a practical application. The Office addresses each argument in turn.
Regarding the mental process argument, the Office acknowledges the current USPTO guidance consistent with the Federal Circuit's reasoning in SRI International, Inc. v. Cisco Systems, Inc., that claims do not recite a mental process when they contain limitations that cannot practically be performed in the human mind because the human mind is not equipped to perform them. The Office further acknowledges Applicant's argument that the inclusion of "by a networked system controller, without human intervention" in the claims is meaningful. However, this concession regarding the mental processes grouping does not resolve the 101 rejection, because the abstract idea identified by the Office is not premised solely on the mental processes grouping. The core abstract idea receiving a request from one computing element involving another, identifying the parties and the action, determining whether a direct or multi-step relationship exists between them, evaluating authorization based on that relationship, and acting on the determination falls independently within "mental activity". The concept of determining whether an actor has authority over a resource by evaluating the actor's organizational relationship to that resource is a foundational principle of organizational management and governance that has been practiced by humans in structured organizations long before computers existed. The claim's recitation of a "networked system controller" performing this evaluation "without human intervention" automates that organizational concept but does not remove its abstract character; automating a method of organizing human activity does not transform it from a "certain method of organizing human activity" into patent-eligible subject matter. See Alice Corp., ("the mere recitation of a generic computer cannot transform a patent-ineligible abstract idea into a patent-eligible invention").
Regarding the technological improvement argument, the Office has carefully reviewed the specification in accordance with the improvements consideration set forth in MPEP 2106.05(a) and the Kim Memorandum (August 4, 2025). The Office agrees that evaluation of the improvements consideration requires first consulting the specification to determine whether a technological improvement is described, and then evaluating whether the claim itself reflects that disclosed improvement. See Intellectual Ventures I LLC v. Symantec Corp.,; Ex Parte Desjardins, (PTAB Sept. 26, 2025) (precedential). Applying this two-step evaluation, while the specification at paragraphs [0068], [0099]–[0101] describes the Snowflake Platform's rules-based authority hierarchy and security model, and while Applicant characterizes this as an improvement over conventional IBAC/RBAC systems, the critical failing is that the claims themselves do not reflect any particular technical solution to that problem. The claims recite the concept of the improvement at a result-oriented level of abstraction identifying parties, determining relationships, evaluating authorization based on those relationships without reciting the specific components, data structures, algorithms, or technical mechanisms by which the claimed system achieves the asserted improvement over IBAC/RBAC. There is no claim limitation that specifies how the networked system controller traverses, stores, or processes relationships differently from conventional systems; the claims would read on any system that performs relationship-based authorization checking regardless of its internal technical architecture. This is precisely the distinction the court drew in Intellectual Ventures I v. Capital One, where the specification described improvements but the claims themselves lacked limitations that addressed the asserted technical improvement, and in Electric Power Group, LLC v. Alstom S.A., where claims that merely recited the idea of a solution or outcome without specifying how that solution was technically achieved did not integrate the exception into a practical application. Contrast this with SRI Int'l v. Cisco, where the claims specifically recited network monitors analyzing network packets in a particular technical way that could not be practically replicated by the human mind and that improved network security technology through a specific technical mechanism. Here, by contrast, the claims recite only the high-level concept of relationship-based authorization the idea of the solution not a particular technical way of achieving it. Accordingly, the claims do not reflect the technological improvement described in the specification in a manner sufficient to integrate the abstract idea into a practical application under Step 2A, Prong Two, and do not amount to significantly more under Step 2B. The rejection is therefore maintained.
The Applicant argues on pages 3-4 that “Even if, arguendo, the claims recite the Office Action’s proposed judicial exception, the elements of the claims when considered, both individually and as an ordered combination, transform the nature of the claims into a specific patent-eligible practical application of the exception that provides a technical improvement in the crucial security element of computer functionality/capabilities and the technical field of computing/cyber security.
Particularly in view of the amendments made in response to the Examiner’s suggestion, the claims, taken as a whole, include numerous elements that meaningfully limit the scope to a particular, concrete, implementation that is very different from the then-conventional identity and role-based access control technology and that provides the concrete benefits of the inventions, including enabling computers to automatically made fine-grained access control decisions without human intervention and allowing for efficient and scalable control over a wide-range of assets in a secure and complex networked environment. The specificity of the claims as to the context (accessing networked resources and processes) and the particulars of how access determinations are made imposes substantial and meaningful limitations that avoid preemption or monopolization of the broad field of “improving security control by organizing management control” and that differentiate conventional technologies, such as role based or identity-based methods.
There are many ways of “improving security control by organizing management control” and the claims describe a particular, specific and limited method within a practical application.
For example, Claim 1 recites a combination of elements that all take place within a computing environment/system including receiving from a first computing system element an action request that involves a second computing environment element wherein the first and second computing system elements are selected from specific groups and the actions are selected from an identified group. The system controller then identifies the requested action. It then identifies the first and second computing system elements as well and automatically and dynamically without human intervention, determines if there is at least one direct or multi-step relationship between the first computing system element and the second computing system element without being instructed what relationship to look for by the action request. Then the system dynamically and automatically without human intervention determines in real time if the first computing system element is authorized to perform the action, based on the identified at least one direct or multi-step relationship between the first computing system element and the second computing system element, by a computing system controller, without human intervention, analyzing the identified at least one direct or indirect/multi-step relationship between the first computing system element and the second computing system element. The claim, taken as a whole and as an ordered combination of its limitations, thus provides a specific, inventive and unconventional practical application that improves the computer’s functionality and a computer system’s security.
These limitations, including the requesting and obtaining access by a particular first element to a particular second element are not insignificant extra-solution activity. This is because, the invention is based in part on assigning particular relationships to the particular elements and then using those relationships to make access determinations. The specific requesting element and requested element are, therefore, integral to the invention”.
The Examiner respectfully disagrees.
In response to the arguments in the Examiner notes that The rejection under 35 U.S.C. 101 is maintained. Applicant's third argument presents, in substance, four distinct sub-arguments: (1) that the preemptive scope of the claims is narrow and therefore the claims are eligible; (2) that the specificity of the ordered combination of claim limitations transforms the claims into a patent-eligible practical application; (3) that the particular first and second computing system elements are integral to and not extra-solution activity; and (4) that the claims as a whole describe an unconventional implementation different from IBAC/RBAC. Each sub-argument is addressed below.
Regarding preemption, Applicant's observation that "there are many ways of improving security control by organizing management control" and that the claims cover only one specific method is an argument about the narrowness of the claims, which is an argument about lack of complete preemption. The Office acknowledges this argument but notes that preemption is not a standalone test for eligibility and that the absence of complete preemption does not demonstrate that a claim is eligible. See Ariosa Diagnostics, Inc. v. Sequenom, Inc.); MPEP 2106.04(a). The Supreme Court explicitly rejected the proposition that because not all possible uses of a concept are preempted, the claim is patent-eligible. Diamond v. Diehr; Parker v. Flook. Eligibility must be determined under the full Alice/Mayo framework, not by measuring the breadth of preemption, and the Office has done so here.
Regarding the specificity and ordered combination argument, the Office is mindful of its obligation not to oversimplify claim limitations and has carefully evaluated the claims as an ordered combination. However, the critical problem with Applicant's argument is that every element Applicant identifies as rendering the claims specific and inventive receiving a request from a particular first computing element involving a particular second computing element, identifying the action and parties, determining a direct or multi-step relationship, and evaluating authorization based on that relationship is the abstract idea itself, not an additional element beyond the abstract idea. As the Federal Circuit made clear in In re Board of Trustees of Leland Stanford Junior University, and as reiterated in the 2024 Federal Register guidance at page 58136, an improvement in the judicial exception itself is not an improvement in the technology. The claims describe the concept of relationship-based authorization that is the abstract idea in increasing detail, but specificity of an abstract idea, however detailed, does not transform it into patent-eligible subject matter. A narrow abstract idea is still an abstract idea. Synopsys, Inc. v. Mentor Graphics Corp. Applicant has not identified any claim limitation that constitutes a technical element beyond the abstract idea that integrates that idea into a practical application; Applicant's argument merely elaborates on the steps of the abstract idea itself and characterizes those steps as a specific implementation, which is precisely the type of argument the Supreme Court rejected in Alice Corp., where the Court noted that the detailed steps of performing intermediated settlement on a computer system did not escape abstraction simply by virtue of their specificity.
Regarding the argument that the specific first and second computing system elements are integral and not insignificant extra-solution activity, the Office agrees that these elements are central to the claims. However, being central to the claims and being sufficient to integrate an abstract idea into a practical application are two different things. The "first computing system element" is drawn from a broad category (a user or a computer process) and the "second computing system element" is drawn from an equally broad category (a network accessible resource or a network accessible process). These are the broadest possible categories of actors and targets in any networked computing system they do not constrain the claims to any particular technical implementation or architecture. The claim would read equally on any system that determines relationship-based authorization, regardless of how it is technically structured, which is precisely the problem identified in Electric Power Group, LLC v. Alstom S.A.: claims that cover any mode of accomplishing a result without restriction on how that result is technically achieved reciting the effect rather than the mechanism do not integrate the judicial exception into a practical application. As the Memorandum (August 4, 2025) instructs, the central question is whether the claim covers a particular solution to a problem or a particular way to achieve a desired outcome, as opposed to merely claiming the idea of a solution or outcome. Here, the claims claim the idea of the outcome automated relationship-based authorization without specifying the particular technical mechanism, data structure, algorithm, or architectural arrangement by which the networked system controller identifies and traverses relationships in a manner different from any other access control system. Accordingly, the rejection is maintained.
The Applicant argues on page 4 that “The additional elements cannot be characterized as simply “Apply It” because they are specific and unique steps and details as to how to implement this specific solution to access control problems, particularly in a networked environment, and a particular way to achieve a desired outcome and improve existing technology. They are not using the computer merely as a tool to perform an existing or human mental process, and the unconventional combination of claim steps confines the claim to a particular practical and useful application that overcomes disadvantages of the prior art by providing dynamic, fine grained real-time resource instance level security and control, without requiring human intervention.
The specification clearly describes the improvement in sufficient detail such that one of ordinary skill in the art would recognize the claimed invention as providing an improvement. And the claims include the components and steps of the invention that provide the improvement described in the specification. The improvement results in previously unavailable dynamic, real time, resource instance level security & control, as can be recognized by the type of relationships and system operation described in the specification.
As one of skill in the art and the inventor, the undersigned, recognizes the improvement described in the specification as the improvement was necessary because no other method known at that time was able to control the type of systems described in the specification. If it would assist the Office in evaluating the application I, the undersigned, will provide a declaration under 1.132 providing testimony on how one of ordinary skill in the art would interpret the disclosed invention as improving technology and the underlying factual basis for that conclusion. Thus, the claims are directed to eligible subject matter and not a judicial exception.”
The Examiner respectfully disagrees.
With respect to the Argument the Examiner notes that The rejection under 35 U.S.C. 101 is maintained. Applicant's fifth argument raises three primary sub-arguments: (1) the additional elements constitute specific and unique steps that represent a particular way of achieving the desired outcome and therefore are not mere "apply it" instructions; (2) the specification describes the technological improvement in sufficient detail that one of ordinary skill in the art would recognize it; and (3) an offer to submit a declaration under 37 C.F.R. 1.132 from the inventor. Each is addressed below.
Regarding the "apply it" argument, the Office has carefully re-examined the claims in the manner instructed by the August 4, 2025 Memorandum, specifically considering whether the claims recite a particular solution to a problem or a particular way to achieve a desired outcome as opposed to merely claiming the idea of a solution or outcome, and has taken care not to oversimplify the limitations. However, upon this careful review, the claims still fail the test. Applicant describes the outcome produced by the claimed method "dynamic, fine-grained, real-time resource instance level security and control, without requiring human intervention" in persuasive terms, but the critical inquiry is not what outcome the claims produce, but whether the claims recite the specific technical mechanism by which that outcome is achieved. The Federal Circuit in Internet Patents Corp. v. Active Network, Inc., held that a claim "describes 'the effect or result dissociated from any method by which it is accomplished'" and does not provide meaningful limitation when it "merely states that the abstract idea should be applied to achieve a desired result." Evaluating the most critical step of Claim 1 "determining, dynamically and automatically by the networked system controller without human intervention, if there is at least one direct or multi-step relationship between the first computing system element and the second computing system element" and "determining in real time...if the first computing system element is authorized to perform the networked action...by analyzing the identified at least one direct or indirect/multi-step relationship" these limitations state what result is to be achieved (identification and analysis of relationships to determine authorization) without reciting any technical mechanism, data structure, or algorithm by which the networked system controller carries out this determination. Compare this to McRO, Inc. v. Bandai Namco Games Am. Inc., where the claims recited the specific use of particular rules to set morph weights and transitions through phonemes a specific way not merely the desired animated result. The claims here are analogous to a claim to "the desired outcome" rather than to "the specific way the outcome is achieved." Additionally, the qualifiers "dynamic," "automatic," and "real time" do not supply the missing technical mechanism they describe the speed and automation characteristics of the process, and where such characteristics flow solely from the capabilities of the generic computer hardware executing the steps, they do not provide the meaningful limitation required. See FairWarning IP, LLC v. Iatric Sys., Inc.
Regarding the specification argument, the Office has again thoroughly reviewed the specification and acknowledges that paragraphs [0068], [0099] – [0102], [0363]–[0386] describe with some technical detail the "Snowflake Platform" authority hierarchy, the rule-based management system, and the specific authority rules governing manager pages, team managers, and task managers. The Office further acknowledges, as required by MPEP 2106.05(a) and as reinforced by Ex Parte Desjardins, that the specification need not explicitly state the improvement so long as it describes the invention in sufficient detail that the improvement would be apparent to one of ordinary skill in the art. However, even accepting arguendo that the specification adequately describes a technological improvement, the second required step remains unmet: the claim itself must reflect the disclosed improvement. See Intellectual Ventures I LLC v. Symantec Corp. The specific technical elements that could reflect the improvement in the specification the hierarchical Snowflake data structure, the authority rule-sets (manager pages having authority over sub-pages and direct reports, team managers having authority over team members, task managers having authority over task performers), the specific relationship types defined in the specification are conspicuously absent from the claims. The claims are drafted at a level of generality that would encompass any system that performs relationship-based authorization, not specifically the technical architecture described in the specification. In Enfish, the claims specifically recited a self-referential table data structure the specific technical element that constituted the improvement. In Desjardins, the claims specifically recited adjusting values of parameters to optimize performance on a second task while protecting performance on a first task the specific technical mechanism constituting the improvement. Here, the claims do not recite the specific data structure or rule architecture of the Snowflake Platform; they recite only the functional result of that system's operation. The specification describes a more specific invention than what the claims capture, and it is that gap between the specific technical improvement in the specification and the functionally-recited claims that sustains the rejection.
Regarding the offer to submit a declaration under 37 C.F.R. 1.132, the Office notes and acknowledges this offer. Consistent with MPEP 2106.05(a) and the applicable case law, a properly submitted declaration under 1.132 providing testimony on how one of ordinary skill in the art would interpret the disclosed invention as improving technology and the underlying factual basis for that conclusion may be considered by the Office in its evaluation. However, Applicant is cautioned that any such declaration must establish what the specification conveys to one of ordinary skill in the art and cannot be used to supplement the specification itself. See MPEP 716.09. Further, whether the claims reflect the technological improvement described in the specification the core deficiency identified by the Office remains a legal question of claim scope grounded in the language of the claims as written, and a declaration alone will not resolve the disconnect between the specific technical architecture disclosed in the specification and the functionally-oriented claim language presently before the Office. Applicant may submit such a declaration together with any further response, and it will be considered on its merits at that time. The rejection is therefore maintained.
The Applicant argues on pages 4-5 that “With respect to Step 2B, the Office Action states on Page 10 that the additional elements in the claim amount to no more than mere instructions to using a generic computer component. However, the use of the computer is integral to key concepts of the invention which use the specific relationships between elements to enable the computer to make fine-grained access control decisions without human intervention, even in a complex and dynamically changing system. Thus, capturing the benefits of the invention requires the inclusion of the computer, whose functionality and operation is improved in an unconventional way by the claimed invention.
As discussed above, the claims recite new combinations of specific steps in a process that makes the claimed invention a particular new method of providing security and control for a computing system that is unconventional and an inventive concept in the field of computer security and that was not routine or known in the field. This inventive concept is at least a non-conventional and non-generic arrangement of pieces resulting in a new combination of unique steps in the process and thus a new method. The claims as a whole, thus, provide significantly more and an inventive concept by specific limitations that alter how the process steps of computing system access control are performed and integrate the exception into an improved and inventive process for providing security and control within computing systems.
Additionally, if these steps were to be considered extra-solution, they would have to be considered not well-understood, routine or conventional and therefore the claim would be eligible on those grounds even if it was not integrated into a practical application. In summation, Applicant respectfully submits that the claims do not recite an abstract idea. Instead, they provide inventive concepts that provide a technological improvement to the operation of computers in the field of computing security.”
The Examiner respectfully disagrees.
With respect to the Argument the Examiner notes that he rejection under 35 U.S.C. 101 is maintained as to all pending claims. Applicant raises three primary sub-arguments under Step 2B: (1) that the computer's use is integral and its functionality is improved unconventionally; (2) that the ordered combination of steps constitutes a non-conventional, non-generic arrangement amounting to an inventive concept under BASCOM; and (3) that even if the steps constitute extra-solution activity, they are not well-understood, routine, or conventional, and the claim would therefore be eligible on those grounds. The Office addresses each in turn.
Regarding the integral computer argument, the Office acknowledges that the networked system controller is functionally central to the claims and that the "without human intervention" automation is an important benefit of the described system. However, the legal question at Step 2B is not whether the computer is integral or necessary to the claimed process, but whether the combination of additional elements amounts to significantly more than the abstract idea itself. The Supreme Court in Alice Corp. expressly rejected the argument that a computer's indispensability to the process saves the claim, stating that "the mere recitation of a generic computer cannot transform a patent-ineligible abstract idea into a patent-eligible invention," and that even where "a computer is necessary to perform the claimed functions," that alone does not supply the required inventive concept. Alice Corp. Further, the Federal Circuit in Intellectual Ventures I LLC v. Capital One Bank, expressly held that "claiming the improved speed or efficiency inherent with applying the abstract idea on a computer" does not amount to significantly more. The fact that the claimed method allows for faster, automated, large-scale authorization decisions benefits that Applicant attributes to the use of a computer describes improvements in the speed and scale of implementing the abstract idea, not an improvement to the computer's functionality as a technological artifact. The specification itself acknowledges at paragraph [0063] that the processes utilize "conventional computer components" and may be performed using a "heterogeneous distributed computing environment" with "remote file Servers, computer Servers and memory storage devices" all general-purpose computing infrastructure further confirming that the computer here is the tool through which the abstract idea is applied, not a transformed machine.
Regarding the BASCOM-type non-conventional combination argument, the Office has carefully reconsidered the claims as an ordered combination under the framework articulated in BASCOM Global Internet Services v. AT&T Mobility LLC, as required by MPEP 2106.05(d). The Office agrees that an inventive concept can, in principle, be found in a non-conventional and non-generic arrangement of known, conventional pieces, even when each individual component is generic. BASCOM. However, the critical distinction between BASCOM and the present claims must be understood clearly. In BASCOM, the inventive concept was the specific, technically-described architectural arrangement of computing components: the installation of an Internet content filtering tool at a specific location remote from end-users namely at the ISP server with customizable filtering features specific to each individual user account. That arrangement was technically specific because it identified where in the network architecture the filter resided, how it was individualized, and how it interacted with specific account identification to override the conventional sequence of events. The present claims contain no analogous technically-specific arrangement of computer components. The ordered sequence receiving an action request, identifying the requesting and target elements, determining whether a direct or multi-step relationship exists, analyzing that relationship to determine authorization, and allowing or routing the action is a functional sequence that describes the abstract idea itself in ordered steps. Applicant has not identified any limitation in the claims that describes a specific, non-conventional technical architectural arrangement of the networked system controller, its relationship-data store, or any other computing component that is analogous to the specific installation location and customization architecture that provided the inventive concept in BASCOM. The combination of abstract idea steps, even when ordered, does not create a non-conventional technical arrangement of computer components it creates a more detailed description of the abstract idea itself. As the MPEP expressly states and the Supreme Court made clear in Mayo, the "judicial exception alone cannot provide the improvement" and an "inventive concept cannot be furnished by the unpatentable... abstract idea itself." Genetic Techs. Ltd. v. Merial LLC.
Regarding Applicant's final sub-argument that even if the steps constitute extra-solution activity, they would have to be characterized as not well-understood, routine, or conventional, and the claim would therefore be eligible on those grounds this argument misapplies the Step 2B framework in a fundamental way. The well-understood, routine, and conventional (WURC) analysis under Step 2B applies to the additional elements beyond the abstract idea, not to the steps that constitute the abstract idea itself. The abstract idea identifying parties, determining relationships, evaluating authorization based on those relationships is not analyzed under the WURC consideration; rather, the additional computer-implemented elements (the networked system controller, the acts of receiving, identifying, determining, allowing) are what must be evaluated for WURC. Those elements receiving data over a network, identifying data elements, determining outcomes based on comparisons, allowing or routing are precisely the types of generic computer functions that courts have consistently recognized as well-understood, routine, and conventional. See MPEP 2106.05(d), subsection II (identifying as WURC: receiving or transmitting data over a network; performing repetitive calculations; electronic recordkeeping; storing and retrieving information in memory). Applicant's characterization of these elements as novel or unconventional conflates the novelty of the abstract concept (which may indeed be novel as a type of access control method) with the conventionality of the computer functions used to implement it. As the Federal Circuit and the MPEP are explicit: "a claim for a new abstract idea is still an abstract idea. The search for a 101 inventive concept is thus distinct from demonstrating 102 novelty." Synopsys, Inc. v. Mentor Graphics Corp. The novelty or unconventionality of the access control concept itself cannot be transposed onto the conventional computer functions used to implement it, and those conventional computer functions, individually or in combination, do not supply the inventive concept required to render the claims eligible. Accordingly, the 101 rejection is maintained.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1, 2, 8, 9, 12 and 13 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter because the claim(s) 1, 2, 8, 9, 12 and 13 as a whole, considering all claim elements both individually and in combination, do not amount to significantly more than an abstract idea. The claim(s) 1, 2, 8, 9, 12 and 13 is/are directed to the abstract idea of improving security control by organizing management control without significantly more than the judicial exception itself.
Step 1
Regarding Step 1 of the Subject Matter Eligibility Test for Products and Processes, claim(s) (1, 2, 8, 9, 12 and 13) is/are directed to a method and therefore the claims recites a series of steps and, therefore the claims are viewed as falling in statutory categories.
Step 2A Prong 1
The claimed invention is directed to an abstract idea without significantly more. The claim(s) 1-11 recite(s) mental process. Specifically, the independent claims 1, and 8 recite a mental process as drafted, the claim recites the limitation of improving security control by organizing management control by analyzing and determining which is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting a device, server and processor, nothing in the claim precludes the determining step from practically being performed in the human mind. For example, but for a device, server and processor language, the claim encompasses the user determining the management of devices. The mere nominal recitation of a device, server, and processor does not take the claim limitation out of the mental processes grouping. It has been established by ongoing guidance that claims that contain a generic processor are still viewed as mental process when they contain limitations that can practically be performed in the human mind, however this is different for instance when the human mind is not equipped to perform the claim limitations (network monitoring, data encryption for communication, and rendering images). Therefore, these limitations are viewed a mental process. Additionally, with regard to the instant application the Examiner has reviewed the disclosure and determined that the underlying claimed invention is described as a concept that is performed in the human mind and/or with the aid of a pen and paper, and thus it is viewed that the applicant is merely claiming that concept performed 1) on a generic computer, 2) in a computer environment or 3) is merely using a computer as a tool to perform the concept, and therefore is considered to recite a mental process.
Step 2A Prong 2
Specifically, the determined judicial exception is not integrated into a practical application because the generically recited computer elements do not add a meaningful limitation to the abstract idea because they amount to simply implementing the abstract idea on a computer and additionally that data gathering steps required to use the correlation do not add a meaningful limitation to the method as they are insignificant extra-solution activity (including post solution activity).
The claim recites the additional element(s): that a processor is used to perform both the analyzing and determining steps. The processor in both steps is recited at a high level of generality, i.e., as a generic processor performing a generic computer function of processing data (improving security control by organizing management control). This generic processor limitation is no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to the abstract idea.
The claim recites the additional element(s): requesting elements, receiving the request, identifying the request, identifying the action requested, identifying the first element, identifying the second element, identify a relationship, completing the request performs the analyzing and determining steps. The requesting, receiving, identifying and completing steps are recited at a high level of generality (i.e., as a general means of gathering managing data for use in the analyzing and determining steps), and amounts to mere data management, which is a form of insignificant extra-solution activity. The device, server, and processor that performs the analyzing and determining steps are also recited at a high level of generality, and merely automates the analyzing and determining steps. Each of the additional limitations is no more than mere instructions to apply the exception using a generic computer component (the device, server, and processor).
The Examiner has further determined that the claims as a whole does not integrate a judicial exception into a practical application in order to provide an improvement in the functioning of a computer or an improvement to other technology or technical field. It has been determined that based on the disclosure does not provide sufficient details such that one of ordinary skill in the art would recognize the claimed invention as providing an improvement. It has not been provided clearly in the disclosure that the alleged improvement would be apparent to one of ordinary skill in the art, but is instead in a conclusory manner (i.e., a bare assertion of an improvement without the detail necessary to be apparent to a person of ordinary skill in the art, and therefore does not improve the technology. Second, in the instance, which in this case it is not clear that the specification sets forth an improvement in technology, the claim must not reflect the disclosed improvement (the claims must include components or steps of the invention that provide the improvement described in the specification).
For further clarification the Examiner points out that the claim(s) 1, 2, 8, 9, 12 and 13 recite(s) requesting elements, receiving the request, identifying the request, identifying the action requested, identifying the first element, identifying the second element, identify a relationship, analyzing the relationship, and determining authorization and completing the request which are viewed as an abstract idea in the form of a mental process. This judicial exception is not integrated into a practical application because the use of a computer for requesting, receiving, identifying, analyzing, determining and completing which is the abstract idea steps of valuing an idea (improving security control by organizing management control) in the manner of “apply it”.
Thus, the claims recites an abstract idea directed to a mental process (i.e. to improve security control by organizing management control). Using a computer to requesting, receiving, identifying, analyzing, determining and completing the data resulting from this kind of mental process merely implements the abstract idea in the manner of “apply it”.
The dependent claims recite elements that narrow the metes and bounds of the abstract idea but do not provide ‘something more’.
The dependent claims do not remedy these deficiencies.
No dependent claims recite limitations which further limit the claimed analysis of data.
Claims 2 and 9 recites limitations directed to claim language viewed insignificantly extra solution activity.
Using a computer to perform the data processing as claimed is merely implementing the abstract idea in the manner of “apply it” and does not provide significantly more. Additionally with respect to the Berkheimer the Examiner points out that the steps of the claim are viewed to be to nothing more than spell out what it means to apply it on a computer and cannot confer patent-eligibility as there are no additional limitations beyond applying an abstract idea, restricted to a computer. As the claims are merely implementing the abstract idea in the manner of “Apply It” the need for a Berkheimer analysis does not apply and is not required with respect to the currently filed claims the implementing steps can be found in Delany which discloses how the claims alone and in combination are viewed to be well understood, routine and conventional based on point 3 of the Berkheimer memo and subsequent evidence, complying with and providing evidence.
Claims 12 and 13 recites limitations directed to claim language viewed non-functional data labels.
Thus, the problem the claimed invention is directed to answering the question based on gathered and analyzed information about the security management is to be provided to the user. This is not a technical or technological problem but is rather in the realm of business or management of system security and therefore an abstract idea.
Step 2B
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because as discussed with respect to Step 2A Prong Two, the additional element in the claim amounts to no more than mere instructions to apply the exception using a generic computer component.
The same analysis applies here in 2B, i.e., mere instructions to apply an exception using a generic computer component cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B. This is the case because in order for the claims to be viewed as significantly more the claims must incorporate the integral use of a machine to achieve performance of a method, in contrast to where the machine is merely an object on which the method operates, which does not provide significantly more in order for a machine to add significantly more, it must play a significant part in permitting the claimed method to be performed, rather than function solely as an obvious mechanism for permitting a solution to be achieved more quickly. Whether its involvement is extra-solution activity or a field-of-use, i.e., the extent to which (or how) the machine or apparatus imposes meaningful limits on the claim. Use of a machine that contributes only nominally or insignificantly to the execution of the claimed method (e.g., in a data gathering step or in a field-of-use limitation) would not provide significantly more. Additionally, another consideration when determining whether a claim recites significantly more is whether the claim effects a transformation or reduction of a particular article to a different state or thing. "[T]ransformation and reduction of an article ‘to a different state or thing’ is the clue to patentability of a process claim that does not include particular machines. All together the above analysis shows there is not improvement in computer functionality, or improvement to any other technology or technical field. The claim is ineligible.
Additionally, with respect to the Berkheimer as noted above the same analysis applies to the 2B where the claims are viewed as applying it and as such no further analysis is required. However, with respect to the current claims requesting, receiving, identifying, and completing that are viewed as extra solution or post solution activity the Examiner notes that the claims are viewed as well-understood, routine, and conventional because a citation to a publication that demonstrates the well-understood, routine, conventional nature of the additional element(s). An appropriate publication such as the currently cited prior art Delany provides those extra solution activities and is viewed as a form of publication which also includes a book, manual, review article, or other source that describes the state of the art and discusses what is well-known and in common use in the relevant industry. The claim is ineligible.
The dependent claims recite elements that narrow the metes and bounds of the abstract idea but do not provide ‘something more’. Specifically, the dependent claims do not remedy these deficiencies of the independent claims.
With respect to the legal concept of prima facie case being a procedural tool of patent examination, which allocates the burdens going forward between the examiner and the applicant. MPEP § 2106.07 discusses the requirements of a prima facie case of ineligibility. In particular, the initial burden was on the Examiner and believed to be properly provided as to explain why the claim(s) are ineligible for patenting because of the above provided rejection which clearly and specifically points out in accordance with properly providing the requirement satisfying the initial burden of proof based on the Guidance from the United States Patent and Trademark Office and the burden now shifts to the applicant.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Hoffberg (U.S. Patent Publication 9,818,136 B1) discloses a system and method for determining contingent relevance.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN S SWARTZ whose telephone number is (571)270-7789. The examiner can normally be reached Mon-Fri 9:00 - 6:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Boswell Beth can be reached at 571 272-6737. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/S.S.S/Examiner, Art Unit 3625
/BETH V BOSWELL/Supervisory Patent Examiner, Art Unit 3625