Prosecution Insights
Last updated: April 19, 2026
Application No. 18/651,501

ENTITY-LEVEL PRIVACY IN AGGREGATION CONSTRAINTS

Final Rejection §102
Filed: Apr 30, 2024
Examiner: JOO, JOSHUA
Art Unit: 2445
Tech Center: 2400 — Computer Networks
Assignee: Snowflake Inc.
OA Round: 2 (Final)

Grant Probability: 78% (Favorable)
OA Rounds: 3-4
To Grant: 3y 1m
With Interview: 99%

Examiner Intelligence

Grants 78% — above average
Career Allow Rate: 78% (763 granted / 976 resolved; +20.2% vs TC avg)
Interview Lift: +23.4% (strong +23% interview lift; resolved cases with interview)
Typical timeline: 3y 1m avg prosecution; 25 currently pending
Career history: 1001 total applications across all art units

Statute-Specific Performance

§101: 10.5% (-29.5% vs TC avg)
§103: 39.3% (-0.7% vs TC avg)
§102: 13.5% (-26.5% vs TC avg)
§112: 28.5% (-11.5% vs TC avg)
Based on career data from 976 resolved cases

Office Action

§102
Detailed Action

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This Office action is in response to Applicant’s amendment submitted on December 16, 2025. Claims 1-30 are pending in the application.

Response to Arguments/Remarks

Claim Rejections - 35 USC § 102

Claims 1-2, 6-9, 11-12, 16-18, 20-22, 26-29 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Beekman et al. US Patent Publication No. 2022/0277107 (“Beekman”).

Applicant argued to features that are not found in the claims. Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).

Applicant argued that there is no disclosure of SQL-like query semantics, aggregation groups, or a query compiler enforcing constraints on a shared dataset.

In response, the claims do not comprise features of “SQL-like query semantics, aggregation groups, or a query compiler enforcing constraints on a shared dataset.” Therefore, Beekman is not required to disclose the features.

Applicant argued that Beekman’s entities (application objects, users objects) are policy subjects; there are not the “distinct entities” (e.g., customers/households/users in a dataset) identified by unique entity identifiers used in aggregation privacy analysis.

In response, the claims do not define the “entities” such that the claimed entities are distinct from Beekman’s entities. Furthermore, Beekman discloses that “user object 120” can represent a user who can be authorized to access data objects (see para. [0034]) and discloses “entities” as users or applications (para. [0040]).

Applicant argued that there is no teaching of an entity-level privacy constraint that is "based on unique entity identifiers" and dynamically enforced as queries run - e.g., counting distinct entities in each aggregation group and suppressing outputs failing a minimum-entity threshold. Beekman's "entities" (approvers, application objects) are policy principals, not unique entity identifiers drawn from dataset columns.

In response, the claims do not comprise features of “counting distinct entities in each aggregation group and suppressing outputs failing a minimum-entity threshold.” Furthermore, the claims do not specify that the entity identifiers drawn from dataset columns. Beekman’s discloses data policy that constrains access to a dataset, wherein the data policy includes a quorum policy, which requires a threshold number of approving entities (users or applications) from a specified group (para. [0040]). Beekman does not expressly recite “identifiers;” however, Beekman’s quorum policy requires a number of approving entities, such as a set of approving users (para. [0043]), which would require distinctly identifying individual entities, i.e., entity identifiers.

Applicant argued that Beekman is silent on "independently of external transformations" (e.g., masking/projection). Applicant argued that the amendment further includes computing the minimum distinct-entity threshold from original identifier column values, regardless of masking/projection, which is a feature expressly taught in the specification and absent from Beekman.

In response, the claims do not comprise features of computing the minimum distinct-entity threshold from original identifier column values, regardless of masking/projection. The claim also not specify how the minimum number of entities are computed nor does not claim specify the “external transformations.” Beekman discloses that the data policy is defined by a provider of a data object (para. [0017]).
Beekman does not specify that the data policy is determined on unspecified “external transformations” such as masking/projection.

Applicant argued that Beekman's enforcement applies to whether an application can access a data object or be executed in a secure enclave, not enforcement "on the query." Applicant argued that there is no disclosure of rejecting non-aggregated queries, restricting permitted aggregate functions, suppressing small groups, assigning NULL group-by keys, or otherwise altering query outputs based on an entity-level threshold.

In response, the examiner respectfully disagrees. Firstly, the claims do not comprise features of “rejecting non-aggregated queries, restricting permitted aggregate functions, suppressing small groups, assigning NULL group-by keys, or otherwise altering query outputs based on an entity-level threshold.” As such, Beekman is not required to disclose the features. Secondly, Beekman describes access as an example use of data objects (para. [0034]) and accessing data objects require query of the data objects. (For example, see para. [0034],[0061]). The enforcement of policies applies to access, i.e., query, of the data object and the constraint access is determined based on threshold number of approving entities.

Applicant argued that there is no mechanism described to maintain entity privacy across multiple rows/datasets by adjusting query results. Beekman's "output" is the application's execution behavior conditioned on policy authorization; it is not a database query result that has been privacy-filtered by an aggregation constraint.

In response, the argued features “mechanism… to maintain entity privacy across multiple rows/datasets by adjusting query results and a database query result that has been privacy-filtered by an aggregation constraint” are not found in the claims and thus are not required by Beekman.

Applicant argued that Beekman’s “threshold number of approving entities” is about authorization to access a data object, not computing whether an aggregation group contains a minimum number of distinct dataset entities identified by “unique entity identifiers.”

In response, the claims do not specify the entities are “distinct dataset entities” or “computing whether an aggregation group contains a minimum number of distinct dataset entities.”

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless – (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-2, 6-9, 11-12, 20-22, 26-29 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Beekman et al. US Patent Publication No. 2022/0277107 (“Beekman”).

Regarding claim 1, Beekman teaches the invention as claimed including a method comprising:

receiving a query directed towards a shared dataset, the shared dataset comprising one or more data entries associated with one or more distinct entities, each entity of the one or more distinct entities being identifiable by one or more unique entity identifiers (para. [0026] data objects 106 associated with the account are available to users or devices that have access to the account. para.
[0034] user object 120 can represent a user, such as a human user, who can be authorized to use (e.g., access) data objects 106);

implementing, by at least one hardware processor, an entity-level privacy constraint, the entity-level privacy constraint comprising a dynamic aggregation constraint based on the one or more unique entity identifiers (para. [0040] each data policy 126 may specify one or more conditions (or other instructions) for the use of one or more associated data objects 106. para. [0042] policy 182 may include workflow policies, application policies, node policies, cryptographic policies, user policies…);

determining that the one or more unique entity identifiers satisfy a threshold condition, the threshold condition comprising a minimum number of entities that are computed independently of external transformations (para. [0017] provider of a data object can define a data policy. para. [0040] data policy can further specify a quorum policy, in which case use of the associated data object 106 requires approval from at least a threshold number of approving entities);

enforcing the entity-level privacy constraint on the query based on determining the one or more unique entity identifiers satisfy the threshold condition (para. [0040] specify cryptography-related properties that can be enforced by the workflow system 102 specify authorized node objects 116, application objects 114, user objects 120, and/or device objects 122 that are permitted to use the associated data objects 106. para. [0042] policy 182 may include… application policies, node policies, cryptographic policies, user policies… para. [0047] user policy); and

generating an output to the query based on the entity-level privacy constraint and the dynamic aggregation constraint while maintaining entity-level privacy associated with the one or more distinct entities (para. [0049] data policy can have usage constraints.
permission can be granted to a specific user account, and permission can be one-time, number of uses, or during a period of time. dataset can share the dataset with other users, but access to the dataset by other users is constrained by the data policy associated with the dataset and the credentials needed to access the dataset).

Regarding claim 11, Beekman teaches a system comprising: one or more hardware processors of a machine; and at least one memory storing instructions that, when executed by the one or more hardware processors, cause the system to perform operations comprising:

receiving a query directed towards a shared dataset, the shared dataset comprising one or more data entries associated with one or more distinct entities, each entity of the one or more distinct entities being identifiable by one or more unique entity identifiers (para. [0026] data objects 106 associated with the account are available to users or devices that have access to the account. para. [0034] user object 120 can represent a user, such as a human user, who can be authorized to use (e.g., access) data objects 106);

implementing, by at least one hardware processor, an entity-level privacy constraint, the entity-level privacy constraint comprising a dynamic aggregation constraint based on the one or more unique entity identifiers (para. [0040] each data policy 126 may specify one or more conditions (or other instructions) for the use of one or more associated data objects 106. para. [0042] policy 182 may include workflow policies, application policies, node policies, cryptographic policies, user policies…);

determining that the one or more unique entity identifiers satisfy a threshold condition, the threshold condition comprising a minimum number of entities that are computed independently of external transformations (para. [0017] provider of a data object can define a data policy. para.
[0040] data policy can further specify a quorum policy, in which case use of the associated data object 106 requires approval from at least a threshold number of approving entities);

enforcing the entity-level privacy constraint on the query based on determining the one or more unique entity identifiers satisfy the threshold condition (para. [0040] specify cryptography-related properties that can be enforced by the workflow system 102 specify authorized node objects 116, application objects 114, user objects 120, and/or device objects 122 that are permitted to use the associated data objects 106. para. [0042] policy 182 may include… application policies, node policies, cryptographic policies, user policies… para. [0047] user policy); and

generating an output to the query based on the entity-level privacy constraint and the dynamic aggregation constraint while maintaining entity-level privacy associated with the one or more distinct entities (para. [0049] data policy can have usage constraints. permission can be granted to a specific user account, and permission can be one-time, number of uses, or during a period of time. dataset can share the dataset with other users, but access to the dataset by other users is constrained by the data policy associated with the dataset and the credentials needed to access the dataset).

Regarding claim 21, Beekman teaches a machine-storage medium embodying instructions that, when executed by a machine, cause the machine to perform operations comprising:

receiving a query directed towards a shared dataset, the shared dataset comprising one or more data entries associated with one or more distinct entities, each entity of the one or more distinct entities being identifiable by one or more unique entity identifiers (para. [0026] data objects 106 associated with the account are available to users or devices that have access to the account. para.
[0034] user object 120 can represent a user, such as a human user, who can be authorized to use (e.g., access) data objects 106);

implementing, by at least one hardware processor, an entity-level privacy constraint, the entity-level privacy constraint comprising a dynamic aggregation constraint based on the one or more unique entity identifiers (para. [0040] each data policy 126 may specify one or more conditions (or other instructions) for the use of one or more associated data objects 106. para. [0042] policy 182 may include workflow policies, application policies, node policies, cryptographic policies, user policies…);

determining that the one or more unique entity identifiers satisfy a threshold condition, the threshold condition comprising a minimum number of entities that are computed independently of external transformations (para. [0017] provider of a data object can define a data policy. para. [0040] data policy can further specify a quorum policy, in which case use of the associated data object 106 requires approval from at least a threshold number of approving entities);

enforcing the entity-level privacy constraint on the query based on determining the one or more unique entity identifiers satisfy the threshold condition (para. [0040] specify cryptography-related properties that can be enforced by the workflow system 102 specify authorized node objects 116, application objects 114, user objects 120, and/or device objects 122 that are permitted to use the associated data objects 106. para. [0042] policy 182 may include… application policies, node policies, cryptographic policies, user policies… para. [0047] user policy); and

generating an output to the query based on the entity-level privacy constraint and the dynamic aggregation constraint while maintaining entity-level privacy associated with the one or more distinct entities (para. [0049] data policy can have usage constraints.
permission can be granted to a specific user account, and permission can be one-time, number of uses, or during a period of time. dataset can share the dataset with other users, but access to the dataset by other users is constrained by the data policy associated with the dataset and the credentials needed to access the dataset).

Regarding claim 2, Beekman teaches the method of claim 1, further comprising: determining the one or more unique entity identifiers fails to comply with the dynamic aggregation constraint; and in response to the determining, excluding the one or more unique entity identifiers from the output to the query (para. [0017] prevents use of a data object if the data policy associated with the data object is not satisfied. para. [0042] policy 182 may include workflow policy, application policies, node policies, cryptographic policies, user policies… quorum approval policy can also be specified for a workflow policy so that requests to execute the workflow are approved conditionally).

Regarding claim 6, Beekman teaches the method of claim 1, further comprising: determining whether the query is a valid query based, at least in part, on a minimum number of the one or more unique entity identifiers; and rejecting the query based on determining that the query is invalid (para. [0017] prevents use of a data object if the data policy associated with the data object is not satisfied. para. [0042] quorum approval policy can also be specified for a workflow policy so that requests to execute the workflow are approved conditionally).

Regarding claim 7, Beekman teaches the method of claim 1, wherein the dynamic aggregation constraint ensure that the one or more unique entity identifiers contains a predetermined minimum number of unique entities (para.
[0042] policy 182 may include workflow policy, application policies, node policies, cryptographic policies, user policies… quorum approval policy can also be specified for a workflow policy so that requests to execute the workflow are approved conditionally).

Regarding claim 8, Beekman teaches the method of claim 1, further comprising: providing an entity key user interface to enable a user to specify an attribute to identify the one or more distinct entities within the shared dataset, wherein the attribute is at least one of an identifier attribute or a quasi-identifier attribute (para. [0020] composition user interfaces can also enable users to associate policies with objects. para. [0035] workflow composer UI can present a workflow as an interactive diagram depicting the data objects 106 and one or more of the entity objects 110 of the workflow).

Regarding claim 9, Beekman teaches the method of claim 1, wherein determining that the one or more unique entity identifiers satisfy the threshold condition further comprises: determining that the one or more unique entity identifiers are equal to or greater than a predefined minimum number of entities in an aggregation group (para. [0042] policy 182 may include workflow policy, application policies, node policies, cryptographic policies, user policies… quorum approval policy can also be specified for a workflow policy so that requests to execute the workflow are approved conditionally).

Regarding claim 12, Beekman teaches the system of claim 11, the operations further comprising: determining the one or more unique entity identifiers fails to comply with the dynamic aggregation constraint; and in response to the determining, excluding the one or more unique entity identifiers from the output to the query (para. [0017] prevents use of a data object if the data policy associated with the data object is not satisfied. para.
[0042] policy 182 may include workflow policy, application policies, node policies, cryptographic policies, user policies… quorum approval policy can also be specified for a workflow policy so that requests to execute the workflow are approved conditionally).

Regarding claim 20, Beekman teaches the system of claim 11, wherein determining that the one or more unique entity identifiers satisfy the threshold condition further comprises: determining that the one or more unique entity identifiers are equal to or greater than a predefined minimum number of entities in an aggregation group (para. [0042] policy 182 may include workflow policy, application policies, node policies, cryptographic policies, user policies… quorum approval policy can also be specified for a workflow policy so that requests to execute the workflow are approved conditionally).

Regarding claim 22, Beekman teaches the machine-storage medium of claim 21, the operations further comprising: determining the one or more unique entity identifiers fails to comply with the dynamic aggregation constraint; and in response to the determining, excluding the one or more unique entity identifiers from the output to the query (para. [0017] prevents use of a data object if the data policy associated with the data object is not satisfied. para. [0042] policy 182 may include workflow policy, application policies, node policies, cryptographic policies, user policies… quorum approval policy can also be specified for a workflow policy so that requests to execute the workflow are approved conditionally).

Regarding claim 26, Beekman teaches the machine-storage medium of claim 21, the operations further comprising: determining whether the query is a valid query based, at least in part, on a minimum number of the one or more unique entity identifiers; and rejecting the query based on determining that the query is invalid (para.
[0017] prevents use of a data object if the data policy associated with the data object is not satisfied. para. [0042] quorum approval policy can also be specified for a workflow policy so that requests to execute the workflow are approved conditionally).

Regarding claim 27, Beekman teaches the machine-storage medium of claim 21, wherein the dynamic aggregation constraint ensure that the one or more unique entity identifiers contains a predetermined minimum number of unique entities (para. [0042] policy 182 may include workflow policy, application policies, node policies, cryptographic policies, user policies… quorum approval policy can also be specified for a workflow policy so that requests to execute the workflow are approved conditionally).

Regarding claim 28, Beekman teaches the machine-storage medium of claim 21, the operations further comprising: providing an entity key user interface to enable a user to specify an attribute to identify the one or more distinct entities within the shared dataset, wherein the attribute is at least one of an identifier attribute or a quasi-identifier attribute (para. [0020] composition user interfaces can also enable users to associate policies with objects. para. [0035] workflow composer UI can present a workflow as an interactive diagram depicting the data objects 106 and one or more of the entity objects 110 of the workflow).

Regarding claim 29, Beekman teaches the machine-storage medium of claim 21, wherein determining that the one or more unique entity identifiers satisfy the threshold condition further comprises: determining that the one or more unique entity identifiers are equal to or greater than a predefined minimum number of entities in an aggregation group (para.
[0042] policy 182 may include workflow policy, application policies, node policies, cryptographic policies, user policies… quorum approval policy can also be specified for a workflow policy so that requests to execute the workflow are approved conditionally).

Allowable Subject Matter

Claims 3-5, 10, 13-19, 23-25, 30 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Joshua Joo whose telephone number is 571 272-3966. The examiner can normally be reached on Monday-Friday 7am-3pm EST.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar Louie can be reached on 571 270-1684.
The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JOSHUA JOO/
Primary Examiner, Art Unit 2445

Prosecution Timeline

Apr 30, 2024
Application Filed
Sep 12, 2025
Non-Final Rejection — §102
Dec 16, 2025
Response Filed
Mar 05, 2026
Final Rejection — §102 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12603875
CONNECTION ESTABLISHMENT USING SHARED CERTIFICATE IN GLOBAL SERVER LOAD BALANCING (GSLB) ENVIRONMENT
2y 5m to grant Granted Apr 14, 2026
Patent 12587590
SERVER APPARATUS, MANAGEMENT PROGRAM AND MANAGEMENT SYSTEM
2y 5m to grant Granted Mar 24, 2026
Patent 12580871
RESOURCE DEPLETION DETECTION AND NOTIFICATION IN AN ENTERPRISE FABRIC NETWORK
2y 5m to grant Granted Mar 17, 2026
Patent 12572647
CONNECTING ADVERSARIAL ATTACKS TO NEURAL NETWORK TOPOGRAPHY
2y 5m to grant Granted Mar 10, 2026
Patent 12572475
COMPACT REPRESENTATION OF TRANSITION SEQUENCES FOR SINGLE-STATE STORAGE
2y 5m to grant Granted Mar 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 78%
With Interview (+23.4%): 99%
Median Time to Grant: 3y 1m
PTA Risk: Moderate
Based on 976 resolved cases by this examiner. Grant probability derived from career allow rate.
