DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The following is a final office action in response to communications received 02/24/2026. Claims 1, 8, 12, 19 have been amended. Claims 9, 11, 20 have been cancelled. Claims 21-22 are added. Therefore, claims 1-8, 10, 12-19, 21-22 are pending and addressed below.
Response to Amendment
Applicant’s amendments and response to the claims are sufficient to overcome the 35 USC 101 rejection with regard to claims 1-8, 10, 12-19, 21; however, the added claim 22 is rejected under 35 USC 101.
Response to Arguments
Applicant’s arguments filed 03/13/2018 have been fully considered but they are moot in regard to newly added claim 22 based on the new grounds of rejection.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claim 22 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Claim 22 recites in part process steps which, under the broadest reasonable interpretation, are a series of mental processes including an observation, evaluation, judgment or opinion that could be performed in the human mind or with the aid of pencil and paper. If a claim, under its broadest reasonable interpretation, covers a mental process or a mathematical concept but for the recitation of generic computer components, then it falls within the "Mental Process" grouping of abstract ideas. Therefore, claim 22 recites an abstract idea.
This judicial exception is not integrated into a practical application. In particular, the claim recites – at least one processor; and memory storing computer instructions…the processor is recited at a high level of generality (i.e., as a generic processor to receive a request for access to row and column data, apply a policy, and provide a read access to the data), such that it amounts to no more than mere instructions to apply the exception using a generic computer component. As described in MPEP 2106.05(g), limitations that amount to merely adding insignificant extra-solution activity to a judicial exception cannot integrate a judicial exception into a practical application. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore, claim 22 is directed to a judicial exception.
Claim 22 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above, the additional elements of a processor to receive a request for access to row and column data, apply a policy, and provide a read access to the data amount to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Claim 22 is not patent eligible.
Allowable Subject Matter
Claims 1-8, 10, 12-19, 21 are allowed.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Kats et al (Pat. No. US 11941156) in view of Miel et al (Pub. No. US 2024/0250942).
As per claim 1, Kats discloses a method of detecting inconsistencies between privacy policy disclosures and practices, comprising the steps of:
generating dashboard disclosure privacy statements based on dashboard disclosure data for an extension (…managing privacy policy violations…to extract a privacy policy in natural language from a website…parse the privacy policy, thereby generating an intermediate representation that denotes a formal policy…compare behavior of the website against the intermediate representation, thereby detecting at least one violation of the formal policy…enforce the formal policy at least in part by taking a security action in response to the violation…see col.2 line 60-col.3 line 5);
generating privacy policy statements based on privacy policy data for the extension (…an extracted privacy policy may correspond to natural language contents copied from one or more privacy notifications and/or contents of a privacy policy contained in one or more documents located at one or more pages of a website…an intermediate representation may correspond to a compiled set of triples (e.g., subject, action, object) extracted from the natural language security policy using natural language processing, pattern recognition, and/or one or more classifiers…see col. 5 lines 50-55);
determining privacy contradiction data between the dashboard disclosure privacy statements and the privacy policy statements (see fig. 5, col.10, lines 24-48);
generating extension use data for the extension based on data collected during operation of the extension, wherein the generation includes automatically triggering extension behaviors by emulating user interactions and utilizing honeypages to elicit data flows (…the web browser extension may perform the enforcement by enforcing one or more of the triples in the intermediate representation by comparing them against attempted website behavior…for example, the web browser extension may deny requests to ad networks if they are not listed in the policy…the web browser extension may deny requests to third parties if they are not listed in the policy…these violations may be surfaced to the user if found, together with a confidence level…see col.10 lines 5-20); and
determining inconsistencies between extension data practice and an extension privacy policy based on the dashboard disclosure privacy statements, the privacy policy statements, and the extension use data (…the touchscreen of the smartphone displays a webpage having a website menu of links…the webpage also displays various informational links to additional information, including a link to a privacy policy…the link is labeled “privacy,” so a browser extension of the computing device may retrieve documents at the link and generate an intermediate representation (generate an intermediate representation that denotes a formal policy makes it possible to automatically detect violations by comparing behavior of the website against the intermediate representation, see col.4 lines 14-17)…the browser extension may fetch the intermediate representation from a server…the user may select a link in the menu that redirects to a website of a third party not listed in the privacy policy…the browser extension may detect this violation and perform various security actions, such as preventing navigation to the third party website and displaying a notification informing the user of the private policy violation…the level of confidence may be predefined for the type of violation…the level of confidence may be based on a confidence level associated with the parsing of the privacy policy…as the confidence level is high in this example, the browser extension may automatically fill a form for reporting the violation to a relevant regulatory authority…see col.10 lines 24-48).
Kats does not explicitly disclose wherein the generation includes automatically triggering extension behaviors by emulating user interactions and utilizing honeypages to elicit data flows. However Miel discloses wherein the generation includes automatically triggering extension behaviors by emulating user interactions and utilizing honeypages to elicit data flows (…an attack that may exploit certain MFA factors is “Passcode Phishing” (also known as adversary-in-the-middle). Passcode phishing may occur when a bad actor sets up a fake site (e.g., a web portal mimicking the look of a real service portal site) that looks like a legitimate passcode prompt to collect passcodes from users and reuse them to gain fraudulent access. The attacker sends a user through a proxy and retrieves credentials and/or session tokens by manipulating the end user into thinking they are authenticating into a legitimate resource or application…see par. 29).
Therefore one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to use Miel in Kats for including the above limitations because one of ordinary skill in the art would recognize it would further improve techniques for identifying attacks with attempts to thwart multi-factor authentication and provide alternatives to continue authentication that mitigates the risk associated with the attack…see Miel, par. 24.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-form 892).
The following Patents and Papers are cited to further show the state of the art at the time of Applicant’s invention with respect to detecting inconsistencies in data privacy policies.
Chechik et al (Pub. No. US 2023/0231878); “Detecting Phishing Attacks”;
-Teaches phishing pages may attempt to manipulate a user to believe that they are accessing a page of a legitimate digital asset that the user trusts, with which the user shares sensitive information, or the like, in order to obtain sensitive data from the user…see par. 37.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
/GHAZAL B SHEHNI/ Primary Examiner, Art Unit 2499