DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: a classification model configured to…; a privacy risk determination system configured to…; a recommendation system configured to…in claims 1, 3.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11531765. Although the claims at issue are not identical, they are not patentably distinct from each other because Claims of patent application contain every element of claims above instant application or vice versa, and as such they anticipate or anticipated by Instant Application. As to Claims 1, 8, 15, of the Pat. *765 anticipates the claims of the instant application. By way of illustration, consider the respective claim 1 from each disclosure:
Claim 1 of the instant application
Claim 1 of the ‘765 Patent
1. A computing system comprising: a classification model configured to associate a service deployed in a computing environment with a class of services using information related to one or more characteristics of the service and; a privacy risk determination system configured to configured to determine a risk metric indicative of a type of data collected by the service based on the class of services using a risk metric application; and a recommendation system configured to determine a recommendation for an additional service using the risk metric, the additional service collecting the type of data collected by the service and has a lower risk than the service.
1. A method comprising: retrieving, via one or more computing devices and over a network, information related to one or more characteristics of a particular application stored or executing on the one or more computing devices; associating, via the one or more computing devices and based on the information, the particular application with a class of applications; determining, for one or more application in the associated class, a type of personal data collected; determining, for the particular application, a risk metric indicative of a type of personal data collected by the particular application in relation to the type of personal data collected by other applications in the associated class; and recommending, via the one or more computing devices and based on the risk metric, an additional application that collects the type of personal data collected by the particular application and has a lower risk than the particular application.
Claim Rejections – 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim recites a classification model configured to associate a service deployed in a computing environment with a class of services using information related to one or more characteristics of the service….
The limitation of a classification model configured to associate a service deployed in a computing environment with a class of services using information related to one or more characteristics of the service, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. Similarly, the limitation of a privacy risk determination system configured to configured to determine a risk metric indicative of a type of data collected by the service based on the class of services using a risk metric application; and a recommendation system configured to determine a recommendation for an additional service using the risk metric…, as drafted, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor to perform the claimed limitations, amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Claims 1-20 are not patent eligible.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Anderson et al (Pub. No. US 2009/0234683) in view of Belfiore, JR, et al (Pub. No. US 2020/0042716).
As per claim 1, Anderson discloses a computing system comprising: a classification model configured to associate a service deployed in a computing environment with a class of services using information related to one or more characteristics of the service (…the Statistical Model scores individual transactions…credit card transactions are exemplary transactions, but other types of transactions may be scored, such as applications for credit, Internet transactions, payments, checks, debits, etc…each transaction has data fields associated with it…the content of these data fields may be understood as being provided in one of three levels, or types, of representation: Numerical, Low Categorical, and High Categorical…see par. 37); and a privacy risk determination system configured to configured to determine a risk metric indicative of a type of data collected by the service based on the class of services using a risk metric application (see a risk detection system includes a transaction processing component determines likelihood of fraud (the degree of risk) for each transaction by feeding data from various sources into Statistical Model… the Statistical Model scores individual transactions…each transaction has data fields associated with it…the content of these data fields may be understood as being provided in one of three levels, or types, of representation: Numerical, Low Categorical, and High Categorical…when applicable, it creates a record in a profile database and it updates the appropriate record in profile database…par. 37, 44-45). Anderson does not explicitly disclose a recommendation system configured to determine a recommendation for an additional service using the risk metric, the additional service collecting the type of data collected by the service and has a lower risk than the service. However Belfiore discloses a recommendation system configured to determine a recommendation for an additional service using the risk metric, the additional service collecting the type of data collected by the service and has a lower risk than the service (…the cyber control evaluation module determines a target control performance which can be based on the threat profile…the vulnerability assessment can be calculated across each of the predetermined security domains as the predetermined security domains relate to a specific threat to a technology asset identified in the threat profile…the cyber control evaluation module determines target control performance based in part upon the threat scores related to each threat identified within the threat profile…fewer resources may be allocated to protection of low priority assets of the client technology infrastructure…see par. 43-44). Therefore one ordinary skill in the art would have found it obvious before the effective filling date of the claimed invention to use Belfiore in Anderson for including the above limitations because one ordinary skill in the art would recognize it would further improve on cybersecurity risk assessment to identify vulnerabilities in the organization’s computing environment to an assortment of cybersecurity threats…see Belfiore, JR, par. 15.
As per claim 8, Anderson discloses a method comprising: retrieving, via a privacy risk determination system and over a network, information related to one or more characteristics of a service deployed in a computing environment; associating, via a classification model, the service with a class of services using the information (…see a risk detection system includes a transaction processing component determines likelihood of fraud (the degree of risk) for each transaction by feeding data from various sources into Statistical Model… the Statistical Model scores individual transactions…each transaction has data fields associated with it…the content of these data fields may be understood as being provided in one of three levels, or types, of representation: Numerical, Low Categorical, and High Categorical…when applicable, it creates a record in a profile database and it updates the appropriate record in profile database…par. 37, 44-45); determining, via the privacy risk determination system, a risk metric indicative of a type of data collected by the service based on the class of services using a risk metric application (…the Statistical Model scores individual transactions…credit card transactions are exemplary transactions, but other types of transactions may be scored, such as applications for credit, Internet transactions, payments, checks, debits, etc…each transaction has data fields associated with it…the content of these data fields may be understood as being provided in one of three levels, or types, of representation: Numerical, Low Categorical, and High Categorical…see par. 37, 44-45). Anderson does not explicitly disclose recommending, via a recommendation system, an additional service using the risk metric, the additional service collecting the type of data collected by the service and has a lower risk than the service. However Belfiore discloses recommending, via a recommendation system, an additional service using the risk metric, the additional service collecting the type of data collected by the service and has a lower risk than the service (…the cyber control evaluation module determines a target control performance which can be based on the threat profile…the vulnerability assessment can be calculated across each of the predetermined security domains as the predetermined security domains relate to a specific threat to a technology asset identified in the threat profile…the cyber control evaluation module determines target control performance based in part upon the threat scores related to each threat identified within the threat profile…fewer resources may be allocated to protection of low priority assets of the client technology infrastructure…see par. 43-44). Therefore one ordinary skill in the art would have found it obvious before the effective filling date of the claimed invention to use Belfiore in Anderson for including the above limitations because one ordinary skill in the art would recognize it would further improve on cybersecurity risk assessment to identify vulnerabilities in the organization’s computing environment to an assortment of cybersecurity threats…see Belfiore, JR, par. 15.
As per claim 15, Anderson discloses one or more non-transitory computer-readable media storing instructions that, when executed by a computing device, cause the computing device to: retrieve information related to one or more characteristics of a service deployed in a computing environment; associate, via a classification model, the service with a class of services using the information (…see a risk detection system includes a transaction processing component determines likelihood of fraud (the degree of risk) for each transaction by feeding data from various sources into Statistical Model… the Statistical Model scores individual transactions…each transaction has data fields associated with it…the content of these data fields may be understood as being provided in one of three levels, or types, of representation: Numerical, Low Categorical, and High Categorical…when applicable, it creates a record in a profile database and it updates the appropriate record in profile database…par. 37, 44-45); determine a risk metric indicative of a type of data collected by the service based on the class of services using a risk metric application (…the Statistical Model scores individual transactions…credit card transactions are exemplary transactions, but other types of transactions may be scored, such as applications for credit, Internet transactions, payments, checks, debits, etc…each transaction has data fields associated with it…the content of these data fields may be understood as being provided in one of three levels, or types, of representation: Numerical, Low Categorical, and High Categorical…see par. 37, 44-45). Anderson does not explicitly disclose recommend an additional service using the risk metric, the additional service collecting the type of data collected by the service and has a lower risk than the service. However Belfiore discloses recommend an additional service using the risk metric, the additional service collecting the type of data collected by the service and has a lower risk than the service (…the cyber control evaluation module determines a target control performance which can be based on the threat profile…the vulnerability assessment can be calculated across each of the predetermined security domains as the predetermined security domains relate to a specific threat to a technology asset identified in the threat profile…the cyber control evaluation module determines target control performance based in part upon the threat scores related to each threat identified within the threat profile…fewer resources may be allocated to protection of low priority assets of the client technology infrastructure…see par. 43-44). Therefore one ordinary skill in the art would have found it obvious before the effective filling date of the claimed invention to use Belfiore in Anderson for including the above limitations because one ordinary skill in the art would recognize it would further improve on cybersecurity risk assessment to identify vulnerabilities in the organization’s computing environment to an assortment of cybersecurity threats…see Belfiore, JR, par. 15.
As per claims 2, 9, 16, the combination of Anderson and Belfiore discloses wherein the classification model utilizes one or more machine learning tools (Anderson: see par. 128).
As per claims 3, 10, 17, the combination of Anderson and Belfiore discloses wherein the privacy risk determination system is configured to communicate with a central server infrastructure to retrieve the information (Belfiore: see 78-79). The motivation for claims 3, 10, 17 is the same motivation as in claims 1, 8, 15 above.
As per claims 4, 11, 18, the combination of Anderson and Belfiore discloses wherein the service includes at least one of an electronic communication service, a health service, or a financial service (Anderson: see par. 37).
As per claims 5, 12, 19, the combination of Anderson and Belfiore discloses wherein the type of data includes at least one of personal data or location data (Anderson: see par. 43).
As per claims 6, 13, 20, the combination of Anderson and Belfiore discloses wherein the one or more characteristics include at least one of whether the service enables sharing over a network, whether the service incorporates opportunities to purchase the additional service (Anderson: see par. 120-121), whether the service enables an offering of an advertisement, or a content rating for the service.
As per claim 7, the combination of Anderson and Belfiore discloses wherein the recommendation is output via a computing device (Belfiore: see par. 89). The motivation for claim 7 is the same motivation as in claim 1 above.
As per claim 14, the combination of Anderson and Belfiore discloses outputting, via a computing device, the additional service (Belfiore: see par. 89). The motivation for claim 7 is the same motivation as in claim 8 above.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-form 892).
The following Patents and Papers are cited to further show the state of the art at the time of Applicant’s invention with respect to identify applications or services with a low privacy risk profile.
Zhu et al (Pat. No. US 10474827); “Application Recommendation Method and Application Recommendation Apparatus”;
-Teaches rank multiple applications according to security risk values and popularity values of the multiple applications of an application distribution platform, thereby performing recommendation of applications to the user based on the popularity and the security risk…see col.14 lines 25-30.
Bar Joseph et al (Pub. No. US 2018/0330100); “Privacy Risk Assessments”;
-Teaches assigning a privacy risk score to each of the privacy risks based on an analysis of the privacy risk information…see par. 38.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GHAZAL B SHEHNI whose telephone number is (571)270-7479. The examiner can normally be reached Mon-Fri 9am-5pm PCT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached at 5712723951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/GHAZAL B SHEHNI/Primary Examiner, Art Unit 2499