DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Applicant(s) Response to Office Action
The response filed on 11/25/2025 has been entered and made of record.
Response to Amendment/Remarks
Claims 1-20 remain pending in the application. Applicant elects group 1 claims 1-7 with traverse.
Examiner thanks applicant for their thoughtful remarks which have been fully considered. The examiner and applicant agree on the overlapping sections within the claims in the analysis for unity of invention. The examiner and applicant disagree on whether or not these overlapping claim elements constitute “special technical features”. Applicant alleges that they do. Examiner is guided by MPEP Rule 1.475 which states, “The expression "special technical features" shall mean those technical features that define a contribution which each of the claimed inventions, considered as a whole, makes over the prior art”. The examiner alleges that the previous restriction requirement and further rejections below provide evidence that the overlapping features do not make a contribution over the prior art. Accordingly, the restriction requirement is final.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1 and 3-5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dunjic (CA 3,056,394 A1), in view of Joshipura (US 2021/0165899 A1).
Regarding claim 1, Dunjic teaches:
“A method comprising: receiving a request (Dunjic, ¶ 21 and 74 third party application requests private data causing application server 180 to communicate with access control server 140) associated with an application that is executing on a client computing system (Dunjic, ¶ 74 third party application is running on client device 110) and requesting access to a dataset comprising a plurality of data records (Dunjic, ¶ 68 teaches protected data for a plurality of accounts) handled by a storage computing system (Dunjic, ¶ 71 and 74 teaches protected data resource 150), wherein each data record of the plurality of data records comprises a plurality of data elements (Dunjic, ¶ 69-70 and 75 secure data includes historical banking transactions, personal information, and account balance); identifying, based on the application, the application requesting access to the dataset (Dunjic, Abstract and ¶ 35 teaches identifying an application state of the application requesting access to determine an access pattern of the application attempting to gain access to the protected data. Dunjic ¶ 75 secure data includes historical banking transactions, personal information, and account balance and an indication of consent that the application server is permitted to access); referencing, based on the purpose, an applicable purpose-based access-control policy to identify an authorization token (Dunjic, ¶ 75-76, access control server 140 provides the access token representing the authorization necessitated by the secure data request and the communication between the application server and the access server to facilitate various functionalities); and providing the authorization token to at least one of the client computing system or the storage computing system (Dunjic, ¶ 75 access control server sends the access token to the application server), wherein the storage computing system provides, based on the authorization token, the client computing system with a view of the dataset having a data element of the plurality of data elements returning modified data in a manner that is compliant with the applicable purpose-based access-control policy (Dunjic, ¶ 64, 74, 76 and 163 protected data resource 150 provides the requested information based on the access token in an access pattern to only display specific parts of the data)”.
Dunjic does not, but in related art, Joshipura teaches:
“identifying, based on the application, a purpose for the application requesting access to the dataset (Joshipura, Fig. 5, ¶ 6, and 38-40 teaches determining the purpose of an access request based on the functions invoked with an application)”.
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Dunjic and Joshipura, to modify the token access control system of Dunjic to include the process to determine purpose of access request for an application as taught in Joshipura. The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
Regarding claim 3, Dunjic and Joshipura teaches:
“The method of Claim 1 (Dunjic and Joshipura teaches the limitations of the parent claims as discussed above), wherein identifying the purpose of the application requesting access to the dataset comprises: accessing a data model for the client computing system, wherein the data model identifies a plurality of processing activities executing on the client computing system and involving the dataset (Dunjic, Abstract and ¶ 35 teaches identifying an application state of the application requesting access to determine an access pattern of the application attempting to gain access to the protected data. Dunjic ¶ 75 secure data includes historical banking transactions, personal information, and account balance and an indication of consent that the application server is permitted to access); identifying the application as a particular processing activity of the plurality of processing activities (Joshipura, Fig. 5, ¶ 6, and 38-40 teaches determining the purpose of an access request based on the functions invoked with an application); and identifying the purpose based on an attribute defined in the data model for the particular processing activity (Joshipura, Fig. 5, ¶ 6, and 38-40 teaches determining the purpose of an access request based on the functions invoked with an application)”.
Regarding claim 4, Dunjic and Joshipura teaches:
“The method of Claim 1 (Dunjic and Joshipura teaches the limitations of the parent claims as discussed above) further comprising: accessing a plurality of data sources used on the storage computing system for handling the dataset (Dunjic, ¶ 69-70 and 75 secure data includes historical banking transactions, personal information, and account balance); identifying that the data element of the plurality of data elements is used for a type of data that is subject to the applicable purpose-based access-control policy (Dunjic, Abstract and ¶ 35 teaches identifying an application state of the application requesting access to determine an access pattern of the application attempting to gain access to the protected data. Dunjic ¶ 75 secure data includes historical banking transactions, personal information, and account balance and an indication of consent that the application server is permitted to access. Dunjic, ¶ 69-70 and 75 secure data includes historical banking transactions, personal information, and account balance); generating the view of the dataset to have the data element containing the modified data in the manner that is compliant with the applicable purpose-based access-control policy (Dunjic, ¶ 64, 74, 76 and 163 protected data resource 150 provides the requested information based on the access token in an access pattern to only display specific parts of the data); and generating the authorization token for the view of the dataset (Dunjic, ¶ 64, 74, 76 and 163 protected data resource 150 provides the requested information based on the access token in an access pattern to only display specific parts of the data)”.
Regarding claim 5, Dunjic and Joshipura teaches:
“The method of Claim 4 (Dunjic and Joshipura teaches the limitations of the parent claims as discussed above), wherein generating the view of the dataset comprises providing the storage computing system with instructions to construct the view of the dataset on the storage computing system (Dunjic, ¶ 64, 74, 76 and 163 protected data resource 150 provides the requested information based on the access token in an access pattern to only display specific parts of the data)”.
Claim(s) 2 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dunjic in view of Joshipura in view of Curbera (US 2018/0082024 A1).
Regarding claim 2, Dunjic and Joshipura teaches:
“The method of Claim 1 (Dunjic and Joshipura teaches the limitations of the parent claims as discussed above)”.
Dunjic and Joshipura does not, but in related art Curbera teaches:
“wherein returning modified data in the manner that is compliant with the applicable purpose-based access-control policy comprises generating the modified data by at least one of anonymizing data returned for the data element, truncating the data returned for the data element, or obfuscating the data returned for the data element (Curbera, ¶ 24 and 134 teaches both anonymizing and obfuscating patient information that was requested based on the access policy)”.
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Dunjic, Curbera and Joshipura, to modify the token access control system of Dunjic and Joshipura to include the process to obfuscate data as taught in Curbera. The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
Claim(s) 6-7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dunjic in view of Joshipura in view of Dunjic (US 2022/0247753 A1) hereinafter Dujic-2.
Regarding claim 6, Dunjic and Joshipura teaches:
“The method as recited in claim 1 (Dunjic and Joshipura teaches the limitations of the parent claims as discussed above)”.
Dunjic and Joshipura does not, but in related art, Dunjic-2 teaches”
“further comprising providing a second authorization token to the at least one of the client computing system or the storage computing system, wherein the storage computing system provides, based on the second authorization token, the client computing system with a second view of the dataset that differs from the view of the dataset (Dunjic-2, Figs. 7, 8, ¶ 105-108 and 111-115 teaches receiving a second request, necessitating a second token which modifies a presentation based on the new token)”.
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Dunjic, Dunjic-2 and Joshipura, to modify the token access control system of Dunjic and Joshipura to include the process use multiple tokens with multiple presentation views as taught in Dunjic-2. The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
Regarding claim 7, Dunjic and Joshipura and Dunjic-2 teaches:
“The method as recited in claim 6 (Dunjic and Joshipura teaches the limitations of the parent claims as discussed above), wherein the second view excludes one or more data records that are present in the view of the dataset (Dunjic-2, Figs. 7, 8, ¶ 105-108 and 111-115 teaches receiving a second request, necessitating a second token which modifies a presentation based on the new token)”.
Conclusion
In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: See PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Stephen T Gundry whose telephone number is (571) 270-0507. The examiner can normally be reached Monday-Friday 9AM-5PM (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/STEPHEN T GUNDRY/Primary Examiner, Art Unit 2435