Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Detailed Action
This office action is in response to application 18/867,089 filed on 11/19/2024. Claims 1-5, 7, and 12-23 are pending in this communication, while claims 6 and 8-11 have been canceled.
Priority
This application is a 371 of PCT/US23/86511 12/29/2023 and PRO 63/478,140 12/31/2022. Priority date has been accepted.
Claim Rejections - 35 USC § 103
The following is a quotation of AIA 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-5, 12 & 16 are rejected under AIA 35 U.S.C. 103 as being unpatentable over BENALOH; Josh D. et al. (US 2019/0147188 A1) in view of ROHLOFF; Kurt Ryan et al. (US 2015/0271153 A1).
Regarding Claim 1, BENALOH discloses a method in one or more servers for managing privacy budgets, the method comprising:
…
executing a query to determine, for a group included in the one or more groups, whether there is sufficient privacy budget to store results of analyzing the group, wherein the privacy budget for the group corresponds to a number of times the group can be analyzed, wherein the executing of the query includes {Fig. 6 elements 602, 604, 606, 608 & [0090], “Method 600 continues at block 606, where a query is received. For example, the untrusted telemetry processing code 114 may request that the differential privacy code 117 perform a specific query” … [0091], “Method 600 continues at block 608, where stored values of the counter and privacy budget are obtained” … [0094], “at block 614, where the trusted counter and privacy budget are updated. For example, the trusted counter can be incremented and the privacy budget can be updated”. Examiner’s note: the query on the data is gated on a privacy budget threshold and a counter is updated to track the number of times the data has been queried. [0058] provides a general overview of privacy budget and [0102] provides how a group of data (enclaves) is acted on}:
transmitting, to a first privacy budget service, a first request to consume the privacy budget for the group; receiving, from the first privacy budget service, a first response indicating whether there is sufficient privacy budget to consume the privacy budget for the group {[0050], “These concerns can be addressed by having the verification device 150 and/or … verify the functionality of the differential privacy code 117, enclave code 118, and/or enclave executable 119. For example, the verification module 151 can obtain a copy of the enclave executable and analyze and/or observe execution of the enclave executable. In addition, the verification module can also obtain source or binary versions of the differential privacy code and/or enclave code for individual analysis”. Examiner’s note: Cited verification device 150 serves as claimed ‘first privacy budget service’ to verify privacy budget data. Enclave is for a group of data being queried and further processed to verify privacy budget};
transmitting, to a second privacy budget service, a second request to consume the privacy budget for the group; receiving, from the second privacy budget service, a second response indicating there is sufficient privacy budget to consume the privacy budget for the group {[0051], “a user that considers sharing their telemetry data with the differential privacy code 117 can be assured that their telemetry values will be handled in a secure fashion … The enclave executable 119 can provide a digital certificate with the request that includes a hash of the enclave executable. The client device(s) can provide the digital certificate to the attestation device 140, which can either confirm or deny the validity of the digital certificate. The client device(s) can also confirm that the hash calculated by the verification service matches the hash included in the digital certificate. This allows the client device(s) to confirm that the enclave executable is the same code referenced in the report produced by the verification device 150”. Examiner’s note: Cited attestation device 140 is the claimed second privacy budget service, further attesting the privacy budget service. As mentioned before, enclave data is executed; again the enclave data is queried and processed for privacy budget by attesting a hash with a certificate}; and
determining, based on whether both the first response and the second response indicate that there is sufficient privacy budget, whether there is sufficient privacy budget {Fig. 6 elements 620, 606, 622 & [0097], “Method 600 continues at block 620, where the privacy budget is checked. If privacy budget remains, the method continues back to block 606 to process further queries. Otherwise, the method moves to block 622 where the secure enclave 116 is terminated and no further queries are processed”}.
BENALOH, however, does not explicitly disclose
receiving a plurality of datasets, each of the datasets including respective encrypted data and respective metadata; sorting the plurality of datasets into one or more groups of datasets based on the respective metadata; and …
In an analogous reference ROHLOFF discloses
receiving a plurality of datasets, each of the datasets including respective encrypted data and respective metadata; sorting the plurality of datasets into one or more groups of datasets based on the respective metadata {[0074], “Referring to FIG. 5B, when the intermediary pub-sub instance 130 receives encrypted data with associated metadata, the intermediary pub-sub instance 130 identifies particular consumers (C1, C2, . . . , Cn) whose needs (e.g., whose sets of tags) match with the associated metadata in accordance with a plurality of rules”. Examiner’s note: encrypted data is received with associated metadata to make a set/group of data to be further analyzed}; and …
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify BENALOH’s technique of ‘monitoring and controlling privacy budget of encrypted data preventing excessive query on private data’ for ‘grouping encrypted data in manageable set by following associated meta data’, as taught by ROHLOFF, in order to maintain privacy of data. The motivation is - monitoring and controlling the privacy budget of encrypted data, while organizing it into manageable sets via metadata, provides a high-assurance, scalable approach to data privacy. This strategy ensures that even if encrypted data is subjected to multiple, repeated queries (a common attack vector to de-anonymize data), the cumulative privacy loss remains below a predefined, secure threshold.
All references are inventions in an analogous area, but each invention specifically teaches a particular claimed limitation, and the references mutually cure each other’s deficiencies. When all claimed techniques are combined, they teach the claimed invention. The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims unless addressed separately.
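As an added illustration, not code from the application or from any cited reference, the following Python model walks the claimed flow as recited above: datasets sorted into groups by their metadata, a group key derived by hashing the domain metadata (the claim 12/13 feature), and a budget query that is only satisfied when two independent privacy budget services both grant it. The service class, its budgets and the sample datasets are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample input: each dataset carries an opaque encrypted blob
# (never decrypted here) plus plaintext metadata used only for grouping.
DATASETS = [
    {"encrypted": b"\x8a\x11\x02", "metadata": {"domain": "shop.example", "ts": 1700000000}},
    {"encrypted": b"\x3c\x9f\xee", "metadata": {"domain": "shop.example", "ts": 1700000060}},
    {"encrypted": b"\x77\x00\x41", "metadata": {"domain": "news.example", "ts": 1700000120}},
]

def sort_into_groups(datasets):
    """Group datasets by the domain recorded in their metadata."""
    groups = defaultdict(list)
    for ds in datasets:
        groups[ds["metadata"]["domain"]].append(ds)
    return dict(groups)

def group_key(domain):
    """Key for a group: SHA-256 of the domain metadata, hex-encoded."""
    return hashlib.sha256(domain.encode("utf-8")).hexdigest()

class PrivacyBudgetService:
    """Hypothetical budget service: remaining analyses per group key."""

    def __init__(self, budgets):
        self._remaining = dict(budgets)

    def consume(self, key):
        """Try to spend one unit; return whether budget was sufficient."""
        left = self._remaining.get(key, 0)
        if left <= 0:
            return False
        self._remaining[key] = left - 1
        return True

def has_sufficient_budget(key, first, second):
    """Sufficient only if BOTH independent services grant the request.
    Both are always consulted, so a unit spent at the first service is
    not refunded when the second refuses: this fails closed and never
    lets a group be analysed more often than either service allows."""
    first_ok = first.consume(key)
    second_ok = second.consume(key)
    return first_ok and second_ok

def analyze_groups(datasets, first, second):
    """Execute the budget query before analysing; produce and store an
    output only for groups with sufficient budget (claims 4 and 5)."""
    stored = {}
    for domain, members in sort_into_groups(datasets).items():
        key = group_key(domain)
        if not has_sufficient_budget(key, first, second):
            stored[key] = None        # refrain from analysing the group
            continue
        stored[key] = len(members)    # the stored analysis output
    return stored
```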
Regarding Claim 2, BENALOH as modified by ROHLOFF discloses all the features of claim 1. The combination further discloses
analyzing, prior to the executing of the query, datasets included in the group to produce an output; and in response to determining that there is sufficient privacy budget for the group, storing the output {BENALOH: Fig. 6 & [0097], “Method 600 continues at block 620, where the privacy budget is checked. If privacy budget remains” … [0152], “storing the encrypted telemetry data on a persistent storage device and, as the individual queries are received, retrieving the encrypted telemetry data from the persistent storage device and processing the individual queries”}.
Regarding Claim 3, BENALOH as modified by ROHLOFF discloses all the features of claim 1. The combination further discloses
analyzing, prior to the executing of the query, datasets included in the group to produce an output; and in response to determining that there is insufficient privacy budget for the group, refraining from storing the output budget {BENALOH: Fig. 6 elements 620, 606, 622 & [0097], “Method 600 continues at block 620, where the privacy budget is checked. If privacy budget remains, the method continues back to block 606 to process further queries. Otherwise, the method moves to block 622 where the secure enclave 116 is terminated and no further queries are processed” … [0152]}.
Regarding Claim 4, BENALOH as modified by ROHLOFF discloses all the features of claim 1. The combination further discloses
the executing of the query occurs prior to analyzing the datasets included in the group; the method further comprising: in response to determining that there is sufficient privacy budget for the group: analyzing the datasets included in the group to produce an output, and storing the output {BENALOH: Fig. 6 elements 620, 606, 622 & [0097], “Method 600 continues at block 620, where the privacy budget is checked. If privacy budget remains, the method continues back to block 606 to process further queries” … [0152]}.
Regarding Claim 5, BENALOH as modified by ROHLOFF discloses all the features of claim 1. The combination further discloses
the executing of the query occurs prior to analyzing the datasets included in the group; the method further comprising: in response to determining that there is insufficient privacy budget for the group, refraining from analyzing the datasets included in the group {BENALOH: Fig. 6 elements 620, 606, 622 & [0097], “Method 600 continues at block 620, where the privacy budget is checked. If privacy budget remains, the method continues back to block 606 to process further queries. Otherwise, the method moves to block 622 where the secure enclave 116 is terminated and no further queries are processed” … [0152]}.
Regarding Claim 12, BENALOH as modified by ROHLOFF discloses all the features of claim 1. The combination further discloses
the group includes a set of datasets; the method further comprising: generating, using metadata included in the set of datasets, a key representing the group, wherein the executing of the query includes transmitting a request including the key {ROHLOFF: [0006], “The data processing system can generate, responsive to determining that the first identifier corresponds to the second identifier, one identifier key for both the first identifier and the second identifier” … [0036] … [0074], “Referring to FIG. 5B, when the intermediary pub-sub instance 130 receives encrypted data with associated metadata, the intermediary pub-sub instance 130 identifies particular consumers (C1, C2, . . . Cn) whose needs (e.g., whose sets of tags) match with the associated metadata in accordance with a plurality of rules”. Examiner’s note: encrypted data is received with associated metadata to make a set/group of data to be further analyzed.}
Regarding claim 16, claim 16 is a claim to a system using the method of claim 1. Therefore, claim 16 is rejected for the reasons set forth for claim 1.
Claims 7 & 17-20 are rejected under AIA 35 U.S.C. 103 as being unpatentable over BENALOH; Josh D. et al. (US 2019/0147188 A1) in view of ROHLOFF; Kurt Ryan et al. (US 2015/0271153 A1) and further in view of SALEK; Mahyar et al. (US 2017/0026345 A1).
Regarding Claim 7, BENALOH as modified by ROHLOFF discloses all the features of claim 1. The combination, however, does not explicitly disclose
for each dataset, the metadata for the dataset includes a timestamp; and sorting the plurality of datasets into the one or more groups includes sorting the plurality of datasets based on the respective plurality of timestamps corresponding to the plurality of datasets.
SALEK further discloses
for each dataset, the metadata for the dataset includes a timestamp; and sorting the plurality of datasets into the one or more groups includes sorting the plurality of datasets based on the respective plurality of timestamps corresponding to the plurality of datasets {[0024], “the third-party entity can similarly prepare the data for exchange by determining a second hash value for each record by applying a second hash function to a two-tuple formed of the second identifier and the timestamp” … [0072], “prior to exchanging the data for a merchant location, the data processing system 120 can apply a per-store privacy threshold. For example, the data processing system 120 may compare the number of identifiers or entries in the data set with a threshold (e.g., 100, 500, or 1000) or the threshold over a time interval (e.g., 24 hours, 48 hours, 72 hours, 1 week, 30 days, or 60 days), and block the exchange if the number of entries is less than or equal to the threshold”}.
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify the technique of BENALOH as modified by ROHLOFF, ‘monitoring and controlling privacy budget of encrypted data preventing excessive query on private data for grouping encrypted data in manageable set by following associated meta data’, to ‘associate time-stamp of received encrypted data for processing privacy budget’, as taught by SALEK, in order to maintain privacy of data. The motivation is - monitoring and controlling the privacy budget of encrypted data, while organizing it into manageable sets using data timestamp via metadata, provides a high-assurance, scalable approach to data privacy. This strategy ensures that even if encrypted data is subjected to multiple, repeated queries (a common attack vector to de-anonymize data), the cumulative privacy loss remains below a predefined, secure threshold.
All references are inventions in an analogous area, but each invention specifically teaches a particular claimed limitation, and the references mutually cure each other’s deficiencies. When all claimed techniques are combined, they teach the claimed invention. The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims unless addressed separately.
Regarding claim 17, claim 17 is a claim to a method using the method of claim 1. Therefore, claim 17 is rejected for the reasons set forth for claim 1. The combination, however, does not explicitly disclose
… sorting the plurality of datasets based on the respective plurality of timestamps corresponding to the plurality of datasets …
In an analogous reference SALEK discloses
… sorting the plurality of datasets based on the respective plurality of timestamps corresponding to the plurality of datasets {[0024], “the third-party entity can similarly prepare the data for exchange by determining a second hash value for each record by applying a second hash function to a two-tuple formed of the second identifier and the timestamp” … [0072], “prior to exchanging the data for a merchant location, the data processing system 120 can apply a per-store privacy threshold. For example, the data processing system 120 may compare the number of identifiers or entries in the data set with a threshold (e.g., 100, 500, or 1000) or the threshold over a time interval (e.g., 24 hours, 48 hours, 72 hours, 1 week, 30 days, or 60 days), and block the exchange if the number of entries is less than or equal to the threshold”} …
Regarding claim 18, claim 18 depends from claim 17 and is a claim to a method using the method of claim 3. Therefore, claim 18 is rejected for the reasons set forth for claim 3.
Regarding claim 19, claim 19 depends from claim 17 and is a claim to a method using the method of claim 5. Therefore, claim 19 is rejected for the reasons set forth for claim 5.
Regarding claim 20, claim 20 depends from claim 17 and is a claim to a method using the method of claim 12. Therefore, claim 20 is rejected for the reasons set forth for claim 12.
Allowable subject matter
Claims 13-15 will be allowable if written in independent form with base method claim 1, and claims 21-23 will be allowable if written in independent form with base method claim 17. For allowability, the independent system claim 16 is required to be in the same scope, with limitations equivalent to claims 13-15, as proposed for amended claim 1.
Reasons for allowance: what is missing from the prior art is: generating the key by applying a hashing operation to at least a portion of the metadata included in the set of datasets, wherein the at least a portion of the metadata included in the set of datasets indicates a domain from which the set of datasets was received, and wherein, for a dataset of the plurality of datasets, the encrypted data is representative of an interaction of a user with an online resource.
Therefore, claims 13-15 and 21-23 are objected to.
Conclusion
The following prior art has been consulted but is not applied:
GODEFROID; Patrick et al. (US 12,095,796 B1) – Instruction level threat assessment: “Such descriptive attributes may include, for example, a file name for the package, a hash or other identifier for the package, or other metadata describing the package” … “Clients within the datacenter variously connect to the S3 service using one of five fully qualified domains (listed in region 230). Contact with any of the domains is aggregated as contact with S3 (as indicated in region 231)” … “Such models can also be used forensically, e.g., helping an investigator visualize various aspects of a network and activities that have occurred, and to attribute particular types of actions (e.g., network connections or file accesses) to specific users”.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to QUAZI FAROOQUI whose telephone number is (571) 270-1034 or Quazi.farooqui@USPTO.GOV. The examiner can normally be reached on Monday-Friday 9:00 am to 5:30 pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Bill Korzuch can be reached on (571) 272-7589 or William.Korzuch@USPTO.GOV. The fax phone number for Examiner Farooqui assigned is 571-270-2034.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/QUAZI FAROOQUI/
Primary Examiner, Art Unit 2491