METHOD FOR PROTECTING, BY LEVEL OF SENSITIVITY, PRIVACY OF PERSONAL LOCATION INFORMATION AND EFFICIENTLY RECOVERING SOURCE LOCATION

§103 §112

DETAILED ACTION This communication responsive to the Application No. 18/919,004 filed on October 17, 2024. Claims 1-16 are pending and are directed towards METHOD FOR PROTECTING, BY LEVEL OF SENSITIVITY, PRIVACY OF PERSONAL LOCATION INFORMATION AND EFFICIENTLY RECOVERING SOURCE LOCATION. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Information Disclosure Statement The information disclosure statement (IDS) submitted on 10/17/2024 was Acknowledge. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. Claims 4-14 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 4 recites the limitation “generating a secret key…” which is vague and not clear if this secret key is the same key used in the independent claim or a different secret key. Claims 8-9, 11 recite the limitation "the error range …". There is insufficient antecedent basis for this limitation in the claim. Claim 8 recites the limitation “wherein information used to generate the secret key in addition to the confidential key generation information stored in a safe storage is stored in the error range of the sensitive information” which is vague and not clear. it is not understood how information used to generate the secret key is stored in the error range of the sensitive information. Claims 10 and 14 recite the limitation “the noise range set to the error range of the location information…”. There is insufficient antecedent basis for this limitation in the claim. Claim 10 recites undefined acronym “DMS” which is indefinite. Claims 5-7, 12-13 rejected by dependency. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claim(s) 1-4 and 9-16 are rejected under 35 U.S.C. 103 as being unpatentable over Olumofin et al. US 2017/0053282 A1 (hereinafter “Olumofin”) in view of Krishnan et al. US 2014/0075493 A1 (hereinafter “Krishnan”) As per claims 1 and 16, Olumofin teaches a sensitive information protection and recovery method performed by a privacy control system (cryptographic techniques of private information retrieval (PIR) and homomorphic encryption are used to protect consumer location information. Olumofin, para [0005]), the sensitive information protection and recovery method comprising: performing privacy protection processing for sensitive information of a user adjusted based on a privacy level that is selected according to a service that requests sensitive information (if in step 42 it is determined that the fraud risk score exceeds the threshold, then the server 20 will utilize the location information of the cardholder 12 to adjust the fraud risk score. Olumofin, para [0015])( protects the privacy of the cardholder's location and transaction information from the service providers 16 (recall that the service provider only receives the payment location in encrypted form. Olumofin, para [0016])( the service provider 16 generates a private/public key pair using an additive homomorphic cryptosystem as previously described, and provides the public key to the server 20 of issuer bank 10. In step 82, foe server 22 of service provider id encrypts each location in its location data set (the current location of each mobile device 14 on its network) using the public key. Whenever a mobile subscriber changes location, an encryption of the new location is used to update the data set. Olumofin, para [0017]); and recovering the privacy-protected sensitive information of the user using a secret key that is generated based on the sensitive information (Private Information Retrieval (PIR) and homomorphic encryption are used to provide strong privacy guarantees for cardholders location information. Private Information Retrieval (PIR), as is known in the art, helps to provide access privacy by preventing sensitive information in client queries from being disclosed to a service host during data lookup. Olumofin, para [0016])( the server 22 decrypts the response using the private key to obtain a yes/no answer to the query of whether the payment location is the same as the cardholder location. Olumofin, para [0019]). Olumofin does not explicitly teach the sensitive information of the user adjusted based on the privacy level. However, Krishnan teaches the sensitive information of the user adjusted based on the privacy level (The metadata may include user-clearance level, data sensitivity level, geographic limitations of the data access and/or data storage, where the decryption keys may be stored, and so forth. The metadata may be stored on the enterprise server and may be sent along with the files to client device 160 so that it can store the metadata in an appropriate encrypted store. Data being retrieved from an enterprise may be automatically tagged with metadata for a sensitivity level and placed in the appropriate volume of the encrypted storage in client device 160, based on the sensitivity level… The data may be tagged with sensitivity level and may be stored separately based on sensitivity level. Based on the policies that may include factors like geographic location of access, sensitive data may or may not be provided to client device 160. In some situations (e.g., a distress situation), fake data may be generated and provided to client device 160. For access to data on client device 160, the keys for decrypting the storage corresponding to sensitive data may or may not be provided to client device 160. The enterprise may also tag the data with metadata (e.g., in storage, during transit, based on clearance level needed for access, etc.) for sensitivity levels and the metadata tags may be used by mobile device software for placement in appropriate encrypted storage. The data may also be tagged with metadata to include respective expiration dates for use by an automatic deletion process. Krishnan, para [0043-0044]) Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Olumofin in view of Krishnan. One would be motivated to do so, to enhance the security of the system by adjusting the sensitive information based on privacy level. As per claim 2, Olumofin and Krishnan teach the sensitive information protection and recovery method of claim 1. Olumofin does not explicitly teach wherein the performing of the privacy protection processing comprises setting a privacy protocol registered to the service that requests the sensitive information and adjusting the privacy level for the sensitive information of the user using the set privacy protocol. However, Krishnan teaches wherein the performing of the privacy protection processing comprises setting a privacy protocol registered to the service that requests the sensitive information and adjusting the privacy level for the sensitive information of the user using the set privacy protocol (if data to be securely stored is generated by server 110, the data may be pre-tagged in server 110 with metadata of the data, e.g., by use of content analysis techniques in server 110. If the data is generated locally (e.g., local email), the user may be prompted to indicate whether the local data is personal data or enterprise data. The user may then be prompted for a security level of the data. Higher security levels may be available for enterprise data than for personal data. Alternatively, a cloud-based or enterprise-based service may be provided keywords or a content digest of the data, and be configured to analyze a sensitivity level of the data and provide an appropriate tag. Krishnan, para [0036]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Olumofin in view of Krishnan. One would be motivated to do so, to enhance the security of the system by adjusting the sensitive information based on privacy level. As per claim 3, Olumofin and Krishnan teach the sensitive information protection and recovery method of claim 2, wherein the performing of the privacy protection processing comprises degrading accuracy of location information of the user by reducing the privacy level for the location information of the user when the sensitive information of the user is the location information of the user (that is response=E(r(locp−locc)), where r is a random non-zero integer. The variable r is utilized to blind the result of (locp−locc). Without r, it would be possible for the issuer bank 10 to indiscriminately determine the location of any customer at any time by making a request to the service provider 16, even if the customer was not doing any transaction. Note that the server 22 is able to carry out this computation only having the encrypted value of locp, and therefore is never actually provided with the location of the purchase made by the cardholder 12. Olumofin, para [0015]). As per claim 4, Olumofin and Krishnan teach the sensitive information protection and recovery method of claim 1, wherein the performing of the privacy protection processing comprises generating a secret key for the sensitive information of the user using confidential key generation information and public key generation information based on a key generation mechanism every time the privacy level for the sensitive information of the user is adjusted (the service provider 16 generates a private/public key pair using an additive homomorphic cryptosystem as previously described, and provides the public key to the server 20 of issuer bank 10. In step 82, foe server 22 of service provider id encrypts each location in its location data set (the current location of each mobile device 14 on its network) using the public key. Whenever a mobile subscriber changes location, an encryption of the new location is used to update the data set. Olumofin, para [0017]). As per claim 9, Olumofin and Krishnan teach the sensitive information protection and recovery method of claim 1, wherein the sensitive information of the user is location information of the user (cryptographic techniques of private information retrieval (PIR) and homomorphic encryption are used to protect consumer location information even as it is used to enhance fraud risk scores. Olumofin, para [0005]), and the performing of the privacy protection processing comprises adjusting accuracy of the location information of the user using an encryption technique for the error range set to the location information of the user (the server 20 of the issuer bank 10 decrypts the response using the private key. The result of decrypting E(r(locp−locc)) is either zero or any other random integer. In step 54 the server 20 determines if the payment location and cardholder location are the same or spatially proximal. Locations are spatially proximal if they are located in the same grid. A spatial grid structure having a plurality of cells is utilized to quantize and index locations. A grid can be defined in many ways, provided that each location with a given latitude/longitude is associated with a unique cell of the grid. Olumofin, para [0015]). As per claim 10, Olumofin and Krishnan teach the sensitive information protection and recovery method of claim 9, wherein the performing of the privacy protection processing comprises selecting the noise range set to the error range of the location information of the user at latitude and longitude expressed as an integer in a DMS or a decimal digital (DD) representation and performing encryption or an XOR operation with a key given to the error range of the location information of the user (the server 20 of the issuer bank 10 decrypts the response using the private key. The result of decrypting E(r(locp−locc)) is either zero or any other random integer. In step 54 the server 20 determines if the payment location and cardholder location are the same or spatially proximal. Locations are spatially proximal if they are located in the same grid. A spatial grid structure having a plurality of cells is utilized to quantize and index locations. A grid can be defined in many ways, provided that each location with a given latitude/longitude is associated with a unique cell of the grid… The longitude and latitude of a user's current location will determine the grid used to situate the user. It should be understood, of course, that the cell size need not be limited to the example provided above, and could be any size and shape, e.g., hexagonal, as desired. When the result from step 52 is zero, if means the locp is the same as locc, e.g., is within the same grid, (a “yes” determination); otherwise the locations are not the same, e.g., they are in different grids (a “no” determination). The difference is hidden (blinded with r). If in step 54 it is determined that the payment location (locp) and cardholder location (locc) are the same, then in step 56 the server 20 of the issuer bank 10 uses a negative location score to reduce the fraud risk score, whereas if in step 54 it is determined that the payment location and cardholder location are not the same, then in step 58, it uses a positive location score to increase the fraud risk score. Olumofin, para [0015]). As per claim 11, Olumofin and Krishnan teach the sensitive information protection and recovery method of claim 1, wherein the sensitive information of the user is location information of the user (cryptographic techniques of private information retrieval (PIR) and homomorphic encryption are used to protect consumer location information even as it is used to enhance fraud risk scores. Olumofin, para [0005]), and the recovering comprises recovering the user's location information of which accuracy is adjusted using the error range of the location information of the user and a key given to the error range of the location information of the user (The longitude and latitude of a user's current location will determine the grid used to situate the user. It should be understood, of course, that the cell size need not be limited to the example provided above, and could be any size and shape, e.g., hexagonal, as desired. When the result from step 52 is zero, if means the locp is the same as locc, e.g., is within the same grid, (a “yes” determination); otherwise the locations are not the same, e.g., they are in different grids (a “no” determination). The difference is hidden (blinded with r). If in step 54 it is determined that the payment location (locp) and cardholder location (locc) are the same, then in step 56 the server 20 of the issuer bank 10 uses a negative location score to reduce the fraud risk score, whereas if in step 54 it is determined that the payment location and cardholder location are not the same, then in step 58, it uses a positive location score to increase the fraud risk score. Olumofin, para [0015]). As per claim 12, Olumofin and Krishnan teach the sensitive information protection and recovery method of claim 11, wherein the recovering comprises restoring the location information of the user with the adjusted accuracy to accuracy of original location information at a preset privacy level for the location information of the user (cryptographic techniques of private information retrieval (PIR) and homomorphic encryption are used to protect consumer location information even as it is used to enhance fraud risk scores. Olumofin, para [0005])( the server 20 uses PIR to encode the mobile number of the cardholder into a PIR query, which it forwards to the server 22 of the service provider 16. In step 100, the server 22 encodes a result containing the cardholder location, (locc) using the received query in conjunction with its list of encrypted locations to determine the location of the user. In step 102, the server 22 returns the encoded result, i.e., an encryption of locc, back to the server 20 of the issuer bank 20. Note that because PIR is utilized, the service provider 16 does not learn any information about the mobile number included in the query or the corresponding encrypted cardholder location (locc) that was returned back to the issuer bank 10. In step 104, the server 20 of the issuer bank 10 uses the public key received from the service provider 16 to compute a response that is a homomorphically-blinded encryption of the difference between the payment location (locp) and the cardholder location (locc), that is response=E(r(locp−locc)), where r is a random non-zero integer. Olumofin, para [0019]). As per claim 13, Olumofin and Krishnan teach the sensitive information protection and recovery method of claim 11, wherein the recovering comprises restoring the accuracy of the location information to accuracy lower than accuracy of original location information but higher than the adjusted accuracy through partial decryption within an encrypted area using an encryption technique for the error range of the location information of the user (the server 20 of the issuer bank 10 uses the public key received from the service provider 16 to compute a response that is a homomorphically-blinded encryption of the difference between the payment location (locp) and the cardholder location (locc), that is response=E(r(locp−locc)), where r is a random non-zero integer. It does this without learning locc. In step 106, the server 20 sends the computed response to the server 22 of the service provider 16. In step 108, the server 22 decrypts the response using the private key to obtain a yes/no answer to the query of whether the payment location is the same as the cardholder location (as described above with respect to FIG. 2), which it returns to the server 20 of the issuer bank 10. The issuer bank 10 can then use the result to enhance the fraud risk score for the transaction. In step 110 the server 20 determines, using the answer from the service provider 16, if the payment location and cardholder location are the same. If in step 110 it is determined that the payment location (locp) and cardholder location (locc) are the same, then in step 112 the server 20 of the issuer bank 10 uses a negative location score to reduce the fraud risk score, whereas if in step 110 it is determined that the payment location and cardholder location are not the same, then in step 114, it uses a positive location score to increase the fraud risk score. That is, the issuer bank 10 uses a negative location score to reduce the fraud risk score if a “yes” response if received in step 108 and a positive location score to increase the fraud risk score if “no” response is received in step 108. In step 116, the server 20 of the issuer bank 10 utilizes the adjusted fraud risk score to determine if the transaction will be approved or not. Thus, using the processing as described in FIGS. 3A and 3B, the service provider 16 is unable to learn or link any information (mobile number or location data) with any cardholder, thereby guaranteeing cardholder privacy. Olumofin, para [0019]). As per claim 14, Olumofin and Krishnan teach the sensitive information protection and recovery method of claim 11, wherein the recovering comprises restoring location information including latitude and longitude through decryption or an XOR operation using the noise range set to the error range of the location information of the user and a key given to the error range of the location information of the user (the server 20 of the issuer bank 10 decrypts the response using the private key. The result of decrypting E(r(locp−locc)) is either zero or any other random integer. In step 54 the server 20 determines if the payment location and cardholder location are the same or spatially proximal. Locations are spatially proximal if they are located in the same grid. A spatial grid structure having a plurality of cells is utilized to quantize and index locations. A grid can be defined in many ways, provided that each location with a given latitude/longitude is associated with a unique cell of the grid. Olumofin, para [0015]). As per claim 15, Olumofin and Krishnan teach the sensitive information protection and recovery method of claim 1, wherein a privacy protocol or confidential key generation information stored in a safe storage is stored using an asymmetric key or a symmetric key (the service provider 16 generates a private/public key pair using an additive homomorphic cryptosystem as previously described, and provides the public key to the server 20 of issuer bank 10. In step 82, foe server 22 of service provider id encrypts each location in its location data set (the current location of each mobile device 14 on its network) using the public key. Whenever a mobile subscriber changes location, an encryption of the new location is used to update the data set. Olumofin, para [0017]). Claim(s) 5-8 are rejected under 35 U.S.C. 103 as being unpatentable over Olumofin et al. US 2017/0053282 A1 (hereinafter “Olumofin”) in view of Krishnan et al. US 2014/0075493 A1 (hereinafter “Krishnan”) and further in view of Martins et al. US 2024/0259212 A1 (hereinafter “Martins”) As per claim 5, Olumofin and Krishnan teach the sensitive information protection and recovery method of claim 4. Olumofin does not explicitly teach wherein the secret key is generated in a trusted execution environment (TEE). However, Martins teaches wherein the secret key is generated in a trusted execution environment (TEE) (A permanent encryption key pair (including a permanent public key and a permanent private key) is generated for the tracking device. The permanent encryption key pair can be generated during the manufacture of the tracking device, upon activation of the tracking device, upon registration of the tracking device with a central tracking system, or at any other suitable time. The permanent encryption key pair can be generated by the manufacturer, by an owner device associated with the tracking device, by the central tracking system, or by any other suitable entity. Martins, para [0091]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Olumofin in view of Martins. One would be motivated to do so, to enhance the security of the system by generating the secret key in a TEE. As per claim 6, Olumofin and Krishnan teach the sensitive information protection and recovery method of claim 4. Olumofin does not explicitly teach wherein the confidential key generation information is stored in a safe storage to which access is impossible other than an authorized user, software module, or hardware module, and the public key generation information is stored in a partial area that constitutes the location information as situational information including the service that requests random information or sensitive information. However, Martins teaches wherein the confidential key generation information is stored in a safe storage to which access is impossible other than an authorized user, software module, or hardware module (The community mobile device then provides the hashed identifier, the encrypted location data, and the encrypted temporary private key to the central tracking system for storage. Martins, para [0007])( The secure storage manager may be responsible for storage of secure data, including information such as passwords and private data that would be accessed through this sub-system. Martins, para [0048]), and the public key generation information is stored in a partial area that constitutes the location information as situational information including the service that requests random information or sensitive information (A permanent encryption key pair (including a permanent public key and a permanent private key) is generated for the tracking device. The permanent encryption key pair can be generated during the manufacture of the tracking device, upon activation of the tracking device, upon registration of the tracking device with a central tracking system, or at any other suitable time. The permanent encryption key pair can be generated by the manufacturer, by an owner device associated with the tracking device, by the central tracking system, or by any other suitable entity. The owner device (such as a mobile device associated with an owner of the tracking device and configured to communicate with the tracking device) can store the permanent public key and the permanent private key. The owner device can provide the permanent public key to the central tracking system for storage in association with an identifier of the tracking device. Although the permanent public key is transmitted to the central tracking system, the permanent public key can be kept confidential, since the permanent public key may otherwise be used to uniquely identify the tracking device. Martins, para [0091]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Olumofin in view of Martins. One would be motivated to do so, to enhance the security of the system by securely saving the confidential keys. As per claim 7, Olumofin and Krishnan teach the sensitive information protection and recovery method of claim 4. Olumofin does not explicitly teach wherein the performing of the privacy protection processing comprises generating a randomly generated salt and a master key stored in a safe storage as a single bitstream and generating an obfuscation key for the generated bitstream using a hash function. However, Martins teaches wherein the performing of the privacy protection processing comprises generating a randomly generated salt and a master key stored in a safe storage as a single bitstream and generating an obfuscation key for the generated bitstream using a hash function (A tracking device (such as the tracking device 106 of FIG. 1) can be configured to generate a hash value identifying the tracking device. The hash value can be dependent on one or more parameters associated with the tracking device, including but not limited to one or more of the following: a key stored by the tracking device, the MAC address of the tracking device (random or assigned to the tracking device by a tracking server, such as the tracking system 100 of FIG. 1), a device identifier (such as a persistent identifier that uniquely identifies the tracking device), a time at which the hash value is generated, or any other suitable parameters. By generating a hash value based on a time at which the hash value is generated, the hash value can expire after a threshold amount of time elapses, or after the passage of a pre-defined time interval, as described below. Martins, para [0056]) (The received diversified public encryption key can be selected based on the hashed identifier, the hash key used to generate the hashed identifier, a current time, or randomly. The community mobile device accesses location data representative of a location of the community mobile device and encrypts 1110 the location data using the diversified public encryption key. The encrypted location data is then provided 1112 to the central tracking system for storage. Martins, para [0113]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Olumofin in view of Martins. One would be motivated to do so, to enhance the security of the system by generating an obfuscation key using a hash function. As per claim 8, Olumofin and Krishnan teach the sensitive information protection and recovery method of claim 4. Olumofin does not explicitly teach wherein information used to generate the secret key in addition to the confidential key generation information stored in a safe storage is stored in the error range of the sensitive information. However, Martins teaches wherein information used to generate the secret key in addition to the confidential key generation information stored in a safe storage is stored in the error range of the sensitive information (The community mobile device then provides the hashed identifier, the encrypted location data, and the encrypted temporary private key to the central tracking system for storage. Martins, para [0007])( The secure storage manager may be responsible for storage of secure data, including information such as passwords and private data that would be accessed through this sub-system. Martins, para [0048]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Olumofin in view of Martins. One would be motivated to do so, to enhance the security of the system by securely saving the confidential keys. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. A. Mhaske et al. US 10,783,728 B1 directed to systems and methods for controlling access. B. Padhye et al. US 2012/0324228 A1 directed to platform that facilitates preservation of user privacy. C. Webb et al. US 2013/0326223 A1 directed to methods for increasing the security of private keys. Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHALID M ALMAGHAYREH whose telephone number is (571)272-0179. The examiner can normally be reached Monday - Thursday 8AM-5PM EST & Friday variable. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, RUPAL DHARIA can be reached at (571)272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. Respectfully submitted /KHALID M ALMAGHAYREH/Primary Examiner, Art Unit 2492