Prosecution Insights
Last updated: July 17, 2026
Application No. 18/991,844

SYSTEMS AND METHODS FOR DATA ACCESS CONTROL OF PERSONAL USER DATA USING A SHORT-RANGE TRANSCEIVER

Non-Final OA §103§112
Filed
Dec 23, 2024
Priority
Apr 30, 2020 — continuation of 11/030,339 +1 more
Examiner
DOAN, TRANG T
Art Unit
2431
Tech Center
2400 — Computer Networks
Assignee
Capital One Services LLC
OA Round
1 (Non-Final)
83%
Grant Probability
Favorable
1-2
OA Rounds
1y 9m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 83% — above average
83%
Career Allowance Rate
519 granted / 626 resolved
+24.9% vs TC avg
Strong +17% interview lift
Without
With
+17.2%
Interview Lift
resolved cases with interview
Typical timeline
3y 4m
Avg Prosecution
20 currently pending
Career history
655
Total Applications
across all art units

Statute-Specific Performance

§101
5.0%
-35.0% vs TC avg
§103
63.3%
+23.3% vs TC avg
§102
16.2%
-23.8% vs TC avg
§112
10.5%
-29.5% vs TC avg
Black line = Tech Center average estimate • Based on career data from 626 resolved cases

Office Action

§103 §112
CTNF 18/991,844 CTNF 81329 DETAILED ACTION 07-06 AIA 15-10-15 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. This Office Action is in response to the communication filed on 2/26/2025. 12-151-10 AIA 12-51-10 Claim s 1-20 have been canceled. Claims 21-40 are pending for consideration. Notice of Pre-AIA or AIA Status 07-03-aia AIA 15-10-aia The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. Information Disclosure Statement An applicant’s duty of disclosure of material information is not satisfied by presenting a patent examiner with “a mountain of largely irrelevant data from which he is presumed to have been able, with his expertise and with adequate time, to have found the critical data. It ignores the real world conditions under which examiners work.” Rohm & Haas Co. v. Crystal Chemical Co., 722 F.2d 1556, 1573, 220 U.S.P.Q. 289 (Fed. Cir. 1983), cert. denied, 469 U.S. 851 (1984). An applicant has a duty to not just disclose pertinent prior art references but to make a disclosure in such way as not to “bury” it within other disclosures of less relevant prior art. See Golden Valley Microwave Foods Inc. v. Weaver Popcorn Co. Inc., 24 U.S.P.Q.2d 1801 (N.D. Ind. 1992); Molins PLC v. Textron Inc., 26 U.S.P.Q.2d 1889, 1899 (D. Del. 1992); Penn Yan Boats, Inc. v. Sea Lark Boats, Inc. et al., 175 U.S.P.Q. 260, 272 (S.D. Fl. 1972). It is unreasonable for Examiner to review all of the cited references thoroughly. By signing the accompanying 1449 forms, Examiner is merely acknowledging the submission of the cited references and indicating that only a cursory review has been made. Examiner notes that Therasense, Inc. v. Becton, Dickinson and Co., 649 F.3d 1276 (Ct. App. 2011) (en banc) has significantly restricted the infringement defense of inequitable conduct. A defendant must show that the patent in question would not have been issued but for undisclosed information, and that the patentee had the intent to deceive. Examiner suggests that future Information Disclosure Statements cite only the most relevant/inclusive references or portions thereof. Specification 06-31 AIA The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification. Claim Rejections - 35 USC § 112 07-30-02 AIA The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 07-34-01 Claims 22 and 36 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. 07-34-05 Claim 22 recites the limitation "the contactless card". There is insufficient antecedent basis for this limitation in the claim. 07-34-05 Claim 36 recites the limitation "the contactless card". There is insufficient antecedent basis for this limitation in the claim. Double Patenting 08-33 AIA The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg , 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman , 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi , 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum , 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel , 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington , 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp. 08-34 AIA Claim s 21 and 34 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim s 1 and 11 of U.S. Patent No. 11030339 . Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application recite a corresponding method and system of claims 1 and 11 of the patent application. For example, see the table below for a claim comparison between the instant application and patent application . Furthermore, Examiner notes that each and every limitation of the instant claims appear to be substantially anticipated by the corresponding claims of the patent application. Therefore, Examiner respectfully submits that the instant claims and the claims of the patent application are not directed to patentably distinct inventions; thus, properly rejected on the grounds of nonstatutory double patenting, as further outlined below. Instant Application 18991844 Patent Application 11030339 Claim 34: A method for controlling data access, comprising: retrieving, by a server comprising a processor and a memory, a user key and a service provider key from a database; generating, by the server, the data access key based on the user key and the service provider key; and transmitting, by the server, the data access key to a client device. Claim 11: A method for controlling data access, comprising: establishing a database storing information comprising a user identifier and a user key associated with a user, and a service provider identifier and a first service provider key associated with a service provider; receiving from a first client device associated with the service provider, via a network, a service provider token and a request for a data access key to access personal user data stored on a contactless card associated with the user, the personal user data encrypted using the user key, the request generated in response to a tap action between the contactless card and the first client device, the request accompanied by a user token stored on the contactless card; identifying the service provider based on the service provider token; identifying the user based on the user token; verifying that the service provider is authorized to receive access to personal user data stored on the contactless card; retrieving the user key from the database; generating the data access key based on the user key ; and transmitting to the first client device the data access key . Claim 21: A data access control server, comprising: a processor; and a memory, wherein, in response to r eceipt of a user token, a service provider token, and a request for a data access key , the server is configured to: retrieve a user key and a service provider key from a database, generate the data access key based on the user key and the service provider key, and t ransmit the data access key to a client device. Claim 1: A data access control system, comprising: a database storing information comprising a user identifier and a user key associated with a user, and a service provider identifier and a service provider key associated with a service provider; a server configured for data communication with a client device associated with the service provider via a network; a contactless card associated with the user, the contactless card comprising a communications interface, a processor, and a memory, the memory storing an applet, a user token, and personal user data associated with the user, wherein the personal user data is encrypted using the user key; a client application comprising instructions for execution on the client device, the client application configured to: in response to a tap action between the contactless card and the client device: receive the user token from the contactless card, and transmit to the server a service provider token, the user token, and a request for a data access key, wherein the service provider token is associated with the service provider; receive from the server the data access key; receive from the contactless card the encrypted personal user data; and using the data access key, decrypt the encrypted personal user data; and, a processor in data communication with the server and the database, the processor configured to: receive from the client device the service provider token, the user token, and the request fo r the data access key; identify the service provider based on the service provider token; identify the user based on the user token; verify that the service provider is authorized to receive access to the personal user data; retrieving, by the processor, the user key from the database; generate the data access key from the user key ; and t ransmit to the client device the data access key . 08-34 AIA Claim s 21, 34 and 39 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim s 1, 10 and 18 of U.S. Patent No. 12174991 . Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application recite a corresponding method and system of claims 1, 10 and 18 of the patent application. For example, see the table below for a claim comparison between the instant application and patent application . Furthermore, Examiner notes that each and every limitation of the instant claims appear to be substantially anticipated by the corresponding claims of the patent application. Therefore, Examiner respectfully submits that the instant claims and the claims of the patent application are not directed to patentably distinct inventions; thus, properly rejected on the grounds of nonstatutory double patenting, as further outlined below. Instant Application 18991844 Patent Application 12174991 Claim 34: A method for controlling data access, comprising: retrieving, by a server comprising a processor and a memory, a user key and a service provider key from a database; generating, by the server, the data access key based on the user key and the service provider key ; and transmitting, by the server, the data access key to a client device. Claim 1: A method for controlling data access, comprising: receiving, from a first client device via a network, a user token, a service provider token, and a request for a data access key to decrypt encrypted personal user data stored on a contactless card associated with a user; identifying a service provider based on the service provider token; identifying the user based on the user token; verifying that the service provider is authorized to receive access to personal user data stored on the contactless card; retrieving a user key associated with the user and a first service provider key a ssociated with the service provider from a database; generating the data access key based on the user key and the first service provider key; and transmitting the data access key to the first client device , wherein the request for the data access key is generated in response to a tap action between the contactless card and the first client device. Claim 21: A data access control server, comprising: a processor; and a memory, wherein, in response to receipt of a user token, a service provider token, and a request for a data access key, the server is configured to: retrieve a user key and a service provider key from a database , generate the data access key based on the user key and the service provider key , and t ransmit the data access key to a client device. Claim 18: A data access control server, comprising: a processor; and a memory, wherein the processor is in data communication with a database and a first client device, and wherein, in response to receipt of a user token, a service provider token, and a request for a data access key to decrypt encrypted personal user data stored on a contactless card associated with a user, the processor is configured to: identify the user based on the user token, verify the service provider is authorized to receive access to the personal user data, retrieve a user key and a service provider key from the database, generate the data access key based on the user key and the service provider key, and transmit the data access key to the first client device, wherein the request for the data access key is generated in response to a tap action between the contactless card and the first client device. Claim 39: A data access control system, comprising: a server, comprising a processor and a memory, wherein, in response to receipt of a user token, a service provider token, and a request for a data access key , the server is configured to: retrieve a user key and a service provider key from a database, generate the data access key based on the user key and the service provider key , and transmit the data access key to a client device. Claim 10: A data access control system, comprising: a server comprising a processor and a memory, the server in data communication with a database and a client device; and a contactless card associated with a user, the contactless card comprising a processor, a memory, and a communications interface, the memory of the contactless card storing a user token and encrypted personal user data associated with the user, wherein the server is configured to: receive, from the client device via a network, the user token, a service provider token, and a request for a data access key to decrypt the encrypted personal user data, identify the user based on the user token, verify the service provider is authorized to receive access to the personal user data, retrieve a user key and a service provider key from the database, generate the data access key based on the user key and the service provider key , and t ransmit the data access key to the client device, wherein the request for the data access key is generated in response to a tap action between the contactless card and the client device . Claim Rejections - 35 USC § 103 07-20-aia AIA The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 07-21-aia AIA Claim s 21-40 are rejected under 35 U.S.C. 103 as being unpatentable over Gosalia (US 20200387904) (hereafter Gosalia) in view of Shablygin et al. (US 20130208893) (hereinafter Shablygin) . Regarding claim 21, Gosalia discloses a data access control server, comprising: a processor; and a memory, wherein, in response to receipt of a user token, a service provider token, and a request for a data access key (Gosalia: paragraphs 0040-0041, and 0047-0048, “physical computing card 208 sends an authorization request to a service provider server 210”… “entity device 206 sends transaction information to a payment network 214. In some embodiments, the transaction information may include transaction details, the user identifier, and/or location data for the entity, entity devices 206 and 212, and/or user device 204.”), the server is configured to: retrieve a user key (Gosalia: paragraphs 0041-0043 and 51, “service provider server 210 sends to physical computing card 208 one or more identifiers corresponding to one or more authorized users associated with physical computing card”… “entity device 206 may provide an indication of successful authentication and/or authorization to the user. For example, the indication may be a receipt for a purchase of goods or services. The indication may be displayed on entity device 206, where the indication may a successful authorization message”) and a service provider key from a database (Gosalia: paragraphs 0042-0043 and 0051, “physical computing card 208 sends the authorization grant and the one or more identifiers corresponding to one or more authorized users associated with the card to an entity device 212. Entity device 212 is configured to communicate with entity device 206”… “payment network 214 sends a confirmation for the transaction to entity device 206 indicating successful completion of authentication and/or authorization”), and transmit the data access key to a client device (Gosalia: paragraphs 0013 and 0041-0043, “physical computing card 208 sends the authorization grant and the one or more identifiers corresponding to one or more authorized users associated with the card to an entity device 212. Entity device 212 is configured to communicate with entity device 206. The authorization grant authorizes any of the one or more authorized users associated with card 208 to access resources associated with card”). Gosalia does not explicitly disclose the following limitations which are disclosed by Shablygin, generate the data access key based on the user key and the service provider key (Shablygin: see figure 2A PNG media_image1.png 1204 1088 media_image1.png Greyscale and paragraphs 0068 and 0077, “both the user 26 and the service provider 20 must provide their keys 28 and 22 which, when combined, generate a unique data container identifier 14 that enables access to the data stored in the data container 10.”). Gosalia and Shablygin are analogous art because they are from the same field of endeavor, data protection. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Gosalia and Shablygin before him or her, to modify the system of Gosalia to include generating a data access key based on a user key and a service provider key of Shablygin. The suggestion/motivation for doing so would have been protect data from unauthorized access (Shablygin: paragraph 0002). Regarding claim 34, claim 34 discloses a system claim that is substantially equivalent to the server of claim 21. Therefore, the arguments set forth above with respect to claim 21 are equally applicable to claim 34 and rejected for the same reasons. Regarding claim 39, claim 39 discloses a server claim that is substantially equivalent to the server of claim 21. Therefore, the arguments set forth above with respect to claim 21 are equally applicable to claim 39 and rejected for the same reasons. Regarding claims 22 and 36, Gosalia as modified discloses wherein: the contactless card is associated with a user, and the request for the data access key is to decrypt encrypted personal user data associated with the user stored on the contactless card (paragraphs 0069 and 0074, “The tokens can, for example, take the form of a portable device such as a dongle or a keycard or be incorporated in another device such as a mobile phone. Token 27 includes, among other information, identity information in the form of a user ID 28. Similarly, the service provider token 21 includes, among other information, identity information in the form of a service provider ID”… “For example the token 27 can include cryptographic information and the data encryption can occur on the token 27. This method allows the data to be encrypted without the cryptographic information being communicated outside of the token, thus increasing the security of the cryptographic information.”). The same motivation to modify Gosalia in view of Shablygin, as applied in claim 21 above, applies here. Regarding claims 23 and 37, Gosalia as modified discloses wherein, prior to retrieving the user key and the service provider key, the server is further configured to: identify the user based on the user token, and verify a service provider is authorized to receive access to the personal user data (Shablygin: paragraphs 0069 and 0097-0099, “Prior to allowing access to the information in the data container 10, both the user 26 and the service provider 20 are authenticated by an authentication system (not shown) based on information provided via their respective tokens 27, 21. The authentication system authenticates not only the user 26 but also the service provider 20 before allowing access to the secured data in the data container 10. While the user ID 28 and the service provider ID 22 become known to the authentication system during the authentication process, they are retained in the authentication system for a limited length of time”). The same motivation to modify Gosalia in view of Shablygin, as applied in claim 21 above, applies here. Regarding claims 24 and 38, Gosalia as modified discloses wherein the access by the service provider to the personal user data is limited by one or more data control parameters (Shablygin: paragraphs 0077 and 0088, “Since the A&DDS system cannot create this encryption key without the presence of the authenticated user and of the authenticated service provider, during the absence of either party the stored data cannot be decrypted.”… “, a user has multiple, different data containers 91a and 91b with access to each of the data containers being restricted to a particular service provider (e.g., access to data container 91a is limited to the user and service provider A and access to data container 91b is limited to the user and service provider B). In the example to follow the user ID 96, the service provider ID 94a, and the service provider ID 94b are described as a string of 5 numeric digits for simplicity”). The same motivation to modify Gosalia in view of Shablygin, as applied in claim 21 above, applies here. Regarding claim 25, Gosalia as modified discloses the one or more data control parameters are stored in the database (Shablygin: paragraphs, 0068, 0072, and 0087-0088 “because keys are needed from both the service provider 20 and the user 26 to determine the location of the data, access to the data stored in the data container 10 is restricted to the authorized user/service provider pair. Requiring keys from both the service provider 20 and the user 26 additionally can provide the advantage of providing a system in which the storage provider 20 has no access to data except when the authenticated user 26 is present.”… “This can provide the advantage of convenience for the user and encourage the user to take appropriate actions to protect the device/information used in the authentication process. For example, a user can have multiple, different data containers with access to each of the data containers being restricted to a particular service provider.”). The same motivation to modify Gosalia in view of Shablygin, as applied in claim 21 above, applies here. Regarding claim 26, Gosalia as modified discloses wherein the one or more data control parameters permit access by the service provider to the personal user data for a limited period of time (Shablygin: paragraphs 0113-0114 and 0155, “One advantageous feature of the system is that every act of user/service provider authentication involves the generation of a temporary transaction identifier ("ticket") which is unique in time and space. The ticket allows the system to associate a user with a service provider during a given transaction. The system knows to whom it issued the ticket and learns the identity of party that returns the ticket to the system. A ticket's life cycle starts when either side (user or service provider agent 220) requests a new ticket and ends when the other side (service provider agent 220 or user respectively) produces this ticket back to the system. The association between the service provider and the user is established when the ticket circulates through the system.”). The same motivation to modify Gosalia in view of Shablygin, as applied in claim 21 above, applies here. Regarding claim 27, Gosalia as modified discloses wherein the one or more data control parameters limit access by the service provider to the personal user data to a single use (Shablygin: paragraphs 0113-0114 and 0180, “One advantageous feature of the system is that every act of user/service provider authentication involves the generation of a temporary transaction identifier ("ticket") which is unique in time and space”). The same motivation to modify Gosalia in view of Shablygin, as applied in claim 21 above, applies here. Regarding claim 28, Gosalia as modified discloses wherein the one or more data control parameters permit access by the service provider to the personal user data when the contactless card is within a communication field of the client device (Shablygin: paragraphs 0118-0119, “If the token 27 is an embedded token, it preferably takes the form of a cell phone; a personal digital assistant; a watch; a computer; computer hardware; or the like. The token 27 preferably includes an input/output support element or a device interface that may take the form of any number of different apparatuses, depending upon the particular application in which it is used and depending upon the type of device with which it interacts. In embodiments, the input/output interface includes a port, such as a wireless communications port (e.g., Near Field Communication (NFC) interface), a serial port, a USB port, a parallel port, or an infrared port, or some other physical interface for communicating with an external electronic apparatus, whether by contact or contactless method”). The same motivation to modify Gosalia in view of Shablygin, as applied in claim 21 above, applies here. Regarding claim 29, Gosalia as modified discloses wherein the server is further configured to verify the service provider is authorized to receive access to the personal user data by prompting a tap of the contactless card on the client device (Gosalia: paragraphs 0039-0040, “the action performed on physical computing card 208 may be one or more physical touches detected by a sensor device of physical computing card 208. The one or more physical touches may include, for example, swipes, pinches, taps, holds, and/or clockwise/counterclockwise finger movement”). Regarding claim 30, Gosalia as modified discloses wherein the server is further configured to verify the service provider is authorized to receive access to the personal user data based on a pre-approval by the user (Shablygin: paragraphs 0006, 0068 and 0097, “Verifying the service provider is authorized to verify that the user has membership in the group may include obtaining an access control list associated with the group, obtaining an entry in the access control list associated with the service provider, and verifying that the entry includes permissions that permit the service provider to request verification that the user has membership in the group. Verifying that the user has membership in the group may include obtaining a membership list associated with the group and verifying that the membership list includes an entry associated with the user.”). The same motivation to modify Gosalia in view of Shablygin, as applied in claim 21 above, applies here. Regarding claim 31, Gosalia as modified discloses wherein the personal user data comprises personal health data (Shablygin: paragraphs 0401 and 0260, “For example, a medical records data base may want to verify that a user is a member of a licensed medical professionals group before allowing the user to access medical records. Similar to the process described above with respect to FIG. 12B, the authentication process begins when a user requests access to a service. Verifying that a user is a member of a group requires an additional one or two step process. First, in some implementations, the system verifies that the service provider is entitled to be informed as to whether the user is a member of the group, and second the system verifies that the user is a member of the group”… “personal healthcare information management and access;”). The same motivation to modify Gosalia in view of Shablygin, as applied in claim 21 above, applies here. Regarding claim 32, Gosalia as modified discloses wherein the service provider comprises at least one selected from the group of a first responder, an emergency team member, an emergency health care provider, and an emergency health care technician (Shablygin: paragraphs 0386 and 0401, “As discussed above, the group container represents a list of users, identified by their respective PUIDs, who have been grouped together for some purpose. For example, the group may be employees of a company, medical professionals, social club members, etc. The group container 3300 includes an access control list (ACL) 3302. The access control list 3302 includes one or more entries (for example, entries 3306a, 3306b). Each entry includes a public user ID 3308, a membership type 3310, file rights 3312, and may include an encrypted group key, the group key being used to encrypt file encryption keys. key 3316. The public user ID 3308 is the publicly available identifier for the member of the group. For example, entry 3306a identifies a user ID of "PUID 1" and another entry 3306b identifies a user ID of "PUID 2".”). The same motivation to modify Gosalia in view of Shablygin, as applied in claim 21 above, applies here. Regarding claim 33, Gosalia as modified discloses wherein: the service provider is associated with a service entity, and the service entity comprises at least one selected from the group of a fire department, an ambulance department, a police department, and a hospital (Shablygin: paragraphs 0386 and 0401, “As discussed above, the group container represents a list of users, identified by their respective PUIDs, who have been grouped together for some purpose. For example, the group may be employees of a company, medical professionals, social club members, etc. The group container 3300 includes an access control list (ACL) 3302. The access control list 3302 includes one or more entries (for example, entries 3306a, 3306b). Each entry includes a public user ID 3308, a membership type 3310, file rights 3312, and may include an encrypted group key, the group key being used to encrypt file encryption keys. key 3316. The public user ID 3308 is the publicly available identifier for the member of the group. For example, entry 3306a identifies a user ID of "PUID 1" and another entry 3306b identifies a user ID of "PUID 2".”). The same motivation to modify Gosalia in view of Shablygin, as applied in claim 21 above, applies here. Regarding claims 35 and 40, Gosalia as modified discloses wherein the request for the data access key is generated in response to a tap action between a contactless card and the client device (Gosalia: paragraphs 0039-0040, “the action performed on physical computing card 208 may be one or more physical touches detected by a sensor device of physical computing card 208. The one or more physical touches may include, for example, swipes, pinches, taps, holds, and/or clockwise/counterclockwise finger movement”). Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740. The examiner can normally be reached Monday-Friday 7-4 ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /TRANG T DOAN/Primary Examiner, Art Unit 2431 Application/Control Number: 18/991,844 Page 2 Art Unit: 2431
Read full office action

Prosecution Timeline

Dec 23, 2024
Application Filed
Feb 26, 2025
Response after Non-Final Action
Jun 16, 2026
Non-Final Rejection mailed — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12683773
CONTROL DEVICE, QUANTUM CRYPTOGRAPHIC COMMUNICATION SYSTEM, CONTROL METHOD, AND COMPUTER PROGRAM PRODUCT
2y 10m to grant Granted Jul 14, 2026
Patent 12671996
UPGRADING CONTROL PLANE NETWORK FUNCTIONS WITH PROACTIVE ANOMALY DETECTION CAPABILITIES
2y 8m to grant Granted Jun 30, 2026
Patent 12664294
CONTROL OF ACCESS TO RESOURCES OF DATA OBJECTS
3y 9m to grant Granted Jun 23, 2026
Patent 12665738
APPARATUS AND METHOD FOR CRYPTOGRAPHY SECURE AGAINST SIDE-CHANNEL ATTACKS
2y 5m to grant Granted Jun 23, 2026
Patent 12665875
NETWORKING AND SECURITY SPLIT ARCHITECTURE
1y 11m to grant Granted Jun 23, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
83%
Grant Probability
99%
With Interview (+17.2%)
3y 4m (~1y 9m remaining)
Median Time to Grant
Low
PTA Risk
Based on 626 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month