DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is responsive to application 19/315,250 that the Applicant filed on August 29, 2025 and presented claims. After the response to the restriction of January 26, 2026, claims 1-5, 9-11, 13-14, and 31 remain open for examination.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Independent claims 1 and 9 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. The claims recite “the transformation including….” As claimed, each and every limitation listed must occur. Perhaps this is the intent of Applicant, or perhaps the more appropriate limitation is “at least one of.” This rejection may be overcome by an amendment or clarifying the actual intent of the language employed. Dependent claims 2-5, 10-11, 13, and 31 are similarly rejected under § 112(b) because they don’t remedy the issue of indefiniteness.
Dependent claim 5 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. The claim recites “other information regarding the user.” This limitation is indefinite, as there’s virtually no boundary associated with “other,” it can be anything.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The following conventions apply to the mapping of the prior art to the claims:
Italicized text – claim language.
Parenthetical plain text – Examiner’s citation and explanation.
Citation without an explanation – an explanation has been previously provided for the respective limitation(s).
Quotation marks – language quoted from a prior art reference.
Underlining – language quoted from a claim.
Brackets – material altered from either a prior art reference or a claim, which includes the Examiner’s explanation that relates a claim limitation to the quoted material of a reference.
Braces – a limitation taught by another reference, but the limitation is presented with the mapping of the instant reference for context.
Numbered superscript – a first phrase to be moved upwards to the primary reference analysis.
Lettered superscript – a second phrase to be moved after the movement of the first phrase from which it was lifted, or more succinctly, move numbered material first, lettered material last.
A. Claims 1-2, 4-5, 9-10, and 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Margolin (US 8,782,392, “Margolin”) in view of Scotney et al. (US 11,416,874, “Scotney”), and further in view of Kurian et al. (US 2021/0234673, “Kurian”).
Regarding Claim 1
Margolin discloses
A data security system for protecting private data…1 (Col. 4:62-5:6, “In some embodiments, the privacy proxy [as part of a data security] system 106 is implemented as a web proxy server system, with additional functionality related to the processing of documents [data] with portions marked as private (e.g., document content encryption and decryption, encryption key and decryption key management, etc.).”), the data security system comprising:
at least one data access proxy communicatively coupled with…2 (Fig. 1, Col. 5:42-54, “The server system 114 stores the encrypted document 113 in memory or some storage medium (e.g., non-volatile storage, such as a hard disk drive [and the private database as disclosed by Scotney 6:8-21 below]).”; and Fig. 1, Col. 5:59-6:5, “The server system [hosting the private database] 114 sends [communicatively coupled] the partially encrypted document 113, through network(s) 112, in a data transmission 118. The data transmission 118 is sent to the privacy [data access] proxy system 106.”),
the at least one data access proxy further communicatively coupled with at least one server (Fig. 1, Col. 5:59-6:5, “The server system 114 sends [communicatively coupled] the partially encrypted document 113, through network(s) 112, in a data transmission 118. The data transmission 118 is sent to the privacy [data access] proxy system 106.”),
3 …:
identify a user and a request from the user to access at least one data item stored in the at least one private database (Col. 7:12-37, “The application 104, recognizing [identifying] that the user has full rights to the document [one data item] (e.g., by comparing the user's login credentials at the client 102 or other authentication credentials to the document's rights metadata),...”; Col. 7:12-37, “For example, in some embodiments, if a user with full rights to the entire document makes a request for the document [data item] 111 at a client 102,...”; and Scotney Col. 6:8-21 for private database);
validate the user and the request, the validation including inspecting the user's identity, …4, and evaluating permissions and restrictions associated with the user and the at least one data item (Col. 7:12-37, “The application 104, recognizing that the user has full rights [evaluating permissions and restrictions associated with the user upon validating the request] to the document [one data item] (e.g., by comparing the user's login credentials [validating by inspection of the user’s identity] at the client 102 or other authentication credentials to the document's rights metadata),...”);
access the private database to retrieve the at least one data item (Col. 15:38-53, “In response to a request from the client system for the document, the privacy proxy system retrieves a partially encrypted document [stored in the private database] corresponding to the requested document from the server system [that possesses the private database that is accessed to retrieve the data item].”);
inspect one or more security attributes related to the at least one data item (Col. 17:1-24, “In some embodiments, the privacy proxy system 106, when encrypting a document 111, may add additional metadata [security attributes] to the document [data item]. For example, the privacy proxy system 106 may add metadata indicating the version of the key used to encrypt the document. As another example, the privacy proxy system 106 may add additional rights metadata (e.g., corporate-wide special rights policies) to the document.”; and “In some embodiments, a marked document includes metadata indicating the portions that are marked, where the metadata follows a protocol. The application 104 and/or the plug-in 202 are configured to understand and follow the protocol with respect to generating the data indicating the marked portions and determining whether a document has marked portions and the locations of those marked portions within the document. The privacy proxy system 106 is configured to understand [upon inspection] and follow the protocol,...”); and
transform the at least one data item based on one or more privacy rules (Col. 11:58-12:7, “In some embodiments, in response to the request for the document 600, the privacy proxy system 106 decrypts [transforms] the marked portion 604 regardless of whether the requesting user has the rights [according to privacy rules] to read the marked portion 604. The application 104 controls how the marked portions are displayed in accordance with the user's rights.”),
the transformation including: redacting information from the at least one data item, deleting information from the at least one data item, substituting information from the at least one private data item with other information, adding information to the at least one data item, providing synthetic data as a private data item, and providing proxy data for the at least one data item (Col. 16:20-31, “In some embodiments, the replacement element or other content is alternative text, obscured text, a graphic, or a blank area (826). The marked portions, when they are not displayed in the clear, may be replaced with one or more replacement elements, on the display, for display purposes. The replacement may be alternative text (e.g., a message informing the user that the content in the marked portions is private), obscured text (the text in the marked portions blacked out or obscured by a mosaic effect, to resemble redacted text), a blank area, or a graphic (e.g., an icon giving visual indication that the marked portions are restricted).”).
Margolin doesn’t disclose
1 … within a database,…
2 … at least one private database,…
3 the at least one server configured to operate the at least one data access proxy to:
4 …, evaluating the user's activity history,…
Scotney, however, discloses
1 … within a database,… (Col. 6:8-21, “The local data storage 122 and cloud data storage 132 represent devices that physically store data (e.g., hard disk drives, solid state drives, memory, etc.) as well as any necessary database management software and hardware to access the stored data.”)
2 … at least one private database,… (Fig. 1, Col. 4:26-47, “The local network 100 and the remote networks 105 can host data storage containing sensitive [private] data, or other data potentially subject to regulatory compliance, accessible to client devices 110 through a proxy server, which may be implemented on a gateway 120 or compliance server 140.”; and Col. 6:8-21, “The local data storage 122 and cloud data storage 132 represent devices that physically store data (e.g., hard disk drives, solid state drives, memory, etc.) as well as any necessary database management software and hardware to access the stored data.”)
3 the at least one server configured to operate the at least one data access proxy (Col. 11:63-12:5, “With reference to FIG. 3A, a user of a client device accesses data (e.g., by viewing a patient record containing protected health information) through one or more of a gateway 120, a cloud server 130, or a compliance server 140 [that serves as and operates the data access proxy] as described with FIG. 1 (310).”) to:
Regarding the combination of Margolin and Scotney, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify data security system of Margolin to arrive at the claimed invention. KSR establishes that a rationale for obviousness is proven by showing a “use of [a] known technique to improve similar devices in the same way.” See MPEP § 2143(I)(C).
To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C):
1) the prior art contained a base system, namely the data security system of Margolin, upon which the claimed invention can be seen as an “improvement” through the use of a database and server feature;
2) the prior art contained a “comparable” system, namely the data system of Scotney, that has been improved in the same way as the claimed invention through the database and server feature; and
3) one of ordinary skill in the art could have applied the known improvement technique of applying the database and server feature to the base data security system of Margolin, and the results would have been predictable to one of ordinary skill in the art.
Kurian, however, discloses
4 …, evaluating the user's activity history, … (¶ [0033], “The pre-authorization data 128 generally includes default permissions indicating the contents of the data store 102 that the user 122 a,b is provisionally permitted to access. Rather than relying on these default permissions alone, however, the adaptive authorization token 120 a,b may check [evaluate] for any anomalies in the user's [history] activities or usage of the data store 102 before the token 120 a,b, becomes ac (or “awake”) and provides authorization instructions 132 in order to access requested file(s) 108, 112, 114, 118 of the data store 102.”)
Regarding the combination of Margolin-Scotney and Kurian, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify data security system of Margolin-Scotney to arrive at the claimed invention. KSR establishes that a rationale for obviousness is proven by showing a “use of [a] known technique to improve similar devices in the same way.” See MPEP § 2143(I)(C).
To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C):
1) the prior art contained a base system, namely the data security system of Margolin-Scotney, upon which the claimed invention can be seen as an “improvement” through the use of a user activity history feature;
2) the prior art contained a “comparable” system, namely the data system of Kurian, that has been improved in the same way as the claimed invention through the user activity history feature; and
3) one of ordinary skill in the art could have applied the known improvement technique of applying the user activity history feature to the base data security system of Margolin-Scotney, and the results would have been predictable to one of ordinary skill in the art.
Regarding Claim 2
Margolin in view of Scotney, and further in view of Kurian (“Margolin-Scotney-Kurian”) discloses the data security system of claim 1, and Margolin further discloses
wherein the at least one server is further configured to provide a response to the user (Col. 15:38-46, “In some embodiments, the client system receives a copy of the document from the intermediary system (810), where the copy of the document is transmitted from the destination system [as a server that provides a response to the user] to the intermediary system prior to the receiving, the copy of the document transmitted from the destination system include the encrypted marked portions (812).”),
the response comprising a transformed version of the requested data item (Col. 15:38-53, “In response to a request from the client system for the document, the privacy proxy system retrieves a partially encrypted document [transformed version] corresponding to the requested document [data item] from the server system.”),
the transformed version being accessible to the user by way of the data access proxy (Col. 15:38-46, “In some embodiments, the client system [user] receives a copy of the document [transformed version being accessible] from the intermediary system [data access proxy] (810), where the copy of the document is transmitted from the destination system to the intermediary system prior to the receiving, the copy of the document transmitted from the destination system include the encrypted [transformed] marked portions (812).”).
Regarding Claim 4
Margolin-Scotney-Kurian discloses the data security system of claim 1, and Margolin further discloses
wherein the user is identified by comparing the user's identity with information from a user database (Col. 7:12-37, “The application 104, recognizing that the user has full rights to the document (e.g., by comparing the user's login credentials [that maps to a user’s identity for user identification, and the “credentials” are information retrieved from a user database, i.e., a common example is a user ID and password combination that are stored in a user database] at the client 102 or other authentication credentials to the document's rights metadata),...”).
Regarding Claim 5
Margolin-Scotney-Kurian discloses the data security system of claim 4, and Margolin further discloses
wherein the user database stores one or more of: the identity of the user, a query history of the user, an activity history of the user, and other information regarding the user (Col. 7:12-37, “The application 104, recognizing that the user has full rights to the document (e.g., by comparing the user's login credentials [that maps to and uniquely identifies the identity of the user] at the client 102 or other authentication credentials to the document's rights metadata),...”).
Regarding Independent Claim 9 and Dependent Claims 10 and 13-14
With respect to claims 9-10 and 13-14, a corresponding reasoning as given earlier for claims 1-2 and 4-5 applies, mutatis mutandis, to the subject matter of claims 9-10 and 13-14. Therefore, claims 9-10 and 13-14 are rejected, for similar reasons, under the grounds set forth for claims 1-2 and 4-5.
B. Claims 3 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Margolin in view of Scotney and Kurian, and further in view of Shimony (US 10,963,583, “Shimony”).
Regarding Claim 3
Margolin-Scotney-Kurian discloses the data security system of claim 1, and Margolin further discloses
wherein the server (Fig. 1, Col. 5:59-6:5) is further configured to operate the data access proxy (Fig. 1, Col. 5:42-54) to…1.
Margolin-Scotney-Kurian doesn’t disclose
1 … provide schemas of introducing misinformation as part of the response, the misinformation functioning as a tracker for tracing a flow of information and identifying a malicious user.
Shimony, however, discloses
1 … provide schemas of introducing misinformation as part of the response, the misinformation functioning as a tracker for tracing a flow of information and identifying a malicious user (Col. 11:57-12:14, “For example, in some embodiments, privilege escalation monitor 120 may create a honeypot [that introduces misinformation] for detecting [identifying] potential malicious activity [user]. For example, privilege escalation monitor 120 may plant [thereby providing a schema] vulnerable privileged code and may monitor [for tracing a flow of information] the code to track potential malicious actions. This may involve creating a honeypot within privileged file system 224 by planting privileged code on computing system 130. The privileged code may be susceptible to attacks using DLL files or symbolic links as described above. Privilege escalation monitor 120 may then monitor the planted privileged code to detect an instance of an identity performing a file operation using the planted privilege code.”, and Col. 7:35-61, “In some embodiments, privilege escalation monitor 120 may be implemented as an intermediary device (e.g., a proxy server or service) and may be configured to monitor communications between client identity 110 and computing system 130.”).
Regarding the combination of Margolin-Scotney-Kurian and Shimony, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify data security system of Margolin-Scotney-Kurian to arrive at the claimed invention. KSR establishes that a rationale for obviousness is proven by showing a “use of [a] known technique to improve similar devices in the same way.” See MPEP § 2143(I)(C).
To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C):
1) the prior art contained a base system, namely the data security system of Margolin-Scotney-Kurian, upon which the claimed invention can be seen as an “improvement” through the use of a maliciousness tracking feature;
2) the prior art contained a “comparable” system, namely the file system of Shimony, that has been improved in the same way as the claimed invention through the maliciousness tracking feature; and
3) one of ordinary skill in the art could have applied the known improvement technique of applying the maliciousness tracking feature to the base data security system of Margolin-Scotney-Kurian, and the results would have been predictable to one of ordinary skill in the art.
Regarding Dependent Claim 11
With respect to claim 11, a corresponding reasoning as given earlier for claim 3 applies, mutatis mutandis, to the subject matter of claim 11. Therefore, claim 11 is rejected, for similar reasons, under the grounds set forth for claim 3.
C. Claim 31 is rejected under 35 U.S.C. 103 as being unpatentable over Margolin in view of Scotney and Kurian, and further in view of Kandel et al. (US 10,135,835, “Kandel”).
Regarding Claim 31
Margolin-Scotney-Kurian discloses the data security system of claim 1, and Margolin further discloses
wherein the at least one data access proxy (Fig. 1, Col. 5:42-54) is communicatively coupled to {the at least one private database (Scotney Col. 6:8-21)} via…1
Regarding the combination of Margolin and Scotney, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter of claims 1 and 31.
Margolin-Scotney-Kurian doesn’t disclose
1 … a reverse tunneling infrastructure comprising a secure tunnel over an encrypted authenticated connection.
Kandel, however, discloses
1 … a reverse tunneling infrastructure comprising a secure tunnel over an encrypted authenticated connection (Col. 17:8-15, “As discussed above, this may involve opening a secure communication channel (e.g., tunnel, reverse tunnel, encrypted session, etc.) between the identity and the secure resource, proxying a connection between the identity and the secure resource, or other techniques.”).
Regarding the combination of Margolin-Scotney-Kurian and Kandel, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify data security system of Margolin-Scotney-Kurian to arrive at the claimed invention. KSR establishes that a rationale for obviousness is proven by showing a “use of [a] known technique to improve similar devices in the same way.” See MPEP § 2143(I)(C).
To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C):
1) the prior art contained a base system, namely the data security system of Margolin-Scotney-Kurian, upon which the claimed invention can be seen as an “improvement” through the use of a reverse tunneling feature;
2) the prior art contained a “comparable” system, namely the network system of Kandel, that has been improved in the same way as the claimed invention through the reverse tunneling feature; and
3) one of ordinary skill in the art could have applied the known improvement technique of applying the reverse tunneling feature to the base data security system of Margolin-Scotney-Kurian, and the results would have been predictable to one of ordinary skill in the art.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to D'ARCY WINSTON STRAUB whose telephone number is (303)297-4405. The examiner can normally be reached Monday-Friday 9:00-5:00 Mountain Time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, WILLIAM KORZUCH can be reached at (571)272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/D'Arcy Winston Straub/Primary Examiner, Art Unit 2491
Prosecution Insights