United States Patent and Trademark Office

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 12/955,825
Filing Date: 29 Nov 2010
Appellant(s): Jakobsson et al.



__________________
Christopher J. Bezak (Registration No. 63,241)
For Appellant


EXAMINER’S ANSWER





This is in response to the appeal brief filed August 11, 2020 (“Brief”).
Every ground of rejection set forth in the Office action dated March 12, 2020 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”

(2) Response to Argument
35 U.S.C. § 101
Appellant argues: 
Here, the claims expressly recite a “computer-implemented method for controlling access to a resource” (claim 1), “a method for controlling access to a resource” (claim 9), and a “computing device for controlling access to a resource” (claim 17) using “contextual data”.
Providing access to a (secured) resource, much less by using “contextual data,” is not an abstract concept because the foregoing is not a “building block[ ] of human ingenuity,” Alice, 134 S. Ct. at 2354, or a “basic tool[ ] of scientific and technological work,” Benson, 409 U.S. at 67, “part of the storehouse of knowledge of all men ... free to all men and reserved exclusively to none,” Funk Brothers Seed Co., 333 U.S. at 130. Nor is providing access to a (secured) resource a “preexisting, fundamental truth,” Le Roy v. Tatham, 14 How. 156, 175 (1853), and providing access to a (secured) resource is dissimilar to organizing human activity, ideas ‘of itself,’ or mathematical relationships and/or formulas, Alice, 134 S. Ct. at 2355-56, for example an abstract idea similar to the abstract ideas of mitigating risk settlement and risk hedging (e.g., economic activities) found in Alice and Bilski, nor do the claims “‘tie up’ the excepted subject matter and pre-empt others from using the law of nature, natural phenomenon, or abstract idea” (79 Fed. Reg. 241 at 74622 citing Mayo, 132 S. Ct. at 1301, quoting Benson, 409 U.S. at 67; contra Recognicorp v. Nintendo, 855 F.3d 1322 (Fed Cir. 2017)). Instead, providing access to data or a resource by using “contextual data” is a mechanism to provide secured access to the requested data or resource (see e.g., Specification at ¶¶ 3, 5), for example by “performing an authorization or authentication operation of a user or a transaction” (Specification at ¶ 24).

See Brief, pgs. 17-18.  

The Examiner, however, respectfully disagrees. 
First, the Examiner notes that the claims do not appear to reflect any technical details regarding the “mechanism to provide secured access to the requested data or resource.” 
Second, the claims (e.g. claim 1) recite a series of steps for controlling/providing access to a resource (e.g. by monitoring/managing social/legal interactions), which falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas (e.g. managing/monitoring social/legal interactions). These steps include:
 
receiving […] a request to access the resource from a client device associated with a user; 
obtaining a rule for adjusting a user behavior measure of the user based on contextual data associated with the user, 
wherein the user behavior measure indicates a correlation between recent behavior of the user and historical behavior patterns of the user,
obtaining from one or more client devices associated with the user the contextual data associated with the user,
 adjusting the correlation between the recent behavior of the user and the historical behavior patterns of the user indicated by the user behavior measure according to the rule based on the contextual data associated with the user; 
outputting authentication information for determining to grant or deny the request to access the resource based on an updated correlation between the 
wherein the contextual data associated with the user indicates a behavior of the user.

The steps noted above (receiving, obtaining, adjusting and outputting data) are directed to collecting/manipulating data for managing/monitoring social/legal interactions of the user in order to output authentication information, which is an abstract idea.
Furthermore, the steps noted above can also be performed mentally and/or manually by a human (e.g. using a pen and a paper) without the use of a machine. A human can obtain/receive data regarding contextual social/behavior data of the user, correlate these contextual data with historical behavior data, adjust the correlation measure (e.g. score) based on the correlation and use the adjusted measure to make a decision regarding authentication.

Appellant argues: 
In the Final Office Action, the rejection distills the limitations of the claims as the abstract idea (“concept”) of “Certain Methods of Organizing Human Activity” (Office Action at ¶ 9) because the claims “can be performed manually by a human using a pen and paper” (Office Action at ¶ 10). Appellant respectfully submits the characterization in the Final Office Action misrepresents the actual words in the claims, as would have been understood by any artisan of ordinary skill. Rather, the claims are “directed to” the technical field of providing access to a (secured) resource (see Specification at ¶¶ 2, 6, 21, supra), which is “like thousands of others that recite processes to achieve a desired outcome, e.g., methods of producing things, or methods of treating disease.” Rapid Litig. Mgmt. Ltd. v. CellzDirect, Inc., 827 F.3d 1042, 1048-49 (Fed. Cir. 2016).



The Examiner, however, respectfully disagrees. 
The steps noted above can also be performed mentally and/or manually by a human (e.g. using a pen and a paper) without the use of a machine. A human can obtain/receive data regarding contextual social/behavior data of the user, correlate these contextual data with historical behavior data, adjust the correlation measure (e.g. score) based on the correlation and use the adjusted measure to make a decision regarding authentication.

Appellant argues: 
For example, claim 1 at least recites “obtaining, from one or more client devices associated with the user, the contextual data associated with the user.” The artisan of ordinary skill would have understood that contextual data is not simply obtained from client devices with a pen and paper. See e.g., Specification at ¶¶ 26-36 (describing “implicit authentication”). “This concludes the eligibility analysis.” 84 Fed. Reg. 4 at 52.
See Brief, pg. 18.  

See Brief, pg. 19.  
The Examiner, however, respectfully disagrees. 
The act of obtaining can be performed by a human by reading/observing data off of the user’s devices. Therefore, the act of obtaining does not require a machine.

Appellant argues: 
Even if, in arguendo, the claims could somehow be interpreted as reciting an abstract concept, Appellant respectfully submits that the claims are directed to a practical application of providing access to a (secured) resource (see e.g, 


See Brief, pg. 20. 

The Examiner, however, respectfully disagrees. 
First, the Examiner notes that the claims do not appear to reflect any technical details regarding the “providing access to a (secured) resource.” 
Second, the claim elements in addition to the abstract idea are:  
a computing device,
The computing device is recited at a high level of generality, and comprises only a microprocessor and memory to simply perform the generic computer functions of e.g. receiving a request to access a resource, obtaining a rule that adjusts a user behavior measure, obtaining user contextual data from one or more user devices, adjusting correlation between user recent behavior measure and the historic behavior measure based on the rule, outputting authentication information to deny/grant access to a resource.

Additionally, ¶ [0026] of the application as published indicates that the computing device (e.g. authentication server 110) is a general purpose computer:

(Authentication server 110 can be any type of computational device capable of performing an authorization or authentication operation of a user or a transaction).

Generic computers performing generic computer functions, alone, do not amount to significantly more than the abstract idea. 

Third, the use of the computing device noted above as a tool to implement/automate the abstract idea does not render the claim patent eligible because it does not provide meaningful limitations beyond generally linking the use of an abstract idea to a particular technological environment and requires no more than a computer performing functions that correspond to acts required to carry out the abstract idea. See MPEP 2106.05.

Fourth, the Examiner is not persuaded that the claims here are like those at issue in Bascom Holdings.  Unlike the situation in Bascom Holdings, Appellants do not identify any problem particular to remote content filtering in a computer network that claim 1, for example, allegedly overcomes.  
Instead, the Examiner determines, based on the current record, that claim 1 uses a computing device as a tool to implement/automate the functions such as receiving a request to access a resource, obtaining a rule that adjusts a user behavior measure, obtaining user contextual data from one or more user devices, adjusting correlation between user recent behavior measure and the historic behavior measure 

Appellant argues: 
Specification at ¶¶ 2, 6, 21 (emphasis added). Therefore, claim 1 provides a technical solution for “implicitly authenticating a user to access a controlled resource without the need for entering passwords or answering any authentication questions based on contextual data indicating the user's behavior.” Ibid. And, claim 1, in fact, recites limitations emblematic of the technical solution to the technical problem (emphasis added):
receiving, by a computing device, a request to access the resource from a client device associated with a user;
obtaining a rule for adjusting a user behavior measure of the user based on contextual data associated with the user, wherein the user behavior measure indicates a correlation between recent behavior of the user and historical behavior patterns of the user, the recent behavior of the user corresponding to at least one of recent activities of the user and a recent environment of the user and the historical behavior patterns of the user corresponding to at least one of historical activities of the user or and a historical environment of the user;
obtaining, from one or more client devices associated with the user, the contextual data associated with the user;
adjusting the correlation between the recent behavior of the user and the historical behavior patterns of the user indicated by the user behavior measure according to the rule based on the contextual data associated with the user; and
outputting authentication information for determining to grant or deny the request to access the resource based on an updated correlation between the recent behavior of the user and the historical behavior patterns of the user indicated by the adjusted user behavior measure,
wherein the contextual data associated with the user indicates a behavior of the user.


See Brief, pgs. 23-24.  

The Examiner, however, respectfully disagrees. 
First, the examiner further notes that the following limitations have been considered but are not given patentable weight because the limitations have been interpreted as intended use limitations that are not positively claimed:
for adjusting…as recited by at least claim 1.
for controlling access… as recited by at least claim 1.
to access the resource from a client device associated with a user … as recited by at least claim 1.
to access the resource based on an updated correlation… as recited by at least claim 1.
for determining to grant or deny the request… as recited by at least claim 1.
to grant or deny the request… as recited by at least claim 1.
A recitation of the intended use of the claimed invention must result in a structural difference between the claimed invention and the prior art in order to patentably distinguish the claimed invention from the prior art.  If the prior art structure is capable of performing the intended use, then it meets the claim. See MPEP 2114 and Ex parte Masham, 2 USPQ2d 1647 (Bd. Pat. App. & Inter. 1987).  

	
Second, the steps noted above can also be performed mentally and/or manually by a human (e.g. using a pen and a paper) without the use of a machine. A human can obtain/receive data regarding contextual social/behavior data of the user, correlate these contextual data with historical behavior data, adjust the correlation measure 
Third, the claims (e.g. claim 1) do not appear to recite any technical details beyond the general mental steps of receiving, obtaining, adjusting and outputting data. There are no improvements to the functioning of a computer, or to any other technology or technical field.

35 U.S.C. § 103
As an initial matter, the examiner further notes that the following limitations have been considered but are not given patentable weight because the limitations have been interpreted as intended use limitations that are not positively claimed:
for adjusting…as recited by at least claim 1.
for controlling access… as recited by at least claim 1.
to access the resource from a client device associated with a user … as recited by at least claim 1.
to access the resource based on an updated correlation… as recited by at least claim 1.
for determining to grant or deny the request… as recited by at least claim 1.
to grant or deny the request… as recited by at least claim 1.
A recitation of the intended use of the claimed invention must result in a structural difference between the claimed invention and the prior art in order to patentably distinguish the claimed invention from the prior art.  If the prior art structure is Ex parte Masham, 2 USPQ2d 1647 (Bd. Pat. App. & Inter. 1987).  


Appellant argues: 
Thus, French is even worse than the conventional methods described in the background of the Specification of the present application because the user must input two different forms of passwords or authentication data.
Similarly deficient, at most, Constable describes the use of co-location to perform authentication. See e.g., Constable at ¶ 7. For example, information about a device and/or the location of the device are validated (see e.g., Constable at ¶¶ 29-32), and then the location of the user is also referenced (see e.g. Constable at ¶ 33) to determine “whether the requester and the device are in the same location.” Constable at ¶ 35 (emphasis added).

See Brief, pg. 28.  
The Examiner, however, respectfully disagrees. 
First, the Examiner notes that the claims (e.g. claim 1) are silent as to whether a password is required.
Second, claim 8 recites “prompting the user to perform an authentication-related action…” This is clear evidence that the Appellant’s embodiment requires a user to provide some type of authentication data such as a password.
Second, in addition to password authentication schemes, French also discloses “various non-password schemes … that perform some level of authentication before authorizing transactions or permitting access to data (¶ [0005]).
Third, Constable also discloses an implicit authentication without requiring an authentication input (e.g. password) from a user by comparing user’s behavior data such as past and current location/travel information (¶ [0007], [0042], [0046]). 
That is, Constable discloses a dynamic access evaluation system which receives a service request from a device seeking access to a network. The system receives information about the requester, the device from which the request is made and/or the location of the requester and the device. The system authenticates the requester based on a comparison of authorization information to information about the requester received in the request. The system authenticates the device by comparing device information in the request to historical device information. Furthermore, the system receives location information for both the device and the requester and compares them to determine whether the locations are the same or similar. After granting access, the system continues to monitor information about the requester, device, or location and can terminate device access based on a change in the monitored information (Constable: abstract; fig. 3 & related text).

Therefore, the combination (French/Constable) discloses the limitations as claimed.


Appellant argues: 
Thus, French is merely describing a field comparison. There is no suggestion of any “behavior” of a user, much less “recent behavior” and “historical behavior patterns,” and further much less than a “correlation” therebetween….


French is, therefore, not considering “a correlation between recent behavior of the user and historical behavior patterns of the user, the recent behavior of the user corresponding to at least one of recent activities of the user and a recent 


See Brief, pgs. 31-32.  

The Examiner, however, respectfully disagrees. 
First, the examiner notes that a person of ordinary skill in the English language would interpret “behavior” to be: the way in which someone conducts oneself or behaves.
Second, French discloses some forms of user’s behavior such as credit history, credit score, current and past address, current and former phone numbers (¶¶ [0026], [0124], fig. 35).
French further discloses detecting irregularities or inconsistencies in order to detect possible fraudulent events (¶¶ [0125], [0137]).
French further discloses deriving an authentication score based on user behavior from different sources such as credit database, Mail database and phone database (¶¶ [0063], [0124], [0127]; fig. 15).
Therefore, French discloses correlating between recent and historical user behavior  (e.g. transaction/credit requests, credit score,  current mailing address,  current/former address information, time period at the current address, time period with 


Appellant argues: 
The What Logic 155 makes a determination about the authenticity of the device that is allegedly making the request in step 320.” Constable at ¶ 30 (emphasis added). Behavior of a user is nowhere disclosed in Constable.

See Brief, pg. 34.  

The Examiner, however, respectfully disagrees. 
Constable also discloses an implicit authentication without requiring an authentication input (e.g. password) from a user by comparing user’s behavior data such as past and current location/travel information (¶ [0007], [0042], [0046]). 
That is, Constable discloses a dynamic access evaluation system which receives a service request from a device seeking access to a network. The system receives information about the requester, the device from which the request is made and/or the location of the requester and the device. The system authenticates the requester based on a comparison of authorization information to information about the requester received in the request. The system authenticates the device by comparing device information in the request to historical device information. Furthermore, the system receives location information for both the device and the requester and compares them 

For the above reasons, it is believed that the rejections should be sustained.
Respectfully submitted,
/MAMON OBEID/Primary Examiner, Art Unit 3685

Conferees:
/PATRICK MCATEE/Supervisory Patent Examiner, Art Unit 3685
/STEVEN S KIM/Primary Examiner, Art Unit 3685

Requirement to pay appeal forwarding fee. In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.