DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is in response to the correspondence filed on 03/05/19.  Claims 1-10 are still pending and have been considered below.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 4 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 4 recites the limitation "the privacy information" in line 3. There is insufficient antecedent basis for this limitation in the claim. Examiner notes that the preceding claim language establishes a first instance of “privacy information” in addition to a separate instance of “specified privacy information” (see line 5 of Claim 3; and line 2 of Claim 4); thus, the claim is rendered indefinite in that it is unclear which of the two the limitation in question refers to.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-10 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
The claim(s) recite a technique for configuring an authority of a user according to response information of a privacy information acquisition request.
The limitation of sending a privacy information acquisition request to the user when a user logs in a system is a process that, under the broadest reasonable interpretation, covers performance of the limitation in the mind because nothing in the claim precludes the step from practically being performed in the mind (i.e., the privacy information acquisition request can be verbally and/or visually provided to the user).
The limitation of configuring an authority of the user according to response information is also a process that, under the broadest reasonable interpretation, covers performance of the limitation in the mind (i.e., the authority of the user can be manually/mentally configured based on the user’s response information which can also be conveyed verbally and/or visually).
If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claims recite an abstract idea.
This judicial exception is not integrated into a practical application because the claims only recite one additional element – using a device/system to perform the aforementioned steps. The device/system in the steps is recited at a high-level of generality (i.e., as a generic processor 
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional element of using the device/system to perform the claimed steps amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept; thus, the claims are not patent eligible.
Furthermore, the additional acts found in the remaining claims also do not result in the claims as a whole amounting to significantly more than the judicial exception because, when considered separately, each of the dependent claims is merely directed to various conventional activities well known by one of ordinary skill in the art and/or would qualify as insignificant extra-solution activity.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-4, 6-9 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Nelson et al. (8,793,509).
Claim 1:  Nelson et al. discloses an authority configuration method, comprising:
when a user logs in a system, sending a privacy information acquisition request to the user (first time user accesses web page at relying party…relying party requests an authorization token) [column 5, lines 1-10]; and
configuring an authority of the user according to response information of the privacy information acquisition request (relying party receives and stores authorization token from user which is used to verify access to user data) [column 5, lines 40-50].
Claim 2:  Nelson et al. discloses the method as claimed in claim 1, wherein the response information comprises: privacy information (authorization token) [column 5, lines 40-50]; configuring the authority of the user according to the response information of the privacy information acquisition request comprises: configuring the authority of the user according to the privacy information (according to scope of token) [column 10, lines 25-35 & 50-60].
Claim 3:  Nelson et al. discloses the method as claimed in claim 1, wherein the response information comprises: an access authority of a third-party system (data provider) [figure 1 | column 4, lines 55-65]; configuring the authority of the user according to the response information of the privacy information acquisition request comprises: acquiring privacy information of the user according to the access authority of the third-party system [column 4, lines 55-65]; and configuring the authority of the user according to the privacy information of the user [column 10, lines 25-35 & 50-60].
Claim 4:  Nelson et al. discloses the method as claimed in claim 3, wherein the response information further comprises: specified privacy information [column 5, lines 40-50]; acquiring the privacy information of the user according to the access authority of the third-party system comprises: acquiring the specified privacy information from the third-party system according to the access authority (data provider may also be the authorization agent which creates/issues the tokens) [column 4, lines 50-60 | column 5, lines 25-35].
Claim 6:  Nelson et al. discloses an authority configuration device, comprising:
a request sending component, configured to send, when a user logs in a system, a privacy information acquisition request to the user [column 5, lines 1-10]; and
an authority configuration component, configured to configure an authority of the user according to response information of the privacy information acquisition request [column 5, lines 40-50].
Claim 7:  Nelson et al. discloses the device as claimed in claim 6, wherein the response information comprises: privacy information [column 5, lines 40-50]; the authority configuration component is configured to configure the authority of the user according to the privacy information [column 10, lines 25-35 & 50-60].
Claim 8:  Nelson et al. discloses the device as claimed in claim 6, wherein the response information comprises: an access authority of a third-party system [figure 1 | column 4, lines 55-65]; the authority configuration component comprises: an information acquisition element, configured to acquire privacy information of the user according to the access authority of the third-party system [column 4, lines 55-65]; and an authority configuration element, configured to configure the authority of the user according to the privacy information of the user [column 10, lines 25-35 & 50-60].
Claim 9:  Nelson et al. discloses the device as claimed in claim 8, wherein the response information comprises: specified privacy information [column 5, lines 30-40]; the information acquisition element is further configured to acquire the specified privacy information from the third-party system according to the access authority [column 4, lines 50-60 | column 5, lines 25-35].

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 5 and 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nelson et al. (8,793,509) in view of Hadjinikitas et al. (7,024,556).
Claim 5:  Nelson et al. discloses the method as claimed in claim 1, but does not explicitly disclose further comprising: within a preset time period after sending the privacy information acquisition request, when no response information is received, configuring the authority of the user according to a default setting.
However, Hadjinikitas et al. discloses a similar invention [column 4, lines 30-40] and further discloses further comprising: within a preset time period after sending the privacy information acquisition request (timeout value) [column 6, lines 50-60], when no response information is received (reach maximum allowable idle time without receiving any user activity) [column 9, lines 10-20], configuring the authority of the user according to a default setting (set access level of authenticated user to default value) [column 9, lines 25-35].
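Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the disclosure of Nelson et al. with the additional features of Hadjinikitas et al., in order to minimize the overall time required for performing user authentication, as suggested by Hadjinikitas et al. [column 2, lines 15-25].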
Claim 10:  Nelson et al. discloses the device as claimed in claim 6, but does not explicitly disclose further comprising: a default setting component, configured to configure, within a preset time period after sending the privacy information acquisition request, the authority of the user according to a default setting when no response information is received.
However, Hadjinikitas et al. discloses a similar invention [column 4, lines 30-40] and further discloses further comprising: a default setting component, configured to configure, within a preset time period after sending the privacy information acquisition request [column 6, lines 50-60], the authority of the user according to a default setting [column 9, lines 25-35] when no response information is received [column 9, lines 10-20].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the disclosure of Nelson et al. with the additional features of Hadjinikitas et al., in order to minimize the overall time required for performing user authentication, as suggested by Hadjinikitas et al. [column 2, lines 15-25].

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD ZEE whose telephone number is (571)270-1686.  The examiner can normally be reached on Monday-Friday 9AM-5PM EST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571)272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/EDWARD ZEE/Primary Examiner, Art Unit 2435