DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted by applicant dated 10/02/2020 has been considered by the examiner.

Claim Objections
Claim 12 is objected to because of the following informalities:   the claim recites “based on a trusted site determination”.  It is suggested to amend to “based on a trusted alternative site determination”.

Claim 20 is objected to because of the following informalities:   the claim recites “based on a trusted site determination”.  It is suggested to amend to “based on a trusted alternative site determination”.
 Appropriate corrections are required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 5-6 and 13-14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 5 and 13 recite the limitation "the entity”.  There is insufficient antecedent basis for this limitation in the claims.

Claims 6 and 14 recite the limitation "the one or more alternative entities”.  There is insufficient antecedent basis for this limitation in the claims.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 9 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Cameron et al. US2008/0289020 hereinafter referred to as Cameron, in view of Bjones et al. US2013/0276087 hereinafter referred to as Bjones, and Krstulich et al. US2009/0119182 hereinafter referred to as Krstulich.
As per claim 1, Cameron teaches an apparatus, comprising: a processor; a memory unit storing computer-executable instructions, which when executed by the processor, cause the apparatus to: receive a login request to perform a transaction between a user and a requesting site, the logon request comprising a token request (Cameron paragraph [0048], [0061]-[0063], request an identity token); 
generate a token based on the received logon request (Cameron paragraph [0064]-[0065], generate identity token).
Cameron does not explicitly disclose verify identity of user of transaction; 
based on identity verification of the user, transmit generated token to requesting site.  

based on identity verification of the user, transmit generated token to requesting site (Bjones paragraph [0099]-[0100], [0113]-[0114], [0119], [0121], [0137], authenticate user, generate token and transmit token to relying party).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Cameron with the teachings of Bjones to include authenticating the requesting user before issuing and transmitting a token in order to issue and release tokens for authorized users.
Cameron in view of Bjones does not explicitly disclose determine if requesting site is a trusted site; and 
based on a trusted site determination, transmit generated token to the requesting site.  
Krstulich teaches determine if requesting site is a trusted site (Krstulich paragraph [0018], [0022]-[0023], determine trusted path to send token)(It is obvious to one of ordinary skill in the art that if a trusted path exists the site is trusted and if a trusted path does not exist the site is not trusted); and 
based on a trusted site determination, transmit generated token to the requesting site (Krstulich paragraph [0018], [0021]-[0023], transmit token over trusted path).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Cameron in view of Bjones with the teachings of Krstulich to include determining and sending a token via a trusted path in order to prevent illegitimate sites from receiving the token.

As per claims 9 and 17, the claims claim a method and a non-transitory computer readable media essentially corresponding to the apparatus claim 1 above, and they are rejected, at least for the same reasons.

Claims 2-7, 10-15 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Cameron in view of Bjones and Krstulich, and further in view of Kuehr-McLaren et al. US2005/0102195 hereinafter referred to as Kuehr-McLaren.
As per claim 2, Cameron in view of Bjones and Krstulich teaches the apparatus of claim 1.
Cameron in view of Bjones and Krstulich does not explicitly disclose wherein computer-executable instructions, when executed by processor, further cause apparatus to: compare a privacy preference of user and a privacy policy of requesting resource; and based on a determination that the privacy policy is not compatible with the privacy preference of the user, determine one or more alternative resources for completing transaction and transmit a response indicating the one or more alternative resources.  
Kuehr-McLaren teaches wherein computer-executable instructions, when executed by processor, further cause apparatus to: compare a privacy preference of user and a privacy policy of requesting resource; and based on a determination that the privacy policy is not compatible with the privacy preference of the user, determine one or more alternative resources for completing transaction and transmit a response indicating the one or more alternative resources (Kuehr-McLaren paragraph [0039], [0041], [0046], [0053], show resources that match the users privacy preference).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Cameron in view of Bjones and Krstulich with the teachings of Kuehr-McLaren to include comparing privacy policy to user’s preference and showing alternatives that matches user’s preference in order to enhance the user’s control of their own data and to indicate to the user the sites privacy use information.

As per claim 3, Cameron in view of Bjones, Krstulich and Kuehr-McLaren teaches the apparatus of claim 2, wherein the computer-executable instructions, when executed by the processor, further cause the apparatus to: after sending the response indicating the one or more alternative sites for completing the transaction, receive a second request comprising an alternative login request to perform a transaction between a user and an alternative requesting site (Cameron paragraph [0048], [0061]-[0063], request access; Kuehr-McLaren paragraph [0039]-[0040], [0053], user selects one of the alternative resources).  

As per claim 4, Cameron in view of Bjones, Krstulich and Kuehr-McLaren teaches the apparatus of claim 3, wherein the computer-executable instructions, when executed by the processor, further cause 
generate a token based on the received alternative logon request (Cameron paragraph [0064]-[0065]; Kuehr-McLaren paragraph [0039]-[0040], [0053]); 
determine if the alternative requesting site is an alternative trusted site (Cameron paragraph [0048], [0061]-[0063]; Krstulich paragraph [0018], [0022]-[0023], determine trusted path to send token; Kuehr-McLaren paragraph [0039]-[0040], [0053]); and 
based on a trusted alternative site determination and identity verification of the user, transmit the generated token to the alternative requesting site (Cameron paragraph [0048], [0061]-[0063], [0065], transmit token; Krstulich paragraph [0018], [0021]-[0023], transmit token over trusted path; Bjones paragraph [0099]-[0100], [0113]-[0114], [0119], [0121], [0137], authenticate user, generate token and transmit token to relying party; Kuehr-McLaren paragraph [0039]-[0040], [0053]).  

As per claim 5, Cameron in view of Bjones, Krstulich and Kuehr-McLaren teaches the apparatus of claim 2, wherein the computer-executable instructions, when executed by the processor, cause the apparatus to determine the one or more alternative sites for completing the transaction, by causing the apparatus to: retrieve, from storage, indications of the one or more alternative sites, wherein the storage comprises an association between the entity and the one or more alternative sites (Cameron paragraph [0061]; Kuehr-McLaren paragraph [0033], [0038]-[0039], retrieve from storage a list of resources).  

As per claim 6, Cameron in view of Bjones, Krstulich and Kuehr-McLaren teaches the apparatus of claim 2, wherein the response comprises, for each of the one or more alternative entities, an indication of a relative compatibility of a corresponding privacy policy with the privacy preference (Kuehr-McLaren Fig. 8, paragraph [0053]).  

As per claim 7, Cameron in view of Bjones, Krstulich and Kuehr-McLaren teaches the apparatus of claim 6, wherein the indication of the relative compatibility comprises an indication associated with each of a plurality of privacy categories (Kuehr-McLaren Fig. 8, paragraph [0053]).  

As per claims 10-15 and 18-20, the claims claim a method and a non-transitory computer readable media essentially corresponding to the apparatus claims 2-7 above, and they are rejected, at least for the same reasons.

Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Cameron in view of Bjones, Krstulich and Kuehr-McLaren, and further in view of Tsai US2017/0193624.
As per claim 8, Cameron in view of Bjones, Krstulich and Kuehr-McLaren teaches the apparatus of claim 7, wherein the plurality of privacy categories comprises a data collected category, a data sharing category, an opt in/out category (Kuehr-McLaren Fig. 3, Fig. 8).  
Cameron in view of Bjones, Krstulich and Kuehr-McLaren does not explicitly disclose privacy category comprises a data deletion category.
Tsai teaches privacy category comprises a data deletion category (Tsai Fig. 2, paragraph [0027], [0030], data deletion).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Cameron in view of Bjones, Krstulich and Kuehr-McLaren with the teachings of Tsai to include a privacy data deletion policy in order to enhance the user’s control of their own data and to indicate how long user’s data are retained and if the data can be deleted.

As per claim 16, the claim claims a method essentially corresponding to the apparatus claim 8 above, and is rejected, at least for the same reasons.




Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY TSANG whose telephone number is (571)270-7959.  The examiner can normally be reached on M-F 8am - 5pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/HENRY TSANG/Primary Examiner, Art Unit 2495