DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 26, 28, 30-35, 37, 39-43, 45 and 47-50 have been examined.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/13/2020 has been entered.

Response to Amendment
Claims 1-25, 27, 29, 36, 38, 44 and 46 have been cancelled.
Claims 26, 35, 43 and 47-50 have been amended. 
Applicant’s arguments with respect to claims 26, 35 and 43 regarding the new limitations: “obtain a request from a content provider to execute an application using the TEE; verify that the application is safe to execute within the TEE; in response to verification that the application is safe to execute, execute the application to sanitize first user data to de-identify or uncorrelate the first user data from the user, prior to transmission of the first user data to the content provider”, have been considered but are moot because of the new ground of rejection presented in the current rejection.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 26, 35 and 43 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Claim 26 recites the limitations: “obtain a request from a content provider to execute an application using the TEE; verify that the application is safe to execute within the TEE; in response to verification that the application is safe to execute, execute the application to sanitize first user data to de-identify or uncorrelate the first user data from the user, prior to transmission of the first user data to the content provider”. The examiner has not found support for these limitations in the specification of the instant application. Paragraphs [0025], [0040] and [0044] of the pg-pub specification of the instant application describe sanitizing feedback to remove private and/or confidential user data from the feedback. [0044]: “A determination may then be made in operation 830 as to whether the feedback comprises private and/or confidential user data. If in operation 830 it is determined that the feedback comprises private and/or confidential user data, then in operation 834 the feedback may be filtered and/or sanitized to remove private and/or confidential user data”, i.e., the specification recites that the TEE module sanitizes feedback to remove private and/or confidential user data from the feedback.
However, the examiner did not find any part of the description that supports: “obtain a request from a content provider to execute an application using the TEE; verify that the application is safe to execute within the TEE; in response to verification that the application is safe to execute, execute the application to sanitize first user data”. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 26, 28, 30-33, 35, 37, 39-41, 43, 45 and 47-49 are rejected under 35 U.S.C. 103 as being unpatentable over prior art of record US 20110282964 to Krishnaswamy et al (hereinafter Krishnaswamy), prior art of record US 20100293049 to Maher et al (hereinafter Maher), prior art of record US 20140274031 to Jose Menendez (hereinafter Menendez), prior art of record US 9589149 to Livshits et al (hereinafter Livshits), US 20130152180 to Nair et al (hereinafter Nair) and US 20140006140 to Craig Pisaris-Henderson (hereinafter Henderson).
As per claims 26, 35 and 43, Krishnaswamy teaches:
A device configured for privacy enforcement, comprising: communication circuitry to receive messages from content providers; user interface circuitry to present content to a user; and a trusted execution environment (TEE) comprising secured memory circuitry and secured processing circuitry (Krishnaswamy: [0068]-[0069]: the present disclosure can provide a variety of solutions to deliver targeted content to wireless access terminals (W-ATs), e.g., cellular phones, while paying attention to privacy concerns. It was well known to one of ordinary skill in the art before the effective filing date of the claimed invention that cellular phones include communication and user interface circuitry. [0220] An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium), the TEE being to: 
sanitize first user data to de-identify or uncorrelate the first user data from the user, prior to transmission of the first user data to the content provider (Krishnaswamy: [0116]: Before a request is received by a profile attribute processor 270, synthesized profile attributes may be gathered at the relevant W-AT, and sent to the profile attribute processor 270. [0117]: In order to maintain user privacy, some form of data scrambling, e.g., a hashing function and a number of other tools may be employed via a device, such as the one-way hash function generator. In operation, it is possible to use a hash function at a W-AT to hide the user's identity from the rest of the M-TCM-PS network. [0118] In various operations, a hashing function employed in a W-AT can generate a predictable and unique, but anonymous, value associated with a particular user. Such an approach can enable the W-AT to query external servers without compromising on the privacy of the user. [0120] Once a hashed value is generated, the hashed value may be used as an alternate user identifier for the W-AT and provided, along with geographic information or some or items of information from a user profile to a remote apparatus, i.e., the user’s data is uncorrelated with the user’s identity prior to being transmitted to the remote apparatus); 
transfer a message received from the content provider via the communication circuitry to the secured memory circuitry, the message including content and further including metadata comprising public routing data and encrypted private criteria (Krishnaswamy: [0077]: The message delivery infrastructure 150 can provide the W-AT 100 with the appropriate TCMs, and metadata for the TCMs. [0036] TCM--Targeted-Content-Message. An advertisement can be an example of a Targeted-Content-Message. [0060] Advertisement Targeting Rules--These may include rules to target an advertisement towards a particular segment of users. Advertisement Targeting Rules are an example of TCM Targeting Rules. Also, [0171]. Including public routing data in the metadata of a message was well known to one of ordinary skill in the art before the effective filing date of the claimed invention): 
determine, via the secured processing circuitry and based at least in part on one or more of the decrypted private criteria and second user data previously stored via the secured memory circuitry, relevance of the content to the user (Krishnaswamy: [0044]-[0045], [0133], [0137]: New content as it arrives on the mobile device could be accordingly filtered, so that relevant information can be presented to the user. The learning and/or prediction engines could utilize meta-data. [0147]: This user preference model is used as an input to prediction engine 520 which also receives information, including meta-data, related to new information, and correlates the meta-data/information with the learned user preference model, to output a predicted user match indicator for the new information); 
Krishnaswamy teaches determining relevance of content to the user based on metadata and user preferences and displaying content that is within a threshold of acceptance but does not teach: a trusted execution environment (TEE) comprising secured memory circuitry and secured processing circuitry; obtain a request from a content provider to execute an application using the TEE; verify that the application is safe to execute within the TEE; in response to verification that the application is safe to execute, execute the application to sanitize first user data to de-identify or uncorrelate the first user data from the user; transfer a message received from a content provider via the communication circuitry to the secured memory circuitry; further including metadata comprising encrypted private criteria: wherein the encrypted private criteria include criteria for matching content to the user based on second user data that is not shared external to the TEE; decrypt the encrypted private criteria via the secured processing circuitry; determine, via the secured processing circuitry and based at least in part on one or more of the decrypted private criteria and second user data previously stored via the secured memory circuitry, relevance of the content to the user; personalize the content based on personalization criteria included in at least a portion of the second user data previously stored via the secured memory circuitry; and cause the personalized content to be presented to the user via the user interface circuitry based on the determined relevance. However, Maher teaches:
a trusted execution environment (TEE) comprising secured memory circuitry and transfer a message received from a content provider via the communication circuitry to the secured memory circuitry (Maher: [0048]: system 200 might comprise an embodiment of an end user's device 101. [0051]: For example, cryptographic mechanisms such as encryption, digital signatures, digital certificates, message authentication codes, and the like can be employed, e.g., as described in the '693 application, to protect the DRM engine, host application, and/or other system software or hardware from tampering and/or other attack, as could structural and/or tactical security measures such as software obfuscation, self-checking, customization, watermarking, anti-debugging, and/or other mechanisms. In addition, physical security techniques (e.g., the use of relatively inaccessible memory, secure processors, secure memory management units, hardware-protected operating system modes, and/or the like) can be used to further enhance security. [0052]: For example, a device or application may be required to implement the DRM engine in a way that is compatible with other implementations in the environment, and/or may be required to provide a certain type or level of tamper resistance or other security. [0208] Ads and Media may be streamed, with only the trusted DRM objects delivered to the client depending on the local storage constraints. These objects may be pre-parsed and pre-verified and cached in a secure storage or database locally in order to optimize the performance).
wherein the encrypted private criteria include criteria for matching content to the user based on second user data that is not shared external to the TEE (Maher: [0069] Finally, devices may collect other attributes from various user events, which can, for example, include metrics or attributes derivable from the user's history of interactivity with ads, purchasing history, browsing history, content rendering history, etc. In addition, a variety of environmental attributes may also be available, such as time of day, geographic location, etc. In some embodiments, this information is not made available outside of the device. [0088]: In another example, user John Doe decides to play a content clip consisting of highlights from a sporting event. The clip defines two ad slots. When the clip is selected to play, the client platform performs local ad matching and identifies a number of ads from its local ad repository that match the rendering criteria (which might include, e.g., demographic, geographic, behavioral, contextual and past transactional information, etc.). The controls representing the rules associated with the selected ads are chosen and evaluated by the underlying runtime engine. [0049]: In some embodiments, DRM engine 232 may comprise, interoperate with, and/or control a variety of other modules, such as a virtual machine 222 for executing control programs. [0218] In one embodiment, the User Categories are stored in the DRM engine's secure state database, and have the PUBLIC_READ flag set for them to provide read only access to all other Control programs to this data, i.e., the user data is not shared outside the DRM engine. [0509]-[0510], [0514]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Maher in the invention of Krishnaswamy to include the above limitations. The motivation to do so would be to enable the monetization of content distribution by efficiently matching user-targeted ads at the time and/or point of content consumption (Maher: [0005]).
Krishnaswamy in view of Maher teaches criteria for matching content to the user based on user data but does not teach: metadata comprising encrypted private criteria; decrypt the encrypted private criteria via the secured processing circuitry and determine, via the secured processing circuitry and based at least in part on one or more of the decrypted private criteria and second user data previously stored via the secured memory circuitry, relevance of the content to the user. However, Menendez teaches:
further including metadata comprising encrypted private criteria (Menendez: [0040]: metadata within the broadcast signals may be encrypted, encoded, or otherwise obscured); 
decrypt the encrypted private criteria via the secured processing circuitry (Menendez: [0040]: Mobile devices may decode, decrypt, or validate obscured information based on stored tables); 
determine, via the secured processing circuitry and based at least in part on one or more of the decrypted private criteria and second user data previously stored via the secured memory circuitry, relevance of the content to the user (Menendez: [0051]: the mobile device may process the received signal, evaluate any included metadata, and determine whether the signal includes passive data relevant to the mobile device. [0102]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Menendez in the invention of Krishnaswamy in view of Maher to include the above limitations. The motivation to do so would be so that identification information may not be spoofed (Menendez: [0040]).
Krishnaswamy in view of Maher and Menendez does not teach: personalize the content based on personalization criteria included in at least a portion of the second user data previously stored via the secured memory circuitry; and cause the personalized content to be presented to the user via the user interface circuitry based on the determined relevance. However, Livshits teaches:
personalize the content based on personalization criteria included in at least a portion of the second user data previously stored via the secured memory circuitry; and cause the personalized content to be presented to the user via the user interface circuitry based on the determined relevance (Livshits: column 9, lines 49-65: For example, to achieve automatic personalization, the WINDOWS PHONE C# framework may be altered to reorder lists in the application UI, based on the persona weights. For legacy applications such as news readers, this has the effect of not only reordering the order in which stories are displayed (e.g., stories more relevant to the user's interests are shuffled to the top), but also reordering entire categories of subjects such that the "technology news" category page of a news reader app appears earlier in the menu than the "arts section" for a technophile. Column 15, lines 15-55: FIGS. 5a-5c depict example user views of example personalized presentations of Rich Site Summary (RSS) feeds. For example, FIG. 5a illustrates an example device 502 displaying RSS feed text portions 504a, 504b, 504c, 504d, with no personalization applied. In FIG. 5b, the same set of stories is sampled according to the interests of a soccer mom persona column (row) of the built-in table, which places an emphasis on Health and Entertainment stories, resulting in a display of RSS feed text portions 510a, 510b, 510c, 510d, with personalization applied. Similarly, FIG. 5b shows the same set of stories sampled by the interests of a "technophile" column (row), resulting in a display of RSS feed text portions 512a, 512b, 512c, 512d, with personalization applied. Column 11, lines 12-57: These signals demonstrate an advantage of performing signal capture at the Operating System level: since the OS and framework have a high level of privilege, the user may already trust these components to handle personal data. As such, the signal capture mechanisms are already within the user's trusted computing base. Also, column 5, lines 21-34: store the user profile attributes 110 in a memory 114).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Livshits in the invention of Krishnaswamy in view of Maher and Menendez to include the above limitations. The motivation to do so would be to provide techniques for maintaining user data on a user device (e.g., a mobile device), under the control of the user (Livshits: column 3, lines 64-66).
And, Nair teaches:
obtain a request from a content provider to execute an application using the TEE; verify that the application is safe to execute within the TEE; in response to verification that the application is safe to execute, execute the application (Nair: [0019]: The DRM client is distributed as firmware and resides in flash memory of the device 12. The device manufacturer uses a private key PrK to generate a signature of the firmware in the factory. This signature is verified at each boot. The DRM client is verified as part of the firmware. [0020]: The DRM agent 48 uses client-certificates for mutual authentication when talking to the backend 10 for verifying trust and obtaining rights object containing licenses pertaining to the specific device and the media selected. [0027] 4. Use the verified first boot code to load DRM client code (portions 42 and 50 as well as DRM agent 48) from the flash memory to a secure location and verify its signature. This verification may use a similar digital signature scheme, but in this case using a secondary PuK that is stored in the first boot code. This verification is trusted because the first boot code performing this operation was verified in the preceding step. A match of digital signatures indicates that the DRM client code is authentic and not tampered with. Also, claim 1);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Nair in the invention of Krishnaswamy in view of Maher, Menendez and Livshits to include the above limitations. The motivation to do so would be to establish trust between a computerized device (also called a "client device") and a server system for digital rights management (DRM) (also referred to as a DRM server or "backend") (Nair: [0001]).
And, Henderson teaches:
execute the application to sanitize first user data to de-identify or uncorrelate the first user data from the user (Henderson: [0032]: the software embedded in the delivered advertisement may include instructions that allow the tracking and reporting of cursor position, such as to the advertising server 110. This client computer may provide data regarding cursor coordinates, time stamps, and the like, which are readily accessible parameters on a typical graphical user interface in a client computer or mobile device. This information can be sent to a cursor metrics analytics engine 145 residing in the advertising server 110, or other computer server, without requiring personal identifying information (PII) and still provide useful feedback regarding the performance of the advertisement. Claim 1: sending instruction code from a server to a user device, the instruction code operable to collect cursor information related to a cursor position and dwell time on a display of the user device. Claim 3: further comprising the step of removing personal identifying information before receiving from the user device the cursor information to protect personal identity).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Nair in the invention of Krishnaswamy in view of Maher, Menendez and Livshits to include the above limitations. The motivation to do so would be to protect personal identity (Henderson: claim 3).

As per claims 28, 37 and 45, Krishnaswamy in view of Maher, Menendez, Livshits, Nair and Henderson teaches:
The device of claim 26, wherein the private criteria comprises dimension matching criteria including instructions for determining the relevance of the content (Krishnaswamy: [0147]: This user preference model is used as an input to prediction engine 520 which also receives information, including meta-data, related to new information, and correlates the meta-data/information with the learned user preference model, to output a predicted user match indicator for the new information. This user match indicator can then be used as a factor in determining whether or not the information is presented to the user. Menendez: [0051]: the mobile device may process the received signal, evaluate any included metadata, and determine whether the signal includes passive data relevant to the mobile device. [0102]).

As per claims 30, 39 and 47, Krishnaswamy in view of Maher, Menendez, Livshits, Nair and Henderson teaches:
The device of claim 26, wherein the TEE is further to cause additional content to be presented via the user interface circuitry based on counter offer criteria included in the private criteria, the counter offer criteria including instructions for presenting additional content based on the interaction between the user and the presented content (Krishnaswamy: [0066] TCM Telescoping--A display or presentation function for a TCM whereby additional presentation material may presented to a user in response to a user request. [0067] Advertisement Telescoping--An advertisement display or presentation function whereby additional presentation material may be presented to a user in response to a user request. Advertisement Telescoping is an example of TCM telescoping. [0127] By monitoring the user's "click" response in relation to a general population or even a targeted population of advertisements/messages/TCMs, an initial assessment of the user's interests can be obtained. [0130] In various exemplary embodiments, a "keyword correlation engine" embedded on a message delivery system and/or W-AT may track the total number of times a particular message/advertisement/TCM may presented (or forwarded) to a user with a particular keyword (for example, N_total-keyword) along with the total number of clicks for that keyword (for example, N_click-keyword). [0134] In step 470, those targeted "messages" deemed to match within a threshold of acceptance may be forward and/or displayed to the user.). 

As per claims 31, 40 and 48, Krishnaswamy in view of Maher, Menendez, Livshits, Nair and Henderson teaches:
The device of claim 26, wherein the private criteria comprises feedback criteria including instructions for collecting the feedback data based on at least one of the user data and interaction between the user and the presented content, the TEE being further to: cause the feedback data to be collected based on the interaction; and cause the feedback data to be transmitted to at least the content provider (Krishnaswamy: [0075]: Some of the collected metrics/data may be transferred to the metric reporting agent 126 and/or to the W-AT's data service layer 130 (via the metric collection agent 120), without exposing individually identifiable customer information, for further distribution to the rest of the M-TCM-PS. [0076] The transferred metrics/data may be provided through the RAN 190 to the message delivery infrastructure 150. The message delivery infrastructure 150 can receive the metrics/data at a data service layer 180, which in turn may communicate the received metrics/data to a number of metrics/data collection servers (here metric collection agent 178) and/or software modules. [0216] Accordingly, a feedback mechanism with various sources and levels of "processed" information can be devised for determining what information is to be disseminated to the user). 

As per claims 32, 41 and 49, Krishnaswamy in view of Maher, Menendez, Livshits, Nair and Henderson teaches:
The device of claim 31, wherein the feedback data comprises at least privacy protected data resulting from the interaction and sanitized user data, the TEE being further to cause the communication circuitry to transmit the privacy protected data to the content provider and to transmit the sanitized user data to an anonymous data accumulator (Krishnaswamy: [0116]: Before a request is received by a profile attribute processor 270, synthesized profile attributes may be gathered at the relevant W-AT, and sent to the profile attribute processor 270. [0117]: In order to maintain user privacy, some form of data scrambling, e.g., a hashing function and a number of other tools may be employed via a device, such as the one-way hash function generator. In operation, it is possible to use a hash function at a W-AT to hide the user's identity from the rest of the M-TCM-PS network. [0118] In various operations, a hashing function employed in a W-AT can generate a predictable and unique, but anonymous, value associated with a particular user. Such an approach can enable the W-AT to query external servers without compromising on the privacy of the user. [0120] Once a hashed value is generated, the hashed value may be used as an alternate user identifier for the W-AT and provided, along with geographic information or some or items of information from a user profile to a remote apparatus). 

As per claim 33, Krishnaswamy in view of Maher, Menendez, Livshits, Nair and Henderson teaches:
The device of claim 26, further comprising data collection circuitry to collect the user data from at least one of user interaction with the device, sensors in the device or data sources outside of the device (Krishnaswamy: [0107]: For example, multiple clicks on the same advertisement may indicate to a user profile agent an interest level associated with the associated keywords and advertisement. On the same lines, games and music of interest to the user can be maintained at the W-AT. [0122] One of the potential inputs in a match indicator calculation described above may be a correlation value derived between the previous messages viewed, i.e. a "viewing history" of the user and new messages. Also, [0127]-[0128]).

Claims 34, 42 and 50 are rejected under 35 U.S.C. 103 as being unpatentable over Krishnaswamy in view of Maher, Menendez, Livshits, Nair and Henderson as applied to claims 26, 35 and 43 above, and further in view of prior art of record US 20130263018 to Xiong et al (hereinafter Xiong).
As per claims 34, 42 and 50, Krishnaswamy in view of Maher, Menendez and Livshits does not teach: wherein the TEE is further to cause the user interface circuitry to present a notification informing the user regarding availability of the content. However, Xiong teaches:
wherein the TEE is further to cause the user interface circuitry to present a notification informing the user regarding availability of the content (Xiong: [0063]: In some implementations, the social networking dashboard application can provide a visual or audio alert to indicate incoming new media content).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Xiong in the invention of Krishnaswamy in view of Maher, Menendez, Livshits, Nair and Henderson to include the above limitations. The motivation to do so would be to extract media content from social networking services and present the extracted content to an IPTV user in a personalized and easy-to-consume manner (Xiong: [0002]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359.  The examiner can normally be reached on 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


MADHURI R. HERZOG
Primary Examiner
Art Unit 2438


