DETAILED ACTION
Acknowledgements
Claims 1-19 are pending.
Claims 3-12 and 14-15 are withdrawn.
Claims 1-2, 13, and 16-19 have been examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Election/Restrictions
Claims 3-12 and 14-15 are withdrawn from further consideration pursuant to 37 CFR 1.142(b), as being drawn to a nonelected species, there being no allowable generic or linking claim. Applicant timely traversed the restriction (election) requirement in the reply filed on 1/15/2020.
Applicant's election with traverse of Species E in the reply filed on 1/15/2020 is acknowledged.  The traversal is on the ground that applicant does not believe that consideration of Species A-D and the unelected claims would result in an undue burden.  This is not found persuasive because each of the species is directed to different characteristics that would require a different field of search (e.g., searching different classes/subclasses or electronic resources, or employing different search queries), and the prior art applicable to one species would not likely be applicable to another species. For example, species A and its corresponding claims recite features 
The requirement is still deemed proper and is therefore made FINAL.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-2, 13, and 16-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
In the instant case, claims 1-2 and 13 are directed to a system comprising a server and a processor and claims 18-19 are directed to a method. Therefore, these claims fall within the four statutory categories of invention. Claims 16-17 are directed to a system comprising a server and a virtual machine. As further described in the separate rejection below, these claims do not fall within the four statutory categories of invention because the claims read on a transitory signal. However, the remainder of the analysis below is also applied to these claims because it would be applicable if the claims were amended to fall within the four statutory categories of invention.
The claims recite using a token to control access to personal identifiable information, which is an abstract idea. Specifically, the claims recite “receive the PII of the user, a token key, an authorized time frame identifier for a request of service, and service provider identifier from the user,” “generate a secure system token based upon the received PII, token key, authorized time frame identifier and service provider identifier,” “wherein: . . . sends the token to the user, and . . . receiving the token, the token key and a request for service from the service provider . . . in response to a request for service which includes the token and the token key received from the service provider. . . based upon the request for service requested by the user from the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52, 54 (January 7, 2019)) because it describes a process for protecting sensitive information by providing permission for a service provider to access certain portions of a customer’s personal identifiable information when providing a service to the customer, which is a commercial or legal interaction. Accordingly, the claims recite an abstract idea (See pages 7, 10, Alice Corporation Pty. Ltd. v. CLS Bank International, et al., US Supreme Court, No. 13-298, June 19, 2014; 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 53-54 (January 7, 2019)).
This judicial exception is not integrated into a practical application because, when analyzed under prong two of step 2A of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 54-55 (January 7, 2019)), the additional elements of the claims such as a server, a processor, a service provider computing device, and a virtual machine merely use a computer as a tool to perform an abstract idea and/or generally link the use of a judicial exception to a particular technological environment. Specifically, these additional elements perform the steps or functions of “receive the PII of the user, a token key, an authorized time frame identifier for a request of service, and service provider identifier from the user,” “generate a secure system token based upon the received PII, token key, authorized time frame 
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when analyzed under step 2B of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52, 56 (January 7, 2019)), the additional elements of using a server, processor, service provider computing device, and a virtual machine to perform the steps amounts to no more than using a computer or processor to automate and/or implement the abstract idea of using a token to control access to personal identifiable information. As discussed above, taking the claim elements separately, the server, processor, service provider computing device, and virtual machine perform the steps or functions of “receive the PII of the user, a token key, an authorized time frame identifier for a request of service, and service provider identifier from the user,” “generate a secure system token based upon the received PII, token key, authorized time frame identifier and service provider identifier,” “wherein: . . . sends the token to the user, and . . . receiving the token, the token key and a request for service from the service provider . . . in response to a request for service which includes the token and the token key received from the service provider. . . based upon the request for service requested by the user from the service provider” “. . . reverse engineering the PII based upon the received request for service from the service provider . . .,” “and . . . sending the reverse engineered PII to the authorized PII entity or back to the service provider . . . to complete the request for service.” These functions correspond to the actions required to perform the abstract idea. Viewed as a whole, the combination of elements recited in 
Dependent claims 2, 13, 17, and 19 further describe the abstract idea of using a token to control access to personal identifiable information. The dependent claims do not include additional elements that integrate the abstract idea into a practical application or that provide significantly more than the abstract idea. Therefore, the dependent claims are also not patent eligible.

Claims 16-17 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claims do not fall within at least one of the four categories of patent eligible subject matter because the claims read on a transitory signal.
Claim 16 is directed to a transitory signal as it recites “[a] secure processing system . . . comprising: the virtual machine.” Because a virtual machine is software, and it is recited as an element of the system without any non-transitory medium on which the software is stored, the virtual machine is transitory. Additionally, because the claim as a whole only exists when all of its elements exist, and the claim includes a transitory element (i.e., “the virtual machine”), the claim as a whole is transitory.
In re Nuijten, Docket no. 2006-1371 (Fed. Cir. Sept. 20, 2007)(slip. op. at 18).
Claim 17 is also rejected as it depends on claim 16.

	
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-2, 13, 16-17, and 18-19 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the 

Lack of Algorithm
Claims 1, 16, and 18 recite “the processor reverse engineering the PII based upon the received request for service from the service provider computing device.” Claim 13 also recites “the processor reverse engineers the original PII using the encrypted token data and the proprietary data.” However, the specification does not disclose the particular steps or algorithm that “reverse engineering” comprises. The specification states that “[t]he decoding algorithm 249 asks the database server 250 for the encrypted token data 252. The decoding algorithm 249 will then ask the storage server 270 to retrieve the proprietary data 272. The decoding algorithm 249 will then decrypt the token encrypted data using the encrypted token data key 257 along with decrypting the proprietary data 272 using the proprietary data key 258 and use this information along with the token 212 to reverse engineer the PII 112” (PGPub of specification Fig. 9, ¶ 39). This disclosure states that the token encrypted data and the proprietary data are used along with the token to reverse engineer the PII, but does not describe what it means to “reverse engineer” the PII, or what the algorithm or steps for reverse engineering the PII are. (MPEP 2161.01)
Claims 2, 13, 17, and 19 are also rejected as each depends on either claim 1, 16, or 18.
Claim 13 recites “encodes the reversed engineered original PI to generate the new token.” However, the specification does not disclose the steps or algorithm involved 
Claims 2, 17, and 19 recite “the secure processing system never stores the PII.” Although the specification repeats this statement in paragraphs 8-9 of the PGPub, the specification also states that the database of the secure processing system stores encrypted token data that is decrypted and used to obtain the PII (See PGPub of Specification ¶¶ 31, 37-39). This contradicts the statement that “the secure processing system never stores the PII,” because if the encrypted token data can be decrypted to obtain the PII, then the PII is stored in the system in encrypted form. The specification does not provide a description of the particular steps or algorithm by which the system would never store the PII, but at the same time be able to obtain the PII based on the stored data. (MPEP 2161.01)


The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-2, 13, 16-17, and 18-19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Lack of Antecedent Basis
Claims 1, 16, and 18 recite the limitation "the request for service requested by the user" in lines 12, 13, and 11 of each claim, respectively. There is insufficient antecedent basis for this limitation in the claim. Each claim previously recites “a request of service,” as well as “a request for service from the service provider,” and “a request for service which includes the token . . . .” However, the claim does not previously recite a request for service requested by the user. Therefore, it is unclear which request for service this limitation refers to.
Claims 2, 13, 17, and 19 are also rejected as each depends on either claim 1, 16, or 18.
Claim 18 recites the limitation "the servier" in line 8 of the claim.  There is insufficient antecedent basis for this limitation in the claim.
Claim 19 is also rejected as it depends on claim 18.

Unclear Language
Claim 1 recites “a processor to generate a secure system token based upon the received PII, token key, authorized time frame identifier, and service provider identifier” and claim 16 recites “the virtual machine to generate a secure system token based upon the received PII, token key, authorized time frame identifier, and service provider identifier.” However, each claim previously recites “server to receive the PII of the user, a token key, an authorized time frame identifier for a request of service, and service provider identifier from the user.” Thus, the claim recites that the PII, token key, authorized time frame identifier, and service provider identifier are received by the server, and then recites that they are used by the processor (in claim 1) or virtual machine (in claim 16) to generate a secure system token. However, the claims do not recite that the processor and virtual machine receive these items from the server, or that the processor and virtual machine are part of the server. Therefore, the claim is unclear, because the processor and virtual machine cannot use the PII, token key, authorized time frame identifier, and service provider identifier, as the processor and virtual machine would not have access to these items if they are not provided to the processor by the server.
Claims 2, 13, and 17 are also rejected as each depends on either claim 1 or 16.
Claim 1 and 16 recite “the server receiving the token, the token key and a request for service from the service provider computing device in response to a request for service . . . received from the service provider computing device.” Claim 18 recites “receiving, using the server, the token, the token key and a request for service from the 
Claims 2, 13, 17, and 19 are also rejected as each depends on either claim 1, 16, or 18.
Claims 1, 16, and 18 recite “in response to a request for service.” It is unclear whether this describes “the server sends the token to the user,” “the server receiving the token,” or both of these acts.
Claims 2, 13, 17, and 19 are also rejected as each depends on either claim 1, 16, or 18.
Claims 1, 16, and 18 recite “based upon the request for service requested by the user from the service provider computing device.” It is unclear whether this describes “the server receiving the token” based upon the request for service, or whether it describes “received from the service provider computing device” based upon the request for service.
Claims 2, 13, 17, and 19 are also rejected as each depends on either claim 1, 16, or 18.
An essential purpose of patent examination is to fashion claims that are precise, clear, correct, and unambiguous. Only in this way can uncertainties of claim scope be removed (In re Zletz, 13 USPQ2d 1320 (Fed. Cir. 1989)).

Hybrid Language
Claims 1 and 16 make reference to multiple statutory classes of invention. A claim that purports to be within multiple statutory classes is ambiguous and is properly rejected under U.S.C. 112, second paragraph, for failing to particularly point out and distinctly claim the invention (MPEP 2173.05(p) (II), In re Katz Interactive Call Processing Patent Litigation, 97 USPQ2d 1737 (Fed. Cir. 2011); Rembrandt Data Technologies LP v. AOL LLC, 98 USPQ2d 1393 (Fed. Cir. 2011); IPXL Holdings LLC v. Amazon.com Inc., 77 USPQ2d 1140 (CA FC 2005); Ex Parte Lyell, 17 USPQ2d 1548 (B.P.A.I. 1990)).
Here, claims 1 and 16 are directed to “a secure processing system.” However, the claims also recite steps or acts that are performed by a user. Specifically, claims 1 and 16 recite “the request for service requested by the user.” The claims are indefinite under 112(b) because it is unclear whether infringement occurs when one possesses the claimed system (e.g. “a secure processing system”) or when the user uses the secure processing system to request a service. See MPEP 2173.05(p) (II), In re Katz Interactive Call Processing Patent Litigation, 97 USPQ2d 1737 (Fed. Cir. 2011).	
Claims 2, 13, and 17 are also rejected as each depends on either claim 1 or 16.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1 and 18 are rejected under 35 U.S.C. 102(a)(1) and (a)(2) as being anticipated by Nagasundaram, et al. (US 2015/0112870) (“Nagasundaram”).
Regarding claims 1 and 18, Nagasundaram discloses a secure processing system to protect personal identifiable information (PII) issued by an authorized PII entity to a user seeking to conduct a service with a service provider computing device of a service provider already registered with the secure processing system, comprising a server and a processor, and a method comprising:
receiving, through a server of the secure processing system, the PII of the user, a token key, an authorized time frame identifier for a request of service, and a service provider identifier from the user (Nagasundaram ¶¶ 71, 78-79, 88-90, 97, 101-104, 106, 107-108), 
generating, using a processor of the secure processing system, a secure system token based upon the received PII, token key, authorized time frame identifier and service provider identifier (Nagasundaram ¶¶ 78, 88-90, 97, 105-111);

reverse engineering, using the processor, the PII based upon the received request for service from the service provider computing device (Nagasundaram ¶¶ 125-129, 189), and 
sending, using the server, the reverse engineered PII to the authorized PII entity or back to the service provider computing device to complete the request for service (Nagasundaram ¶¶ 130, 190-197).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having 

Claims 2, 16-17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Nagasundaram in view of Rodriguez (US 2017/0286765).
Regarding claims 2, 17, and 19, Nagasundaram does not specifically disclose that the secure processing system never stores the PII.
Rodriguez discloses that the secure processing system never stores the PII (Rodriguez ¶¶ 101, 105-107, 116-119).
Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of Nagasundaram to include the secure processing system not storing the PII, as disclosed in Rodriguez, in order to allow for authenticating PII without the risk of the PII being stolen or misused (Rodriguez ¶¶ 2-3, 101).
Regarding claim 16, Nagasundaram discloses a secure processing system to protect personal identifiable information (PII) issued by an authorized PII entity to a user seeking to conduct a service with a service provider computing device of a service provider already registered with the secure processing system, service provider computing device comprising a machine, the secure processing system comprising:
a server to receive the PII, a token key, an authorized time frame identifier for a request of service, and a service provider identifier from the user (Nagasundaram ¶¶ 71, 78-79, 88-90, 97, 101-104, 106, 107-108), 
the machine to generate a secure system token based upon the received PII, token key, authorized time frame identifier and service provider identifier (Nagasundaram ¶¶ 78, 88-90, 97, 105-111);

the server sends the token to the user, and the server receiving the token, the token key and a request for service from the service provider computing device in response to a request for service which includes the token and the token key received from the service provider computing device based upon the request for service requested by the user from the service provider computing device (Nagasundaram ¶¶ 50-51, 88-90, 97, 112, 122-125), 
the machine reverse engineering the PII of the user based upon the received request for service from the service provider computing device (Nagasundaram ¶¶ 125-129, 189), and 
the server sending the reverse engineered PII to the authorized PII entity to complete the request for service (Nagasundaram ¶¶ 130, 190-197).
Nagasundaram does not specifically disclose that the machine is a virtual machine.
Rodriguez discloses the use of a virtual machine to perform the functions of a server (Rodriguez ¶¶ 35, 38, 50).
Therefore, it would have been obvious to one of ordinary skill to modify the server of Nagasundaram to perform the functions using a virtual machine, because doing so only involves simple substitution of one known method for running software on a server for another to yield a predictable result (KSR International Co. v. Teleflex Inc., 82 USPQ2d 1385 (U.S. 2007)), and also in order to allow the server to execute multiple operating systems to perform multiple functions (Rodriguez ¶ 50).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Nagasundaram in view of Grier, Sr. et al. (US 2017/0286765) (“Grier”).
Regarding claim 13, Nagasundaram discloses the processor determines if the user wants to create a new token based upon an existing token which represents the PII already registered with the secure processing system or create a new token which represents new PII that has not been registered with the secure processing system (Nagasundaram ¶¶ 71, 78-79, 88-90, 97, 101-104, 106, 107-108); if the processor determines that the user wants to create the new token representing new PII: the processor receives the new PI, encodes the new PII to generate the new token representing the new PII (Nagasundaram ¶¶ 78, 88-90, 97, 105-111).
Nagasundaram does not specifically disclose determining if the user wants to create a new token based upon an existing token which represents the PII already registered with the secure processing system, and if the processor determines that the user wants to create the new token based upon the existing token: the processor contacts a database server of the secure processing system to look up the existing token, and the database server returns encrypted token data, the processor contacts a data storage system of the secure processing system for proprietary data, and retrieves the proprietary data, the processor reverse engineers the original PII using the encrypted token data and the proprietary data, and encodes the reversed engineered original PI to generate the new token.
Grier discloses determining if the user wants to create a new token based upon an existing token which represents the PII already registered with the secure processing system, and if the processor determines that the user wants to create the new token 
Therefore, it would have been obvious to one of ordinary skill to modify the method of Nagasundaram to include creating a new token based upon an existing token, as disclosed in Grier, in order to allow the use of a different token for each request for service to prevent the unauthorized reuse of tokens (Grier ¶¶ 8, 62).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Mohammad A. Nilforoush whose telephone number is (571)270-5298.  The examiner can normally be reached on Monday-Friday 12pm-7pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John W. Hayes can be reached on 571-272-6708.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
/Mohammad A. Nilforoush/Primary Examiner, Art Unit 3685