DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to Application 16431786 filed on 06/05/2019.
Claims 1-20 have been examined and are pending in this application. 
This Office Action is made Non-Final.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/05/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Specification
The disclosure is objected to because of the following informalities: Specification Summary missing. Appropriate correction is required. See MPEP § 608.01(a).

	

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 7-15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hosp et al. (“Hosp,” US 20150332276, published on 11/19/2015) in view of Cockerill et al. (“Cockerill,” US 20180359244, published on 12/13/2018).
Regarding Claim 1; 

Hosp discloses a server comprising: a communications module; a processor coupled to the communications module (par 0141; a user interface module and a third party interface module [] modules executing on at least one hardware processor); and a memory coupled to the processor, the memory storing processor-executable instructions which, when executed, configure the processor to (par 0030; the memories can contain appropriate applications. The processors can be operative to execute one or more method steps): 
receive, from a remote computing device and via the communications module, a signal representing an indication of consent for an authenticated entity to share data with a third party server (par 0005; fig. 5; a user interface which presents the at least one entity which makes payments with the payment network with at least one selection providing consent to sharing of at least a portion of the transaction data with at least one third party; par 0057; a consumer's raw transaction data (with appropriate consents) can be provided from PNO to site); 
in response to receiving the indication of consent, issue an access token to the third party server (par 0057; fig. 5; a consumer's raw transaction data (with appropriate consents) can be provided from PNO to site; par 0099; after a cardholder approves an entity for data sharing or access to data, web server generates a secure token [] the entity sends a message with the secure token to web server),
the access token for accessing data associated with the authenticated entity (par 0099; the secure token is stored in a table in association with the cardholder's card number and is shared with the entity for use by the entity when requesting data from the data sharing platform).
Hosp discloses all the limitations as recited above, but does not explicitly disclose monitor a risk parameter associated with at least one of the third party server and the authenticated entity to detect a change in the risk parameter; determine, based on input received from the authenticated entity, that data sharing
However, in an analogous art, Cockerill discloses the use of a device risk evaluation system/method that includes:
 monitor a risk parameter associated with at least one of the third party server and the authenticated entity to detect a change in the risk parameter (Cockerill: par 0079; the service may be dynamically reconfigured periodically and/or in real-time as subsequent security evaluations are performed for mobile device. Also, if the risk state fails a threshold determination, then the user of mobile device may be alerted by a display or other communication on mobile device that the service is blocked);
determine, based on input received from the authenticated entity (Cockerill: par 0074; the security evaluation is based on data received from the mobile device; par 0080; if it is determined by evaluation server in a security evaluation, performed after a user has started receiving a service, that a risk level associated with mobile device exceeds a threshold or is otherwise un-trusted, then an open session of the user with the service from service provider can be closed), 
that data sharing with the third party server is to be modified based on the change in risk parameter (Cockerill: par 0074; the security evaluation is based on data received from the mobile device; par 0079; the service may be dynamically reconfigured periodically and/or in real-time as subsequent security evaluations are performed for mobile device; par 0080; if it is determined by evaluation server in a security evaluation, performed after a user has started receiving a service, that a risk level associated with mobile device exceeds a threshold or is otherwise un-trusted, then an open session of the user with the service from service provider can be closed); and 
modify the data sharing for the authenticated entity with the third party server by at least one of revoking the access token and modifying an access permission associated with the access token (Cockerill: par 0081; if it is determined by evaluation server that mobile device is not configured correctly or adequately as determined by a risk level [] denying access to certain services, revoking a token already in use by the device).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Cockerill with the method/system of Hosp to include monitor a risk parameter associated with at least one of the third party server and the authenticated entity to detect a change in the risk parameter; determine, based on input received from the authenticated entity, that data sharing with the third party server is to be modified based on the change in risk parameter; modify the data sharing for the authenticated entity with the third party server by at least one of revoking the access token and modifying an access permission associated with the access token. One would have been motivated to perform a security evaluation associated with access or attempted access by a computing device to a service (Cockerill: par 0004).

Regarding Claim 2;
Hosp in combination with Cockerill disclose the server of claim 1, 
(Hosp: par 0057; fig. 5; a consumer's raw transaction data (with appropriate consents) can be provided from PNO to site), store a score associated with the third party server (Hosp: par 0093; the cardholder selected parameters allowing only the merchant name be shared, the table is populated with a "1" in association the "merchant name parameter" and a "0" is populated in association with each other parameter); wherein determining that the data sharing with the third party server is to be modified (Hosp: par 0045; the consumer may decide to configure what subset of transactions he or she wishes to be posted to site [] the user is allowed to turn each category on or off with an associated button. The final choices can be saved with button or cleared to start again with button; par 0049; the consumer may change his or her preferences as to what types of transactions will be shared, where they will be shared, or whether they are to be shared at all). 
Hosp discloses determining that the data sharing with the third party server is to be modified as recited above, but does not explicitly disclose modified based on the change in risk parameter comprises comparing a difference between the stored score and a current score to a threshold, the threshold based on the input received from the authenticated entity.
However, in an analogous art, Cockerill discloses the use of a device risk evaluation system/method that includes:
modified based on the change in risk parameter comprises comparing a difference between the stored score and a current score to a threshold (Cockerill: par 0079; the service may be dynamically reconfigured periodically and/or in real-time as subsequent security evaluations are performed for mobile device; par 0080; if it is determined by evaluation server in a security evaluation, performed after a user has started receiving a service, that a risk level associated with mobile device exceeds a threshold or is otherwise un-trusted, then an open session of the user with the service from service provider can be closed; par 0126; the result may be compared with a threshold which is configured, or may be compared with a threshold percentile level for a comparable group of users or devices, for example this device's risk level is higher than a predetermined percentage of all peer group users); the threshold based on the input received from the authenticated entity (Cockerill: par 0074; the security evaluation is based on data received from the mobile device; par 0077; the security evaluation determines that a risk configuration of mobile device passes a security threshold).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Cockerill with the method/system of Hosp to include modified based on the change in risk parameter comprises comparing a difference between the stored score and a current score to a threshold, the threshold based on the input received from the authenticated entity. One would have been motivated to perform a security evaluation associated with access or attempted access by a computing device to a service (Cockerill: par 0004).

Regarding Claim 3; 
Hosp in combination with Cockerill disclose the server of claim 1, 
Hosp further discloses wherein the instructions further configure the processor to: receive the input from the authenticated entity, the input including a preference (Hosp: par 0057; fig. 5; a consumer's raw transaction data (with appropriate consents) can be provided from PNO to site; par 0045; the consumer may decide to configure what subset of transactions he or she wishes to be posted to site [] the user is allowed to turn each category on or off with an associated button); store the preference in the memory (Hosp: par 0045; the user is allowed to turn each category on or off with an associated button. The final choices can be saved with button); receive a further input from the authenticated entity, the further input including an updated preference (Hosp: par 0045; the consumer may decide to configure what subset of transactions he or she wishes to be posted to site [] the user is allowed to turn each category on or off with an associated button. The final choices can be saved with button or cleared to start again with button; par 0049; the consumer may change his or her preferences as to what types of transactions will be shared, where they will be shared, or whether they are to be shared at all), and wherein determining, based on input received from the authenticated entity, that data sharing with the third party server is to be modified (Hosp: par 0045; the consumer may decide to configure what subset of transactions he or she wishes to be posted to site [] the user is allowed to turn each category on or off with an associated button. The final choices can be saved with button or cleared to start again with button; par 0049; the consumer may change his or her preferences as to what types of transactions will be shared, where they will be shared, or whether they are to be shared at all). 
Hosp discloses data sharing with the third party server is to be modified as recited above, but does not explicitly disclose modified based on the change in risk parameter comprises determining that a risk profile associated with the third party server is not compliant with the updated preference.

modified based on the change in risk parameter comprises determining that a risk profile associated with the third party server is not compliant with the updated preference (Cockerill: par 0074; the security evaluation is based on data received from the mobile device; par 0079; the service may be dynamically reconfigured periodically and/or in real-time as subsequent security evaluations are performed for mobile device; par 0080; if it is determined by evaluation server in a security evaluation, performed after a user has started receiving a service, that a risk level associated with mobile device exceeds a threshold or is otherwise un-trusted, then an open session of the user with the service from service provider can be closed). 
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Cockerill with the method/system of Hosp to include modified based on the change in risk parameter comprises determining that a risk profile associated with the third party server is not compliant with the updated preference. One would have been motivated to perform a security evaluation associated with access or attempted access by a computing device to a service (Cockerill: par 0004).

Regarding Claim 4;
Hosp in combination with Cockerill disclose the server of claim 1, 
Cockerill further discloses wherein the determining that data sharing with the third party server is to be modified includes at least one of: determining that a data breach associated with the third party server has occurred; determining that (Cockerill: par 0039; the evaluation determines that the configuration is not secure, and the action is blocking access by the first computing device to the service; par 0081; if it is determined by evaluation server that mobile device is not configured correctly or adequately as determined by a risk level [] denying access to certain services; par 0125; determining of a risk result that is higher or lower than a threshold. This determination may be used to allow greater or fewer degrees of freedom regarding access to the service; par 0113; prior risk state determination that falls within a predetermined time period; par 0126; for example this device's risk level is higher than a predetermined percentage of all peer group users).  
One would have been motivated to perform a security evaluation associated with access or attempted access by a computing device to a service (Cockerill: par 0004).

Regarding Claim 5;
Hosp in combination with Cockerill disclose the server of claim 1, 
Cockerill further discloses wherein the instructions further configure the processor to: after detecting the change in the risk parameter, send, to the remote computing device (Cockerill: par 0080; determined by evaluation server in a security evaluation, performed after a user has started receiving a service, that a risk level associated with mobile device exceeds a threshold or is otherwise un-trusted [] identity provider can be notified of the change by evaluation server), a selectable option to modify a data sharing option associated with the third party server (Cockerill: par 0080; identity provider can be notified of the change by evaluation server. A level of access to the service can be decreased based on the newly-determined risk level); and receive a signal indicating selection of the selectable option (Cockerill: par 0081; if it is determined by evaluation server that mobile device is not configured correctly or adequately as determined by a risk level, various actions may be taken. For example, mobile device may be instructed to take a photo that is uploaded to server), and wherein the signal indicating selection of the selectable option is the input received from the authenticated entity that is used to determine that data sharing with the third party server is to be modified (Cockerill: par 0081; if it is determined by evaluation server that mobile device is not configured correctly or adequately as determined by a risk level, various actions may be taken. For example, mobile device may be instructed to take a photo that is uploaded to server, acquire a device location and upload to server, and/or erase sensitive data on mobile device. Other examples include disabling login credentials, instructing the user how to remediate the problem, allowing login by the user, but denying access to certain services, revoking a token already in use by the device, and/or changing a password for the service).
One would have been motivated to perform a security evaluation associated with access or attempted access by a computing device to a service (Cockerill: par 0004).

Regarding Claim 7;
Hosp in combination with Cockerill disclose the server of claim 1, 
wherein determining that data sharing with the third party server is to be modified comprises retrieving a stored risk profile for the authenticated entity (Cockerill: par 0202; where applications and data/information from mobile devices are shared via peer to peer communication connections; par 0081; if it is determined by evaluation server that mobile device is not configured correctly or adequately as determined by a risk level, various actions may be taken; par 0103; the network can consult a third-party risk service to retrieve the latest risk information about mobile device). 
One would have been motivated to perform a security evaluation associated with access or attempted access by a computing device to a service (Cockerill: par 0004).

Regarding Claim 8;
Hosp in combination with Cockerill disclose the server of claim 1, 
Cockerill further discloses wherein modifying the sharing of data with the third party server comprises revoking the access token (Cockerill: par 0202; where applications and data/information from mobile devices are shared via peer to peer communication connections; par 0081; if it is determined by evaluation server that mobile device is not configured correctly or adequately as determined by a risk level [] denying access to certain services, revoking a token already in use by the device).
One would have been motivated to perform a security evaluation associated with access or attempted access by a computing device to a service (Cockerill: par 0004).

Regarding Claim 9;
Hosp in combination with Cockerill disclose the server of claim 1, 
Cockerill further discloses wherein modifying the sharing of data with the third party server comprises modifying the access permission associated with the access token (Cockerill: par 0202; where applications and data/information from mobile devices are shared via peer to peer communication connections; par 0081; if it is determined by evaluation server that mobile device is not configured correctly or adequately as determined by a risk level [] denying access to certain services, revoking a token already in use by the device).
One would have been motivated to perform a security evaluation associated with access or attempted access by a computing device to a service (Cockerill: par 0004).

Regarding Claim 10;  
Hosp in combination with Cockerill disclose the server of claim 1, 
Cockerill further discloses wherein the instructions further configure the processor to: determine, based on a type associated with a detected condition, whether access to data is to be revoked or reduced (Cockerill: par 0119; the service provider can configure a policy regarding the type of data that is sent by evaluation server; par 0081; if it is determined by evaluation server that mobile device is not configured correctly or adequately as determined by a risk level, various actions may be taken. For example, mobile device may be instructed to take a photo that is uploaded to server, acquire a device location and upload to server, and/or erase sensitive data on mobile device. Other examples include disabling login credentials, instructing the user how to remediate the problem, allowing login by the user, but denying access to certain services, revoking a token already in use by the device). 
One would have been motivated to perform a security evaluation associated with access or attempted access by a computing device to a service (Cockerill: par 0004).

Regarding Claim 11;
This claim recites a method that performs the same steps as the system of Claim 1 and has limitations similar to those of Claim 1; it is thus rejected with the same rationale applied against Claim 1.

Regarding Claim 12;
This claim recites a method that performs the same steps as the system of Claim 2 and has limitations similar to those of Claim 2; it is thus rejected with the same rationale applied against Claim 2.

Regarding Claim 13;
This claim recites a method that performs the same steps as the system of Claim 3 and has limitations similar to those of Claim 3; it is thus rejected with the same rationale applied against Claim 3.

Regarding Claim 14;
This claim recites a method that performs the same steps as the system of Claim 4 and has limitations similar to those of Claim 4; it is thus rejected with the same rationale applied against Claim 4.

Regarding Claim 15;
This claim recites a method that performs the same steps as the system of Claim 5 and has limitations similar to those of Claim 5; it is thus rejected with the same rationale applied against Claim 5.

Regarding Claim 17;
This claim recites a method that performs the same steps as the system of Claim 7 and has limitations similar to those of Claim 7; it is thus rejected with the same rationale applied against Claim 7.

Regarding Claim 18;
This claim recites a method that performs the same steps as the system of Claim 8 and has limitations similar to those of Claim 8; it is thus rejected with the same rationale applied against Claim 8.

Regarding Claim 19;
This claim recites a method that performs the same steps as the system of Claim 9 and has limitations similar to those of Claim 9; it is thus rejected with the same rationale applied against Claim 9.

Regarding Claim 20;
This claim recites a non-transitory computer readable storage medium that performs the same steps as the system of Claim 1 and has limitations similar to those of Claim 1; it is thus rejected with the same rationale applied against Claim 1.


Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Hosp et al. (US 20150332276) in view of Cockerill et al. (US 20180359244) and further in view of Caldwell et al. (“Caldwell,” US 20190116172, published on 04/18/2019)
Regarding Claim 6;  
Hosp in combination with Cockerill disclose the server of claim 1, 
Cockerill further discloses wherein the instructions further configure the processor to: after detecting the change in the risk parameter (Cockerill: par 0080; determined by evaluation server in a security evaluation, performed after a user has started receiving a service, that a risk level associated with mobile device exceeds a threshold or is otherwise un-trusted [] identity provider can be notified of the change by evaluation server); 
Hosp in combination with Cockerill disclose all the limitations as recited above, but do not explicitly disclose identify, based on category data associated with the third party server, an alternative third party server; and send, to the remote computing device, a notification, the notification suggesting replacement of the third party server with the alternative third party server.
However, in an analogous art, Caldwell discloses an aggregation platform filter system/method that includes:
(Caldwell: par 0026; operational data may be identified and illustrated herein within modules; par 0064; a filter module may provide a user with fine grained controls over access to data downloaded and/or stored by an aggregation module. For example, a filter module may allow a user to individually grant, revoke, and/or adjust access permissions for data from different third-party service providers to other third-party service providers, for different data elements from certain third-party service providers); and send, to the remote computing device, a notification, the notification suggesting replacement of the third party server with the alternative third party server (Caldwell: par 0127; the route module may access a server of a third-party service provider from a different, available hardware device of the user and/or account, may provide one or more notifications or other alerts on a different, available hardware device, or the like).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Caldwell with the method/system of Hosp and Cockerill to include identify, based on category data associated with the third party server, an alternative third party server; and send, to the remote computing device, a notification, the notification suggesting replacement of the third party server with the alternative third party server. One would have been motivated to share, with multiple third-party service providers, the same data downloaded by a hardware computing device from a same third-party service provider with similar electronic credentials using a same session identity (Caldwell: abstract).



Regarding Claim 16;
This claim recites a method that performs the same steps as the system of Claim 6 and has limitations similar to those of Claim 6; it is thus rejected with the same rationale applied against Claim 6.


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644.  The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-




/C.W./Examiner, Art Unit 2439 



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439