Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Remarks
2.	The Examiner will like to thank Tim Wyckoff for considering the Examiner’s proposed amendments.

Response to Arguments
3.	Applicant’s arguments filed on 03/09/2021, with respect to the 35 U.S.C 103 rejection of claims 1-4, 6-13, 21, and 22 stand rejected as allegedly being unpatentable over Shankar in view of Boliek, Arulambalam, and Robinson have been fully considered.  However, upon further consideration, a new ground(s) of rejection is made in view of amended claims.

4.	Applicant’s arguments filed on 03/09/2021, with respect to the 35 U.S.C 101 rejection of claims 1-7 have been fully considered and are persuasive.  The 101 rejection of claims 1-7 has been withdrawn.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have 

5.	Claims 1 -4, 6-13, 21 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 8,601,263 hereinafter Shankar in view of U.S. Publication No. 20120159518 hereinafter Boliek, and further in view of U.S. Publication No. 20070058814 hereinafter Hayton.

As per claim 1, Shankar discloses:
A system (Fig. 1, la), comprising: one or more processors (Col. 23 Lines 1-5); and
comprising a first data storage service comprising a first web service interface, the first web service interface operating as a proxy to the first data storage service (Col. 4 Lines 1-7 “In some implementations, a hosted storage service 120 can provide access to stored data by applications running on computing devices geographically separate from each other, provide offsite data backup and restore functionality, provide data storage to a computing device with limited storage capabilities, and/or provide storage functionality not implemented on a computing device.” Col. 4 Lines 40-43 “The hosted storage service 120 can be implemented such that client applications such as a client application 103 can store, retrieve, or otherwise manipulate data resources in the hosted storage service 120.”)
by at least:
obtaining, in connection with a first request from one or more computing devices, the request submitted to the first web service interface to store data, the (Fig. 2, Col. 11 Lines 54-63 “A request is received by the interface frontend 106 from the client application 103 to store a resource (202). The request can include a HTTP PUT or POST request, an authentication credential that authenticates the principal (entity) making the request, a data resource, and a target for the resource consisting of a bucket and data resource name. In some examples, the authentication credentials can include an interoperable authentication header, token, or cookie. The interface frontend can make a RPC to the backend 108 including the request headers.””); analyzing the data to make a determination whether the data satisfies one or more criteria of a data loss prevention policy (Fig. 2, Col. 11 Lines 64-65 “The interface backend 108 can examine and validate the authentication credentials (204).” Col. 12 Lines 4-6 “The interface backend 108 can query the request's target bucket's ACL 118 to determine if the authenticated principal is permitted to create a resource in the bucket (206).”);
processing the first request in accordance with the determination by at least, the determination indicating that the data satisfies the at least one criterion (Col. 11 Lines 55-63 “The request can include a HTTP PUT or POST request, an authentication credential that authenticates the principal (entity) making the request, a data resource, and a target for the resource consisting of a bucket and data resource name. In some examples, the authentication credentials can include an interoperable authentication header, token, or cookie. The interface frontend can make a RPC to the backend 108 including the request headers.” Col. 12 Lines 6-11 “For example, the principal or a group the principal 
using a key maintained inaccessible to a second data storage service to encrypt the data to produce encrypted data, key used in a device that is inaccessible to the second data storage service the second data storage service: including a second web service interface that receives web service requests transmitted to the second data storage service (Fig. la, Col. 4 Lines 62-67 “An interface frontend 106 can receive messages from the client 102 and parse the request into a format usable by the hosted storage service 120, such as a remote procedure call (RPC) to an interface backend 108. The interface frontend 106 writes responses generated by the hosted storage service 120 for transmission to the client 102.” Col. 6 Lines 25-39 “The interface backend 108 can expose an interface usable by both the interface frontend 106 and other systems. In some examples, some features of the interface backend 108 are accessible only by an interface frontend (not shown) used by the owners of the hosted storage service 120 (internal users). Such features can include those needed for administrative tasks (e.g., resolving a resource reference to a low level disk address.) The interface backend 108 can handle request authentication (e.g., ensuring a user's credentials are valid) and authorization (e.g., verifying that a requested operation is permitted.) The interface backend can also provide encryption and decryption services to prevent unauthorized access to data, even by internal users.” Col. 10 Lines 28-39 “The scheme 150 provides for a system of cryptographic keys that are secret and inaccessible to the hosted storage service 120, which stores the wrapped keys. Wrapped keys are encrypted and thus unusable in their base state. Wrapped keys are useful for granular access control.” The client application (first web service) gets in contact with the interface frontend (second web service) which formats the requests for the interface backend (third web service) that gets in contact with a keystore that stores encryption keys that are inaccessible by the interface frontend. Col. 12 Lines 41-50 “The interface backend 108 generates a new resource key request to the keystore 109 for a wrapped key for the newly-uploaded resource (212). The keystore 109 generates and encrypts a wrapped key (214) and can provide the wrapped key to the interface backend 108. The wrapped key can include the resource encryption key, resource identifier, and user identifier in the request from the interface backend 108.”) and 
operating to process, using a plurality of data storage devices, the web service requests transmitted to the second web service interface (Col. 4 Lines 43-49 “The hosted storage service 120 can be implemented by one or more server devices, which can be implemented using a computing device, such as the computing device 800 or mobile device 850 described with respect to FIG. 8. For example, the hosted storage service 120 can be implemented by multiple server devices operating in the same, or different, data centers.” Col. 4 Lines 53-55 “In general, the interface frontend 106 may receive requests from and send responses to the client device 102. For instance, the hosted storage 
and transmitting the data to the second data storage service (Col. 12 Lines 12-14 “Otherwise, the interface backend 108 uploads the resource to the target bucket with the target data resource name to a datastore 112 (208).” Col. 12 Lines 23-35 “The interface backend 108 can encrypt the resource using a resource encryption key. In some examples, the interface backend 108 can perform this encryption before or after uploading the resource
to the target bucket.)

Shankar does not disclose:
at least in part, a data object comprising the data encrypted by the key and an encrypted version of the key
transmitting an encrypted data to the first data storage service by submitting a second request to the first web service interface

Boliek discloses:
transmitting the encrypted data to the first data storage service by submitting a second request to the first web service interface (para 0016 “Multiple embodiments are described herein that involve executables or other program code, which when executed, acquire data directly
from user actions such as from the action of requesting a file transfer, from
executable programs such as a multimedia player or game, and from analytical programs running in the background or in parallel to other programs.” Para 0040 “Referring to FIG. 3, the process includes performing the data collection function after determining whether a trigger has occurred. The data collection functions may be triggered by many different types of events including, but not limited to, one or more of the following: connection with a host 310, launch of an executable on the PMD 311, access to the content or data 312, transfer of content or data to and from the PMD 313, a timing function that periodically launches the data collection 314, a specific call from an executable 315 (e.g., the multimedia player might trigger the data collection when a movie is paused), and other triggers 316.” Para 0042 “Once the trigger is activated, the data collection software collects data according to the rules described in the data collection rules 320. Once the data is collected, it is encrypted 321 in a manner well-known in the art using encryption software stored on (or alternatively off, e.g., on a host device) the PMD 323. If, according to the data collection rules, the data is ready for transfer 324, then the file is put in the transfer queue 325.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the method of storing encrypted resource on a hosted storage application of Shankar to include transmitting the encrypted data to the first data storage service by 
The motivation would have been to proper trigger the transfer of encrypted content.

Shankar in view of Boliek does not disclose:
at least in part, a data object comprising the data encrypted by the key and an encrypted version of the key

Hayton discloses:
at least in part, a data object comprising the data encrypted by the key and an encrypted version of the key (Fig. 3, para 0121 “At step 310, a message may be transmitted to access a particular data file, such as a request by a process to access a file (e.g., process 21). In some arrangements, the process may be an untrusted process. At step 314, the message may be intercepted, such as by a security agent in communication with the process (e.g., security agent 22). At step 318, the data file identified by the message may be encrypted by the security agent using an encryption key. At step 320, the encryption key may be encrypted (e.g., by the security agent) with a shared key, resulting in an encrypted encryption key. In some arrangements, encrypting the encryption key may allow for control (e.g., by a centralized service or bilaterally between two security agents) over whether another security agent is permitted to decrypt the encryption key. In some variations, the shared key may be maintained by a centralized service. At step 324, the encrypted file and/or the encrypted first encryption key may be provided to a location accessible to the process (or otherwise transmitted to the process.” Though no a storage request, the request requirements a location i.e. storage to access the content, which further requires encrypted data and encrypt key which encrypted key is sent to the process. On paragraph 0098 discloses the process can be a program.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the method of storing encrypted resource on a hosted storage application of Shankar in view of Boliek to include at least in part, a data object comprising the data encrypted by the key and an encrypted version of the key, as taught by Hayton.
The motivation would have been to properly protect access to content by selected encrypted key.

As per claim 2, Shankar in view of Boliek and Hayton discloses:
The system of claim 1, wherein processing the first request in accordance with the determination further includes, as a result of the determination indicating that the one or more criteria of the data loss prevention policy are unsatisfied by the data (Shankar Col. 12 Lines 6-11),
submitting a third request to web service interface that causes the data to be persistently stored by the first data storage service such that the data 

As per claim 3, Shankar in view of Boliek and Hayton discloses:
The system of claim 1, wherein the data loss prevention policy is configurable via the first web service interface (Boliek para 0056 and 0059).

As per claim 4, Shankar in view of Boliek and Hayton discloses:
The system of claim 1, the first web service interface has at least one public Internet protocol address (Shankar Col. 6 Lines 2-16 and Col. 6 Lines 28-34).

As per claim 6, Shankar in view of Boliek and Hayton discloses:
The system of claim 5, wherein the cryptography service utilizes a hardware security module that manages cryptographic keys on behalf of a customer (Arulambalam Figs. 5 and 6, Col. 8 Line 63 - Col. 9 Line 5).

As per claim 7, Shankar in view of Boliek and Hayton discloses:
The system of claim 1, wherein the second data storage service further operates to: obtain, at the second web service interface, a third request to retrieve the data; and process the third request by at least: obtaining the encrypted data from the first data storage service by submitting a fourth request to the first web service interface; using the key to decrypt the encrypted 

As per claim 8, the implementation of the system of claim 1 will execute the computer-implemented method of claim 8 (unencrypted and plaintext are the same) including encrypting the key, used to produce the encrypted data, to generate an encrypted key, the key encrypted using another key provided at least in part to cause producing the encrypted data (Hayton para 0121). The claim is analyzed with respect to claim 8.

As per claim 9, Shankar in view of Boliek and Hayton discloses:
The computer-implemented method of claim 8, wherein obtaining the data includes receiving the storage request at a web service interface that operates as a proxy to the first service (Shankar Col. 4 Lines 1 -7 and Col. 4 Lines 40-43).

As per claim 10, Shankar in view of Boliek and Hayton discloses:
The computer-implemented method of claim 8, wherein the second service includes a web service interface that receives web service requests transmitted to the second service (Shankar Fig. la, Col. 4 Lines 62-67 “An interface frontend 106 can receive messages from the client 102 and parse the request into a format usable by the hosted storage service 120, such as a remote procedure call (RPC) to an interface backend 108. The interface frontend 106 writes responses generated by the hosted storage service 120 for transmission to the client 102.” Col. 6 Lines 25-39 “The interface backend 108 can expose an interface usable by both the interface frontend 106 and other systems. In some examples, some features of the interface The interface backend can also provide encryption and decryption services to prevent unauthorized access to data, even by internal users.” Col. 10 Lines 28-39 “The scheme 150 provides for a system of cryptographic keys that are secret and inaccessible to the hosted storage service 120, which stores the wrapped keys. Wrapped keys are encrypted and thus unusable in their base state. Wrapped keys are useful for granular access control.” The client application (first web service) gets in contact with the interface frontend (second web service) which formats the requests for the interface backend (third web service) that gets in contact with a keystore that stores encryption keys that are inaccessible by the interface frontend. Col. 12 Lines 41-50 “The interface backend 108 generates a new resource key request to the keystore 109 for a wrapped key for the newly-uploaded resource (212). The Kev store 109 generates and encrypts a wrapped key (214) and can provide the wrapped key to the interface backend 108. The wrapped key can include the resource encryption key, resource identifier, and user identifier in the request from the interface backend 108”).

As per claim 11, Shankar in view of Boliek and Hayton discloses:
The computer-implemented method of claim 9, wherein a zone in which the first service operates is associated with the data loss prevention policy (Shankar Col. 2 Lines 47-50 “The group of users can be managed by a provider of the hosted storage service for reasons other than storage permissions and existed prior to the storage of the encrypted resource at the hosted storage service.” Fig. la, Col. 4 Lines 62-67 “An interface frontend 106 can receive messages from the client 102 and parse the request into a format usable by the hosted storage service 120, such as a remote procedure call (RPC) to an interface backend 108. The interface frontend 106 writes responses generated by the hosted storage service 120 for transmission to the client 102. In some implementations, multiple interface frontends 106 are implemented, for example to support multiple access protocols.” Col. 5 Lines 3-10 “The interface frontend 106 can include a graphical front end, for example to display on a web browser for data access. T3he interface frontend 106 can include a sub-system to enable managed uploads and downloads of large files (e.g., for functionality such as pause, resume, and recover from time-out). The interface frontend 106 can monitor load information and update logs, for example to track and protect against denial of service (DOS) attacks.”) and (Boliek para 0034 “Data collection software 280 operates according to a set of rules that specify what data to collect and when to collect that data. Data collection rules 282 are shown as separate in memory; however, in one embodiment, these rules are incorporated directly into data collection software 280 or other executable programs.”)

As per claim 12, Shankar in view of Boliek and Hayton discloses:
The computer-implemented method of claim 7, wherein providing the encrypted data to the second service includes transmitting the encrypted data to the second service by submitting a second request to a web service interface
(Boliek para 0016, 0040 and 0042).

As per claim 13, Shankar in view of Boliek and Hayton discloses:
The computer-implemented method of claim 7 further comprising obtaining a request to retrieve the data from the second service (Shankar Col.
13 Lines 19-27, 35-42, and 48-56 and Col. 16 Lines 55-67).

As per claim 21, Shankar in view of Boliek and Hayton discloses:
The system of claim 1, wherein analyzing the data identifies the data has a data type and to make a determination whether the data, based on the data
type, satisfies the one or more criteria of the data loss prevention policy (Hayton para 0121).

As per claim 22, Shankar in view of Boliek and Hayton discloses:
The computer-implemented method of claim 8, wherein the key is selected at least based on a requirement of the data loss prevention policy (Hayton para 0121).

5 is rejected under 35 U.S.C. 103 as being unpatentable over Shankar in view of Boliek, and further in view of Hayton, and further in view of U.S. Publication No. 20120173664 hereinafter Kammerer.

As per claim 5, Shankar in view of Boliek and Hayton discloses:
The system of claim 1, further comprising a cryptography service that maintains the key (Shankar Col. 6 Lines 25-39 and Col. 10 Lines 28-39 “The interface backend 108 can expose an interface usable by both the interface frontend 106 and other systems. In some examples, some features of the interface backend 108 are accessible only by an interface frontend (not shown) used by the owners of the hosted storage service 120 (internal users). Such features can include those needed for administrative tasks (e.g., resolving a resource reference to a low level disk address.) The interface backend 108 can
handle request authentication (e.g., ensuring a user's credentials are valid) and authorization (e.g., verifying that a requested operation is permitted.) The interface backend can also provide encryption and decryption services to prevent unauthorized access to data, even by internal users.”)

Shankar in view of Boliek and Hayton does not disclose:


Kammerer discloses:
maintains the key in a political jurisdiction outside of another legal jurisdiction in which the first data storage service is located (para 0014 “Depending on the transaction type the one or more keys which are required to decrypt data related to the transactions may be required to be maintained or stored at a particular control node, i.e. at the first control node or the second control node, but may be required not to be accessed by any other control node.” Para 0016, 0017 and 0019 “In other embodiments, the first user node, in particular a geographical location of the first user node and/or a jurisdiction or political country of the first user node may influence the selection performed by the intermediary node to transmit the anonymous user request selectively to the first control node or to the second control node.” Para 0090 “Referring to FIG. 3, one group of users (309) may accept that app SCx is centrally enabled by Cx, while another group (311) may not accept this. If e.g. Cl was located in the European Union, EU users may accept this, while non-EU users may not consider this acceptable. In particular in cases where the clearing facility stores keys or other transactional information (example: SWIFT), jurisdiction and therefore access may become critical.”)

The motivation would have been to manage access to keys stored in a particular political jurisdiction outside of another legal jurisdiction in which the first data storage service is located.

	Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192.  The examiner can normally be reached on Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/GARY S GRACIA/Primary Examiner, Art Unit 2491