Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 6/8/2021 has been entered.
Claims 1-3, 5-6 and 8-12 are pending.


Response to Arguments
Applicant’s arguments received on 6/8/2021, are respectfully addressed as follows:
Regarding the 112 a rejection the rejection is withdrawn in response to the amendments.
Regarding the prior art rejection, Applicant argues:
Applicant argues “The Examiner admits that Hartung does not explicitly disclose "exchanging encryption keys between first and second devices of the plurality of devices" but contends that Hartung implicitly discloses this recitation. Hartung, in FIG. 1 shown below with emphasis added, teaches one device D2 sending one, singular, 
 The examiner respectfully disagrees: 
Hartung discloses content is encrypted by a key, the key itself encrypted by a key encryption key, symmetric (i.e. shared) or asymmetric ([0016]); when asymmetric, the recipient sends his public key to the sender as a key encryption key or via a PKI server ([0047]); the recipient verifies the sender’s signature using the the sender ‘s public key ([0073],[0074]), meaning the sender public's key is also provided to the recipient. Hartung also discloses sending the content to a plurality of recipients ([0033]), meaning exchanging public keys between the sender and the plurality of recipients.
Therefore, Hartung implicitly discloses exchanging encryption keys between first and second devices of the plurality of devices.  
The applicant also argues: “In addition, the Examiner contends that Hartung, in paragraph [0068] teaches "encrypting the data to be transmitted and the selected digital rights management features using at least one distinct key."... and that Hartung teaches away from that  limitation.
The examiner respectfully disagrees: The data to be transmitted in Hartung is : the content including usage rights ([0068]), encrypted by a CEK, the CEK encrypted by the recipient’s public key and integrity information (see Fig. 1), sent in a single message ([0069]). Therefore Hartung teaches "encrypting the data to be transmitted and the 
Furthermore, Applicant argues “ the Examiner contends that Hartung, in paragraphs [0033] and [0070], teaches "transmitting the encrypted data and the selected DRM features at the same time to the second device and a third device of the plurality of devices." That limitation has been amended to  “transmitting the encrypted data and the selected DRM features to the second device of the plurality of devices." Hartung teaches a plurality of recipient devices ([0033]) and sending the data to at least  one recipient of the plurality (Fig. 1). 
Moreover, Applicant argues “the Examiner contends that Hartung, in FIG. 1 and in paragraphs [0050], [0051], [0063], [0079], [0081], teaches "decrypting the encrypted data on the second device using the exchanged encryption keys and displaying the data according to the selected DRM features." 
The examiner respectfully disagrees: after the recipient receives the data, which is composed of the content embedding usage rights ([0068]), encrypted by a CEK, the CEK encrypted by the recipient’s public key and integrity information encrypted with the private key of the sender (see Fig. 1), sent in a single message ([0069]), the public key of the sender is used to decrypt the integrity information to reveal the hash and verify the hash, that public key of the sender was exchanged between the sender and the recipient. Therefore the exchange key is used in the decryption of the received data.
More, the Applicant argues “amended claim 1 recites that both the data and the selected DRM features are encrypted together and decrypted together. Hartung does not teach encrypting content and integrity protection information together and decrypting content and integrity protection information together”; however, the claim recites “decrypting the encrypted data on the second device using the exchanged encryption keys and displaying the data according to the selected DRM features”. Hartung also teaches the usage rights are embedded in the content and encrypted and decrypted together.
It is noted that according to the specifications, the exchanged keys are public keys, and in that case, the recipient’s public key which is exchanged is used for the encryption and the private key held by the recipient is used for the decryption, as known in the art. Therefore, the examiner questions the decryption using the “exchanged keys” (sic). Furthermore, the specification teaches using one key for decryption, the key being symmetric (see Original Specs of the application, paragraphs 0025, 0038) or asymmetric ( 055, 092, 095, 096, 0105). 
Applicant also argues “Claim 1 is amended to recite "encrypting the data and the selected ORM features using a distinct key for audit purposes" and "transmitting the encrypted data and the selected DRM features using the distinct key for audit purposes concerning the same to a third device of the plurality of devices when an audit requirement exists." It is respectfully submitted that Hartung in view of Liu, Garcia, and Hotti does not teach these recitations”. 


The new limitations are addressed in the present Office Action.

Objection
Claim 1 and its dependent claims are objected to because of a typographic error i.e “decrypting the encrypted data on the second device using the exchanged encryption keys” (plural). It is believed the correct limitation is “decrypting the encrypted data on the second device using the exchanged encryption key” (singular). The specification teaches using one key for decryption, the key being symmetric (see Original Specs of the application, paragraphs 0026, 0039) or asymmetric ( 056, 093, 096, 097, 0106). Correction is kindly requested.
Invitation
The examiner has invited the Attorney of Record Jerry Joseph to contact her in order to discuss the rejections, in particular what particular embodiment is being claimed, and find a way to move forward.


Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to 

Claims 1-3, 5-6 and 8-12 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. 
Claims 1-3, 5-6 and 8-12 recite “the third device is an auditor device that accesses, decrypts, and displays the received encrypted data using the distinct key for the audit purpose”. 
While the disclose teaches encrypting the data using a distinct key and for audit purposes (see original application [0058], below), the specification does not explicitly teach the decrypting with the distinct key. Using a distinct key for encryption does not inherently mean the key is symmetric.
[0058]... The security messaging application also includes encrypting those messages which meet audit requirements using a distinct key/keys for audit purposes, transmitting the encrypted messages which meet audit requirements to a distinct, non-mobile, repository for viewing by auditors without the limits imposed by the Digital Rights Management Features selected by the sender, and decrypting messages which met audit requirements and were placed in an external repository as needed when such action is initiated by an auditor, administrator or other responsible party. 


Clarification is required.


The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.




Claims 1-3, 5-6 and 8-12 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

The claims  recite “exchanging encryption keys between first and second devices”, ... “encrypting data  ... using at least one distinct key of the second device, the at least one distinct key including at least one of a phone number, ...”, “transmitting the encrypted data ... to the second device”, “decrypting the encrypted data on the second device using the exchanged keys (sic) ...”
Since exchanged keys are used to decrypt the data, and the data is encrypted using a key such as a phone number or IMEI ..., it follows the phone number, IMEI ... are exchanged between the first and second devices according to the claims. 
However, the specification presents an embodiment in which the data is encrypted by phone number for instance, but does not explicitly mention the phone number is exchanged. The specification also presents a second embodiment where public keys are exchanged between the devices, the data encrypted with the recipient 
Therefore, the limitations in the claims are rejected as lacking clarity and being inconsistent with the specifications.
Correction or clarification is kindly requested.

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-3, 5-6, 8-11 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over US. 20070079381 to Hartung et al., hereinafter Hartung  Hartung, in view of NPL titled “An Efficient Key Distribution Method Applying to OMA DRM 2.0 with Device Identifier”, by Liu et al., 2008, IEEE, p. 3-7, hereinafter Liu, in view of US 7139775 to Hotti et al., hereinafter Hotti, and further view of US7380120 to Garcia, hereinafter Garcia.
Regarding claim 1, Hartung discloses a method for securing data to be transmitted between a plurality of devices, the method comprising:selecting digital rights management (DRM) features for the data which is to be transmitted from the first device to the second device ([0051][0067], Fig. 1, step 125: define usage rights for content);encrypting the data to be transmitted and the selected digital rights management features using at least one distinct key ([0068]: encrypt media including rights with CEK)transmitting the encrypted data and the selected DRM features to the second device of the plurality of devices (Fig. 1  content embedding rights ([0068]), encrypted with CEK, plus the CEK encrypted by the recipient public key plus the integrity data encrypted with the sender private key, all sent in a single message ([0069]) is sent to D2 (Fig. 1), a plurality of recipients may be used  [0033]);decrypting the encrypted data on the second device using the exchanged encryption keys ([0079] : decrypt the content with CEK, the CEK provided to recipient encrypted with a key encryption key or public key of the recipient which was exchanged [0050]) and displaying the data according to the selected DRM features ([0081], Fig. 1, step 175, 180: use content as specified in usage rights ([0051],[0063]); encrypting the data and the selected DRM features using a distinct key and transmitting the encrypted data and the selected DRM features using the distinct key concerning the same to a third device of the plurality of devices ([0033][0068]: a plurality of devices can receive the data associated with the rights, encrypted, the public key of ; wherein the third device is an auditor device that accesses, decrypts, and displays the received encrypted data using the distinct key for audit purposes (([0079]-[0081] : the distinct key if the public key of the recipient, used to decrypt the content key to allow decrypting the content).
The difference between the prior art and the claimed invention is that the prior art does not explicitly teach the key exchange between the first and second devices. However, Hartung suggests such key exchange: the content is encrypted by a key, the key itself encrypted by a key encryption key, symmetric (i.e. shared) or asymmetric ([0016]); for asymmetric key encryption key, the recipient sends his public key to the sender as a key encryption key or via a PKI server ([0047]); the sender ‘s public key is also provided to the recipient in order to verify the hash value encrypted with the private key of the sender and received at the recipient, and  ([0073],[0074]), meaning devices exchange their public key. Therefore, Hartung implicitly discloses exchanging encryption keys between first and second devices of the plurality of devices.  Hartung teaches decrypting the encrypted data on the second device using the exchanged encryption keys i.e use recipient public key to decrypt CEK and decrypt content.  
Hartung does not explicitly teach encrypting the data with a distinct key of the second device, the at least one distinct key including at least one of a phone number, IMEI number, MAC address, IP address.
However using a device identifier to encrypt content is well-known, as evidenced by Liu, who, in an analogous art, discloses using a device identifier such as an IMEI which is unique to a device as a symmetric encryption key (under 4.1.). It would have 
The combination of Hartung and Liu does not explicitly teach: encrypting ... for audit purposes ..., transmitting ... for audit purposes ... to a third device when an audit requirement exists.
In an analogous art Hotti  discloses determining whether an audit requirement exists, sends a common audit package encrypted to a plurality of replica databases (Fig. 2, 3, col. 7, lines 38-56); Therefore Hotti teaches sending data to at least one auditor, when an audit requirement exists, wherein the auditor device is able to access the sent data. It would have been obvious to a skilled artisan at the time of the invention to modify the teachings of the prior arts such that the encrypted data in Hartung/Liu is transmitted to an auditor device when an audit requirement exists as taught by Hotti, in order to fulfill the auditing process and verify the data correctness.
Hartung  in view of Liu and Hotti does not teach: wherein the third device is an auditor device that accesses, decrypts, and displays the received encrypted data using the distinct key for audit purposes, without being limited by the selected DRM features.
In an analogous art, Garcia discloses controlling usage of content at a recipient by creating a secure document 208 (Fig. 2A, col. 11, lines 16-50). The secure document access is also governed by access privilege of users (col. 7, lines 44-52) defined at multiple levels in a hierarchy (col. 16, lines 59-67 to col. 17, lines 1-5). A user executive or branch supervisor (user A) can have all the access privileges to any secure without being limited by the selected DRM features”. In an analogous art, Garcia discloses controlling usage of content at a recipient. A document is created encrypted with a file key, access rules that define how the document can be accessed are included in the document header as a part of a security information, the security information including the file key is encrypted by a user key and attached to the encrypted document forming a secured document 208 (Fig. 2A, col. 11, lines 16-50). The secured document access is also governed by access privilege of users (col. 7, lines 44-52) defined at multiple levels in a hierarchy (col. 16, lines 59-67 to col. 17, lines 1-5). A user executive or branch supervisor (user A) can have all the access privileges to any secure documents, a user B has more limited privileges. User A has B’s permissions (Open, Print …) and other privileges including accessing the secured document from more than one location, altering the access privileges for other users (col. 22, lines 34-43, Fig. 5B.1). Therefore, the secure document embedding the access rules (rights) such as the one depicted in Fig. 2A, sent to a group of recipients (col. 12, lines 53-64) including a user with highest privileges (user A) and a user B, would be accessed by B according to the access rules, but would without being limited by the selected DRM features”. Garcia also teaches a server assisted process for accessing a secure document, the user sends the header with the security information to the server, which accesses, verifies the rules pertinent to the user, before forwarding the file key to the user so the user can decrypt and access the document (Fig. 5B.4, col. 26, lines 6-49); therefore a user of the secure document at the server has the capability to access the data without being limited by the selected DRM features.
 It would have been obvious to a skilled artisan at the time of the invention to associate DRM features embedded in a secure content as taught by Hartung/Liu/Hotti, with access privileges governing the use of the DRM and allowing an executive or branch administrator or auditor user capable to access, decrypt, and display the received encrypted data without modifying and without being limited by the DRM features, as taught by Garcia because it would facilitate the monitoring of protected content by specific users and would control data exchange.

Regarding claim 2, the combination of Hartung, Liu, Hotti and Garcia discloses the method of claim 1, wherein the data includes text data, picture data, audio data, video data, SMS data, and MMS data (Hartung, [0049]).

Regarding claim 3, the combination of Hartung, Liu, Hotti and Garcia discloses the method of claim 1, wherein the DRM features comprise data expiration time, limit on number of times data is viewable, limits on data export rights, and limits on data forwarding rights (Hartung, [0052]-[0063]).

Regarding claim 5, the combination of Hartung, Liu, Hotti and Garcia discloses the method of claim 1, wherein the audit requirement occurs when the data transmitted between the first and second devices is subject to regulatory compliance (Hotti, Fig. 2, determining an audit is needed, in order to ensure validity of synchronized  data (col. 5, lines 35-47); the audit package sent to the replicas can also be considered to be subjected to regulatory compliance, as it is encrypted and signed, and must be verified to detect tampering (col. 8, lines 32-49) i.e detect if it is compliant with regard to data integrity).

Regarding claim 6, the combination of Hartung, Liu, Hotti and Garcia discloses the method of claim 4, wherein the third device is a non mobile database (Hartung: [0070],[0083]: right server DS).

Regarding claim 8, the combination of Hartung, Liu, Hotti and Garcia discloses the method of claim 1, wherein the encrypted data is stored within an encrypted database on both the first and second devices (Hartung, Fig. 1, step 115: data 

Regarding claim 9, the combination of Hartung, Liu, Hotti and Garcia discloses the method of claim 1, wherein the exchanged encryption keys between the first and second devices are accessed, maintained, and modified through a key server (Hartung, [0047]: use of a PKI server to facilitate keys exchange).

 Regarding claim 10, the combination of Hartung, Liu, Hotti and Garcia discloses the method of claim 9; in addition, Garcia discloses: wherein the key server can revoke the exchanged keys between the first and second device (col. 23, lines 10-30: expire terminated user key). It would have been obvious to revoke the keys exchanged between users in order to make the data unavailable to a user when there the owner does not want to share the content any longer, thus protecting the content from unapproved access.

Regarding claim 11, the combination of Hartung, Liu, Hotti and Garcia discloses the method of claim 9, wherein the key server can verify whether the first and second device are authorized to communicate with each other (Hartung, [0087]).

Claim 12 is rejected under under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Hartung, Liu, Hotti and Garcia, in view of US 20030105812 to Flowers et al., hereinafter Flowers.
Regarding claim 12, the combination of Hartung, Liu, Hotti and Garcia discloses the method of claim 9, but does not teach: wherein the key server can request status updates from the first and second device to verify whether the devices authorized to communicate with each other.
In an analogous art, Flowers discloses a peer server enabling communications between peer devices over a network ( [0021],[0029]). The peer server maintains information as to which peer devices are on-line at a given time based on the on-line status ( [0024]).  It would have been obvious to a person with ordinary skills in the art at the time of the invention to include in the PKI server of Hartung the functionalities to manage the on-line status of the communicating peers in order to implement the claim. A peer sever enabling communication between peer devices would allow nodes to be aware of the status of other nodes they want to communicate with and would prevent failed communication attempts.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Lee et al “A DRM Framework for Secure Distribution of Mobile Contents”, ICOIN 2004 Information Networking. Networking Technologies for Broadband and Mobile Networks pp 905-914
Cha et al 20080046758 disclose OMA DRM 1.0 where content and rights objects are delivered in a single message,  OMA DRM 2.0 which improves the delivery method using PKI.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138.  The examiner can normally be reached on Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 






/Catherine Thiaw/Primary Examiner, Art Unit 2493                                                                                                                                                                                                        7/2/2021