Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .



DETAILED ACTION
This action is in response to the communication filed on 02/14/2020.
Claims 1-20 are under examination.
The Information Disclosure Statements filed on 02/14/2020 has been entered and considered.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 7-8, 10-14, 17-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Canning et al. (US 2014/0157351 A1) and Dotan-Cohen et al. (US 2019/0171845 A1).
Regarding claim 1, Canning et al. discloses A server [par. 0038, “a policy enforcement point (PEP) 406… and the PEP is implemented as a TSPM plug-in to application server, such as IBM WebSphere.RTM. Application Server”] comprising: a communications module; a processor coupled to the communications module; and a memory coupled to the processor, the memory storing processor-executable instructions which, when executed, configure the processor to: receive, via the communications module and from a monitoring application installed on a remote computing device, on-device application data [par. 0046, “The security policy enforcement agent 504 is a software program (e.g., Java-based code) that executes in a user mobile device 510 operating environment”, par. 0049, “the security policy enforcement agent 504 is responsible for notifying the user that one or more additional security constraint(s) are (or may then be) required”, par. 0052, “the authorization server 502 may contact the security policy enforcement agent 504 on the device 510 to make sure that the security policy associated with the authorization scope bound to the authorization token and current application being used is still enforced”, par. 0055, “The approach described above allows the user to modify the risk profile of the device easily but ensures that the actual risk profile that is evaluated (by the PEP) is fine-grained in that it takes in consideration the applications installed on the device, the services they are accessing, and the operations the user has granted authorization to perform”]; generate a risk profile for a user based at least on the on-device application data [par. 0044, “a technique to enforce mobile device security policy is based on a "risk profile" of the individual device, where the risk profile is fine-grained and based on the types of applications installed on the device, the services they are accessing, and the operation(s) the user granted the device authorization to perform. Thus, the approach takes into account the actual mobile application(s) installed on the device (and those actively in use), the service(s) (typically one or more back-end applications supported in or in association with the enterprise) those mobile applications are accessing, and the scope of operations the user has granted the device authorization to perform. By combining this information to create the risk profile, a suitable security policy, including one that does not unnecessarily degrade device usability, may then be applied”]; 
Canning et al. does not explicitly disclose configure a data sharing configuration option for sharing data associated with the user based on the risk profile for the user; and share the data based on the data sharing configuration option.
However Dotan-Cohen et al. teaches receive, via the communications module and from a monitoring application installed on a remote computing device, on-device application data [par. 0058, “user-data collection component 210 determines static user information and/or dynamic user information by monitoring user data and/or bot data for information that may be used for determining user activity information”]; configure a data sharing configuration option for sharing data associated with the user based on the risk profile for the user; and share the data based on the data sharing configuration option [par. 0004, “Aspects of the present disclosure provide for sharing user information with and between bots in a manner that allows the bots to complete automated tasks on behalf of users in a secure and efficient manner In various embodiments, interfaces are managed over which user information is provided to the bots to facilitate the bots performing automated tasks. The user information is shared using trust levels associated with the bots. This can include using a trust level to determine whether to engage with a bot for performance of an automated task and/or whether to share the user information with the bot. The trust level can also be used to determine the content of user information in order to determine what is shared with the bot”, fig. 3, official notice: it is well known in the art such that risk profile is correspond to the trust level, see par. 0080 of Malliah (US 2020/0106780)].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Dotan-Cohen et al. into the teaching of Canning et al. with the motivation for sharing user information with and between bots in a manner that allows the bots to complete automated tasks on behalf of users in a secure and efficient manner as taught by Dotan-Cohen et al. [Dotan-Cohen et al.: par. 0014].
Regarding claim 2, the rejection of claim 1 is incorporated.
Dotan-Cohen et al. further discloses the data sharing configuration option is for sharing the data with a third-party application not being represented by the on-device application data [par. 0044, “bot 232 can be a third party application hosted on an external computing platform as other components in FIG. 2…”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Dotan-Cohen et al. into the teaching of Canning et al. with the motivation for sharing user information with and between bots in a manner that allows the bots to complete automated tasks on behalf of users in a secure and efficient manner as taught by Dotan-Cohen et al. [Dotan-Cohen et al.: par. 0014].
Regarding claim 3, the rejection of claim 2 is incorporated.
Dotan-Cohen et al. further discloses wherein the processor-executable instructions, when executed, further configure the processor to: share the data with the third-party application based on the data sharing configuration option [par. 0044, “service manager 272 can enforce constraints on sharing user information 278, where the constraints may be provided by bot interface manager 220 in association with the user information and/or user session. It is contemplated that bot 232 does not typically have access to user data from user-data collection component 210, such as in user profile 252. For example, bot 232 can be a third party application hosted on an external computing platform as other components in FIG. 2 without permissions to access storage 250. Thus, user information 278 can include a specific subset of user information captured by user-data collection component 210 for a particular user, and that subset is specifically provided to bot 232 by bot interface manager 220 for performance a particular automated task”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Dotan-Cohen et al. into the teaching of Canning et al. with the motivation for sharing user information with and between bots in a manner that allows the bots to complete automated tasks on behalf of users in a secure and efficient manner as taught by Dotan-Cohen et al. [Dotan-Cohen et al.: par. 0014].
Regarding claim 4, the rejection of claim 1 is incorporated.
Canning et al. further discloses the on-device application data includes at least one of a list of applications installed on the remote computing device and levels of permission granted to the installed applications [par. 0044, “where the risk profile is fine-grained and based on the types of applications installed on the device, the services they are accessing, and the operation(s) the user granted the device authorization to perform. Thus, the approach takes into account the actual mobile application(s) installed on the device (and those actively in use), the service(s) (typically one or more back-end applications supported in or in association with the enterprise) those mobile applications are accessing, and the scope of operations the user has granted the device authorization to perform”].
Regarding claim 7, the rejection of claim 1 is incorporated.
Dotan-Cohen et al. further discloses the data sharing configuration option specifies one or more types of data to be shared [par. 0108, “method 300 includes determining user information to provide to the bot. For example, service information determiner 228 can determine user information of the user to provide to bot 232 for the performing of the automated task. Content of the user information is based on the bots associated trust level (e.g., trust level 264) and service parameters (e.g., determined from service requirements 260, service options 262, service types 266, and/or shared information 268) for completing the automated task”, par. 0109, “the information can be provided via a chat user interface of bot 232, non-conversational interface, a non-user interface, and the like. Further, the information can be provided in a conversational form, a non-conversational form, or a tokenized form, as examples”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Dotan-Cohen et al. into the teaching of Canning et al. with the motivation for sharing user information with and between [Dotan-Cohen et al.: par. 0014].
Regarding claim 8, the rejection of claim 1 is incorporated.
Dotan-Cohen et al. further discloses wherein configuring the data sharing configuration option for sharing data associated with the user based on the risk profile for the user [par. 0017, “the bot interface manager manages interfaces over which user information is provided with bots to facilitate the bots performing automated tasks. The user information can be shared using trust levels associated with the bots”] comprises: sending, via the communications module and to the remote computing device, a recommended data sharing configuration option; receiving, via the communications module and from the remote computing device, confirmation of the recommended data sharing configuration option; and configuring the recommended data sharing configuration option [par. 0089, “bot interface manager 220 could monitor communications from bot 232 and/or the user in the user interface of bot 232 to determine whether to provide at least some user information to bot 232”, par. 0090, “This could include bot interface manager 220 determining bot 232 has requested information from the user (e.g., based on identifying a question, prompt, and/or information request in the user interface). Optionally based on detecting the prompt for information, bot interface manager 220 could present a prompt/option to the user to allow the user to selectably permit or deny bot interface manager 220 from providing the information to bot 232”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Dotan-Cohen et al. into the [Dotan-Cohen et al.: par. 0014].
Regarding claim 10, the rejection of claim 1 is incorporated.
Dotan-Cohen et al. further discloses the data is from a data record associated with the user [par. 0108, “Shared information 268 generally refers to a record or log of information (e.g., user information) that was shared with the bot... In various implementations, shared information can comprise static user information and/or dynamic user information, such as static user information 244 and dynamic user information 246”, pars 0052-0056].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Dotan-Cohen et al. into the teaching of Canning et al. with the motivation for sharing user information with and between bots in a manner that allows the bots to complete automated tasks on behalf of users in a secure and efficient manner as taught by Dotan-Cohen et al. [Dotan-Cohen et al.: par. 0014].
Regarding claim 11, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 12, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 13, it recites limitations similar to claim 3. The reason for the rejection of claim 3 is incorporated herein.
Regarding claim 14, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 17, it recites limitations similar to claim 7. The reason for the rejection of claim 7 is incorporated herein.
Regarding claim 18, it recites limitations similar to claim 8. The reason for the rejection of claim 8 is incorporated herein.
Regarding claim 20, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.

Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Canning et al. (US 2014/0157351 A1) and Dotan-Cohen et al. (US 2019/0171845 A1) as applied to claims 1-4, 7-8, 10-14, 17-18 and 20 above, and further in view of Draper et al. (US 2009/0276257 A1).
Regarding claim 5, the rejection of claim 1 is incorporated.
Canning et al. discloses generating the risk profile comprises obtaining at least a plurality of applications in the list of applications and generating the risk profile from the list.
They do not explicitly disclose generating the risk profile comprises obtaining a score for at least a plurality of applications in the list of applications and generating the risk profile from the scores.
However Draper et al. teaches generating the risk profile comprises obtaining a score for at least a plurality of applications in the list of applications and generating the risk profile from the scores [par. 0092, “where the risk scores for each individual application may be aggregated to determine the overall risk score for the enterprise as a whole”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Draper et al. into the [Draper et al.: abs.].
Regarding claim 15, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.

Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Canning et al. (US 2014/0157351 A1) and Dotan-Cohen et al. (US 2019/0171845 A1) as applied to claims 1-4, 7-8, 10-14, 17-18 and 20 above, and further in view of Hecht (US 2021/0234875 A1).
Regarding claim 6, the rejection of claim 1 is incorporated.
Canning et al. discloses generating the risk profile comprises obtaining at least a plurality of applications in the list of applications and generating the risk profile from the list.
They do not explicitly disclose generating the risk profile comprises obtaining a score for at least a plurality of the levels of permission and generating the risk profile from the scores.
However Hecht teaches generating the risk profile comprises obtaining a score for at least a plurality of the levels of permission and generating the risk profile from the scores [par. 0071, “As an example, certain categories of permissions (e.g., "read") may be accorded relatively low risk scores, while other permissions (e.g., "create" or "delete") may be accorded higher risk scores”, par.0072, “Based on the risk scores for each service and permission, a composite or overall risk score (e.g., "9") may be generated”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Hecht into the teaching of Canning et al. and Dotan-Cohen et al. with the motivation of identifying, at the centralized [Hecht: par. 0031].
Regarding claim 16, it recites limitations similar to claim 6. The reason for the rejection of claim 6 is incorporated herein.
 
Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Canning et al. (US 2014/0157351 A1) and Dotan-Cohen et al. (US 2019/0171845 A1) as applied to claims 1-4, 7-8, 10-14, 17-18 and 20 above, and further in view of Sartor (US 10,498,769 B2).
Regarding claim 9, the rejection of claim 1 is incorporated.
Dotan-Cohen et al. discloses configuring the data sharing configuration option for sharing data associated with the user based on the risk profile for the user.
They do not explicitly disclose configuring a default data sharing configuration option; comparing a risk level of the default data sharing configuration option with the risk profile of the user; and when the risk level of the default data sharing configuration option exceeds the risk profile of the user, sending, via the communications module and to the remote computing device, an indication to the user indicating that the default data sharing configuration option exceeds the risk profile.
However Sartor teaches configuring a default data sharing configuration option; comparing a risk level of the default data sharing configuration option with the risk profile of the user; and when the risk level of the default data sharing configuration option exceeds the risk profile of the user, sending, via the communications module and to the remote computing device, an indication to the user indicating that the default data sharing configuration option [abs, “the interactions comprising use of computing device functionality or personal information; for each difference previously associated with a particular level of privacy risk, retrieving the particular level from a database; for each difference not previously associated with the particular level: generating a respective level of privacy risk associated with particular interactions of the application or website corresponding to the difference; associating the respective level to the difference; and storing in the database the difference and the respective level associated with the difference; generating a current privacy risk score based on each of the particular levels and on each of the respective levels associated with the one or more differences; determining if there was a privacy risk change; and if so, notifying the user”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Sartor into the teaching of Canning et al. and Dotan-Cohen et al. with the motivation such that application activity can be monitored and compared against an associated policy to determine compliance and take default actions, such as obfuscating personal information transmitted by an application. Additionally, policies associated with applications can be monitored to identify changes and users can be alerted of policy changes that may affect the privacy rating of an application as taught by Sartor [Sartor: col. 3, lines 8-15].
 Regarding claim 19, it recites limitations similar to claim 9. The reason for the rejection of claim 9 is incorporated herein.

 
Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 20140082738 A1		DYNAMIC RISK MANAGEMENT
US 20130227683 A1		QUANTIFYING THE RISKS OF APPLICATIONS FOR MOBILE DEVICES
US 20130340086 A1		METHOD AND APPARATUS FOR PROVIDING CONTEXTUAL DATA PRIVACY
US 20200287793 A1		DEVELOPING SECURITY POLICIES FOR DEPLOYMENT TO MOBILE DEVICES
US 10572680 B2		Automated personalized out-of-the-box and ongoing in-application settings
US 8925092 B1		Risk assessment for software applications
US 20130276124 A1		SYSTEMS, METHODS, APPARATUSES AND COMPUTER PROGRAM PRODUCTS FOR PROVIDING MOBILE DEVICE PROTECTION
US 20150269391 A1		PRIVACY UTILITY TRADE OFF TOOL
US 20210258321 A1		Dynamic User Access Control Management
US 20130111592 A1		MOBILE APPLICATION SECURITY AND MANAGEMENT SERVICE

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393.  The examiner can normally be reached on 9 AM to 6 PM.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/JASON CHIANG/Primary Examiner, Art Unit 2431