DETAILED ACTION

This non-final office action is in response to claims 1-40 (Claims 1-20 were canceled by the applicant) filed June 19, 2020 for examination. Claims 21-40 are being examined and pending.
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Preliminary Amendment

Preliminary amendment to the specification and claims, filed June 19, 2020, has been acknowledged.
Information Disclosure Statement

The information disclosure statements filed June 19, 2020 and February 9, 2021 have been placed in the application file and the information referred to therein has been considered as to the merits.
Drawings

The drawings filed on June 19, 2020 have been accepted.
Double Patenting
The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim either is anticipated by, or would have been obvious over, the reference claim. See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the 
The USPTO Internet website contains terminal disclaimer forms, which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 21-40 are rejected on the ground of non-statutory obviousness-type double patenting as being unpatentable over claims 1-20 of US Patent 10,742,414 B1.
The subject matter claimed in the instant application is fully disclosed in the referenced issued US Patent and would be covered by any patent granted on this application (since all the claims recite similar limitations, the examiner shows only independent claim 1 of the instant application and claim 1 of US patent 9,203,823 as an example in the claim comparison table):
Instant Application (S/N# 16,906,653):
a contactless card comprising a communications interface, a processor, and a memory, the memory storing a user token, wherein the user token comprises a user key; a client application comprising instructions for execution on a client device, the client application configured to:
in response to a tap action between the contactless card and the client device, receive the user token from the contactless card, and transmit the user token and a request for a data storage key;
receive, in response to the request, the data storage key, wherein the data storage key is generated from the user key; create a secure memory block in a memory of the client device; and encrypt the secure memory block using the data storage key.

US Patent # 10,742,414 B1:
1. A data access control system, comprising: a server configured for data communication with a client device associated with a user;
a contactless card associated with the user, the contactless card comprising a communications interface, a processor, and a memory, the memory storing an applet and a user token, wherein the user token comprises a user key; a client application comprising instructions for execution on the client device, the client application configured to:
in response to a tap action between the contactless card and the client device, receive the user token from the contactless card, and transmit to the server the user token and a request for a data storage key; receive from the server the data storage key, wherein the data storage key is generated from the user key; create a secure memory block in a memory of the client device; and encrypt the secure memory block using the data storage key;


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.

4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 21, 28-29, 31-33, and 36-39 are rejected under 35 U.S.C. 103 as being unpatentable over US 2015/0188896 A to Slick et al. (“Slick”) in view of US 5,862,220 to Perlman et al. (“Perlman”), US 2002/0122553 A1 to Kao et al. (“Kao”), and US 2017/0242802 to Yang et al. (“Yang”).
Regarding claim 21, Slick taught a data access control system, comprising: 
a contactless card comprising a communications interface, a processor, and a memory, the memory storing a user token, wherein the user token comprises a user key (Para. 0016. A contactless smart card that contains the user-ID information of the user. A smart card such as government CAC, PIV, proximity card etc., has processor and communication interface. Para. 0014); a client application comprising instructions for execution on a client device (Para. 0014. The image-forming device includes a card reader that reads data content recorded on a smart card), the client application configured to:
(Para. 0016. The user may input the user-ID information by holding a contactless smart card over a card reader), and
Slick did not teach, but the analogous art Perlman taught, transmit the user token and a request for a data storage key; receive, in response to the request, the data storage key, wherein the data storage key is generated from the user key (Col. 10, lines 41-60. In processing block 1510, private server 820 receives a request from WebTV server 620 for the encryption key (i.e. data storage key) associated with a particular client identified by a client box number and a client network address. The encryption key generation logic 912 of private server 820 then uses the client box number and client network address (i.e. user token/key) provided by the WebTV server 620 to obtain the encryption key for the identified client (processing block 1514). This client encryption key is retrieved from storage area 912 by private server 820 and transferred to WebTV server 620 in a secure message in processing block 1518.)
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the invention of Slick by including the idea of transmit the user token and a request for a data storage key; receive, in response to the request, the data storage key, wherein the data storage key is generated from the user key, as taught by Perlman, in order to improve the performance and increase the functionality of network transactions (Perlman, Summary of the invention section).
Perlman disclosed that the encryption key generation logic 912 of private server 820 then uses the client box number and client network address (i.e. user token/key) provided by the WebTV server 620 to obtain the encryption key, which is interpreted above as the data storage key is generated from the user key; however, the analogous art Kao explicitly taught the data storage key is generated from the user key (Para. 0019, 0056. A new storage key for the user is generated from the user’s minor key and the new master key).
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the Slick-Perlman combination by including the idea of the data storage key is generated from the user key as taught by Kao, which is efficient across all of the users because a user’s storage key needs to be modified for each user (Kao, Para. 0019).
The Slick-Perlman-Kao combination did not disclose, but the analogous art Yang disclosed, create a secure memory block in a memory of the client device; and encrypt the secure memory block using the data storage key (Para. 0021, Secured and encrypted storage area).
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the combined invention of Slick, Perlman, and Kao by including the idea of creating a secure memory block in a memory of the client device; and encrypt the secure memory block using the data storage key as taught by Yang so the security of data in the encrypted storage area is effectively protected (Yang, Para. 0009).
Claim 39 recites limitations similar to those of claim 21, mutatis mutandis; the subject matter of claim 39 is therefore also considered to be taught by the Slick-Perlman-Kao-Yang combination as above.
Regarding claim 28, Slick further taught the data access control system of claim 21, wherein the client application is further configured to store personal user data in the secure memory block (Para. 0016. The user-ID information is stored in the image-forming device).
Regarding claim 29, Slick further taught the data access control system of claim 28, wherein the personal user data comprises a digital driver's license (Para. 0014. Smart card such as Government CAC, PIV. Driver’s license is a known government ID.).
Regarding claim 31, the Slick-Perlman-Kao-Yang combination further taught the data access control system of claim 21, wherein the user token comprises a user key, and wherein the client application is further configured to: in response to a tap action between the contactless card and the client device, receive the user token from the contactless card (Slick, Para. 0016. Receive user-ID from contactless smart card); verify that a user associated with the user token is authorized to access the secure memory block in the client device (Slick, Para. 0016: user authentication); generate a data access key based on the user key (Kao, Para. 0019, 0056); and decrypt the secure memory block using the data access key (Yang, Para. 0021).
Regarding claim 32, Slick further taught the data access control system of claim 30, wherein the user token further comprises a user identifier (Para. 0014).
Regarding claim 33, Slick taught a method for controlling data access, comprising: providing a contactless card comprising a communications interface, a processor, and a memory, the memory storing a user token, the user token comprising a user key (Para. 0016. A contactless smart card that contains the user-ID information of the user. A smart card such as government CAC, PIV, proximity card etc., has processor and communication interface. Para. 0014); providing a client application comprising instructions for execution on a client device (Para. 0014. The image-forming device includes a card reader that reads data content recorded on a smart card), the client application configured to: in response to a tap action between the contactless card and the client device, receive the user token from the contactless card (Para. 0016. The user may input the user-ID information by holding a contactless smart card over a card reader); identifying the user based on the user token; verifying that the user is authorized to access the secure memory block in the client device (Para. 0016. The image-forming device B may communicate with a server (e.g., an authentication server) to authenticate the user A according to the input user-ID information. If the user A is authenticated, the user A is allowed to access the image-forming device B.)
Slick did not teach, but the analogous art Perlman taught, transmit the user token and a request for a data access key, receiving from the client device the user token and the request for the data access key, transmitting to the client device the data access key, receive the data access key, wherein the data access key is generated based on the user key (Col. 10, lines 41-60. In processing block 1510, private server 820 receives a request from WebTV server 620 for the encryption key (i.e. data storage key) associated with a particular client identified by a client box number and a client network address. The encryption key generation logic 912 of private server 820 then uses the client box number and client network address (i.e. user token/key) provided by the WebTV server 620 to obtain the encryption key for the identified client (processing block 1514). This client encryption key is retrieved from storage area 912 by private server 820 and transferred to WebTV server 620 in a secure message in processing block 1518.)
Perlman disclosed the encryption key generation logic 912 of private server 820 then uses the client box number and client network address (i.e. user token/key) provided by the WebTV server 620 to obtain the encryption key which is interpreted above as the data access key is generated based on the user key, however, the analogous art Kao explicitly taught the data access key is generated based on the user key (Para. 0019, 0056. A new storage key for the user is generated from the user’s minor key and the new master key).
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the Slick-Perlman combination by including the idea of the data access key is generated based on the user key as taught by Kao, which is efficient across all of the users because a user’s storage key needs to be modified for each user (Kao, Para. 0019).
Yang disclosed the client device having an encrypted secure memory block storing personal user data (Para. 0021, Secured and encrypted storage area), and decrypt the secure memory block using the data access key (Para. 0021, decrypting the storage area).
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the combined invention of Slick, Perlman, and Kao by including the idea of the client device having an encrypted secure memory block storing personal user data, and decrypt the secure memory block using the data access key as taught by Yang so the security of data in the encrypted storage area is effectively protected (Yang, Para. 0009).
Regarding claim 36, the Slick-Perlman-Kao-Yang combination further taught the method for controlling data access of claim 33, further comprising providing a server, the server configured to: receive the user token and the request for the data access; identify a user based on the user token; verify that the user is authorized to access the secure memory block in the client device; and transmit to the client device the data access key (Slick, Para. 0016).
Regarding claim 37, Slick further taught the method of claim 36, wherein the server is further configured to authenticate the user based on the user key (Para. 0016).
Regarding claim 38, Slick further taught the method of claim 33, wherein the client application is further configured to receive biometric information prior to decrypting the secure memory block (Slick, Para. 0014. Biometrics authentication).
Allowable Subject Matter
Claims 22, 30, 34-35, and 40 would be allowable if rewritten/filed TD to overcome the rejection(s) under double patenting rejection, set forth in this Office action and to include all of the limitations of the base claim (claims 21, 33, 39) and any intervening claims (claims 28, 30).

The following is a statement of reasons for the indication of allowable subject matter: None of the prior art of record, taken alone or in combination, teaches the following claim limitations if they are incorporated into the base claims along with the intervening claims as a whole.
Claim 22. The data access control system of claim 21, further comprising a server configured for data communication with the client device, wherein the server is configured to: receive from the client device the user token and the request for the data storage key, identify a user based on the user token, verify that the user is authorized to create the secure memory block in the client device, and transmit to the client device the data storage key.
Claim 30. The data access control system of claim 28, wherein the client application is further configured to permit a second application on the client device to access the personal user data.
Claim 34. The method of claim 33, wherein the client application is further configured to re-encrypt the secure memory block upon receipt of a re-encryption instruction.
Claim 35. The method of claim 33, wherein decrypt the secure memory block using the data access key comprises combining the data access key with data received from the contactless card to generate a new key used for performing the decryption.
Claim 40. The non-transitory machine-readable medium of claim 39, wherein the user token comprises a user key, and wherein the application is further configured to, when executed, perform procedures comprising: in response to a tap action between the contactless card and the client device, receiving the user token from the contactless card; verifying that a user associated with the user token is authorized to access the secure memory block in the client device; generating a data access key based on the user key; decrypting the secure memory block using the data access key; and re-encrypting the secure memory block using the data storage key.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAWNCHOY RAHMAN whose telephone number is (571)270-7471. The examiner can normally be reached Monday - Friday 8:30A-5P ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on 5712723787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Shawnchoy Rahman/Primary Examiner, Art Unit 2438