DETAILED ACTION

1.	This Office Action is in response to an application filed on Oct. 14, 2020. The original filing includes claims 1-15. Therefore, Claims 1-15 are presented for examination. Now claims 1-15 are pending.

Notice of Pre-AIA  or AIA  Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Drawings
3.	The drawings filed on Oct. 14, 2020 are accepted.

Priority
4.	Acknowledgment is made of domestic priority data as claimed by applicant application is a 371 of PCT/US2018/037458 has been filed 06/14/2018.
 
Oath/Declaration
5.	For the record, the Examiner acknowledges that the Oath/Declaration submitted on Oct. 14, 2020 has been accepted.

Information Disclosure Statement
6.	The information disclosure statements (IDS) submitted on 10/14/2020 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Form PTO-1449 is signed and attached hereto. 

Claim Rejections - 35 USC § 101
7.	35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

8.	Claims 1-15 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. 
Independent claim 1 is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claim is not directed towards an apparatus/a system/a machine claim as it recites "A device comprising: ..." without at least one hardware component in the body of the claim as part of the device, thus claim 1 as a whole is interpreted to be software per se. An attempt to claim a device (i.e. a machine or a system) with no tangible structural component in the body of the claim is not patent eligible. See New Interim Patent Subject Matter Eligibility Examination Instructions 35 USC 101, August 24, 2009 (http://www.uspto.gov/patents/law/comments/2009-08- 25_interim_101_instructions.pdf). Although a computer may be patent eligible if it "is programmed to perform particular functions pursuant to instructions from program software," In 
Claims 2-5 are being rejected since they do not remedy the deficiencies of claim upon which it depends.
Independent claim 6 is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claim is not directed towards an apparatus/a system/a machine claim as it recites "A network component comprising: ..." without at least one hardware component in the body of the claim as part of the component, thus claim 6 as a whole is interpreted to be software per se. An attempt to claim a component (i.e. a machine, device, or a system) with no tangible structural component in the body of the claim is not patent eligible. See New Interim Patent Subject Matter Eligibility Examination Instructions 35 USC 101, August 24, 2009 (http://www.uspto.gov/patents/law/comments/2009-08- 25_interim_101_instructions.pdf). Although a computer may be patent eligible if it "is programmed to perform particular functions pursuant to instructions from program software," In re Alappat, 33 F.3d 1526, 1545 (Fed. Cir. 1994), here, there is no hardware in the body of the claim that executes the claimed limitation.
Claims 7-10 are being rejected since they do not remedy the deficiencies of claim upon which it depends.
Independent claim 11 is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claim is not directed towards an apparatus/a system/a machine claim as it recites "An authorization server comprising: ..." without at least one hardware component in the body of the claim as part of the server, thus claim 11 as a whole is interpreted to be software per se. An attempt to claim a server (i.e. a machine, device, or a system) with no tangible structural  eligible if it "is programmed to perform particular functions pursuant to instructions from program software," In re Alappat, 33 F.3d 1526, 1545 (Fed. Cir. 1994), here, there is no hardware in the body of the claim that executes the claimed limitation.
Claims 12-15 are being rejected since they do not remedy the deficiencies of claim upon which it depends.
Examiner note: Examiner propose to add “hardware” processor in all the independent claims in order to overcome the 101 rejections above. Since applicant’s disclosure does not squarely (the disclosure in defining the interface and processor as “may” be) disclose the structure of the modules (interface, processor, …) led to above 101 rejections. 

Claim Rejections - 35 USC § 102
9.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

10.	Claims 1, 5-9, 11-12, and 14 are rejected under 35 U.S.C. 102 (a) (2) as being anticipated by Srinivasan et al. U.S. 2016/0028737 hereinafter “Srinivasan” Published Jan. 28, 2016.

Regarding claim 1, Srinivasan teaches: A device (Srinivasan, see FIG. 16 items 1602, 1604, and 1606 along with ¶ [0144]), comprising: 
a communications interface to communicate data with a network (Srinivasan, ¶¶ [0049-0050 and 0174]); and
a processor connected to the communications interface (Srinivasan, first see ¶ [0184], then see ¶¶ [0186-0187]), 
the processor to generate an access request and communicate the access request to an authorization service via the communications interface (Srinivasan, first see ¶ [0053], “Client application 308 includes an OAuth client API 310. OAuth client 320 includes an OAuth client engine 322, a resource registry 324, a local application registry 326, and a token registry 328. Resource server 304 and OAuth authorization server 306 interact with each other. Resource server 304 and OAuth client 320 interact with each other”, then see ¶¶ [0054, 0059 and 0186-0187], “enabling client application 308 to interact with a variety of different resource servers. Resource registry can indicate, for example, the different sets of scopes recognized by each different type of resource server. Consequently, client application 308 is able to request access corresponding to a particular scope recognized by resource server 304”),
the access request including a requested scope of access to a resource available on the network (Srinivasan, see ¶ [0054], “Consequently, client application 308 is able to request access corresponding to a particular scope recognized by resource server 304, and this particular scope may be specified in the consent request that OAuth authorization server 306 sends to resource owner 302 on behalf of client application 308”, then see ¶ [0066], “The OAuth authorization server can use this identity domain prefix in order to determine which particular OAuth service profile, from the multiple sets of OAuth service profiles that the server maintains, applies to a particular client application”), 
the processor further to receive an access token from the authorization service (Srinivasan, see ¶¶ [0142-0143], “the OAuth authorization server sends, to the service from which the mobile application previously received the device token, both the device token and a notification that specifies a first encrypted part of the client registration token. The service subsequently can verify the authenticity of the device token and push the notification, including the first encrypted part of the client  
the access token containing a scope expression indicative of a personal data policy of an authorized scope of access to the resource, the processor further to request access to the resource with the access token containing the scope expression indicative of the personal data policy (Srinivasan, see ¶¶ [0142-0143]). 

Regarding claim 5, Srinivasan teaches all the limitations of claim 1, Srinivasan further in previous claims teaches user interface and processor display at user interface. Further Srinivasan teaches: wherein the processor is further to display a representation of the personal data policy at the user interface (Srinivasan, see ¶¶ [0046 and 0118], “if client application 204 requests access to a particular resource ( or a particular scope including that resource) from resource server 210, then resource server 210 may redirect the request to OAuth authorization server 220. OAuth authorization server 220 may invoke user consent orchestration 226 in order to ask resource owner 202 to verify that client application 204 should be granted access to the particular resource ( or particular scope)”; “from a user, permission for the application to access personal information that the website maintains about the user, such as the user's contact list”, see also claim 5 of Srinivasan). 

Regarding claim 6, Srinivasan teaches: A network component (Srinivasan, see ¶ [0039]), comprising: 
a communications interface to communicate data with a network (Srinivasan, ¶¶ [0049-0050 and 0174]); and
a processor connected to the communications interface (Srinivasan, first see ¶ [0184], then see ¶¶ [0186-0187]), 
the processor to enforce personal data policy on request received via the communications interface (Srinivasan, see ¶¶ [0054, 0118 and 0186-0187], “enabling client application 308 to interact with a variety of different resource servers. Resource registry can indicate, for example, the different sets of scopes recognized by each different type of resource server. Consequently, client application 308 is able to request access corresponding to a particular scope recognized by resource server 304”),
the request including an access token generated by an authorization service to provide access by a client application to a resource via the network (Srinivasan, see ¶ [0039], “Inasmuch as certain embodiments may include multiple different or separate resource servers, token scope registry 114 can store mapping between different resource servers and different scopes. Furthermore, in one embodiment of the invention, each scope is mapped to a separate token within token-scope registry 114. Thus, by reference to token-scope registry 114, resource server 122 can determine the set of operations and the set of resources that are mapped to a particular token presented to resource server 122 by client application 104”), 
the processor further to receive an access token from the authorization service (Srinivasan, see ¶ [0049], “When client application 204 makes a request of OAuth authorization server 220, OAuth authorization server 220 makes responsive calls to the APIs related to that request. These calls may involve calls to customer-coded components that generate access tokens and provide those access tokens to client application 204”), 
the access token containing a scope expression indicative of the personal data policy (Srinivasan, see ¶¶ [0039 and 0118], “resource server 122 stores, in token-scope registry 114, indications of the scopes that resource server 122 recognizes. Each such scope can be indicative of a different set of operations … performed relative to a different set of resources stored on resource server 122”; also see claim 1 of Srinivasan). 
Regarding claim 7, Srinivasan teaches all the limitations of claim 6. Further Srinivasan teaches: wherein the processor is to allow or deny the request based on the scope expression indicative of the personal data policy (Srinivasan, see ¶¶ [0046 and 0118], “the scope to which client application 204 is seeking access, and provides resource owner 202 with the opportunity to consent to or decline access of that scope … OAuth authorization server 220 may ask resource owner 220 to verify that client application 204 should be granted access specified by the particular scope (as indicated in resources & scopes registry 224), including the particular resource”). 

Regarding claim 8, Srinivasan teaches all the limitations of claim 7. Further Srinivasan teaches: wherein the processor is to allow or deny the request further based on a region of the request (Srinivasan, first see ¶ [0110], “Sometimes, a tenant might want users defined within its identity domain to be authenticated based on information that is more dynamic that just a static identity and password. For example, a tenant might want its users to be authenticated based on current geographical locations from which those users are seeking access, or the Internet Protocol (IP) address from which those users are seeking access, or the time of day at which those users are seeking access. The use of such dynamic information in order to perform authentication is the basis of adaptive access”, then see ¶¶ [0046 and 0118]). 

Regarding claim 9, Srinivasan teaches all the limitations of claim 1. Further Srinivasan teaches: wherein the processor executes a policy rule to evaluate the personal data policy (Srinivasan, first see ¶ [0081], “The policy engine can then select, from the set of policies determined to be pertinent to the authorization token request, policies that are applicable to the service specified in the authorization token request. These selected policies can specify various scopes of access relative to 

Regarding claim 11, Srinivasan teaches: An authorization server (Srinivasan, see ¶ [0043]), comprising: 
a communications interface to communicate data with a network (Srinivasan, ¶¶ [0049-0057, 0144, and 0174]); and
a processor connected to the communications interface (Srinivasan, first see ¶ [0184], then see ¶¶ [0186-0187]), 
the processor to generate an access token in response to a request received from a client application via the network (Srinivasan, see ¶ [0039], “resource server 122 stores, in token-scope registry 114, indications of the scopes that resource server 122 recognizes …”), 
the request including a requested scope of access by the client application to a resource available on the network (Srinivasan, see ¶¶ [0039 and 0054], “Consequently, client application 308 is able to request access corresponding to a particular scope recognized by resource server 304, and this particular scope may be specified in the consent request that OAuth authorization server 306 sends to resource owner 302 on behalf of client application 308”), 
the processor further to generate the access token to contain a scope expression indicative of a personal data policy of an authorized scope of access to the resource, the processor further to communicate the access token to the client application via the network (Srinivasan, see ¶¶ [0039], “Resource server 122 can limit the operations performed by client application 104 relative to resources maintained by resource server 122 to those operations specifically indicated by the set of operations mapped to the particular token”).

Regarding claim 12, Srinivasan teaches all the limitations of claim 11. Further Srinivasan teaches: wherein the scope expression augments a scope with a policy string indicative of the personal data policy (Srinivasan, first see¶ [0078], “In response to locating, in the domain service profile for the identity domain to which a particular client belongs, a particular client-to service binding that specifies both the client ( or user thereof) and the service specified within an authorization token request, cloud-wide OAuth authorization server 502 determines the service callback URL for the particular resource server that provides that service. Cloud-wide OAuth authorization server 502 then forwards the authorization token request over Internet 514 to the resource server having that service callback UR”, then see ¶ [0081 and 0118], “The policy engine can then select, from the set of policies determined to be pertinent to the authorization token request, policies that are applicable to the service specified in the authorization token request. These selected policies can specify various scopes of access relative to various client or user attributes. The policy engine can evaluate the selected policies relative to the attributes that are associated with the identity read from the user identity store”). 

Regarding claim 14, Srinivasan teaches all the limitations of claim 12. Further Srinivasan teaches: wherein the processor is to insert the policy string into the scope expression of the access token (Srinivasan, see ¶¶ [0046 and 0118], “OAuth authorization server 220 to grant an access token to client application 204. For example, if client application 204 requests access to a particular resource (or a particular scope including that resource) from resource server 210, then resource server 210 may redirect the request to OAuth authorization server 220. OAuth authorization server 220 may invoke user consent orchestration 226 in order to ask resource owner 202 to verify that client application 204 should be granted access to the particular resource (or particular scope). In an embodiment, user consent orchestration 226 indicates, to resource owner 202, the scope to which client application 204 is seeking access, and provides resource owner 202 with the opportunity to consent to or decline access of that scope”; “an application that is integrated with a website, such as a social media . 

Claim Rejections - 35 USC § 103
11.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
12.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


13.	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
14.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as .

15.	Claims 2-3, 10, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan et al. U.S. 2016/0028737 hereinafter “Srinivasan” Published Jan. 28, 2016 in view of Mathew et al. US 7,685,206 hereinafter “Mathew” Patented Mar. 23, 2010. 

Regarding claim 2, Srinivasan teaches all the limitations of claim 1. Srinivasan does not explicitly teaches: wherein the scope expression augments a scope with a policy string that is selected from a set of predefined policy strings indicative of different personal data policies 
However Mathew teaches: wherein the scope expression augments a scope with a policy string that is selected from a set of predefined policy strings indicative of different personal data policies 
(Mathew, see col. 23 lines 38-58, “GrantRole binds a role, specified by scope name and governed by a specified policy, to a source scope for the specified target scope … The caller possesses ClaimEnumRoles on the source scope and the resulting BindingListXML is filtered to only include those involving resources for which the caller possesses ClaimEnumBindings. EnumSourcesByRole returns an XML document containing the list of Source Scopes assigned the specified role. The caller owns ClaimEnumRoles on the target scope”).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Srinivasan with the teaching of Mathew because the use of Mathew’s idea (Mathew, abstract) could provide Srinivasan (Srinivasan, abstract) the ability to perform binding expression scope via different personal data, “the source scope and the resulting BindingListXML is filtered to only include 

Regarding claim 3, the combination of Srinivasan and Mathew teach all the limitations of claim 2. Further Srinivasan teaches: wherein the different personal data policies include two or more of personal identifiable information, personal credit information, personal health information, and personal financial information (Srinivasan, see ¶ [0081], “a particular policy engine has access to the user identity store of each tenant that subscribes to a service that is provided by the resource server that executes that particular policy engine. Thus, the policy engine can obtain, from the user identity store, the attributes of the client or user specified in the authorization token request … These selected policies can specify various scopes of access relative to various client or user attributes. The policy engine can evaluate the selected policies relative to the attributes that are associated with the identity read from the user identity store”; then see ¶ [0118-0119]).

Regarding claim 10, this claim defines an apparatus claim that corresponds to device claim 2 and does not define beyond limitations of claim 2. Therefore, claim 10 is rejected with the same rational as in the rejection of claim 2. 

Regarding claim 13, this claim defines an apparatus claim that corresponds to device claim 2 and does not define beyond limitations of claim 2. Therefore, claim 13 is rejected with the same rational as in the rejection of claim 2. 
16.	Claims 4 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan et al. U.S. 2016/0028737 hereinafter “Srinivasan” Published Jan. 28, 2016 in view of Lorenzo et al. US 2014/0040993 hereinafter “Lorenzo” Published Feb. 6, 2014. 

Regarding claim 4, Srinivasan teaches all the limitations of claim 1. Srinivasan does discloses access token is OAuth authorization throughout the specification, but Srinivasan does not explicitly teaches: wherein the access token is an OAuth 2.0 token
However Mathew teaches: wherein the access token is an OAuth 2.0 token (Lorenzo, see ¶¶ [0012-0017]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Srinivasan with the teaching of Lorenzo because the use of Lorenzo’s idea (Lorenzo, ¶ [0001]) could provide Srinivasan (Srinivasan, abstract) the ability to provide access token that is an OAuth 2.0 token, “the flow starts with the Authorization Request to the Service. In this request, instead of including the Request Token, the consumer identification is sent, as it will be shown in FIG. 2. There are several OAuth 2.0” (Lorenzo, see ¶ [0012).


Regarding claim 15, this claim defines an apparatus claim that corresponds to device claim 4 and does not define beyond limitations of claim . Therefore, claim 15 is rejected with the same rational as in the rejection of claim 4. 
 
Examiner note:
17.	In the case of amending the Claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention. This will assist in expediting compact prosecution.  MPEP 714.02 recites: “Applicant should also specifically point out the support for any amendments made to the disclosure. See MPEP § Amendments not pointing to specific support in the disclosure may be deemed as not complying with provisions of 37 C.F.R.  1.131(b), (c), (d), and (h) and therefore held not fully responsive. Generic statements such as “Applicants believe no new matter has been introduced” may be deemed insufficient.

Conclusion
17.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Cigdem Sengul 2017 IEEE Conference on Innovations in Clouds, Internet and Networks (ICIN), “Privacy, Consent and Authorization in IoT” disclose the privacy policies are at the heart of the authorization process. These policies need to be easy to set but expressive enough to represent the context of permissions and consent.  Solutions that manage consent need to interface with authorization systems to enable dynamic authorization in IoT systems, providing with sufficient granularity of access to personal data.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHALIL NAGHDALI whose telephone number is (571) 272-9884. The examiner can normally be reached on M-F 8AM-5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, KRISTINE L KINCAID can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications 
/KHALIL NAGHDALI/Primary Examiner, Art Unit 2437