DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-24 are presented for examination.
EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Jason W. Croft (Reg. No. 65,195) on January 4th, 2022.
The application has been amended as follows:
9.  (Currently Amended)  A non-transitory computer readable storage medium embodying instructions that, when executed by a machine, cause the machine to perform operations comprising:
providing a first party data in a first account in a network-based data system;
providing a second party data in a second account in the network-based data system;
executing a secure function using the first party data to generate a first result, including creating links to the first party data and anonymizing identification information in the first party data;

generating dummy matching information in the second result for an instance of no match; and
generating a cross reference table with the first and second results, the cross reference table providing anonymized matches of the first and second results the cross reference table being accessible via the network-based data system for performing analysis of overlapping first party and second party data.
10. The non-transitory computer readable storage medium of claim 9, further comprising: restricting the second account from accessing a code of the secure function.
11. The non-transitory computer readable storage medium of claim 10, further comprising: restricting the second account from logs related to execution of a first portion of the secure function.
12. The non-transitory computer readable storage medium of claim 9, further comprising: generating a summary report of the anonymized matches.
13. The non-transitory computer readable storage medium of claim 12, further comprising: restricting access to the number of anonymized matches when the number of anonymized matches is below a minimum threshold.
14. The non-transitory computer readable storage medium of claim 9, wherein providing the first party data includes:

setting access restrictions for the data from the load file based on control information.
15. The non-transitory computer readable storage medium of claim 9, further comprising:
receiving a query request;
based at least on the first party data and the cross reference table, executing a first portion of the query request;
generating an interim table based on executing the first portion of the query request;
generating a secure query request, including instructions related to executing a second portion of the query request; and
sharing the secure query request and the interim table with the second account.
16. The non-transitory computer readable storage medium of claim 15, further comprising:
at the second account, executing the secure query request and joining results of the secure query requests with information from the interim table to generate final results of the query request.
Information Disclosure Statement
The information disclosure statement (IDS) filed on 07/28/2021 has been considered by the Examiner and made of record in the application file.
Prior Art Made of Record
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Fisse et al. discloses a system that has an anonymized profile identifier datastore (124-1) that stores an anonymized profile identifier, a provider's profile identifier and a profile consumer's profile identifier. A permissions profile datastore (124-2) stores permissions profile information for an identified user. A permitted use gatekeeper application (126-1) is operatively coupled to a provider system and a privacy services application (122). A server device executes the privacy services application, which receives a profile search response that includes a search result list of users from the permitted use gatekeeper application.
Roullier et al. teaches partner encoding of anonymous links to protect consumer privacy.  Specifically, the method involves constructing an anonymous link for each received consumer record associated with match partner servers and reading a partner-specific encryption key associating with match partner servers. The anonymous link for each consumer record is encrypted using the partner-specific encryption key and concatenated with a partner ID to produce partner-encoded link (50). The partner-encoded link is stored with each record from the match partner server associated with the partner ID of partner-encoded link in a partitioned safe area associated only with match partner server.
Eibach et al. teaches a system and method for configuration of access rights to sensitive information handled by a sensitive Web-Service. In the case of requested configuration changes initiated by the client system, the Web-Server system provides a configuration data file to the client system, preferably using a SOAP-communication protocol. The changes to the configuration data file are exclusively performed offline at the client side, and the updated configuration data file is signed with authentication information and sent as a part of a SOAP-request to the Web-Server system. The Web-Server system provides a filter component for identifying and discarding non-SOAP requests as well as an access control manager for providing authentication examination for incoming SOAP-requests. After successfully passing these components, the SOAP-request is used for updating the existing configuration data file.
Choudhury et al. teaches anonymizing data for preserving privacy during use for federated machine learning.  Specifically, the prior art discloses a computer-implemented method for training a global federated learning model using an aggregator server includes training multiple local models at respective local nodes. Each local node selects a set of attributes from its training dataset for training its local model. Each local node generates an anonymized training dataset by using a syntactic anonymization method, and by selecting quasi-identifying attributes from training attributes, and generalizing the quasi-identifying attributes using a syntactic algorithm. Further, each local node computes a syntactic mapping based on equivalence classes produced in the anonymized training dataset. The aggregator server computes a union of 
Kwon et al. discloses a device to extract sensitive information included in original content to be shared, to perform anonymization on the sensitive information to create anonymized content corresponding to the original content, to control the communicator to transmit the anonymized content to a second device, to perform, based on a request for the original content being received from the second device through the communicator, authentication in response to the request, and transmit the original content to the second device based on the authentication being completed.
Kukreja et al. teaches a method includes determining to share access to a directory between a first web services account and a second web services account that lacks access to the directory, wherein the directory is managed by a directory service that executes within a first on-demand configurable pool of shared computing resources, and wherein the second web services account is associated with a second on-demand configurable pool of shared computing resources. The method includes generating a virtual directory for the second web services account, wherein the virtual directory comprises one or more virtual resources that are representations of resources on the directory, and wherein the virtual directory further comprises a reference to the directory. The method 
Ortiz et al. discloses a system that comprises a computer readable memory having a protected memory region that is encrypted such that it is inaccessible to both an operating system and kernel system. The protected memory region includes at least a data storage region and a data processing subsystem storage region maintaining the isolated data processing subsystem. A secure enclave data processor is configured to provide a partner data receiver configured to separately receive data sets from multiple corresponding partner computing devices. The partner data receiver is configured to load a portion of the protected memory region into the computer readable cache memory. A data processing subsystem interaction engine is configured to transmit a query data message to the data processing subsystem and to receive an output data structure generated by the data processing subsystem.
Deutschmann et al. teaches two user-authenticated sessions are compared between two different servers or users of two different financial institutions. Based on comparisons of sanitized key press timings, position or motion-related inputs, and other inputs it is determined that the sessions were/are with a same user. When this user is identified as a fraudulent actor or malfeasant with one server or banking institution, this data is shared, without sharing confidential information, with the other server or financial institution so that despite a lack of identifying the user himself/herself, the second server or 
Schwed et al. teaches secure data analysis in multitenant applications. Specifically, the prior art involves anonymizing first tenant data (0721) at a first microservice (0720) by protecting identifying information in the first tenant data. The anonymized first tenant data is sent from the first microservice to a second microservice. The anonymized first tenant data is stored in a second database by the second microservice, where the second database stores data from a set of tenants sent to the second microservice. Anonymized tenant data of the set of tenants stored in the second database is analyzed at the second microservice to generate a result (0729). The result is sent to the first microservice.
Baron teaches a file vault and cloud based document notary service.  Specifically, the prior art teaches a trusted cloud service such as an “electronic vault” may store records of a consumer's electronic data file history. These documents may come from disparate providers and include financial statements and the like. The trusted vault cloud may act as an online notary to certify documents are legitimate and may be trusted. For example, a retailer may dispute whether the consumer paid a debt. To resolve the issue the retailer may access the cloud vault to retrieve a bank statement for the consumer, whereby the bank statement is electronically notarized by the vault cloud and is thus credible to the retailer. The retailer may then see proof the consumer had indeed paid a past debt to the retailer.
Nagel et al. discloses methods and apparatus for the analysis, manipulation, formatting, templating, styling and/or publishing of data collected from a plurality of sources. In one embodiment, a centralized web application is accessed by an administrative user to create and distribute a standardized chart of accounts for normalization, collection, and storage of data from units associated with the multi-unit organization. The stored standardized chart of accounts data is selectively identified, filtered, anonymized, excluded/hidden from view, manipulated and/or other various calculations are performed in order to carry out data analyses and other operations. Such apparatus and methods enable abstraction of useful information from the collected and stored chart of accounts data across a range of units having similar and varying characteristics. Methods and apparatus for generation of a stylized reporting structure for data that is, for example, arbitrary or indeterminate are also disclosed.
Wardman teaches anonymous account security exchange.  Specifically, the prior art teaches an anonymous account security exchange for receiving anonymized user account information for a first user account identified as a security risk from a first organization associated with the first user account, receiving anonymized user account information for a second user account from a second organization associated with the second user account, determining that the anonymized account identifier associated with the first user account matches the anonymized account identifier associated with the second user account, and providing a notification to the second organization indicating that the second user 
Mawdsley et al. teaches a private information storage system.  Specifically, the prior art involves determining a deviation of each data item in data records relative to reference data items in a reference record for a subset of data items in data records, and assigning deviation identifiers to each of determined deviations in data records to anonymize data items in subset of data items in data records. A translation table mapping data items in subset to deviation identifiers is generated. The translation table is stored. The deviation identifiers defining anonymized data items for data records are stored remotely to translation table.
Kratsch teaches a system for collection and longitudinal analysis of anonymous student data.  Specifically, the prior art teaches aggregating and anonymizing student data.  A method includes receiving from an educational institution a set of student data records, each student data record associated with a student and including a unique identifier, and lacking information rendering the record personally identifying of a student. The method further includes, for each student data record, extracting the unique identifier associated with the student data record, and encrypting the unique identifier. The method also includes associating the encrypted unique identifier with the student data record to form an anonymized student data record and storing the anonymized student data record in a database containing aggregated student data.
Brown teaches a network interface for receiving publication-restricted data and non-publication-restricted data. A processor generates multiple correlations useable for predictive models, where no trace of personal identifying information (PII) e.g. name, in the publication-restricted data exists in the correlations. The non-publication-restricted data includes attribute data of multiple persons, where the attribute data comprises demographic attributes of the persons. An encoding/decoding device decodes the publication-restricted data and the non-publication-restricted data.
Blum et al. (filed after the instant specification) teaches a data clean room allowing secure data analysis across multiple accounts, without the use of third parties. Each account may be associated with a different company or party. The data clean room may provide security functions to safeguard sensitive information. For example, the data clean room may restrict access to data in other accounts. The data clean room may also restrict which data may be used in the analysis and may restrict the output. The overlap data may be anonymized to prevent sensitive information from being revealed.
Allowable Subject Matter
Claims 1-24 are allowed.
The following is an examiner’s statement of reasons for allowance:
The claims are considered allowable since, when reading the claims in light of the specification, as per MPEP §2111.01 or Toro Co. v. White Consolidated Industries Inc., 199 F.3d 1295, 1301, 53 USPQ2d 1065, 1069 (Fed. Cir. 1999), none of the references 
When taken in context, the claims as a whole were not uncovered in the prior art; furthermore, the dependent claims 2-8, 10-16 and 18-24 are allowed as they depend upon the allowable independent claims 1, 9 and 17.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusions/Points of Contacts
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JORGE A CASANOVA whose telephone number is (571)270-3563. The examiner can normally be reached M-F: 9 a.m. to 6 p.m. (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Aleksandr Kerzhner can be reached on (571) 270-1760. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is 
/JORGE A CASANOVA/Primary Examiner, Art Unit 2165