Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1-20 are pending in this application.


Claim Rejections - 35 USC § 112

Claims 1 and 18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Independent claims 1 and 18 recite, in part, “a risk mitigation engine that iteratively targets configured risks within the one or more synthetic datasets and mitigates the targeted risks via modification of the one or more synthetic datasets.”  However, the scope of the iteration is unclear from the claim limitation.  For example, the claim limitation does not disclose what triggers the iteration or what condition(s) stop the iteration.


Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-4 and 7-18 are rejected under 35 U.S.C. 103 as being unpatentable over LaFever et al., US 2015/0128285 (hereinafter LaFever) in view of Martin et al., US 2014/0007244 (hereinafter Martin).

For claims 1, 18, LaFever teaches a system for generating one or more synthetic datasets with privacy and utility controls, the system comprising:
an input/output (IO) interface for receiving at least one dataset (see [0016], [0314] – [0315], receiving “data elements,” [0367], “a user (2) may indicate that they are interested in using the system to create a privatized/anonymized version of a data set that the user has which contains personal information about Data Subjects”) and a set of privacy controls to be applied to the at least one dataset (see [0016], [0065], [0341], “capabilities of mobile devices to aggregate a user's personal preference information gathered from across a variety of unrelated and disparate sources,” [0367], [0430], “The dynamic data obscuring capabilities of Dynamic Anonymity DDIDs combined with the dynamic data privacy/anonymity control capabilities of a ‘Circle of Trust,’ where gathering of user’s personal preference information with respect to a received data set represents privacy controls);
at least one privacy controller that receives the set of privacy controls and provides a set of fine-grained privacy and utility controls based on the received privacy controls for the at least one dataset (see [0016], “facilitate sharing information in a dynamically controlled manner that enables delivery of temporally-, geographically-, and/or purpose-limited information to the receiving party,” [0143] – [0150] “Data Privacy/Anonymity Control,” [0341], “Mobile applications interacting with the privacy client may provide the controlling entity with control over both the timing and level of participation in location and time sensitive applications, and the degree to which information is shared with third parties in an anonymous--rather than personally identifiable--manner. Mobile devices implementing one or more aspects of the present disclosure may also leverage the unique capabilities of mobile devices to aggregate a user's personal preference information gathered from across a variety of unrelated and disparate sources (whether they be mobile devices, more traditional computer systems or a combination of both) and--only with the users' approval--share a user's information (on an anonymous or personalized basis) with vendors to facilitate time- and/or location-sensitive personalized commercial opportunities,” [0430], “The dynamic data obscuring capabilities of Dynamic Anonymity DDIDs combined with the dynamic data privacy/anonymity control capabilities of a ‘Circle of Trust,’ maximize both data privacy/anonymity and value to support personalized medicine/medical research,” [0479], “graphical user interface” allows user to adjust privacy controls for associated data set);
a data modeling engine to learn the analytical relationships of the received at least one dataset (see [0109], [0120], [0357], analyze relationships in order to “continue obfuscation of data relationships,” [0468], learning “Relationship information between and among time periods/stamps, DDIDs, attribute combinations, Data Subjects and associated profiles may be stored, updated or deleted as applicable in the maintenance module of the privacy server. This may include, in one example, storing or updating all relationship information between all time periods/stamps, DDIDs, attribute combinations, Data Subjects, and profiles within the secure database(s) in the aggregated data profile for the Data Subject”) and to generate a risk and utility profile of the received at least one dataset (see [0432] – [0433], “AMS may be used to correlate mathematically derived levels of certainty pertaining to the likelihood that personally sensitive and/or identifying information may be discernible by third parties to tiered levels and/or categories of anonymity,” [0440] - [0441], “Aggregated AMS scores are the likelihood of multi data point re-identification expressed through AMS scores as compounded together to express the level of uniqueness of combined data points” and “the AMS score could be broken into Categories A, B and C. Where category A is data with a single or aggregated score of 75 or more may be used only with current, express and unambiguous consent of the Data Subject. Category B may represent a single or aggregated AMS score of 40 to 74.9 that would mean the data set could be used with (i) where aggregated AMS score for associated dataset represents risk and utility profile);
a data generation engine to apply learned models in accordance with the provided set of fine-grained privacy and utility controls from the privacy controller to produce one or more synthetic datasets (see [0151] – [0168], “Replacing Data with DDIDs...data managed by these operations, then, is a two-way mapping from each cleartext value to the DDID that replaced it, and from the DDID back to the original value,” [0193] – [0195] obscure relevant data to create synthetic dataset, [0432] – [0441] “In Step (3), a calculation may be performed, e.g., by means of a mathematical function/algorithm (e.g., the mathematical function/algorithm whose output is reflected in FIG. 1J) to calculate an AMS that correlates to the likelihood that the identity of the Data Subject to which said data attributes pertain may be discernible by third parties after Disassociation/Replacement with DDIDs” where applied algorithm represents at learned model and where data set replaced with DDIDs represents at least one synthetic dataset); and
a risk mitigation engine that iteratively targets configured risks within the one or more synthetic datasets and mitigates the targeted risks via modification of the one or more synthetic datasets (see Fig. 1I, [0106], “The Dynamic Anonymity system dynamically segments and applies re-assignable dynamic de-identifiers (DDIDs) to data stream elements at various stages,” [0339], “In one example, the configurable control may include automatic and/or manual decisions and updates made on a timely, case-by-case manner by providing each controlling entity with the ability to dynamically change the composition of information comprised of data attributes at any time,” [0357], “privacy server may then associate various attribute combinations back with particular Data Subjects, as well as update and store the attribute combinations in the aggregated data profile for the Data Subject in the secure database(s). At this time, the DDID assigned to the attribute combinations may be re-assigned with respect to other actions, activities, processes or traits, or Data Subjects to continue obfuscation of data relationships, in one example,” [0432] – [0441], where dynamic modification of data set based on changing circumstances represents iteratively targeting configured risk and modification of dataset),
wherein the IO interface outputs the one or more synthetic datasets with known privacy and utility characteristics (see [0367], “a user (2) may indicate that they are interested in using the system to create a privatized/anonymized version of a data set that the user has which contains personal information about Data Subjects...resulting modified data set would represent output from the system containing dynamically changing DDIDs in lieu of personal information about Data Subjects,” [0432] – [0441]).

Martin teaches “outputs a risk profile for the one or more synthetic datasets” (see [0007], “processor is configured to transmit the at least one risk assessment score for display,” [0016]).  It would have been obvious to one skilled in the art at 

For claim 2, the combination teaches the system of claim 1 wherein the IO interface outputs the risk profile for the one or more synthetic datasets (see Martin, [0007], [0016], “processor is configured to transmit the at least one risk assessment score for display”).

For claim 3, LaFever teaches the system of claim 1 wherein the data modeling engine learns the analytical relationships of the received at least one dataset and generates a risk and utility profile of the received at least one dataset by extracting the relevant distributions from all columns in the dataset and calculating statistical relationships and correlations on the data (see [0026], “reveal the relationship between and among various DDIDs, Data Subjects, data attributes(s),” [0207], “masking and/or statistically-based manipulations are applied,” [0435] – [0436], “Anonymity Measurement Score (AMS) measurement schema ties statistical probabilities of re-identification,” [0442], [0468], learning “Relationship information between and among time periods/stamps, DDIDs, attribute combinations, Data Subjects and associated profiles may be stored, updated or deleted as applicable in the maintenance module of the privacy server. This may include, in one example, storing or updating all relationship 

For claim 4, LaFever teaches the system of claim 1 wherein the data modeling engine outputs the extracted distributions to determine if correlations are permitted in the outputs the one or more synthetic datasets (see [0436] – [0441], analyze statistical distribution of data elements and scoring to determine risk of re-identification represents determining if correlations are permitted).

For claim 7, LaFever teaches the system of claim 1 wherein the data generation engine applies learned models in accordance with the provided set of fine-grained privacy and utility controls from the privacy controller to produce one or more synthetic datasets by checking the specification for the required output dataset, including number of rows, specific columns, and desired correlations (see [0032], “embodiments of the present invention may enable a Data Subject or other controlling entity to send to one or more desired third parties only those data attributes (which the system knows relate to the Data Subject by virtue of the tracking/logging/recording functions of the system) that specifically pertain to a specific action, activity, process or trait,” [0035], “and modify required attributes relevant to or necessary for a given action, activity, process or trait,” [0171], associated with “table and column in which data to be obscured will reside,” [0193] – [0195], exemplary table with specific columns and desired correlations).

For claim 8, LaFever teaches the system of claim 1 wherein the data generation engine applies the permitted correlation models to generate correlated subsets of output data (see [0109], [0120], [0357], analyze relationships in order to “continue obfuscation of data relationships,” [0468], learning “Relationship information between and among time periods/stamps, DDIDs, attribute combinations, Data Subjects and associated profiles may be stored, updated or deleted as applicable in the maintenance module of the privacy server. This may include, in one example, storing or updating all relationship information between all time periods/stamps, DDIDs, attribute combinations, Data Subjects, and profiles within the secure database(s) in the aggregated data profile for the Data Subject” where generation of relationship information among data set represents correlated subsets).

For claim 9, LaFever teaches the system of claim 1 wherein the data generation engine applies the given distribution models to generate independent un-correlated subsets of output data (see [0016] – [0017] “de-identifiers,” [0030], [0168], “Replacing Data with DDIDs...data managed by these operations, then, is a two-way mapping from each cleartext value to the DDID that replaced it, and from the DDID back to the original value,” where de-identifiers represents generated independent un-correlated output data).

anonymity level for each potential kind of exposure for data associated with a Data Subject, action, activity, process and/or trait,” [0150], [0435], “For instance looking at single data points, a social security number is highly unique and therefore more easily re-identifiable than a single data point such as sex, since each person has an approximate 1:1 probability of being male or female. Since gender is less unique as an identifier than a social security number, gender is significantly less likely on an independent basis to re-identify someone than a social security number” where gender represents a hidden re-identification risk).

For claim 11, LaFever teaches the system of claim 1 wherein the risk mitigation engine finds overt risks by searching through the generated dataset to find overt re-identification risks (see [0144], “A system for determining a privacy/anonymity level for each potential kind of exposure for data associated with a Data Subject, action, activity, process and/or trait,” [0150], [0435], “For instance looking at single data points, a social security number is highly unique and therefore more easily re-identifiable than a single data point such as sex, since each person has an approximate 1:1 probability of being male or female. Since gender is less unique as an identifier than a social security number, gender is significantly less likely on an independent basis to re-identify someone than a social security number” where social security number represents an overt risk).

For claim 12, LaFever teaches the system of claim 11 wherein the re-identification risks include potential risks specified in the privacy controls (see [0432] – [0435], “level/type of consent required before data can be used” represents privacy control).

For claim 13, LaFever teaches the system of claim 1 wherein the risk mitigation engine compares the original and generated datasets to identify hidden risks that may occur in the generated dataset (see [0144], “A system for determining a privacy/anonymity level for each potential kind of exposure for data associated with a Data Subject, action, activity, process and/or trait,” [0150], [0435], [0492], “re-aggregation of attribute combinations is performed through application by the maintenance module of relationship information between and among DDIDs and attribute combinations by means of association keys (AKs) and (DKs) residing at the privacy server. In the example, this would mean that the original or modified TDRs return to the privacy server, which may then modify or add the new information”).

For claim 14, LaFever teaches the system of claim 1 wherein the risk mitigation engine applies mitigation techniques to the generated dataset based on the privacy controls (see [0127], “Dynamic Anonymity-defined procedures to obscure, encrypt, and/or segment data”).

obscure, encrypt, and/or segment data” where obscure or encrypt represent fuzzing).

For claim 16, LaFever teaches the system of claim 1 wherein the at least one privacy controller is configurable to set exact specification for privacy requirements for the dataset based on the privacy controls (see [0029], “Anonymity to enable Data Subjects to directly or indirectly control use of their data in accordance with their personal privacy/anonymity preferences can support disparate treatment of data in disparate jurisdictions notwithstanding different data use/privacy/anonymity requirements in such jurisdictions”).

For claim 17, LaFever teaches the system of claim 1 wherein the at least one privacy controller is configurable to set exact specification for analytical utility requirements for the dataset via utility controls (see [0029], “Anonymity to enable Data Subjects to directly or indirectly control use of their data in accordance with their personal privacy/anonymity preferences can support disparate treatment of data in disparate jurisdictions notwithstanding different data use/privacy/anonymity requirements in such jurisdictions,” [0430], “The dynamic data obscuring capabilities of Dynamic Anonymity DDIDs combined with the dynamic data privacy/anonymity control capabilities of a ‘Circle of Trust,’ maximize both data privacy/anonymity and value to support personalized medicine/medical research”).


Claims 5 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over LaFever et al., US 2015/0128285 (hereinafter LaFever) and Martin et al., US 2014/0007244 (hereinafter Martin) in view of Romatka et al., US 2015/0066870 (hereinafter Romatka).

For claim 5, Romatka teaches the system of claim 1 wherein a full correlation model is performed in the data modeling engine (see [0023], “identification of perfect matches between rows and data therein” represents full correlation model).  It would have been obvious to one skilled in the art at the time of the invention to modify the teachings of LaFever and Martin with the teachings of Romatka to provide correlation analysis of data sets to account for differences in accurate comparison or similar comparison (see Romatka, [0008], [0023]).

For claim 6, Romatka teaches the system of claim 1 wherein a partial correlation model is performed in the data modeling engine (see [0023], “identification of perfect matches between rows and data therein as well as promote identification of partial matches” where partial match identification represents partial correlation).  It would have been obvious to one skilled in the art at the time of the invention to modify the teachings of LaFever with the teachings of Romatka to . 


Claims 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over LaFever et al., US 2015/0128285 (hereinafter LaFever) and Martin et al., US 2014/0007244 (hereinafter Martin) in view of El Emam et al., US 2010/0077006 (hereinafter El Emam).

For claim 19, El Emam teaches performing a threshold check on the output risk profile (see [0019], “a selection of a risk threshold acceptable for the dataset from a user...and determining if the re-identification risk meets the selected risk threshold”).  It would have been obvious to one skilled in the art at the time of the invention to modify the teachings of LaFever and Martin with the teachings of El Emam so the user may customize the level of risk tolerated for the de-identified data set (see El Emam, [0021], level or risk “acceptable for the dataset from a user”).

For claim 20, El Emam teaches the method of claim 19, further comprising re-targeting configured risks if the threshold check is not under configured limits (see [0041], “If the threshold is exceeded, NO at 512, the dataset can be further de-identified at 504”).
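The risk-scoring bands quoted from LaFever (category A at 75 or more, category B at 40 to 74.9) and the El Emam loop cited for claims 19 and 20 (score the dataset, compare against a user-selected threshold, de-identify further if exceeded) together describe an iterative mitigation loop with an explicit trigger and stop condition. The following is an added illustration, not code from the application or from any cited reference: it scores a constructed dataset with a simplified uniqueness score standing in for an AMS-style score, classifies it into the quoted bands (treating anything below 40 as category C, an assumption), and applies generalization steps until the score falls below the configured threshold or no steps remain.

```python
"""Iterative re-identification risk mitigation with an explicit stop condition.

Added example; the score, sample rows and mitigation steps are constructed
stand-ins and do not reproduce any cited reference's method.
"""
from collections import Counter
from typing import Callable, Dict, List, Tuple

Row = Dict[str, str]

# Constructed sample records: one direct identifier (ssn) and three
# quasi-identifiers (zip, age, sex). Not data from any cited reference.
SAMPLE_ROWS: List[Row] = [
    {"ssn": "111-11-1111", "zip": "94110", "age": "34", "sex": "F"},
    {"ssn": "222-22-2222", "zip": "94112", "age": "36", "sex": "M"},
    {"ssn": "333-33-3333", "zip": "94114", "age": "41", "sex": "F"},
    {"ssn": "444-44-4444", "zip": "94118", "age": "39", "sex": "M"},
    {"ssn": "555-55-5555", "zip": "94110", "age": "52", "sex": "F"},
    {"ssn": "666-66-6666", "zip": "94112", "age": "58", "sex": "M"},
]
QUASI_IDS: Tuple[str, ...] = ("zip", "age", "sex")


def uniqueness_score(rows: List[Row], quasi_ids: Tuple[str, ...]) -> float:
    """Percentage (0-100) of rows whose quasi-identifier combination is unique.

    A simplified stand-in for an aggregated AMS-style score: the more rows that
    are singled out by their combined quasi-identifiers, the higher the risk.
    """
    combos = Counter(tuple(r[c] for c in quasi_ids) for r in rows)
    unique = sum(1 for r in rows if combos[tuple(r[c] for c in quasi_ids)] == 1)
    return 100.0 * unique / len(rows)


def category(score: float) -> str:
    """Map a score to the quoted bands; below 40 -> C is an assumption."""
    if score >= 75:
        return "A"
    if score >= 40:
        return "B"
    return "C"


def generalize_age(row: Row) -> Row:
    """Replace an exact age with its ten-year bucket (e.g. 34 -> '30-39')."""
    if "-" not in row["age"]:
        lo = int(row["age"]) // 10 * 10
        row["age"] = f"{lo}-{lo + 9}"
    return row


def truncate_zip(row: Row) -> Row:
    """Keep only the first three ZIP digits."""
    row["zip"] = row["zip"][:3] + "**"
    return row


def suppress_sex(row: Row) -> Row:
    """Suppress the sex attribute entirely."""
    row["sex"] = "*"
    return row


# Ordered mitigation steps, least to most utility-destroying; each applied once.
STEPS: List[Tuple[str, Callable[[Row], Row]]] = [
    ("generalize_age", generalize_age),
    ("truncate_zip", truncate_zip),
    ("suppress_sex", suppress_sex),
]


def mitigate(rows: List[Row], threshold: float) -> Tuple[List[Row], List[Tuple[str, float]]]:
    """Run the loop: trigger = score >= threshold; stop = score < threshold or no steps left.

    Returns the de-identified rows and a history of (step, score) pairs.
    The direct identifier is dropped up front as an overt risk.
    """
    working = [{k: v for k, v in r.items() if k != "ssn"} for r in rows]
    pending = list(STEPS)
    score = uniqueness_score(working, QUASI_IDS)
    history = [("start", score)]
    while score >= threshold and pending:
        name, step = pending.pop(0)
        working = [step(dict(r)) for r in working]
        score = uniqueness_score(working, QUASI_IDS)
        history.append((name, score))
    return working, history


if __name__ == "__main__":
    out, hist = mitigate(SAMPLE_ROWS, threshold=40.0)
    for name, s in hist:
        print(f"{name:15s} score={s:6.2f} category={category(s)}")
```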



Response to Arguments

Applicant's arguments filed 10/21/2021 have been fully considered but they are not persuasive. 

With respect to claims 1 and 18 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite, the applicant argues “the configured risks that are targeted are defined by a threshold” and furthermore “these configured risks are iteratively targeted until the risk falls below a threshold and are no longer configured risks.”  The examiner respectfully points out that the express claim language does not provide a defined scope of iterations.  While the specification may define thresholds, the claim itself must clearly describe what risks are targeted and how the iterations are controlled.  Accordingly, the outstanding rejections at issue still stand.

With respect to claims rejected under 35 U.S.C. 103, the applicant argues the prior art does not teach “a set of privacy controls to be applied to the at least one dataset and a set of fine-grained privacy and utility controls.  The set of fine-grained privacy and utility controls is provided by the privacy controller based on the received set of privacy controls to be applied to the at least one dataset.”  Specifically, the applicant contends “by citing to the same portions of LaFever in 

As cited in the corresponding rejection above, LaFever teaches an input/output (IO) interface for receiving at least one dataset (see [0016], [0314] – [0315], receiving “data elements,” [0367], “a user (2) may indicate that they are interested in using the system to create a privatized/anonymized version of a data set that the user has which contains personal information about Data Subjects”) and a set of privacy controls to be applied to the at least one dataset (see [0016], [0065], [0341], “capabilities of mobile devices to aggregate a user's personal preference information gathered from across a variety of unrelated and disparate sources,” [0367], [0430], “The dynamic data obscuring capabilities of Dynamic Anonymity DDIDs combined with the dynamic data privacy/anonymity control capabilities of a ‘Circle of Trust,’ maximize both data privacy/anonymity and value to support personalized medicine/medical research” where gathering of user’s personal preference information with respect to a received data set represents privacy controls).  Specifically, the received user’s personal preference information represents receiving a set of privacy controls to be applied to the at least one dataset.  
Next, LaFever teaches at least one privacy controller that receives the set of privacy controls and provides a set of fine-grained privacy and utility controls based on the received privacy controls for the at least one dataset (see [0016], “facilitate sharing information in a dynamically controlled manner that enables delivery of temporally-, geographically-, and/or purpose-limited information to the receiving party,” [0143] – [0150] “Data Privacy/Anonymity Control,” [0341], “Mobile applications interacting with the privacy client may provide the controlling entity with control over both the timing and level of participation in location and time sensitive applications, and the degree to which information is shared with third parties in an anonymous--rather than personally identifiable--manner. Mobile devices implementing one or more aspects of the present disclosure may also leverage the unique capabilities of mobile devices to aggregate a user's personal preference information gathered from across a variety of unrelated and disparate sources (whether they be mobile devices, more traditional computer systems or a combination of both) and--only with the users' approval--share a user's information (on an anonymous or personalized basis) with vendors to facilitate time- and/or location-sensitive personalized commercial opportunities,” [0430], “The dynamic data obscuring capabilities of Dynamic Anonymity DDIDs combined with the dynamic data privacy/anonymity control capabilities of a ‘Circle of Trust,’ maximize both data privacy/anonymity and value to support personalized medicine/medical research,” [0479], “graphical user interface” allows user to adjust privacy controls for associated data set).  
Here, at least paragraph [0341] shows that the received user’s personal preference information is then utilized to provide a set of fine-grained privacy and utility controls by teaching “Mobile devices implementing one or more aspects of the present disclosure may also leverage the unique capabilities of mobile devices to aggregate a user's personal preference information gathered from across a variety of unrelated and disparate sources (whether they be mobile devices, more traditional computer systems or a combination of both) and--only with the users' approval--share a user's information (on an anonymous or personalized basis) with vendors to facilitate time- and/or location-sensitive personalized commercial opportunities,” (see LaFever, [0341]).  In other words, given the user’s personal preferences for data security received by LaFever, the user is then provided fine-grained privacy and utility controls based on the user’s personal preferences to “with the users' approval--share a user's information (on an anonymous or personalized basis) with vendors to facilitate time- and/or location-sensitive personalized commercial opportunities.”  The user is provided fine-grained control to share his or her personal information with specific vendors based on his or her provided preferences.  This includes fine-grained control with respect to “control over both the timing and level of participation in location and time sensitive applications, and the degree to which information is shared with third parties in an anonymous--rather than personally identifiable--manner” (see LaFever, [0341]).

The applicant argues that the prior art does not teach, in part, “a risk mitigation engine that iteratively targets configured risks within the one or more synthetic datasets” because “as claimed in claim these configured risks are iteratively until the risk falls below a threshold and are no longer configured risks.”  The examiner respectfully disagrees.  The applicant is arguing aspects that are not present in the express claim limitations.  Original claim 1 does not reference or define a “threshold.”


Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENSEN HU whose telephone number is (571)270-3803. The examiner can normally be reached Monday - Friday 9-5 PT.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Usmaan Saeed can be reached on 571-272-4046. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JENSEN HU/Primary Examiner, Art Unit 2169