DETAILED ACTION
This action is in response to new application filed 8/10/2020 titled “PROOF OF INFORMATION NOTICE IN CLIENT-SERVER SETTINGS”. Claims 1-20 were received for considerations.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d).  The certified copy has been received.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 8/10/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 17, 18 and 20 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being antisapated by Lindskog et al (US 2006/0075122).
With respect to claim 17 Lindskog teaches a system comprising
one or more hardware processors with memory coupled thereto; 
computer-readable media storing instructions executable by the one or more haedware processors, the instructions comprising:
first instructions to receive data from a service provider corresponding to an asset of the service provider that is selectively accessible via an application of a user device (see Lindskog paragraph 0046 i.e. The user agent 100 associated with the user's user equipment 300 transmits, in response to the resource request, a request 400 for a privacy policy reference file associated with the URL of the cookie-associated resource. This reference file states what privacy policy, or sometimes policies that apply to a specific resource (URL or set of URLs) provided by the content provider 300); 
second instructions to adjust functionality of the application to deny access to the asset until an information statement is provided for access by a user of the user device (see Lindskog paragraph 0046 i.e. The reference file typically specifies the URL where a policy file is found, URLs or regions of URL-space covered (and/or not covered) by the policy, cookies that are (and/or are not) covered by the policy, etc. The policy reference file is preferably located in a predefined "well-known" location, but a document could indicate the location of the policy reference file through an HyperText 
third instructions to determine whether the data includes a link to an information statement associated with the asset (see Lindskog paragraph 0046 i.e. The reference file typically specifies the URL where a policy file is found, URLs or regions of URL-space covered (and/or not covered) by the policy, cookies that are (and/or are not) covered by the policy, etc. The policy reference file is preferably located in a predefined "well-known" location, but a document could indicate the location of the policy reference file through an HyperText Markup Language (HTML) link tag, eXtensible HTML (XHTML) link tag or an HyperText Transfer Protocol (HTTP) header); 
fourth instructions to maintain the adjusted functionality of the application to deny access to the asset under a first condition in which the data is determined to not include the link (see Lindskog paragraph 0100 i.e. If the policy as checked in step S33 is positive, the content provider transmits the requested cookie-associated resource in step S34. In addition, a cookie is provided or set in step S35. However, if the receipt is negative, the content provider could provide an non-cookie-associated version, if available, of the resource in step S36. No cookie should be set. In addition, the content provider may transmit a note, specifying that since the user rejected that a cookie is set, no resource or only a non-optimal version thereof can be provided. The method then ends); 
fifth instructions to present the link to the user under a second condition in which the data is determined to include the link; sixth instructions to retrieve, via the link, and present the information statement under the second condition responsive to detecting a 
seventh instructions to sign the information statement and send the signed information statement to the service provider under the second condition (see Lindskog paragraph 0077 i.e. A security operation or authenticating unit 130 may optionally be provided in the user agent 100 for authenticating or signing the cookie receipt, allowing the content provider to identify from whom the receipt is derived. The authenticating unit 130 may append an authentication tag to the receipt. The tag could be a digital signature added to the receipt using a private signing key 135 of an asymmetric key pair. The associated public verification key together with a certificate on the public key is stored at a trusted party. Also message authentication, e.g. using symmetric keys 135, may be used to authenticate and identity the origin of the cookie receipt. A hash function value of the request resource message, or a portion thereof, possibly also including additional data, e.g. URL of the resource, the present date, could be used for signing purposes); and 
eighth instructions to further adjust the functionality of the application to allow access of the asset responsive to sending the signed information statement to the service provider under the second condition (see Lindskog paragraph 0100 i.e.  The 

With respect to claim 18 Lindskog teaches the system of claim 17, wherein the link is displayed in a user-configurable location in the application (see see Lindskog paragraph 0050-0053).

With respect to claim 20 Lindskog teaches the system of claim 17, further comprising ninth instructions to send a notification to the service provider of a denial of access to the asset under the first condition (see Lindskog paragraph 0097i.e. However, if the policy does not fulfill the preferences, a negative cookie receipt could be generated in step S19).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Lindskog et al (US 2006/0075122) in view of Suraski (US 2005/0050319).


receiving a request from a user device to access an asset of a service provider through an application of the user device (see Lindskog paragraph 0046 i.e. The user agent 100 associated with the user's user equipment 300 transmits, in response to the resource request, a request 400 for a privacy policy reference file associated with the URL of the cookie-associated resource. This reference file states what privacy policy, or sometimes policies that apply to a specific resource (URL or set of URLs) provided by the content provider 300);
sending, to a statement tracking module of the user device, data corresponding to an information statement associated with the asset (see Lindskog paragraph 0096 i.e. In step S1, a user agent associated with user equipment receives a privacy policy from a content provider. The policy includes the content provider's policy regarding usage of cookies and privacy data in connection with a cookie-associated resource or service that the user has requested);
receiving, from the statement tracking module of the user device, a response including an indication of user accessibility to the information statement (see Lindskog paragraph 0096 i.e. user agent generates a cookie receipt in step S2. This receipt specifies whether the user associated with the user agent accepts the policy and, thus, accepts that a cookie is set. This cookie receipt is transmitted to the content provider in step S3);
storing the response from the statement tracking module (see Lindskog paragraph 0073 i.e. If the user accepts the (cookie) privacy policy and that a cookie is 
selectively allowing access to the asset through the application of the user device based on the response, wherein the access to the asset is allowed responsive to the response including signed data, the signed data including the information statement and a user identifier (see Lindskog paragraph 0100 i.e. If the policy as checked in step S33 is positive, the content provider transmits the requested cookie-associated resource in step S34. In addition, a cookie is provided or set in step S35. However, if the receipt is negative, the content provider could provide an non-cookie-associated version, if available, of the resource in step S36. No cookie should be set. In addition, the content provider may transmit a note, specifying that since the user rejected that a cookie is set, no resource or only a non-optimal version thereof can be provided. The method then ends and paragraph 0077).
Linkskog does not teach the signed data including a timestamp.
Suraski teaches the signed cookie data including a timestamp (see Suraski paragraph 0058 i.e. Such a cookie would have been issued to this client upon an earlier access request, and would typically include a valid cookie ID and a timestamp indicating when the cookie was issued).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Linkskog in view of Surask to have including a timestamp in the cookie as a way to indicating when the cookie was issued 

	
With respect to claim 2 Lindskog teaches the computer-implemented method of claim 1, wherein the service provider asset includes a web page (see Lindskog paragraph 0017 i.e. The resource could be a Web page, video, picture or audio file), the application of the user device comprises a web browser (see Lindskog paragraph 0018  i.e. Such procedure, generally starts with the user desiring a resource from a content provider, e.g. by clicking on a link on a Web site or entering an Universal Resource Location (URL) of the resource on a Web browser on his/her user equipment), and the statement tracking module comprises an addon for the web browser, a modified version of the web browser, or a standalone application executed on the user device (see Lindskog figure 2 and paragraph 0075 i.e. user agent).

With respect to claim 3 Lindskog teaches the computer-implemented method of claim 2, wherein the request from the user device comprises a Hypertext Transfer Protocol (HTTP) request (see Lindskog paragraph 0046 i.e. The P3P agreement procedure generally starts when a user requests a cookie-associated resource from a content provider 200, e.g. by clicking on a link on a Web site presented on the Web browser of the user equipment 300 or by entering, using a keyboard or similar user input interface, the URL of the resource on the Web browser), and 
wherein the data corresponding to the information statement includes a link to the information statement (see Lindskog paragraph 0046 i.e. The reference file typically 

With respect to claim 4 Lindskog teaches the computer-implemented method of claim 3, wherein the link is included in an HTTP header field (see Lindskog paragraph 0046 i.e. The reference file typically specifies the URL where a policy file is found, URLs or regions of URL-space covered (and/or not covered) by the policy, cookies that are (and/or are not) covered by the policy, etc. The policy reference file is preferably located in a predefined "well-known" location, but a document could indicate the location of the policy reference file through an HyperText Markup Language (HTML) link tag, eXtensible HTML (XHTML) link tag or an HyperText Transfer Protocol (HTTP) header).
	
With respect to claim 5 Lindskog teaches the computer-implemented method of claim 1, wherein selectively allowing access to the asset includes denying access to the asset responsive to the response including a notification of an issue preventing user accessibility to the information statement (see Lindskog paragraph 0100 i.e. If the policy as checked in step S33 is positive, the content provider transmits the requested cookie-associated resource in step S34. In addition, a cookie is provided or set in step S35. However, if the receipt is negative, the content provider could provide an non-cookie-

With respect to claim 6 Lindskog teaches the computer-implemented method of claim 5, wherein the notification is an anonymous notification that does not identify the user device or does not identify a user of the user device requesting access to the asset (see Lindskog paragraph 0096 i.e. user agent generates a cookie receipt in step S2. This receipt specifies whether the user associated with the user agent accepts the policy and, thus, accepts that a cookie is set. This cookie receipt is transmitted to the content provider in step S3).

With respect to claim 7 Lindskog teaches the computer-implemented method of claim 1, wherein the data corresponding to the information statement includes a full version of the information statement (see Lindskog paragraph 0096 i.e. In step S1, a user agent associated with user equipment receives a privacy policy from a content provider. The policy includes the content provider's policy regarding usage of cookies and privacy data in connection with a cookie-associated resource or service that the user has requested).

With respect to claim 8 Lindskog teaches the computer-implemented method of claim 1, wherein the information statement included in the signed data comprises a full 

With respect to claim 9 Lindskog teaches the computer-implemented method of claim 1, wherein the information statement comprises a privacy statement or a notification of terms and conditions associated with the asset (see Lindskog paragraph 0096 i.e. In step S1, a user agent associated with user equipment receives a privacy policy from a content provider. The policy includes the content provider's policy regarding usage of cookies and privacy data in connection with a cookie-associated resource or service that the user has requested).


detecting a user request to access an asset of a service provider via an application of a user device (see Lindskog paragraph 0046 i.e. The user agent 100 associated with the user's user equipment 300 transmits, in response to the resource request, a request 400 for a privacy policy reference file associated with the URL of the cookie-associated resource. This reference file states what privacy policy, or sometimes policies that apply to a specific resource (URL or set of URLs) provided by the content provider 300); 
determining whether an information statement associated with the asset is accessible by the user (see Lindskog paragraph 0096 i.e. In step S1, a user agent associated with user equipment receives a privacy policy from a content provider. The policy includes the content provider's policy regarding usage of cookies and privacy data in connection with a cookie-associated resource or service that the user has requested); 
during a first condition in which the information statement is determined to be accessible by the user, sending a first notification to the service provider and allowing access to the asset via the application of the user device (see Lindskog paragraph 0100 i.e.  The policy receipt is investigated in step S33. If the policy as checked in step S33 is positive, the content provider transmits the requested cookie-associated resource in step S34), the first notification including a signed information statement and a user identifier for a user requesting to access the asset (see Lindskog paragraph 0077 i.e. A 
during a second condition, in which the information statement is determined to not be accessible by the user, sending a second notification to the service provider and denying access to the asset via the application of the user device, the second notification including an indication of an issue with user accessibility to the information statement (See Lindskog paragraph 0100 i.e i.e. However, if the receipt is negative, the content provider could provide an non-cookie-associated version, if available, of the resource in step S36. No cookie should be set. In addition, the content provider may transmit a note, specifying that since the user rejected that a cookie is set, no resource or only a non-optimal version thereof can be provided. The method then ends and paragraph 0097).
Lindskog does not teach the first notification includes a timestamp.
Suraski teaches the first notification includes a timestamp (see Suraski paragraph 0058 i.e. Such a cookie would have been issued to this client upon an earlier 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Linkskog in view of Surask to have including a timestamp in the cookie as a way to indicating when the cookie was issued as a way to invalid old cookies (see Suraski paragraph 0058). Therefore one would have been motivated to have including a timestamp in the signed cookie.

With respect to claim 11 Lindskog teaches the one or more computer-readable media of claim 10, wherein the actions further comprise generating the signed information statement by signing the information statement using a private key owned by the user requesting the access the asset (see Lindskog paragraph 0077 i.e. A security operation or authenticating unit 130 may optionally be provided in the user agent 100 for authenticating or signing the cookie receipt, allowing the content provider to identify from whom the receipt is derived. The authenticating unit 130 may append an authentication tag to the receipt. The tag could be a digital signature added to the receipt using a private signing key 135 of an asymmetric key pair. The associated public verification key together with a certificate on the public key is stored at a trusted party. Also message authentication, e.g. using symmetric keys 135, may be used to authenticate and identity the origin of the cookie receipt. A hash function value of the request resource message, or a portion thereof, possibly also including additional data, e.g. URL of the resource, the present date, could be used for signing purposes).



With respect to claim 13 Lindskog teaches the one or more computer-readable media of claim 10, wherein the asset includes a webpage managed by the service provider (see Lindskog paragraph 0017 i.e. The resource could be a Web page, video, picture or audio file) and 
wherein denying access to the asset includes altering or prohibiting display of content for the webpage (See Lindskog paragraph 0100 i.e i.e. However, if the receipt is negative, the content provider could provide an non-cookie-associated version, if available, of the resource in step S36. No cookie should be set. In addition, the content provider may transmit a note, specifying that since the user rejected that a cookie is set, no resource or only a non-optimal version thereof can be provided. The method then ends).

With respect to claim 14 Lindskog teaches the one or more computer-readable media of claim 10, wherein denying access to the asset includes prohibiting interactions 

With respect to claim 15 Lindskog teaches the one or more computer-readable media of claim 10, wherein denying access to the asset further includes prohibiting the service provider from collecting personal data for the user (See Lindskog paragraph 0100 i.e i.e. However, if the receipt is negative, the content provider could provide an non-cookie-associated version, if available, of the resource in step S36. No cookie should be set. In addition, the content provider may transmit a note, specifying that since the user rejected that a cookie is set, no resource or only a non-optimal version thereof can be provided. The method then ends).

With respect to claim 16 Lindskog teaches the one or more computer-readable media of claim 10, wherein determining whether an information statement associated with the asset is accessible by the user comprises determining whether a link to the information statement is received from the service provider and determining whether the information statement is retrieved from the link (see Lindskog paragraph 0046 i.e. The reference file typically specifies the URL where a policy file is found, URLs or regions of URL-space covered (and/or not covered) by the policy, cookies that are (and/or are not) 
	
With respect to claim 19 Lindskog teaches the system of claim 17, wherein signing the information statement includes cryptographically signing the information statement with a private key owned by the user, wherein sending the signed information statement further includes sending a user identifier of a user requesting access to the asset and a timestamp associated with the presentation of the information statement, and wherein the user identifier and the timestamp are signed using the private key owned by the user (see Lindskog paragraph 0077 i.e. A security operation or authenticating unit 130 may optionally be provided in the user agent 100 for authenticating or signing the cookie receipt, allowing the content provider to identify from whom the receipt is derived. The authenticating unit 130 may append an authentication tag to the receipt. The tag could be a digital signature added to the receipt using a private signing key 135 of an asymmetric key pair. The associated public verification key together with a certificate on the public key is stored at a trusted party. Also message authentication, e.g. using symmetric keys 135, may be used to authenticate and identity the origin of the cookie receipt. A hash function value of the request resource message, or a portion thereof, possibly also including additional data, e.g. URL of the resource, the present date, could be used for signing purposes).
Lindskog does not teach the first notification includes a timestamp.

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Linkskog in view of Surask to have including a timestamp in the cookie as a way to indicating when the cookie was issued as a way to invalid old cookies (see Suraski paragraph 0058). Therefore one would have been motivated to have including a timestamp in the signed cookie.

Prior Art
Torres et al (US 8,316,451) titled “Presenting Privacy Policy In A Network Environment Responsive To User Preference” 
Pearson et al (US 2016/0112456) titled “POLICY-BASED DATA MANAGEMENT”
Ganapathi et al (US 2016/0148006) titled “Privacy User Interface For Websites”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/DEVIN E ALMEIDA/Examiner, Art Unit 2492                                                                                                                                                                                                        


/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492