DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to application filed 10/04/2019. Claims 1-20 have been filed.

Priority
No priority has been claimed for this application.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/04/2019 and 12/02/2020 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Examiner’s Note on Subject Matter Eligibility (Software per se Analysis)
Per claim 1, although a “processor” may indicate either one of a software or hardware and a “database”, absent of an explicit recitation of a “memory/storage device”, may indicate a collection of related data, i.e., data structure, it is nonetheless noted that BRI of the limitation “receive a service request over a public network” requires a hardware “network interface” with an associated network address accessible in the public network. As such, claims 1-7 are determined subject matter eligible.

Examiner’s Note on Patent Eligibility (Abstract Idea Analysis) 
Per 2019 Revised PEG for Electrical Arts:

Step 1: Claims 1, 8 and 15 are directed to one of the four categories of invention and therefore are subject matter eligible.
Step 2A- prong one: Claims 1, 8 and 15 do not recite any limitation that per defined groupings may be reasonably construed as “Abstract Idea”. 
As such, claims 1-20 are determined patent eligible.

Claim Objections
Claims 1-2, 5-6, 8-9, 12-13, 15-16 and 19-20 are objected to because of the following informalities:  
Claims 1, 8 and 15, first recite “a single-use token value”, then next recitations in 1-2, 5-6, 8-9, 12-13, 15-16 and 19-20 is recited as “the token value”. As examples, the next recitations may be amended to disclose “the single-use token value” or the first recitation may be amended to read “a token value, wherein the token value is single-use”.
Appropriate correction/clarification is required.

Examiner’s Note
Claims 5, 12 and 19 are read “wherein the service request is received from an interface computing device in response to the interface computing device receiving the token value from a user computing device.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1.	Claims 1, 4-8, 11-15 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Steinberg, US2020/0211002A1 in view of Bhott, US2019/0087825A1 further in view of Khalil, US2019/0044940A1.

Per claim 1, Steinberg discloses an identity authority computing device comprising a processor in communication with a database, wherein the database stores a plurality of persistent user identifiers associated with a plurality of users, the processor programmed to: 
receive a service request over a public network, the service request including a service provider identifier and a single-use token value associated with one of the users (The role of transaction capture computer system (110) is to provide an entry point for the Authorization Token and other such information as is necessary to request the transaction… In an – Steinberg: par. 0039 and 0041);
determine at least one persistent user identifier associated in the database with the token value (Authorization Tokens are cryptographically signed strings that may contain letters, numbers, and other characters to authenticate a user, verify the user's association with an identifier such as an account or SSN, and indicate a limited authorization to make use of the identifier in one or more transactions… When the transaction comprises gaining access, such as by a third-party, to an account such as a bank account or medical records or the like, the transaction processor may comprise the service provider's computer system such as a bank computer system or a medical provider computer system – Steinberg: par. 0038 and 0042); 
Steinberg is not relied on to explicitly disclose but Bhatt discloses generate an updated service request including the at least one persistent user identifier (in compiling the authorization request, the POS terminal 118 is configured to append the government ID number for the user 112, or a part thereof, to the authorization request at a specific data element and/or sub-element, or at any vacant part of the request message. In addition, the POS terminal 118 is configured to append various details of the transaction to the  – Bhatt: par. 0030).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Steinberg in view of Bhatt to include generate an updated service request including the at least one persistent user identifier.
One of ordinary skill in the art would have been motivated because it would allow to “confirming biometric authentication of a user in connection with a payment account transaction by the user” – Bhatt: par. 0014.

Steinberg-Bhatt is not relied on to explicitly disclose but Khalil discloses generate an encrypted service request using a public encryption key associated with the service provider identifier (the authorization request can be signed by the first service provider and/or can be encrypted using a public key associated with the second service provider – Khalil: par. 0110); and 
transmit the encrypted service request to a service provider computing device associated with the service provider identifier (…the native client SDK on user device 210 can provide the authorization request to identity management server device 240…identity management server device 240 can provide the authorization request to the SDK for service provider 2 – Khalil: par. 0110-0111).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Steinberg-Bhatt further in view of Khalil to include generate an encrypted service request using a public encryption key associated with 
One of ordinary skill in the art would have been motivated because it would allow to “improve[s] use of information related to the individual's identity with multiple entities by reducing or eliminating a need for each of the multiple entities to be in communication with each other” – Khalil: par. 0010.

Per claim 8, it recites a computer-implemented method for secure transmission of user identifiers, said method implemented using an identity authority computing device including a processor in communication with a database, wherein the database stores a plurality of persistent user identifiers associated with a plurality of users, said method comprising performing functions as claimed in the identity authority computing device of claim 1. 
Therefore, claim 8 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claim 15, it recites a non-transitory computer readable storage media having computer-executable instructions embodied thereon, wherein when executed by an identity authority computing device having a processor coupled to a database, the database storing a plurality of persistent user identifiers associated with a plurality of users, the computer-executable instructions cause the processor to perform functions as claimed in the identity authority computing device of claim 1. 
Therefore, claim 15 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claims 4, 11 and 18, Steinberg-Bhatt-Khalil discloses features of Claims 1, 8 and 15, respectively, wherein the service request is received from a user computing device in temporary local data communication with an interface computing device (The Authorization Tokens may also take other forms.  For example, an Authorization Token may be represented by a bar code or a QR code – Steinberg: par. 0035 – Note: a disclosed barcode or QR code inherently discloses an interface computing device, i.e., bar code/QR code reader – par. 0070 of the instant specification discloses “Encoded service request 504 may be received using temporary (e.g., 'ad hoc', decentralized, self- configuring) local data communication. For example, user computing device may scan a quick read (QR) code, or receive a Bluetooth low energy transmission”).

Per claims 5, 12 and 19, Steinberg-Bhatt-Khalil discloses features of Claims 1, 8 and 15, respectively, wherein the service request is received from an interface computing device in response to receipt by the interface computing device (Bhatt: Fig. 1 and 4 – Biometric Reader) of the token value from a user computing device (Bhatt: Fig. 1 and 4 – Card Device).
The same motivation to modify Steinberg in view of Bhatt applied to claim 1 above applies here.

Per claims 6, 13 and 20, Steinberg-Bhatt-Khalil discloses features of Claims 1, 8 and 15, respectively, wherein the token value is a one-time password generated by a user computing device based on a token secret generated by the identity authority computing device (When the user wishes to authorize use of an identifier (e.g., a credit card number, SSN or an account number) for a transaction, the user generates an Authorization Token through the steps  – Steinberg: par. 0051 – Note: wherein in an embodiment, the Identifier is hashed and transmitted from generator (105) to validator (120) and used to further confirm the matched record, thereby substantially reducing the possibility of multiple records matching due to "hash collisions," i.e., two or more different input data strings resulting in a same hashed data string.).

Per claims 7 and 14, Steinberg-Bhatt-Khalil discloses features of Claims 1 and 8, wherein the at least one persistent user identifier is at least one of a social security number and a driver's license number (Authorization Tokens are cryptographically signed strings that may contain letters, numbers, and other characters to authenticate a user, verify the user's association with an identifier such as an account or SSN, and indicate a limited authorization to make use of the identifier in one or more transactions – Steinberg: par. 0038).
(in compiling the authorization request, the POS terminal 118 is configured to append the government ID number for the user 112, or a part thereof, to the authorization request at a specific data element and/or sub-element, or at any vacant part of the request message – Bhatt: par. 0030 – Note: both SSN and Driver’s License Number are government-issued IDs).
The same motivation to modify Steinberg in view of Bhatt applied to claim 1 above applies here.

2.	Claims 2-3, 9-10 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Steinberg, US2020/0211002A1, Bhott, US2019/0087825A1 and US2019/0044940A1 as applied to claims 1, 8 and 15 above, and further in view of Lo, US2019/0281036A1.

Per claims 2, 9 and 16, Steinberg-Bhatt-Khalil discloses features of Claims 1, 8 and 15, respectively. Steinberg-Bhatt-Khalil is not relied on to wherein the processor is further programmed to: 
receive a service response from the service provider computing device, the service response including response data and the at least one persistent user identifier (The result data is preferably in a serialized data format such as JSON. The result data is preferably applied to a card template – Lo: par. 0048 – Note: result data contains personal or sensitive information, 
filter the at least one persistent user identifier from the service response (sensitive data may be removed and non-sensitive data of the result card still presented. Enforcing the permissions may be used such that result cards may be used for retrieving personal or sensitive information that would not be appropriate for displaying to other viewers of a collection. In one exemplary application, a result card may be tied to an outside service account of the author of the collection – Lo: par. 0068); and 
transmit the filtered service response and the token value to an interface computing device (The result data is preferably in a serialized data format such as JSON. The result data is preferably applied to a card template... Rendering the result data into a result card preferably generates HTML that is transmitted to a client device – Lo: par. 0048).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Steinberg-Bhatt-Khalil further in view of Lo to include generate an encrypted service request using a public encryption key associated with the service provider identifier; and transmit the encrypted service request to a service provider computing device associated with the service provider identifier.
One of ordinary skill in the art would have been motivated because it would allow “[e]nforcing the permissions … such that result cards may be used for retrieving personal or sensitive information that would not be appropriate for displaying to other viewers of a collection” – Lo: par. 0068.

(Service identifiers may alternatively be tied to outside namespaces such as a mapping against provided services and DNS… Query links 126 of a preferred embodiment are preferably link elements that function to provide link-like UI elements to initiate a query. Query links 126 may be used throughout the query platform, and may additionally be used outside of the query platform by other applications or websites using a standard link protocol – Lo: par. 0029 and 0033 – Note: outside services, represented by applications and websites, may include insurance companies and credit history providers allowing querant to query and view result data). 
The same motivation to modify Steinberg-Bhatt-Khalil further in view of Lo applied to claim 2 above applies here.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Lacey (US2017/0140174A1) discloses a client device receiving an authorization request. The client device then prompts the user to partially or fully authorize or deny access to the requested information (e.g., with the request handling module 242) or provide authorization or consent. If the client device receives authorization from the user (Fig. 5C, 532), it sends an authorization to the server (e.g., to release the authorized information to the requestor) (534, FIG. 

Kesselman (US2019/0147170A1) discloses query encryptor generating a search query that encrypts the Social Security Number data to be used as a search parameter instead of transmitting the Social Security Number in the clear to prevent sensitive data, i.e., social security number, from being intercepted in transit between application server and data store.

Lebron (US2013/0318348A1) discloses a server sending sensitive information and a request to a service provider. The server communicates with the service provider over an SSL connection to request that the service provider provide to the server a transaction token, an identifier comprising a string of characters utilized to refer to the sensitive information sent with the request, wherein the transaction token is only valid for a single transaction. A response function clears the sensitive information received from the user and sets an encrypted transaction token as an entry in the form data of the authorization request page.

Kumar (US11055727B1) discloses an auditor providing a name attribute and a social security number attribute to an external data source, and request for verification that the provided name matches the provided social security number. The name attribute or the social security attribute may be from a suspicious new client data record or from a suspicious user profile. The 

Chan (US2008/0313088A1) discloses an identification verification system having several applications is disclosed. First, a sender sends a person an offer that requests information. The person replies to the sender, who forwards the reply to a verifying entity. If the sender is legitimate, the verifying entity forwards the reply to a UDID service, which requests authorization from the person to send the information to the sender. Second, a passenger can only access a boarding pass online after entering in a UDID and password. A code string is also generated in a document verification field that is decoded to determine information. Third, an online shopper requests verification from a merchant. The merchant then asks a credit card company for a token. If the merchant has a merchant account with the company, the merchant receives the token that generates a certificate for the shopper, who sends the certificate to the company to verify it is valid.

Maman (US2013/0133059A1) discloses a reverse proxy featuring translating database queries across a plurality of different database platforms, wherein the reverse proxy analyzes the response to determine whether sensitive information is included in the response; and if so, removing the sensitive information before the response is transferred to the accessing application.


Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 571 - 272 - 3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AREZOO SHERKAT/Primary Examiner, Art Unit 2494