DETAILED ACTION
This office action is in response to the correspondence filed on 12/28/2021. Claims 1, 3-9, 11-17, and 19-23 are still pending and are examined. Claims 1, 5, 9, 13, and 21 are amended; claims 2, 10, and 18 are canceled; claims 21-23 have been added.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Kirk Wong (Reg. No. 43284) on 03/01/2022.
The application has been amended as follows: 
Please replace claim set 1-23 as follows:
1. 	(Currently Amended) A method, comprising:
receiving, by a device proxy executing on a user device, data from an application server via a network;
determining, by the device proxy, whether a of the device proxy is in a certificate authority chain of trust in a certificate of the application server[[’s]] 
based on a determination that the of the device proxy is in the certificate of the application server[[’s]] 
based on a determination that the device proxy’s certificate authority is not in the certificate authority chain of trust in the application server’s certificate:
decrypting the data with a session key;
inspecting cleartext data in the decrypted data;
[[re-]]encrypting the decrypted data with the session key;
sending the [[re-]]encrypted data to an application program executing on the user device.

2. 	(Canceled) 

3.  	(Original) The method as recited in Claim 1, wherein the inspecting the cleartext data in the decrypted data further comprises: 
detecting whether malware is present in the cleartext data;
based on detecting that malware is present in the cleartext data, blocking the data from reaching the application program.

4.  	(Original) The method as recited in Claim 1, wherein the inspecting cleartext data in the decrypted data further comprises: 
detecting whether restricted data is present in the cleartext data;
based on detecting that restricted data is present in the cleartext data, blocking the data from reaching the application program.

wherein the based on a determination that the device proxy’s certificate authority is not in the certificate authority chain of trust in the application server’s certificate further comprises 
receiving, by the device proxy, second data from the application program;
decrypting, by the device proxy, the second data with the [[a]] session key;
inspecting, by the device proxy, second cleartext data in the decrypted second data;
[[re-]]encrypting, by the device proxy, the decrypted second data with the session key;
sending, by the device proxy, the [[re-]]encrypted second data to the application server.

6. 	(Original) The method as recited in Claim 1, wherein each device proxy among a plurality of device proxies has a unique private key and public key pair and an associated public key certificate.

7. 	(Original) The method as recited in Claim 1, wherein an institution deploying the device proxy is issued its own proxy certificate authority so the device proxy does not trust other device proxies belonging to another institution. 

8. 	(Original) The method as recited in Claim 1, wherein the device proxy uses one or more certificate authorities unique to the device proxy.

9. 	(Currently Amended) One or more non-transitory computer-readable storage media, storing one or more sequences of instructions, which when executed by one or more 
receiving, by a device proxy executing on a user device, data from an application server via a network;
determining, by the device proxy, whether a of the device proxy is in a certificate authority chain of trust in a certificate of the application server[[’s]] 
based on a determination that the of the device proxy is in the certificate authority chain of trust in the certificate of the application server[[’s]] 
based on a determination that the device proxy’s certificate authority is not in the certificate authority chain of trust in the application server’s certificate:
decrypting the data with a session key;
inspecting cleartext data in the decrypted data;
[[re-]]encrypting the decrypted data with the session key;
sending the [[re-]]encrypted data to an application program executing on the user device.

10. 	(Canceled) 

11.  	(Original) The one or more non-transitory computer-readable storage media as recited in Claim 9, wherein the inspecting the cleartext data in the decrypted data further comprises: 
detecting whether malware is present in the cleartext data;
based on detecting that malware is present in the cleartext data, blocking the data from reaching the application program.

12.  	(Original) The one or more non-transitory computer-readable storage media as recited in Claim 9, wherein the inspecting cleartext data in the decrypted data further comprises: 
detecting whether restricted data is present in the cleartext data;
based on detecting that restricted data is present in the cleartext data, blocking the data from reaching the application program.

13.  	(Currently Amended) The one or more non-transitory computer-readable storage media as recited in Claim 9, wherein the based on a determination that the device proxy’s certificate authority is not in the certificate authority chain of trust in the application server’s certificate further comprises 
receiving, by the device proxy, second data from the application program;
decrypting, by the device proxy, the second data with the [[a]] session key;
inspecting, by the device proxy, second cleartext data in the decrypted second data;
[[re-]]encrypting, by the device proxy, the decrypted second data with the session key;
sending, by the device proxy, the [[re-]]encrypted second data to the application server.

14. 	(Original) The one or more non-transitory computer-readable storage media as recited in Claim 9, wherein each device proxy among a plurality of device proxies has a unique private key and public key pair and an associated public key certificate.

15. 	(Original) The one or more non-transitory computer-readable storage media as recited in Claim 9, wherein an institution deploying the device proxy is issued its own proxy 

16. 	(Original) The one or more non-transitory computer-readable storage media as recited in Claim 9, wherein  the device proxy uses one or more certificate authorities unique to the device proxy.

17. 	(Currently Amended) An apparatus, comprising:
a device proxy executing on a user device, implemented at least partially in hardware, configured to receive data from an application server via a network;
wherein the device proxy is further configured to determine whether a of the device proxy is in a certificate authority chain of trust in a certificate of the application server[[’s]] 
wherein the device proxy is further configured to, based on a determination that the of the device proxy is in the certificate authority chain of trust in the certificate of the application server[[’s]] 
wherein the device proxy is further configured to, based on a determination that the device proxy’s certificate authority is not in the certificate authority chain of trust in the application server’s certificate:
decrypt the data with a session key;
inspect cleartext data in the decrypted data;
[[re-]]encrypt the decrypted data with the session key;


18. 	(Canceled) 

19.  	(Original) The apparatus as recited in Claim 17, wherein the inspect the cleartext data in the decrypted data further comprises: 
detect whether malware is present in the cleartext data;
based on detecting that malware is present in the cleartext data, block the data from reaching the application program.

20.  	(Original) The apparatus as recited in Claim 17, wherein the inspect cleartext data in the decrypted data further comprises: 
detect whether restricted data is present in the cleartext data;
based on detecting that restricted data is present in the cleartext data, block the data from reaching the application program.

21.  	(Currently Amended) The apparatus as recited in Claim 17, wherein the device proxy based on a determination that the device proxy’s certificate authority is not in the certificate authority chain of trust in the application server’s certificate is further configured to: 
receive second data from the application program;
decrypt the second data with the [[a]] session key;
inspect second cleartext data in the decrypted second data;
second data with the session key;
send the [[re-]]encrypted second data to the application server.

22. 	(Previously Presented) The apparatus as recited in Claim 17, wherein an institution deploying the device proxy is issued its own proxy certificate authority so the device proxy does not trust other device proxies belonging to another institution. 

23. 	(Previously Presented) The apparatus as recited in Claim 17, wherein the device proxy uses one or more certificate authorities unique to the device proxy.


---------------------------------END OF EXAMINER’S AMENDMENT--------------------------------




Response to Arguments
The amendments and/or arguments submitted by Applicants for the objection(s)/rejection(s) listed below have been considered and are persuasive; thus, they have been withdrawn:
35 U.S.C. §103 Rejection(s)


Allowable Subject Matter
Claims 1, 3-9, 11-17, and 19-23 are allowed.
The following is an examiner’s statement of reasons for allowance: the present claim amendments and/or arguments resolve all outstanding issues related to the clarity of the claim scope, thus placing the claims in condition for allowance.

According to MPEP 1302.14 (I): “In most cases, the Examiner’s actions and the applicant’s replies make evident the reasons for allowance, satisfying the “record as a whole” provision of the rule. This is particularly true when applicant fully complies with 37 CFR 1.111 (b) and (c) and 37 CFR 1.133(b).  Thus, when the Examiner's actions clearly point out the reasons for rejection and the applicant's reply explicitly presents reasons why claims are patentable over the reference, the reasons for allowance are in all probability evident from the record and no statement should be necessary." 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The listed references disclose related inventions concerning encrypted data inspection.
Li, Xiaoning et al., US-PGPUB, US 20140115702 A1
Chen, Kuo-Chun et al., USPAT, US 11265303 B2
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KA SHAN CHOY whose telephone number is (571) 272-1569. The examiner can normally be reached Mon-Fri, 9AM-5:30PM EST, alternate Fridays.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KA SHAN CHOY/Examiner, Art Unit 2435

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435