Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
Response to Arguments
In communications filed on 4/5/2022, claims 1-20 are presented for examination. Claims 1, 8, and 15 are independent.
Amended claim(s): 1, 4, 8, 11, 15, and 18.
Applicants’ arguments, see Applicant Arguments/Remarks filed 4/5/22, with respect to claim(s) rejected under 35 USC 112 have been fully considered and are not persuasive. Claims 4, 11, and 18 continue to recite subject matter that renders the claim scope unclear. Claims recite identifying the data types associated with requests made by the application, however, the application is not installed per the claim language. It is not clear how an application that is not installed has made requests.  
Applicants’ arguments, see Applicant Arguments/Remarks 4/5/22, with respect to claim(s) rejected under prior art have been considered but are unpersuasive. Contrary to Applicant’s arguments, Barday explicitly discloses performing a software code analysis is performed to determine the type of data (i.e., sensitive or other type) the software would collect when it is executed prior to the software actually being launched (Barday: “[0028] In particular embodiments, the system may also, or alternatively, be adapted to scan predetermined software code to automatically determine whether the code, when executed, collects or otherwise uses personal information (e.g., sensitive personal information) and, if so, what types of personal information are being collected. In various embodiments, in response to determining that the code collects certain predetermined types of personal information, the system may associate a particular risk level with the code (and/or a privacy campaign associated with the code) and/or flag the code (and/or a privacy campaign associated with the code) to indicate that, before the code is placed into use (e.g., publically launched and/or a non-testing version of the software version of the software is launched), the code needs to: (1) be modified to not collect one or more types of personal information; and/or (2) be reviewed and approved by an appropriate individual or group (e.g., the individual or group must approve the code including the attribute))  

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 4 and dependent claims 5-6 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. Claim 4, in pertinent part, recites: “wherein determining whether an application can be installed based on content of the potentially sensitive data and on elections of respective individuals associated with the potentially sensitive data comprises: identifying data types that are associated with requests made by the application.” It is unclear how an application that is not yet installed has made requests wherein the requests have associated data types. It is not clear how an application not yet installed (therefore not executing/running) has made request(s) such that the request can be used to identify the data types, thus rendering the claim scope unclear. Dependent claims are rejected for incorporating the aforementioned deficiency of the base claim. Note claim 4 recites multiple instances of “an application” although the base claim recites “an application” and “the application” further rendering the claim scope unclear as it is not clear if the various recited “an application” refers to the same or different instance of “an application.”   
Claims 11 and dependent claims 12-13 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. Claim 11, in pertinent part, recites: wherein the program instructions to determine whether an application can be installed based on content of the potentially sensitive data and on elections of respective individuals associated with the potentially sensitive data comprise: program instructions to identify data types that are associated with requests made by the application. It is unclear how an application that is not yet installed has made requests. It is not clear how an application not yet installed (therefore not executing/running) is made request(s) such that the request can be used to identify the data types, thus rendering the claim scope unclear. Dependent claims are rejected for incorporating the aforementioned deficiency of the base claim. 
Claims 18 and dependent claims 19-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. Claim 18, in pertinent part, recites: “wherein the program instructions to determine whether an application can be installed based on content of the potentially sensitive data and on elections of respective individuals associated with the potentially sensitive data comprise: program instructions to identify data types that are associated with requests made by the application.” It is unclear how an application that is not yet installed has made requests that have associated data types. It is not clear how an application not yet installed (therefore not executing/running) has made request(s) such that the requests can be used to identify the data types, thus rendering the claim scope unclear. Dependent claims are rejected for incorporating the aforementioned deficiency of the base claim.   

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


The claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.  Claim(s) 1, 8, and 15 is/are directed to a method and system (apparatus). The claim(s) do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the claimed invention is directed to a judicial exception (i.e. an abstract idea) without significantly more. Based upon consideration of all of the relevant factors with respect to the claims as a whole, claims are held to claim an unpatentable abstract idea, and are therefore rejected as ineligible subject matter under 35 U.S.C. § 101. When considering subject matter eligibility under 35 U.S.C. § 101, it must be determined whether the claim is directed to one of the four statutory categories of invention, i.e., process, machine, manufacture, or composition of matter (i.e., Step 1). If the claim does fall within one of the statutory categories, it must then be determined whether the claim is directed to a judicial exception (i.e., law of nature, natural phenomenon, and abstract idea) and determine whether the recited abstract idea is integrated into a practical application in the claims (i.e., Step 2A, prongs 1-2), and it must additionally be determined whether the claim contains any additional elements that transform the exception into patent-eligible subject matter. If an abstract idea is present in the claim, any element or combination of elements in the claim must be sufficient to ensure that the claim amounts to significantly more than the abstract idea itself (i.e., Step 2B). See 2019 Revised Patent Subject Matter Eligibility Guidance published in the
Federal Register on 01/07/2019 and Alice Corporation Pty. Ltd. i/. CLS Bank International, et al., 573 U.S._ (2014).Step 1: Identifying Statutory Categories              In the present case, claim(s) is/are directed to method/system for identifying locations of potentially sensitive data; identifying a set of individuals associated with the potentially sensitive data; and determining whether an application can be installed based on content of the potentially sensitive data currently stored on a user device and on elections of respective individuals associated with the potentially sensitive data – falls into one of the four statutory categories (i.e., method and system). Nevertheless, the claims fall within the judicial exception of an abstract idea.
Step 2A (prong 1): Identifying a Judicial Exception
The Supreme Court and Federal Circuit have identified abstract ideas in patent claims by making comparisons to concepts found in past decisions to be judicial exceptions to eligibility. July 2015 Update on Subject Matter Eligibility, 80 Fed. Reg. 45429 (July 30, 2015) (“IEG Update”). The July Update summarizes concepts the courts have considered to be abstract ideas by associating eligibility decisions with judicial descriptors (e.g., “an idea of itself,” “certain methods of organizing human activities”, “mathematical relationships and formulas”) based on common characteristics. These associations define the judicial descriptors in a manner that stays within the confines of the judicial precedent, with the understanding that these associations are not mutually exclusive, i.e., some concepts may be associated with more than one judicial descriptor.
The abstract functions of the claims in the case are claim(s) is/are directed to system and method of identifying locations of potentially sensitive data; identifying a set of individuals associated with the potentially sensitive data; and determining whether an application can be installed based on content of the potentially sensitive data currently stored on a user device and on elections of respective individuals associated with the potentially sensitive data. 
As such, the abstract idea is data recognition (identifying locations of potentially sensitive data; identifying a set of individuals associated with the potentially sensitive data) and making a mental observation identifying an option (determining whether an application can be installed based on content of the potentially sensitive data currently stored on a user device and on elections of respective individuals associated with the potentially sensitive data) as defined by the claimed steps listed above. As such, the claims fall under at least the category of “an idea of itself” and “certain methods of organizing human activity”. The phrase “an idea of itself is used to describe an idea standing alone such as an instantiated concept, plan or scheme, as well as a mental process (thinking) that “can be performed in the human mind, or by a human using a pen and paper." Looking at the steps of the claims, for each of the claims, data is simply being analyzed/identified to determine an option which was ruled abstract in: 
         a. Collecting and analyzing information to detect misuse and notifying a user when misuse is detected (FairWarning);
         b. Tailoring content based on information about the user  (Int. Ventures v. Cap One Bank ‘382 patent);
While the specific facts of the case differ from these cases, the claims are still directed to analyzing data to make an observation i.e., mental process. Further, each and every step can be performed mentally and with pen and paper. A computer is not necessary to determine an option by making mental observations.
Step 2A (prong 2) Identifying an integrated practical application
Under step 2A (prong 1) of the 101 analysis, claims recite abstract idea of data recognition (identifying locations of potentially sensitive data; identifying a set of individuals associated with the potentially sensitive data) and making a mental observation identifying an option (determining whether an application can be installed based on content of the potentially sensitive data currently stored on a user device and on elections of respective individuals associated with the potentially sensitive data). Claims do not integrate a practical application of the abstract idea in the claims (step 2A, prong 2)
Finding the claims to be directed toward an abstract idea, however, is not the end of the inquiry. See Mayo Collaborative Servs. v. Prometheus Labs. Inc., 132 S. Ct. 1289, 1297 (2012). Rather, the second step requires determining whether additional substantive limitations narrow, confine, or otherwise tie down the claim so that, in practical terms, it does not cover the full abstract idea itself. Another way of stating the test is whether the claim language provides “significantly more” than the abstract idea itself.                    
 Step 2B: Considering Additional Elements
The considerations are whether the claim includes:
•    Improvements to another technology or technical field;
•    Improvements to the functioning of the computer itself;
•    Applying the judicial exception with, or by use of, a particular machine;
•    Effecting a transformation or reduction of a particular article to a different state or thing;
•    Adding a specific limitation other than what is well-understood, routine and conventional in the field, or adding unconventional steps that confine the claim to a particular useful application;
•    Other meaningful limitations beyond generally linking the use of the judicial exception to a particular technological environment. 
Applying the test to the claims in the application, the structural elements of the claims, which include a generic storage media, processors when taken in combination with the functional elements claim(s) is/are directed to system and method for data recognition (identifying locations of potentially sensitive data; identifying a set of individuals associated with the potentially sensitive data) and making a mental observation identifying an option (determining whether an application can be installed based on content of the potentially sensitive data currently stored on a user device and on elections of respective individuals associated with the potentially sensitive data), together do not offer “significantly more” than the abstract idea itself because the claims do not recite an improvement to another technology or technical field, an improvement to the functioning of any computer itself, or provide meaningful limitations beyond generally linking an abstract idea to a particular technological environment (a general purpose device). When considered as an ordered combination, the Examiner does not find any combination of the additional elements that amounts to more than the sum of the parts. The Examiner finds that the Individual elements of the claims are performing their intended roles and functions. In most cases, the additional elements are applied merely to carry out data processing, as discussed above, which fall under well-understood, routine, and conventional functions of generic computers – in our common day-to-day interactions. Note: Applicant’s disclosure states a generic computer processor or machine is used to execute the algorithms (¶18-¶19, ¶76-¶85); note also cited art of record also discloses processors; devices, programs (see, e.g., Barday: ¶38). Therefore, the claimed interactions of the various generically recited methods / devices lacks an unconventional step that confines the claim to a particular useful application in the sense that the result is equivalent to purely mental activity. Dependent claims are rejected based on the aforementioned rationale discussed in the rejection of the independent claims because the claims merely recite variations of rules for making the mental observations and/or performing routine, common every day computing functions such as deleting, sending, receiving data without integrating the model into a practical application.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim 1, 2, 7, 8, 9, 14, 15, 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over US 20170359387 A1 (hereinafter ‘Barday’) in view of US 20110047597 A1 (hereinafter ‘Mahaffey’).

As regards claim 1, Barday (US 20170359387 A1) discloses: A computer-implemented method comprising: identifying locations of potentially sensitive data; (Barday: ¶45, i.e., identification of the location, content, and type of the sensitive data)
identifying a set of individuals associated with the potentially sensitive data; and (Barday: ¶25-¶28, ¶45, i.e., identification of the location, content, and type of the sensitive data and the owners/entity associated with the data)
determining whether an application can be installed based on content of the potentially sensitive data currently stored on a user device and on elections of respective individuals associated with the potentially sensitive data. (Barday: ¶25-¶28, ¶45, ¶64-¶66, i.e., identification of the location, content, and type of the sensitive data and the owners/entity associated with the data wherein the owner/group must approve whether the software can used based)
However, Barday does not explicitly disclose the implicit/inherent feature of installing a software. In analogous art, Mahaffey (US 20110047597 A1) teaches performing an assessment of an application based on the location, type of data, resources used by the application and provides the assessment to the pertinent user to decide to install the application (Mahaffey: ¶30-¶36, ¶146-¶147), thus teaching: installed.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Barday to include installing an application based on an assessment of the application as taught by Mahaffey with the motivation to prevent or allow installing an application on a device (Mahaffey: ¶30-¶36, ¶103, ¶146-¶147)

Claims 8 and 15 recite substantially the same features recited in claim 1 above, and are rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 2, Barday et al combination discloses the computer-implemented method of claim 1, further comprising: in response to determining that the application cannot be installed, preventing installation of the application. (Barday: ¶25-¶28, ¶45, ¶64-¶66. See also, Mahaffey: ¶30-¶36, ¶103, ¶146-¶147)

Claims 9 and 16 recite substantially the same features recited in claim 2 above, and are rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 7, Barday et al combination discloses the computer-implemented method of claim 1, further comprising: receiving data; (Barday: ¶23, ¶45) determining whether the received data is sensitive; and in response to determining that the received data is sensitive, processing the received data based on elections of a user. (Barday: ¶23, ¶45-¶46, ¶64-¶66)

Claim 14 recites substantially the same features recited in claim 7 above, and is rejected based on the aforementioned rationale discussed in the rejection.

Claim 3, 10, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Barday in view of Mahaffey in view of US 20060212593 A1 (hereinafter ‘Patrick’).

As regards claim 3, Barday et al combination discloses the computer-implemented method of claim 1, further comprising: in response to receiving a request to access the potentially sensitive data, determining whether a user associated with a device requesting access has permission to access the potentially sensitive data; (Mahaffey: ¶26, ¶83) However, Barday et al do not but in analogous art, Patrick (US 20060212593 A1) teaches: in response to determining that the user associated with the device requesting access does not have permission, deleting the potentially sensitive data. (Patrick: Fig. 7, ¶103, i.e., removing i.e., deleting, data when the requester is not authorized to see or access the data)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Barday et al to include removing i.e., deleting, data when the requester is not authorized to see or access the data as taught by Patrick with the motivation to removing data the requester is not authorized to access (Patrick: Fig. 7, ¶103)

Claims 10 and 17 recite substantially the same features recited in claim 3 above, and are rejected based on the aforementioned rationale discussed in the rejection.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED A ZAIDI whose telephone number is (571)270-5995. The examiner can normally be reached Monday-Thursday: 5:30AM-5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SYED A ZAIDI/Primary Examiner, Art Unit 2432