DETAILED ACTION
This Non-Final Office Action is in response to the request for continued examination filed on 04/29/2022. Claims 1-20 are being considered on the merits.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
2.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 04/29/2022 has been entered.
Response to Arguments
3.	Applicant's arguments filed 04/29/2022 have been fully considered but they are not persuasive. Applicant argues that claims 1-20 are distinct over the claims of Application No. 15/819,338 (U.S. Patent No. 10,657,229). 
With respect to this argument, the claimed sampling in claim 1 corresponds to the extracting step of claim 1 in 10,657,229, and the claimed eliminating and replacing steps correspond to the removal and replacement in claim 6 of the ‘229 patent. Further mapping of corresponding features in the claims is shown in the rejection. Therefore, the double patenting rejection is maintained.
Further arguments are moot because they do not apply to the newly cited reference below.


Double Patenting
4.	Claims 1-20 of this application are patentably indistinct from claims 1-20 of Application No. 15/819,338. Pursuant to 37 CFR 1.78(f), when two or more applications filed by the same applicant or assignee contain patentably indistinct claims, elimination of such claims from all but one application may be required in the absence of good and sufficient reason for their retention during pendency in more than one application. Applicant is required to either cancel the patentably indistinct claims from all but one application or maintain a clear line of demarcation between the applications. See MPEP § 822.
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,657,229. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims disclose a method and system for constructing a computing model that preserves use rights for data. The method of claim 1 and the system of claims 8 and 15 include the same limitations of the method and system of claims 1, 8 and 15 disclosed in U.S. Patent No. 10,657,229. 
Likewise regarding dependent claims:
Claims 2-7, 9-14 and 16-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 2-7, 9-14 and 16-20 of U.S. Patent No. 10,657,229.

As indicated in the table below, these dependent claims of the instant application are anticipated by the corresponding claims of U.S. Patent No. 10,657,229, because the subject matter claimed in the following dependent claims of the instant application is fully disclosed and covered by the corresponding claims of US Patent No. 10,657,229.

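In each pair of entries below, the first is the claim of the instant application (Application No. 16/852,280) and the second is the corresponding claim of U.S. Patent No. 10,657,229.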
Claim 1: A method for constructing an improved computing model that preserves use rights for data utilized by the model, the method comprising: 
accessing a first dataset to build a computing model, the first data set being subject to terminable usage rights provisions; 
sampling the first dataset to generate a second dataset, the first dataset having a first set of data points and the second dataset having a second set of data points; 
discretizing vectors present in both the first dataset and the second dataset; 
in response to determining that the usage rights associated with the primary dataset have been terminated, computing a coverage depletion for the second dataset based on the usage rights termination associated with the first dataset; 
determining an estimated mean time to coverage failure for the first dataset based on the depletion coverage determined for the second dataset; 
eliminating at least one data points from the second dataset due to the termination of usage rights associated with a first data record in the first dataset; 
replacing the at least one eliminated data point with a surrogate data point associated with a second data record in the first dataset.
Claim 1: A method of building a decision or prediction model used for analyzing and scoring behavioral transactions, wherein a customer dataset in a model development store used to build an original model is subject to a data right usage withdrawal, the original model having coverage over the customer dataset, the method comprising:
extracting, by one or more processors using data sampling, a portion of the customer dataset to generate a model surrogate dataset that has a distribution of values with a first degree of similarity to the distribution of values of the customer dataset;
discretizing, by the one or more processors, vectors present in both the model surrogate dataset and the customer dataset;
receiving, by the one or more processors, data representing the data right usage withdrawal from the customer dataset;
determining, by the one or more processors, a depletion of the model surrogate dataset according to the data right usage withdrawal;
computing, by the one or more processors, an estimated mean time to coverage failure of the original model based on the depletion of the model surrogate dataset according to the data right usage withdrawal; and
tracking, by one or more processors, a consent validity of a customer associated with the customer dataset, the consent validity representing the customer's continued consent validity for use in the original model.
Claim 2: wherein determining the estimated mean time to coverage failure comprises measuring a mean and an expected model validity failure time based on the depletion of the second dataset.
Claim 2: wherein computing an estimated mean time to coverage failure further includes measuring, by the one or more processors, a mean and an expected model validity failure time based on the depletion of the model surrogate data according to the data right usage withdrawal.
Claim 3: wherein the first dataset is stored as a set of key values in a database, at least a first key value having a primary key to uniquely identify a first entity associated with first data included in the first dataset.
Claim 3: storing, by the one or more processors, the customer dataset as a set of key values in an in-memory database, at least one key value having a primary key to uniquely identify a customer of the customer dataset.
Claim 4: wherein the first entity has the right to terminate usage rights associated with the first data included in the first dataset, and a secondary key is associated with the primary key, the secondary key corresponding to a transaction data point for the first entity.
Via EFS Docket No. 035006-794C01US Customer No. 76615
Claim 4: generating, by the one or more processors, a secondary key associated with at least one primary key, the secondary key corresponding to a transaction data point for the customer of the customer dataset.
Claim 5: wherein a one-way hash function is applied on the primary key to generate a hashed value to identify the first entity.
Claim 5: applying, by the one or more processors, a one-way hash function on the primary key to generate a hashed value to identify the customer of the customer dataset.
Claim 6: wherein a consent validity of the first entity is tracked to determine the first entity's continued consent for use of data associated with the first entity in the first model.
Claim 13: tracking a consent validity of a customer associated with the customer dataset, the consent validity representing the customer's continued consent validity for use in the original model; and
replacing customer data points removed due to removal of consent for use in the original model and replacing with similar surrogate data points from the model surrogate dataset.
Claim 7: wherein the second data record has an identical distribution of values as the first data record.
Claim 8: extracting, using data sampling, a portion of the customer dataset to generate a model surrogate dataset that has a distribution of values with a first degree of similarity to the distribution of values of the customer dataset;

Claim 8: A system for constructing an improved computing model that preserves use rights for data utilized by the model, the system comprising computer hardware configured to perform operations comprising: accessing a first dataset to build a computing model, the first data set being subject to terminable usage rights provisions; 
sampling a portion of the first dataset to generate a second dataset, the first dataset having a first set of data points and the second dataset having a second set of data points; 
discretizing vectors present in both the first dataset and the second dataset; 
in response to determining that the usage rights associated with the primary dataset have been terminated, computing a coverage depletion for the second dataset based on the usage rights termination associated with the first dataset; 
determining an estimated mean time to coverage failure for the first dataset based on the depletion coverage determined for the second dataset; and 
eliminating at least one data points from the second dataset due to the termination of usage rights associated with a first data record in the first dataset; replacing the at least one eliminated data point with a surrogate data point associated with a second data record in the first dataset
Claim 8: A system for building a decision or prediction model used for analyzing and scoring behavioral transactions, wherein a customer dataset in a model development store used to build an original model is subject to a data right usage withdrawal, the original model having coverage over the customer dataset, the system comprising computer hardware configured to perform operations comprising:
extracting, using data sampling, a portion of the customer dataset to generate a model surrogate dataset that has a distribution of values with a first degree of similarity to the distribution of values of the customer dataset;
discretizing vectors present in both the model surrogate dataset and the customer dataset;
receiving data representing the data right usage withdrawal from the customer dataset;
determining a depletion of the model surrogate dataset according to the data right usage withdrawal; and
computing an estimated mean time to coverage failure of the original model based on the depletion of the model surrogate dataset according to the data right usage withdrawal.
Claim 9: wherein determining the estimated mean time to coverage failure comprises measuring a mean and an expected model validity failure time based on the depletion of the second dataset.
Claim 9: wherein the operations further comprise computing an estimated mean time to coverage failure further includes measuring a mean and an expected model validity failure time based on the depletion of the model surrogate data according to the data right usage withdrawal.
Claim 10: wherein the first dataset is stored as a set of key values in a database, at least a first key value having a primary key to uniquely identify a first entity associated with first data included in the first dataset.
Claim 10: wherein the operations further comprise storing the customer dataset as a set of key values in an in-memory database, at least one key value having a primary key to uniquely identify a customer of the customer dataset.
Claim 11: wherein the first entity has the right to terminate usage rights associated with the first data included in the first dataset, and a secondary key is associated with the primary key, the secondary key corresponding to a transaction data point for the first entity.
Claim 11: wherein the operations further comprise generating a secondary key associated with at least one primary key, the secondary key corresponding to a transaction data point for the customer of the customer dataset.
Claim 12: wherein a one-way hash function is applied on the primary key to generate a hashed value to identify the first entity.
Claim 12: applying, by the one or more processors, a one-way hash function on the primary key to generate a hashed value to identify the customer of the customer dataset.
Claim 13: wherein a consent validity of the first entity is tracked to determine the first entity's continued consent for use of data associated with the first entity in the first model.
Claim 13: tracking a consent validity of a customer associated with the customer dataset, the consent validity representing the customer's continued consent validity for use in the original model; and
replacing customer data points removed due to removal of consent for use in the original model and replacing with similar surrogate data points from the model surrogate dataset.
Claim 14: wherein the second data record that has an identical distribution of values as the first data record
Claim 8: extracting, using data sampling, a portion of the customer dataset to generate a model surrogate dataset that has a distribution of values with a first degree of similarity to the distribution of values of the customer dataset;

Claim 15: A system comprising: a programmable processor; and a non-transitory machine-readable medium storing instructions that, when executed by the processor, cause the at least one programmable processor to perform operations to: 
extract, using data sampling, a portion of a first dataset to generate a second dataset, the first dataset having a first set of data points and the second dataset having a second set of data points; 
discretize vectors present in both the first dataset and the second; 
receive data representing the data right usage withdrawal from the first dataset; 
determine a depletion of the second dataset according to the data right usage withdrawal; and 
compute an estimated mean time to coverage failure of a computing model based on the depletion of the second dataset according to the data right usage withdrawal; and 
eliminate at least one data points from the second dataset due to the termination of usage rights associated with a first data record in the first dataset; 
replacing the at least one eliminated data point with a surrogate data point associated with a second data record in the first dataset.  
Claim 15: A system comprising:
a programmable processor; and
a machine-readable medium storing instructions that, when executed by the processor, cause the at least one programmable processor to perform operations comprising:
extract, using data sampling, a portion of the customer dataset to generate a model surrogate dataset;
discretize vectors present in both the model surrogate dataset and the customer dataset;
receive data representing the data right usage withdrawal from the customer dataset;
determine a depletion of the model surrogate dataset according to the data right usage withdrawal;
compute an estimated mean time to coverage failure of the original model based on the depletion of the model surrogate dataset according to the data right usage withdrawal; and
track, by one or more processors, a consent validity of a customer associated with the customer dataset, the consent validity representing the customer's continued consent validity for use in the original model.

Claim 16: wherein the operations further comprise computing an estimated mean time to coverage failure by measuring a mean and an expected model validity failure time based on the depletion of the second dataset according to the data right usage withdrawal.
Claim 16: wherein the operations further comprise compute an estimated mean time to coverage failure further includes measuring a mean and an expected model validity failure time based on the depletion of the model surrogate data according to the data right usage withdrawal.
Claim 17: wherein the operations further comprise storing the first dataset as a set of key values in a database, at least one key value having a primary key to uniquely identify a customer in the first dataset.
Claim 17: wherein the operations further comprise store the customer dataset as a set of key values in an in-memory database, at least one key value having a primary key to uniquely identify a customer of the customer dataset.
Claim 18: wherein the operations further comprise generating a secondary key associated with the primary key, the secondary key corresponding to a transaction data point for the customer.  

Claim 18: wherein the operations further comprise generate a secondary key associated with at least one primary key, the secondary key corresponding to a transaction data point for the customer of the customer dataset.
Claim 19: The system in accordance with claim 17, further comprising applying a one-way hash function on the primary key to generate a hashed value to identify the customer.
Claim 19: applying, by the one or more processors, a one-way hash function on the primary key to generate a hashed value to identify the customer of the customer dataset.
Claim 20: wherein the operations further comprise tracking a consent validity of the customer representing the customer's continued consent validity for use in the original model.
Claim 13:  tracking a consent validity of a customer associated with the customer dataset, the consent validity representing the customer's continued consent validity for use in the original model; and
replacing customer data points removed due to removal of consent for use in the original model and replacing with similar surrogate data points from the model surrogate dataset.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



5. 	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub No. US 2017/0243028 A1 to LaFever, (hereinafter, “LaFever”) in view of US Pub. No. US 2014/0006347 A1 to Qureshi, (hereinafter, “Qureshi”).

As per claim 1, LaFever teaches a method for constructing an improved computing model that preserves use rights for data utilized by the model, the method comprising: 
accessing a first dataset to build a computing model, the first data set being subject to terminable usage rights provisions (LaFever, para. [0017] “systems, methods and devices that create, access, use (e.g., collecting, processing, copying, analyzing, combining, modifying or disseminating, etc.), store and/or erase data with increased privacy, anonymity and security, thereby facilitating availability of more qualified and accurate information. And, when data is authorized to be shared with third parties, embodiments of the present invention may facilitate sharing information in a dynamically controlled manner that enables delivery of temporally-, geographically-, and/or purpose-limited information to the receiving party.”);
sampling the first dataset to generate a second dataset, the first dataset having a first set of data points and the second dataset having a second set of data points (LaFever, para. [0056] “the term "policy" may mean, without limitation, a way or ways to programmatically enforce mathematical, logical, sampling, or other functions against a data set (e.g., a data set of any number of dimensions) that is equal to or greater than enforcement mechanisms for enabling any Privacy-Enhancing Technology ("PET") including, but not limited to, public key encryption, k-anonymity, l-diversity, introduction of "noise," differential privacy, homomorphic encryption, digital rights management, identity management, suppression and/or generalization of certain data by row, by column, by any other dimension, by any combination of dimensions, by discrete cell, by any combination of discrete cells and by any combination of rows, columns, and discrete cells or any portion thereof.” And para. [0115] “FIG. 6 shows an example of a process (from a sample controlling entity and system perspective) to select attribute combinations, generate TDRs to abstract or anonymize the data, and then re-associate or de-anonymize the data”);
discretizing vectors present in both the first dataset and the second dataset (LaFever, para. [0057] “the term "Non-Attributing Data Element Value" (NADEV) may mean, without limitation, the value revealed when an A-DDID is re-identified or the value which would be revealed if a given A-DDID were to be re-identified. A NADEV may be produced by creating a derived or related version or subset of one or more elements of a data set to reflect the application of one or more PETs or other privacy and/or security enhancing methodologies to the data set to limit access to all of a data set, or at least to a selected portion of the data set.”);
in response to determining that the usage rights associated with the primary dataset have been terminated, computing a coverage depletion for the second dataset based on the terminated usage rights associated with the first dataset (LaFever, para. [0498] “FIG. 1M compares the impact of other approaches to data protection (security and privacy) on the preservation of data value versus the preservation (or expansion) of data value in the present invention, i.e., JITI, and on other inventions contained herein. Column 1 of FIG. 1M represents the effect of binary alternatives (e.g., encryption) wherein the top black sphere shows the value of original data (in unprotected form) and the dotted sphere represents the loss of data value when that data is in a protected form, rendering it unusable. Column 2 of FIG. 1M represents the reduction in data value due to removing data from the ecosystem in response to concerns over use of data for purposes other than the primary intended purpose ("Data Minimization") and from using traditional static approaches to obfuscating data in order to achieve de-identification, which reduce data value. Column 3 of FIG. 1M shows that 100% of data value is retained with JITI. Last, Column 4 of FIG. 1M represents the possibility of positive data fusion due to using JITI.”); and 
eliminating one or more data point from the second dataset due to the terminated usage rights associated with a first data record in the first dataset; replacing the one or more eliminated data point with a surrogate data point associated with a second data record in the first dataset (LaFever, para. [0036] “"R-DDID" or "Replacement DDID": refers to a DDID that may be used to replace an identifying data element and de-reference (e.g., point) to the value of the data element.” And para. [0055] “the phrase "temporally unique" means that the time period of assignment of a DDID to a data subject, action, activity, process or trait is not endless. The initial assignment of a DDID to a data subject, action, activity, process or trait starts at a point in time, and information concerning the time of assignment is known and, in certain implementations of the present invention, may be used to identify relationships or connections between the DDID and said data subject, action, activity, process or trait. If the period of assignment of a DDID to a data subject, action, activity, process or trait ends at a discrete point in time, information concerning the time of termination (termination of usage rights) of assignment is known and, in certain implementations of the present invention, may be used to identify relationships or connections between the DDID and said data subject, action, activity, process or trait.” And para. [0059] “the method may also include re-associating the selected DDID with one or more other data attributes or attribute combinations following expiration of the association between the DDID and one or more initial data attributes.” And para. [0060] “the expiration of the DDID occurs at a predetermined time, or the expiration may occur following completion of a predetermined event, purpose or activity. In another example, the DDID may be authorized for use only during a given time period and/or at a predetermined location.”).
the first dataset stored as a set of key values in a database (LaFever, para. [0035] “"A-DDID" or "Association DDID": refers to a DDID that is used to replace an identifying data element and dereference (e.g., point) to the value of the data element, thus conveying a range/association with (or correlation between) the data element and its value, in order to impart informational value in a non-identifying manner, and optionally in accordance with specified grouping rules.” And para. [0046] “Due to the changeable, temporally unique, and re-assignable characteristics of DDIDs paired with data attributes or attribute combinations to create TDRs, recipients of TDRs may make use of information contained in TDRs specifically for intended purposes at intended times. relevant information revealed by means of AKs and/or RKs may change over time to support additional secondary uses of data.”)

	LaFever teaches all the limitations of claim 1 above, but fails to explicitly teach the following, which Qureshi teaches:
determining an estimated mean time to coverage failure for the first dataset based on the depletion coverage computed for the second dataset (Qureshi, para. [0247] “the meta-application 150 can be configured to create gateway rules 404 based at least partly on the time(s) at which a mobile device 120 was "wiped" (e.g., deletion of some or all data stored on the device or removal of software application(s) from the device).” and para. [0407] “the user determination algorithm compares the time at which the request 2302 was received by the enterprise resource 130 to the time of receipt (by the secure mobile gateway 128) of mobile device access requests 402 having mobile traffic data matching that of the request 2302…if there were no requests 402 received by the gateway 128 within a predefined or dynamically computed time window from (before or after) the time of receipt of the request 2302 and which have the same sender IP address as the request 2302, then the analytics service 414 can compute a relatively low reliability score.” And para. [0409] “the user determination algorithm evaluates the extent to which different access requests 402 associated with a particular user 115 have different mobile traffic data…the analytics service 414 determines a total number of access requests 402 that (1) have user data corresponding to a particular user 115 of interest, (2) have mobile traffic data that does not match the mobile traffic data received within the user determination request 2304, and (3) were received by the secure mobile gateway 128 within a predetermined or dynamically computed time window containing the time of receipt in the user determination request 2304. The analytics service 414 can reduce the computed reliability score (in a confidence level that the request 2302 was from the particular user 115) as the total number of determined access requests 402 increases.” And para. 
[0426] “The secure document container 336 can serve as a temporary repository for documents and other files sent to the mobile device 120. Remote applications can be configured to send documents to the container 336 (e.g., via application tunnels) on a one-time or periodic basis… The sales-related documents can have document access policies such that the documents will "self-destruct" (e.g., be automatically deleted from the container 336--the deletion being performed by, e.g., the container 336 itself or the enterprise agent 320) at a certain time or at the expiration of a time period beginning at a defined event (e.g., the user's opening of a document). Document distribution policies (e.g., encoded rules) can be provided (e.g., within the mobile device management system 126) to control when and how remote applications (e.g., enterprise resources 130) send documents to the containers 336, to which users 115 the documents are sent, what restrictions (e.g., temporal or geographic restrictions) are placed on the use and availability of the documents (e.g., in the form of document access policies as described above), etc.”).  

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Qureshi’s enterprise data protection into LaFever’s systems and methods for enhancing data protection by anonosizing structured and unstructured data and incorporating machine learning and artificial intelligence in classical and quantum computing environments, with a motivation to detect and address security-related or productivity-related problems (Qureshi, para. [0022]).
As per claims 2 and 9, the combination of LaFever and Qureshi teach the method in accordance with claim 1 and the system in accordance with claim 8, respectively, wherein determining the estimated mean time to coverage failure comprises measuring a mean and an expected model validity failure time based on the depletion of the second dataset (Qureshi, para. [0247] “the meta-application 150 can be configured to create gateway rules 404 based at least partly on the time(s) at which a mobile device 120 was "wiped" (e.g., deletion of some or all data stored on the device or removal of software application(s) from the device).” and para. [0407] “the user determination algorithm compares the time at which the request 2302 was received by the enterprise resource 130 to the time of receipt (by the secure mobile gateway 128) of mobile device access requests 402 having mobile traffic data matching that of the request 2302…if there were no requests 402 received by the gateway 128 within a predefined or dynamically computed time window from (before or after) the time of receipt of the request 2302 and which have the same sender IP address as the request 2302, then the analytics service 414 can compute a relatively low reliability score.” And para. [0409] “the user determination algorithm evaluates the extent to which different access requests 402 associated with a particular user 115 have different mobile traffic data…the analytics service 414 determines a total number of access requests 402 that (1) have user data corresponding to a particular user 115 of interest, (2) have mobile traffic data that does not match the mobile traffic data received within the user determination request 2304, and (3) were received by the secure mobile gateway 128 within a predetermined or dynamically computed time window containing the time of receipt in the user determination request 2304. The analytics service 414 can reduce the computed reliability score (in a confidence level that the request 2302 was from the particular user 115) as the total number of determined access requests 402 increases.” And para. [0426] “The secure document container 336 can serve as a temporary repository for documents and other files sent to the mobile device 120. Remote applications can be configured to send documents to the container 336 (e.g., via application tunnels) on a one-time or periodic basis… The sales-related documents can have document access policies such that the documents will "self-destruct" (e.g., be automatically deleted from the container 336--the deletion being performed by, e.g., the container 336 itself or the enterprise agent 320) at a certain time or at the expiration of a time period beginning at a defined event (e.g., the user's opening of a document). Document distribution policies (e.g., encoded rules) can be provided (e.g., within the mobile device management system 126) to control when and how remote applications (e.g., enterprise resources 130) send documents to the containers 336, to which users 115 the documents are sent, what restrictions (e.g., temporal or geographic restrictions) are placed on the use and availability of the documents (e.g., in the form of document access policies as described above), etc.”).

As per claims 3 and 10, the combination of LaFever and Qureshi teach the method in accordance with claim 1 and the system in accordance with claim 8, respectively, wherein, at least a first key value having a primary key to uniquely identify a first entity associated with first data included in the first dataset (LaFever, para. [0032] “Keys used by embodiments of the present invention may vary depending on the use of corresponding DDIDs.” And para. [0180] “A dynamic de-identifier DDID is a temporally-bounded pseudonym which both refers to and obscures the value of (i) a primary key referencing a Data Subject, action, activity, process and/or trait, (ii) the value of an attribute of that Data Subject, action, activity, process and/or trait (e.g. a ZIP code), and/or (iii) the kind or type of data being associated with the Data Subject, action, activity, process and/or trait (e.g. the fact that some encoded value was a ZIP code)”).

As per claims 4 and 11, the combination of LaFever and Qureshi teach the method in accordance with claim 3 and the system in accordance with claim 10, respectively, wherein the first entity has the right to terminate usage rights associated with the first data included in the first dataset (LaFever, para. [0515] “possession of a DDID on its own, even if the active user is trusted and correctly authenticated, may be insufficient to unlock any original data element. Every action against the stored data must work in concert with both the DDIDs and an allowable set of one or more valid JITI keys. In all other cases, the "End Session" step results in a "fail close" (i.e., reject the access and stop, shut down, terminate the application, etc.--as appropriate to the particular scenario) and the system will not return any data with value.” And para. [0584] “BigPrivacy also enables data processors the ability to implement a data subject's individual "Right to be forgotten" (e.g., as required under GDPR Article 17), e.g., by removing links to an individual by "deleting" the keys necessary to create the linkage within the de-identification policy engine--without requiring deletion of the data itself. Rather, just the links between the data and the true identity of the data subject need to be deleted from the look-up table or database.”), and 
a secondary key is associated with the primary key, the secondary key corresponding to a transaction data point for the first entity (LaFever, para. [0032] “Keys used by embodiments of the present invention may vary depending on the use of corresponding DDIDs. For example: time keys ("TKs") may be used to correlate the time period of association between a DDID and a Data Subject, action, activity, process and/or trait--i.e., the time period of existence of a TDR; association keys ("AKs") may be used to reveal the association between two or more data elements and/or TDRs that may not otherwise be discernibly associated one with another due to the use of different DDIDs; replacement keys ("RKs") may be used if/when DDIDs are used in replacement of one or more data attributes within a TDR, in which case look-up tables may be referenced to determine the value of the one or more data attributes replaced by the said one or more DDIDs included within the TDR.”).  

As per claims 5 and 12, the combination of LaFever and Qureshi teach the method in accordance with claim 4 and the system in accordance with claim 11, respectively, wherein a one-way hash function is applied on the primary key to generate a hashed value to identify the first entity (LaFever, para. [0525] “a one-way hash function may be used to generate a DDID that obscures each raw value.” And para. [0180] “A dynamic de-identifier DDID is a temporally-bounded pseudonym which both refers to and obscures the value of (i) a primary key referencing a Data Subject, action, activity, process and/or trait, (ii) the value of an attribute of that Data Subject, action, activity, process and/or trait (e.g. a ZIP code), and/or (iii) the kind or type of data being associated with the Data Subject, action, activity, process and/or trait (e.g. the fact that some encoded value was a ZIP code)”).

As per claims 6 and 13, the combination of LaFever and Qureshi teach the method in accordance with claim 5 and the system in accordance with claim 12, respectively, wherein a consent validity of the first entity is tracked to determine the first entity's continued consent for use of data associated with the first entity in the first model (LaFever, para. [0177] “if allowed by the Trusted Party and with the data owner's consent, offers to modify or grant specific and limited permissions may be presented to, and accepted by, Data Subjects.” And para. [0178] “Dynamic Anonymity may also improve upon existing frameworks by using privacy/anonymity level determinations to prevent inappropriate use of data, which is obscured and only analyzed, whether from inside or outside a Circle of Trust, in a manner consistent with each Data Subject's specified privacy/anonymity levels.” And para. [0505] “prior to rendering the DDIDs, requiring use of multiple JITI keys to ensure the consent of multiple relevant parties”).

As per claims 7 and 14, the combination of LaFever and Qureshi teach the method in accordance with claim 1 and the system in accordance with claim 8, respectively, wherein the second data record has an identical distribution of values as the first data record (LaFever, para. [0471] “As an example of a possible categorical classification schema, the AMS score could be broken into Categories A, B and C. Where category A is data with a single or aggregated score of 75 or more may be used only with current, express and unambiguous consent of the Data Subject. Category B may represent a single or aggregated AMS score of 40 to 74.9 that would mean the data set could be used with (i) current or (ii) prior express consent of the Data Subject. A Category C could represent a single or aggregated AMS score of 39.9 or lower which could allow for use of the data set without requiring consent of the Data Subject.” And para. [0472] “In the example disclosed in FIG. 1J, each of the identifiers other than the Social Security Number discussed above (i.e., Credit Card Number, First Name, Last Name, Birthdate, Age and Sex) are similarly assigned a Non-Disassociated/Replaced AMS rating in the first column. In each of the next two subsequent columns (i.e., Level 1 and Level 2) their AMS scores are adjusted by successive 10% reductions, and in the last columns (i.e., Level 3) their AMS scores are adjusted by a 50% reduction, resulting in decreasing AMS scores as DDID-enabled obfuscation increases by means of permanent assignment (Level 1), ad hoc changeability (Level 2) and dynamic changeability (Level 3).”).  

As per claim 8, LaFever teaches a system for preserving use rights for data utilized by a computing model, the system comprising one or more processors configured to perform operations for constructing an improved computing model that preserves use rights for data utilized by the model, the method comprising: 
accessing a first dataset to build a computing model, the first data set being subject to terminable usage rights provisions (LaFever, para. [0017] “systems, methods and devices that create, access, use (e.g., collecting, processing, copying, analyzing, combining, modifying or disseminating, etc.), store and/or erase data with increased privacy, anonymity and security, thereby facilitating availability of more qualified and accurate information. And, when data is authorized to be shared with third parties, embodiments of the present invention may facilitate sharing information in a dynamically controlled manner that enables delivery of temporally-, geographically-, and/or purpose-limited information to the receiving party.”);
sampling the first dataset to generate a second dataset, the first dataset having a first set of data points and the second dataset having a second set of data points (LaFever, para. [0056] “the term "policy" may mean, without limitation, a way or ways to programmatically enforce mathematical, logical, sampling, or other functions against a data set (e.g., a data set of any number of dimensions) that is equal to or greater than enforcement mechanisms for enabling any Privacy-Enhancing Technology ("PET") including, but not limited to, public key encryption, k-anonymity, l-diversity, introduction of "noise," differential privacy, homomorphic encryption, digital rights management, identity management, suppression and/or generalization of certain data by row, by column, by any other dimension, by any combination of dimensions, by discrete cell, by any combination of discrete cells and by any combination of rows, columns, and discrete cells or any portion thereof.” And para. [0115] “FIG. 6 shows an example of a process (from a sample controlling entity and system perspective) to select attribute combinations, generate TDRs to abstract or anonymize the data, and then re-associate or de-anonymize the data”);
discretizing vectors present in both the first dataset and the second dataset (LaFever, para. [0057] “the term "Non-Attributing Data Element Value" (NADEV) may mean, without limitation, the value revealed when an A-DDID is re-identified or the value which would be revealed if a given A-DDID were to be re-identified. A NADEV may be produced by creating a derived or related version or subset of one or more elements of a data set to reflect the application of one or more PETs or other privacy and/or security enhancing methodologies to the data set to limit access to all of a data set, or at least to a selected portion of the data set.”);
in response to determining that the usage rights associated with the primary dataset have been terminated, computing a coverage depletion for the second dataset based on the terminated usage rights associated with the first dataset (LaFever, para. [0498] “FIG. 1M compares the impact of other approaches to data protection (security and privacy) on the preservation of data value versus the preservation (or expansion) of data value in the present invention, i.e., JITI, and on other inventions contained herein. Column 1 of FIG. 1M represents the effect of binary alternatives (e.g., encryption) wherein the top black sphere shows the value of original data (in unprotected form) and the dotted sphere represents the loss of data value when that data is in a protected form, rendering it unusable. Column 2 of FIG. 1M represents the reduction in data value due to removing data from the ecosystem in response to concerns over use of data for purposes other than the primary intended purpose ("Data Minimization") and from using traditional static approaches to obfuscating data in order to achieve de-identification, which reduce data value. Column 3 of FIG. 1M shows that 100% of data value is retained with JITI. Last, Column 4 of FIG. 1M represents the possibility of positive data fusion due to using JITI.”); and 
eliminating one or more data point from the second dataset due to the terminated usage rights associated with a first data record in the first dataset; replacing the one or more eliminated data point with a surrogate data point (LaFever, para. [0036] “"R-DDID" or "Replacement DDID": refers to a DDID that may be used to replace an identifying data element and de-reference (e.g., point) to the value of the data element.” And para. [0055] “the phrase "temporally unique" means that the time period of assignment of a DDID to a data subject, action, activity, process or trait is not endless. The initial assignment of a DDID to a data subject, action, activity, process or trait starts at a point in time, and information concerning the time of assignment is known and, in certain implementations of the present invention, may be used to identify relationships or connections between the DDID and said data subject, action, activity, process or trait. If the period of assignment of a DDID to a data subject, action, activity, process or trait ends at a discrete point in time, information concerning the time of termination (termination of usage rights) of assignment is known and, in certain implementations of the present invention, may be used to identify relationships or connections between the DDID and said data subject, action, activity, process or trait.” And para. [0059] “the method may also include re-associating the selected DDID with one or more other data attributes or attribute combinations following expiration of the association between the DDID and one or more initial data attributes.” And para. [0060] “the expiration of the DDID occurs at a predetermined time, or the expiration may occur following completion of a predetermined event, purpose or activity. In another example, the DDID may be authorized for use only during a given time period and/or at a predetermined location.”).
the first dataset stored as a set of key values in a database (LaFever, para. [0035] “"A-DDID" or "Association DDID": refers to a DDID that is used to replace an identifying data element and dereference (e.g., point) to the value of the data element, thus conveying a range/association with (or correlation between) the data element and its value, in order to impart informational value in a non-identifying manner, and optionally in accordance with specified grouping rules.” And para. [0046] “Due to the changeable, temporally unique, and re-assignable characteristics of DDIDs paired with data attributes or attribute combinations to create TDRs, recipients of TDRs may make use of information contained in TDRs specifically for intended purposes at intended times. relevant information revealed by means of AKs and/or RKs may change over time to support additional secondary uses of data.”)
the first data record having a first distribution of values and the second data record having a second distribution of values (LaFever, para. [0368] “the authentication module can be configured so that decisions as to who sees what information are determined by a controlling entity on a configurable basis. In one example, the configurable control may include automatic and/or manual decisions and updates made on a timely, case-by-case manner by providing each controlling entity with the ability to dynamically change the composition of information comprised of data attributes at any time. The enhanced customization achieved by dynamically changing the composition of data attributes leads to greater relevancy and accuracy of information offered pertaining to a data attribute and/or related party. As disclosed herein, use of DDIDs as a component of privacy, anonymity and security enables each recipient entity receiving information to receive different information as appropriate for each particular purpose, thereby fostering the distribution of fresh, timely and highly relevant and accurate information, as opposed to stale, time burdened, less accurate accretive data such as provided via conventional persistent or static identifiers or other mechanisms.”).
LaFever teaches all the limitations of claim 8 above; however, LaFever fails to explicitly teach, but Qureshi teaches:
determining an estimated mean time to coverage failure for the first dataset based on the depletion coverage computed for the second dataset (Qureshi, para. [0247] “the meta-application 150 can be configured to create gateway rules 404 based at least partly on the time(s) at which a mobile device 120 was "wiped" (e.g., deletion of some or all data stored on the device or removal of software application(s) from the device).” and para. [0407] “the user determination algorithm compares the time at which the request 2302 was received by the enterprise resource 130 to the time of receipt (by the secure mobile gateway 128) of mobile device access requests 402 having mobile traffic data matching that of the request 2302…if there were no requests 402 received by the gateway 128 within a predefined or dynamically computed time window from (before or after) the time of receipt of the request 2302 and which have the same sender IP address as the request 2302, then the analytics service 414 can compute a relatively low reliability score.” And para. [0409] “the user determination algorithm evaluates the extent to which different access requests 402 associated with a particular user 115 have different mobile traffic data…the analytics service 414 determines a total number of access requests 402 that (1) have user data corresponding to a particular user 115 of interest, (2) have mobile traffic data that does not match the mobile traffic data received within the user determination request 2304, and (3) were received by the secure mobile gateway 128 within a predetermined or dynamically computed time window containing the time of receipt in the user determination request 2304. The analytics service 414 can reduce the computed reliability score (in a confidence level that the request 2302 was from the particular user 115) as the total number of determined access requests 402 increases.” And para. [0426] “The secure document container 336 can serve as a temporary repository for documents and other files sent to the mobile device 120. Remote applications can be configured to send documents to the container 336 (e.g., via application tunnels) on a one-time or periodic basis… The sales-related documents can have document access policies such that the documents will "self-destruct" (e.g., be automatically deleted from the container 336--the deletion being performed by, e.g., the container 336 itself or the enterprise agent 320) at a certain time or at the expiration of a time period beginning at a defined event (e.g., the user's opening of a document). Document distribution policies (e.g., encoded rules) can be provided (e.g., within the mobile device management system 126) to control when and how remote applications (e.g., enterprise resources 130) send documents to the containers 336, to which users 115 the documents are sent, what restrictions (e.g., temporal or geographic restrictions) are placed on the use and availability of the documents (e.g., in the form of document access policies as described above), etc.”).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Qureshi’s enterprise data protection into LaFever’s systems and methods for enhancing data protection by anonosizing structured and unstructured data and incorporating machine learning and artificial intelligence in classical and quantum computing environments, with a motivation to detect and address security-related or productivity-related problems (Qureshi, para. [0022]).

As per claim 15, LaFever teaches a non-transitory machine-readable medium storing instructions that, when executed by the processor, cause the at least one programmable processor to perform (LaFever, para. [0041] “These system modules, and if desired other modules disclosed herein, may be implemented in program code executed by a processor in the privacy server computer, or in another computer in communication with the privacy server computer.”), operations to: 
extract, using data sampling, a portion of a first dataset to generate a second dataset, the first dataset having a first set of data points and the second dataset having a second set of data points (LaFever, para. [0056] “the term "policy" may mean, without limitation, a way or ways to programmatically enforce mathematical, logical, sampling, or other functions against a data set (e.g., a data set of any number of dimensions) that is equal to or greater than enforcement mechanisms for enabling any Privacy-Enhancing Technology ("PET") including, but not limited to, public key encryption, k-anonymity, l-diversity, introduction of "noise," differential privacy, homomorphic encryption, digital rights management, identity management, suppression and/or generalization of certain data by row, by column, by any other dimension, by any combination of dimensions, by discrete cell, by any combination of discrete cells and by any combination of rows, columns, and discrete cells or any portion thereof.” And para. [0115] “FIG. 6 shows an example of a process (from a sample controlling entity and system perspective) to select attribute combinations, generate TDRs to abstract or anonymize the data, and then re-associate or de-anonymize the data”);
discretize vectors present in both the first dataset and the second (LaFever, para. [0057] “the term "Non-Attributing Data Element Value" (NADEV) may mean, without limitation, the value revealed when an A-DDID is re-identified or the value which would be revealed if a given A-DDID were to be re-identified. A NADEV may be produced by creating a derived or related version or subset of one or more elements of a data set to reflect the application of one or more PETs or other privacy and/or security enhancing methodologies to the data set to limit access to all of a data set, or at least to a selected portion of the data set.”);
receive data representing the data right usage withdrawal from the first dataset (LaFever, para. [0070] “a device for conducting secure, private activity over a network. In one example, the device may include a processor configured to execute program modules, wherein the program modules include at least a privacy client; a memory connected to the processor; and a communication interface for receiving data over a network; wherein the privacy client is configured to receive temporally unique data representations (TDRs) including DDIDs and associated data attributes necessary for conducting the activity over the network from a privacy server.”);
determine a depletion of the second dataset according to the data right usage withdrawal (LaFever, para. [0040] “these modules may include an abstraction module of the privacy server configured to among other things: dynamically associate at least one attribute with at least one Data Subject, action, activity, process and/or trait; determine and modify required attributes relevant to or necessary for a given action, activity, process or trait; generate, store, and/or assign DDIDs to the at least one data attribute to form a TDR” and para. [0367] “For example, a picture taken at a public bar that includes the face of a Data Subject or related party registered with a system providing DRMD may be modified to block out or `de-tag` the face of the related party on all versions of the photo except those as explicitly authorized by the Data Subject or related party.”); and 
eliminate at least one data point from the second dataset due to the termination of usage rights associated with a first data record in the first dataset; replacing the at least one eliminated data point with a surrogate data point associated with a second data record in the first dataset (LaFever, para. [0035] “"A-DDID" or "Association DDID": refers to a DDID that is used to replace an identifying data element and dereference (e.g., point) to the value of the data element, thus conveying a range/association with (or correlation between) the data element and its value, in order to impart informational value in a non-identifying manner, and optionally in accordance with specified grouping rules.” And para. [0036] “"R-DDID" or "Replacement DDID": refers to a DDID that may be used to replace an identifying data element and de-reference (e.g., point) to the value of the data element.” And para. [0055] “the phrase "temporally unique" means that the time period of assignment of a DDID to a data subject, action, activity, process or trait is not endless. The initial assignment of a DDID to a data subject, action, activity, process or trait starts at a point in time, and information concerning the time of assignment is known and, in certain implementations of the present invention, may be used to identify relationships or connections between the DDID and said data subject, action, activity, process or trait. If the period of assignment of a DDID to a data subject, action, activity, process or trait ends at a discrete point in time, information concerning the time of termination (termination of usage rights) of assignment is known and, in certain implementations of the present invention, may be used to identify relationships or connections between the DDID and said data subject, action, activity, process or trait.” And para. [0059] “the method may also include re-associating the selected DDID with one or more other data attributes or attribute combinations following expiration of the association between the DDID and one or more initial data attributes.” And para. [0060] “the expiration of the DDID occurs at a predetermined time, or the expiration may occur following completion of a predetermined event, purpose or activity. In another example, the DDID may be authorized for use only during a given time period and/or at a predetermined location.”).
the first dataset stored as a set of key values in a database (LaFever, para. [0035] “"A-DDID" or "Association DDID": refers to a DDID that is used to replace an identifying data element and dereference (e.g., point) to the value of the data element, thus conveying a range/association with (or correlation between) the data element and its value, in order to impart informational value in a non-identifying manner, and optionally in accordance with specified grouping rules.” And para. [0046] “Due to the changeable, temporally unique, and re-assignable characteristics of DDIDs paired with data attributes or attribute combinations to create TDRs, recipients of TDRs may make use of information contained in TDRs specifically for intended purposes at intended times. relevant information revealed by means of AKs and/or RKs may change over time to support additional secondary uses of data.”)
the first data record having a first distribution of values and the second data record having a second distribution of values (LaFever, para. [0368] “the authentication module can be configured so that decisions as to who sees what information are determined by a controlling entity on a configurable basis. In one example, the configurable control may include automatic and/or manual decisions and updates made on a timely, case-by-case manner by providing each controlling entity with the ability to dynamically change the composition of information comprised of data attributes at any time. The enhanced customization achieved by dynamically changing the composition of data attributes leads to greater relevancy and accuracy of information offered pertaining to a data attribute and/or related party. As disclosed herein, use of DDIDs as a component of privacy, anonymity and security enables each recipient entity receiving information to receive different information as appropriate for each particular purpose, thereby fostering the distribution of fresh, timely and highly relevant and accurate information, as opposed to stale, time burdened, less accurate accretive data such as provided via conventional persistent or static identifiers or other mechanisms.”).
LaFever teaches all the limitations of claim 15 above; however, LaFever fails to explicitly teach, but Qureshi teaches:
compute an estimated mean time to coverage failure of a computing model based on the depletion of the second dataset according to the data right usage withdrawal (Qureshi, para. [0247] “the meta-application 150 can be configured to create gateway rules 404 based at least partly on the time(s) at which a mobile device 120 was "wiped" (e.g., deletion of some or all data stored on the device or removal of software application(s) from the device).” and para. [0407] “the user determination algorithm compares the time at which the request 2302 was received by the enterprise resource 130 to the time of receipt (by the secure mobile gateway 128) of mobile device access requests 402 having mobile traffic data matching that of the request 2302…if there were no requests 402 received by the gateway 128 within a predefined or dynamically computed time window from (before or after) the time of receipt of the request 2302 and which have the same sender IP address as the request 2302, then the analytics service 414 can compute a relatively low reliability score.” And para. [0409] “the user determination algorithm evaluates the extent to which different access requests 402 associated with a particular user 115 have different mobile traffic data…the analytics service 414 determines a total number of access requests 402 that (1) have user data corresponding to a particular user 115 of interest, (2) have mobile traffic data that does not match the mobile traffic data received within the user determination request 2304, and (3) were received by the secure mobile gateway 128 within a predetermined or dynamically computed time window containing the time of receipt in the user determination request 2304. The analytics service 414 can reduce the computed reliability score (in a confidence level that the request 2302 was from the particular user 115) as the total number of determined access requests 402 increases.” And para. [0426] “The secure document container 336 can serve as a temporary repository for documents and other files sent to the mobile device 120. Remote applications can be configured to send documents to the container 336 (e.g., via application tunnels) on a one-time or periodic basis… The sales-related documents can have document access policies such that the documents will "self-destruct" (e.g., be automatically deleted from the container 336--the deletion being performed by, e.g., the container 336 itself or the enterprise agent 320) at a certain time or at the expiration of a time period beginning at a defined event (e.g., the user's opening of a document). Document distribution policies (e.g., encoded rules) can be provided (e.g., within the mobile device management system 126) to control when and how remote applications (e.g., enterprise resources 130) send documents to the containers 336, to which users 115 the documents are sent, what restrictions (e.g., temporal or geographic restrictions) are placed on the use and availability of the documents (e.g., in the form of document access policies as described above), etc.”).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Qureshi’s enterprise data protection into LaFever’s systems and methods for enhancing data protection by anonosizing structured and unstructured data and incorporating machine learning and artificial intelligence in classical and quantum computing environments, with a motivation to detect and address security-related or productivity-related problems (Qureshi, para. [0022]).

As per claim 16, the combination of LaFever and Qureshi teaches the system in accordance with claim 15, wherein the operations further comprise computing an estimated mean time to coverage failure by measuring a mean and an expected model validity failure time based on the depletion of the second dataset according to the data right usage withdrawal (LaFever, para. [0540] “the value of the data, e.g., as measured by one or more of a number of factors, such as mean, joint mean, marginal mean, variance, correlation, accuracy, precision, and the like, may be maintained at maximum or optimal levels (i.e., as compared against the value of the original non-transformed data or the input data to a further transformation).”).

As per claim 17, the combination of LaFever and Qureshi teaches the system in accordance with claim 15, wherein, at least one key value having a primary key to uniquely identify a customer in the first dataset (LaFever, para. [0032] “Keys used by embodiments of the present invention may vary depending on the use of corresponding DDIDs.” And para. [0180] “A dynamic de-identifier DDID is a temporally-bounded pseudonym which both refers to and obscures the value of (i) a primary key referencing a Data Subject, action, activity, process and/or trait, (ii) the value of an attribute of that Data Subject, action, activity, process and/or trait (e.g. a ZIP code), and/or (iii) the kind or type of data being associated with the Data Subject, action, activity, process and/or trait (e.g. the fact that some encoded value was a ZIP code”).

As per claim 18, the combination of LaFever and Qureshi teaches the system in accordance with claim 17, wherein the operations further comprise generating a secondary key associated with the primary key, the secondary key corresponding to a transaction data point for the customer (LaFever, para. [0032] “Keys used by embodiments of the present invention may vary depending on the use of corresponding DDIDs. For example: time keys ("TKs") may be used to correlate the time period of association between a DDID and a Data Subject, action, activity, process and/or trait--i.e., the time period of existence of a TDR; association keys ("AKs") may be used to reveal the association between two or more data elements and/or TDRs that may not otherwise be discernibly associated one with another due to the use of different DDIDs; replacement keys ("RKs") may be used if/when DDIDs are used in replacement of one or more data attributes within a TDR, in which case look-up tables may be referenced to determine the value of the one or more data attributes replaced by the said one or more DDIDs included within the TDR.”).

As per claim 19, the combination of LaFever and Qureshi teaches the system in accordance with claim 17, further comprising applying a one-way hash function on the primary key to generate a hashed value to identify the customer (LaFever, para. [0525] “a one-way hash function may be used to generate a DDID that obscures each raw value.” And para. [0180] “A dynamic de-identifier DDID is a temporally-bounded pseudonym which both refers to and obscures the value of (i) a primary key referencing a Data Subject, action, activity, process and/or trait, (ii) the value of an attribute of that Data Subject, action, activity, process and/or trait (e.g. a ZIP code), and/or (iii) the kind or type of data being associated with the Data Subject, action, activity, process and/or trait (e.g. the fact that some encoded value was a ZIP code”).

As per claim 20, the combination of LaFever and Qureshi teaches the system in accordance with claim 19, wherein the operations further comprise tracking a consent validity of the customer representing the customer's continued consent validity for use in the original model (LaFever, para. [0177] “if allowed by the Trusted Party and with the data owner's consent, offers to modify or grant specific and limited permissions may be presented to, and accepted by, Data Subjects.” And para. [0178] “Dynamic Anonymity may also improve upon existing frameworks by using privacy/anonymity level determinations to prevent inappropriate use of data, which is obscured and only analyzed, whether from inside or outside a Circle of Trust, in a manner consistent with each Data Subject's specified privacy/anonymity levels.” And para. [0505] “prior to rendering the DDIDs, requiring use of multiple JITI keys to ensure the consent of multiple relevant parties”).

Conclusion
6.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 20140283031 A1 – Determining trust levels for computing components.
US 20030061482 A1 – Software security control system.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZOHA P TAFAGHODI whose telephone number is (571)272-5199.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ZOHA PIYADEHGHIBI TAFAGHODI/
Examiner, Art Unit 2437