Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .



DETAILED ACTION

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 04/08/2022 has been entered.
Claims 1-2, 4-12 and 14-22 are under examination. Claims 3 and 13 have been canceled.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4, 7-8, 10-11, 14, 17-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Canning et al. (US 2014/0157351 A1), Dotan-Cohen et al. (US 2019/0171845 A1) and Altman et al. (US 2013/0217332 A1).
Regarding claim 1, Canning et al. discloses A server [par. 0038, “a policy enforcement point (PEP) 406… and the PEP is implemented as a TSPM plug-in to application server, such as IBM WebSphere.RTM. Application Server”] comprising: a communications module; a processor coupled to the communications module; and a memory coupled to the processor, the memory storing processor-executable instructions which, when executed, configure the processor to: receive, via the communications module and from a monitoring application installed on a remote computing device, on-device application data [par. 0046, “The security policy enforcement agent 504 is a software program (e.g., Java-based code) that executes in a user mobile device 510 operating environment”, par. 0049, “the security policy enforcement agent 504 is responsible for notifying the user that one or more additional security constraint(s) are (or may then be) required”, par. 0052, “the authorization server 502 may contact the security policy enforcement agent 504 on the device 510 to make sure that the security policy associated with the authorization scope bound to the authorization token and current application being used is still enforced”, par. 0055, “The approach described above allows the user to modify the risk profile of the device easily but ensures that the actual risk profile that is evaluated (by the PEP) is fine-grained in that it takes in consideration the applications installed on the device, the services they are accessing, and the operations the user has granted authorization to perform”]; generate a risk profile for a user based at least on the on-device application data [par. 0044, “a technique to enforce mobile device security policy is based on a "risk profile" of the individual device, where the risk profile is fine-grained and based on the types of applications installed on the device, the services they are accessing, and the operation(s) the user granted the device authorization to perform. Thus, the approach takes into account the actual mobile application(s) installed on the device (and those actively in use), the service(s) (typically one or more back-end applications supported in or in association with the enterprise) those mobile applications are accessing, and the scope of operations the user has granted the device authorization to perform. By combining this information to create the risk profile, a suitable security policy, including one that does not unnecessarily degrade device usability, may then be applied”]; 
Canning et al. does not explicitly disclose configure a data sharing configuration option for sharing data associated with the user based on the risk profile for the user; and share the data based on the data sharing configuration option.
However Dotan-Cohen et al. teaches receive, via the communications module and from a monitoring application installed on a remote computing device, on-device application data [par. 0058, “user-data collection component 210 determines static user information and/or dynamic user information by monitoring user data and/or bot data for information that may be used for determining user activity information”]; configure a data sharing configuration option for sharing data associated with the user based on the risk profile for the user; and share the data based on the data sharing configuration option [par. 0004, “Aspects of the present disclosure provide for sharing user information with and between bots in a manner that allows the bots to complete automated tasks on behalf of users in a secure and efficient manner In various embodiments, interfaces are managed over which user information is provided to the bots to facilitate the bots performing automated tasks. The user information is shared using trust levels associated with the bots. This can include using a trust level to determine whether to engage with a bot for performance of an automated task and/or whether to share the user information with the bot. The trust level can also be used to determine the content of user information in order to determine what is shared with the bot”, fig. 3, official notice: it is well known in the art such that risk profile is correspond to the trust level, see par. 0080 of Malliah (US 2020/0106780)].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Dotan-Cohen et al. into the teaching of Canning et al. with the motivation for sharing user information with and between bots in a manner that allows the bots to complete automated tasks on behalf of users in a secure and efficient manner as taught by Dotan-Cohen et al. [Dotan-Cohen et al.: par. 0014].
They do not explicitly disclose sharing from the data with the third-party application resident on the remote computing device.
However, Altman et al. teaches sharing the data from the server with the third-party application resident on the computing device [par. 0339, “the central server may determine whether the user set permissions values that permit information to be shared with registered services, such as third-party merchants or third-party apps executing on the user's mobile device”, fig. 22].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Altman et al. into the teaching of Canning et al. and Dotan-Cohen et al. with the motivation such that permission may have several values that indicate various privacy levels or authorizations regarding the disclosure of user identification information to third-parties as taught by Altman et al. [Altman et al.: par. 0322].
Regarding claim 4, the rejection of claim 1 is incorporated.
Canning et al. further discloses the on-device application data includes at least one of a list of applications installed on the remote computing device and levels of permission granted to the installed applications [par. 0044, “where the risk profile is fine-grained and based on the types of applications installed on the device, the services they are accessing, and the operation(s) the user granted the device authorization to perform. Thus, the approach takes into account the actual mobile application(s) installed on the device (and those actively in use), the service(s) (typically one or more back-end applications supported in or in association with the enterprise) those mobile applications are accessing, and the scope of operations the user has granted the device authorization to perform”].
Regarding claim 7, the rejection of claim 1 is incorporated.
Dotan-Cohen et al. further discloses the data sharing configuration option specifies one or more types of data to be shared [par. 0108, “method 300 includes determining user information to provide to the bot. For example, service information determiner 228 can determine user information of the user to provide to bot 232 for the performing of the automated task. Content of the user information is based on the bots associated trust level (e.g., trust level 264) and service parameters (e.g., determined from service requirements 260, service options 262, service types 266, and/or shared information 268) for completing the automated task”, par. 0109, “the information can be provided via a chat user interface of bot 232, non-conversational interface, a non-user interface, and the like. Further, the information can be provided in a conversational form, a non-conversational form, or a tokenized form, as examples”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Dotan-Cohen et al. into the teaching of Canning et al. with the motivation for sharing user information with and between bots in a manner that allows the bots to complete automated tasks on behalf of users in a secure and efficient manner as taught by Dotan-Cohen et al. [Dotan-Cohen et al.: par. 0014].
Regarding claim 8, the rejection of claim 1 is incorporated.
Dotan-Cohen et al. further discloses wherein configuring the data sharing configuration option for sharing data associated with the user based on the risk profile for the user [par. 0017, “the bot interface manager manages interfaces over which user information is provided with bots to facilitate the bots performing automated tasks. The user information can be shared using trust levels associated with the bots”] comprises: sending, via the communications module and to the remote computing device, a recommended data sharing configuration option; receiving, via the communications module and from the remote computing device, confirmation of the recommended data sharing configuration option; and configuring the recommended data sharing configuration option [par. 0089, “bot interface manager 220 could monitor communications from bot 232 and/or the user in the user interface of bot 232 to determine whether to provide at least some user information to bot 232”, par. 0090, “This could include bot interface manager 220 determining bot 232 has requested information from the user (e.g., based on identifying a question, prompt, and/or information request in the user interface). Optionally based on detecting the prompt for information, bot interface manager 220 could present a prompt/option to the user to allow the user to selectably permit or deny bot interface manager 220 from providing the information to bot 232”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Dotan-Cohen et al. into the teaching of Canning et al. with the motivation for sharing user information with and between bots in a manner that allows the bots to complete automated tasks on behalf of users in a secure and efficient manner as taught by Dotan-Cohen et al. [Dotan-Cohen et al.: par. 0014].
Regarding claim 10, the rejection of claim 1 is incorporated.
Dotan-Cohen et al. further discloses the data is from a data record associated with the user [par. 0108, “Shared information 268 generally refers to a record or log of information (e.g., user information) that was shared with the bot... In various implementations, shared information can comprise static user information and/or dynamic user information, such as static user information 244 and dynamic user information 246”, pars 0052-0056].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Dotan-Cohen et al. into the teaching of Canning et al. with the motivation for sharing user information with and between bots in a manner that allows the bots to complete automated tasks on behalf of users in a secure and efficient manner as taught by Dotan-Cohen et al. [Dotan-Cohen et al.: par. 0014].
Regarding claim 11, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 14, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 17, it recites limitations similar to claim 7. The reason for the rejection of claim 7 is incorporated herein.
Regarding claim 18, it recites limitations similar to claim 8. The reason for the rejection of claim 8 is incorporated herein.
Regarding claim 20, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.

Claims 2, 12 and 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over Canning et al. (US 2014/0157351 A1), Dotan-Cohen et al. (US 2019/0171845 A1) and Altman et al. (US 2013/0217332 A1) as applied to claims 1, 4, 7-8, 10-11, 14, 17-18 and 20 above, and further in view of Balestrieri et al. (US 2011/0185231 A1).
Regarding claim 2, the rejection of claim 1 is incorporated.
Canning et al. discloses generating the risk profile comprises obtaining at least a plurality of applications in the list of applications and generating the risk profile from the list.
Altman et al. discloses sharing the data with a third-party application resident on the remote computing device.
They do not explicitly disclose the third-party application is not represented by the on-device application data.
However Balestrieri et al. teaches the third-party application is not represented by the on-device application data [par. 0028, “the testing tools typically generate testing data relating to risk posed by installation of the user-selected software applications on the user devices. In some embodiments, the instrumented version 60 of the user-selected software application 46 is generated by a residual testing tool that incorporates additional code to the core functionality of the user-selected software application 46” (use can select application for the risk profile)].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Balestrieri et al. into the teaching of Canning et al., Dotan-Cohen et al. and Altman et al. with the motivation for a testing tools to collect information about the behavior of the user-selected software application and generate testing data relating to risk posed by installation of the user-selected software applications on the user devices as taught by Balestrieri et al. [Balestrieri et al.: par. 0028].
Regarding claim 12, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 21, the rejection of claim 1 is incorporated.
Canning et al. discloses generating the risk profile comprises obtaining at least a plurality of applications in the list of applications and generating the risk profile from the list.
Altman et al. discloses sharing the data with a third-party application resident on the remote computing device.
They do not explicitly disclose the third-party application is represented by the on- device application data and is ignored or excluded when generating the risk profile for the user.
However Balestrieri et al. teaches the third-party application is represented by the on- device application data and is ignored or excluded when generating the risk profile for the user [par. 0028, “the testing tools typically generate testing data relating to risk posed by installation of the user-selected software applications on the user devices. In some embodiments, the instrumented version 60 of the user-selected software application 46 is generated by a residual testing tool that incorporates additional code to the core functionality of the user-selected software application 46” (use can select application for the risk profile)].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Balestrieri et al. into the teaching of Canning et al., Dotan-Cohen et al. and Altman et al. with the motivation for a testing tools to collect information about the behavior of the user-selected software application and generate testing data relating to risk posed by installation of the user-selected software applications on the user devices as taught by Balestrieri et al. [Balestrieri et al.: par. 0028].
Regarding claim 22, it recites limitations similar to claim 21. The reason for the rejection of claim 21 is incorporated herein.

Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Canning et al. (US 2014/0157351 A1), Dotan-Cohen et al. (US 2019/0171845 A1) and Altman et al. (US 2013/0217332 A1) as applied to claims 1, 4, 7-8, 10-11, 14, 17-18 and 20 above, and further in view of Draper et al. (US 2009/0276257 A1).
Regarding claim 5, the rejection of claim 1 is incorporated.
Canning et al. discloses generating the risk profile comprises obtaining at least a plurality of applications in the list of applications and generating the risk profile from the list.
They do not explicitly disclose generating the risk profile comprises obtaining a score for at least a plurality of applications in the list of applications and generating the risk profile from the scores.
However Draper et al. teaches generating the risk profile comprises obtaining a score for at least a plurality of applications in the list of applications and generating the risk profile from the scores [par. 0092, “where the risk scores for each individual application may be aggregated to determine the overall risk score for the enterprise as a whole”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Draper et al. into the teaching of Canning et al., Dotan-Cohen et al. and Altman et al. with the motivation allows the organization to manage risk and compliance processes as taught by Draper et al. [Draper et al.: abs.].
Regarding claim 15, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.

Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Canning et al. (US 2014/0157351 A1), Dotan-Cohen et al. (US 2019/0171845 A1) and Altman et al. (US 2013/0217332 A1) as applied to claims 1, 4, 7-8, 10-11, 14, 17-18 and 20 above, and further in view of Hecht (US 2021/0234875 A1).
Regarding claim 6, the rejection of claim 1 is incorporated.
Canning et al. discloses generating the risk profile comprises obtaining at least a plurality of applications in the list of applications and generating the risk profile from the list.
They do not explicitly disclose generating the risk profile comprises obtaining a score for at least a plurality of the levels of permission and generating the risk profile from the scores.
However Hecht teaches generating the risk profile comprises obtaining a score for at least a plurality of the levels of permission and generating the risk profile from the scores [par. 0071, “As an example, certain categories of permissions (e.g., "read") may be accorded relatively low risk scores, while other permissions (e.g., "create" or "delete") may be accorded higher risk scores”, par.0072, “Based on the risk scores for each service and permission, a composite or overall risk score (e.g., "9") may be generated”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Hecht into the teaching of Canning et al., Dotan-Cohen et al. and Altman et al. with the motivation of identifying, at the centralized script execution resource and according to the multidimensional analysis, an overall security risk indication as taught by Hecht [Hecht: par. 0031].
Regarding claim 16, it recites limitations similar to claim 6. The reason for the rejection of claim 6 is incorporated herein.
 
Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Canning et al. (US 2014/0157351 A1), Dotan-Cohen et al. (US 2019/0171845 A1) and Altman et al. (US 2013/0217332 A1) as applied to claims 1, 4, 7-8, 10-11, 14, 17-18 and 20 above, and further in view of Sartor (US 10,498,769 B2).
Regarding claim 9, the rejection of claim 1 is incorporated.
Dotan-Cohen et al. discloses configuring the data sharing configuration option for sharing data associated with the user based on the risk profile for the user.
They do not explicitly disclose configuring a default data sharing configuration option; comparing a risk level of the default data sharing configuration option with the risk profile of the user; and when the risk level of the default data sharing configuration option exceeds the risk profile of the user, sending, via the communications module and to the remote computing device, an indication to the user indicating that the default data sharing configuration option exceeds the risk profile.
However Sartor teaches configuring a default data sharing configuration option; comparing a risk level of the default data sharing configuration option with the risk profile of the user; and when the risk level of the default data sharing configuration option exceeds the risk profile of the user, sending, via the communications module and to the remote computing device, an indication to the user indicating that the default data sharing configuration option exceeds the risk profile [abs, “the interactions comprising use of computing device functionality or personal information; for each difference previously associated with a particular level of privacy risk, retrieving the particular level from a database; for each difference not previously associated with the particular level: generating a respective level of privacy risk associated with particular interactions of the application or website corresponding to the difference; associating the respective level to the difference; and storing in the database the difference and the respective level associated with the difference; generating a current privacy risk score based on each of the particular levels and on each of the respective levels associated with the one or more differences; determining if there was a privacy risk change; and if so, notifying the user”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Sartor into the teaching of Canning et al., Dotan-Cohen et al. and Altman et al. with the motivation such that application activity can be monitored and compared against an associated policy to determine compliance and take default actions, such as obfuscating personal information transmitted by an application. Additionally, policies associated with applications can be monitored to identify changes and users can be alerted of policy changes that may affect the privacy rating of an application as taught by Sartor [Sartor: col. 3, lines 8-15].
 Regarding claim 19, it recites limitations similar to claim 9. The reason for the rejection of claim 9 is incorporated herein.




Response to Arguments

Applicant’s arguments, filed on 04/08/2022, with respect to rejection under 35 USC § 103 have been fully considered but the arguments are directed towards the newly added limitations. New reference Bostick et al. has been provided to address those limitations, and the rejection is incorporated herein.


Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 20140082738 A1		DYNAMIC RISK MANAGEMENT
US 20130227683 A1		QUANTIFYING THE RISKS OF APPLICATIONS FOR MOBILE DEVICES
US 20130340086 A1		METHOD AND APPARATUS FOR PROVIDING CONTEXTUAL DATA PRIVACY
US 20200287793 A1		DEVELOPING SECURITY POLICIES FOR DEPLOYMENT TO MOBILE DEVICES
US 10572680 B2		Automated personalized out-of-the-box and ongoing in-application settings
US 8925092 B1		Risk assessment for software applications
US 20130276124 A1		SYSTEMS, METHODS, APPARATUSES AND COMPUTER PROGRAM PRODUCTS FOR PROVIDING MOBILE DEVICE PROTECTION
US 20150269391 A1		PRIVACY UTILITY TRADE OFF TOOL
US 20210258321 A1		Dynamic User Access Control Management
US 20130111592 A1		MOBILE APPLICATION SECURITY AND MANAGEMENT SERVICE

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393.  The examiner can normally be reached on 9AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/JASON CHIANG/Primary Examiner, Art Unit 2431