DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim interpretation – Formal Matters
1.  A double patenting rejection is NOT put forth.
2.  The examiner interprets that the claims are statutory under the requirements and guidelines as set forth in 35 USC 112.  Written support is found and the claims particularly point out the inventive concept(s).
3.  The examiner interprets that the claims are statutory under the requirements and guidelines as set forth in 35 USC 101 (ie. directed to one of the four patent-eligible subject matter categories, no abstract idea, above judicial bar).
	NOTE that the CRM claim (#18) is statutory since it limits the design to 
only be a non-transitory CRM.
4.  The priority claim is perfected as based on the inclusion of the certified foreign patent application.
5.  The preliminary amendment dated 10/02/2020 is ENTERED.
6.  The examiner notes that a more favorable outcome may occur if the applicant amends as follows:
Independent claim  +  claim 3  +  claim 5  +  claim 6  +  claim 7  +  claim 8
	



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 8-9 and 16-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Perrufel et al. US 2016/0352751 and further in view of Want et al. US 2017/0168135.
As per claim 1, Perrufel et al. US 2016/0352751 teaches a method for determining an access right to a service hosted by a network node (Abstract, Figures, Summary Para’s #2 thru 45), the method comprises: 
receiving, by a network controller, a service request from a terminal device to access the service hosted by the network node (Fig. 4, #400 is a request to access the network which is sent to network controller #100), 
[0070] The terminal 106 sends out a first http request 400 of the GET type in order to download for example a page from an Internet server. The request is intercepted by the server 100 since a default gateway corresponding to the server 100 has been configured on the terminal when it connected to the network according to a conventional address allocation technique
generating, by a network controller, at least one token associated to the service request received from the terminal device, 
[From Para #70]:  When it receives the request 400, the server 100 generates a token for accessing the service according to the step 200 previously described
the at least one token being broadcast by at least one beacon device, 
[From Para #70]:  The token is transmitted to the device 104 for transmission by visible light using a control message 402. This message transits for example via the electrical supply system according to a PLC (Power-Line Communications) technology in order to reach the device 104. The device 104 broadcasts the token within a message 403 using light modulation according to a protocol for visible light transmission conforming for example to the Li-Fi standard. The token may be broadcast to all the terminals located within range of the light beam according to a broadcast technique or else transmitted to one particular terminal according to a conventional unicast addressing technique.
receiving, by the network controller, a message from a terminal device, the message comprising data interpretable as a token (See previous), data from which the at least one beacon device is identifiable (Para #29 teaches  that a beacon is identifiable since the terminal receives the token from the beacon/broadcast and sends it back (which authenticates that the token data was received by the beacon device, “.. the terminal adds the token obtained to it so as to prove to the server that it really is localized within range of a light beam having broadcast the token…” [From Para #70]:  This type of response is well known in the http protocol when accessing a protected resource and invites a terminal to show that it knows a user name and a password authorizing it to access a particular resource. Such a response comprises an identification request in the form of a header “WWW-Authenticate”. The terminal must then respond to this request for identification according to a method defined by the http protocol, such as for example the “Digest” method well known to those skilled in the art, which consists in applying a hash function of the MD5 or SHA type to certain data values present in the invitation from the server to which the terminal adds a secret data value, such as for example a user name and a password. According to one particular embodiment of the invention, the secret data value used for responding to the invitation from the server is included in the token transmitted by modulation of visible light and received by the terminal. Thus, only a terminal present in the light beam within which the token is transmitted can respond to the identification request. The terminal can then send out a new request for accessing the service 406 to which it adds a header “Authorization” constructed by means of the access token received in the message 403. When the identification is valid, in other words when the authentication data is validated according to the step 203, the server re-transmits the request 408 to the destination network and relays the response “200 OK” 409 from the remote service to the terminal by means of the message 410
determining, by the network controller (Para’s 70-71), an access right to the service by: 
determining at least on a basis the data interpretable as the token if the network controller has generated the token for the terminal device, (See Abstract, Figures, Summary and Para’s #70-71 which teach overall authentication of the user via the token generated by the server/network controller) and 
in response to a detection that the network controller has generated the token for the terminal device (See previous above): 
generating, in accordance with a result of a determination if the network controller has generated the token to the terminal device (Previous teaches the user requesting access and receiving a token and then sending back the token information which authenticates the user) 
an indication representing a right to access to the service (Abstract, Figures, Summary and Para’s #70-71 which teach overall authentication of the user via the token generated by the server/network controller to allow the user access to the service/network)
but is silent on
data from which a position of the terminal device is derivable, 
determining the position of the terminal device from data from which the at least one beacon device is identifiable and from the data from which the position of the terminal device is derivable, and 
and the position of the terminal device.
Perrufel does not teach anything relating to the position/location of the user device (other than perhaps the user location could be determined when the user is within an area of the broadcasted visible light).
At least Want et al. US 2017/0168135 teaches that a beacon can be sent that includes information about a) the beacon’s ID and b) the location/position of the beacon device.  This will allow the broadcast to include the beacon ID and its location for use by the user device during the authentication (ie. the user must be located in the general vicinity of the beacon device(s) as an authentication requirement, otherwise the user is denied access – See O’Toole et al. US 2016/0057626, pertinent but not cited, who teaches the user’s location being determined to effectively check them in at a specific place, hence user location is a required parameter for authentication):
 [0036] Each beacon device 102 can be configured to store information associated with that respective beacon device and/or another beacon device. For instance, each beacon device 102 can store beacon-specific information, such as an identification number associated with a beacon device, a name associated with a beacon device, environmental conditions (e.g., humidity, temperature, etc.) around a beacon device, and a location of a beacon device within the building.
It would have been obvious to one skilled in the art at the time of the invention's filing date, to modify Peruffel, such that data from which a position of the terminal device is derivable, determining the position of the terminal device from data from which the at least one beacon device is identifiable and from the data from which the position of the terminal device is derivable, and and the position of the terminal device, to provide the ability to include position of the User Device in the authentication process to ensure the user is proximate the network/system (for added security and prevents long-range hacking).

As per claims 8 and 16, the combo teaches claim 1/9, wherein the service is provided to the terminal device in response to a detection that the generated indication represents an allowance of a service provision (See Peruffel - Abstract, Figures, Summary and Para’s 70-71 cited previously all which teach the ultimate goal is to allow the user to be granted access to a network/internet/cloud, etc..  


As per claim 9, this claim is rejected in its entirety as based on the rejection of claim 1 (see above).  With further regard to “..A network controller comprising: at least one processor; at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the network controller to perform” the method steps outlined, see Peruffel’s Server #100 in Figures 1 and 4:
[0057] FIG. 1 also shows a terminal 106 adapted for accessing a network via a Wi-Fi connection. When it connects to the network, the terminal obtains an IP address in a conventional manner and the address of a default gateway to which the data generated by the terminal will be sent. The default gateway is configured in such a manner that the server 100 can intercept the messages sent via the Wi-Fi interface of the terminal 106.
[0070] The terminal 106 sends out a first http request 400 of the GET type in order to download for example a page from an Internet server. The request is intercepted by the server 100 since a default gateway corresponding to the server 100 has been configured on the terminal when it connected to the network according to a conventional address allocation technique. When it receives the request 400, the server 100 generates a token for accessing the service according to the step 200 previously described.


As per claim 17, this claim is rejected in its entirety as based on the rejection of claim 1 (see above).  With further regard to “..A communication system comprising: at least one network controller, and at least one beacon device, wherein the system the at least one network controller is arranged to..”  perform the steps outined in the claim, see Peruffel figures 1 and 4 which show the controller/server, beacon device, back-end network/cloud/internet, etc..


As per claim 18, this claim is rejected in its entirety as based on the rejection of claim 1 (see above).  With further regard to “..A non-transitory computer-readable medium on which is stored a computer program product for determining an access right to a service wherein the computer program product, when executed by at least one processor, cause a network controller to perform…”,   see Peruffel, figures 2-3 show the pseudo code that is stored in the server #100 (figure 1 or 4) and figures 5-6 which show the user device and server #100’s hardware (with Program/PGR and Memory to store the pseudo code) which performs the steps outlined.
[0051] FIG. 5 shows schematically an access control device* according to one particular embodiment, and
[0052] FIG. 6 shows a simplified view of an access device** according to one particular embodiment.
*Network device such as a base station/access point
**User device









Claims 2-5 and 10-13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Perrufel/Want and further in view of O’Toole et al. US 2016/0057626
As per claims 2 and 10, the combo teaches claim 1/9, the method further comprising a generation of a session, by the network controller, (Perrufel teaches the user being granted access to the service/devices/servers (Abstract) which in interpreted as a “session”)  
But is silent on 
	Comprising at least the generated token associated with an identifier of the terminal device.
	At least O’Toole et al. US 2016/0057626 teaches that the network may supply token information that includes at least a password (for use in a session):
	[0042] After check-in information is received from user device 110, administrative device 140 may determine if user device 110 is authorized to access a protected wireless network provided by network access device 134, as will be explained in more detail herein. If user device 110 is authorized to access the network, one or more of wireless beacon 132, network access device 134, and/or administrative device 140 may transmit a credential to user device 110 enabling user device 110 to access the protected wireless network provided by network access device 134. As previously discussed, the credential may be encrypted, hidden, or otherwise obfuscated so that user 102 is unaware of the credential but they still allow access to the network. The credential may comprise a security key or password enabling access to the network. Moreover, the token or information containing the credential passed to user device 110 may be set up to be wiped, removed, or revoked as soon as user device 110 disconnects from wireless beacon 132 and/or the network provided by network access device 134. For example, if user 102 moves sufficiently far away from wireless beacon 134 to disconnect from wireless beacon 134, the credential may be removed from user device 110 by check-in application 120 of user device 110 and/or administrative device 140 over network 160. In other embodiments, when user device 110 disconnects from the network provided by network access device 134 (e.g., actively disconnects based on user 102's input and/or leaves location 130 or a sub-area of location 130 for the network), the credential may be similarly removed from user device 110.
It would have been obvious to one skilled in the art at the time of the invention's filing date, to modify the combo, such that it comprising at least the generated token associated with an identifier of the terminal device, to provide a token that is unique to each user device (which can prevent spoofing/hacking).

	
As per claims 3 and 11, the combo teaches claim 2/10, wherein a determination if the network controller has generated the received token for the terminal device is performed by querying from a data storage if it stores a session comprising the received token (Peruffel teaches generation of the token and storing the token in a table.  Since Peruffel teaches that the token can expire (or be generated periodically), one can see that, by inspection of the database, the controller will be able to determine if a session has been granted (ie. since a valid token has been generated and has not expired), which reads on the claim):
[0060] During a first step 200, the server generates a token for accessing a service. The token may correspond to conventional authentication data such as a user name/password pair, an http cookie, or again for example a security key. This authentication data may be constituted from data pre-configured in a database or a configuration file to which a hash function of the MD5 type is for example applied. According to one particular embodiment, the authentication data is a number or a series of arbitrary nature generated randomly and stored in a memory of the server. The token may be stored in a table of the server in association with the date and the time of the generation and/or an identifier of a terminal for which it has been generated. According to one particular embodiment, access rights to at least one service are associated with the access token. According to one particular embodiment, a new access token is generated periodically in order that a terminal is not able to store and to use a token at a later date while it is no longer in range of the light beam.


As per claims 4 and 12, the combo teaches claim 1/9, but is silent on wherein a validity of the generated token is limited in time.  
The examiner notes that one-time passwords are well known and provide a credential/token to a user that can be used for a limited time.  At least O’Toole teaches a time-limited token:
[0016] The administrative device may push the credential to access the protected wireless network to the user device once an access right and/or access level for the network is determined for the user. The credential may be pushed as encrypted and/or time sensitive data, which may be later removed and/or revoked from the user device. The credential may be removed after a time period expires or after a certain time occurs, such as a closing of a store or business. Additionally, the credential may be removed if the user disconnects from one or more of the wireless beacon and the protected wireless network provided by the network access device.
It would have been obvious to one skilled in the art at the time of the invention's filing date, to modify the combo, such that wherein a validity of the generated token is limited in time, to provide a time limit on each token to close off the possibility of an old token being used by a non-authenticated user/hacker.


As per claims 5 and 13, the combo teaches claim 4/12, wherein a verification of the validity of the token in time is performed in a determination of the access right to the service (O’Toole, Para #16 above, teaches that the token can be limited in time OR even according to a timeline, such as when a store is open (or closed), which reads on the limitation that the verification of the validity of the token is time-based for the user to access the network).  





Claims 6-7 and 14-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Perrufel/Want and further in view of Pandharipande et al. US 2016/0327629
As per claims 6 and 14, the combo teaches claim 1/9, but is silent on wherein the position of the terminal device is derived from a measurement data transmitted by the terminal device to the network controller in the message.  
At least Pandharipande et al. US 2016/0327629 teaches that signal strength measurements can be taken by the UE and sent to the network so that it’s location can be determined:
[0002] In an indoor positioning system, the location of a wireless device such as a mobile user terminal can be determined with respect to a location network comprising multiple anchor radios. These anchors are wireless nodes whose locations are known a priori, typically being recorded in a location database which can be queried to look up the location of a node. The anchor nodes thus act as reference nodes for location. Measurements are taken of the signals transmitted between the mobile device and a plurality of anchor nodes, for instance the RSSI (receiver signal strength indicator) and/or ToA (time of arrival) of the respective signal. Given such a measurement from three or more nodes, the location of the mobile terminal may then be determined relative to the location network using techniques such as trilateration or multilateration. Given the relative location of the mobile terminal and the known locations of the anchor nodes, this in turn allows the location of the mobile device to be determined in more absolute terms, e.g. relative to the globe or a map or floorplan.
	NOTE that he teaches the User Device can make measurements OR that then network base stations can make measurements (of the user’s signal) in order to determine the user’s location (Para #34-35).    Furthermore, the examiner notes that it is well known and inherent for either the mobile to determine its location OR for the mobile to send the data to the network so that the network can perform the calculations (See figure 2 and Para #35 below):
[0035] If such a signal measurement is available from each of a plurality of the anchor nodes 6, it is possible to determine the location of the mobile device 8 relative to the location network 10 using a technique such as trilateration, multilateration or triangulation. By combining this relative location with a known location of the anchor nodes 6 used in the calculation, it is then possible to determine the “absolute” location of the mobile device 8. The absolute location may for example refer to a geographic location in terms of the location on a globe or a map, or may refer to a location on a floorplan of a building or complex, or any real-world frame of reference having a wider meaning than simply knowing the location relative to the location network 4 alone. In a device centric approach the mobile device looks up the locations of the relevant nodes 6 by querying the location server 14 (e.g. via the wireless access point 12), or alternatively may receive the respective location along with the signal from each node 6. The mobile device 8 then performs the calculation to determine the absolute location at the device 8 itself In a network centric approach on the other hand, the nodes 6 submit the signal measurements they took to the location server 14 (e.g. via the wireless access point 12), and the location server 14 performs the calculation of the absolute location at the server 14. In an example of an assisted or hybrid approach, the mobile device 8 may take the measurements of signals from the nodes 6 but submit them in a raw or partially processed form for the calculation to be performed or completed there.
It would have been obvious to one skilled in the art at the time of the invention's filing date, to modify the combo, such that wherein the position of the terminal device is derived from a measurement data transmitted by the terminal device to the network controller in the message, to provide the ability to determine position from signal strength measurements which can be used by the user device (or network) to calculate the user’s position (for added security).


As per claims 7 and 15, the combo teaches claim 6/9, wherein the measurement data comprises at least one measurement value representing at least one parameter of a signal broadcast by the at least one beacon device experienced by the terminal device (See Pandharipande et al. Para’s #34-#35 previous, who teaches taking signal strength measurements, which reads on a parameter of the beacon device’s signal experienced by the user device).  


Allowable Subject Matter
The examiner notes that a more favorable outcome may occur if the applicant amends as follows:
Independent claim  +  claim 3  +  claim 5  +  claim 6  +  claim 7  +  claim 8

This claim would recite a highly detailed technical design not found in at least the prior art of record, either alone or in combination.



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is found in the PTO 892 form.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN M. D'AGOSTA whose telephone number is (571)272-7862. The examiner can normally be reached 8am to 4pm (IFW).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Edan (Dan) Orgad can be reached on 571-272-7884. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/STEPHEN M D AGOSTA/Primary Examiner, Art Unit 2414