Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The present Office Action is responsive to communication received 6/2/2022. Claims 1-22 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 6/2/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments
Applicant’s arguments received on 6/2/2022 are respectfully considered as follows:
Regarding claim 13, the amendments to the claim overcome the 101 rejection. The rejection is withdrawn.
Regarding the prior art rejection:
1) Applicant argues Murdoch does not teach substantially: "running the program on the first set of data includes running the program in an environment within the respective computing system". Applicant argues that "Murdoch's application 620 is not executed on any system that is co-resident with the data used by the program, and therefore fails to describe the features of amended claim 1."
The examiner respectfully disagrees. The environment is interpreted as the data and context of the computing system. Murdoch teaches that the environment of the computing device is defined within the computing device and includes the scope of permissions, the data allowed to be accessed, the frequency of access, etc. ([0119]-[0121]); that environment sets the conditions to be satisfied in order for the program to run, and the contents of the environment cannot be accessed from outside the environment or context. Therefore, Murdoch teaches "running the program on the first set of data includes running the program in an environment within the respective computing system". Note that Murdoch discloses that the application's permissions to access the data include read, write, make a copy, etc. ([0119][0139]); read and copy permissions may be executed in the computing system (the hub service).

2) Applicant argues Pappachan fails to suggest "running the program in an environment within the respective computing system, wherein contents of the environment cannot be accessed from outside of the environment", as recited by amended claim 1.
The examiner agrees; those limitations are taught or suggested by Murdoch, as presented in the Office Action.

Objection (Informality)
Claims 1-22 recite "the first set of data is stored in associated with a first data access policy", instead of "the first set of data is stored in association with a first data access policy". Correction is kindly requested.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 5, 12-13, 15, 17, 19 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over US 20200344237 to Murdoch et al., hereinafter Murdoch.

Regarding claim 1, Murdoch discloses 
A method comprising: at a respective computing system: storing a first set of data, wherein the first set of data is stored in associated with a first data access policy that defines access restrictions for the first set of data (Fig. 6, 660, 670, associated with policies 668, 669; [0116][0117]); receiving, from outside of the respective computing system, a request to run a program on the first set of data ([0108][0131], Fig. 7, 701: an entity requests access to Alice's data in the hub service for use as input to an application; Alice's data includes different types of personal data stored in the hub service, [0105], Fig. 6, 660), wherein the program includes instructions that define one or more operations to be performed on the first set of data ([0103]; example operations: generating an insurance quote on Alice's data [0111], reading or copying part of the data [0119][0139]; although Murdoch does not explicitly teach that the application includes instructions that define the operations, an application is a program, i.e. a set of code or instructions, that performs some actions); in response to receiving the request, determining whether the request to run the program on the first set of data satisfies the access restrictions defined by the first data access policy (Fig. 7, 702, [0133]: determine the scope of permission); and in response to determining whether the request to run the program satisfies the access restrictions: in accordance with a determination that the request to run the program satisfies the access restrictions, running the program, including performing the one or more operations, on the first set of data in accordance with the first data access policy (Fig. 7, 704: grant permission to the application), wherein running the program on the first set of data includes running the program in an environment within the respective computing system, wherein contents of the environment cannot be accessed from outside of the environment ([0120]: the environment includes the allowed days/times to run the application on Alice's data and prohibits execution outside those days/times); and in accordance with a determination that the request to run the program does not satisfy the access restrictions, forgoing running the program on the first set of data ([0118]: deny the request to run the application if the requesting entity is on a blacklist of entities unauthorized to access the personal data).

Regarding claim 2, Murdoch discloses the method of claim 1, wherein the access restrictions define one or more of an entity that is able to access the first set of data, a manner of use for the first set of data, or security requirements for accessing the first set of data ([0118]: restrictions include blacklisted entities unable to access the data).  

Regarding claim 5, Murdoch discloses the method of claim 1, wherein: the first set of data is encrypted with encryption information, and running the program on the first set of data comprises decrypting the first set of data ([0078]: a party that wants to use the data must decrypt it with the owner's public key; the data is used as input to an application (Fig. 7, 701)); and forgoing running the program on the first set of data comprises forgoing decrypting the first set of data ([0111][0118]: the entity is denied access to the data and therefore cannot use it as input to the application; when the data is encrypted ([0078]), denying access to the data prevents the data from being decrypted).

Regarding claim 12, Murdoch discloses the method of claim 1, wherein the first set of data is data associated with a person, and the first data access policy is defined by the person ([0117][0118]: permissions defined by the owner).

Regarding claims 13 and 17, the claims recite substantially the same content as claim 1 and are rejected using the rationales for rejecting claim 1.
Regarding claims 15 and 19, the claims recite substantially the same content as claim 5 and are rejected using the rationales for rejecting claim 5.
Regarding claim 22, Murdoch discloses the method of claim 1, wherein running the program in the environment comprises: generating a second set of data as an output of the program, wherein the second set of data is based only on the first set of data stored at the respective computing system when the request to run the program is received ([0143]: generate a result, the result being the output of the application using the user data that was stored in the hub service ([0105], Fig. 6, 660)).


Claims 3, 14 and 18 are rejected under 35 USC 103 as being unpatentable over Murdoch, in further view of US 8837718 to Lauter et al., hereinafter Lauter.

Regarding claim 3, Murdoch discloses the method of claim 1; Murdoch discloses wherein the first set of data is encrypted in a first manner and stored with the first data access policy in a first data capsule ([0078]: encrypt a subset of the data, stored with the permission (see Fig. 6, 650), and require parties to have a specific key to decrypt the data); Murdoch teaches a second set of data stored with a second data access policy in a second data capsule ([0096], Fig. 6, 670), and the second data access policy defines access restrictions for the second set of data, different from the access restrictions for the first set of data ([0102]: the data owner specifies the scope of permission to be used; therefore it would have been obvious to have different access restrictions for different users because different users generally have different conditions for their data to be accessed). Murdoch does not teach that a second set of data is encrypted in a second manner.
In an analogous art, Lauter discloses partitioning data based on sensitivity (col. 5:50-60); different encryption keys can be used to encrypt/decrypt a first and a second set of data organized in a hierarchical setting (col. 6:14-25). It would have been obvious to a skilled artisan before the present application was filed to encrypt the sets of data using different keys because it would facilitate "user-controlled encrypted data storage with diverse accessibility and hosting of that encrypted data" (Lauter, col. 1:55-60).
Regarding claims 14 and 18, the claims recite substantially the same content as claim 3 and are rejected using the rationales for rejecting claim 3.


Claim 4 is rejected under 35 USC 103 as being unpatentable over Murdoch and Lauter, in further view of US 20150222606 to Yan, hereinafter Yan.
Regarding claim 4, Murdoch in view of Lauter discloses the method of claim 3, but does not teach: wherein the first data access policy is encrypted in the first manner, and the second data access policy is encrypted in the second manner.
In an analogous art, Yan discloses a data center storing a plurality of data records from different user devices (Fig. 1); data stored by each user in the data center is encrypted according to an attribute-based encryption (ABE) scheme based on the trust level of potential recipients ([0031]). The encryption algorithm uses a public encryption key, the data, the access policy, a public key based on trust level, and a key based on validity period, etc., to encrypt the data ([0051]). Therefore Yan discloses that the first data access policy is encrypted in the first manner and the second data access policy is encrypted in the second manner ([0051]: access policy and data encrypted with inputs including the trust-based public key and the time-based key, and access policy encrypted without the time-based key). It would have been obvious to a skilled artisan before the present application was filed to encrypt the different access policies taught by Murdoch/Lauter with different encryption schemes/keys as taught by Yan because it would allow personalizing the encrypting/decrypting of data based on potential recipients' attributes (Yan [0005]), increasing flexibility in the access control management of the data.

Claims 6, 16 and 20 are rejected under 35 USC 103 as being unpatentable over Murdoch, in further view of US 20140359305 to Pappachan et al., hereinafter Pappachan.
Regarding claim 6, Murdoch discloses the method of claim 5, but does not teach the rest of the limitations.
In an analogous art, Pappachan discloses a device in which a secure execution environment is instantiated and which stores an application (Fig. 1, 112). Pappachan discloses wherein running the program on the first set of data further comprises: instantiating the environment, which is a secure execution environment, within the respective computing system (Fig. 1: the secure execution environment is configured in the device); providing the encrypted first set of data, the decryption information and the program to the secure execution environment; and within the secure execution environment: decrypting the encrypted first set of data using the decryption information, and running the program on the decrypted first set of data and generating a second set of data as an output of the program ([0014][0067]: data encrypted with a first encryption protocol is transmitted to the secure execution environment, which is also provided with the encryption protocol ([0026]) and the program (Fig. 1, Application 114); the data is decrypted using the first encryption protocol and processed by the application to output data). It would have been obvious to a skilled artisan before the present application was filed to have a secure execution environment be provided with the application and the encrypted data, which is decrypted and processed by the application as taught by Pappachan, because it would ensure the integrity of the input data and the application, protected from outside interception and alteration (Pappachan [0011]).
Regarding claims 16 and 20, the claims recite substantially the same content as claim 6 and are rejected using the rationales for rejecting claim 6.

Claims 10-11 are rejected under 35 USC 103 as being unpatentable over Murdoch, in further view of the publication titled "MeDShare: trust-less medical data sharing among cloud service providers via blockchain", by Xia et al., 2017, pp. 14757-14767, hereinafter Xia.
Regarding claim 10, Murdoch discloses the method of claim 1; Murdoch also discloses a distributed ledger that records transactions related to the data ([0065]). However, Murdoch does not explicitly teach transmitting a record of the request to run the program on the first set of data for storage on a distributed ledger outside of the respective computing system. Recording requests on a ledger is known in the art, as evidenced by Xia. Xia, in an analogous art, teaches a system recording data transitions and sharing from one entity to the other in a tamper-proof manner (see Abstract). Xia discloses transmitting a record of the request to run the program on the first set of data for storage on a distributed ledger outside of the respective computing system (p. 14762, B: use of smart contracts when an action has been activated to report the actions to the blockchain; the actions (read, write, duplicate, etc.), when performed on the data, trigger the smart contracts to send a report to the blockchain, which (p. 14759, A) is a distributed database). It would have been obvious to a skilled artisan before the present application was filed to record the request on the distributed ledger as taught by Xia because it would monitor "data provenance, auditing and control ... and effectively track the behavior of the data and revoke access to offending entities on detection of violation of permissions on data" (Xia, Abstract), improving the management of the user's data.
Regarding claim 11, Murdoch in view of Xia discloses the method of claim 10, wherein the distributed ledger is a blockchain ledger (Xia p.14759, A).

Claim 21 is rejected under 35 USC 103 as being unpatentable over Murdoch, in further view of the publication titled "On the Impossibility of Cryptography Alone for Privacy-Preserving Cloud Computing", 5th USENIX Workshop on Hot Topics in Security, 2010, by van Dijk et al., pp. 1-6, hereinafter van Dijk.

Regarding claim 21, Murdoch discloses the method of claim 1, but does not explicitly teach the rest of the claim.
In an analogous art, van Dijk discloses a cloud computing environment (see Abstract) wherein running the program in the environment comprises generating a second set of data as an output of the program, wherein the environment is a secure execution environment (p. 5, 3.3: trustworthy computation environment to compute over the data of the client; p. 4, left: the cloud evaluates a function f on the private inputs of clients, using access-control policies that indicate whether client data xi can be used as input, xi and the output being encrypted), and wherein the method further comprises: in response to determining whether the request to run the program satisfies the access restrictions: in accordance with a determination that the request to run the program satisfies the access restrictions, making available, to the outside of the secure execution environment, the second set of data, without making available, to the outside of the secure execution environment, the first set of data (p. 2, 1.2, left: only a given client may learn any output; last paragraph of p. 1 to first paragraph of p. 2: the input xi is private and is never divulged).
It would have been obvious to a person skilled in the art before the instant application was effectively filed to implement the execution of the program in a secure environment and provide the output outside of the secure environment while the input remains private, because it would efficiently promote data privacy and ensure that "clients trust that a cloud provider will protect the privacy of their data, i.e., not leak their data or itself use their data inappropriately" (van Dijk, p. 1, first paragraph on the right).
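The flow mapped above to claim 1 (a data set stored with an access policy, a request from outside to run a program on it, a policy check, execution in a scope that exposes only the program's output, and forgoing execution otherwise), the request record of claim 10, and the output-only release of claim 21 can be shown in one runnable sketch. This is an added example written for this page; it is not code from the Office Action, the applicant, or any cited reference. The names DataCapsule, Policy, Request, Ledger, evaluate_request and run_program, the sample record and the quote program are all assumptions, and the hash-chained list is a local stand-in for a distributed ledger, not an implementation of one.

```python
# Added example: policy-gated execution of a program over stored data.
# All names below are assumptions made for this illustration; the sample record is constructed.
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional, Tuple
import hashlib
import json


@dataclass
class Policy:
    allowed_entities: set              # entities permitted to use the data
    blacklist: set                     # entities always denied
    allowed_ops: set                   # permitted operations, e.g. {"read", "copy"}
    allowed_hours: Tuple[int, int]     # [start, end) hour of day in which runs may occur


@dataclass
class DataCapsule:
    data: bytes                        # the first set of data
    policy: Policy                     # the first data access policy, stored with it


@dataclass
class Request:
    entity: str                        # requester, outside the computing system
    operation: str                     # operation the program will perform on the data
    program: Callable[[bytes], bytes]  # the program to run on the data
    when: datetime                     # time the request is received


def evaluate_request(req: Request, capsule: DataCapsule) -> Tuple[bool, str]:
    """Decide whether the request satisfies the capsule's access restrictions."""
    p = capsule.policy
    if req.entity in p.blacklist:
        return False, "entity blacklisted"
    if req.entity not in p.allowed_entities:
        return False, "entity not authorised"
    if req.operation not in p.allowed_ops:
        return False, "operation not permitted"
    start, end = p.allowed_hours
    if not start <= req.when.hour < end:
        return False, "outside allowed time window"
    return True, "ok"


class Ledger:
    """Append-only, hash-chained log of requests (local stand-in for a distributed ledger)."""

    def __init__(self) -> None:
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            body = json.dumps(entry["record"], sort_keys=True)
            if entry["prev"] != prev:
                return False
            if hashlib.sha256((prev + body).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def run_program(req: Request, capsule: DataCapsule, ledger: Ledger) -> Optional[bytes]:
    """Record the request, run the program only if the policy is satisfied, return output only."""
    ok, reason = evaluate_request(req, capsule)
    ledger.append({"entity": req.entity, "op": req.operation,
                   "when": req.when.isoformat(), "granted": ok, "reason": reason})
    if not ok:
        return None                    # forgo running the program
    # The program sees capsule.data only inside this call; the caller receives the output.
    # A deployed system would back this boundary with a TEE or sandbox; here it is scoping only.
    return req.program(capsule.data)


# Constructed sample record and a program that derives a quote-like value from it.
ALICE = DataCapsule(
    data=b"name=Alice;age=34;postcode=SW1A",
    policy=Policy(allowed_entities={"insurer"}, blacklist={"broker-x"},
                  allowed_ops={"read"}, allowed_hours=(8, 18)),
)


def quote_program(data: bytes) -> bytes:
    fields = dict(kv.split(b"=") for kv in data.split(b";"))
    return b"quote=" + str(100 + int(fields[b"age"])).encode()


def demo() -> dict:
    ledger = Ledger()
    t_day, t_night = datetime(2022, 6, 2, 10, 0), datetime(2022, 6, 2, 22, 0)
    granted = run_program(Request("insurer", "read", quote_program, t_day), ALICE, ledger)
    denied = run_program(Request("broker-x", "read", quote_program, t_day), ALICE, ledger)
    late = run_program(Request("insurer", "read", quote_program, t_night), ALICE, ledger)
    return {"granted": granted, "denied": denied, "late": late,
            "chain_valid": ledger.verify(), "records": len(ledger.entries)}


if __name__ == "__main__":
    print(demo())
```

Every request, granted or not, is appended to the ledger before any decision is acted on, so an audit of the chain shows attempts as well as successes; the output handed back never contains the stored record itself, only the derived value.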


Allowable Matter
Claims 7-9 recite allowable matter.
Regarding claim 7, Murdoch in view of Pappachan discloses the method of claim 6; while Murdoch discloses making available, to outside of the respective computing system, the second set of data (Fig. 3, [0067]: provide output to a user output interface 318, external to the secure execution environment), neither Murdoch nor Pappachan nor any other prior art of record teaches doing so without making available, to outside of the secure execution environment, the first set of data.
Therefore claim 7 is found allowable.
Claims 8-9, depending from claim 7, are also found allowable.
Claims 7-9 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Itani, W., Kayssi, A., & Chehab, A. (2009, December). Privacy as a service: Privacy-aware data storage and processing in cloud computing architectures. In 2009 Eighth IEEE International Conference on Dependable, Autonomic and Secure Computing (pp. 711-716). IEEE. Discloses performing cloud computing in a trusted environment.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138. The examiner can normally be reached Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Catherine Thiaw/ Primary Examiner, Art Unit 2493    8/12/2022