Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
Applicant's submission filed on 6/21/2022 has been entered. Claims 1-20 are pending.
Response to Arguments
Applicant's arguments filed on 6/21/2022 have been fully considered but they are not persuasive.
On pages 7-11 of the Remarks, the Applicants argue that Balakrishnan does not disclose "a query comprising ... privacy metadata indicating a data processing activity for using the data," "wherein executing the transformed query is based at least in part on a data processing permit stored for the database system and applicable to the data processing activity," as recited in independent claim 1.
In response, the Examiner respectfully disagrees and submits that Balakrishnan discloses a system and/or method that encrypts a database using two or more encryption schemes, with each data item in the database at a database system encrypted using at least one of the two or more encryption schemes, and that performs the activity specified for each data item in an input query from an application or a user. The system and/or method further includes transforming the input query into an encrypted query using the selected encryption scheme for each data item specified in the query, and executing the encrypted query at the database system without decrypting any of the encrypted data items to plaintext at the database system. Balakrishnan at least discloses a database proxy that intercepts and transforms a query received from an application or a user, wherein the query contains the data table in which the data is located, the sensitive data parameter that the application or the user asks for or indicates in the query, the query operator indicating the activity for using the sensitive data (such as updating, deleting, searching or obtaining), and/or a username, user group or password used to determine whether the application or the user has permission to access the data or column of data (¶ [0028], [0050]-[0053], [0118], [0121]); for example, a query request to update the salary of an employee "Alice" (¶ [0078]-[0082]). Balakrishnan also discloses that the database system enforces an access control policy defining which user has access to a subset of data items, such that the processing activities (updating, deleting, selecting, etc.) in queries received from applications and/or users with permission can be performed (¶ [0121]-[0123]). As such, Balakrishnan discloses "a query comprising ... privacy metadata indicating a data processing activity for using the data," "wherein executing the transformed query is based at least in part on a data processing permit stored for the database system and applicable to the data processing activity."
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-5, 9-17 and 19-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Balakrishnan et al. (US 2013/0191650 hereinafter Balakrishnan).
Regarding claim 1, Balakrishnan discloses a method for data processing at a database system comprising a database proxy and a database, the method comprising: 
receiving, at the database proxy, a query comprising an indication of data associated with the database and privacy metadata indicating a data processing activity for using the data (¶ [0028]-[0033] i.e. a proxy server coupled between the DBMS server and the application server/user device, [0050]-[0053], i.e. the proxy intercepts the query issued by the application or user to access data stored in the DBMS server, the query also includes information regarding data access control, user name, password to access the sensitive data, [0118]-[0128], [0134], i.e. data stored in the DBMS is associated with privacy control and data access permission is determined based on the application or user login information associated with the query); 
transforming, at the database proxy, the query based at least in part on an encryption schema of the database (¶ [0028]-[0029], i.e. the system utilizes user-defined functions (UDFs) to perform cryptographic operations in the DBMS; [0042], i.e. the proxy uses secret keys to encrypt all data inserted or included in queries issued to the DBMS; [0050]-[0053], i.e. the proxy rewrites the query by anonymizing table and column names and encrypting each constant in the query with the encryption scheme best suited for the database operation); and 
executing, at the database, the transformed query, wherein executing the transformed query is based at least in part on a data processing permit stored for the database system and applicable to the data processing activity (¶ [0050]-[0053]; i.e. the DBMS server executes the encrypted query according to the access control policy and/or rules).
Regarding claim 2, Balakrishnan discloses the method of claim 1, wherein the query comprises a request for the data stored in the database and a user identifier associated with the request for the data (¶ [0075]-[0077]; i.e. the query contains the user identifier of the requested data, [0118]-[0122], i.e. each SQL query involving an annotated data item requires the privilege of the corresponding principal or user identifier/password), and the transforming further comprises: identifying the data processing permit applicable to the data processing activity and the user identifier (¶ [0075]-[0081]); and encrypting the user identifier with a permit key associated with the identified data processing permit ([0118]-[0128] i.e. encrypting the query with the identifier using the user password derived key), wherein the transformed query comprises a select statement indicating the encrypted user identifier (¶ [0075]-[0081]).
Regarding claim 3, Balakrishnan discloses the method of claim 2, further comprising: receiving a legitimizing reason for the user identifier to access the data for the data processing activity (¶ [0126]-[0129]); generating the data processing permit applicable to the data processing activity and the user identifier based at least in part on receiving the legitimizing reason (¶ [0126]-[0129]); encrypting the user identifier with the permit key associated with the data processing permit based at least in part on receiving the legitimizing reason (¶ [0126]-[0129]); and storing, in the database, the encrypted user identifier with a relation to the data stored in the database (¶ [0126]-[0129]).
Regarding claim 4, Balakrishnan discloses the method of claim 3, wherein: the encrypted user identifier is stored in a column in the database (¶ [0048], [0050]); the column supports executing the select statement for the query in the database (¶ [0062]); and the encrypted user identifier provides access to a row in the database comprising the data (¶ [0062]).
Regarding claim 5, Balakrishnan discloses the method of claim 2, further comprising: receiving, at the database proxy, a second query comprising a second request for the data stored in the database and second privacy metadata indicating a second data processing activity for using the data and a second user identifier associated with the second request for the data (¶ [0126]-[0129], i.e. only the defined principal may see the private message; [0137]-[0140], i.e. rules are established to prevent unauthorized users from accessing the data); failing to identify a second data processing permit applicable to both the second data processing activity and the second user identifier (¶ [0126]-[0129], i.e. only the defined principal may see the private message; [0137]-[0140], i.e. rules are established to prevent unauthorized users from accessing the data); and refraining from retrieving the data in response to the second query based at least in part on failing to identify the second data processing permit (¶ [0126]-[0129], i.e. only the defined principal may see the private message; [0137]-[0140], i.e. rules are established to prevent unauthorized users from accessing the data).
Regarding claim 9, Balakrishnan discloses the method of claim 1, wherein executing the transformed query further comprises: receiving, at the database proxy, a query result based at least in part on executing the transformed query at the database (FIG. 2, ¶ [0032], [0053]; i.e. the DBMS returns the query result to the proxy); and modifying, at the database proxy, the query result based at least in part on the data processing permit applicable to the data processing activity (FIG. 2, ¶ [0032], [0053], [0121]; i.e. decrypting only data that the user has access to).
Regarding claim 10, Balakrishnan discloses the method of claim 9, wherein the modifying further comprises: filtering the query result based at least in part on the data processing permit (¶ [0121] “the proxy can decrypt only the data the user has access to, based on the access control policy”).
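The proxy behaviour mapped to claims 1, 5, 9 and 10 above (intercept a query carrying a user identifier and a data processing activity, check a stored data processing permit, rewrite the query with pseudonymised table/column names and encrypted constants, execute it at the database on ciphertext only, and decrypt only what the permit covers), shown as an added illustrative example that is not code from Balakrishnan or from the application under examination. The permit table, key, sample rows and the keyed-XOR deterministic cipher are constructed assumptions.

```python
import hashlib
import hmac
import sqlite3

KEY = b"constructed-demo-key"  # constructed; a real proxy keeps this outside the DBMS

# Data processing permits stored for the database system (constructed sample):
# (user identifier, data processing activity) -> columns the activity may use.
PERMITS = {
    ("hr_app", "payroll_review"): {"name", "salary"},
    ("helpdesk", "contact_lookup"): {"name"},
}


def anonymize(name):
    """Replace a table or column name by a keyed pseudonym so the DBMS never sees it."""
    return "c_" + hmac.new(KEY, name.encode(), hashlib.sha256).hexdigest()[:12]


def _keystream(column, n):
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(KEY, f"{column}:{ctr}".encode(), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def det_encrypt(column, value):
    """Deterministic per-column encryption: equal plaintexts give equal ciphertexts,
    so the DBMS can evaluate an equality predicate on ciphertext. Keyed XOR is a
    toy stand-in for a real deterministic scheme (e.g. AES-SIV) and is not secure."""
    data = value.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(column, len(data)))).hex()


def det_decrypt(column, hexval):
    data = bytes.fromhex(hexval)
    return bytes(a ^ b for a, b in zip(data, _keystream(column, len(data)))).decode()


def setup_db():
    """Create the encrypted table with anonymised names and two constructed rows."""
    db = sqlite3.connect(":memory:")
    table = anonymize("employees")
    db.execute(f"CREATE TABLE {table} ({anonymize('name')} TEXT, {anonymize('salary')} TEXT)")
    for name, salary in [("Alice", "5000"), ("Bob", "4200")]:
        db.execute(f"INSERT INTO {table} VALUES (?, ?)",
                   (det_encrypt("name", name), det_encrypt("salary", salary)))
    return db


def proxy_query(db, query):
    """query = {'user', 'activity', 'table', 'select': [cols], 'where': (col, value)}.
    Returns decrypted rows, or None when no permit applies (the proxy refrains
    from retrieving anything rather than forwarding the query)."""
    allowed = PERMITS.get((query["user"], query["activity"]))
    if allowed is None:
        return None
    cols = query["select"]
    where_col, where_val = query["where"]
    # Transform: pseudonymised identifiers, constant encrypted under the column's scheme.
    sql = (f"SELECT {', '.join(anonymize(c) for c in cols)} "
           f"FROM {anonymize(query['table'])} WHERE {anonymize(where_col)} = ?")
    rows = db.execute(sql, (det_encrypt(where_col, where_val),)).fetchall()
    # Modify the result: decrypt only the columns the permit covers, mask the rest.
    return [tuple(det_decrypt(c, v) if c in allowed else "<redacted>"
                  for c, v in zip(cols, row)) for row in rows]
```

The database only ever sees `c_...` identifiers and hex ciphertext, so the equality match on "Alice" works because the scheme is deterministic per column, which is also why such columns leak equality patterns and need the access control policy on top.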
Regarding claim 11, Balakrishnan discloses the method of claim 1, wherein the query comprises an insert query for the data, the method further comprising: identifying a legitimizing reason for storing the data based at least in part on the data processing permit (¶ [0133]), wherein the query is transformed to store the data at the database according to the encryption schema of the database and based at least in part on the legitimizing reason for storing the data (¶ [0050], [0081]).
Regarding claim 12, Balakrishnan discloses the method of claim 1, further comprising: receiving, at the database proxy, a ciphertext query result based at least in part on executing the transformed query at the database (FIG. 2, ¶ [0053]); and decrypting, at the database proxy, the ciphertext query result to obtain a plaintext query result based at least in part on the encryption schema of the database (FIG. 2, ¶ [0053]).
Regarding claim 13, Balakrishnan discloses the method of claim 12, wherein the query is received from a user device, the method further comprising: transmitting, to the user device, the plaintext query result in response to the query (FIG. 2, ¶ [0053]).
Regarding claim 14, Balakrishnan discloses the method of claim 12, wherein: the data is encrypted at rest in the database (¶ [0132]; i.e. the data is encrypted with public key when the user is not available and re-encrypted with symmetric key later); and the data is encrypted in the database during execution of the transformed query (¶ [0032]).
Regarding claim 15, Balakrishnan discloses the method of claim 1, wherein transforming the query further comprises: performing one or more calls to one or more user-defined functions for the database system based at least in part on a clause in the query, an operator in the query, the encryption schema of the database, or a combination thereof (¶ [0048], [0051]).
Regarding claim 16, Balakrishnan discloses the method of claim 1, wherein: the data is stored in the database in a plurality of columns using a plurality of respective encryption schemes (¶ [0050], [0059]); and the database executes the transformed query on a column of the plurality of columns based at least in part on a query function for the transformed query supported by the column according to a respective encryption scheme for the column (¶ [0050], [0059], [0064]).
Regarding claim 17, Balakrishnan discloses the method of claim 1, wherein: the data is stored in the database in a single column using a plurality of layered encryption schemes (¶ [0064]-[0070]); the database decrypts one or more layers of the plurality of layered encryption schemes based at least in part on a query function for the transformed query (¶ [0064]-[0070]); and the database executes the transformed query on the single column based at least in part on the decrypted one or more layers of the plurality of layered encryption schemes (¶ [0064]-[0070]).
Regarding claim 19, Balakrishnan discloses an apparatus for data processing at a database system comprising a database proxy and a database, the apparatus comprising: 
a processor (FIG. 10, ¶ [0160]); 
memory coupled with the processor (FIG. 10, ¶ [0160]); and 
instructions stored in the memory and executable by the processor to cause the apparatus to (FIG. 10, ¶ [0160]): 
receive, at the database proxy, a query comprising an indication of data associated with the database and privacy metadata indicating a data processing activity for using the data (¶ [0028]-[0033] i.e. a proxy server coupled between the DBMS server and the application server/user device, [0050]-[0053], i.e. the proxy intercepts the query issued by the application or user to access data stored in the DBMS server, the query also includes information regarding data access control, user name, password to access the sensitive data, [0118]-[0128], [0134], i.e. data stored in the DBMS is associated with privacy control and data access permission is determined based on the application or user login information associated with the query);
transform, at the database proxy, the query based at least in part on an encryption schema of the database (¶ [0028]-[0029], i.e. the system utilizes user-defined functions (UDFs) to perform cryptographic operations in the DBMS; [0042], i.e. the proxy uses secret keys to encrypt all data inserted or included in queries issued to the DBMS; [0050]-[0053], i.e. the proxy rewrites the query by anonymizing table and column names and encrypting each constant in the query with the encryption scheme best suited for the database operation); and
execute, at the database, the transformed query, wherein executing the transformed query is based at least in part on a data processing permit stored for the database system and applicable to the data processing activity (¶ [0050]-[0053]; i.e. the DBMS server executes the encrypted query according to the access control policy and/or rules).
Regarding claim 20, Balakrishnan discloses a non-transitory computer-readable medium storing code for data processing at a database system comprising a database proxy and a database, the code comprising instructions executable by a processor to: 
receive, at the database proxy, a query comprising an indication of data associated with the database and privacy metadata indicating a data processing activity for using the data (¶ [0028]-[0033] i.e. a proxy server coupled between the DBMS server and the application server/user device, [0050]-[0053], i.e. the proxy intercepts the query issued by the application or user to access data stored in the DBMS server, the query also includes information regarding data access control, user name, password to access the sensitive data, [0118]-[0128], [0134], i.e. data stored in the DBMS is associated with privacy control and data access permission is determined based on the application or user login information associated with the query); 
transform, at the database proxy, the query based at least in part on an encryption schema of the database (¶ [0028]-[0029], i.e. the system utilizes user-defined functions (UDFs) to perform cryptographic operations in the DBMS; [0042], i.e. the proxy uses secret keys to encrypt all data inserted or included in queries issued to the DBMS; [0050]-[0053], i.e. the proxy rewrites the query by anonymizing table and column names and encrypting each constant in the query with the encryption scheme best suited for the database operation); and 
execute, at the database, the transformed query, wherein executing the transformed query is based at least in part on a data processing permit stored for the database system and applicable to the data processing activity (¶ [0050]-[0053]; i.e. the DBMS server executes the encrypted query according to the access control policy and/or rules).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 6 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Balakrishnan in view of Gkoulalas-Divanis et al. (US 2021/0089678 hereinafter Gkoulalas-Divanis).
Regarding claim 6, Balakrishnan discloses the method of claim 1, wherein the query comprises a request for the data stored in the database (¶ [0062]).
Balakrishnan does not explicitly disclose the executing the transformed query further comprises: identifying, in the database, a consent status for a data field based at least in part on the data processing activity, wherein the consent status is based at least in part on the data processing permit; and retrieving the data from the database based at least in part on the identified consent status.
However, Gkoulalas-Divanis discloses the executing the transformed query further comprises: identifying, in the database, a consent status for a data field based at least in part on the data processing activity, wherein the consent status is based at least in part on the data processing permit (FIG. 4 & 18, ¶ [0053], [0076]); and retrieving the data from the database based at least in part on the identified consent status (FIG. 4 & 18, ¶ [0053], [0076]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Gkoulalas-Divanis' teaching into Balakrishnan in order to implement all the necessary security and privacy controls to comply with various privacy legal requirements (Gkoulalas-Divanis, ¶ [0049]-[0051]).
Regarding claim 8, Balakrishnan discloses the method of claim 6, further comprising: accessing a table in the database based at least in part on a reference stored with the data, wherein the consent status is identified based at least in part on a value stored in the table, the data processing activity, the data processing permit, or a combination thereof (FIG. 4 & 18, ¶ [0053], [0058], [0076]).
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Balakrishnan in view of Gkoulalas-Divanis et al. (US 2021/0089678 hereinafter Gkoulalas-Divanis) and further in view of Upadhyay et al. (US 2020/0117824 hereinafter Upadhyay).
Regarding claim 7, Balakrishnan in view of Gkoulalas-Divanis discloses the method of claim 6, further comprising: filtering a data column of the database, a data row of the database, or a combination thereof based at least in part on a [[hidden]] consent column of the database (Balakrishnan, ¶ [0066]-[0068]; Gkoulalas-Divanis, FIG. 4 & 18, ¶ [0053], [0076]).
Balakrishnan in view of Gkoulalas-Divanis does not explicitly disclose a hidden consent column.
However, Upadhyay discloses a hidden consent column (¶ [0018], [0071]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Upadhyay's teaching into Balakrishnan in view of Gkoulalas-Divanis in order to improve the ability of organizations to identify and safeguard personal information (Upadhyay, ¶ [0002]-[0013]).
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Balakrishnan in view of Trepetin et al. (US 10,936,744 hereinafter Trepetin).
Regarding claim 18, Balakrishnan discloses the method of claim 1.
Balakrishnan does not explicitly disclose installing the database proxy for the database system; determining, at the database proxy, an initial schema of the database; and updating the initial schema of the database to the encryption schema of the database based at least in part on the initial schema of the database and a plurality of data processing permits associated with installing the database proxy.
However, Trepetin discloses installing the database proxy for the database system (col. 138, lines 28-67); determining, at the database proxy, an initial schema of the database (col. 17, line 63-col. 18, line 62, col. 138, lines 28-67); and updating the initial schema of the database to the encryption schema of the database based at least in part on the initial schema of the database and a plurality of data processing permits associated with installing the database proxy (col. 17, line 63-col. 18, line 62, col. 138, lines 28-67).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Trepetin's teaching into Balakrishnan in order to provide fast near real-time querying of encrypted databases (Trepetin, col. 1, lines 35-67, col. 3, lines 31-67).
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHI D NGUY whose telephone number is (571)270-7311. The examiner can normally be reached Monday-Friday 9-5 PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph P Hirl can be reached on (571)272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-270-8311.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/C.D.N/Examiner, Art Unit 2435 

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435