DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 5/18/2022 has been entered.
Notice to Applicant
The amendment filed 5/18/2022 has been entered. The following has occurred: Claims 1, 2, and 14 have been amended; No new claims have been added; Claims 6-13 were previously withdrawn; Claims 19 and 20 have been canceled. 
Claims 1-5 and 14-18 are pending.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Effective Filling Date: 11/27/2017.
Response to Amendment
35 U.S.C. 112(a) rejection is withdrawn in light of canceled claim 19. 
35 U.S.C. 103 rejection is maintained in light of the amended claim limitations.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under pre-AIA  35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 2, 4, 5, and 14-18 are rejected under 35 U.S.C. 103 as being unpatentable over Montano (US 20140114877 A1) in view of Bilzhause et al. “Position Paper: The Past, Present, and Future of Sanitizable and Redactable Signature”, Pages 1-10, August 29-September 1, 2017, hereinafter “Bilzhause,” and further in view of NPL Content Extraction Signatures by Steinfeld, Bull, and Zheng, published in Feb 20, 2002 < https://www.cs.fsu.edu/~burmeste/zheng1.pdf>” hereinafter “CES” and further in view of Goyal (US 20160307034 A1). 
Claim 1, Montano discloses a method for checking legitimacy of a customer review (Abstract and para. [0007] disclosing systems and methods for authenticating online customer service reviews using unique customer identifiers such as payment data and location data), the method comprising:
receiving, via a service provider device, a verification key (Para. [0022] and [0025] disclosing the receiving, via service provider device (which is employee device used by a service provider) unique customer identifier or payment identifier, which is interpreted to be a verification key. Additionally, in para [0022]-[0030] disclosing the use of unique customer identifier which may be payment identifier, e-wallet, name, credit card number, billing address, location-based identifier, RFID, QR code, unique code, and more can be used to verify the customer in the process of authenticating the customer review. The list above can all be interpreted to be verification key);
receiving, via a customer device, a customer review, a redacted message, and a redacted signature (Claim 1 disclosing receiving a customer service review from the customer in response to the prompt; the redacted message is interpreted to be the customer review prior to publish, which is hidden or censored from public, as motivated in para. [0019], “credibility of the customer service review is therefore significantly higher than a review posted by an anonymous reviewer, and malicious false negative reviews can be prevented by requiring authentication prior to a review being posted.”  Para. [0023], “Another type of unique customer identifier is a location-based identifier which uses location services on the customer's mobile device to determine if the customer is in the same location as the service that was performed, or if the customer is in the same vicinity as the mobile device of the employee that performed the service. In addition to location-based services, the employee could use their mobile device to interact with the customer's mobile device to verify their vicinity with each other and confirm that the customer is the person that the employee is interacting with. The mobile device interactions could be through any wired or wireless communication protocol, such as Bluetooth®, 802.11, near-field communications, RFID, etc. or through an optical recognition procedure such as having the customer take a picture of a QR code displayed on the employee's mobile device.” Disclosing the customer mobile device taking a picture of QR code displayed on employee’s mobile device for verification of service. The receiving of picture of QR code is representative of receiving via a customer device of a redacted signature. This is supported in Applicant’s Drawing, Fig. 1 that redacted signature can be QR code); and
at least one of:
publishing the verification key and the redacted signature on a review website with the customer review such that the legitimacy of the redacted signature is checkable by a user device; or checking, using the verification key, whether the redacted signature is legitimate and, based on the redacted signature being legitimate, marking the customer review as being legitimate (Para. [0025]-[0031] disclosing the verification of unique customer identifier with customer service provided by employee with unique code (i.e. redacted signature) entered, once the review has been authenticated (i.e. legitimate), the review can be published), 
wherein the verification key is bound to the service provider device and is sent to the review server from the service provider device (Para. [0023], “addition to location-based services, the employee could use their mobile device to interact with the customer's mobile device to verify their vicinity with each other and confirm that the customer is the person that the employee is interacting with. The mobile device interactions could be through any wired or wireless communication protocol, such as Bluetooth®, 802.11, near-field communications, RFID, etc. or through an optical recognition procedure such as having the customer take a picture of a QR code displayed on the employee's mobile device.” The QR code displayed on the employee’s mobile device discloses the verification key is bound to the service provider device to confirm the communication and presence of employee at service. The service provider or employee device can also receive other examples of verification key such as payment identifier, location-based identifier of the customer’s mobile device, biometric, gesture recognition or passwords associated with the customer to be transmitted to confirm the identity of the customer, see para. [0022]-[0024]. Para. [0030]-[0032] disclosing the verification key (e.g., customer identifier, unique identifier) is transmitted to the review authentication server to match with unique customer identifier with data stored in a connected authentication database to authenticate the customer, then the customer servicer review can be authenticated in the review website, see Fig. 1).
Under the broadest reasonable interpretation, Montano discloses the above-mentioned limitations. However, Montano does not explicitly teach the receiving of a redacted signature provides a privacy-preserving proof of purchase of a list of goods and services that a customer has purchased, wherein the list of goods and services excludes at least one good or service that was redacted by the customer device from an original list of goods and services provided to the customer device by the service provider device. 
According to Applicant’s Specification in paragraph [0014] and cited in the Applicant in the Information Disclosure Form of 2/26/2018, described in Bilzhause, et al., “Position Paper, The Past, Present and Future of Sanitizable and Redactable Signatures,” ARES (2017), that the use of redactable digital signatures is old and well-known in the field for a signer to mark specific parts of a signed message as redactable and those parts of the signed message can be censored, while still retaining verifiability of the signature.
Specifically, Bilzhause teaches the limitations:
receiving, via a customer device, a customer review, a redacted message, and a redacted signature (Page 1, RSSs allow to remove, i.e., redact, parts of a signed message, while SSSs allow a designated third party, named the sanitizer, to change, i.e., sanitize, signer-chosen parts of a signed message to different bitstrings), wherein the redacted signature provides a privacy-preserving proof of purchase of a list of goods and services that a customer has purchased (Bilzhause page 3, under Unforgeability. “If one does not hold any secret keys, one should not be able to come up with a verifying signature σ∗ for a message m∗ which has neither been authorized by the signer nor the sanitizer.”  Privacy. “An outsider not holding any private keys should not be able to derive any information about sanitized parts of a message.” Accountability. “If it comes to a dispute, the signer must be able to generate a proof which points to the accountable party. Accountability requires that neither the signer nor the sanitizer can generate “false” proofs pointing to the wrong party for a adversarially generated message/signature pair (m∗, σ∗).” Which teaches the redacted signature provides a privacy-preserving proof. Further in page 4, under New Application Scenarios: Receipts. “Assume that you buy two items at a store, e.g., a TV and a toaster. However, at home it turns out that the wrong TV was bought. Normally, one returns to the store, and exchanges the TV for a different one. Then, however, the receipt needs to be changed to prevent fraud. SSSs can help here: if an item is exchanged, the receipt can simply be altered for the new item, without the need to give the customer two different receipts. This kind of idea may be useful in other contexts as well, e.g., supply-chain management” which describes the redacted signature can be used with receipts, which is purchase of a list of goods and services that a customer has purchased);
at least one of:
publishing the verification key and the redacted signature on a review website with the customer review such that the legitimacy of the redacted signature is checkable by a user device; or checking, using the verification key, whether the redacted signature is legitimate and, based on the redacted signature being legitimate, marking the customer review as being legitimate (Page 1, Abstract, Page 2, “Attribute-based signatures [99] allow users to sign messages which are bound to specific attributes. This type of signature scheme requires that the signer holds the corresponding attributes. More precisely, a signature verification only reveals that the signer has a signing key which fulfills the predicate on the claimed attributes. Page 2, under “III. Santizable signature Schemes” teaching sanitizer holds his own public key, the sanitization process requires the corresponding private key, which verifies under the given public keys. Additionally, see Framework of Sanitizable Signature Schemes using algorithms. Page 3, teaches verification takes input of signature for a message w.r.t. the public keys). 
Therefore, it would have been obvious for one of ordinary skill in the art, before the effective filling of the invention to modify the systems and methods for authentication online customer service review of Montano to include the authentication or verification process of sanitiable and redactable signatures schemes of Bilzhause for the motivation of providing an improved system and methods of privacy protection and stronger security, see Bilzhause page 4 “Unlinkability”, “Stronger Security Definition”, “Receipts” and “Data loss Prevention”.
While it is suggested, the Examiner would like to introduce Non-patent literature, CES (which is reference [121] in Bilzhause), directed to digital signature for producing an extracted signature on selected extracted portions of the original documents, which can be verified by third party while hiding unextracted (removed) document portions, to specifically teach, wherein the redacted signature provides a privacy-preserving proof of purchase of a list of goods and services that a customer has purchased (Pages 6-8 teaching the user/signer have full control to determine/select which subdocuments signature can be extracted for which is indicating the other portions to be redacted. The document can be intended for any document that can be subdocumented which include receipts with list of goods and service that the customer has purchased); 
Therefore, it would have been obvious for one of ordinary skill in the art, before the effective filling of the invention to modify the method of checking legitimacy of a customer review using verification key and redacted signature in Montano and Bilzhause with the feature of key pair of public and private keys as taught in CES, for the motivation and benefit for providing the user/signer the ability to specify allowed extraction of document content and achieving provable security. 
The Applicant’s specification in paragraph [0014] describes the teaching of Bilzhause for the employment of redactable digital signature  to mark specific parts of a signed message as redactable or censored, and it is implied that the same techniques are applied to a customer’s receipt for redacting purchase items to hide one or more purchased goods or services to not be reviewed (see App. specification paragraph [0013]). The limitation, wherein the list of goods and services excludes at least one good or service that was redacted by the customer device from an original list of goods and services provided to the customer device by the service provider device,  is disclosed or at least suggested in Bilzhause in pages 6-8 for user indicating portions of documents or subdocuments can be redacted to hide content. Further in page 4, under New Application Scenarios: Receipts. “Assume that you buy two items at a store, e.g., a TV and a toaster. However, at home it turns out that the wrong TV was bought. Normally, one returns to the store, and exchanges the TV for a different one. Then, however, the receipt needs to be changed to prevent fraud. SSSs can help here: if an item is exchanged, the receipt can simply be altered for the new item, without the need to give the customer two different receipts. This kind of idea may be useful in other contexts as well, e.g., supply-chain management” disclosing such technique is applied to application scenarios for receipts (documents or subdocuments), which is a list of good or service. Specifically, in page 5 under Privacy “An outsider not holding any private keys should not be able to derive any information about redacted parts of a message.” teaching the reason and motivation for redacting parts of message to conceal information to be shared for privacy reasons. 
However, the Applicant asserts the combination does not expressly teach the customer redacting at least one good or service from an original list of goods and services provided to the customer device by the service provider device. 
For the purpose of compact prosecution, the Examiner introduce Goyal, for techniques of recognizing data fields of documents, which specifically teaches the well-known and obviousness of wherein the list of goods and services excludes at least one good or service that was redacted by the customer device from an original list of goods and services provided to the customer device by the service provider device (Para. [0021] and Fig. 8 teaching the user who purchased the items may want to generate a modified copy of receipt can redact or excise certain other fields of the receipt from the modified copy, e.g., the credit card information or the identity of other items purchased on the same shopping trip). 
Therefore, it would have been obvious for one of ordinary skill in the art, before the effective filling of the invention to modify the system and method of for authentication online customer service review of Montano with the redactable signatures schemes of Bilzhause and CES to include the feature of redacting a portion of customer receipt as taught in Goyal for the motivation and advantages benefits of preserving privacy (Goyal: Abstract and para. [0021]). 
Claim 2, the combination of Montano, Bilzhause, CES, and Goyal makes obvious of the method of claim 1. Bilzhause teaches wherein the redacted message includes the list of goods and services and/or a serial number (Bilzhause: in page 4, under New Application Scenarios: Receipts. “Assume that you buy two items at a store, e.g., a TV and a toaster. However, at home it turns out that the wrong TV was bought. Normally, one returns to the store, and exchanges the TV for a different one. Then, however, the receipt needs to be changed to prevent fraud. SSSs can help here: if an item is exchanged, the receipt can simply be altered for the new item, without the need to give the customer two different receipts. This kind of idea may be useful in other contexts as well, e.g., supply-chain management.”). 
Therefore, it would have been obvious for one of ordinary skill in the art, before the effective filling of the invention to modify the systems and methods for authentication online customer service review of Montano to include the authentication or verification process of sanitiable and redactable signatures schemes of Bilzhause for the motivation of providing an improved system and methods of privacy protection and stronger security, see Bilzhause page 4 “Unlinkability”, “Stronger Security Definition”, “Receipts” and “Data loss Prevention”.
Claim 4, the combination of Montano, Bilzhause, CES, and Goyal makes obvious of the method of claim 1. Montano further discloses further comprising uploading the legitimate customer review to a review website (Para. [0031], “Once the review has been authenticated, the review can be published (step 212) by transmitting the review to the business server 112 or a review website 116 operated by the business, a third party reviewing service or by the system's own review website or application running on a computing device such as a smartphone or tablet”).
Claim 5, the combination of Montano, Bilzhause, CES, and Goyal makes obvious of the method of claim 1. Montano further discloses further comprising storing the customer review in a review database based on the checking determining that the redacted signature is legitimate and not storing the customer review in the database based on the checking determining that the redacted signature is not legitimate (Para. [0031], “the review has been authenticated, the review can be published (step 212) by transmitting the review to the business server 112 or a review website 116 operated by the business, a third party reviewing service or by the system's own review website or application running on a computing device such as a smartphone or tablet. In one example, the review maybe published to the employee's personal profile on a social media service where they advertise their services in addition to on the employer's website in order to further promote their service. The employee could then advertise their own customer service reviews with a card, email advertisement or online advertisement linking to their online review profile. The review may be displayed with an authentication indicator such as a keyword, logo or other symbol indicating that the review has been authenticated (step 214).” Disclosing once authenticated (which the redacted signature is legitimate), the review is transmitted and stored to a business server or review website).
Claim 14, Montano discloses a trustworthy review system for verifying that a customer review is legitimate, the system comprising a review server having one or more processors (Para. [0049] disclosing processor) which, alone or in combination are configured to provide for performance of the following steps (Abstract, Claims 1-18, and para. [0007] disclosing systems and methods for authenticating online customer service reviews using unique customer identifiers such as payment data and location data):
receiving, via a service provider device, a verification key (Para. [0022] and [0025] disclosing the receiving, via service provider device (which is employee device used by a service provider) unique customer identifier or payment identifier, which is interpreted to be a verification key. Additionally, in para [0022]-[0030] disclosing the use of unique customer identifier which may be payment identifier, e-wallet, name, credit card number, billing address, location-based identifier, RFID, QR code, unique code, and more can be used to verify the customer in the process of authenticating the customer review. The list above can all be interpreted to be verification key);
receiving, via a customer device, a customer review, a redacted message, and a redacted signature (Claim 1 disclosing receiving a customer service review from the customer in response to the prompt; the redacted message is interpreted to be the customer review prior to publish, which is hidden or censored from public, as motivated in para. [0019], “credibility of the customer service review is therefore significantly higher than a review posted by an anonymous reviewer, and malicious false negative reviews can be prevented by requiring authentication prior to a review being posted”.  Para. [0023], “Another type of unique customer identifier is a location-based identifier which uses location services on the customer's mobile device to determine if the customer is in the same location as the service that was performed, or if the customer is in the same vicinity as the mobile device of the employee that performed the service. In addition to location-based services, the employee could use their mobile device to interact with the customer's mobile device to verify their vicinity with each other and confirm that the customer is the person that the employee is interacting with. The mobile device interactions could be through any wired or wireless communication protocol, such as Bluetooth®, 802.11, near-field communications, RFID, etc. or through an optical recognition procedure such as having the customer take a picture of a QR code displayed on the employee's mobile device.” Disclosing the customer mobile device taking a picture of QR code displayed on employee’s mobile device for verification of service. The receiving of picture of QR code is representative of receiving via a customer device of a redacted signature. This is supported in Applicant’s drawing, Fig. 1 that redacted signature can be QR code); and
at least one of:
publishing the verification key and the redacted signature on a review website with the customer review such that the legitimacy of the redacted signature is checkable by a user device; or checking, using the verification key, whether the redacted signature is legitimate and, based on the redacted signature being legitimate, marking the customer review as being legitimate (Para. [0025]-[0031] disclosing the verification of unique customer identifier with customer service provided by employee with unique code (i.e. redacted signature) entered, once the review has been authenticated (i.e. legitimate), the review can be published), 
wherein the verification key is bound to the service provider device and is sent to the review server from the service provider device (Para. [0023], “addition to location-based services, the employee could use their mobile device to interact with the customer's mobile device to verify their vicinity with each other and confirm that the customer is the person that the employee is interacting with. The mobile device interactions could be through any wired or wireless communication protocol, such as Bluetooth®, 802.11, near-field communications, RFID, etc. or through an optical recognition procedure such as having the customer take a picture of a QR code displayed on the employee's mobile device.” The QR code displayed on the employee’s mobile device discloses the verification key is bound to the service provider device to confirm the communication and presence of employee at service. The service provider or employee device can also receive other examples of verification key such as payment identifier, location-based identifier of the customer’s mobile device, biometric, gesture recognition or passwords associated with the customer to be transmitted to confirm the identity of the customer, see para. [0022]-[0024]. Para. [0030]-[0032] disclosing the verification key (e.g., customer identifier, unique identifier) is transmitted to the review authentication server to match with unique customer identifier with data stored in a connected authentication database to authenticate the customer, then the customer servicer review can be authenticated in the review website, see Fig. 1).
According to Applicant’s Specification in paragraph [0014] and cited in the Applicant in the Information Disclosure Form of 2/26/2018, described in Bilzhause, et al., “Position Paper, The Past, Present and Future of Sanitizable and Redactable Signatures,” ARES (2017), that the use of redactable digital signatures is old and well-known in the field for a signer to mark specific parts of a signed message as redactable and those parts of the signed message can be censored, while still retaining verifiability of the signature.
Specifically, Bilzhause teaches:
receiving, via a customer device, a customer review, a redacted message, and a redacted signature (Page 1, RSSs allow to remove, i.e., redact, parts of a signed message, while SSSs allow a designated third party, named the sanitizer, to change, i.e., sanitize, signer-chosen parts of a signed message to different bitstrings), wherein the redacted signature provides a privacy-preserving proof of purchase of a list of goods and services that a customer has purchased (Bilzhause page 3, under Unforgeability. “If one does not hold any secret keys, one should not be able to come up with a verifying signature σ∗ for a message m∗ which has neither been authorized by the signer nor the sanitizer.”  Privacy. “An outsider not holding any private keys should not be able to derive any information about sanitized parts of a message.” Accountability. “If it comes to a dispute, the signer must be able to generate a proof which points to the accountable party. Accountability requires that neither the signer nor the sanitizer can generate “false” proofs pointing to the wrong party for a adversarially generated message/signature pair (m∗, σ∗).” Which teaches the redacted signature provides a privacy-preserving proof. Further in page 4, under New Application Scenarios: Receipts. “Assume that you buy two items at a store, e.g., a TV and a toaster. However, at home it turns out that the wrong TV was bought. Normally, one returns to the store, and exchanges the TV for a different one. Then, however, the receipt needs to be changed to prevent fraud. SSSs can help here: if an item is exchanged, the receipt can simply be altered for the new item, without the need to give the customer two different receipts. This kind of idea may be useful in other contexts as well, e.g., supply-chain management” which describes the redacted signature can be used with receipts, which is purchase of a list of goods and services that a customer has purchased);
at least one of:
publishing the verification key and the redacted signature on a review website with the customer review such that the legitimacy of the redacted signature is checkable by a user device; or checking, using the verification key, whether the redacted signature is legitimate and, based on the redacted signature being legitimate, marking the customer review as being legitimate (Page 1, Abstract, Page 2, “Attribute-based signatures [99] allow users to sign messages which are bound to specific attributes. This type of signature scheme requires that the signer holds the corresponding attributes. More precisely, a signature verification only reveals that the signer has a signing key which fulfills the predicate on the claimed attributes. Page 2, under “III. Santizable signature Schemes” teaching sanitizer holds his own public key, the sanitization process requires the corresponding private key, which verifies under the given public keys. Additionally, see Framework of Sanitizable Signature Schemes using algorithms. Page 3, teaches verification takes input of signature for a message w.r.t. the public keys). 
Therefore, it would have been obvious for one of ordinary skill in the art, before the effective filling of the invention to modify the systems and methods for authentication online customer service review to include the authentication or verification process of sanitiable and redactable signatures schemes of Bilzhause for the motivation of providing an improved system and methods of privacy protection and stronger security, see Bilzhause page 4 “Unlinkability”, “Stronger Security Definition”, “Receipts” and “Data loss Prevention.” 
While in Bilzhause page 3, under Unforgeability. “If one does not hold any secret keys, one should not be able to come up with a verifying signature σ∗ for a message m∗ which has neither been authorized by the signer nor the sanitizer.”  Privacy. “An outsider not holding any private keys should not be able to derive any information about sanitized parts of a message.” Accountability. “If it comes to a dispute, the signer must be able to generate a proof which points to the accountable party. Accountability requires that neither the signer nor the sanitizer can generate “false” proofs pointing to the wrong party for a adversarially generated message/signature pair (m∗, σ∗).” Which teaches the redacted signature provides a privacy-preserving proof. Further in page 4, under New Application Scenarios: Receipts. “Assume that you buy two items at a store, e.g., a TV and a toaster. However, at home it turns out that the wrong TV was bought. Normally, one returns to the store, and exchanges the TV for a different one. Then, however, the receipt needs to be changed to prevent fraud. SSSs can help here: if an item is exchanged, the receipt can simply be altered for the new item, without the need to give the customer two different receipts. This kind of idea may be useful in other contexts as well, e.g., supply-chain management” which is suggestion for the redacted signature to be used with receipts, which is purchase of a list of goods and services that a customer has purchased. While is suggested in the application, the Examiner would like to introduce Non-patent literature, CES (which is reference [121] of Bilzhause), directed to digital signature for producing an extracted signature on selected extracted portions of the original documents, which can be verified by third party while hiding unextracted (removed) document portions, to specifically teach, wherein the redacted signature provides a privacy-preserving proof of purchase of a list of goods and services that a customer has purchased (Pages 6-8 teaching the user/signer have full control to determine/select which subdocuments signature can be extracted for which is indicating the other portions to be redacted. The document can be intended for any document that can be subdocumented which can include receipts with list of goods and service that the customer has purchased).  
Therefore, it would have been obvious for one of ordinary skill in the art, before the effective filling of the invention to modify the method of checking legitimacy of a customer review using verification key and redacted signature in Montano and Bilzhause with the feature of key pair of public and private keys as taught in CES, for the motivation and benefit for providing the user/signer the ability to specify allowed extraction of document content and achieving provable security. 
The Applicant’s specification in paragraph [0014] describes the teaching of Bilzhause for the employment of redactable digital signature  to mark specific parts of a signed message as redactable or censored, and it is implied that the same techniques are applied to a customer’s receipt for redacting purchase items to hide one or more purchased goods or services to not be reviewed (see App. specification paragraph [0013]). The limitation, wherein the list of goods and services excludes at least one good or service that was redacted by the customer device from an original list of goods and services provided to the customer device by the service provider device,  is disclosed or at least suggested in Bilzhause in pages 6-8 for user indicating portions of documents or subdocuments can be redacted to hide content. Further in page 4, under New Application Scenarios: Receipts. “Assume that you buy two items at a store, e.g., a TV and a toaster. However, at home it turns out that the wrong TV was bought. Normally, one returns to the store, and exchanges the TV for a different one. Then, however, the receipt needs to be changed to prevent fraud. SSSs can help here: if an item is exchanged, the receipt can simply be altered for the new item, without the need to give the customer two different receipts. This kind of idea may be useful in other contexts as well, e.g., supply-chain management” disclosing such technique is applied to application scenarios for receipts (documents or subdocuments), which is a list of good or service. Specifically, in page 5 under Privacy “An outsider not holding any private keys should not be able to derive any information about redacted parts of a message.” teaching the reason and motivation for redacting parts of message to conceal information to be shared for privacy reasons. 
However, the Applicant asserts the combination does not expressly teach the customer redacting at least one good or service from an original list of goods and services provided to the customer device by the service provider device. 
For the purpose of compact prosecution, the Examiner introduce Goyal, for techniques of recognizing data fields of documents, which specifically teaches the well-known and obviousness of wherein the list of goods and services excludes at least one good or service that was redacted by the customer device from an original list of goods and services provided to the customer device by the service provider device (Para. [0021] and Fig. 8 teaching the user who purchased the items may want to generate a modified copy of receipt can redact or excise certain other fields of the receipt from the modified copy, e.g., the credit card information or the identity of other items purchased on the same shopping trip). 
Therefore, it would have been obvious for one of ordinary skill in the art, before the effective filling of the invention to modify the system and method of for authentication online customer service review of Montano with the redactable signatures schemes of Bilzhause and CES to include the feature of redacting a portion of customer receipt as taught in Goyal for the motivation and advantages benefits of preserving privacy (Goyal: Abstract and para. [0021]). 
Claim 15, the combination of Montano, Bilzhause, CES, and Goyal makes obvious of the system of claim 15. Montano further discloses further configured to store the customer review in a review database based on the checking determining that the redacted signature is legitimate and to not store the customer review in the database based on the checking determining that the redacted signature is not legitimate (Para. [0031], “the review has been authenticated, the review can be published (step 212) by transmitting the review to the business server 112 or a review website 116 operated by the business, a third party reviewing service or by the system's own review website or application running on a computing device such as a smartphone or tablet. In one example, the review maybe published to the employee's personal profile on a social media service where they advertise their services in addition to on the employer's website in order to further promote their service. The employee could then advertise their own customer service reviews with a card, email advertisement or online advertisement linking to their online review profile. The review may be displayed with an authentication indicator such as a keyword, logo or other symbol indicating that the review has been authenticated (step 214).” Disclosing once authenticated (which the redacted signature is legitimate), the review is transmitted and stored to a business server or review website).
Claim 16, the combination of Montano, Bilzhause, CES, and Goyal makes obvious of the method as in claim 1. CES further teaches:
wherein the verification key is from a key-pair, and wherein the key-pair comprises the verification key and a signing key (Pages 8-9, “KeyGen — Takes a security parameter k and generates a secret/public key pair (SK, PK).” teaching a key generation algorithm for generating a secret/public key pair. Wherein the secret key is representative of private and signing key and public key is representative of verification key). Therefore, it would have been obvious for one of ordinary skill in the art, before the effective filling of the invention to modify the method of checking legitimacy of a customer review using verification key and redacted signature in Montano and Bilzhause with the feature of key pair of public and private keys as taught in CES, for the motivation and benefit for providing the user/signer the ability to specify allowed extraction of document content and achieving provable security. 
Claim 17, the combination of Montano, Bilzhause, CES, and Goyal make obvious of the method as in claim 16. CES further teaches:
wherein the redacted signature is generated based on redacting at least a portion of a signature, and wherein the signature is generated using the signing key (Page 8, under section 3.4 Definition of a Content Extraction Signature, “The Extract algorithm allows the user to extract (from a ‘full’ content extraction signature σFull) a signature for the subdocument consisting of the submessages whose indexes are specified by the extraction subset X. The extracted signature σExt can then be forwarded to the verifier along with the extracted subdocument M . The ‘Content Extraction Access Structure’ (CEAS) is an encoding of the subsets of submessage indexes in the original document which the signer can use to specify which extracted subdocuments the user is “allowed” to extract valid signatures for. Therefore the CEAS is an encoding of a collections of subsets of [n], where n = length(M) and M is the signed document. We assume these subsets are encoded as bit strings in {0, 1}n so that if Cl(M ) ∈ CEAS for some document M then length(M ) = n = length(M). Also disclosed in the Abstract in page 1, “we define a new type of digital signature called a ‘Content Extraction Signature’ (CES).A CES allows the owner, Bob, of a document signed by Alice, to produce an ‘extracted signature’ on selected extracted portions of the original document, which can be verified to originate from Alice by any third party Cathy, while hiding the unextracted (removed) document portions.” The content of document only produce a selected extracted portions of the original document (which other portions are redacted) based on extracted signature). Therefore, it would have been obvious for one of ordinary skill in the art, before the effective filling of the invention to modify the method of checking legitimacy of a customer review using verification key and redacted signature in Montano and Bilzhause with the feature of key pair of public and private keys as taught in CES, for the motivation and benefit for providing the user/signer the ability to specify allowed extraction of document content and achieving provable security. 
Claim 18, the combination of Montano, Bilzhause, CES, and Goyal make obvious of the method as in claim 16. CES further teaches:
wherein the verification key is a public key of the key-pair and the signing key is a private key of the key-pair (Pages 8-9, “KeyGen — Takes a security parameter k and generates a secret/public key pair (SK, PK).” teaching a key generation algorithm for generating a secret/public key pair. Wherein the secret key is representative of private and signing key and public key is representative of verification key). Therefore, it would have been obvious for one of ordinary skill in the art, before the effective filling of the invention to modify the method of checking legitimacy of a customer review using verification key and redacted signature in Montano and Bilzhause with the feature of key pair of public and private keys as taught in CES, for the motivation and benefit for providing the user/signer the ability to specify allowed extraction of document content and achieving provable security. 
Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Montano (US 20140114877 A1), in view of Bilzhause et al. “Position Paper: The Past, Present, and Future of Sanitizable and Redactable Signature”, Pages 1-10, August 29-September 1, 2017, hereinafter “Bilzhause,” in view of NPL Content Extraction Signatures by Steinfeld, Bull, and Zheng, published in Feb 20, 2002 < https://www.cs.fsu.edu/~burmeste/zheng1.pdf>” hereinafter “CES,” in view of Goyal (US 20160307034 A1) and further in view of Wilson et al. (US 20180204191 A1), hereinafter “Wilson.”
Claim 3, the combination of Montano, Bilzhause, CES, and Goyal makes obvious of the method of claim 2. However, the combination does not expressly teach:
wherein the redacted message includes the serial number, the method further comprising a second check that the customer review is legitimate by checking a database of previously-encountered serial numbers to determine whether the serial number is present.
	Nonetheless, Wilson is directed to system and method for storing and endorsing data describing an entity more efficiently and in particular data describing a person or company, which specifically teaches,
wherein the redacted message includes the serial number, the method further comprising a second check that the customer review is legitimate by checking a database of previously-encountered serial numbers to determine whether the serial number is present (Para. [0188],“key block data may further comprise at least one of: a block number; a time stamp; and/or a hash of the previous block in the block chain.” which is teaching the redacted message can be a block number, time stamp or hash of the previous block in the block chain, are all example of serial number. Also described in para. [0401], “block header 310 comprises a block number 311, a hash of the most recent previous block that appeared in the digital currency ledger 312, a time stamp 314, and optionally an identifier of the oldest active block in the digital currency ledger 313. The block header 310 may optionally also comprise a merkle root for a merkle tree of hashes of sets of operation data and/or the number of sets of operation data contained in the block 300. The block number 311 will uniquely identify the new block 300 and may be set to a value that is one greater than most recent previous block in the digital currency ledger. The hash of the most recent previous block in the digital currency ledger 312 is used to tie the new block 300 to the most recent previous block (i.e., chain them together). The time stamp 314 indicates when the new block 300 was created. The optional identifier of the oldest active block in the digital currency ledger 313 is described in more detail below.” Para. [0407], “verification entity 20 may recognise the chronological order of the blocks in the digital currency ledger using the block number 311 and/or the time stamp 314. The verification entity 20 may set the identifier 313 in the new block 300 by looking at the oldest active block identified in the block header of the most recent previous block in the digital currency ledger. If the sets of operation data 320 in that block no longer identify any active/valid amounts of digital currency, i.e. all amounts identified in that block have been used or spent, as explained earlier (for example, because all of the currency public key hashes in the Output data in that block have appeared in the operation data of subsequent blocks and/or in the sets of operation data 320 of the new block 300), the verification entity 20 will review the digital currency ledger to identify the next oldest active block and set the identifier 313 accordingly. Thus, as old amounts of digital currency are used/spent, the identifier 313 may be updated such that the oldest active block is always identified.” Para. [0426], “The key block data may be added to the key block chain in an analogous manner to the addition of operation data to the digital currency ledger. For example, a block may be created comprising the key block data (and the key block data for any other public keys that the primary authority 50 wishes to put on the key block chain) and a block header. The block header may comprise at least one of a block number, a hash of the previous block in the key block chain and/or a time stamp. The block may then be added to the key block chain by, for example, broadcasting it to all entities in the network 200, using a P2P network, storing it in a location known to, and accessible by, the entities in the network 200, and/or adding it to their copy of the key block chain, which is then supplied to any entity that requests it, etc.” Additionally, in para. [0015], [0018]-[0019], teaching the additional checking of block data with previous block stored in the block chain which is checking a database of previously-encountered serial numbers to determine whether the serial number is present).
Therefore, it would have been obvious for one of ordinary skill in the art, before the effective filling of the invention to modify the method of checking legitimacy of a customer review using verification key and redacted signature in Montano, Bilzhause, CES, and Goyal with the feature of second check the customer review is legitimate by checking a database of previously-encountered serial numbers to determine whether the serial number was previously present as legitimate such as checking the hash block data of previous block in block chain as taught in Wilson for the motivation and benefit of verifying the previous block with hash function reduces the risk of tampering of data (para. [0058]) and providing a more trustworthy verification process.
Response
35 U.S.C. 112 Rejections:
	Claim 19 has been cancelled, therefore the corresponding 112 rejection has been withdrawn. 

35 U.S.C. 103 Rejections:
Applicant’s arguments are fully considered however is deemed moot in light of the amended claim limitations. The Office Action has introduced additional reference, Goyal to specifically teach the amended claim limitations.  
Therefore, the 103 rejection is maintained.  
Relevant Prior Art Not Relied Upon
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure. The additional cited art, including but not limited to the excerpts below, further establishes the state of the art at the time of Applicant’s invention and shows the following was known:
Black (US 20130246302 A1) is directed to systems and methods for obtaining and providing validated customer feedback information about a ratable subject, such as a service, product, facility, etc. Generally, the methods include instructing a customer to provide initial customer feedback information about the ratable subject. The methods can further include using a digital ratings device to collect the initial customer feedback information and to associate that information with temporal data (such as time, date, location, or a unique QR code). The digital ratings device can also be used to send the initial customer feedback information and temporal data to a third-party validator. The validator can then validate the initial customer feedback information by checking the temporal data to ensure the customer is a verified customer of the ratable subject. The validated information may present a substantially fair representation of the ratable subject and can be useful to potential customers. 
Roth (US 10103875 B1) is a secret holding proxy system such that the secret holding proxy system may insert a secret into a client request before arriving at the destination. The insertion of a secret may include inserting a digital signature, token or other information that includes a secret or information based upon a secret, which may include secret exchange or authentication protocols. The secret holding proxy system may also remove secrets and/or transform incoming messages such that the client may transparently receive the underlying content of the message. The secret is representation of redacted message. Further, Roth teaches, “Secrets may also be redacted or protected from receipt by the client as well. In one embodiment, sensitive information is removed from messages intercepted by the proxy and sent to the client. For example, credit card information may be detected by the proxy and removed from messages received by proxy on the way to the client. The credit card information can be used and/or stored by the proxy. In some embodiments, the credit card information is referenced in the message. The reference may be a token or encrypted version of information that is not accessible to the client, but may be referred to by the client. For example, the client can request that a token representing a credit card be charged by a service. The proxy may receive the token and substitute actual credit card information for the token and forward the request over a secure channel to the service.” Which describes the redacting of receipts. 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WENREN CHEN whose telephone number is (571)272-5208. The examiner can normally be reached Monday - Friday 10AM - 6PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Sarah M. Monfeldt can be reached on (571) 270-1833. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/W.C./Examiner, Art Unit 3689         

/SARAH M MONFELDT/Supervisory Patent Examiner, Art Unit 3689