DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
The amendments filed on September 20, 2022 have been entered.
Claims 1, 8 and 15 have been amended.
Claim objections have been withdrawn for Claims 1, 8 and 15 in lights of the amendments filed by the applicant.

Response to Arguments
Applicant’s arguments filed on September 20, 2022 have been considered, and are moot in view of the new ground(s) of the current rejection in view of Russ et al. (Pub No. US 2020/0242138).  















Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.   

Claims 1-5, 7-12, and 14-19 are rejected under 35 U.S.C. 103 as being unpatentable over LaFever et al. (Pub. No. US 2014/0287723), hereinafter LaFever, in view of Russ et al. (Pub No. US 2020/0242138), hereinafter Russ, and in view of Sze et al. (Pub. No. US 2012/0311017), hereinafter Sze. 
	
            Claim 1. 	LaFever discloses a computer-implemented method comprising: 
            receiving, by a user device, a tracking cookie from a content publisher (Parag. [0023-0025], Parag. [0139], and Parag. [0308-0309]; (The art teaches that a cookie is sent from the website (i.e., publisher) to the user’s browser running on the user’s device));  
            detecting, by the user device, a semi-anonymous cookie attribute for the tracking cookie (Parag. [0022-0025], Parag. [0055-0056]; (The art teaches that the privacy client (i.e., within the client device) captures activity conducted using the device, and relates the conducted activity to the TDR including dynamically changing de-identifiers (DDID). The art teaches that each DDID is associated with a data subject to operate in a “dynamically anonymous” manner, which refers to a user’s ability to remain anonymous));  
		in response to detecting the semi-anonymous cookie attribute, requesting, by the user device, anonymization advice for the tracking cookie from an anonymization service (Parag. [0031], Parag. [0047], Parag. [0049], Parag. [0139], Parag. [0206], Parag. [0228], and Parag. [0246]; (The art teaches that clients communicate with a privacy server that processes and responds to requests for information from privacy clients, such as requests regarding data attributes or attribute combination. The art teaches receiving a request, at a privacy server (i.e., providing anonymizing service), from a client device to conduct activity over a network; determining which of a plurality of data attributes in a database is necessary to complete the requested activity; creating a DDID, etc.,)), wherein requesting the anonymization advice comprises providing a desired level of anonymity and a demographic attribute to the anonymization service (Parag. [0029] and Parag. [0206-0208]; (The art teaches that the data attribute may be linked to independent attributes or dependent attributes or separated into independent attributes or dependent attributes by means of a privacy server coupled to the database in response to requests for functions and/or services from one or more privacy clients. The art teaches sending a request via the privacy client to the privacy server to conduct a desired action, activity or process. The privacy server determines the attribute combinations necessary to perform the desired action, activity, or process and retrieves them from the database as attribute combination. In this example implementation of the system, the abstraction module of the privacy server is configured to add or delete attributes, retrieve attribute combinations, and to modify attributes within any given combination. The user may notify the privacy server to release only the recent shopping and other user defined information to the visited site (i.e., the desired level of anonymity). As a result in this example, the privacy server may select the following attributes: shoe size=9, shoes recently viewed at other websites=Nike X, Asics Y, New Balance Z, average price of the shoes viewed=$109, zip code of the shopper=80302, gender of the shopper=male (i.e., demographic attribute), weight of the shopper=185 lbs.  The privacy server may collect these attributes, generate a unique DDID or accept or modify a temporally unique, dynamically changing value to serve as the DDID and assign the DDID to the attributes and send the same to the visited website as a TDR));  
           receiving, by the user device, the anonymization advice including a semi-anonymous value for the tracking cookie from the anonymization service (Parag. [0018], Parag. [0055], Parag. [0214], Parag. [0233], Parag. [0234], Parag. [0252-0253], and Parag. [0290]; (The art teaches receiving a request, at a privacy server, from a client device to conduct activity over a network; determining which of a plurality of data attributes in a database are necessary to complete the requested activity; creating a DDID; associating the DDID with the determined data attributes to create a combined TDR; making the combined TDR accessible to at least one network device for conducting or initiating the requesting activity. The art teaches that the client receives temporally limited data representations (TDRs) including dynamically changing de-identifiers (DDIDs) and associated data attributes necessary for conducting the activity over the network from the privacy server. The art teaches that each DDID is associated with a data subject to operate in a “dynamically anonymous” manner, which refers to a user’s ability to remain anonymous));                                         
           storing, by the user device, the semi-anonymous value for the tracking cookie based on the anonymization advice (Parag. [0055-0056], Parag. [0214], Parag. [0233-0234], Parag. [0252-0253], and Parag. [0314-0316]; (The art teaches that the client receives temporally limited data representations (TDRs) including dynamically changing de-identifiers (DDIDs) values and associated data attributes necessary for conducting the activity over the network from the privacy server; and the privacy client captures activity conducted using the device, and relate the conducted activity to the TDRs (i.e., TDRs are stored in the privacy client residing on a mobile device))), and
           transmitting, by the user device, the tracking cookie and the semi-anonymous value for the tracking cookie with a request for content (Parag. [0023], Parag. [0214], Parag. [0233-0234], Parag. [0308], and Parag. [0314-0316]; (The art teaches that TDRs including the DDIDs (serving as a cookie) comprised of attribute combinations and identifiers are transmitted via privacy clients to recipient entities for use by recipient entities in connection with desired actions, activities or processes pertaining to recipient entities));
           the semi- anonymous value for a respective tracking cookie (Parag. [0023], Parag. [0214], Parag. [0233-0234], Parag. [0308], and Parag. [0314-0316]; (The art teaches that TDRs including the DDIDs (serving as a cookie) comprised of attribute combinations and identifiers are transmitted via privacy clients to recipient entities for use by recipient entities in connection with desired actions, activities or processes pertaining to recipient entities)).
           LaFever doesn’t explicitly disclose wherein the semi-anonymous value non-uniquely identifies the user device as one of a group of user devices each using the semi- anonymous value, and wherein the semi-anonymous value does not contain the demographic attribute, wherein the group of user devices is selected such that each user device of the group of user devices is associated with a different respective user having the demographic attribute, and the group has a number of members within a range criteria corresponding to the desired level of anonymity requested by the user device; and receiving, by the user device, content based on actions performed by the different respective users of other user devices in the group of user devices.
           However, Russ discloses wherein the semi-anonymous value non-uniquely identifies the user device as one of a group of user devices each using the semi- anonymous value, and wherein the semi-anonymous value does not contain the demographic attribute, wherein the group of user devices is selected such that each user device of the group of user devices is associated with a different respective user having the demographic attribute (The art teaches in Parag. [0025] that the anonymity protection system associates a gender data field with a strict anonymity threshold to prevent an analyst from identifying respondents based on gender, while the system associates more generic data fields with more lenient anonymity thresholds. The art teaches in Parag. [0028] that the anonymity protection system protects the anonymity of respondents associated with any data included in any data breakout. As used herein, the term “data breakout” refers to any subset of a dataset based on one or more data characteristics. For example, a dataset can include all survey responses for corresponding to an electronic survey, and a data breakout can include a subset of survey responses based on any number of parameters, such as survey administration time or date, location, gender, age, other demographic characteristics, employee position, compensation, and/or any other characteristic or attribute associated with a survey response. The art teaches in Parag. [0050-0051] that the anonymity protection system improves upon conventional anonymity protection methods and simultaneously ensures quality data reporting to an analyst. For example, unlike conventional systems, the anonymity protection system protects respondent anonymity by implementing anonymity thresholds and genericizing text responses. Further, the anonymity protection system implements these thresholds in a flexible user-dependent, data field-dependent manner, and as needed basis. The result is that the anonymity protection system provides a level of anonymity protection that conventional systems were not able to provide. While ensuring the anonymity of respondents, the anonymity protection system also provides powerful data analytics tools that automatically modifies data output that most closely provides the data which an analyst requested, but also ensures the protection of respondent anonymity. To accomplish this, the anonymity protection system may determine new demographic groupings that are non-identifying, but that provide an analyst with data similar to the requested filters. See also Parag. [0089] and Parag. [0106-0107]); and the group has a number of members within a range criteria corresponding to the desired level of anonymity requested by the user device (The art teaches in Parag. [0026] enabling a user increased control over anonymity settings (i.e., desired level of anonymity). For example, the anonymity protection system can receive user-defined anonymity settings based on a particular organization's needs, industry standards, or other considerations. In addition, the anonymity protection system provides a graphical user interface to allow a user to enter “grades” or “scores” representing the importance of anonymity for each data field present in a dataset, and the anonymity protection system may determine anonymity thresholds based on the “grades” or “scores.” In other embodiments, the anonymity protection system can generate anonymity thresholds based on the type of data in a data field, the amount of data in the data set, and/or other characteristics of data fields and data sets. The art teaches in Parag. [0027] that anonymity threshold” refers to a system-required number of respondents (i.e., number of members) related to a data request in order for the system to present data related to that request. In particular, the term “anonymity threshold” can include a minimum number of respondents within filtered-in data, filtered-out data, and possible cross-filters of data necessary for the anonymity protection system to provide anonymous data in response to a data request. In other words, an “anonymity threshold” can include a minimum number of respondents associated with a data breakout that would ensure the anonymity of the respondents. For example, an anonymity threshold can include a minimum number of respondents to include in a data breakout to ensure that the identity of an individual respondent cannot be directly viewed in a data breakout (e.g., within filtered-in data provided in response to a data request) and cannot be indirectly inferred from data not included in a data breakout (e.g., within filtered-out data that can be identified based on a cross-filter between unfiltered data and filtered-in data). The art teaches in Parag. [0106-0107] that FIGS. 5A-5B illustrate a flow diagram representing an overview of the process of maintaining respondent anonymity in a dataset according to permissions set by the survey administrator 110. As shown in FIGS. 5A-5B, the flow diagram includes reporting devices 102a, 102b, the survey administrator device 108, and server device(s) 120, as described above with regard to FIG. 1. As illustrated in FIG. 5A, the survey administrator device 108 may detect user input(s) defining a hierarchy of anonymity value levels associated with one or more user groups, as shown in step 502. Similar to the discussion in FIGS. 2-4 above, the server administrator device 108 may receive the user input defining a hierarchy of anonymity value levels in any of a variety of ways in a variety of contexts. The hierarchy of anonymity values may determine one or more permissions levels and may associate one or more anonymity values one or more user groups with a permissions level. See also Parag. [0089]).
		It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modifying the information in the cookies taught by LaFever to incorporate the teaching of Russ. This would be convenient to for sufficiently maintaining the anonymity of a respondent (i.e., user).
            Sze discloses receiving, by the user device, content based on actions performed by the different respective users of other user devices in the group of user devices (Parag. [0037], Parag. [0040-0041], Parag. [0045], and Parag. [0049]; (The art teaches that based on data included in the request for advertisements, the advertisement management system selects advertisements (i.e., content) that are eligible to be provided in response to the request. For example, eligible advertisements can include advertisements having characteristics (e.g., size and/or aspect ratio) matching the characteristics of advertisement slots and that are identified as relevant to specified resource keywords or search queries (i.e., submitted by different user devices). Data representing conditions under which advertisements were selected for presentation to a user, and user interaction data (e.g., Id1 .  . . Idn) representing actions taken by users in response to presentation of the advertisement (e.g., Ad1 .  . . Adi) can be stored in a data store such as performance data store. The art teaches that a user's identity may be anonymized and/or encrypted so that the no personally identifiable information can be determined for the user, or a user's activities may be generalized (e.g., to a large group of users) where user activity information is obtained. The ad server uses information included in the ad request to select an ad that will be provided with the web page. For example, the ad server can use psychographic, demographic, or other information about a group of users with which the user is associated in order to select the ad. In some implementations, the ad server can access an advertisement data store to select an ad having targeting criteria that match the information included in the ad request)).
                It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify LaFever in view of Russ to incorporate the teaching of Sze. This would be convenient for preventing an error to occur that prevents the specified resource from being provided to the user device (Parag. [0002]). 

Claim 2. 	LaFever in view of Russ and Sze discloses the computer-implemented method of claim 1, 
LaFever further discloses the computer-implemented method further comprising replacing a unique value for the tracking cookie with the semi-anonymous value for the tracking cookie (Parag. [0018], Parag. [0022], and Parag. [0043]; (The art teaches that each DDID is associated with data attributes, and the current DDID is replaced with different DDID. The art teaches that selecting a DDID includes generating the unique DDID, which is a value, or modifying a temporally unique, dynamically changing value to serve as the DDID. The DDID is associated with a data subject to operate in a “dynamically anonymous” manner, which refers to a user’s ability to remain anonymous)). 
 
Claim 3. 	LaFever in view of Russ and Sze discloses the computer-implemented method of claim 1,  
LaFever further discloses wherein the semi-anonymous value of the tracking cookie is shared with each user device of the group of user devices (Parag. [0037], Parag. [0200], and Fig.6; (The art teaches that the user device shares the TDRs, which include DDIDs, with other network devices with a predetermined physical, virtual or logical proximity of the mobile device. Locations 602 to 618 (Fig. 6) show locations of mobile device 110, 112, 114, 116 users, comprising the location 606 of the mobile device 110 whose user desires anonymization of data and the locations 602, 604, 608-618 of other mobile device 112, 114, 116 users)).  
Claim 4. 	LaFever in view of Russ and Sze discloses the computer-implemented method of claim 1,   
LaFever in view of Russ doesn’t explicitly disclose wherein a content publisher stores a log file for actions performed by the group of user devices using the semi-anonymous value for the tracking cookie.  
		However, Sze discloses wherein a content publisher stores a log file for actions performed by the group of user devices using the semi-anonymous value for the tracking cookie (Parag. [0037], Parag. [0040-0041], Parag. [0045], and Parag. [0049]; (The art teaches that based on data included in the request for advertisements, the advertisement management system selects advertisements (i.e., content) that are eligible to be provided in response to the request. For example, eligible advertisements can include advertisements having characteristics (e.g., size and/or aspect ratio) matching the characteristics of advertisement slots and that are identified as relevant to specified resource keywords or search queries (i.e., submitted by different user devices). Data representing conditions under which advertisements were selected for presentation to a user, and user interaction data (e.g., Id1 .  . . Idn) representing actions taken by users in response to presentation of the advertisement (e.g., Ad1 .  . . Adi) can be stored in a data store such as performance data store The art teaches that a user's identity may be anonymized and/or encrypted so that the no personally identifiable information can be determined for the user, or a user's activities may be generalized (e.g., to a large group of users) where user activity information is obtained)).  
		It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify LaFever in view of Russ to incorporate the teaching of Sze. This would be convenient for preventing an error to occur that prevents the specified resource from being provided to the user device (Parag. [0002]).

Claim 5. 	LaFever in view of Russ and Sze discloses the computer-implemented method of claim 4,    
LaFever in view of Russ doesn’t explicitly disclose the computer-implemented method wherein the received content is tailored based on the log file for actions performed by the group of user devices using the semi-anonymous value for the tracking cookie. 
However, Sze discloses wherein the received content is tailored based on the log file for actions performed by the group of user devices using the semi-anonymous value for the tracking cookie (Parag. [0024-0026]; (The art teaches that when a request for content is received (i.e., by the content publisher), and the request includes an anonymous identifier associated with a user's desktop device.  The received anonymous identifier is used to look up the user's other anonymous identifiers (e.g., for mobile and other devices of the user). The retrieved set of anonymous identifiers can be used access to session history information in the other tables (e.g., user browsing history). The aggregated session history information, associated with the anonymous identifier, is provided to a content management system in order to determine and select eligible content for delivery to the user responsive to the received request (i.e., receiving content))). 
It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify LaFever in view of Russ to incorporate the teaching of Sze. This would be convenient for preventing an error to occur that prevents the specified resource from being provided to the user device (Parag. [0002]).

Claim 7. 	LaFever in view of Russ and Sze discloses the computer-implemented method of claim 1,   
		LaFever further discloses wherein the semi-anonymous value is selected using a random number generator (Parag. [0034]; (The art teaches that the DDIDs, which are associated with a data subject to operate in a “dynamically anonymous” manner, are assigned for purposes of disassociation and/or replacement and retain their initially assigned value(s) until the value(s) are changed based on a random, fixed, variable)).  

Claim 8. 	LaFever discloses a non-transitory computer-readable storage medium comprising instructions executable by a processor of a user device (Parag. [0139]; user device), the instructions when executed causing the processor to perform actions comprising:  
receiving, by the processor, a tracking cookie from a content publisher (Parag. [0023-0025], Parag. [0139], and Parag. [0308-0309]; (The art teaches that a cookie is sent from the website (i.e., publisher) to the user’s browser running on the user’s device));  
detecting, by the processor, a semi-anonymous cookie attribute for the tracking cookie (Parag. [0022-0025], Parag. [0055-0056]; (The art teaches that the privacy client (i.e., within the client device) captures activity conducted using the device, and relates the conducted activity to the TDR including dynamically changing de-identifiers (DDID). The art teaches that each DDID is associated with a data subject to operate in a “dynamically anonymous” manner, which refers to a user’s ability to remain anonymous));  
in response to detecting the semi-anonymous cookie attribute, requesting, by the processor, anonymization advice for the tracking cookie from an anonymization service (Parag. [0031], Parag. [0047], Parag. [0049], Parag. [0139], Parag. [0206], Parag. [0228], and Parag. [0246]; (The art teaches that clients communicate with a privacy server that processes and responds to requests for information from privacy clients, such as requests regarding fata attributes or attribute combination. The art teaches receiving a request, at a privacy server (i.e., providing anonymizing service), from a client device to conduct activity over a network; determining which of a plurality of data attributes in a database is necessary to complete the requested activity; creating a DDID, etc.,)), wherein requesting the anonymization advice comprises providing a desired level of anonymity and a demographic attribute to the anonymization service (Parag. [0029] and Parag. [0206-0208]; (The art teaches that the data attribute may be linked to independent attributes or dependent attributes or separated into independent attributes or dependent attributes by means of a privacy server coupled to the database in response to requests for functions and/or services from one or more privacy clients. The art teaches sending a request via the privacy client to the privacy server to conduct a desired action, activity or process. The privacy server determines the attribute combinations necessary to perform the desired action, activity, or process and retrieves them from the database as attribute combination. In this example implementation of the system, the abstraction module of the privacy server is configured to add or delete attributes, retrieve attribute combinations, and to modify attributes within any given combination. The user may notify the privacy server to release only the recent shopping and other user defined information to the visited site (i.e., the desired level of anonymity). As a result in this example, the privacy server may select the following attributes: shoe size=9, shoes recently viewed at other websites=Nike X, Asics Y, New Balance Z, average price of the shoes viewed=$109, zip code of the shopper=80302, gender of the shopper=male (i.e., demographic attribute), weight of the shopper=185 lbs.  The privacy server may collect these attributes, generate a unique DDID or accept or modify a temporally unique, dynamically changing value to serve as the DDID and assign the DDID to the attributes and send the same to the visited website as a TDR));  
receiving, by the processor, the anonymization advice including a semi-anonymous value for the tracking cookie from the anonymization service (Parag. [0018], Parag. [0055], Parag. [0214], Parag. [0233], Parag. [0234], Parag. [0252-0253], and Parag. [0290]; (The art teaches receiving a request, at a privacy server, from a client device to conduct activity over a network; determining which of a plurality of data attributes in a database are necessary to complete the requested activity; creating a DDID; associating the DDID with the determined data attributes to create a combined TDR; making the combined TDR accessible to at least one network device for conducting or initiating the requesting activity. The art teaches that the client receives temporally limited data representations (TDRs) including dynamically changing de-identifiers (DDIDs) and associated data attributes necessary for conducting the activity over the network from the privacy server. The art teaches that each DDID is associated with a data subject to operate in a “dynamically anonymous” manner, which refers to a user’s ability to remain anonymous)); 
storing, by the processor, the semi-anonymous value for the tracking cookie based on the anonymization advice (Parag. [0055-0056], Parag. [0214], Parag. [0233-0234], Parag. [0252-0253], and Parag. [0314-0316]; (The art teaches that the client receives temporally limited data representations (TDRs) including dynamically changing de-identifiers (DDIDs) values and associated data attributes necessary for conducting the activity over the network from the privacy server; and the privacy client captures activity conducted using the device, and relate the conducted activity to the TDRs (i.e., TDRs are stored in the privacy client residing on a mobile device))); and 
transmitting, by the processor, the tracking cookie and the semi-anonymous value for the tracking cookie with a request for content (Parag. [0023], Parag. [0214], Parag. [0233-0234], Parag. [0308], and Parag. [0314-0316]; (The art teaches that TDRs including the DDIDs (serving as a cookie) comprised of attribute combinations and identifiers are transmitted via privacy clients to recipient entities for use by recipient entities in connection with desired actions, activities or processes pertaining to recipient entities));
the semi- anonymous value for a respective tracking cookie (Parag. [0023], Parag. [0214], Parag. [0233-0234], Parag. [0308], and Parag. [0314-0316]; (The art teaches that TDRs including the DDIDs (serving as a cookie) comprised of attribute combinations and identifiers are transmitted via privacy clients to recipient entities for use by recipient entities in connection with desired actions, activities or processes pertaining to recipient entities)).  
		LaFever doesn’t explicitly disclose wherein the semi-anonymous value non-uniquely identifies the user device as one of a group of user devices each using the semi- anonymous value, and wherein the semi-anonymous value does not contain the demographic attribute, wherein the group of user devices is selected such that each user device of the group of user devices is associated with a different respective user having the demographic attribute; and the group has a number of members within a range criteria corresponding to the desired level of anonymity requested by the user device; and receiving, by the processor, content based on actions performed by the different respective users of other user devices in the group of user devices. 
		However, Russ discloses wherein the semi-anonymous value non-uniquely identifies the user device as one of a group of user devices each using the semi- anonymous value, and wherein the semi-anonymous value does not contain the demographic attribute, wherein the group of user devices is selected such that each user device of the group of user devices is associated with a different respective user having the demographic attribute (The art teaches in Parag. [0025] that the anonymity protection system associates a gender data field with a strict anonymity threshold to prevent an analyst from identifying respondents based on gender, while the system associates more generic data fields with more lenient anonymity thresholds. The art teaches in Parag. [0028] that the anonymity protection system protects the anonymity of respondents associated with any data included in any data breakout. As used herein, the term “data breakout” refers to any subset of a dataset based on one or more data characteristics. For example, a dataset can include all survey responses for corresponding to an electronic survey, and a data breakout can include a subset of survey responses based on any number of parameters, such as survey administration time or date, location, gender, age, other demographic characteristics, employee position, compensation, and/or any other characteristic or attribute associated with a survey response. The art teaches in Parag. [0050-0051] that the anonymity protection system improves upon conventional anonymity protection methods and simultaneously ensures quality data reporting to an analyst. For example, unlike conventional systems, the anonymity protection system protects respondent anonymity by implementing anonymity thresholds and genericizing text responses. Further, the anonymity protection system implements these thresholds in a flexible user-dependent, data field-dependent manner, and as needed basis. The result is that the anonymity protection system provides a level of anonymity protection that conventional systems were not able to provide. While ensuring the anonymity of respondents, the anonymity protection system also provides powerful data analytics tools that automatically modifies data output that most closely provides the data which an analyst requested, but also ensures the protection of respondent anonymity. To accomplish this, the anonymity protection system may determine new demographic groupings that are non-identifying, but that provide an analyst with data similar to the requested filters. See also Parag. [0089] and Parag. [0106-0107]), and the group has a number of members within a range criteria corresponding to the desired level of anonymity requested by the user device (The art teaches in Parag. [0026] enabling a user increased control over anonymity settings (i.e., desired level of anonymity). For example, the anonymity protection system can receive user-defined anonymity settings based on a particular organization's needs, industry standards, or other considerations. In addition, the anonymity protection system provides a graphical user interface to allow a user to enter “grades” or “scores” representing the importance of anonymity for each data field present in a dataset, and the anonymity protection system may determine anonymity thresholds based on the “grades” or “scores.” In other embodiments, the anonymity protection system can generate anonymity thresholds based on the type of data in a data field, the amount of data in the data set, and/or other characteristics of data fields and data sets. The art teaches in Parag. [0027] that anonymity threshold” refers to a system-required number of respondents (i.e., number of members) related to a data request in order for the system to present data related to that request. In particular, the term “anonymity threshold” can include a minimum number of respondents within filtered-in data, filtered-out data, and possible cross-filters of data necessary for the anonymity protection system to provide anonymous data in response to a data request. In other words, an “anonymity threshold” can include a minimum number of respondents associated with a data breakout that would ensure the anonymity of the respondents. For example, an anonymity threshold can include a minimum number of respondents to include in a data breakout to ensure that the identity of an individual respondent cannot be directly viewed in a data breakout (e.g., within filtered-in data provided in response to a data request) and cannot be indirectly inferred from data not included in a data breakout (e.g., within filtered-out data that can be identified based on a cross-filter between unfiltered data and filtered-in data). The art teaches in Parag. [0106-0107] that FIGS. 5A-5B illustrate a flow diagram representing an overview of the process of maintaining respondent anonymity in a dataset according to permissions set by the survey administrator 110. As shown in FIGS. 5A-5B, the flow diagram includes reporting devices 102a, 102b, the survey administrator device 108, and server device(s) 120, as described above with regard to FIG. 1. As illustrated in FIG. 5A, the survey administrator device 108 may detect user input(s) defining a hierarchy of anonymity value levels associated with one or more user groups, as shown in step 502. Similar to the discussion in FIGS. 2-4 above, the server administrator device 108 may receive the user input defining a hierarchy of anonymity value levels in any of a variety of ways in a variety of contexts. The hierarchy of anonymity values may determine one or more permissions levels and may associate one or more anonymity values one or more user groups with a permissions level. See also Parag. [0089]).
		It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modifying the information in the cookies taught by LaFever to incorporate the teaching of Russ. This would be convenient to for sufficiently maintaining the anonymity of a respondent (i.e., user).
		Sze discloses receiving, by the processor, content based on actions performed by the different respective users of other user devices in the group of user devices (Parag. [0037], Parag. [0040-0041], Parag. [0045], and Parag. [0049]; (The art teaches that based on data included in the request for advertisements, the advertisement management system selects advertisements (i.e., content) that are eligible to be provided in response to the request. For example, eligible advertisements can include advertisements having characteristics (e.g., size and/or aspect ratio) matching the characteristics of advertisement slots and that are identified as relevant to specified resource keywords or search queries (i.e., submitted by different user devices). Data representing conditions under which advertisements were selected for presentation to a user, and user interaction data (e.g., Id1 .  . . Idn) representing actions taken by users in response to presentation of the advertisement (e.g., Ad1 .  . . Adi) can be stored in a data store such as performance data store. The art teaches that a user's identity may be anonymized and/or encrypted so that the no personally identifiable information can be determined for the user, or a user's activities may be generalized (e.g., to a large group of users) where user activity information is obtained. The ad server uses information included in the ad request to select an ad that will be provided with the web page. For example, the ad server can use psychographic, demographic, or other information about a group of users with which the user is associated in order to select the ad. In some implementations, the ad server can access an advertisement data store to select an ad having targeting criteria that match the information included in the ad request)).
It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify LaFever in view of Russ to incorporate the teaching of Sze. This would be convenient for preventing an error to occur that prevents the specified resource from being provided to the user device (Parag. [0002]). 

Claim 9 is taught by LaFever in view of Russ and Sze as described for claim 2. 

Claim 10 is taught by LaFever in view of Russ and Sze as described for claim 3.

Claim 11 is taught by LaFever in view of Russ and Sze as described for claim 4.   

Claim 12 is taught by LaFever in view of Russ and Sze as described for claim 5.

Claim 14 is taught by LaFever in view of Russ and Sze as described for claim 7.  

Claim 15. 	LaFever discloses a computer system comprising:  
a computer processor of a user device; and a non-transitory computer-readable storage medium comprising instructions (Parag. [0139]; user device) that when executed by the computer processor cause the computer system to perform actions 2126295/42127/FW/10432930.4comprising: 
receiving, by the computer processor, a tracking cookie from a content publisher (Parag. [0023-0025], Parag. [0139], and Parag. [0308-0309]; (The art teaches that a cookie is sent from the website (i.e., publisher) to the user’s browser running on the user’s device));  
detecting, by the computer processor, a semi-anonymous cookie attribute for the tracking cookie (Parag. [0022-0025], Parag. [0055-0056]; (The art teaches that the privacy client (i.e., within the client device) captures activity conducted using the device, and relates the conducted activity to the TDR including dynamically changing de-identifiers (DDID). The art teaches that each DDID is associated with a data subject to operate in a “dynamically anonymous” manner, which refers to a user’s ability to remain anonymous));  
in response to detecting the semi-anonymous cookie attribute, requesting, by the computer processor, anonymization advice for the tracking cookie from an anonymization service (Parag. [0031], Parag. [0047], Parag. [0049], Parag. [0139], Parag. [0206], Parag. [0228], and Parag. [0246]; (The art teaches that clients communicate with a privacy server that processes and responds to requests for information from privacy clients, such as requests regarding fata attributes or attribute combination. The art teaches receiving a request, at a privacy server (i.e., providing anonymizing service), from a client device to conduct activity over a network; determining which of a plurality of data attributes in a database is necessary to complete the requested activity; creating a DDID, etc.,)), wherein requesting the anonymization advice comprises providing a desired level of anonymity and a demographic attribute to the anonymization service (Parag. [0029] and Parag. [0206-0208]; (The art teaches that the data attribute may be linked to independent attributes or dependent attributes or separated into independent attributes or dependent attributes by means of a privacy server coupled to the database in response to requests for functions and/or services from one or more privacy clients. The art teaches sending a request via the privacy client to the privacy server to conduct a desired action, activity or process. The privacy server determines the attribute combinations necessary to perform the desired action, activity, or process and retrieves them from the database as attribute combination. In this example implementation of the system, the abstraction module of the privacy server is configured to add or delete attributes, retrieve attribute combinations, and to modify attributes within any given combination. The user may notify the privacy server to release only the recent shopping and other user defined information to the visited site (i.e., the desired level of anonymity). As a result in this example, the privacy server may select the following attributes: shoe size=9, shoes recently viewed at other websites=Nike X, Asics Y, New Balance Z, average price of the shoes viewed=$109, zip code of the shopper=80302, gender of the shopper=male (i.e., demographic attribute), weight of the shopper=185 lbs.  The privacy server may collect these attributes, generate a unique DDID or accept or modify a temporally unique, dynamically changing value to serve as the DDID and assign the DDID to the attributes and send the same to the visited website as a TDR)); 
receiving, by the computer processor, the anonymization advice including a semi-anonymous value for the tracking cookie from the anonymization service (Parag. [0018], Parag. [0055], Parag. [0214], Parag. [0233], Parag. [0234], Parag. [0252-0253], and Parag. [0290]; (The art teaches receiving a request, at a privacy server, from a client device to conduct activity over a network; determining which of a plurality of data attributes in a database are necessary to complete the requested activity; creating a DDID; associating the DDID with the determined data attributes to create a combined TDR; making the combined TDR accessible to at least one network device for conducting or initiating the requesting activity. The art teaches that the client receives temporally limited data representations (TDRs) including dynamically changing de-identifiers (DDIDs) and associated data attributes necessary for conducting the activity over the network from the privacy server. The art teaches that each DDID is associated with a data subject to operate in a “dynamically anonymous” manner, which refers to a user’s ability to remain anonymous));  
storing, by the computer processor, the semi-anonymous value for the tracking cookie based on the anonymization advice (Parag. [0055-0056], Parag. [0214], Parag. [0233-0234], Parag. [0252-0253], and Parag. [0314-0316]; (The art teaches that the client receives temporally limited data representations (TDRs) including dynamically changing de-identifiers (DDIDs) values and associated data attributes necessary for conducting the activity over the network from the privacy server; and the privacy client captures activity conducted using the device, and relate the conducted activity to the TDRs (i.e., TDRs are stored in the privacy client residing on a mobile device))); and 
transmitting, by the computer processor, the tracking cookie and the semi- anonymous value for the tracking cookie with a request for content (Parag. [0023], Parag. [0214], Parag. [0233-0234], Parag. [0308], and Parag. [0314-0316]; (The art teaches that TDRs including the DDIDs (serving as a cookie) comprised of attribute combinations and identifiers are transmitted via privacy clients to recipient entities for use by recipient entities in connection with desired actions, activities or processes pertaining to recipient entities));
            the semi- anonymous value for a respective tracking cookie (Parag. [0023], Parag. [0214], Parag. [0233-0234], Parag. [0308], and Parag. [0314-0316]; (The art teaches that TDRs including the DDIDs (serving as a cookie) comprised of attribute combinations and identifiers are transmitted via privacy clients to recipient entities for use by recipient entities in connection with desired actions, activities or processes pertaining to recipient entities)).
		LaFever doesn’t explicitly disclose wherein the semi-anonymous value non-uniquely identifies the user device as one of a group of user devices each using the semi- anonymous value, and wherein the semi-anonymous value does not contain the demographic attribute, wherein the group of user devices is selected such that each user device of the group of user devices is associated with a different respective user having the demographic attribute; and the group has a number of members within a range criteria corresponding to the desired level of anonymity requested by the user device; and receiving, by the computer processor, content based on actions performed by the different respective users of other user devices in the group of user devices. 
		However, Russ discloses wherein the semi-anonymous value non-uniquely identifies the user device as one of a group of user devices each using the semi- anonymous value, and wherein the semi-anonymous value does not contain the demographic attribute, wherein the group of user devices is selected such that each user device of the group of user devices is associated with a different respective user having the demographic attribute (The art teaches in Parag. [0025] that the anonymity protection system associates a gender data field with a strict anonymity threshold to prevent an analyst from identifying respondents based on gender, while the system associates more generic data fields with more lenient anonymity thresholds. The art teaches in Parag. [0028] that the anonymity protection system protects the anonymity of respondents associated with any data included in any data breakout. As used herein, the term “data breakout” refers to any subset of a dataset based on one or more data characteristics. For example, a dataset can include all survey responses for corresponding to an electronic survey, and a data breakout can include a subset of survey responses based on any number of parameters, such as survey administration time or date, location, gender, age, other demographic characteristics, employee position, compensation, and/or any other characteristic or attribute associated with a survey response. The art teaches in Parag. [0050-0051] that the anonymity protection system improves upon conventional anonymity protection methods and simultaneously ensures quality data reporting to an analyst. For example, unlike conventional systems, the anonymity protection system protects respondent anonymity by implementing anonymity thresholds and genericizing text responses. Further, the anonymity protection system implements these thresholds in a flexible user-dependent, data field-dependent manner, and as needed basis. The result is that the anonymity protection system provides a level of anonymity protection that conventional systems were not able to provide. While ensuring the anonymity of respondents, the anonymity protection system also provides powerful data analytics tools that automatically modifies data output that most closely provides the data which an analyst requested, but also ensures the protection of respondent anonymity. To accomplish this, the anonymity protection system may determine new demographic groupings that are non-identifying, but that provide an analyst with data similar to the requested filters. See also Parag. [0089] and Parag. [0106-0107]), and the group has a number of members within a range criteria corresponding to the desired level of anonymity requested by the user device (The art teaches in Parag. [0026] enabling a user increased control over anonymity settings (i.e., desired level of anonymity). For example, the anonymity protection system can receive user-defined anonymity settings based on a particular organization's needs, industry standards, or other considerations. In addition, the anonymity protection system provides a graphical user interface to allow a user to enter “grades” or “scores” representing the importance of anonymity for each data field present in a dataset, and the anonymity protection system may determine anonymity thresholds based on the “grades” or “scores.” In other embodiments, the anonymity protection system can generate anonymity thresholds based on the type of data in a data field, the amount of data in the data set, and/or other characteristics of data fields and data sets. The art teaches in Parag. [0027] that anonymity threshold” refers to a system-required number of respondents (i.e., number of members) related to a data request in order for the system to present data related to that request. In particular, the term “anonymity threshold” can include a minimum number of respondents within filtered-in data, filtered-out data, and possible cross-filters of data necessary for the anonymity protection system to provide anonymous data in response to a data request. In other words, an “anonymity threshold” can include a minimum number of respondents associated with a data breakout that would ensure the anonymity of the respondents. For example, an anonymity threshold can include a minimum number of respondents to include in a data breakout to ensure that the identity of an individual respondent cannot be directly viewed in a data breakout (e.g., within filtered-in data provided in response to a data request) and cannot be indirectly inferred from data not included in a data breakout (e.g., within filtered-out data that can be identified based on a cross-filter between unfiltered data and filtered-in data). The art teaches in Parag. [0106-0107] that FIGS. 5A-5B illustrate a flow diagram representing an overview of the process of maintaining respondent anonymity in a dataset according to permissions set by the survey administrator 110. As shown in FIGS. 5A-5B, the flow diagram includes reporting devices 102a, 102b, the survey administrator device 108, and server device(s) 120, as described above with regard to FIG. 1. As illustrated in FIG. 5A, the survey administrator device 108 may detect user input(s) defining a hierarchy of anonymity value levels associated with one or more user groups, as shown in step 502. Similar to the discussion in FIGS. 2-4 above, the server administrator device 108 may receive the user input defining a hierarchy of anonymity value levels in any of a variety of ways in a variety of contexts. The hierarchy of anonymity values may determine one or more permissions levels and may associate one or more anonymity values one or more user groups with a permissions level. See also Parag. [0089]).
		It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modifying the information in the cookies taught by LaFever to incorporate the teaching of Russ. This would be convenient to for sufficiently maintaining the anonymity of a respondent (i.e., user).  
		Sze discloses receiving, by the computer processor, content based on actions performed by the different respective users of other user devices in the group of user devices (Parag. [0037], Parag. [0040-0041], Parag. [0045], and Parag. [0049]; (The art teaches that based on data included in the request for advertisements, the advertisement management system selects advertisements (i.e., content) that are eligible to be provided in response to the request. For example, eligible advertisements can include advertisements having characteristics (e.g., size and/or aspect ratio) matching the characteristics of advertisement slots and that are identified as relevant to specified resource keywords or search queries (i.e., submitted by different user devices). Data representing conditions under which advertisements were selected for presentation to a user, and user interaction data (e.g., Id1 .  . . Idn) representing actions taken by users in response to presentation of the advertisement (e.g., Ad1 .  . . Adi) can be stored in a data store such as performance data store. The art teaches that a user's identity may be anonymized and/or encrypted so that the no personally identifiable information can be determined for the user, or a user's activities may be generalized (e.g., to a large group of users) where user activity information is obtained. The ad server uses information included in the ad request to select an ad that will be provided with the web page. For example, the ad server can use psychographic, demographic, or other information about a group of users with which the user is associated in order to select the ad. In some implementations, the ad server can access an advertisement data store to select an ad having targeting criteria that match the information included in the ad request)).
		It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify LaFever in view of Russ to incorporate the teaching of Sze. This would be convenient for preventing an error to occur that prevents the specified resource from being provided to the user device (Parag. [0002]).

Claim 16 is taught by LaFever in view of Russ and Sze as described for claim 2.  

Claim 17 is taught by LaFever in view of Russ and Sze as described for claim 3.    

Claim 18 is taught by LaFever in view of Russ and Sze as described for claim 4.   

Claim 19 is taught by LaFever in view of Russ and Sze as described for claim 5. 

Claims 6, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over LaFever et al. (Pub. No. US 2014/0287723), hereinafter LaFever, in view of Russ et al. (Pub No. US 2020/0242138), hereinafter Russ; in view of Sze et al. (Pub. No. US 2012/0311017), hereinafter Sze; and in view of Rose et al. (Pat. No. US 6,944,765), hereinafter Rose. 
 
Claim 6. 	LaFever in view of Russ and Sze discloses the computer-implemented method of claim 1,   
The combination doesn’t explicitly disclose wherein the semi-anonymous value for the tracking cookie is calculated by hashing a unique value for the user device, and truncating the resultant hash.  
However, Rose discloses wherein the semi-anonymous value for the tracking cookie is calculated by hashing a unique value for the user device, and truncating the resultant hash (Col. 6 lines 58-62; (The art teaches that steps used to encrypt a cookie include a secure hash algorithm (SHA) hash H (Ka, cookie) is calculated and then truncated to eight octets (i.e., for Ka is the authentication key))).
It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify the combination to incorporate the teaching of Rose. This would be convenient for authenticating anonymous users that reduce the potential for “middleman” fraud (Col. 1 lines 7-10).

Claim 13 is taught by LaFever in view of Russ, Sze, and Rose as described for claim 6.

Claim 20 is taught by LaFever in view of Russ, Sze, and Rose as described for claim 6.


















Conclusion
		The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Varga et al. (US 2020/0302564) – Related art in the area of leveraging the use of data collection, analytics and predictive modeling, (Parag. [0070], Data anonymization techniques may be applied to the collected user data 130 may include removal of one or more fields that could be used to identify the user, scrubbing personally identifying information from the user data 130, and/or tokenization of personally identifiable data with a numerical representation. Advanced techniques such as generalization of the collected data to achieve k-anonymity and differential privacy may also be employed. Generalization of data may be performed by removing portions of the collected user data 130 and replacing the data with a common value amongst a range or group of similar persons to achieve k-anonymity. L-diversity may be achieved within the group wherein personal identifiers are first generalized by making sure each attribute being generalized occurs a minimum number of times so that any one person within the group cannot be singled out).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDELBASST TALIOUA whose telephone number is (571)272-4061.  The examiner can normally be reached on Monday-Thursday 7:30 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Trost can be reached on 571-272-7872.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/A.T./Patent Examiner, Art Unit 2442                                                                                                                                                                                                           
/WILLIAM G TROST IV/Supervisory Patent Examiner, Art Unit 2442