DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1.	Claims 1-7, 10-18, and 20-21 are pending.
Claims 8-9 and 19 are cancelled by Applicant.

Allowable Subject Matter
2.	Claim 21 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
	Please note, claim 21 is dependent onto claim 1 which would be allowable if the limitations of claim 21 are incorporated into claim 1. The same would apply (i.e. claim 21 limitations) to independent claim 11 as well to advance prosecution.

 Response to Arguments
3.	Applicant's arguments filed 7/12/22 have been fully considered but they are not persuasive.
	In response to the argument (pg. 8), regarding the current amendment of storing log entry in a separate location:
Ronda discloses signing the first entry with an identity provider private key corresponding to the identity provider server to generate a signed first entry; and transmitting the signed first entry to the first ledger [Ronda: para 0017, 0021]. Further, other examples in Ronda suggests separate storing of distributed ledgers by discussing the auditor servers may be distributed and have separate ledgers for backing. Identity management system 300 further has a key registrar server 340 (which key registrar system may be a distributed system with separate ledgers), a recovery server 390 and ledger server system 370, which can include one or more IdP private service ledger, RP private service ledger and distributed service ledger, or ledger server system 370′, which can include multiple copies of a distributed service ledger with logical partitions [Ronda: 0164-0165, 0293]. Thus, by transmitting the signed entry to the ledger(s) and the different separate storages of the distributed ledger of the suggests “storing the log entry including the encrypted portion in a location separate from the distributed ledger”.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
4.	Claims 1-7, 10-18, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ronda, et al. [US 2017/0250972] in view of Circenis, et al. [US 20040054908].
As per claim 1:	Ronda, et al. teach a method for maintaining immutable data access logs with privacy comprising: 
in a cloud provider comprising at least one computer processor, the cloud provider having a plurality of clients: 
receiving data from a data owner, wherein the data owner is one of the clients; [Ronda: 0190; data exchange]
storing the data in cloud storage; [Ronda: 0169, 0175; e.g. cloud services by server or devices where operations involving a ledger will also involve the ledger server computer processor, memory and databases]
executing an action or condition that impacts the data stored in cloud storage; [Ronda: 0039; an action or condition is not specific to what constitutes an action or condition. Thus, an action or condition can be given the broadest reasonable interpretation (BRI) as relating to a function, event, a deed or instructions per se. Ronda discloses an action or condition as challenge/response or request that impacts stored data which in essence sends the data and/or generates an entry]
generating a log entry associated with the action or condition [Ronda: 0041; log entry can be given the BRI as an entry or record which relates to an action or condition such as ledger or cryptographic hashing the response (action/condition)] comprising a timestamp for the action or condition, an identification of a system associated with the action or condition, and an identification of the data associated with the action or condition; [Ronda: 0016-0017; entry for a (first ledger) includes a “timestamp” such as expiry information corresponding to the one or more attributes, an “identification of a system” such as identity provider public key, an “identification of data” such as cryptographic hashing of data bundle or hashed attributes and corresponding blinding factor or crypto nonce where the log entry is associated with an action or condition]
encrypting [Ronda: 0009, 0016] **at least a portion of the timestamp, the identification, and identification of the data associated with the action or condition in the log entry [**rejected under a secondary reference, discussion below] with a public key for the data owner; [Ronda: 0011-0012, 0024; generating a first entry for a first ledger, where the entry can be the claimed “log entry” and the ledger refers to “distributed ledger. See also 0038; at least a portion of an encrypted data bundle from the identity provider server based on the first request, the encrypted data bundle identifying one or more attributes associated with a user related to the user agent server]
committing a cryptographic signature of the encrypted portion in the log entry to a distributed ledger; and [Ronda: 0260; each transaction record can have one or more associated audit record stored by an auditor server, with each audit record eventually assigned to a custodian (and a separate audit record stored for each transaction participant). Transaction records can contain identifiers, blinded data, and non-blinded data, whereas audit records are stored encrypted (using unique keys for each record). Further para 0269-0274; Discusses storing various portions of data in the ledger entry which may include encrypted and unencrypted data (e.g. attributes) along with signed encrypted portions. Also, para 0282; transaction metadata is stored in the distributed and private service ledgers when a data bundle is created. Thus, the discussion above of encrypted portion is signed suggests there is a cryptographic signature of the encrypted portion that is part of the log entry to a distributed ledger. See also TABLE-US-00001 TABLE 1, para 0518] 
storing the log entry including the encrypted portion in a location separate from the distributed ledger [Ronda: para 0017, 0021; signing the first entry with an identity provider private key corresponding to the identity provider server to generate a signed first entry; and transmitting the signed first entry to the first ledger. More examples on para 0164-0165; the auditor servers may be distributed and have separate ledgers for backing. Identity management system 300 further has a key registrar server 340 (which key registrar system may be a distributed system with separate ledgers), a recovery server 390 and ledger server system 370, which can include one or more IdP private service ledger, RP private service ledger and distributed service ledger, or ledger server system 370′, which can include multiple copies of a distributed service ledger with logical partitions. See also para 0293. Thus, by transmitting the signed entry to the ledger(s) and the different separate storages of the distributed ledger of the suggests “storing the log entry including the encrypted portion in a location separate from the distributed ledger”], so that the committed log entry is immutable and cryptographically verifiable. [Ronda: 0155, 0158; investigations the parameters of each transaction can be recorded into an immutable audit trail, using a hash chain structure (e.g., ledgers) to achieve immutability, and multi-organization distributed networks can be used to demonstrate the validity of the latest transactions. Some parameters may be sensitive (e.g., they enable activity tracking) and can be protected by the use of encryption that requires multiple parties to decrypt. Once endorsed by enough entities, the transaction can be preserved into an immutable audit trail and the system's ledgers can be updated to reflect that the transaction is accepted. More examples cryptographic verification on 0225, 0239, 0261]
Examiner note (explained above), the claimed “encrypting at least a portion” is relative as the at least a portion is not specific as there is no exact amount nor a specific measurement to any or all portion of a log entry that is encrypted per se. The log entry being encrypted or consist of some cryptographic process of the log entry broadly suggest “encrypting at least a portion”. As such, the encrypted portion can be given the broadest reasonable interpretation (BRI) as non-specific data/information that have been through a non-specific encryption process of which may be any portion(s) of data associated or part of a log entry. Per Ronda, includes encryption and/or cryptographic processing of the “at least a portion” of data of the log entry [Ronda: 0009, 0016]. However, Ronda did not clearly discuss the encryption of “at least a portion of the timestamp, the identification, and identification of the data associated with the action or condition in the log entry”.
	Circenis discloses a tamper-evident data management system uses public-private digital signature keys to control use of data and to ensure the fidelity of data [Circenis: 00]. Circenis’s invention include a data structure for data logging that includes a table of at least one data row or data log entry where each data log entry includes a computer metrics data element, a sequence number for that data log entry, information identifying the computer from which the data element is obtained, along with a digital signature of the data log entry, including the metrics data element, the sequence number and system identifying information for the data entry [Circenis: 0010]. Circenis suggest encryption involves “at least a portion of…data associated with the action or condition in the log entry with a public key for the data owner”, by discussing encryption of the log file entries and their corresponding digital signatures, where the application program may use the vendor public key to encrypt the data log entries into a form that only the vendor can decrypt by using a vendor private key [Circenis: 0031]. Further, Circenis discloses collection and encryption of the data log. The application program starts by first collecting system metrics data that may then be processed to add the sequence number (“identification of data associated with the action or condition”) and system identification information (“identification of a system associated with the action or condition”) to form the data log entry. A timestamp may also be added. Once the sequence number, system identification information (“identification of a system associated with the action or condition”) and optional timestamp (“timestamp for the action or condition”) have been added, the application program may digitally sign the data log entry, by first creating a digest of elements in data log entry using the public hash function and encrypting the digest using the application private key, resulting in a digital signature that is attached or affixed to the data log entry, either linked to the data log entry or as part of the data log entry itself (“identification of data associated with the action or condition”). The application private key may be available only to the application program, providing a high degree of certainty that the encrypted digest as the original data log entry [Circenis: 0038]. Thus, Circenis discloses encryption to the log entry that includes system identification information, timestamp, and digitally sign the data log entry and encrypting the digest. As such, Circenis obviously suggest encrypting “at least a portion of the timestamp, the identification, and identification of the data associated with the action or condition in the log entry”, suggesting at least one portion of data included in the log entry is encrypted where motivation for a tamper-evident data management system to control use of data and to ensure the fidelity of data.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ronda with Circenis to teach “encrypting at least a portion of the timestamp, the identification, and identification of the data associated with the action or condition in the log entry” for the reason to provide a tamper-evident data management system to control use of data and to ensure the fidelity of data.
As per claim 2:  Ronda: 0057; discussing the method of claim 1, wherein the data received from the data owner is encrypted.
As per claim 3:  Ronda: 0169; discussing the method of claim 1, wherein the action or condition comprises accessing the data stored in cloud storage.
As per claim 4:  Ronda: 0305; discussing the method of claim 1, wherein the action or condition comprises encrypting or decrypting the data stored in cloud storage.
As per claim 5:  Ronda: 0029; discussing the method of claim 1, wherein the action or condition comprises an environmental change for the data stored in cloud storage.
As per claim 6:  Ronda: 0169-0171; discussing the method of claim 1, wherein the action or condition comprises a security event with the data stored in cloud storage.
As per claim 7:  Ronda: 0169; discussing the method of claim 3, wherein the action or condition is part of a service provided by the cloud provider.
As per claim 8:  Cancelled
As per claim 9:  Cancelled
As per claim 10:  Ronda: 0133; discussing the method of claim 1, wherein the distributed ledger comprises a Blockchain-based distributed ledger or an Ethereum-based distributed ledger.
As per claim 11:	Ronda, et al. teach a system that maintains immutable data access logs with privacy comprising: 
a cloud provider comprising at least one computer processor, the cloud provider having a plurality of clients; and [Ronda: 0169, 0175]
a distributed ledger; [Ronda: 0165]
wherein: 
the cloud provider receives data from a data owner, wherein the data owner is one of the clients; [Ronda: 0190; data exchange]
the cloud provider stores the data in cloud storage; [Ronda: 0169, 0175; e.g. cloud services by server or devices where operations involving a ledger will also involve the ledger server computer processor, memory and databases]
the cloud provider executes an action or condition that impacts the data stored in cloud storage; [Ronda: 0039; an action or condition is not specific to what constitutes an action or condition. Thus, an action or condition can be given the broadest reasonable interpretation (BRI) as relating to a function, event, a deed or instructions per se. Ronda discloses an action or condition as challenge/response or request that impacts stored data which in essence sends the data and/or generates an entry] 
the cloud provider generates a log entry associated with the action or condition comprising a timestamp for the action or condition, an identification of a system associated with the action or condition, and an identification of the data associated with the action or condition; [Ronda: 0016-0017; entry for a (first ledger) includes a “timestamp” such as expiry information corresponding to the one or more attributes, an “identification of a system” such as identity provider public key, an “identification of data” such as cryptographic hashing of data bundle or hashed attributes and corresponding blinding factor or crypto nonce where the log entry is associated with an action or condition] 
the cloud provider encrypts [Ronda: 0009, 0016] **at least a portion of the timestamp, the identification, and identification of the data associated with the action or condition in the log entry [**rejected under a secondary reference, discussion below] with a public key for the data owner; and [Ronda: 0011-0012, 0024; generating a first entry for a first ledger, where the entry can be the claimed “log entry” and the ledger refers to “distributed ledger. See also 0038; at least a portion of an encrypted data bundle from the identity provider server based on the first request, the encrypted data bundle identifying one or more attributes associated with a user related to the user agent server] 
the cloud provider commits a cryptographic signature of the encrypted portion in the log entry to a distributed ledger; and[Ronda: 0260; each transaction record can have one or more associated audit record stored by an auditor server, with each audit record eventually assigned to a custodian (and a separate audit record stored for each transaction participant). Transaction records can contain identifiers, blinded data, and non-blinded data, whereas audit records are stored encrypted (using unique keys for each record). Further para 0269-0274; Discusses storing various portions of data in the ledger entry which may include encrypted and unencrypted data (e.g. attributes) along with signed encrypted portions. Also, para 0282; transaction metadata is stored in the distributed and private service ledgers when a data bundle is created. Thus, the discussion above of encrypted portion is signed suggests there is a cryptographic signature of the encrypted portion that is part of the log entry to a distributed ledger. See also TABLE-US-00001 TABLE 1, para 0518] [Ronda: 0190; data exchange]
storing the log entry including the encrypted portion in a location separate from the distributed ledger [Ronda: para 0017, 0021; signing the first entry with an identity provider private key corresponding to the identity provider server to generate a signed first entry; and transmitting the signed first entry to the first ledger. More examples on para 0164-0165; the auditor servers may be distributed and have separate ledgers for backing. Identity management system 300 further has a key registrar server 340 (which key registrar system may be a distributed system with separate ledgers), a recovery server 390 and ledger server system 370, which can include one or more IdP private service ledger, RP private service ledger and distributed service ledger, or ledger server system 370′, which can include multiple copies of a distributed service ledger with logical partitions. See also para 0293. Thus, by transmitting the signed entry to the ledger(s) and the different separate storages of the distributed ledger of the suggests “storing the log entry including the encrypted portion in a location separate from the distributed ledger”], so that the committed log entry is immutable and cryptographically verifiable. [Ronda: 0155, 0158; investigations the parameters of each transaction can be recorded into an immutable audit trail, using a hash chain structure (e.g., ledgers) to achieve immutability, and multi-organization distributed networks can be used to demonstrate the validity of the latest transactions. Some parameters may be sensitive (e.g., they enable activity tracking) and can be protected by the use of encryption that requires multiple parties to decrypt. Once endorsed by enough entities, the transaction can be preserved into an immutable audit trail and the system's ledgers can be updated to reflect that the transaction is accepted. More examples cryptographic verification on 0225, 0239, 0261]
Examiner note (explained above), the claimed “encrypting at least a portion” is relative as the at least a portion is not specific as there is no exact amount nor a specific measurement to any or all portion of a log entry that is encrypted per se. The log entry being encrypted or consist of some cryptographic process of the log entry broadly suggest “encrypting at least a portion”. As such, the encrypted portion can be given the broadest reasonable interpretation (BRI) as non-specific data/information that have been through a non-specific encryption process of which may be any portion(s) of data associated or part of a log entry. Per Ronda, includes encryption and/or cryptographic processing of the “at least a portion” of data of the log entry [Ronda: 0009, 0016]. However, Ronda did not clearly discuss the encryption of “at least a portion of the timestamp, the identification, and identification of the data associated with the action or condition in the log entry”.
	Circenis discloses a tamper-evident data management system uses public-private digital signature keys to control use of data and to ensure the fidelity of data [Circenis: 00]. Circenis’s invention include a data structure for data logging that includes a table of at least one data row or data log entry where each data log entry includes a computer metrics data element, a sequence number for that data log entry, information identifying the computer from which the data element is obtained, along with a digital signature of the data log entry, including the metrics data element, the sequence number and system identifying information for the data entry [Circenis: 0010]. Circenis suggest encryption involves “at least a portion of…data associated with the action or condition in the log entry with a public key for the data owner”, by discussing encryption of the log file entries and their corresponding digital signatures, where the application program may use the vendor public key to encrypt the data log entries into a form that only the vendor can decrypt by using a vendor private key [Circenis: 0031]. Further, Circenis discloses collection and encryption of the data log. The application program starts by first collecting system metrics data that may then be processed to add the sequence number (“identification of data associated with the action or condition”) and system identification information (“identification of a system associated with the action or condition”) to form the data log entry. A timestamp may also be added. Once the sequence number, system identification information (“identification of a system associated with the action or condition”) and optional timestamp (“timestamp for the action or condition”) have been added, the application program may digitally sign the data log entry, by first creating a digest of elements in data log entry using the public hash function and encrypting the digest using the application private key, resulting in a digital signature that is attached or affixed to the data log entry, either linked to the data log entry or as part of the data log entry itself (“identification of data associated with the action or condition”). The application private key may be available only to the application program, providing a high degree of certainty that the encrypted digest as the original data log entry [Circenis: 0038]. Thus, Circenis discloses encryption to the log entry that includes system identification information, timestamp, and digitally sign the data log entry and encrypting the digest. As such, Circenis obviously suggest encrypting “at least a portion of the timestamp, the identification, and identification of the data associated with the action or condition in the log entry”, suggesting at least one portion of data included in the log entry is encrypted where motivation for a tamper-evident data management system to control use of data and to ensure the fidelity of data.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ronda with Circenis to teach “encrypting at least a portion of the timestamp, the identification, and identification of the data associated with the action or condition in the log entry” for the reason to provide a tamper-evident data management system to control use of data and to ensure the fidelity of data.
As per claim 12:  Ronda: 0057; discussing the system of claim 11, wherein the data received from the data owner is encrypted.
As per claim 13:  Ronda: 0169; discussing the system of claim 11, wherein the action or condition comprises accessing the data stored in cloud storage.
As per claim 14:  Ronda: 0305; discussing the system of claim 11, wherein the action or condition comprises encrypting or decrypting the data stored in cloud storage.
As per claim 15:  Ronda: 0029; discussing the system of claim 11, wherein the action or condition comprises an environmental change for the data stored in cloud storage.
As per claim 16:  Ronda: 0169-0171; discussing the system of claim 11, wherein the action or condition comprises a security event with the data stored in cloud storage.
As per claim 17:  Ronda: 0169; discussing the system of claim 13, wherein the action or condition is part of a service provided by the cloud provider.
As per claim 18:  Ronda: 0016; discussing the system of claim 11, wherein the public key is maintained in a public key infrastructure by the cloud provider.
As per claim 19:  cancelled
As per claim 20:  Ronda: 0133; discussing the system of claim 11, wherein the distributed ledger comprises a Blockchain-based distributed ledger or an Ethereum-based distributed ledger.
As per claim 21:  Objected

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LEYNNA TRUVAN whose telephone number is (571)272-3851. The examiner can normally be reached Monday-Friday 8:00AM-5:00PM, EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

LEYNNA TRUVAN
Examiner
Art Unit 2435



/L.TT/Examiner, Art Unit 2435

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435