Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 9/6/2022 has been entered.
Claims 1-3,5-6 and 8-12 are pending. Claims 4, 7 and 13-32 are cancelled or withdrawn.


Response to Arguments
Applicant’ s arguments have been received 9/6/2022 and are respectfully addressed as follows:
Regarding the 112 b rejection the rejection is withdrawn in response to the amendments.
Regarding the prior art rejection, Applicant argues:
“As further explained in dependent claim 5, the audit requirement of the claimed invention might be due to a regulatory requirement, and paragraph [0007] of the specification of the present application further describes that this audit requirement is an audit of the transmitted encrypted data sent by the sending device to the receiving device, meaning, in the context of the present invention, that the audit is checking on whether it would be appropriate for the receiving device to receive the encrypted data transmission and/or whether the DRM factors selected for the transmission would be appropriate for the receiving device in view of the encrypted data being transmitted to that receiving device. There is clearly no suggestion in either Hartung or Liu to have a third device audit the encrypted transmission from a first device to a second device as described in the urged combination of these two references”.
The examiner respectfully disagrees, neither the claims nor the specification disclose  the italicized portion of “... this audit requirement is an audit of the transmitted encrypted data sent by the sending device to the receiving device, meaning, in the context of the present invention, that the audit is checking on whether it would be appropriate for the receiving device to receive the encrypted data transmission and/or whether the DRM factors selected for the transmission would be appropriate for the receiving device in view of the encrypted data being transmitted to that receiving device.” Rather, the specification in para. [0058] discloses: “The security messaging application also includes encrypting those messages which meet audit requirements using a distinct key/keys for audit purposes, transmitting the encrypted messages which meet audit requirements to a distinct, non-mobile, repository for viewing by auditors without the limits imposed by the Digital Rights Management Features selected by the sender...”. The audit purposes are not described as alleged by the Applicant.
An audit as known in the art is for verifying compliance with some standards. That is what the specification discloses i.e. “An audit requirement may occur when the data transmitted is subject to regulatory compliance, such as financial regulations, FDA regulations, employment regulations, and the like” ([[0007]).
Applicant also argues:
The Examiner's characterization of Garcia improperly attempts to correlate "access rights" with "DRM factors", which is a term of art, as clearly described in primary reference Hartung.
The examiner respectfully disagrees; Hartung discloses in [0004] "Digital Rights Management" (DRM), i.e. mechanisms to control the usage of the content on the user device; in [0005][0006] a DRM protected content includes content and a rights object instructing how to use the content by the user. 
Regarding the arguments about the auditing, an updated search has provided a better prior art (see rejection below).

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.




Claims 1-3, 5-6 and 8-9, and 11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

The claims recite “the first device”, “the second device”, which lacks antecedent basis and render the claims indefinite. For examination purposes, the examiner will consider the limitations as “a first device” and “a second device”.
Additionally, claim 5 recites “the audit” which lacks antecedent basis and renders the claim indefinite. The limitation will be considered as “an audit”.
Correction or clarification is kindly requested.

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-3, 5-6, 8-11 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over US. 20070079381 to Hartung et al., hereinafter Hartung  Hartung, in view of NPL titled “An Efficient Key Distribution Method Applying to OMA DRM 2.0 with Device Identifier”, by Liu et al., 2008, IEEE, p. 3-7, hereinafter Liu, in view of US  20090037975 to Ishikawa et al., hereinafter Ishikawa. 

Regarding claim 1, Hartung discloses a method for securing data to be transmitted between a plurality of devices, the method comprising:selecting digital rights management (DRM) features for the data which is to be transmitted from the first device to the second device ([0051][0067], Fig. 1, step 125: define usage rights for content);encrypting the data to be transmitted and the selected digital rights management features using at least one distinct key ([0068], Fig. 1, step 115: encrypt media including rights with CEK) of the second device ([0019]: recipient D2 decrypts the content using a key corresponding to the encryption key CEK, meaning the encryption/decryption key CEK is also a key of the recipient device); transmitting the encrypted data and the selected DRM features to the second device of the plurality of devices (Fig. 1  content embedding rights ([0068]), encrypted with CEK, sent in a single message ([0069]) is sent to D2 (Fig. 1), a plurality of recipients may be used  [0033] (the sent message includes also the CEK encrypted by the recipient public key plus the integrity data encrypted with the sender private key ([0069], see Fig. 1);decrypting the encrypted data on the second device ([0079] : decrypt the content with CEK) and displaying the data according to the selected DRM features ([0051][0081], Fig. 1, step 175, 180: use content as specified in usage rights, the usage including viewing ([0052][0063]); encrypting the data and the selected DRM features using a distinct key; and transmitting the encrypted data and the selected DRM features using the distinct key to a third device of the plurality of devices ([0033][0068]: a plurality of devices can receive the data associated with the rights, encrypted, with the CEK ([0050])); wherein the third device comprises a device that accesses, decrypts, and displays the received encrypted data, (([0079]: although the decrypting is described at recipient D2 (second device), the same process applies to all the devices that received the encrypted content ([0033]); the distinct key is the symmetric key, used to encrypt and decrypt the content including the usage rights ([0068]), the decrypted content is used according to the usage rights ([0080][0081])).
Hartung does not explicitly teach encrypting the data with a distinct key of the second device, the at least one distinct key including at least one of a phone number, IMEI number, MAC address, IP address.
However using a device identifier to encrypt content is well-known, as evidenced by Liu, who, in an analogous art, discloses using a device identifier such as an IMEI which is unique to a device as a symmetric encryption key (under 4.1.). It would have been obvious to a skilled artisan at the time of the invention to use the second device unique identifier to encrypt the data as taught by Liu, because it would tie the decrypting of the data to a specific device, increasing the security of the data (see Liu, under 4.1).
The combination of Hartung and Liu does not explicitly teach: encrypting ... for audit purposes ..., transmitting ... for audit purposes to a third device ...
However, Hartung discloses sending the encrypted data to a plurality of user devices with different rights ([0033]); in an analogous art, Ishikawa is concerned about providing owners of content a way to know whether their content is not being infringed upon, by providing the data to the owners for reviewing or auditing  ([0004]); Ishikawa discloses providing a content owner previous instances of inquired content, which may have included at least a portion of their known content. A known content owner or rights holder could utilize the saved inquired content data to determine past instances of matches between their known content data and inquired content data. As desired, the past instances can be verified to determine whether the past instance of a match still currently exists. As desired, the past instances could be utilized to gather statistical data on usage of known content. ([0116]). Content owners by definition have all rights on their data i.e are not limited by any defined DRM features. Therefore it would have been obvious to a skilled artisan at the time of the invention to provide the encrypted content of Hartung/Liu to a plurality of users, one being the content owner for audit purposes as taught by Ishikawa, wherein the third device is an auditor device that accesses, the received data for the audit purposes without being limited by the selected DRM features.
It would have been obvious to a skilled artisan at the time of the invention to associate the usage rights embedded in a secure content, encrypted with a distinct key and provided to a plurality of users as taught by Hartung/Liu , one of the recipient including the content owner for auditing purposes as taught by Ishikawa, because it would allow data owners to locate unauthorized use and distribution of such material on a network, ensuring that potential users are assured that they are purchasing or distributing authorized copies of the materials and enabling a content owner to gather statistical data and other activity to support the digital distribution of their content (Ishikawa [0007]). 

 Regarding claim 2, the combination of Hartung, Liu and Ishikawa discloses the method of claim 1, wherein the data includes one or more of  text data, picture data, audio data, video data, SMS data, and MMS data (Hartung, [0049]; Ishikawa [0056])).

Regarding claim 3, the combination of Hartung, Liu and Ishikawa discloses the method of claim 1, wherein the DRM features comprise data expiration time, limit on number of times data is viewable, limits on data export rights, and limits on data forwarding rights (Hartung, [0052]-[0063]).

Regarding claim 5, the combination of Hartung, Liu and Ishikawa discloses the method of claim 1, wherein the audit occurs because the data transmitted between the first and second device is subject to a regulatory compliance (Ishikawa [0002][0007] the regulatory compliance are the usage rules the  owner has set for her clients to comply with, when using the content).

Regarding claim 6, the combination of Hartung, Liu and Ishikawa discloses the method of claim 4, wherein the third device comprises a non mobile database (Hartung: [0070],[0083]: right server DS).

Regarding claim 8, the combination of Hartung, Liu and Ishikawa discloses the method of claim 1, wherein the encrypted data is stored within an encrypted database on both the first and second devices (Hartung, Fig. 1, step 115: data encrypted at sender, and step 135: recipient receives encrypted content that is decrypted at 165).

Regarding claim 9, the combination of Hartung, Liu and Ishikawa discloses the method of claim 1, wherein encryption keys used by the first and second devices are accessed, maintained, and modified through a key server (Hartung, [0047]: use of a PKI server to facilitate keys exchange).

Regarding claim 11, the combination of Hartung, Liu and Ishikawa discloses the method of claim 9, wherein the key server can verify whether the first and second device are authorized to communicate with each other (Hartung, [0087]).

Claim 10 is rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Hartung, Liu and Ishikawa, in view of US7380120 to Garcia, hereinafter Garcia.
Regarding claim 10, the combination of Hartung, Liu and Ishikawa discloses the method of claim 9 but does not explicitly teach wherein the key server can revoke the encryptions  keys used by the first and second device.
In an analogous art Garcia discloses a server managing a secure document defining different access levels for multiple users (col. 16, lines 59-67 to col. 17, lines 1-5); the document is encrypted with a file key, access rules that define how the document can be accessed are included in the document header as a part of a security information, the security information including the file key is encrypted by a user key and attached to the encrypted document forming a secured document 208 (Fig. 2A, col. 11, lines 16-50);  The secure document embedding the access rules (rights) such as the one depicted in Fig. 2A, sent to a group of recipients (col. 12, lines 53-64) including a user with highest privileges (user A) and a user B, would be accessed by B according to the access rules, but would be fully accessed by A at all days, all time from any locations (col. 27, lines 52-58), meeting the limitation accessing the data ... “without being limited by the selected DRM features transmitted to the second and third device”. Additionally the  user keys are managed by the server (col.4:31-43),  revoking users’ encryption keys when users leave an organization or periodically replacing encryption keys for each user (col.25:1-19). It would have been obvious to a skilled artisan at the time of the invention to revoke the encryption keys as taught by Garcia because it would enhance data protection and prevent unauthorized users from accessing encryption keys, promoting data confidentiality. 

Claim 12 is rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Hartung, Liu and Ishikawa, in view of US 20030105812 to Flowers et al., hereinafter Flowers.
Regarding claim 12, the combination of Hartung, Liu and Ishikawa discloses the method of claim 9, but does not teach: wherein the key server can request status updates from the first and second device to verify whether the devices authorized to communicate with each other.
In an analogous art, Flowers discloses a peer server enabling communications between peer devices over a network ( [0021],[0029]). The peer server maintains information as to which peer devices are on-line at a given time based on the on-line status ( [0024]).  It would have been obvious to a person with ordinary skills in the art at the time of the invention to include in the PKI server of Hartung the functionalities to manage the on-line status of the communicating peers in order to implement the claim. A peer sever enabling communication between peer devices would allow nodes to be aware of the status of other nodes they want to communicate with and would prevent failed communication attempts.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Ratcliff et al 20080163347 discloses a system for performing regular review or auditing of access rights, ensuring compliance with regulatory requirements (i.e., Sarbanes-Oxley, etc.), oversight of access rights, and the like.
Martinez et al 20080155701 disclose owners of media items tracking content files online which constitute infringing uses of media items and reviewing of the content files, provided with takedown options with respect to the content files, and options to claim revenue generation related to the content files. These systems and methods may control the use of the content file on a network, using legal action, or through other techniques.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138. The examiner can normally be reached Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Catherine Thiaw/Primary Examiner, Art Unit 2493                                                                                                                                                                                                        10/11/2022