DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the application filed on 12/21/2020. Claims 1-20 are examined.
Specification
The disclosure is objected to because of the following informalities:
All of the pages contain the law firm’s header/stamp.   
Appropriate correction is required.

Claim Objections
Claim (All pages) objected to because of the following informalities:  
All of the pages contain the law firm’s header/stamp.   
Appropriate correction is required.

Claim Rejections - 35 USC § 101
Claim 20 is rejected under § 101 because claim 20 is not limited to “non-transitory computer readable medium,” and therefore, include transitory signals. When the broadest reasonable interpretation of a claim covers a signal per se, the claim must be rejected under 35 U.S.C. § 101 as covering non-statutory subject matter. See In re Nuijten, 500 F.3d 1346, 1356-57 (Fed. Cir. 2007) (transitory embodiments are not directed to statutory subject matter) and Interim Examination Instructions for Evaluating Subject Matter Eligibility Under 35 U.S.C. § 101, Aug. 24, 2009; p. 2. 
Examiner takes note of ([0012] The storage devices may be tangible, non-transitory, and/or non-transmission). Applicant indicated that the storage devices may be tangible, non-transitory, and/or non-transmission) and therefore could be interpreted as signals per se).

Examiner’s interpretation
	Claims 7 and 18 recite the feature “to reduce the likelihood that at least one user is identifiable” this feature recites intended use. A recitation of the intended use of the claimed invention must result in a structural difference between the claimed invention and the prior art in order to patentably distinguish the claimed invention from the prior art. If the prior art structure is capable of performing the intended use, then it meets the claim.
Functional recitation(s) have been considered but given less patentable weight because they fail to add any steps and are thereby regarded as intended use language. A positive recitation of the limitations is required in order to be given patentable weight.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim(s) 1-6, 8-10, 13-17, 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Besanson (U.S. 20210165913) in view of Madan (U.S. 11297024).

Regarding claim 1, 
Besanson discloses: An apparatus, comprising: a processor; and a memory that stores code executable by the processor to ([0004] a device or system may include one or more memories; and one or more processors, communicatively coupled to the one or more memories): receive a query for a set of ([0004] receive a request for a feature set) aggregated data ([0004] the feature set includes multiple sets of quasi-identifiers, wherein each set of quasi-identifiers is included in a different de-identified data set of the multiple de-identified data sets; [0013] larger data sets can be created by aggregating multiple data sets) associated with a plurality of users ([0017] In example implementation 100, the data set management system is shown as receiving a first de-identified data set (shown as De-Identified Data Set 1) from a first data source (shown as Data Source 1), receiving a second de-identified data set (shown as De-Identified Data Set 2) from a second data source (shown as Data Source 2), and receiving a third de-identified data set (shown as De-Identified Data Set 3) from a third data source (shown as Data Source 3). However, in practice, the data set management system may receive a different number of data sets (e.g., tens, hundreds, thousands, or millions of data sets) from a different number of data sources (e.g., tens, hundreds, thousands, or millions of data sources). Additionally, or alternatively, the data set management system may receive multiple data sets from a particular data source. A data source of a data set may refer to a system or entity (e.g., an organization or an individual)), the aggregated data set ([0013] larger data sets can be created by aggregating multiple data sets) comprising anonymized data for each user of the plurality of users ([0004] multiple de-identified data sets that include de-identified personal data; [0014] the data sets may contain de-identified (e.g., anonymized) personal data; [0016] Example de-identified data sets include… de-identified user data); analyze a results data set for the query to determine an indication that at least one user of the plurality of users is identifiable from the results data set ([0004] calculate a re-identification risk score for the multiple sets of quasi-identifiers).

Besanson does not disclose: prevent at least a portion of the results data set from being accessed in response to the indication that the at least one user is identifiable.
However, in the same field of endeavor Madan teaches: prevent at least a portion of the results data set from being accessed in response to the indication that the at least one user is identifiable ([Col 8 Line 19-64] corrective action taken for a transmitted file that includes private information detected by a data loss prevention service...Corrective action may include one or more of: quarantining the data that includes the private information, deleting the data that includes the private information; [Col 1 line 22-53] Private information may include one or any combination of: personally identifiable information (e.g., phone number, email address, person name (e.g., first and/or last name), location, credit card number, and/or age)… etc)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Madan in the data access protection of Besanson by preventing access to results when identification that can be used to identify an individual is detected. This would have been obvious because the person having ordinary skill in the art would have been motivated in order to provide “Corrective action… to prevent access to the data by certain users” (Col 8 Line 19-23). 

Regarding claim 13, 
Besanson discloses: A method comprising: receiving, by a processor, a query for a set of ([0004] receive a request for a feature set) aggregated data ([0004] the feature set includes multiple sets of quasi-identifiers, wherein each set of quasi-identifiers is included in a different de-identified data set of the multiple de-identified data sets; [0013] larger data sets can be created by aggregating multiple data sets) associated with a plurality of users ([0017] In example implementation 100, the data set management system is shown as receiving a first de-identified data set (shown as De-Identified Data Set 1) from a first data source (shown as Data Source 1), receiving a second de-identified data set (shown as De-Identified Data Set 2) from a second data source (shown as Data Source 2), and receiving a third de-identified data set (shown as De-Identified Data Set 3) from a third data source (shown as Data Source 3). However, in practice, the data set management system may receive a different number of data sets (e.g., tens, hundreds, thousands, or millions of data sets) from a different number of data sources (e.g., tens, hundreds, thousands, or millions of data sources). Additionally, or alternatively, the data set management system may receive multiple data sets from a particular data source. A data source of a data set may refer to a system or entity (e.g., an organization or an individual)), the aggregated data set ([0013] larger data sets can be created by aggregating multiple data sets) comprising anonymized data for each user of the plurality of users ([0004] multiple de-identified data sets that include de-identified personal data; [0014] the data sets may contain de-identified (e.g., anonymized) personal data; [0016] Example de-identified data sets include… de-identified user data); analyzing a results data set for the query to determine an indication that at least one user of the plurality of users is identifiable from the results data set ([0004] calculate a re-identification risk score for the multiple sets of quasi-identifiers).
Besanson does not disclose: preventing at least a portion of the results data set from being accessed in response to the indication that the at least one user is identifiable.
However, in the same field of endeavor Madan teaches: preventing at least a portion of the results data set from being accessed in response to the indication that the at least one user is identifiable ([Col 8 Line 19-64] corrective action taken for a transmitted file that includes private information detected by a data loss prevention service...Corrective action may include one or more of: quarantining the data that includes the private information, deleting the data that includes the private information; [Col 1 line 22-53] Private information may include one or any combination of: personally identifiable information (e.g., phone number, email address, person name (e.g., first and/or last name), location, credit card number, and/or age)… etc)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Madan in the data access protection of Besanson by preventing access to results when identification that can be used to identify an individual is detected. This would have been obvious because the person having ordinary skill in the art would have been motivated in order to provide “Corrective action… to prevent access to the data by certain users” (Col 8 Line 19-23). 

Regarding claims 2 and 14,
Besanson in view of Madan discloses: The apparatus of claim 1, wherein the code is executable by the processor to analyze the results data set by 
Besanson further discloses: performing one or more statistical analyses on the results data set to identify outlier data that uniquely identifies the at least one user ([0038] As an example, the data set management system may calculate the re-identification risk score using the first technique as follows. Given an anonymized data set D containing N electronic health records that include no duplicate records and that includes quasi-identifiers aux and sensitive information, a vulnerable record r is that one that can be identified uniquely under a set of quasi-identifiers aux. In this case, the re-identification score for a record (sometimes referred to as a probabilistic risk of disclosure a record) ra may be calculated; [0039] In the context of health or medical records, certain quasi-identifiers may be uncommon in the total population (e.g., event dates, as described above). As a result, an individual that is identified as unique in D could be also uniquely identified in external sources E; [0030] (e.g., a set of quasi-identifiers resulting in a higher re-identification probability)).

Regarding claims 3 and 15, 
Besanson in view of Madan discloses: The apparatus of claim 1, wherein the code is executable by the processor to 
Besanson further discloses: analyze the results data set by invoking at least one machine learning algorithm that is trained using training data ([0025] In some implementations, the data set management system may train a machine learning model on actual data) comprising anonymized data for a plurality of users ([0025] train a machine learning model on actual data; [0025] actual data, from the one or more de-identified data sets), the machine learning algorithm providing a prediction of the at least a portion of data that uniquely identifies the at least one user ([0025] As another example, a rectified linear unit (ReLU) activation function may be applied to count quasi-identifiers to guarantee a non-negative outcome (e.g., a count outcome) in the synthetic data).

Regarding claim 4, 
Besanson in view of Madan discloses: The apparatus of claim 1, 
Besanson further discloses: wherein the indication comprises a statistical value, a predicted value, and/or at least one record that indicates that the results data set comprises identifiable data for the at least one user ([0038] The data set management system may calculate the re-identification risk score using the first technique as follows. Given an anonymized data set D containing N electronic health records that include no duplicate records and that includes quasi-identifiers aux and sensitive information, a vulnerable record r is that one that can be identified uniquely under a set of quasi-identifiers aux. In this case, the re-identification score for a record (sometimes referred to as a probabilistic risk of disclosure a record) ra may be calculated).

Regarding claims 5 and 16, 
Besanson in view of Madan discloses: The apparatus of claim 1, 
Besanson further discloses: wherein the code is executable by the processor to prevent the at least a portion of the results data set from being accessed by removing at least one data record from the results data set that uniquely identifies the at least one user ([0027] In some implementations, based on determining that the re-identification risk score does not satisfy the condition (e.g., indicating a high or unacceptable re-identification risk), the data set management system may identify a first subset of quasi-identifiers of the set of quasi-identifiers, and may generate synthetic data for the first subset of quasi-identifiers. The data set management system may replace the actual date for the first subset of quasi-identifiers with the synthetic data, and may recalculate the re-identification risk score for the set of quasi-identifiers based on the synthetic data generated for the first subset of quasi-identifiers and actual data for a second subset of quasi-identifiers of the set of quasi-identifiers; [0028] If the data set management system determines that the recalculated re-identification risk score satisfies the condition (e.g., indicating a low or acceptable re-identification risk), then the data set management system may output the synthetic data generated for the first subset of quasi-identifiers and the actual data for the second subset of quasi-identifiers. If the data set management system determines that the recalculated re-identification risk score does not satisfy the condition, then the data set management system may generate additional synthetic data for the set of quasi-identifiers. For example, the data set management system may increase a number of quasi-identifiers included in the first subset of quasi-identifiers for which synthetic data is generated, and may decrease a number of quasi-identifiers included in the second subset of quasi-identifiers for which actual data is output. The data set management system may continue in this manner until the re-identification risk score satisfies the condition, and then may output the first subset of quasi identifiers (e.g., containing synthetic data) and the second subset of quasi identifiers (e.g., containing actual data) to the user device).

Regrading claims 6 and 17, 
Besanson in view of Madan discloses: The apparatus of claim 1, 
Madan further discloses: wherein the code is executable by the processor to prevent the at least a portion of the results data set from being accessed by rejecting the query and providing a message that the results data set for the query comprises identifiable information for the at least one user ([Col 7 Line 24-30] FIG. 3 is a diagram illustrating a chat alert 300 that indicates detection of a file including private information by a data loss prevention service according to embodiments of the disclosure. In certain embodiments, chat alert 300 is sent (e.g., by chat service 102 in FIG. 1 or FIG. 2) on detection of private information; [Col 8 line 29-30] private information, including, but not limited to, personally identifiable information); ([Col 9 Line 24-50] a possible action is causing a corrective action to be taken on the private information, e.g., by selecting the corrective action button 704 (which may have its text changed to indicate the action, e.g., “DELETE” text as one example) to cause the corrective action to be taken on the private information. Corrective action may include one or more of: quarantining the data that includes the private information, deleting the data that includes the private information, redacting the data that includes the private information, and/or changing access permission for the data that includes the private information (e.g., to prevent access to the data by certain users). A chat alert for the corrective action may be sent to the user that sent the message that included private information to alert them to the current status of that private information instance. For example, summary 700 includes history entries 706 that include a first entry 708 that indicates a notification (e.g., chat alert) was sent to user_1 (e.g., the administrator) that the message that has private information has been deleted, and second entry 710 that indicates a notification (e.g., chat alert) was sent to user_1 (e.g., the administrator) and user_9 (e.g., the sender of the message) for that message (e.g., notifying that a suspicious message was found) in this example).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention that the same reason to modify with Madan as in claim 1, applies.

Regrading claim 8, 
Besanson in view of Madan discloses: The apparatus of claim 7, wherein the code is executable by the processor to provide to an entity providing the query.
Madan further discloses: A message that explains that the results data set is not complete and that at least a portion of the results data set is removed due to exposing an identity of the at least one user, the message comprising the number of data records that are removed from the results data set ([Col 9 Line 24-50] a possible action is causing a corrective action to be taken on the private information, e.g., by selecting the corrective action button 704 (which may have its text changed to indicate the action, e.g., “DELETE” text as one example) to cause the corrective action to be taken on the private information. Corrective action may include one or more of: quarantining the data that includes the private information, deleting the data that includes the private information, redacting the data that includes the private information, and/or changing access permission for the data that includes the private information (e.g., to prevent access to the data by certain users). A chat alert for the corrective action may be sent to the user that sent the message that included private information to alert them to the current status of that private information instance. For example, summary 700 includes history entries 706 that include a first entry 708 that indicates a notification (e.g., chat alert) was sent to user_1 (e.g., the administrator) that the message that has private information has been deleted, and second entry 710 that indicates a notification (e.g., chat alert) was sent to user_1 (e.g., the administrator) and user_9 (e.g., the sender of the message) for that message (e.g., notifying that a suspicious message was found) in this example).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention that the same reason to modify with Madan as in claim 1, applies.

Regarding claims 9 and 19, 
Besanson in view of Madan discloses: The apparatus of claim 1, 
Besanson further discloses: wherein the code is executable by the processor to prevent the at least a portion of the results data set from being accessed based on permissions associated with an entity providing the query ([0020] In some implementations, the data set management system may control access, by a user, to one or more data sets. For example, the data set management system may issue a credential (e.g., a username, a password, a token, and/or the like) for the user and/or the user device, and the credential may be used to grant or deny access to different data sources and/or different data sets. In some implementations, a credential may be specific to a data source. Additionally, or alternatively, the credential may be specific to a data set. An administrator associated with the data source may provide input to the data set management system to grant or deny access to data sets associated with the data source; [0031] the user may provide input to request certain computational resources or to request computational resources with certain characteristics or capabilities. The data set management system may allocate computational resources to the user or the user device accordingly. In some implementations, the data set management system may control whether the user is allowed to share analysis results, generated by the user, with other users, or download analysis results from the computational resources. In some implementations, a source device administrator may provide input to indicate whether analysis results generated using a data set (or group of data sets) is permitted to be shared with other users, and the data set management system may permit or deny sharing accordingly).

Regarding claim 10,
Besanson in view of Madan discloses: The apparatus of claim 9, 
Besanson further discloses: wherein the code is executable by the processor to override preventing at least a portion of the results data set from being accessed in response to the entity providing the query having permissions to access the results data set ([0020] In some implementations, the data set management system may control access, by a user, to one or more data sets. For example, the data set management system may issue a credential (e.g., a username, a password, a token, and/or the like) for the user and/or the user device, and the credential may be used to grant or deny access to different data sources and/or different data sets. In some implementations, a credential may be specific to a data source. Additionally, or alternatively, the credential may be specific to a data set. An administrator associated with the data source may provide input to the data set management system to grant or deny access to data sets associated with the data source; [0031] the user may provide input to request certain computational resources or to request computational resources with certain characteristics or capabilities. The data set management system may allocate computational resources to the user or the user device accordingly. In some implementations, the data set management system may control whether the user is allowed to share analysis results, generated by the user, with other users, or download analysis results from the computational resources. In some implementations, a source device administrator may provide input to indicate whether analysis results generated using a data set (or group of data sets) is permitted to be shared with other users, and the data set management system may permit or deny sharing accordingly).

Regarding claim 20, 
Besanson discloses: A computer program product, comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the processor to: ([0004] a device or system may include one or more memories; and one or more processors, communicatively coupled to the one or more memories): receive a query for a set of ([0004] receive a request for a feature set) aggregated data ([0004] the feature set includes multiple sets of quasi-identifiers, wherein each set of quasi-identifiers is included in a different de-identified data set of the multiple de-identified data sets; [0013] larger data sets can be created by aggregating multiple data sets) associated with a plurality of users ([0017] In example implementation 100, the data set management system is shown as receiving a first de-identified data set (shown as De-Identified Data Set 1) from a first data source (shown as Data Source 1), receiving a second de-identified data set (shown as De-Identified Data Set 2) from a second data source (shown as Data Source 2), and receiving a third de-identified data set (shown as De-Identified Data Set 3) from a third data source (shown as Data Source 3). However, in practice, the data set management system may receive a different number of data sets (e.g., tens, hundreds, thousands, or millions of data sets) from a different number of data sources (e.g., tens, hundreds, thousands, or millions of data sources). Additionally, or alternatively, the data set management system may receive multiple data sets from a particular data source. A data source of a data set may refer to a system or entity (e.g., an organization or an individual)), the aggregated data set ([0013] larger data sets can be created by aggregating multiple data sets) comprising anonymized data for each user of the plurality of users ([0004] multiple de-identified data sets that include de-identified personal data; [0014] the data sets may contain de-identified (e.g., anonymized) personal data; [0016] Example de-identified data sets include… de-identified user data); analyze a results data set for the query to determine an indication that at least one user of the plurality of users is identifiable from the results data set ([0004] calculate a re-identification risk score for the multiple sets of quasi-identifiers).
Besanson does not disclose: prevent at least a portion of the results data set from being accessed in response to the indication that the at least one user is identifiable.
However, in the same field of endeavor Madan teaches: prevent at least a portion of the results data set from being accessed in response to the indication that the at least one user is identifiable ([Col 8 Line 19-64] corrective action taken for a transmitted file that includes private information detected by a data loss prevention service...Corrective action may include one or more of: quarantining the data that includes the private information, deleting the data that includes the private information; [Col 1 line 22-53] Private information may include one or any combination of: personally identifiable information (e.g., phone number, email address, person name (e.g., first and/or last name), location, credit card number, and/or age)… etc)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Madan in the data access protection of Besanson by preventing access to results when identification that can be used to identify an individual is detected. This would have been obvious because the person having ordinary skill in the art would have been motivated in order to provide “Corrective action… to prevent access to the data by certain users” (Col 8 Line 19-23). 

Claim 7 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Besanson (U.S. 20210165913), in view of Madan (U.S. 11297024) and in further view of Rogers (U.S. 11170131).
Regarding claims 7 and 18,
Besanson in view of Madan discloses: The apparatus of claim 1, wherein the code is executable by the processor to 
Besanson in view of Madan discloses does not disclose: prevent the at least a portion of the results data set from being accessed by limiting a number of data records that are returned in the results data set to reduce a likelihood that the at least one user is identifiable
However, in the same field of endeavor Rogers discloses: prevent the at least a portion of the results data set from being accessed by limiting a number of data records that are returned in the results data set to reduce a likelihood that the at least one user is identifiable ([Col 9 Line 22-24] the result limit is reached based on a number of results that are returned from one or more queries)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Rogers in the data access protection of Besanson by limiting the number of results returned. This would have been obvious because the person having ordinary skill in the art would have been motivated in order to ensure data privacy (Col 2 Line 35). 

Claim 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Besanson (U.S. 20210165913), in view of Madan (U.S. 11297024) and in further view of McCray (U.S. 20210216537).
Regarding claim 11,
Besanson in view of Madan discloses: The apparatus of claim 10, wherein the code is executable by the processor to 
Besanson in view of Madan does not disclose: determine that the query comprises an aggregate query and to reject the query in response to the entity providing the query not having permissions to execute aggregate queries on the data set.
However, in the same field of endeavor McCray teaches: determine that the query comprises an aggregate query and to reject the query in response to the entity providing the query not having permissions to execute aggregate queries on the data set ([0023] The data rules 1 124A may also include privacy requirements. For example, the privacy requirements may include a requirement for a minimum number of user data to be disclosed in response to a search query such as a minimum bin aggregation rule. For example, the minimum bin aggregation may be 100 users. The user data may be shared on an individual basis, or the user data may be aggregated. If a search results is fewer than 100 results, the search results of the data corpus 1 122A may not be disclosed as the number of search results may not satisfy the minimum bin aggregation rule. Additionally or alternatively, if the search results is fewer than 100 results, the search results of the data corpus 1 122A may not be aggregated and the aggregated data may not be shared).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of McCray in the data access protection of Besanson by rejecting query that do not have the correct permissions to perform the requested query. This would have been obvious because the person having ordinary skill in the art would have been motivated to combine, see “provides an electronic multi-tenant data management system that entities can use to cross-share data among other entities, while still maintaining privacy of user information and company proprietary information.” (McCray, para.0012)). 

Claim 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Besanson (U.S. 20210165913), in view of Madan (U.S. 11297024) and in further view of Ghemawat (CN 101292243).
Regarding claim 12, 
Besanson in view of Madan discloses: The apparatus of claim 1, wherein the query is received at a database management system for data stored in a database, the code executable by the processor to
Madan further discloses: that uniquely identifies the at least one user ([Col 8 Line 19-64] private information detected by a data loss prevention service... [Col 1 line 22-53] Private information may include one or any combination of: personally identifiable information (e.g., phone number, email address, person name (e.g., first and/or last name), location, credit card number, and/or age)… ect)).
Besanson in view of Madan does not disclose: intercept the results data set and remove at least a portion of the results data set
However, in the same field of endeavor Ghemawat teaches: intercept the results data set and remove at least a portion of the results data set ([0088] In another embodiment, the through additional tools such as associated with client terminal 210 to show and intercepts the original list of search result documents. can determine whether any document with a search result file list on the remove list for the user (block 1230). document identification information (e.g., address) and removing the list of document identification information is compared in this embodiment, tool bar capable of identifying user removal of the locally stored list, and associated with each document in the list of search result documents).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Ghemawat in the data access protection of Besanson by intercepting the results and remove at least a portion of the results. This would have been obvious because the person having ordinary skill in the art would have been motivated in order to “provide.. result of high quality to the user based on the search query” (Ghemawat para.0004). 


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's
disclosure.
Carlson 08/23/2019 (US 20210240853) teaches detection when de-identified PII is leaked.
Wasiscek 09/27/2019 (US 20210097201) teaches protecting PII using synthetic PII and detection of leaked PII that should be protected.
Bulut 06/12/2020 (US 20200394334) teaches determining when PII that should be protected is able to be used to identify users.
Krafcik 05/14/2019 (US 20200364370) teaches automatically detecting unauthorized re-identification of PII.
Gkoulalas 12/20/2017 (US 20190188292) teaches data de-identification using statistical based methods.
El Emam 09/22/2009 (US 20100077066) teaches re-identification risks of de-identified user data.

Any inquiry concerning this communication or earlier communications from the examiner
should be directed to THOMAS A CARNES whose telephone number is (571)272-4378. The examiner can
normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a
USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use
the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor,
Shewaye Gelagay can be reached on (571) 272-4219. The fax phone number for the organization where
this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from
Patent Center. Unpublished application information in Patent Center is available to registered users. To
file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit
https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and
https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional
questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like
assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or
571-272-1000.
/T.A.C./
Examiner, Art Unit 2436

/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434