DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Election/Restrictions
NO restrictions warranted at applicant’s initial time of filing for patent. 
Priority
Applicant claims NO foreign or domestic priority at initial time of filing for patent. Thus, the effective filing date of the claimed invention is 12/17/2020. 
Information Disclosure Statement
Applicant filed NO information disclosure statement at initial time of filing for patent. 
Drawings
Applicant’s drawings filed on 12/17/2020 have been inspected and is in compliance with MPEP 608.02. 
Specification
Applicant’s specification filed on 12/17/2020 has been inspected and is in compliance with MPEP 608.01. 
Claim Objections
NO claim objections warranted at applicant’s initial time of filing for patent. 
Claim Interpretation – 35 USC 112th 6th or F
It is in the examiner’s opinion that claim[s] 1 – 20 do not invoke means for or step plus functional claim language under the meaning of the statue. 
Claim Rejections - 35 USC § 112
NO rejections warranted at applicant’s initial time of filing for patent. 
Double Patenting
NO rejections warranted at applicant’s initial time of filing for patent. 
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim[s] 10 – 18 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) 10 - 18 does/do not fall within at least one of the four categories of patent eligible subject matter because there are NO forms of structure or hardware explicitly recited/implements the claim limitations of the device. The claimed invention recites a “processor intermediary,” which is not a device per se., it could be, but doesn’t have to be. Thus, such element is software per se.   While the claimed invention does recite a “client,” and “server,” however, such elements are recited in such manner that does not further limit the claim language. Such elements are for use with the “processor intermediary,” but are not needed for the operation of applicant’s claimed invention. 
	Appropriate action required. 
Claim Rejections - 35 USC § 102
NO rejections warranted at applicant’s initial time of filing for patent. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
Claim(s) 1, 4, 9, 10, 13 18, 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Call et al. [US PGPUB # 20150163201] in view of Le Jouan [US PGPUB # 2011/0295988].
As per claim 1.  Call does teach a method [paragraph: 0065, In an embodiment, performing one or more of the methods discussed herein may prevent, and/or reduce the effectiveness of, one or more various attacks, such as a denial of service (“DOS”) attack, credential stuffing, fake account creation, ratings or results manipulation, man in the browser attacks, reserving rival goods or services, scanning for vulnerabilities, and/or exploitation of vulnerabilities. For example, if an intermediary computer intercepts an improper request from a visitor browser, such as a request that does not include one
or more identifiers that match one or more attribute map identifiers, DOM map identifiers, and/or transaction identifiers, then the intermediary computer need not reverse translate and/or forward the improper request on to the targeted web server computer. Thus, the targeted web server computer, or an application running on the targeted web server computer, need not be burdened with processing improper and/or malicious requests that are part of an attack] comprising:
	receiving, by a device intermediary between a client and a server, a request from the client for a page from the server that includes confidential information to be verified with an owner of the confidential information [Call, paragraph: 0067, In an embodiment, each time a web page is requested, such as an account creation page, order page, voting page, and/or other page from a web server computer, the intermediary computer may modify the identifiers in the returned page. Thus, a bot may receive a different set of instructions after each request and may not observe the same one or more field identifiers twice. Without receiving the same one or more identifiers, the bot may be incapable of determining what data should be entered in and/or associated with each field to create a fake account, order and/or reserve one or more goods or services, vote, inject malicious SQL, and/or submit any other malicious content.];
replacing, by the device prior to providing the page to the client for rendering, a first user interface (UI) element having the confidential information in the page, with a second UI element to obfuscate the confidential information [Call, account creation page, order page, voting page, and/or other page from a web server computer, the intermediary computer may modify the identifiers in the returned page. Thus, a bot may receive a different set of instructions after each request and may not observe the same one or more field identifiers twice. Without receiving the same one or more identifiers, the bot may be incapable of determining what data should be entered in and/or associated with each field to create a fake account, order and/or reserve one or more goods or services, vote, inject malicious SQL, and/or submit any other malicious content]. 
Call does not clearly teach receiving, by the device from the client, an activation of the second UI element to request the owner to verify the confidential information; and
sending, by the device to the client, an update to the page to include an indication of whether the confidential information has been correctly verified with the owner.
However, Le Jouan does teach receiving, by the device from the client, an activation of the second UI element to request the owner to verify the confidential information [paragraph: 0082, The controlled data management system process is in addition to or instead of using a data sharing transparency engine at a user's machine (see, e.g., FIG. 1, data sharing transparency engine 112), which enables the user to grab data given to brands/sites when registering or updating personal information on the respective sites or, in general, when providing personal information to a third party. The controlled data management system process can include two different processes: 1) The user has already provided personal information and wants to save the data to a profile on the controlled management system. When on, e.g., a personal profile page, the user can, for example, right click on a button displayed on the user's desktop, within a browser, on a smart phone, etc. and choose to save the personal information to a profile associated with the user (note: in a specific implementation, each user can have multiple profiles). It may also be desirable to detect that the user has provided personal information and automatically perform the update, presumably in accordance with user preferences, without asking anything of the user. 2) The user is entering or updating personal information. The controlled data management process residing on the user's desktop, browser, or the like can intercept data as it is entered and can automatically save the data to a relevant profile of the user. In either of cases 1) and 2), when the user exits a page or otherwise reaches a point that can be characterized as completing the data entry, the controlled data management process can recapitulate what is going to be sent to the controlled data management system, and have the user validate the personal information and/or confirm that the data should be sent to the controlled data management system.]; and
sending, by the device to the client, an update to the page to include an indication of whether the confidential information has been correctly verified with the owner [paragraph: 0082, The controlled data management system process is in addition to or instead of using a data sharing transparency engine at a user's machine (see, e.g., FIG. 1, data sharing transparency engine 112), which enables the user to grab data given to brands/sites when registering or updating personal information on the respective sites or, in general, when providing personal information to a third party. The controlled data management system process can include two different processes: 1) The user has already provided personal information and wants to save the data to a profile on the controlled management system. When on, e.g., a personal profile page, the user can, for example, right click on a button displayed on the user's desktop, within a browser, on a smart phone, etc. and choose to save the personal information to a profile associated with the user (note: in a specific implementation, each user can have multiple profiles). It may also be desirable to detect that the user has provided personal information and automatically perform the update, presumably in accordance with user preferences, without asking anything of the user. 2) The user is entering or updating personal information. The controlled data management process residing on the user's desktop, browser, or the like can intercept data as it is entered and can automatically save the data to a relevant profile of the user. In either of cases 1) and 2), when the user exits a page or otherwise reaches a point that can be characterized as completing the data entry, the controlled data management process can recapitulate what is going to be sent to the controlled data management system, and have the user validate the personal information and/or confirm that the data should be sent to the controlled data management system.].
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Call and Le Jouan in order for the intermediary computer monitoring improper user web browser requests to the targeted web server computer of Call to include a controlled data management system that makes the user aware of requests/removal and other operations regarding their personal/sensitive data in a profile when requested by third parties of Le Jouan. This would allow for the user to manipulate an interface to manage all aspects of the user’s personal data in the following manner: who is using the profile data, how is the user’s profile data being used, type of user profile data use, purpose for using the user’s profile data. See paragraph: 0052 of Le Jouan.  
As per claim 4.  Call does teach the method of claim 1, comprising:
	storing, by the device, the confidential information from the page [Call, paragraph: 0065, In an embodiment, performing one or more of the methods discussed herein may prevent, and/or reduce the effectiveness of, one or more various attacks, such as a denial of service (“DOS”) attack, credential stuffing, fake account creation, ratings or results manipulation, man in the browser attacks, reserving rival goods or services, scanning for vulnerabilities, and/or exploitation of vulnerabilities. For example, if an intermediary computer intercepts an improper request from a visitor browser, such as a request that does not include one or more identifiers that match one or more attribute map identifiers, DOM map identifiers, and/or transaction identifiers [i.e. applicant’s storing,….the confidential information from the page], then the intermediary computer need not reverse translate and/or forward the improper request on to the targeted web server computer.]; and
comparing, by the device, the stored confidential information with verification information obtained from the owner [Call, paragraph: 0065, In an embodiment, performing one or more of the methods discussed herein may prevent, and/or reduce the effectiveness of, one or more various attacks, such as a denial of service (“DOS”) attack, credential stuffing, fake account creation, ratings or results manipulation, man in the browser attacks, reserving rival goods or services, scanning for vulnerabilities, and/or exploitation of vulnerabilities. For example, if an intermediary computer intercepts an improper request from a visitor browser, such as a request that does not include one or more identifiers that match [i.e. applicant’s comparing….] one or more attribute map identifiers, DOM map identifiers, and/or transaction identifiers, then the intermediary computer need not reverse translate and/or forward the improper request on to the targeted web server computer.]; and
determining, by the device according to the comparing, whether the confidential information has been correctly verified with the owner [paragraph: 0082, In either of cases 1) and 2), when the user exits a page or otherwise reaches a point that can be characterized as completing the data entry, the controlled data management process can recapitulate what is going to be sent to the controlled data management system, and have the user validate the personal information and/or confirm that the data should be sent to the controlled data management system.].
As per claim 9. Call does teach the method of claim 1, wherein at least one of: 
the confidential information, or a type of the confidential information, is prevented from being exposed or presented to a user of the client [Call, paragraph: 0065, In an embodiment, performing one or more of the methods discussed herein may prevent, and/or reduce the effectiveness of, one or more various attacks, such as a denial of service (“DOS”) attack, credential stuffing, fake account creation, ratings or results manipulation, man in the browser attacks, reserving rival goods or services, scanning for vulnerabilities, and/or exploitation of vulnerabilities. For example, if an intermediary computer intercepts an improper request from a visitor browser, such as a request that does not include one or more identifiers that match one or more attribute map identifiers, DOM map identifiers, and/or transaction identifiers, then the intermediary computer need not reverse translate and/or forward the improper request on to the targeted web server computer. Thus, the targeted web server computer, or an application running on the targeted web server computer, need not be burdened with processing improper and/or malicious requests that are part of an attack].
As per device claim 10 that includes the same or similar claim limitations as method claim 1, and is similarly rejected.
***The examiner points out that applicant’s recited “processor intermediary,” “client,” and “server” are taught by the prior art of “Call” at Figure # 2, items: 230, 299, 205, respectively. 
As per device claim 13 that includes the same or similar claim limitations as method claim 4, and is similarly rejected. 
As per device claim 18 that includes the same or similar claim limitations as method claim 9, and is similarly rejected.
As non – statutory computer readable medium claim 19 that includes the same or similar claim limitations as method claim # 1, and is similarly rejected. 
***The examiner notes that applicant’s recited: “non – transitory computer readable medium,” “program instructions,” and “processor” are taught by the prior art of “Call” at paragraphs: 0183 - 0187. 
Claim(s) 2, 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Call et al. [US PGPUB # 20150163201] in view of Le Jouan [US PGPUB # 2011/0295988] as applied to claim[s] 1 above, and further in view of Galvin et al. [US PGPUB # 2011/0093710]
As per claim 2. Call and Le Jouan do teach what is taught in the rejection of claim # 1 above. 
Call and Le Jouan do not appear to teach the method of claim 1, wherein the request is initiated by a user of the client in a communication session with the owner, the request initiated to verify the confidential information with the owner in the communication session.
However, Galvin does teach the method of claim 1, wherein the request is initiated by a user of the client in a communication session with the owner, the request initiated to verify the confidential information with the owner in the communication session [paragraph: 0020, lines 1 – 20, FIGS. 1-2 together presents an exemplary scenario featuring a source device 12 (e.g., a client initiating a request for a communication session) [i.e. applicant’s client] and a target device 14 (e.g., a server receiving the request to initiate the communication session) that endeavor to establish and utilize a communication session in a secure manner. In the exemplary scenario 10 of FIG. 1, the source device 12 and the target device 14 generate and exchange some information involved in securing the communication session through the use of an encryption algorithm 16 featuring asymmetric key cryptography, such as the RSA algorithm. This algorithm is configured to generate a cryptographic key pair comprising a public key and a private key having two properties: the private key cannot be identified using the public key; and a message encrypted with the public key can only be decrypted using the private key. As an additional advantage, a message may be cryptographically "signed" using the private key, and the signature may be verified using the public key, thus verifying the author [i.e. applicant’s owner] of the message as the holder of the private key (and verifying the contents of the message.)].
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Call as modified and Galvin in order for the intermediary computer monitoring improper user web browser requests to the targeted web server computer of Call as modified to include encrypting such user web browser requests of Galvin. This would allow for the data of the request carrying either personal/non-personal to be secure while in transit to the intermediary and or target web server and prevent a man in the middle attack on the request. See paragraph: 0023 of Galvin. 
As per device claim 11 that includes the same or similar claim limitations as method claim 2, and is similarly rejected. 
Claim(s) 3, 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Call et al. [US PGPUB # 20150163201] in view of Le Jouan [US PGPUB # 2011/0295988] as applied to claim[s] 1 above, and further in view of Best et al. [US PGPUB # 2009/0135444].
As per claim 3.  Call and Le Jouan do teach what is taught in the rejection of claim # 1 above. 
Call and Le Jouan do not appear to teach the method of claim 1, comprising: determining, by the device, that the page from the server includes the confidential information, according to at least one of:
application of at least one rule,
identification of the first UI element, or
an output of a data loss prevention (DLP) system.
However, Best does teach the method of claim 1, comprising: determining, by the device, that the page from the server includes the confidential information, according to at least one of:
application of at least one rule [Best, paragraph: 0030, Responsive to entering data into a document, a user of a client, such as client 110 of FIG. 1, can designate the data as sensitive data. An expiration date [i.e. applicant’s application of at least one rule], which can be custom, is then associated with the sensitive data. Upon a subsequent viewing of the document, a determination is made as to the occurrence of the expiration date. Responsive to identifying the occurrence of the expiration date, sensitive data is redacted from the document. The user is presented with an edited document that contains only the data that was not designated as sensitive. The document can be stored locally on the client, or can be stored remotely, for example on a server, such as server 104 of FIG. 1.],
identification of the first UI element, or
an output of a data loss prevention (DLP) system.
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Call as modified and Best in order for the intermediary computer monitoring improper user web browser requests to the targeted web server computer of Call as modified to include limiting requests for content based on location of the user that made the request of Best. This would allow for the request to be denied based on the location of the user of the request. See paragraph: 0007 of Best. 
As per device claim 12 that includes the same or similar claim limitations as method claim 3, and is similarly rejected. 
Claim(s) 5, 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Call et al. [US PGPUB # 20150163201] in view of Le Jouan [US PGPUB # 2011/0295988] as applied to claim[s] 1 above, and further in view of Foote [US PAT # 7822821].
As per claim 5. Call and Le Jouan do teach what is taught in the rejection of claim # 1 above. 
Call and Le Jouan do not appear to teach the method of claim 1, comprising: sending, by the device to the client, the page with the second UI element for display to a user of the client, wherein the second UI element comprises a button or widget that can be activated by the user of the client.
However, Foote does teach the method of claim 1, comprising: sending, by the device to the client, the page with the second UI element for display to a user of the client, wherein the second UI element comprises a button or widget that can be activated by the user of the client [Figure # 11, and col. 6, lines 22 – 33, FIG. 11 shows that, as mentioned above, when the owner designates his presence at a particular access point to be "offline", a buddy [i.e. applicant’s user of the client] can click on a "leave a message" button 58 to send a message to the owner of the access point that is equivalent to email, but without needing a specific email address to perform this function. FIG. 12 shows the resulting display, wherein a message can be typed into a message box 60 and sent to the owner of the access point. Additionally, using, e.g., the invitation message and/or the object linking feature discussed further below, a mechanism is provided for the buddy and owner/user to propose communication using text messages (instant messaging) voice, email or video.]. 
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Call as modified and Foote in order for the intermediary computer monitoring improper user web browser requests to the targeted web server computer of Call as modified to include anonymizing the data of the request of Foote. This would allow for the prevention of an attack on the request data. See col. 2, lines 1 – 8 of Foote.  
As per device claim 14 that includes the same or similar claim limitations as method claim 5, and is similarly rejected. 
Claim(s) 6, 15, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Call et al. [US PGPUB # 20150163201] in view of Le Jouan [US PGPUB # 2011/0295988] as applied to claim[s] 1 above, and further in view of Tarchinski et al. [US PGPUB # 2020/0353839].
As per claim 6. Call and Le Jouan do teach what is taught in the rejection of claim # 1 above. 
Call and Le Jouan do not appear to teach the method of claim 1, comprising: initiating, by the device responsive to receiving the activation of the second UI element: 
a one-time verification message to the owner, 
a push notification to the owner, 
a representational state transfer (REST) call to a verification service, or 
a prompt to the client or the owner to select a method to verify the
confidential information.
However, Tarchinski does teach the method of claim 1, comprising: 
initiating, by the device responsive to receiving the activation of the second UI element: 
a one-time verification message to the owner, 
a push notification to the owner [paragraph: 0044, If any of the assessments carried out at decision blocks 105, 107 and 113 returns a false determination (block 105 OR block 107 OR block 113=NO), indicating the host vehicle likely should not participate in VGI activities, the method 100 proceeds to process block 117 and informs the owner/driver of the intent to deny the requested RPF operation and, if so desired, the basis for this repudiation. As with any of the occasions in this disclosure where user [i.e. applicant’s owner] feedback is invited, human-machine interface may be by way of exchange with the owner/driver's smartphone (e.g., text, app, push notification, email, web browser, etc.), via the center stack telematics unit's touchscreen display 46, via in-vehicle connected support service, or other appropriate methodology. It is envisioned that the operations set forth in blocks 117, 119 and 121 may be altogether eliminated from the method 100 of FIG. 2, for example, in use-cases where user feedback is not considered necessary or is not permitted.], 
a representational state transfer (REST) call to a verification service, or 
a prompt to the client or the owner to select a method to verify the confidential information.
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Call as modified and Tarchinski in order for the intermediary computer monitoring improper user web browser requests to the targeted web server computer of Call as modified to include a number request usage limit of Tarchinski. This would allow for the intermediary computer to monitor the number of requests made for a specific target web server for determination of an improper requests. See paragraph: 0006, lines 19 – 24 of Tarchinski. 
As per device claim 15 that includes the same or similar claim limitations as method claim 6, and is similarly rejected. 
As non – statutory computer readable medium claim 20 that includes the same or similar claim limitations as method claim # 6, and is similarly rejected. 
Allowable Subject Matter
Claim[s] 7, 8, and 16, 17 contain allowable subject matter, but as allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).
Claim[s] 7, 8, 16, 17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
***The examiner notes that a reason for allowance is forth coming in the next subsequent office action, once all formal requirements have been met. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Unger et al., “who does teach a GUI displayed on a display device is disclosed. The GUI includes a website that, when loaded onto a user device, permits the user device to communicate with at least one server to send to the at least one server item information to electronically manage one or more items in a product information database, to receive from the at least one server item information from the product information database, and to cause display of the item information received.” 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT SHAIFER - HARRIMAN whose telephone number is (571)272-7910. The examiner can normally be reached M - F: 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571- 272- 3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DANT B SHAIFER HARRIMAN/          Primary Examiner, Art Unit 2434