
HK1088165B - System, method, and apparatus for location services privacy management with a mobile station - Google Patents

System, method, and apparatus for location services privacy management with a mobile station

Info

Publication number
HK1088165B
Authority
HK
Hong Kong
Prior art keywords
privacy
location
mobile station
location request
rules
Prior art date
Application number
HK06108227.2A
Other languages
Chinese (zh)
Other versions
HK1088165A1 (en)
Inventor
苏珊娜.阿西斯
Original Assignee
高通股份有限公司
Priority date
Filing date
Publication date
Priority claimed from US10/779,109 (US7088237B2)
Application filed by 高通股份有限公司
Publication of HK1088165A1
Publication of HK1088165B


Description

System, method and apparatus for location services privacy management with mobile stations
Cross Reference to Related Applications
Priority is claimed from pending U.S. provisional application No. 60/447,563, filed February 14, 2003 under the title "Enhanced User Privacy for Mobile Station Location Services", and U.S. provisional application No. 60/490,765, filed July 28, 2003, both of which are incorporated herein by reference.
Technical Field
The present invention relates to the field of mobile device location services, and more particularly to enhanced user control of privacy policies in response to location requests.
Background
Location services ("LCS") for mobile phones and wireless digital communication devices (hereinafter collectively referred to as mobile stations) are an increasingly important business area for wireless communication providers. This importance is reflected in the establishment of LCS standards and functional specifications. Three exemplary LCS references are: the Third Generation Partnership Project (3GPP) Technical Specification Group (TSG) Services and Systems, LCS Functional Stage 2 (SA2) Description, Release 6 (3GPP TS 23.271 v6.0.0), published June 2002; Technical Document (TD) S2-022360 of the 3GPP TSG-SA2 #26 meeting held in Toronto, Canada, August 23, 2002; and 3GPP TSG Services and Systems, LCS Functional Stage 2 (SA2) Description, Release 6 (3GPP TS 23.271 V6.3.0), published March 2003. Hereinafter, these references are referred to as 3GPP-R1, 3GPP-R2, and 3GPP-R3, respectively.
The functional model of the overall LCS system is described with reference to 3GPP-R1 and 3GPP-R3, including the parts relating to user privacy. A network element called Privacy Profile Registrar (PPR) is described with reference to 3GPP-R2, which maintains LCS privacy information for users and facilitates corresponding privacy functions. These incorporated references provide an overview of the latest techniques and standards related to LCS and related LCS privacy operations. Various methods and apparatus for providing LCS to a user in accordance with these references are known to those of ordinary skill in the art of communications.
One known advantageous method for determining the location of a mobile station in a wireless communication system utilizes the Global Positioning System (GPS). Including a GPS device in a mobile station (or, more generally, a position determination module, or "PDM") provides very accurate position determination capabilities. When the PDM is the primary means of providing accurate location information within a mobile station, the service provider network must contact the mobile station upon receiving a request for an accurate location. Methods and apparatus for implementing location services functionality in a mobile station using a PDM such as GPS are well known to those of ordinary skill in the art of wireless communications. Handsets that implement LCS functionality using GPS are currently available. An exemplary GPS system for a mobile station is described in the article "An Introduction to SnapTrack™ Server-Aided GPS Technology" by M. Moeglein and N. F. Krasner, published in the Institute of Navigation (ION) GPS 1998 Proceedings, September 1998, beginning at page 333. A recent patent application describing a GPS system suitable for mobile stations is U.S. patent application 20020050944, entitled "Method and Apparatus for Measurement Processing of Satellite Positioning System (SPS) Signals", filed by L. Sheynblat and N. F. Krasner on May 2, 2002.
Disadvantageously, existing LCS privacy methods, in which user privacy is managed by the network providing the service, give the user only very limited and inflexible control over privacy policy information. For example, in some exemplary prior art LCS privacy methods, when a user initiates service the service provider defines various requester client classes and establishes a user privacy profile based on these classes, such as the PPR described above. According to these LCS privacy methods, the privacy profile specifies particular requester classes that have unrestricted access to the location of the user, as well as other requester classes for which access is restricted. Such restrictions may include, for example, automatic rejection of LCS information requests from a particular restricted class. They may also include a requirement to notify the user and (optionally) to obtain the user's permission before granting LCS access requests from requestors of a particular restricted class. In these exemplary prior art systems, the privacy configuration can only be changed by changing the service agreement between the provider and the user. If the user location is determined primarily by a PDM residing within the mobile station, an additional option is to deactivate the PDM. While this option enhances privacy by enabling the user to prevent retrieval of accurate location information, it is very limited in effectiveness because it prevents accurate location retrieval for all requestor classes until the PDM is again operational.
The present disclosure relates to a method and apparatus for LCS privacy management within a mobile station. The present disclosure enables convenient and flexible LCS control for mobile station users.
Disclosure of Invention
The present disclosure relates to a method and apparatus for providing geolocation of wireless mobile stations, and more particularly, to methods and apparatus for providing enhanced user control of the privacy policies that govern responses to requests for location information. Hereinafter, these requests are referred to as location requests, or equivalently position requests.
In one exemplary embodiment, a privacy control system for a mobile station includes a privacy engine, a position determination module (PDM), and a user interface. The privacy engine is a software module that controls the response of the mobile station to location requests.
The privacy engine further includes a privacy policy. The privacy policy includes privacy classes for classifying location requestors and their associated location requests, and privacy rules for determining responses to location requests of each privacy class.
Each privacy class is defined by a list of location requestors and applications. Location requestors and applications may be individually specified or grouped into different categories or types based on identifying information, such as a URL, an Internet domain, or other data that may be provided with a location request. A location request is classified according to its location requester; thus, a privacy class may be assigned to a location request based on the information with which the location request is made. Examples of privacy classes include, but are not limited to: a default privacy class for unknown or unverified location requesting applications and requester identities that are not specifically included in any other class; a default privacy class for trusted location requesting applications and requester identities not specifically included in any other class; and user-specified classes of location requesting applications and requester identities identified by URL or by other identifying data that may accompany the location request.
Each privacy class has an associated set of privacy rules for determining the response of the privacy engine to a location request. Examples include, but are not limited to: rules specifying unrestricted access; rules specifying default denial of access; rules specifying access based on user notification and required user permission; rules specifying access with user notification but without required permission; rules denying access during user-selected time periods; rules allowing access only in the vicinity of a defined location; and so on. The privacy policy, its privacy classes, and its privacy rules together determine how the privacy engine responds to each and every location request.
Using the enhanced user privacy method and apparatus of the present invention, a user may advantageously control or alter the privacy policy for a particular mobile station via the user interface of the mobile station. In an exemplary embodiment, the user interface provides suitable input means such as a stylus, pointing device or keypad. In another embodiment of the inventive concept, the privacy policy is controlled via a network application connected to the mobile station through a wireless data network. In another embodiment of the inventive method, the privacy policy may be controlled by an application residing in a local device, such as a laptop computer or a personal digital assistant, that is connected to the mobile station.
Advantageously, the privacy engine of the mobile station, including the initial privacy policy, may be received (i.e., downloaded) by the mobile station via the wireless data network.
Drawings
Fig. 1 is a block diagram of an exemplary communication system including a mobile station having a privacy engine suitable for use with the concepts of the present invention.
Fig. 2A-2D illustrate a flow chart of an exemplary method for providing enhanced user privacy in location services applications used by mobile stations and other wireless communication devices.
Like reference numbers and designations in the various drawings indicate like elements.
Detailed Description
Throughout this description, various embodiments and variations thereof are described in order to illustrate the use and implementation of the inventive concepts. The illustrative description should be understood as being representative of the inventive concept and not as limiting the scope of the concept disclosed herein.
Fig. 1 shows a block diagram of a wireless communication device and a wireless communication system that can be adapted to the inventive concept. As shown in fig. 1, one exemplary embodiment includes a mobile station 102 that includes a user interface 106, a wireless network communication module 112, an application block 114, a local communication module 118, a privacy engine 120, a location determination module 122, and other modules 124.
As shown in fig. 1, in one embodiment of the inventive concept, wireless network communication module 112 provides a wireless data connection between mobile station 102 and external data network 110. The external data network 110 may include various network systems. For example, in one embodiment, the external data network may comprise a wireless service provider network. As another example, the external data network may be an Internet service provider that provides a connection to receive and transmit data between the mobile station and the Internet. In general, external data network 110 comprises any data system capable of transmitting data to and receiving data from mobile stations using wireless communication. As shown in fig. 1, the wireless network communication module 112 may also be coupled to an applications block 114 and a privacy engine 120. The wireless communication module 112 receives and transmits data from the application block 114 and the privacy engine 120.
In one embodiment, the application block 114 includes a positioning application that may require mobile station position estimation. Such location applications may reside in the MS, in which case no interaction with the network is required, or may involve interaction with a location server (e.g., module 108) in the network, in which case they act as location clients. For this exemplary embodiment, the application block 114 also includes other applications relating to network data communications and other functions of the mobile station. Examples of such applications include, but are not limited to: an e-mail client, a web browser, an ftp client, and other software applications for receiving or downloading data, data files, and software instructions to mobile station 102. The application block 114 is connected to the wireless communication module 112 to receive and transmit data and thus communicate with the external data network 110. The application block 114 may also be coupled to the user interface 106 to receive and transmit data for user operations and communication with various applications. The application block 114 may also be coupled to the privacy engine 120 to receive and transmit data. Such data may include location request and response data. Such data may also include received or downloaded software instructions to create, modify, and implement the functions and capabilities of the privacy engine 120. Alternatively, the data that creates, modifies, or implements the functionality of the privacy engine may be received directly from the wireless communication module 112, which may also be coupled to the privacy engine 120 to receive and transmit data. As another alternative, the data that creates, modifies, or implements the privacy engine functionality may be received and executed by a mobile station component not shown in fig. 1.
Such components are well known to those skilled in the communications arts and may include, for example, Application Specific Integrated Circuits (ASICs), Application Programming Interfaces (APIs), Random Access Memories (RAMs), Read Only Memories (ROMs), and the like. An exemplary method and system for downloading and executing applications in a mobile station via a wireless network is described in U.S. patent application publication No. US 2002/0183056 A1, entitled "Safe Application Distribution and Execution in Wireless Environment", filed by Lundblade et al. and published December 5, 2002.
The local communication module 118 provides a means for optionally receiving and transmitting data between the mobile station 102 and the external local application module 116. In one embodiment, the external local application module 116 resides in a locally connected device, such as a personal computer, laptop computer, or personal digital assistant. Module 118 provides connectivity to locally connected devices. The local communication module 118 is also optionally coupled to the privacy engine 120 to receive and transmit data. Such data may include software instructions that create, modify, and implement the functions and capabilities of the privacy engine 120. In addition, these data may include input and output data for a positioning application (an application that requires positioning data) running in a separate device such as a laptop computer connected to the MS via infrared, bluetooth, USB cable, or other means other than the network connection provided by the wireless communication module 112. Routing these location data to the privacy engine 120 facilitates privacy management of local application location requests, as described below.
As described above, the privacy engine 120 is coupled to the elements 112, 114, and 118 to receive and transmit data. The privacy engine 120 is also coupled to the user interface 106, the location determination module 122, and the other modules 124 to receive and transmit data. The function and operation of the privacy engine 120 is described below.
The user interface 106 provides a means for the mobile station user to receive information from the application block 114 and the privacy engine 120, to provide instructions to the application block 114 and the privacy engine 120, and to run applications and functions contained in the application block 114 and the privacy engine 120. For example, the user interface 106 may include a graphical user interface and a suitable input device, such as a touch screen, pointing device, or keypad. User interface 106 may also include a means for transmitting and receiving sounds, voice commands, or any other means for receiving information from, providing instructions to, and operating software modules, applications, and digital devices coupled to mobile station 102.
A Position Determination Module (PDM) 122 generates data representative of the location of the mobile station 102. One well-known example of a suitable PDM uses a Global Positioning System (GPS) device or method. However, the present approach contemplates the use of any PDM capable of providing position or location data to the mobile station 102. For example, the PDM may use well-known positioning methods such as assisted GPS (AGPS), Advanced Forward Link Trilateration (AFLT), time of arrival (TOA), enhanced observed time difference (E-OTD), location based on identifying the wireless communication cell in which the MS is operating (cell-based positioning), and so forth. Such methods are well known to those skilled in the art of communications and need not be described herein.
The other modules block 124 represents software modules and hardware components for implementing or augmenting the functionality of the mobile station. For example, these software modules and hardware components may include an Application Specific Integrated Circuit (ASIC), an Application Program Interface (API), a Random Access Memory (RAM), a Read Only Memory (ROM), a Subscriber Identity Module (SIM) or Universal Subscriber Identity Module (USIM), a camera, and so forth. Although connections for the other modules block 124 are not shown in fig. 1, those skilled in the art will appreciate how the modules and components in the other modules block 124 are connected within the mobile station as functionally required.
Still referring to FIG. 1, in an exemplary embodiment, the privacy management server 104 includes a software application that interfaces with an external data network 110 to receive and transmit data. The privacy management server 104 is connected to an external data network 110 to exchange data with a wireless network communication module 112. The privacy management server 104 communicates with the privacy engine 120 via the external data network 110 and the wireless network communication module 112. The privacy management server 104 may receive data from and send data to the web application block 114 via the external data network 110 and the wireless network communication module 112. The data communicated between the privacy management server 104, the web application block 114, and the privacy engine 120 may include software instructions to create, modify, and implement the functions or capabilities of the privacy engine 120. Similarly, data communicated between the privacy management server 104 and the privacy engine 120 via the communication module 112 may include software instructions to create, modify, and implement the functions and capabilities of the privacy engine 120. In general, data communicated between the privacy management server 104 and elements comprising the mobile station 102 may be used to create, modify or implement software modules within the mobile station 102 that facilitate or relate to LCS and privacy management.
The location request application block 108 of fig. 1 represents a location request application connected to receive and transmit data with the mobile station 102 via an external data network 110. The location request application 108 is coupled to the privacy engine 120 via the external data network 110 and the wireless network communication module 112 to receive and transmit data. The transmission and reception of location request and location reply data between the location request application block 108 and the privacy engine 120 is described below.
Exemplary privacy policy
In an exemplary embodiment, the privacy engine 120 is a software module that performs various operations to control the response of the mobile station to requests for location information. These requests are referred to herein as location requests, or equivalently position requests.
The privacy engine further includes a privacy policy. A privacy policy is a component of the privacy engine that includes privacy classes for classifying location requestors and their associated location requests, and privacy rules for determining responses to location requests for each privacy class.
Each privacy class is defined by a list of location requestors and applications. Location requestors and applications may be individually specified or grouped into different categories or types based on identifying information, such as a URL, Internet domain, or other data that may be provided with a location request. A location request is classified according to its location requester; thus, a privacy class may be assigned to a location request based on the information with which the location request is made. Examples of privacy classes include, but are not limited to: a default privacy class for unknown or unverified location requesting applications and requester identities that are not specifically included in any other class; a default privacy class for trusted location requesting applications and requester identities not specifically included in any other class; and user-specified classes of location requesting applications and requester identities identified by URL or by other identifying data that may accompany the location request.
Each privacy class has an associated set of privacy rules for determining the response of the privacy engine to a location request. Examples include, but are not limited to: rules specifying unrestricted access; rules specifying default denial of access; rules specifying access based on user notification and required user permission; rules specifying access with user notification but without required permission; rules specifying denial of access during a user-selected time period; rules specifying access only in the vicinity of a defined position; and so on. The privacy policy, the privacy classes it includes, and the privacy rules it includes determine how the privacy engine responds to each and every location request.
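The following Python model is an added illustration of the privacy policy just described; it is not code from the patent or from the assignee. The class names, the rule names, the sample domains and URLs (family-locator.example, fleet.example), the coordinates and the time period are all constructed for the example. It shows the three kinds of class the text lists (user-specified by URL or domain, trusted default, unknown default), assigns a class from the data carried by the request itself, and then applies the class's rule together with the two situational rules the text mentions: denial during a user-selected time period and access only near a defined position. One assumption beyond the text: a requester is only treated as "trusted" when its identity has been verified by a codeword or certificate; anything else falls to the unknown default.

```python
"""Privacy policy model: privacy classes, rules, and classification of location requests."""
import math
from dataclasses import dataclass
from datetime import time
from enum import Enum
from typing import Optional, Tuple
from urllib.parse import urlparse


class Rule(Enum):
    """Privacy rules a class can carry (names constructed for this example)."""
    ALLOW = "unrestricted access"
    DENY = "default denial of access"
    NOTIFY_ONLY = "access with user notification, no permission required"
    NOTIFY_AND_ASK = "access only with user notification and user permission"


@dataclass
class LocationRequest:
    """Subset of the data a location request may carry."""
    requester_url: str
    requester_identity: Optional[str] = None
    certificate_ok: bool = False   # requester identity verified by codeword/certificate


@dataclass
class PrivacyClass:
    name: str
    rule: Rule
    requesters: Tuple[str, ...] = ()                    # individually specified identities or URLs
    domains: Tuple[str, ...] = ()                       # Internet domains, matched by suffix
    deny_between: Optional[Tuple[time, time]] = None    # user-selected period during which access is denied
    near: Optional[Tuple[float, float, float]] = None   # (lat, lon, radius_km): access only near this point


@dataclass
class PrivacyPolicy:
    user_classes: Tuple[PrivacyClass, ...]
    trusted_default: PrivacyClass   # trusted requesters not listed in any user class
    unknown_default: PrivacyClass   # unknown/unverified requesters not listed in any user class

    def classify(self, req: LocationRequest) -> PrivacyClass:
        """Assign a privacy class using only the information the request itself carries."""
        host = (urlparse(req.requester_url).hostname or "").lower()
        for cls in self.user_classes:
            if req.requester_identity and req.requester_identity in cls.requesters:
                return cls
            if req.requester_url in cls.requesters:
                return cls
            if any(host == d or host.endswith("." + d) for d in cls.domains):
                return cls
        # Assumption of this example: "trusted" requires a verified identity.
        return self.trusted_default if req.certificate_ok else self.unknown_default


def _in_period(now: time, period: Tuple[time, time]) -> bool:
    start, end = period
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end          # period wraps past midnight


def _distance_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle (haversine) distance between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def evaluate(cls: PrivacyClass, now: time, position: Tuple[float, float]) -> Rule:
    """Apply the class's rule together with its time-period and proximity restrictions."""
    if cls.deny_between and _in_period(now, cls.deny_between):
        return Rule.DENY
    if cls.near:
        lat, lon, radius_km = cls.near
        if _distance_km(position, (lat, lon)) > radius_km:
            return Rule.DENY
    return cls.rule


# Constructed sample policy: two user-specified classes plus the two default classes.
FAMILY = PrivacyClass("family", Rule.NOTIFY_ONLY, domains=("family-locator.example",),
                      deny_between=(time(23, 0), time(7, 0)))        # no access overnight
WORK = PrivacyClass("work", Rule.ALLOW, requesters=("https://fleet.example/locate",),
                    near=(37.7749, -122.4194, 5.0))                  # only within 5 km of the office
POLICY = PrivacyPolicy(
    user_classes=(FAMILY, WORK),
    trusted_default=PrivacyClass("trusted-default", Rule.NOTIFY_AND_ASK),
    unknown_default=PrivacyClass("unknown-default", Rule.DENY),
)


def decide(policy: PrivacyPolicy, req: LocationRequest, now: time,
           position: Tuple[float, float]) -> Rule:
    """Classify the request, then evaluate its class's rules for the current time and position."""
    return evaluate(policy.classify(req), now, position)
```

Note that the unknown default denies rather than asks: an unverified requester that merely claims a friendly URL gets no notification prompt at all, which is the safer default when the classification input comes from the requester.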
Exemplary initialization and software update methods
In an exemplary embodiment of the inventive concept, a mobile station without user privacy control may initially be provided with a software module that enables enhanced user privacy for mobile station LCS by receiving or downloading data from a network server. Software data and instructions for installing and implementing the privacy engine 120 (fig. 1), including the initial privacy policy, may be received or downloaded to the mobile station 102 from a network server (e.g., the privacy management server 104 of fig. 1, or another network server not shown) via the wireless communication module 112. Receiving and installing the received or downloaded data may be performed by a browser or other component in the application module 114, or by components included in the other modules 124. Methods for receiving or downloading applications and software modules to mobile stations via wireless network connections are well known to those skilled in the art of wireless communications. As noted above, exemplary methods and systems for downloading and executing applications in a mobile station via a wireless network are described in the Lundblade reference. In one embodiment, the mobile station includes a software platform that facilitates connecting applications to the mobile station, such as the Binary Runtime Environment for Wireless™ (BREW) software developed by QUALCOMM corporation, headquartered in San Diego, Calif.
Software updates and changes to the privacy engine 120 (still referring to fig. 1), privacy policies, and other mobile station software modules and components may also be received or downloaded from a network server, as described above. In particular, the user (or other entity obtaining permission to do so) may update the privacy policy using the wireless network connection. Optionally, the user may also update the privacy policy using the user interface 106. In another alternative embodiment, the user may update the privacy policy by entering data using an external local application connected via the local communication module 118 (as shown by the external local application block 116). In another alternative embodiment, the user may enter user-specified privacy policy data using a removable data storage device (not shown in FIG. 1). The user-specified privacy policy data includes privacy classes and privacy rules that may be selected, modified or created according to the requirements or preferences of the mobile station user. In one advantageous embodiment of the inventive concept, mobile station 102 is provided by a manufacturer or service provider having an initial or default privacy engine that includes a generic privacy policy. The generic privacy policy is then customized by the user to include the user-specified privacy levels and privacy rules by one or more of the following methods: 1) downloading user-specified privacy policy data from a network; 2) inputting a user-specified privacy policy using a user interface; 3) using an external local application in the locally connected device to input user-specified privacy policy data; or, 4) using a removable data storage device to input pre-stored user-specified privacy policy data. One exemplary implementation of a removable data storage device, such as a subscriber identity module, a universal subscriber identity module, or a removable identity module, is described below.
Exemplary method of enhanced user privacy control operation
Fig. 2(a) -2(d) illustrate a unified flow diagram of an exemplary method for enhancing user privacy for use in a mobile station LCS. The flow connections between fig. 2(a) and fig. 2(b) are represented by elements 214, 220, 230, and 232. Likewise, the flow connections between FIG. 2(a) and FIG. 2(c) are represented by elements 202, 208, and 223. The flow connection between fig. 2(b) and fig. 2(c) is represented by element 258. The flow connection between fig. 2(b) and fig. 2(d) is represented by elements 214 and 246. The flow connection between fig. 2(c) and fig. 2(d) is represented by element 246.
Element 202 in fig. 2(a) represents a state during which the privacy engine 120 (fig. 1) waits to receive a request for location data information (i.e., a location request). In step 204, the privacy engine 120 receives a location request via the data connection described above with reference to fig. 1. With respect to this exemplary implementation, the location request data may include any of the following information: 1) the network address and the type of location requesting application; 2) requester category (e.g., emergency services, business services, individuals); 3) requester identity (if available); 4) a codeword or digital certificate for requester identity verification; 5) requested quality of service (QoS). It will be apparent to those skilled in the communications arts that the scope of the present teachings includes the use of other types of location request data, e.g., geographic area information, user information, requester information, coordinate systems, etc., as may be desired in implementing other embodiments.
Referring again to fig. 2(a), in step 206, a location request counter is initialized to a value of zero. A value of zero represents the case where only one location request is being handled. If a subsequent location request is received while the first location request is being processed, the location request counter is incremented and later decremented as described below. The purpose of the location request counter is to manage multiple concurrent location requests.
Element 208 represents the flow connection from FIG. 2 (c). As described below, the location request data is processed by the inventive method at a step following step 286 of fig. 2(c) via flow connection 208 whenever a subsequent location request is received while a previous location request is being processed.
In step 210, the privacy engine 120 (FIG. 1) invokes the selected privacy policy, which assigns a privacy class to the location request received during step 204 (or via element 208). As described above, the privacy policy includes a list for assigning privacy levels to location requests, and privacy rules for making decisions based on the assigned privacy levels.
Referring again to fig. 1, the privacy engine 120 may selectively invoke the application module 114, other modules 124, or mobile station modules and components not shown in the figures to perform classification of location request data. For example, a web application may be invoked to verify digital certificate data.
Referring again to fig. 2(a), in step 212, the location request data is evaluated to determine whether the location request is an emergency service request. In accordance with normal statutory requirements, emergency service requests should override the privacy policy and return location data to the requester as quickly as possible. For emergency service requests, the method proceeds via flow connection 214 to step 256 (fig. 2(b)) to skip the privacy policy and speed up the response. For non-emergency requests, the method proceeds to step 216.
In step 216, the location request data is evaluated to determine if there are other requirements that must override the privacy policy. For example, certain countries may require priority to requests from law enforcement or other governmental agencies. If priority is required, the method proceeds via flow connection 214 to step 256 to speed up processing. If no priority is required, the method proceeds to step 218.
Referring again to fig. 2(a), in step 218, the privacy engine 120 (fig. 1) invokes a privacy policy to determine whether the location request should be denied based on the rules associated with the privacy level assigned to the request. The denial of the request for location information may be determined based on a number of criteria. In a first example, the request may be denied because the requestor is a business entity, and the privacy level assigned to the business entity specifies an automatic denial. In a second example, the request may be denied because the requestor identity is a private individual that is already at a privacy level with rules that specify automatic denial. In a third example, the request may be denied because the location request data does not include a digital certificate or password to prove the identity of the requestor, while the default privacy level for this category includes a rule that specifies automatic denial. In a fourth example, the user may have chosen to specify that all location requests other than those related to emergency services are at a privacy level that specifies automatic denial during a particular time period. It will be apparent to those skilled in the art of wireless communications that many other examples are encompassed within the scope of the present teachings.
If the decision made at step 218 rejects the location request, no location is calculated and the method proceeds to step 222 where a service reject message is sent to the location requesting application. As described below in more detail with reference to the description of the flow chart of fig. 2(b), step 222 may also be implemented via flow connection 220 after steps 238 or 242 of fig. 2 (b). After step 222, applicants' method advances to step 282 of FIG. 2(c) via process flow connection 223. As will be described in detail below, the method checks the location request counter in step 282 to determine if additional location requests are queued before returning to the idle state processing step 202 or performing further processing steps.
Returning to fig. 2(a), if it is determined in decision step 218 that the request should not be denied, a privacy policy is invoked in step 224 to determine whether user notification is required. If it is determined in step 224 that no user notification is required, then the inventive method proceeds via flow connection 230 to step 250 of FIG. 2(b) for further processing. This is explained in more detail in the description below with respect to fig. 2 (b).
If it is determined in step 224 that a user notification is required, in step 226, a notification is transmitted to the user via the user interface 106 (FIG. 1). The user interface 106 may alert the user that the location request has been granted using sound, image, vibration, or other means, and may communicate information related to the location request, such as the requester category, the requester identity, and/or the requested QoS, possibly using a graphical, textual, or audio display or other presentation.
In step 228, the privacy engine 120 invokes the privacy policy to determine whether the location request requires a user response in addition to the user notification. If not, the method proceeds via flow connection 230 to step 250 of FIG. 2(b) for further processing. If a user response is required, a timed wait for the user response is initiated in step 232.
Fig. 2(b) is a continuation of the unified flow diagram of fig. 2(a) -2 (c), starting with step 232 (timed wait for user response). Steps 234, 236 and 238 represent possible events that may terminate the timed wait period in step 232. Step 240 represents an event that may occur during the timed wait period in step 232.
If the timed wait for user response in step 232 is terminated by the user acceptance request event represented in step 234, the location request data is passed to step 250 for further processing.
If the timed wait for a user response in step 232 is terminated by the timeout event represented by step 236, i.e., no user response has been received, the location request data is passed to step 242 for further processing. Step 242 invokes the privacy policy to determine whether the absence of a user response requires denial. If denial is required, the method proceeds via flow connection 220 to step 222 (shown in FIG. 2(a)). If no denial is required in the absence of a user response, the method proceeds to step 250 for further processing.
If the user response timed wait in step 232 is terminated by the event represented by step 238 (user rejection request), then the method proceeds via flow connection 220 to step 222, which is shown in FIG. 2 (a).
As shown in fig. 2(b), if a new location request is received during the timed wait of step 232, i.e., the event represented by step 240 (arrival of a new location request during the wait) occurs before the timed wait for the user expires, the new location request data is received by the privacy engine 120 (fig. 1) and the method proceeds to step 244.
Still referring to fig. 2(b), in step 244, the new location request is evaluated to determine whether the request is an emergency service request. For emergency service requests, the method proceeds via flow connection 246 to step 288 (fig. 2(d)). In step 288, the location request counter is incremented and the method proceeds to step 290. In step 290, processing of the previous location request is suspended and the request is placed in a queue, awaiting subsequent processing, as described below. In another embodiment (not shown), the method may instead abort processing of the previous location request in step 290. In yet another embodiment (not shown), the apparatus is provisioned so that the PD module 122 (fig. 1) can handle multiple simultaneous requests. After step 290, the method proceeds via flow connection 214 to step 256 (fig. 2(b)) to expedite processing of the emergency service request. If the new request is not an emergency request, the method proceeds directly from step 244 to step 248 (FIG. 2(b)).
In step 248, the location request counter is incremented. The method then proceeds to step 260, where the new location request data is placed in the data queue. After completing step 260, applicants' method returns to step 232 and awaits a response from the user. In an alternative embodiment, rather than queuing immediately, additional steps may be inserted before step 248 to decide whether the new location request should be denied. Rejecting at this point requests that would not be accepted anyway may improve overall efficiency. In one example, requests specifying an unacceptable QoS are immediately rejected rather than placed in the queue.
As shown in fig. 2(b), step 250 may be entered from steps 234, 242 or (via flow connection 230) step 228 (fig. 2 (a)). In step 250, the location request data specifying the QoS is compared to the privacy rules applied to the current location request. To describe an exemplary implementation, QoS may represent the accuracy with which location data for a location-requesting application is to be returned. The location data may include latitude and longitude coordinate data, along with QoS data representing the accuracy of the location estimate. If the QoS specified by the location request data is consistent with the restrictions specified by the privacy rules applied to the current location request, the method proceeds to step 256. If the QoS specified by the location request data does not comply with the restrictions of the privacy policy, the QoS data is modified in step 252 to make it consistent before further processing in step 256. Further explanation setting forth the purpose and use of QoS specifications will be given in the exemplary applications section described below.
In step 256, the method activates the PD module 122 (fig. 1) to retrieve location data in accordance with the location request data and the current privacy policy specifications. As described above, when an urgent or other privacy priority request is received, the method may implement step 256 via flow connection 214 after steps 212, 216 (fig. 2(a)) or step 290 (fig. 2 (d)). The method then proceeds to step 258. In step 258, the method performs a timed wait for the PDM 122 response.
Fig. 2(c) is a continuation of the unified flow diagram of fig. 2, starting with a timed wait (timed wait for PDM response) of step 258 (fig. 2 (b)). Steps 262 and 264 represent events that may terminate the timed wait period in step 258. Step 266 also represents an event that may occur during the timed wait period in step 258. These steps are described in more detail below.
As shown in fig. 2(c), if the timed wait for the PDM response in step 258 is terminated by the event represented by step 262, i.e., the PDM 122 responds to the privacy engine 120 (fig. 1), the method proceeds from step 262 to decision step 270. If the timed wait of step 258 "times out", i.e., it is terminated by the event represented by step 264 (time out), the method proceeds from step 264 to step 272 and an error message is sent to the location requesting application. In an alternative embodiment (not shown), pre-stored location information may be sent instead of an error message. After step 272, the method proceeds to step 282 to check for pending location requests in the new location request queue.
As shown in fig. 2(c), if a new location request occurs during step 258, the method proceeds to step 266 (a new location request may arrive during the wait). In step 266, the privacy engine 120 (fig. 1) receives the new location request data. In a next step 268, the new location request is evaluated to determine whether the request is an emergency service request. For emergency service requests, the method proceeds via flow connection 246 to step 288 (fig. 2(d)) for the subsequent processing steps described above. If the new request is not an emergency request, the method proceeds directly from step 268 to step 274.
In step 274, the method increments the location request counter. In a next step 278, the method places the new location request in a data queue. After completing step 278, the method returns to step 258 to continue to perform timed waits for PDM responses.
When the timed wait in step 258 is interrupted by the PDM 122 responding to the privacy engine 120 (fig. 1), the method proceeds from step 258 to step 262, as shown in fig. 2(c). In step 262, the PDM data is transferred from the PDM 122 to the privacy engine 120. The PDM data includes position coordinate data and QoS data. In step 270, the QoS specified by the PDM data is compared to the privacy rules relating to the privacy class of the current location request. To describe an exemplary implementation, QoS may represent the accuracy of the estimate of the PDM position coordinate data to be returned to a location-requesting application. For example, the PDM data may include latitude and longitude data, along with QoS data representing the accuracy of the position estimate. If the QoS of the PDM data is consistent with the restrictions specified by the privacy rules relating to the privacy class of the current location request, the method proceeds to step 280 for further processing. If the QoS specified by the PDM data does not conform to the then-current privacy policy restrictions, the QoS data is modified to conform in step 276. After reformatting the position estimate at step 276, the method proceeds to step 280. A more detailed description of the purpose and use of the QoS specification is provided in the exemplary applications section below.
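Steps 252 and 276 both state that QoS data is "modified to conform" without saying how. The following Python is an added example, not code from the patent or from the assignee: it clamps a requested accuracy that is finer than the privacy rule permits (step 252) and coarsens a PDM estimate that is finer than permitted (step 276) by reporting only the centre of a grid cell whose size equals the permitted radius. The grid-snapping technique, the `LocationEstimate` fields, the `min_radius_m` parameter and the sample coordinates are my assumptions; the coordinates are constructed.

```python
"""QoS enforcement on location data for steps 252 and 276.
Added example; not the patent's or the assignee's code. Grid snapping is an
assumed coarsening technique, chosen here because it is deterministic."""
import math
from dataclasses import dataclass

METRES_PER_DEG_LAT = 111_320.0   # approximate; adequate for sizing a grid cell
EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class LocationEstimate:
    lat: float
    lon: float
    accuracy_m: float   # radius within which the true position is asserted to lie


def clamp_requested_accuracy(requested_m: float, min_radius_m: float) -> float:
    """Step 252: a request may not ask for finer accuracy than the privacy rule permits."""
    return max(requested_m, min_radius_m)


def coarsen(est: LocationEstimate, min_radius_m: float) -> LocationEstimate:
    """Step 276: if the PDM estimate is finer than permitted, report only its grid cell."""
    if est.accuracy_m >= min_radius_m:
        return est   # already compliant: pass through unchanged
    cell_lat_deg = min_radius_m / METRES_PER_DEG_LAT
    cos_lat = max(math.cos(math.radians(est.lat)), 1e-6)   # avoid division blow-up at the poles
    cell_lon_deg = min_radius_m / (METRES_PER_DEG_LAT * cos_lat)
    # Report the centre of the enclosing cell. The true point lies within half a cell
    # diagonal (about 0.71 * min_radius_m) of the centre, so the reported radius still
    # bounds the error. Snapping is deterministic: repeated requests for a stationary
    # user return the same cell, so a requester cannot average many responses to
    # recover the finer position, which random perturbation alone would allow.
    lat = (math.floor(est.lat / cell_lat_deg) + 0.5) * cell_lat_deg
    lon = (math.floor(est.lon / cell_lon_deg) + 0.5) * cell_lon_deg
    return LocationEstimate(lat, lon, min_radius_m)


def distance_m(a: LocationEstimate, b: LocationEstimate) -> float:
    """Great-circle (haversine) distance, used to check that coarsening stays in bounds."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi, dlmb = phi2 - phi1, math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


if __name__ == "__main__":
    # Constructed PDM fix with 5 m accuracy under a rule permitting no finer than 1000 m.
    fix = LocationEstimate(37.4219983, -122.084, 5.0)
    coarse = coarsen(fix, 1000.0)
    print("requested 5 m ->", clamp_requested_accuracy(5.0, 1000.0), "m")
    print("reported:", coarse, "displacement %.0f m" % distance_m(fix, coarse))
```

The pass-through branch matters as much as the coarsening: an estimate that is already coarser than the rule requires is returned unchanged, so the engine never reports a position as more precise than the PDM actually produced.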
In step 280, the PDM data is sent to the location request application. The method then proceeds to step 282 where the location request counter is queried to determine if a new location request is pending. If the value of the counter is determined to be zero, indicating that there are no requests pending, the method returns to the wait state 202 (FIG. 2 (a)). If the value of the counter is an integer greater than zero, the method proceeds to step 284. In step 284, new location request data is retrieved from the new location request data queue.
The method then proceeds to step 286, where the location request counter is decremented. The method then proceeds (via flow connection 208) to step 210 (fig. 2(a)) to further process the new location request data.
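The counter and queue bookkeeping of steps 240 through 248, 266 through 278 and 282 through 290, including the suspension of the in-flight request when an emergency request arrives (step 290) and the alternative embodiment that rejects requests with an unacceptable QoS before queuing them, as an added Python example that is not the patent's or the assignee's code. The `RequestQueue` class, its `admit` hook and the request identifiers are assumptions, and the scenario is constructed.

```python
"""Location request counter and queue (steps 240-248, 266-278, 282-290).
Added example with a constructed scenario; not the patent's or the assignee's code."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, List, Optional, Tuple


@dataclass
class Request:
    request_id: str
    emergency: bool = False
    requested_accuracy_m: float = 100.0


class RequestQueue:
    def __init__(self, admit: Optional[Callable[[Request], bool]] = None):
        # Optional early-rejection hook (assumed interface) for the alternative embodiment
        # in which requests with an unacceptable QoS are rejected instead of queued.
        self._admit = admit
        self._queue: Deque[Request] = deque()
        self.counter = 0                       # the location request counter
        self.current: Optional[Request] = None
        self.log: List[Tuple[str, str]] = []

    def start(self, req: Request) -> None:
        self.current = req
        self.log.append(("processing", req.request_id))

    def arrive_during_wait(self, req: Request) -> str:
        """A new request arrives while step 232 or step 258 is waiting."""
        if self._admit is not None and not self._admit(req):
            self.log.append(("rejected", req.request_id))
            return "rejected"                  # service reject; never counted or queued
        if req.emergency:
            # Steps 288/290: suspend the in-flight request at the head of the queue and
            # expedite the emergency request via flow connection 214 to step 256.
            if self.current is not None:
                self._queue.appendleft(self.current)
                self.counter += 1
            self.current = req
            self.log.append(("expedite", req.request_id))
            return "expedite"
        self._queue.append(req)                # steps 260 / 278
        self.counter += 1                      # steps 248 / 274
        self.log.append(("queued", req.request_id))
        return "queued"

    def complete_current(self) -> Optional[Request]:
        """Steps 282-286: after responding, dequeue the next pending request or go idle."""
        if self.current is not None:
            self.log.append(("done", self.current.request_id))
        self.current = None
        if self.counter == 0:
            return None                        # back to the idle state of step 202
        nxt = self._queue.popleft()            # step 284
        self.counter -= 1                      # step 286
        self.start(nxt)
        return nxt

    def consistent(self) -> bool:
        """Invariant the bookkeeping must preserve: counter equals queued requests."""
        return self.counter == len(self._queue)


def run_scenario() -> List[Tuple[str, str]]:
    """Constructed sequence: A in flight, B arrives, X is rejected, emergency E pre-empts."""
    q = RequestQueue(admit=lambda r: r.requested_accuracy_m >= 50.0)
    q.start(Request("A"))
    q.arrive_during_wait(Request("B"))
    q.arrive_during_wait(Request("X", requested_accuracy_m=5.0))
    q.arrive_during_wait(Request("E", emergency=True))
    while q.complete_current() is not None:
        if not q.consistent():
            raise RuntimeError("counter and queue disagree")
    return q.log
```

The counter is only ever changed in the same statement that changes the queue, which is what keeps step 282's zero test trustworthy: a counter that drifts from the queue length would either leave a request stranded or attempt to dequeue from an empty queue.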
Exemplary applications
In a typical application of the teachings of the present invention, a plurality of user-configurable privacy levels, and the characteristics or rules pertaining to them, may be defined. As described above with reference to fig. 1, user configurability may be achieved via a data connection between the privacy engine 120 and the user interface 106, the privacy management server 104 (or another web server not shown in the figures), or the external local application 116. It is desirable to allow configuration of, and changes to, the privacy engine 120 and privacy policy only by secure means. By way of example, the secure means may include various methods and apparatus for providing secure digital communications, the use of cryptography, digital certificates, and other well-known authentication and authorization methods.
Privacy classes may include, but are not limited to, the following types:
1. a default privacy level for unknown or unclaimed (i.e., untrusted) location requesting applications and requester identities that are not specifically included in any other level;
2. a default privacy level for trusted location requesting applications and requester identities that are not specifically included in any other level;
3. user-specified levels covering designated location requesting applications and requester identities.
Each privacy class may include, but is not limited to, the following privacy rules:
1. a default acceptance or rejection, or acceptance subject to specified limits;
2. specification of user notification requirements:
a. notification always required or never required, or notification based on the requested QoS (e.g., the user specifies that notification is required for a location estimate with an accuracy greater than 10 meters);
b. notification based on whether the request is periodic or initiated on demand;
c. notification based on the time of occurrence, such as time of day, day of week, date or similar time-related restrictions;
3. display mode specifications for user notifications (e.g., pop-up icons in a graphical user interface, tones, music or other sound notifications, vibration notifications, etc.), and the information to be displayed (if any);
4. a specification of notification requirements relating to periodic requests, e.g., whether explicit notification is required for each periodic request or only for the first request in a periodic sequence;
5. QoS or location estimate accuracy specifications to be submitted (e.g., a privacy level may permit only zip code accuracy, or only accuracy no finer than a specified distance radius);
6. a default handling specification for the case in which the user does not respond to a notification (e.g., whether the request is allowed or disallowed when the user does not respond; the notification may be a pop-up window, with or without an "OK" button, that automatically disappears after a few seconds);
7. specifications configured according to rules based on the location of the mobile station or the time of day (for example, a user may establish a rule to modify or disable a response from a particular location or at a particular time of day).
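The branch taken by the decision steps 212 through 242 of fig. 2(a) and 2(b), driven by the privacy classes and rules just listed, can be modelled in a short policy-evaluation routine. The following Python is an added example written for this page, not code from the patent or from the assignee. The field names (`default_accept`, `notify`, `deny_window` and so on), the three-way `notify` setting, the string labels for categories and outcomes and the sample requester identities are assumptions; the policy and requests are constructed. A request without a valid certificate or password falls to the untrusted default class, which in this sample denies, matching the third denial example given for step 218.

```python
"""Which branch of steps 212-242 a location request takes, under the privacy classes
and rules listed above. Added example with constructed data; not the patent's code."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, Optional, Tuple

# Requester categories carried in the location request data (assumed labels).
EMERGENCY, PRIORITY, BUSINESS, INDIVIDUAL = "emergency", "priority", "business", "individual"
# Outcomes: step 256 directly; step 222; step 250; step 226 then 250; step 226 then 232.
EXPEDITE, DENY, PROCEED, NOTIFY, NOTIFY_AND_WAIT = (
    "expedite", "deny", "proceed", "notify", "notify_and_wait")


@dataclass
class LocationRequest:
    requester_id: str
    category: str
    authenticated: bool          # digital certificate or password present and valid
    requested_accuracy_m: float  # QoS: requested accuracy in metres
    periodic: bool = False
    first_in_sequence: bool = True


@dataclass
class PrivacyRules:
    """Rules of one privacy class (list items 1, 2, 4, 6 and 7 above; field names assumed)."""
    default_accept: bool = False
    notify: str = "never"                   # "always" | "never" | "qos"
    notify_if_finer_than_m: float = 10.0    # threshold used when notify == "qos"
    notify_periodic_first_only: bool = False
    require_response: bool = False
    accept_on_no_response: bool = False
    deny_window: Optional[Tuple[time, time]] = None   # deny all requests in these hours


@dataclass
class PrivacyPolicy:
    """Privacy classes 1-3: untrusted default, trusted default, user-specified per requester."""
    untrusted_default: PrivacyRules
    trusted_default: PrivacyRules
    user_specified: Dict[str, PrivacyRules] = field(default_factory=dict)

    def rules_for(self, req: LocationRequest) -> PrivacyRules:
        if req.requester_id in self.user_specified:
            return self.user_specified[req.requester_id]
        return self.trusted_default if req.authenticated else self.untrusted_default


def _in_window(now: time, window: Tuple[time, time]) -> bool:
    start, end = window   # a window may wrap past midnight, e.g. 22:00 to 07:00
    return start <= now < end if start <= end else (now >= start or now < end)


def evaluate(req: LocationRequest, policy: PrivacyPolicy, now: datetime) -> str:
    if req.category in (EMERGENCY, PRIORITY):
        return EXPEDITE                                   # steps 212 / 216 skip the policy
    rules = policy.rules_for(req)
    if not rules.default_accept:
        return DENY                                       # step 218, rule 1
    if rules.deny_window and _in_window(now.time(), rules.deny_window):
        return DENY                                       # step 218, time-window denial
    notify = rules.notify == "always" or (
        rules.notify == "qos" and req.requested_accuracy_m < rules.notify_if_finer_than_m)
    if notify and rules.notify_periodic_first_only and req.periodic and not req.first_in_sequence:
        notify = False                                    # rule 4: only the first of a series
    if not notify:
        return PROCEED                                    # step 224 -> step 250
    return NOTIFY_AND_WAIT if rules.require_response else NOTIFY   # step 228


def resolve_wait(rules: PrivacyRules, user_response: Optional[bool]) -> str:
    """Steps 234 (accepted), 238 (rejected) and 236/242 (timeout decided by rule 6)."""
    if user_response is True:
        return PROCEED
    if user_response is False:
        return DENY
    return PROCEED if rules.accept_on_no_response else DENY


def sample_decisions() -> Dict[str, str]:
    """Constructed policy and requests; returns the branch taken for each request."""
    friend = PrivacyRules(default_accept=True, notify="always", require_response=True,
                          deny_window=(time(22, 0), time(7, 0)))
    policy = PrivacyPolicy(
        untrusted_default=PrivacyRules(),                                  # deny everything
        trusted_default=PrivacyRules(default_accept=True, notify="qos",    # notify below 10 m
                                     notify_periodic_first_only=True),
        user_specified={"friend-finder": friend})
    noon, night = datetime(2004, 2, 17, 12, 0), datetime(2004, 2, 17, 23, 30)
    return {
        "emergency": evaluate(LocationRequest("psap", EMERGENCY, False, 50), policy, noon),
        "unknown_business": evaluate(LocationRequest("adnet", BUSINESS, False, 50), policy, noon),
        "trusted_coarse": evaluate(LocationRequest("maps", BUSINESS, True, 500), policy, noon),
        "trusted_fine": evaluate(LocationRequest("maps", BUSINESS, True, 5), policy, noon),
        "periodic_followup": evaluate(LocationRequest("maps", BUSINESS, True, 5, periodic=True,
                                                      first_in_sequence=False), policy, noon),
        "friend_day": evaluate(LocationRequest("friend-finder", INDIVIDUAL, True, 5), policy, noon),
        "friend_night": evaluate(LocationRequest("friend-finder", INDIVIDUAL, True, 5), policy, night),
        "friend_timeout": resolve_wait(friend, None),
    }
```

Two design points carry over from the text: the emergency and priority checks run before any policy lookup, so a misconfigured policy cannot block them, and the timeout branch of step 242 is decided by the class's own rule rather than by a global default, so a user can choose fail-open for a trusted friend-finder and fail-closed for everything else.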
In one embodiment of the inventive concept, mobile station 102 (fig. 1) may include a Subscriber Identity Module (SIM), a Universal Subscriber Identity Module (USIM), or a removable subscriber identity module (RUIM). SIM, USIM and RUIM devices are removable storage components for mobile stations that can guarantee the secure storage of user-specific information. As previously described with reference to fig. 1, a SIM, USIM or RUIM device may be included in the other module block 112. In this exemplary embodiment, the user-specific privacy policy data is stored in the SIM, USIM or RUIM device. The device may be connected to the privacy engine 120 (connection not shown in fig. 1) and transmit user-specific privacy policy data to the privacy engine 120 to enable operation of the privacy engine 120 as described hereinabove. User-specific privacy policy data is also received from the privacy engine 120 for storage, both when privacy policy data is initially stored in the SIM, USIM or RUIM device and when the data is changed or updated. When the SIM, USIM or RUIM is removed from the mobile station 102, the user-specific privacy policy information may advantageously be deleted automatically from the privacy engine 120. The use of SIM, USIM or RUIM devices for removable storage of user-specific data in mobile stations is well known to those skilled in the art of communications. The implementation standard for SIM devices is described in the Third Generation Partnership Project (3GPP) Technical Specification Group Terminals reference, Subscriber Identity Module Application Programming Interface (SIM API) stage 1, Release 1999 (3GPP TS 02.19 V8.0.0), published in June 2001, the entire contents of which are hereby incorporated by reference into this application as teachings relating to the implementation of SIM devices.
It will be apparent to those skilled in the art that the present teachings include various embodiments in which other removable storage devices (e.g., smart cards or memory sticks) may be included in the mobile station and used in conjunction with the privacy engine to store user-specific privacy policy data.
In light of the various examples provided in the foregoing description, those of ordinary skill in the communications arts will recognize that the present teachings herein are broadly and generally applicable to user control and management of personal privacy information related to LCS.
Those of ordinary skill in the communications and computer arts will also appreciate that computer-readable media that explicitly implement the method steps of any of the embodiments herein may be used in accordance with the present teachings. For example, the method steps described above with reference to fig. 2(a) -2 (c) may be implemented as a series of computer executable instructions stored on a computer readable medium. Such media can include, but are not limited to, RAM, ROM, EPROM, EEPROM, floppy disks, hard disks, CD-ROMs, and the like. The present disclosure also includes method steps of any of the foregoing embodiments integrated as digital logic in an integrated circuit, such as a field programmable gate array, or programmable logic array, or other integrated circuit that can be constructed or modified to implement computer program instructions.
Mobile station 102 in accordance with the present teachings may include, but is not limited to: wireless telephones, personal digital assistants having wireless communication capabilities, laptop computers having wireless communication capabilities, and any other mobile digital devices that communicate personally via a wireless connection.
A number of embodiments of the inventive concept have been described. It should be understood, however, that various modifications may be made without departing from the scope of the concepts disclosed herein. For example, the present method may be performed in software or hardware, or in a combination of hardware and software. As another example, it should be appreciated that functionality described as part of one module may, in general, be equivalently implemented in another module. As another example, steps or actions shown or described in a particular order may generally be performed in a different order, unless the claims recite the particular order of the steps.
It is to be understood, therefore, that the inventive concepts are not to be limited by the specific illustrated embodiments, but only by the scope of the appended claims. This description may provide examples of similar features, as recited in the claims, but such similar features should not be considered equivalent to those in the claims, unless such identification is necessary for an understanding of the scope of the claims. In some instances, the intended distinction between claimed features and described features is emphasized through the use of slightly different terminology.

Claims (37)

1. A privacy control system for use in a mobile station, wherein the mobile station is in communication with a wireless communication system, and the privacy control system provides geolocation information associated with the mobile station, the privacy control system comprising:
a) a privacy engine comprising a privacy policy component having at least one privacy rule, wherein the privacy engine receives a location request generated by a location requestor external to the mobile station in relation to a geolocation of the mobile station and determines whether to respond to the location request based in part on the at least one privacy rule; and
b) a location determination module (PDM) coupled to and responsive to the privacy engine, wherein the PDM provides a geolocation estimate of the mobile station to the privacy engine;
wherein the privacy engine receives the geolocation estimate from the PDM and selectively responds to the location request by processing the location estimate and providing a response message in accordance with the privacy policy component.
2. The privacy control system of claim 1, wherein the PDM operates according to one or more of the following methods: global positioning system (GPS), assisted GPS, advanced forward link trilateration, time of arrival, enhanced observed time difference, and location based on identifying a wireless communication cell in which a mobile station operates.
3. The privacy control system of claim 1, further comprising a wireless network communication module coupled to the privacy engine and the wireless communication system, wherein the wireless network communication module is configured to receive the location request from the wireless communication system and send a response message to the wireless communication system, the wireless network communication module further configured to receive data and software instructions from the wireless communication system and send data and software instructions to the wireless communication system.
4. The privacy control system of claim 3, wherein the privacy engine comprises software downloaded from the wireless communication system.
5. The privacy control system of claim 3, wherein the privacy engine is modified with a software upgrade downloaded from the wireless communication system.
6. The privacy control system of claim 3, wherein the privacy policy comprises software downloaded from the wireless communication system.
7. The privacy control system of claim 3, wherein the privacy policy is modified with updates downloaded from the wireless communication system.
8. The privacy control system of claim 7, wherein the updates include user-specific privacy policy data.
9. The privacy control system of claim 3, wherein the location request is received from an external application connected to the wireless communication system.
10. The privacy control system of claim 1, wherein the location request is received from a local software application executing within the mobile station.
11. The privacy control system of claim 1, further comprising a local communication module coupled to the privacy engine and an external local application, wherein the local communication module is configured to receive the location request from the external local application and send a response message to the external local application, the local communication module further configured to receive data and software instructions from and send data and software instructions to the external local application.
12. The privacy control system of claim 11, wherein the privacy engine comprises software downloaded from an external local application.
13. The privacy control system of claim 11, wherein the privacy engine is modified with a software upgrade by software instructions downloaded from an external local application.
14. The privacy control system of claim 11, wherein the privacy policy comprises software downloaded from an external local application.
15. The privacy control system of claim 11, wherein the privacy policy is modified with updates downloaded from an external local application.
16. The privacy control system of claim 15, wherein the update comprises user-specific privacy policy data.
17. The privacy control system of claim 11, wherein the location request is received from an external local application.
18. The privacy control system of claim 1, further comprising a user interface coupled to the privacy engine, wherein the user interface is configured to receive input from a user, and the user input utilizes an update to alter the privacy policy.
19. The privacy control system of claim 18, wherein the updates include user-specific privacy policy data.
20. The privacy control system of claim 18, wherein the user interface provides location request notifications to the user in accordance with the privacy policy, and the user interface is configured to receive responses from the user in response to the location request notifications.
21. The privacy control system of claim 20, wherein the privacy policy includes a plurality of privacy classes, wherein the privacy classes classify location requests received by the privacy engine, and the privacy policy further includes privacy rules that determine responses to location requests for each privacy class, and the privacy rules include at least one of:
a) rules requiring default acceptance or rejection of location requests;
b) rules requiring user notification of location requests;
c) rules for user notification based on requested quality of service requirements;
d) rules requiring user notification based on whether the location request is initiated periodically or on-demand;
e) rules requiring user notification based on the occurrence time of the location request;
f) a rule specifying a display mode for user notification;
g) a rule specifying a range of accuracy of the location estimate to be provided;
h) rules requiring default handling of response messages if the user does not respond to the user notification; and
i) rules specifying response message processing based on the current geographic location of the mobile station.
22. The privacy control system of claim 1, further comprising a removable data storage device, wherein the removable data storage device is coupled to the privacy engine, and the removable data storage device is configured to receive, store, and transmit user-specific privacy policy data.
23. The privacy control system of claim 22, wherein the removable data storage device comprises a subscriber identity module device.
24. The privacy control system of claim 22, wherein the removable data storage device comprises a universal subscriber identity module device.
25. The privacy control system of claim 22, wherein the removable data storage device comprises a removable subscriber identity module device.
26. A method in a mobile station of providing privacy control of geolocation information of the mobile station, wherein the mobile station is in communication with a wireless communication system, the mobile station including a privacy engine comprising software instructions, the software instructions of the privacy engine further comprising privacy policy instructions, wherein the mobile station further includes a location determination module, PDM, capable of providing an estimate of the geolocation of the mobile station, the method comprising the steps of:
a) receiving a location request for a current geolocation of the mobile station;
b) processing the location request in accordance with software instructions of the privacy engine, the software instructions of the privacy engine including privacy rules that determine whether to respond to the location request based in part on information included in the location request;
c) obtaining a geolocation estimate of the mobile station;
d) processing the location estimate in accordance with the location request, software instructions of the privacy engine, and the privacy rules; and
e) selectively providing a response message responsive to the location request, software instructions of the privacy engine, the location estimate, and the privacy rules.
27. The privacy control method of claim 26, wherein the step b) of processing the location request further comprises the step of processing an emergency location request by skipping the privacy policy instructions to provide an emergency response message.
28. The privacy control method of claim 27, wherein the step b) of processing the location request comprises processing a plurality of concurrent location requests.
29. The privacy control method of claim 28, wherein processing of pending location requests is suspended while the emergency location request is processed.
30. The privacy control method of claim 26, further comprising the step of notifying a user of a location request.
31. The privacy control method of claim 30, wherein the privacy policy instructions include privacy classes for classifying the location request received in step a), wherein the privacy policy instructions further include privacy rules for determining a response to the location request for each privacy class, and the privacy rules include at least one of the following rules:
a) rules requiring default acceptance or rejection of location requests;
b) rules requiring user notification of location requests;
c) rules for user notification based on requested quality of service requirements;
d) rules requiring user notification based on whether the location request is initiated periodically or on-demand;
e) rules requiring user notification based on the occurrence time of the location request;
f) a rule specifying a display mode for user notification;
g) a rule specifying a range of accuracy of the location estimate to be provided;
h) rules requiring default handling of response messages if the user does not respond to the user notification; and
i) rules specifying response message processing based on the current geolocation of the mobile station.
32. An apparatus in a mobile station that provides privacy control of geolocation information of the mobile station, wherein the mobile station is in communication with a wireless communication system, the mobile station including a privacy engine comprising software instructions, the privacy engine's software instructions further comprising privacy policy instructions, and wherein the mobile station further includes a location determination module (PDM) capable of providing an estimate of the geolocation of the mobile station, the apparatus comprising:
a) means for receiving a location request for a current geolocation of the mobile station;
b) means for processing the location request in accordance with software instructions of the privacy engine, the software instructions of the privacy engine including privacy rules that determine whether to respond to the location request based in part on information included in the location request;
c) means for obtaining a geolocation estimate of the mobile station;
d) means for processing the location estimate in accordance with the location request, software instructions of the privacy engine, and the privacy rules; and
e) means for selectively providing a response message in response to the location request, the software instructions of the privacy engine, the location estimate, and the privacy rules.
33. The privacy control apparatus of claim 32, wherein means for processing the location request further comprises means for skipping the privacy policy instructions to process an emergency location request and provide an emergency response message.
34. The privacy control apparatus of claim 33, wherein means for processing the location request further comprises means for processing a plurality of concurrent location requests.
35. The privacy control apparatus of claim 34, wherein processing of pending location requests is suspended when processing the emergency location request.
36. The privacy control apparatus of claim 32, further comprising means for notifying a user of a location request.
37. The privacy control apparatus of claim 36, wherein the privacy policy comprises privacy classes for classifying location requests received in step a), and wherein the privacy policy further comprises privacy rules for determining a response to a location request for each privacy class, and wherein the privacy rules comprise at least one of the following rules:
a) rules requiring default acceptance or rejection of location requests;
b) rules requiring user notification of location requests;
c) rules for user notification based on requested quality of service requirements;
d) rules requiring user notification based on whether the location request is initiated periodically or on-demand;
e) rules requiring user notification based on the time at which the location request occurs;
f) a rule specifying a display mode for user notification;
g) a rule specifying a range of accuracy of the location estimate to be provided;
h) rules requiring default handling of response messages if the user does not respond to the user notification; and
i) rules specifying response message processing based on the current geolocation of the mobile station.
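The claims above describe the structure of a mobile-station privacy engine (emergency bypass in claim 33, concurrent and suspended requests in claims 34 and 35, and the per-class rule set a) through i) in claim 37) without showing how such rules would be evaluated. The following is an added illustration written for this page; it is not code from the patent or from Qualcomm, and every class name, rule field, sample policy and coordinate in it is a constructed assumption. It shows one way the rules of claim 37 can be combined into a single decision, with the emergency path skipping the policy and parking pending requests, and with rule g) applied by coarsening the reported fix rather than merely relabelling its accuracy.

```python
"""Toy location-services privacy engine (added example, not the patent's code)."""
import math
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    ACCEPT = "accept"   # answer with a (possibly coarsened) location estimate
    REJECT = "reject"   # answer with a rejection message
    NOTIFY = "notify"   # ask the user before answering


@dataclass(frozen=True)
class LocationRequest:
    requester: str                 # identity of the client (hypothetical field)
    privacy_class: str             # class the requester was sorted into
    emergency: bool = False        # emergency requests bypass the policy (claim 33)
    qos_accuracy_m: float = 1000.0 # accuracy the requester asks for, in metres
    periodic: bool = False         # periodic tracking vs. one-off request
    hour_of_day: int = 12          # local hour at which the request arrived


@dataclass
class ClassRules:
    """Rules for one privacy class; letters refer to claim 37 items."""
    default: Action = Action.REJECT                         # a) default accept/reject
    notify_always: bool = False                             # b) always notify
    notify_if_qos_finer_than_m: Optional[float] = None      # c) notify on tight QoS
    notify_if_periodic: bool = False                        # d) notify on tracking
    notify_hours: Optional[Tuple[int, int]] = None          # e) notify in [start, end)
    display_mode: str = "silent"                            # f) how to show the notice
    min_reported_accuracy_m: float = 0.0                    # g) coarsest fix to report
    on_no_response: Action = Action.REJECT                  # h) if the user never answers
    deny_inside: Optional[Tuple[float, float, float]] = None  # i) (lat, lon, radius_m)


def distance_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Haversine great-circle distance in metres (mean Earth radius)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000.0 * math.asin(math.sqrt(a))


def coarsen(lat: float, lon: float, metres: float) -> Tuple[float, float]:
    """Snap a fix to a grid of roughly `metres` so the reported accuracy is honest."""
    step_lat = metres / 111_000.0
    step_lon = metres / (111_000.0 * max(math.cos(math.radians(lat)), 1e-6))
    return round(lat / step_lat) * step_lat, round(lon / step_lon) * step_lon


class PrivacyEngine:
    def __init__(self, policy: dict):
        self.policy = policy                    # privacy_class -> ClassRules
        self.pending: List[LocationRequest] = []    # concurrent requests (claim 34)
        self.suspended: List[LocationRequest] = []  # parked during an emergency (claim 35)

    def submit(self, req: LocationRequest) -> None:
        self.pending.append(req)

    def resume(self) -> None:
        """Return requests parked during an emergency to the pending queue."""
        self.pending.extend(self.suspended)
        self.suspended.clear()

    def decide(self, req: LocationRequest, lat: float, lon: float) -> Action:
        rules = self.policy.get(req.privacy_class)
        if rules is None:                       # unknown class: never disclose
            return Action.REJECT
        if rules.deny_inside is not None:       # i) position-dependent rule first
            clat, clon, radius = rules.deny_inside
            if distance_m(lat, lon, clat, clon) <= radius:
                return Action.REJECT
        needs_notify = (
            rules.notify_always                                                    # b)
            or (rules.notify_if_qos_finer_than_m is not None
                and req.qos_accuracy_m < rules.notify_if_qos_finer_than_m)         # c)
            or (rules.notify_if_periodic and req.periodic)                         # d)
            or (rules.notify_hours is not None
                and rules.notify_hours[0] <= req.hour_of_day < rules.notify_hours[1])  # e)
        )
        return Action.NOTIFY if needs_notify else rules.default                    # a)

    def respond(self, req: LocationRequest, lat: float, lon: float, accuracy_m: float,
                user_answer: Optional[bool] = None) -> dict:
        """Build the response message for one request given the PDM's estimate."""
        if req.emergency:
            # Skip the policy entirely and suspend other pending work (claims 33, 35).
            self.suspended.extend(self.pending)
            self.pending.clear()
            return {"status": "ok", "lat": lat, "lon": lon,
                    "accuracy_m": accuracy_m, "emergency": True}
        rules = self.policy.get(req.privacy_class, ClassRules())
        action = self.decide(req, lat, lon)
        if action is Action.NOTIFY:
            if user_answer is None:
                action = rules.on_no_response                                      # h)
            else:
                action = Action.ACCEPT if user_answer else Action.REJECT
        if action is Action.REJECT:
            return {"status": "rejected", "emergency": False}
        reported = max(accuracy_m, rules.min_reported_accuracy_m)                  # g)
        rlat, rlon = coarsen(lat, lon, reported) if reported > accuracy_m else (lat, lon)
        return {"status": "ok", "lat": rlat, "lon": rlon,
                "accuracy_m": reported, "emergency": False}


# Constructed sample policy: friends get coarse fixes by default, are asked before a
# fine fix or a night-time request, and are never located inside a home zone.
SAMPLE_POLICY = {
    "friends": ClassRules(default=Action.ACCEPT, notify_if_qos_finer_than_m=100.0,
                          notify_hours=(0, 7), min_reported_accuracy_m=500.0,
                          deny_inside=(37.7749, -122.4194, 1000.0)),
}
```

The design point worth noting is the ordering: the position-dependent rule i) is evaluated before any notification rule, so the user is never prompted about a request that the policy would refuse anyway, and the emergency path touches none of the rules, which is what lets it be audited separately from the ordinary decision logic.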
HK06108227.2A 2003-02-14 2004-02-17 System, method, and apparatus for location services privacy management with a mobile station HK1088165B (en)

Applications Claiming Priority (7)

Application Number Priority Date Filing Date Title
US44756303P 2003-02-14 2003-02-14
US60/447,563 2003-02-14
US49076503P 2003-07-28 2003-07-28
US60/490,765 2003-07-28
US10/779,109 2004-02-13
US10/779,109 US7088237B2 (en) 2003-02-14 2004-02-13 Enhanced user privacy for mobile station location services
PCT/US2004/004670 WO2004075594A1 (en) 2003-02-14 2004-02-17 Enhanced user privacy for mobile station location services

Publications (2)

Publication Number Publication Date
HK1088165A1 HK1088165A1 (en) 2006-10-27
HK1088165B true HK1088165B (en) 2010-07-23
