HK1246440B - Privacy enhanced personal search index - Google Patents
Privacy enhanced personal search index
- Publication number: HK1246440B (application HK18105879.5A)
- Authority: HK (Hong Kong)
- Prior art keywords: opaque, document, encrypted, query, digest
Description
Background Art
Cloud storage systems are file hosting services that allow users to upload and synchronize files to one or more storage devices and later access those files from a web browser or from the user's local device. Searching for files within a cloud storage system raises several privacy concerns, because the cloud storage service provider has access to the documents, the document index and the metadata in plaintext. Although various techniques and approaches have been developed to address these concerns, they rely on the documents being provided to the cloud storage system in plaintext. As a result, if the cloud storage system is compromised, every user who stores data with the service is potentially at risk.
The aspects disclosed herein are made with respect to these and other general considerations. Also, although relatively specific problems may be discussed, it should be understood that the examples should not be limited to solving the specific problems identified in the background or elsewhere in this disclosure.
Summary of the Invention
This summary is provided to introduce, in simplified form, a selection of concepts that are further described below in the detailed description. It is not intended to identify key or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
Examples of the present disclosure describe systems and methods for enhancing the privacy of a personal search index. In some aspects, a personal plaintext document is created on a first device (e.g., a client device) that communicates with a second device (e.g., a server device). The second device may be part of a distributed network (e.g., operated by a cloud-based service provider). The personal plaintext document may be used to generate, on the first device, an encrypted document digest and an encrypted document. The encrypted document digest and the encrypted document may then be transmitted to the second device. The second device may decrypt the document digest, build a personal search index from the decrypted document digest, and store the encrypted document in at least one data repository. The first device may subsequently receive a plaintext search query. The search query may be used to generate an opaque search query digest that is transmitted to the second device. The second device may use the opaque search query digest to search the personal search index and provide opaque search query results. The opaque search query results may be used to retrieve the encrypted document from the data repository. The opaque search query results and the retrieved encrypted document may then be transmitted to the client device, which uses them to generate plaintext search results.
This summary is provided to introduce, in simplified form, a selection of concepts that are further described below in the detailed description. It is not intended to identify key or essential features of the claimed subject matter, nor is it intended to limit the scope of the claimed subject matter. Other aspects, features and/or advantages of the examples will be set forth in part in the description that follows, will in part be apparent from the description, or may be learned by practice of the present disclosure.
BRIEF DESCRIPTION OF THE DRAWINGS
Non-limiting and non-exhaustive examples are described with reference to the following figures.
FIG. 1 shows an overview of an example system for a privacy-enhanced personal search index for cloud services as described herein.
FIG. 2A and FIG. 2B are diagrams of a client computing device and a server, respectively, as described herein.
FIG. 3 shows an example method of processing a document for use with a privacy-enhanced personal search index for cloud services as described herein.
FIG. 4A shows an example method of creating an encrypted opaque document digest as described herein.
FIG. 4B shows an example method of creating an encrypted document and document fragments as described herein.
FIG. 5 shows an example method of building a privacy-enhanced personal search index for a distributed network service as described herein.
FIG. 6 shows an example method of processing a query against encrypted documents for use with a privacy-enhanced personal search index for a distributed network service as described herein.
FIG. 7 shows an example method of retrieving encrypted documents using a privacy-enhanced personal search index for a distributed network service as described herein.
FIG. 8 shows an example method of generating plaintext search results using a privacy-enhanced personal search index for a distributed network service as described herein.
FIG. 9 is a block diagram showing an example of a computing device that may be used to practice aspects of the present disclosure.
FIG. 10A and FIG. 10B are simplified block diagrams of a mobile computing device that may be used to practice aspects of the present disclosure.
FIG. 11 is a simplified block diagram of a distributed computing system in which aspects of the present disclosure may be practiced.
DETAILED DESCRIPTION
Various aspects of the present disclosure are described more fully below with reference to the accompanying drawings, which form a part of this disclosure and show specific exemplary aspects. The different aspects of the disclosure may, however, be implemented in many different forms and should not be construed as limited to the aspects set forth herein; rather, these aspects are provided so that this disclosure will be thorough and complete and will fully convey the scope of the aspects to those skilled in the art. Aspects may be practiced as methods, systems or devices. Accordingly, aspects may take the form of a hardware implementation, an entirely software implementation, or an implementation combining software and hardware aspects. The following detailed description is therefore not to be taken in a limiting sense.
The present disclosure provides systems and methods for enhancing the privacy of a personal search index for a distributed network service such as a cloud service. As used herein, a personal search may refer to a search over non-public data (e.g., documents, audio files, video files, etc.) that is accessible only to the user who created and/or stored the data, or to a small group of privileged users. In various aspects, the methods may be practiced in a distributed computing environment comprising a trusted client environment and a partially trusted environment. As used herein, a trusted client environment may refer to a secure area on a first processing device (such as a client device) that provides protected loading and execution of code and data. As used herein, a partially trusted environment may refer to an unsecured area on a second device (e.g., a server device) that either does not permit code and data to be loaded and executed, or imposes security constraints before permitting code and data to be loaded and executed.
In some examples, plaintext data (e.g., a plaintext document) may be created on a client device. As used herein, a plaintext document may refer to human-readable data that is transmitted and/or stored in an unencrypted format. The client device may use the plaintext document to generate a document digest, convert the document digest into an opaque document digest, encrypt the opaque document digest, generate document fragments, and encrypt the document and the document fragments. As used herein, a document digest may refer to a compilation of metadata describing the document and terms taken from the document. In some examples, the terms and metadata of the document digest may be tokenized. As used herein, an opaque document may refer to a plaintext or other human-readable document whose data has been converted into a human-unreadable format using a data transformation technique. As used herein, a document fragment may include a brief synopsis of the document, metadata, and/or one or more sentences from the document. The encrypted opaque document digest and the encrypted document and document fragments may then be transmitted to the server device.
In an example, the second device (e.g., a server device) may decrypt the encrypted opaque document digest and use the decrypted opaque document digest to build a personal search index. As used herein, a personal search index may collect, parse and store document digest data in an index to facilitate fast and accurate information retrieval. The server device may also use a storage management utility to store the encrypted document and document fragments in a data repository. As used herein, a storage management utility may refer to the devices, processes and software used to manage storage devices and storage network solutions.
In some aspects, the client device may subsequently receive a plaintext search query. The client device may use the plaintext search query to generate a query digest and convert the query digest into an opaque query digest. As used herein, a query digest may refer to a compilation of metadata describing the search query and terms taken from the search query. The opaque query digest may then be transmitted to the server device. On receiving the opaque query digest, the server device may use it to search the personal search index and generate ranked query results. As used herein, ranked query results may refer to a set of opaque results that are sorted and/or prioritized according to at least one of several criteria, such as relevance, document age, document size, user profile information, and so on. The ranked query results may be used to retrieve encrypted documents and/or document fragments from the data repository. The encrypted documents and/or document fragments may then be transmitted to the client device. The client device may decrypt the received encrypted documents and/or document fragments and combine the ranked query results with the documents and/or document fragments. The client device may perform content-based ranking on the combined ranked query results and documents and/or document fragments to generate ranked plaintext search results.
Accordingly, aspects of the present disclosure provide a number of benefits, including but not limited to: enhanced personal document security; elimination of the transmission of plaintext user information, queries and search results to the cloud service; elimination of the need for all data stored with the cloud service to reside within a single trust boundary; minimization of the transmission of user keys to the cloud service; reduction of the security measures required of the cloud service; graceful retrofitting of a privacy-enhanced personal index onto older search services; among other examples.
FIG. 1 shows an overview of an example system for a privacy-enhanced personal search index for cloud services as described herein. Exemplary system 100 may be a combination of interdependent components that interact to form an integrated whole for improving recommendations from implicit feedback. The components of the system may be hardware components, or software implemented on and/or executed by the hardware components of the system. In an example, system 100 may include any of hardware components (e.g., used to execute/run an operating system (OS)) and software components running on the hardware (e.g., applications, application programming interfaces, modules, virtual machines, runtime libraries, etc.). In one example, exemplary system 100 may provide an environment in which software components run, abide by constraints set for their operation, and make use of the resources or facilities of system 100, where the components may be software (e.g., applications, programs, modules, etc.) running on one or more processing devices. For example, software (e.g., applications, operating instructions, modules, etc.) may be run on a processing device such as a computer, a mobile device (e.g., a smartphone/phone, a tablet computer) and/or any other electronic device. For examples of processing device operating environments, refer to the exemplary operating environments depicted in FIG. 9 to FIG. 11. In other examples, the components of the systems disclosed herein may be spread across multiple devices. For example, input may be entered on a client device (e.g., a processing device), and information may be processed or accessed from other devices in a network, such as one or more server devices.
As one example, system 100 includes client device 102A, client device 102B, client device 102C, distributed network 104, and a distributed network environment comprising one or more servers such as server device 106A, server device 106B and server device 106C. Those skilled in the art will recognize that the scale of a system such as system 100 may vary and may include more or fewer components than those depicted in FIG. 1. In some examples, interfacing between the components of system 100 may occur remotely, for example where the components of system 100 are spread across one or more devices of a distributed network.
Client computing device 102A, for example, may be a trusted environment configured to generate and/or receive one or more plaintext personal documents and to use them to generate encrypted opaque document digests and encrypted personal documents. Client computing device 102A may then transmit the encrypted opaque document digests and encrypted personal documents via network 104 to one or more of servers 106A, 106B and 106C. Server 106A, for example, may be configured to receive the encrypted opaque document digest and the encrypted personal document, decrypt the opaque document digest, use the decrypted opaque document digest to generate a personal search index, and store the encrypted personal document in a personal document data repository. Server 106A may be an untrusted or partially trusted environment, and may provide a service hosted by a cloud service provider.
Client computing device 102A may be further configured to receive a plaintext search query request, generate an opaque query digest, and transmit the opaque query digest via network 104 to one or more of servers 106A, 106B and 106C. Server 106A, for example, may be further configured to receive the opaque query digest, search the personal search index using the opaque query digest, generate ranked query results, and use the ranked query results to retrieve encrypted documents. Server 106A may then transmit the ranked query results and the retrieved encrypted documents to client computing device 102A via network 104. Client computing device 102A may be further configured to receive the ranked query results and the encrypted documents, decrypt the encrypted documents, generate ranked plaintext search results, and display the ranked plaintext search results in a display area of client computing device 102A.
FIG. 2A and FIG. 2B are exemplary diagrams of a client computing device 200 and a server computing device 220, respectively, as described herein. Client computing device 200 may include a document generation module 202, an encryption module 204, a query receiving module 206, a query processing module 208 and a result processing module 210, each of which may have one or more additional components. Document generation module 202 may be configured to generate and/or receive one or more personal documents. For example, document generation module 202 may include or interface with a word processing application, which may be used to generate plaintext text-based documents. Encryption module 204 may be configured to receive one or more personal documents and encrypt them. In some aspects, encryption module 204 performs operations along one or more processing paths. For example, encryption module 204 may perform operations along a document understanding pipeline path and a document encryption path.
In an example, the document understanding pipeline path may include using a received personal document to generate a plaintext document digest of the terms contained in the personal document and of metadata describing the personal document. A private transformation key (PTK) may be applied to the plaintext document digest to generate an opaque document digest. As used herein, a PTK may refer to a key or algorithm that uses a data transformation technique to convert a set of data values from a first data format of the source into a second data format. In some aspects, the data transformation technique preserves the structure of the personal document (e.g., an isometric transformation), so that approximate term matches, relative term frequencies and certain distance metrics are preserved within the opaque document digest. A private index key (PIK) may be applied to the opaque document digest to generate an encrypted opaque document digest. As used herein, a PIK may refer to a value provided by a designated authority as an encryption key used to protect the content of the personal document. The PIK may be generated using any known asymmetric (e.g., public-key encryption) or symmetric (e.g., password-based encryption) cryptographic method. The encrypted opaque document digest and the PIK may then be processed for export to server device 220, which concludes the document understanding pipeline path.
In an example, the document encryption path may include using the plaintext personal document to generate document fragments. A private document key (PDK) may be applied to the plaintext personal document and/or the document fragments to generate an encrypted personal document comprising the encrypted personal document and/or encrypted document fragments. As used herein, a PDK may refer to a value provided by a designated authority as an encryption key used to protect the content of the personal document. The PDK may be generated using any known asymmetric (e.g., public-key encryption) or symmetric (e.g., password-based encryption) cryptographic method. In at least one example, the PDK differs from both the PTK and the PIK. The encrypted personal document may then be processed for export to server device 220, which concludes the document encryption path.
Query receiving module 206 may be configured to receive or generate a plaintext query for one or more personal documents. For example, query receiving module 206 may include or interface with a user interface that provides an input area for submitting a query. Query processing module 208 may be configured to use the plaintext query to generate a plaintext query digest of metadata and terms. The PTK may be applied to the plaintext query digest to generate an opaque query digest. In some aspects, the PTK applied to the plaintext query digest is the same PTK that was applied to the plaintext document digest. The opaque query digest may then be processed for export to server device 220.
Result processing module 210 may be configured to receive and process the opaque ranked query results and the encrypted personal documents. For example, result processing module 210 may apply the PTK to the opaque ranked query results to produce plaintext ranked query results. In some aspects, the PTK applied to the opaque ranked query results is the same PTK that was applied to the plaintext document digest and the plaintext query digest. Result processing module 210 may also apply the PDK to the encrypted personal documents to produce plaintext documents and/or plaintext document fragments. In some aspects, the PDK applied to the encrypted personal documents is the same PDK that was applied to the plaintext personal documents and/or document fragments. The plaintext ranked query results and the plaintext personal documents and/or document fragments may then be combined into ranked plaintext search results. In one example, the ranked plaintext search results may be ranked according to one or more criteria such as content, relevance, size or date.
Server device 220 may include an ingestion module 222, an index search module 224 and a document retrieval module 226, each of which may have one or more additional components. Ingestion module 222 may be configured to receive and process information from encryption module 204, such as the encrypted opaque document digest, the PIK and the encrypted personal document. In some aspects, ingestion module 222 performs operations along one or more processing paths. For example, ingestion module 222 may perform operations along a document indexing path and a document storage path.
In an example, the document indexing path may include applying the received PIK to the received encrypted opaque document digest in order to decrypt it. In some aspects, the resulting opaque document digest may be aggregated with other opaque document digests previously received from client device 200 to form a collection of opaque document digests. An index generation operation may be performed on the opaque document digest or on the collection of opaque document digests to build the personal search index. The personal search index may include an opaque word index built from sentences, sequences of alphanumeric characters, or tokens within the opaque document digests.
The document storage path may include ingestion module 222 interacting with a storage management utility. For example, ingestion module 222 may use a storage management service running on server device 220 to store the encrypted personal document in a data repository. In some aspects, the storage management service and the data repository may reside on server device 220. In other aspects, one or more of the storage management service and the data repository may reside on a separate server accessible to server device 220.
Index search module 224 may be configured to receive and process information from query processing module 208, such as the opaque query digest. For example, index search module 224 may use the received opaque query digest to search the personal search index, which includes the opaque word index. Searching the personal search index may produce ranked query results comprising the top search results found. In some aspects, the ranked query results may include an ordered list of opaque search results and opaque document fragments. In such aspects, the opaque search results and opaque document fragments may then be processed for export to client device 200.
In other aspects, the ranked query results may include an ordered list of opaque search results but not the opaque document fragments. In such aspects, document retrieval module 226 may be configured to retrieve the encrypted personal documents from the data repository. For example, the opaque search results may be provided to the storage management utility, which may search the data repository for encrypted documents and/or document fragments having data (e.g., strings, words, characters, tokens, etc.) that matches the data in the opaque search results. The encrypted documents and/or document fragments retrieved from the data repository may then be processed for export to client device 200.
图3至图8示出了与如本文所述的用于云服务的隐私增强的个人搜索索引相关联的各种处理流程。在各方面中,方法300-800可以由诸如图1的系统100之类的示例性系统执行。在示例中,方法300-800可以在包括被配置为存储和执行操作、程序或指令的至少一个处理器的设备上被执行。然而,方法300-800不限于这样的示例。在其他示例中,方法300-800可以在用于提供推荐的应用或服务上被执行。在至少一个示例中,可以由分布式网络的一个或多个组件(例如,web服务/分布式网络服务(例如,云服务))来执行方法300-800(例如,计算机实现的操作)以利用索引搜索和生成和加密的文档处理。Figures 3 to 8 illustrate various processing flows associated with privacy-enhanced personal search indexes for cloud services as described herein. In various aspects, methods 300-800 can be performed by an exemplary system such as system 100 of Figure 1. In an example, methods 300-800 can be performed on a device comprising at least one processor configured to store and execute operations, programs, or instructions. However, methods 300-800 are not limited to such examples. In other examples, methods 300-800 can be performed on an application or service for providing recommendations. In at least one example, methods 300-800 (e.g., computer-implemented operations) can be performed by one or more components of a distributed network (e.g., web services/distributed network services (e.g., cloud services)) to utilize indexed search and generated and encrypted document processing.
FIG. 3 shows an example method of processing a document for use with a privacy-enhanced personal search index for cloud services as described herein. Exemplary method 300 begins at operation 302, where a document may be generated. In some aspects, the document is a plaintext personal document created or received using an application on a client device. In one example, the client device may represent a trusted environment, such that the document is accessible only to its author or to a group of privileged users. Those skilled in the art will recognize, however, that the operations described herein are applicable to trusted, partially trusted and untrusted environments. The client device may generate one or more privacy keys (e.g., the PTK, PIK and PDK) before or after receiving the plaintext personal document. Alternatively, the client device may receive one or more of the privacy keys from a trusted third-party certificate authority.
In operation 304, an opaque document digest may be created. In an example, the plaintext personal document is provided to a process that performs a document understanding operation. In some aspects, the process follows a path such as a document understanding path. As used herein, document understanding may refer to a semantic analysis of a document that extracts human-understandable information and encodes that information into a machine-readable form. The document understanding operation may include using the plaintext personal document to generate a plaintext document digest of metadata and terms, applying the PTK to the plaintext document digest to generate an opaque document digest, and applying the PIK to the opaque document digest to generate an encrypted opaque document digest.
In operation 306, an encrypted personal document may be created. In an example, the plaintext personal document is provided to a process that performs a document encryption operation. The document encryption operation may include generating plaintext document fragments from the plaintext personal document and applying the PDK to the plaintext personal document and/or the plaintext document fragments to generate an encrypted personal document. Operations 304 and 306 may be performed sequentially or in parallel.
In operation 308, the encrypted opaque document digest, the PIK used to encrypt the opaque document digest, and the encrypted personal document are transmitted from the trusted environment of the client device to the partially trusted environment of the server device. In various aspects, the PTK and the PDK remain within the client device. In addition, no plaintext (e.g., documents, digests, queries, etc.) is transmitted to the server device.
FIG. 4A illustrates an example method 400 for creating an encrypted opaque document digest as described herein. Exemplary method 400 begins at operation 402, where a plaintext document digest may be generated using a plaintext personal document. In some aspects, generating the plaintext document digest includes parsing the plaintext personal document into a plurality of plaintext index terms and associated plaintext metadata. The parsing operation may be performed by software located on the client device that generates or receives the plaintext personal document, or by software located within another trusted environment. The plaintext index terms and metadata may be combined and/or organized into a digest file.
In operation 404, an opaque document digest may be generated from the plaintext personal document. In an example, the PTK may be generated or received by the client device. The PTK is operable to perform a data transformation operation on a set of data values. The data transformation operation may include mapping data elements or values from a source data format to a destination data format, recording any transformations that may occur, generating code that performs the recorded transformations, and executing the transformation code. In one particular example, executing the transformation code may include creating tokens that represent data elements from the source data format. In some aspects, any document digest to which the PTK is applied will share a common data transformation, such that the basic term frequency-inverse document frequency (TF-IDF) ranking is preserved for the files (e.g., document digests, query digests). As used herein, TF-IDF may refer to a numerical statistic or weighting factor intended to reflect the importance of a word in a document or in a collection of documents. The PTK may be applied to the plaintext personal document to generate the opaque document digest. In various aspects, the PTK may not be transmitted from the client device.
In operation 406, an encrypted opaque document digest may be generated from the opaque document digest. In an example, the PIK may be generated or received by a processing device such as the client device. The PIK may be operable to perform an encryption operation on one or more documents. An encryption operation generally includes converting ordinary information (e.g., plaintext) into text that is not human-readable (e.g., ciphertext). Methods for encrypting files and documents are well known to those skilled in the art and will not be described in detail in this disclosure. The PIK may be applied to the opaque document digest to generate the encrypted opaque document digest. In some aspects, the PIK may be transmitted together with the encrypted opaque document digest to one or more untrusted or partially trusted server devices. Encrypting the opaque document digest may prevent statistical attacks based on bulk access to the opaque terms and metadata.
FIG. 4B illustrates an example method 420 for creating an encrypted document and document fragments as described herein. Exemplary method 420 begins at operation 422, where plaintext document fragments may be generated using the plaintext personal document. In an example, a document fragment may be a file created by analyzing the plaintext personal document and extracting various portions, strings, and/or metadata. In one particular aspect, a document fragment may include the document title, a brief description of the document, the name of the document author, the first three sentences of the document, the document type, a preview image of the document, and the like.
In operation 424, an encrypted personal document may be generated. In some examples, the PDK may be generated or received by the client device. The PDK may be operable to perform an encryption operation on one or more documents. An encryption operation generally includes converting ordinary information into text that is not human-readable (e.g., ciphertext). The PDK may be applied to the plaintext personal document and/or the document fragments to generate the encrypted personal document. In various aspects, the PDK may not be transmitted from the client device. In an example, although the PDK and the PIK may share similarities (e.g., both are encryption-based keys) and the PDK and the PTK may share similarities (e.g., neither key is transmitted from the client device), the PTK, the PIK, and the PDK are separate and/or different keys.
FIG. 5 illustrates an example method 500 for constructing a privacy-enhanced personal search index for a distributed network service as described herein. Exemplary method 500 begins at operation 502, where an encrypted document, an encrypted opaque document digest, and a PIK may be received by a component of a server device of a cloud service system. The server device may represent an untrusted or partially trusted environment, such that the document is not accessible to the server device or to users of the server device. The encrypted document may include an encrypted personal document and encrypted document fragments.
In operation 504, a personal search index may be created. In an example, the encrypted opaque document digest and the PIK used to encrypt it may be provided to a process that facilitates document indexing. As used herein, document indexing may refer to classifying documents by terms or symbols in order to describe and/or summarize the subject matter of the documents. The process may include decrypting the encrypted opaque document digest using the PIK and optionally aggregating the decrypted opaque document digest with other opaque document digests to generate a collection of opaque document digests. In some aspects, the other opaque document digests may have been previously received from the client device. For example, the other opaque document digests may be associated with a particular user or user account on the client device. In other aspects, the other opaque document digests may have been previously received from various client devices associated with a particular user, user account, or group account. The process may further include indexing the collection of opaque document digests to create opaque terms and/or symbols. The opaque terms and/or symbols may then be used to construct the personal search index. In some aspects, the personal search index may include only information associated with a particular client device or with a particular user account. Operation 504 proceeds to end operation 508.
In operation 506, the received encrypted document may be stored. In an example, the server device may communicate with a storage management utility. The storage management utility may facilitate storing the encrypted document in one or more data repositories. In various aspects, the storage management utility may be located on the server device, on another component of the cloud service system, or on a computing device accessible to the cloud service system. The data repositories may be co-located with the storage management utility, located separately from the storage management utility, or distributed among various server devices. In at least one example, a data repository may be a personal document storage space accessible only to the document author, a group of privileged viewers, or a group of privileged users of the server device. Operation 506 proceeds to end operation 508.
FIG. 6 illustrates an example method 600 for processing a query against encrypted documents for use with a privacy-enhanced personal search index for a distributed network service as described herein. Exemplary method 600 begins at operation 602, where a client device may receive or generate a search query for documents stored by a cloud service on a server device. In various aspects, the query may be received or generated in cleartext or plain text. In one particular aspect, the query is generated on a client device that is different from the client device used to transmit the searched documents to the server device.
In operation 604, a plaintext query digest may be generated using the plaintext query. In various aspects, the plaintext query may be analyzed and parsed to extract plaintext query terms and/or metadata. The analysis and parsing operations may be performed by software located on the client device or by software located within another trusted environment. The plaintext query terms and metadata may be combined and/or organized into a digest file, such as a plaintext query digest file.
In operation 606, an opaque query digest may be generated. In an example, the PTK may be generated or received by the client device. The PTK may be operable to perform a data transformation operation on a set of data values, as discussed above with respect to FIG. 4. The PTK may be applied to the plaintext query document to generate the opaque query digest. In some aspects, the PTK applied to the plaintext query digest may be the same PTK that was applied to the plaintext document digests of one or more of the searched documents.
In operation 608, the encrypted opaque query digest is transmitted from the trusted environment of the client device to the partially trusted or untrusted environment of the server device. In various aspects, the PTK used to encrypt the opaque query digest may remain within the client device. In such aspects, plaintext information from the client device may not be transmitted to or exposed to the queried server device.
FIG. 7 illustrates an example method 700 for retrieving encrypted documents using a privacy-enhanced personal search index for a distributed network service as described herein. Exemplary method 700 begins at operation 702, where an opaque query digest may be received by a component of a server device of a distributed network system (e.g., a cloud service system). The server device may represent an untrusted or partially trusted environment, such that the opaque query digest may not be accessible to the server device or to users of the server device.
In operation 704, opaque query results may be generated. In an example, the content of the opaque query digest may be analyzed and used as input for searching the personal search index. The personal search index may include opaque data from previously received opaque document digests. In some aspects, the personal search index may further include encrypted document fragments from one or more encrypted personal documents. Searching the personal search index may produce opaque query results, which may be ranked according to criteria such as relevance, document age, document size, user profile information, and the like. In various aspects, the opaque query results may include opaque document names and/or identifiers. In one aspect, the opaque query results may alternatively or additionally include encrypted document fragments. In such aspects, where the document store may be removed from the query workflow, the flow proceeds to operation 708.
In optional operation 706, a data repository may be searched for encrypted personal documents. In an example, the opaque query results may be provided to the storage management utility. The storage management utility may analyze the opaque query results in order to search the data repository for encrypted personal documents and/or document fragments having data (e.g., strings, words, characters, tokens, etc.) that matches the data in the opaque query results. Documents found in the data repository may be processed for export to the client device.
In operation 708, the opaque query results, the encrypted personal documents, and the encrypted document fragments, or some combination thereof, may be transmitted from the partially trusted or untrusted environment of the server device to the trusted environment of the client device.
FIG. 8 illustrates an example method 800 for generating plaintext search results using a privacy-enhanced personal search index for a distributed network service as described herein. Exemplary method 800 begins at operation 802, where query result information may be received by a component of a client device. The query result information may include opaque query results, encrypted personal documents, and encrypted document fragments.
In operation 804, the opaque query results may be transformed. In an example, the opaque query results may be transformed into plaintext query results using a PTK accessible to the client device. This PTK may be the same PTK that was applied to the plaintext document digests and the plaintext query digest as described in FIG. 4A. Operations 802 and 804 may be performed sequentially or in parallel.
In operation 806, the encrypted documents may be decrypted. In an example, the encrypted personal documents and/or the encrypted document fragments may be decrypted using a PDK accessible to the client device. In some aspects, the PDK applied to decrypt the encrypted personal documents may be the same PDK that was applied to the plaintext personal documents and/or document fragments as described in FIG. 4B.
In optional operation 808, the personal documents are ranked. In an example, the ranking process may be associated with the client device. The ranking process may apply the plaintext query results together with the plaintext personal documents and/or the plaintext document fragments. In some aspects, the plaintext personal documents may be ranked according to several criteria (e.g., document content, description, age, size, rarity), such that the most relevant documents may be placed higher in the results list or may otherwise be depicted graphically in a different manner from less relevant documents.
In operation 810, ranked plaintext search results may be generated. In some examples, the ranking process described in operation 808 may produce a file that includes the ranked query results. This file may then be matched with the corresponding documents or document fragments referenced in the file to create the ranked plaintext search results. In other examples, when ranking operation 808 is not performed, the plaintext query results may be applied to the plaintext personal documents and/or plaintext document fragments, thereby generating the plaintext search results. The plaintext search results may not be ranked in any particular order. In various aspects, the plaintext search results may include the plaintext documents and/or document fragments (or links thereto).
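The flow of methods 300 through 800 (client-side digest and encryption, server-side indexing over opaque terms, opaque query, client-side decryption and ranking) as an added, runnable sketch; this is example code written for this page, not code from the patent or its assignee. Two stand-ins are assumed, because the patent leaves the PTK transform and the encryption method unspecified: HMAC-SHA256 plays the PTK (a deterministic keyed mapping, so equal plaintext terms map to equal opaque tokens and the TF-IDF ranking of operation 404 is preserved), and a small HMAC-based stream cipher with an authentication tag plays the PIK/PDK encryption in place of a real AEAD such as AES-GCM. The sample documents, the `CloudServer` and `Client` classes, and the `demo` helper are all constructed for the example.

```python
"""Added example (not the patent's code): PTK/PIK/PDK flow for a privacy-enhanced search index."""
import hashlib
import hmac
import json
import math
import os
import re
from collections import Counter, defaultdict


def ptk_transform(ptk: bytes, term: str) -> str:
    """PTK stand-in (assumption): keyed, deterministic term -> opaque token mapping.
    Same key + same term always gives the same token, so term counts and
    therefore TF-IDF survive; without the PTK the server cannot invert a token."""
    return hmac.new(ptk, term.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one privacy key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, data: bytes) -> bytes:
    """Demo stand-in for an AEAD (assumption): nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")  # tampered or wrong key
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tokenize(text: str) -> list:
    return re.findall(r"[a-z0-9]+", text.lower())


class CloudServer:
    """Partially trusted side (methods 500 and 700): sees only opaque tokens and ciphertext."""

    def __init__(self):
        self.postings = defaultdict(dict)  # opaque term -> {opaque doc id: count}
        self.doc_len = {}                  # opaque doc id -> number of opaque terms
        self.store = {}                    # opaque doc id -> encrypted personal document

    def ingest(self, enc_opaque_digest: bytes, pik: bytes, enc_doc: bytes) -> None:
        digest = json.loads(decrypt(pik, enc_opaque_digest))  # operation 504: PIK decrypts
        oid = digest["id"]
        for term, count in Counter(digest["terms"]).items():
            self.postings[term][oid] = count
        self.doc_len[oid] = len(digest["terms"])
        self.store[oid] = enc_doc                              # operation 506: store ciphertext

    def search(self, opaque_query: dict) -> list:
        """Operation 704: TF-IDF over opaque terms -> [(opaque id, score, encrypted doc)]."""
        n_docs, scores = len(self.doc_len), defaultdict(float)
        for term in set(opaque_query["terms"]):
            posting = self.postings.get(term, {})
            if not posting:
                continue
            idf = math.log((1 + n_docs) / (1 + len(posting))) + 1
            for oid, count in posting.items():
                scores[oid] += (count / self.doc_len[oid]) * idf
        ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
        return [(oid, score, self.store[oid]) for oid, score in ranked]  # operation 708


class Client:
    """Trusted side: holds PTK and PDK; only the PIK ever leaves the device."""

    def __init__(self):
        self.ptk, self.pik, self.pdk = os.urandom(32), os.urandom(32), os.urandom(32)

    def upload(self, server: CloudServer, doc_id: str, text: str) -> None:
        terms = tokenize(text)                                                  # operation 402
        opaque = {"id": ptk_transform(self.ptk, doc_id),
                  "terms": [ptk_transform(self.ptk, t) for t in terms]}         # operation 404
        enc_digest = encrypt(self.pik, json.dumps(opaque).encode())            # operation 406
        enc_doc = encrypt(self.pdk, json.dumps({"id": doc_id, "text": text}).encode())  # 424
        server.ingest(enc_digest, self.pik, enc_doc)                           # operation 308

    def search(self, server: CloudServer, query: str) -> list:
        opaque_query = {"terms": [ptk_transform(self.ptk, t) for t in tokenize(query)]}  # 604-606
        results = []
        for _oid, score, enc_doc in server.search(opaque_query):
            doc = json.loads(decrypt(self.pdk, enc_doc))                       # operation 806
            results.append((doc["id"], round(score, 4), doc["text"]))
        return results


DOCS = {  # constructed sample documents
    "memo-1": "quarterly budget review for the finance team",
    "memo-2": "team lunch menu and budget for the offsite",
    "memo-3": "vacation policy reminder",
}


def demo() -> list:
    client, server = Client(), CloudServer()
    for doc_id, text in DOCS.items():
        client.upload(server, doc_id, text)
    return client.search(server, "finance budget")


def server_sees_plaintext(server: CloudServer, needle: str = "budget") -> bool:
    """Check for the privacy property: no plaintext term is present in the server index."""
    return any(needle in term for term in server.postings)


if __name__ == "__main__":
    for doc_id, score, text in demo():
        print(doc_id, score, text)
```

Running `demo()` returns `memo-1` first (it matches both query terms) and `memo-2` second; `memo-3` is never returned. The server index holds only HMAC tokens, which `server_sees_plaintext` confirms; a `PTK` that rotates per upload would break the shared transformation the patent relies on, which is why the same key is applied to every digest and query.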
FIG. 9 to FIG. 11 and the associated descriptions provide a discussion of various operating environments in which examples of the present invention may be practiced. However, the devices and systems illustrated and discussed with respect to FIG. 9 to FIG. 11 are for purposes of example and illustration, and are not limiting of the large number of computing device configurations that may be used to practice the examples of the invention described herein.
FIG. 9 is a block diagram illustrating the physical components of a computing device 902, for example components of a system that may be used to practice examples of the present disclosure. The computing device components described below may be applicable to the computing devices described above. In a basic configuration, computing device 902 may include at least one processing unit 904 and a system memory 906. Depending on the configuration and type of computing device, system memory 906 may include, but is not limited to, volatile memory (e.g., random access memory), non-volatile memory (e.g., read-only memory), flash memory, or any combination of such memories. System memory 906 may include an operating system 907 and one or more program modules 908 suitable for running software applications 920 such as applications 928, an IO manager 924, and other utilities 926. As an example, system memory 906 may store instructions for execution. As another example, other examples of system memory 906 may be components such as knowledge resources or a pool of learned programs. Operating system 907, for example, may be suitable for controlling the operation of computing device 902. Furthermore, examples of the invention may be practiced in conjunction with a graphics library, other operating systems, or any other application, and are not limited to any particular application or system. This basic configuration is illustrated in FIG. 9 by those components within dashed line 922. Computing device 902 may have additional features or functionality. For example, computing device 902 may also include additional data storage devices (removable and/or non-removable), such as, for example, magnetic disks, optical disks, or tape. Such additional storage is illustrated in FIG. 9 by removable storage device 909 and non-removable storage device 910.
As stated above, a number of program modules and data files may be stored in system memory 906. While executing on processing unit 904, program modules 908 (e.g., applications 928, input/output (I/O) manager 924, and other utilities 926) may perform processes including, but not limited to, one or more of the stages of the method 400 of operations illustrated in FIG. 4, for example. Other program modules that may be used in accordance with examples of the invention may include e-mail and contacts applications, word processing applications, spreadsheet applications, database applications, slide presentation applications, input recognition applications, drawing or computer-aided applications, and the like.
Furthermore, examples of the invention may be practiced in an electrical circuit comprising discrete electronic elements, packaged or integrated electronic chips containing logic gates, a circuit utilizing a microprocessor, or on a single chip containing electronic elements or microprocessors. For example, examples of the invention may be practiced via a system on a chip (SOC) where each or many of the components illustrated in FIG. 9 may be integrated onto a single integrated circuit. Such an SOC device may include one or more processing units, graphics units, communications units, system virtualization units, and various application functionality, all of which are integrated (or "burned") onto the chip substrate as a single integrated circuit. When operating via an SOC, the functionality described herein may be operated via application-specific logic integrated with other components of computing device 902 on the single integrated circuit (chip). Examples of the disclosure may also be practiced using other technologies capable of performing logical operations such as, for example, AND, OR, and NOT, including but not limited to mechanical, optical, fluidic, and quantum technologies. In addition, examples of the invention may be practiced within a general-purpose computer or in any other circuits or systems.
Computing device 902 may also have one or more input devices 912 such as a keyboard, a mouse, a pen, a sound input device, a device for voice input/recognition, a touch input device, and the like. One or more output devices 914 such as a display, speakers, a printer, and the like may also be included. The aforementioned devices are examples, and others may be used. Computing device 904 may include one or more communication connections 916 allowing communication with other computing devices 918. Examples of suitable communication connections 916 include, but are not limited to, RF transmitter, receiver, and/or transceiver circuitry; universal serial bus (USB), parallel, and/or serial ports.
The term computer-readable media as used herein may include computer storage media. Computer storage media may include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer-readable instructions, data structures, or program modules. System memory 906, removable storage device 909, and non-removable storage device 910 are all examples of computer storage media (i.e., memory storage). Computer storage media may include RAM, ROM, electrically erasable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other article of manufacture which can be used to store information and which can be accessed by computing device 902. Any such computer storage media may be part of computing device 902. Computer storage media does not include a carrier wave or other propagated or modulated data signal.
Communication media may be embodied by computer-readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and includes any information delivery media. The term "modulated data signal" may describe a signal that has one or more characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), infrared, and other wireless media.
FIG. 10A and FIG. 10B illustrate a mobile computing device 1000, for example a mobile telephone, a smart phone, a personal digital assistant, a tablet personal computer, a laptop computer, and the like, with which examples of the invention may be practiced. For example, mobile computing device 1000 may be implemented as system 100, and components of system 100 may be configured to execute processing methods as described in FIG. 4 and other examples. With reference to FIG. 10A, an example of a mobile computing device 1000 for implementing the examples is illustrated. In a basic configuration, mobile computing device 1000 is a handheld computer having both input elements and output elements. Mobile computing device 1000 typically includes a display 1005 and one or more input buttons 1010 that allow the user to enter information into mobile computing device 1000. Display 1005 of mobile computing device 1000 may also function as an input device (e.g., a touch screen display). If included, an optional side input element 1015 allows further user input. Side input element 1015 may be a rotary switch, a button, or any other type of manual input element. In alternative examples, mobile computing device 1000 may have more or fewer input elements. For example, display 1005 may not be a touch screen in some examples. In yet another alternative example, mobile computing device 1000 is a portable telephone system, such as a cellular telephone. Mobile computing device 1000 may also include an optional keypad 1035. Optional keypad 1035 may be a physical keypad or a "soft" keypad generated on the touch screen display. In various examples, the output elements include display 1005 for showing a graphical user interface (GUI), a visual indicator 1020 (e.g., a light emitting diode), and/or an audio transducer 1025 (e.g., a speaker). In some examples, mobile computing device 1000 incorporates a vibration transducer for providing the user with tactile feedback. In yet another example, mobile computing device 1000 incorporates input and/or output ports, such as an audio input (e.g., a microphone jack), an audio output (e.g., a headphone jack), and a video output (e.g., an HDMI port), for sending signals to or receiving signals from an external device.
Figure 10B is a block diagram illustrating the architecture of one example of a mobile computing device. That is, the mobile computing device 1000 can incorporate a system (i.e., an architecture) 1002 to implement some examples. In an example, the system 1002 is implemented as a "smart phone" capable of running one or more applications (e.g., a browser, e-mail, input processing, a calendar, a contact manager, a messaging client, games, and a media client/player). In some examples, the system 1002 is integrated as a computing device, such as an integrated personal digital assistant (PDA) and wireless phone.
One or more application programs 1066 can be loaded into the memory 1062 and run on or in association with the operating system 1064. Examples of application programs include phone dialer programs, e-mail programs, personal information management (PIM) programs, word processing programs, spreadsheet programs, Internet browser programs, messaging programs, and the like. The system 1002 also includes a non-volatile storage area 1068 within the memory 1062. The non-volatile storage area 1068 can be used to store persistent information that should not be lost if the system 1002 is powered down. The application programs 1066 can use and store information in the non-volatile storage area 1068, such as e-mail or other messages used by an e-mail application. A synchronization application (not shown) also resides on the system 1002 and is programmed to interact with a corresponding synchronization application residing on a host computer, so as to keep the information stored in the non-volatile storage area 1068 synchronized with the corresponding information stored at the host computer. As should be appreciated, other applications may be loaded into the memory 1062 and run on the mobile computing device 1000, including the applications 928, the IO manager 924, and the other utilities 926 described herein.
The system 1002 has a power supply 1070, which can be implemented as one or more batteries. The power supply 1070 can also include an external power source, such as an AC adapter or a powered docking cradle that supplements or recharges the batteries.
The system 1002 may include a peripheral device port 1078 that performs the function of facilitating a connection between the system 1002 and one or more peripheral devices. Transmissions to and from the peripheral device port 1072 are conducted under the control of the operating system 1064. In other words, communications received by the peripheral device port 1078 can be propagated to the application programs 1066 via the operating system 1064, and vice versa.
The system 1002 may also include a radio 1072 that performs the function of transmitting and receiving radio frequency communications. The radio 1072 facilitates wireless connectivity between the system 1002 and the "outside world" via a communications carrier or service provider. Transmissions to and from the radio 1072 are conducted under the control of the operating system 1064. In other words, communications received by the radio 1072 can be propagated to the application programs 1066 via the operating system 1064, and vice versa.
The visual indicator 1020 can be used to provide visual notifications, and/or the audio interface 1074 can be used to produce audible notifications via the audio transducer 1025. In the illustrated example, the visual indicator 1020 is a light emitting diode (LED) and the audio transducer 1025 is a speaker. These devices can be directly coupled to the power supply 1070 so that, when activated, they remain on for the duration dictated by the notification mechanism even though the processor 1060 and other components might be shut down to conserve battery power. The LED can be programmed to remain on indefinitely until the user takes action to indicate the powered-on status of the device. The audio interface 1074 is used to provide audible signals to, and receive audible signals from, the user. For example, in addition to being coupled to the audio transducer 1025, the audio interface 1074 can also be coupled to a microphone to receive audible input, such as to facilitate a telephone conversation. According to examples of the present invention, the microphone can also serve as an audio sensor to facilitate control of notifications, as will be described below. The system 1002 may also include a video interface 1076 that enables operation of an onboard camera 1030 to record still images, video streams, and the like.
The mobile computing device 1000 implementing the system 1002 may have additional features or functionality. For example, the mobile computing device 1000 may also include additional data storage devices (removable and/or non-removable), such as magnetic disks, optical disks, or tape. Such additional storage is illustrated in Figure 10B by the non-volatile storage area 1068.
Data/information generated or captured by the mobile computing device 1000 and stored via the system 1002 may be stored locally on the mobile computing device 1000, as described above, or the data may be stored on any number of storage media that can be accessed via the radio 1072 or via a wired connection between the mobile computing device 1000 and a separate computing device associated with the mobile computing device 1000 (e.g., a server computer in a distributed computing network such as the Internet). As should be appreciated, such data/information may be accessed via the mobile computing device 1000, via the radio 1072, or via a distributed computing network. Similarly, such data/information may be readily transferred between computing devices for storage and use according to well-known data/information transfer and storage means, including e-mail and collaborative data/information sharing systems.
Figure 11 shows one example of the architecture of a system for providing an application, as described above, that reliably accesses target data on a storage system and handles communication failures to one or more client devices. Target data accessed, interacted with, or edited in association with the applications 928, the IO manager 924, the other utilities 926, and storage may be stored in different communication channels or other storage types. For example, various documents may be stored using a directory service 1122, a web portal 1124, a mailbox service 1126, an instant messaging store 1128, or a social networking site 1130, together with the applications 928, the IO manager 924, and the other utilities 926, and the storage system may use any of these types of systems, or the like, for enabling data utilization as described herein. A server 1120 may provide a storage system for use by clients operating on the general computing device 902 and the mobile device 1000 through a network 1115. For example, the network 1115 may comprise the Internet or any other type of local or wide area network, and client nodes may be implemented as a computing device 902 embodied in a personal computer or a tablet computing device, and/or by a mobile computing device 1000 (e.g., a smartphone). Any of these examples of the client computing device 902 or 1000 may obtain content from the store 1116.
Reference throughout this specification to "one example" or "an example" means that a particular described feature, structure, or characteristic is included in at least one example. Thus, usage of such phrases may refer to more than just one example. Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more examples.
However, one skilled in the relevant art will recognize that the examples may be practiced without one or more of these specific details, or with other methods, resources, materials, etc. In other instances, well-known structures, resources, or operations have not been shown or described in detail merely to avoid obscuring aspects of the examples.
While sample examples and applications have been illustrated and described, it is to be understood that the examples are not limited to the precise configuration and resources described above. Various modifications, changes, and variations apparent to those skilled in the art may be made in the arrangement, operation, and details of the methods and systems described herein without departing from the scope of the claimed examples.
Claims (19)
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US14/753,225 | 2015-06-29 | | |
| US14/753,225 US10083315B2 (en) | 2015-06-29 | 2015-06-29 | Privacy enhanced personal search index |
| PCT/US2016/039188 WO2017003842A1 (en) | 2015-06-29 | 2016-06-24 | Privacy enhanced personal search index |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK1246440A1 HK1246440A1 (en) | 2018-09-07 |
| HK1246440B true HK1246440B (en) | 2022-07-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10013574B2 (en) | | Method and apparatus for secure storage and retrieval of encrypted files in public cloud-computing platforms |
| US10833870B2 (en) | | Cryptographic operations in an isolated collection |
| US10223548B2 (en) | | Scrubber to remove personally identifiable information |
| US9197613B2 (en) | | Document processing method and system |
| CN107820614B (en) | | Privacy-enhanced personal search index |
| EP3566415B1 (en) | | Successive cryptographic techniques |
| US11418592B2 (en) | | Uploading user and system data from a source location to a destination location |
| US8769302B2 (en) | | Encrypting data and characterization data that describes valid contents of a column |
| US20180198610A1 (en) | | Partially encrypted conversations via keys on member change |
| US11588635B2 (en) | | Strong resource identity in a cloud hosted system |
| HK1246440B (en) | | Privacy enhanced personal search index |
| NZ737298B2 (en) | | Privacy enhanced personal search index |
| Pervez et al. | | Privacy-aware relevant data access with semantically enriched search queries for untrusted cloud storage services |
| Swathika et al. | | AI-infused cloud storage management: Structured, secure, interactive and efficient retrieval system |
| BR112017024360B1 (en) | | SYSTEM FOR CREATING A PRIVACY ENHANCED PERSONAL SEARCH INDEX |