
WO2001090968A1 - System and method for establishing a secret communication path - Google Patents

System and method for establishing a secret communication path

Info

Publication number
WO2001090968A1
WO2001090968A1 PCT/DK2001/000352 DK0100352W WO0190968A1 WO 2001090968 A1 WO2001090968 A1 WO 2001090968A1 DK 0100352 W DK0100352 W DK 0100352W WO 0190968 A1 WO0190968 A1 WO 0190968A1
Authority
WO
WIPO (PCT)
Prior art keywords
client
legal entity
legal
communication
entity
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/DK2001/000352
Other languages
English (en)
Inventor
Stephan J. Engberg
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Priority to AU2001260087A (patent/AU2001260087A1/en)
Priority to EP01933648A (patent/EP1290599A1/fr)
Publication of WO2001090968A1 (patent/WO2001090968A1/fr)
Priority to US10/302,738 (patent/US20030158960A1/en)
Anticipated expiration
Ceased (current legal status)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/02 Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/06 Buying, selling or leasing transactions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/48 Message addressing, e.g. address format or anonymous messages, aliases
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles

Definitions

  • P3P - a standard pushed by for instance Microsoft - is basically an automatic profile information pusher. It totally fails to handle the basic issue that releasing identifiable information by definition leads to total loss of information control.
  • An object of the present invention is therefore to provide a system that solves this problem such that individuals have full Privacy control over persistent and convenience-rich relationships, restricted only by the minimum requirements for accountability in case of fraud as defined by law.
  • the invention implements a Privacy Infrastructure Platform that provides a solution for privacy enabling communication and secure trade of both electronic and physical goods and services.
  • the invention builds a support for Privacy Enabling the full value chain from the original supplier to the consumer.
  • the invention can support trade across existing standard barriers supporting standard conversion, government reporting and existing and future eCommerce standards such as EDIFACT, OFX, OBI and CBL.
  • the solution is Privacy Enhancing putting the Individual in control.
  • the Individual is free to encrypt content of communication and private data using any encryption technique.
  • the Individual will retain the possibility to stop any further contact with specific companies without these companies having identifiable private information to abuse.
  • the trusted party can reveal the identity of the individual after legal proceedings protecting individual rights which can include anonymous legal representation.
  • the invention establishes an infrastructure for communication, trade and marketing services for Personal Relationship Management and Corporate Customer Relationship Management.
  • the invention builds a service platform for Communities, Auctions and Market Makers combined with a service interface for privacy-enabled Customer Agents and Selling Agents where private information can be made available for analysis under individual control.
  • the invention also provides a solution to reverse the increasing sales/marketing communication pressure on the individual to a Suggestion House where the individual is in control.
  • the Suggestion House structures the pre-purchase phase handling inbound suggestions, requested offers, interest list, wish lists with restricted access, shopping lists and full use of the Privacy Platform Trade services for fulfillment of purchases including anonymous delivery.
  • a communication path could be any path adapted for communication between two legal entities such as between two persons or between a person and an electronic agent of a legal entity such as an Internet shop.
  • examples of such a path are a regular phone line, a mail system, a postal mail delivery, a short-range wireless session involving infrared or other wireless communication protocols, a physical contact in a store, a confirmation request, a payment request, a legal dispute settlement or any internet related communication attempt.
  • a set of communication rules could be a list of logical rules determining whether said communication path should be established, how such a communication path should be established, by whom such a communication path should be established and to whom such a communication path should be established, based on access to actual information related to any of the legal entities, the actual situation, the history leading to the situation, expert or other advice such as a content scanner, or information about the communication path or the communication itself, whether that information is freely given, required or otherwise collected, accessed or evaluated.
  • a set of communication rules further could include information as to providing second legal entity with authentication or profile information related to said communication path and/or first legal entity.
  • a virtual identifier could be a virtual identifier of a company combined with a company only unique identifier, such as a company tax registration number combined with a random, but unique, customer number or a customer chosen nickname.
  • a virtual identifier could also be related to a specific communication channel such as an email-address or a Public digital signature key related to a company-specific pseudonym.
  • a preferred embodiment involves providing a virtual identifier, which equates to establishing an authenticated yet anonymous session in any kind of communication path.
  • a first or second legal entity could be a person acting in any role such as a legally identified person acting as a private individual, an employee acting as a purchaser of a company. It could also be an electronic agent acting on behalf of a legal entity.
  • First legal entity is established with means to remain anonymous to second legal entity even with multiple establishments of any communication path across online and offline channels such as telephone conversations, physical appearance in a shop, package deliveries, payments, interactive internet sessions or email.
  • the second legal entity according to the first aspect of the present invention may be provided with means for obtaining a legal identification of the first legal entity based on the virtual identifier. Further, the means for legal identification may be provided by a third legal entity according to a set of rules agreed between the first legal entity and the third legal entity. Additionally, the means for legal identification may be provided by a third legal entity according to a set of rules determined by a fourth legal entity.
  • the method according to the first aspect of the present invention may further comprise a step of providing the second legal entity with means for associating a first virtual identifier of a first legal entity with previous communication path established with that first legal entity. Further, the second legal entity is provided with means for obtaining information about previous communication path for a first virtual identifier of a first legal entity.
  • the method according to first aspect of the present invention may further comprise a step of providing a second virtual identifier of the second legal entity to the first legal entity, the second legal entity remaining anonymous to the first legal entity.
  • the method according to the first aspect of the present invention may further comprise the step of providing legal identification of the first legal entity to the second legal entity upon request from the first legal entity.
  • the method according to the first aspect of the present invention may further comprise the step of establishing a communication path to the first legal entity in response to receiving a request from the second legal entity.
  • the method according to the first aspect of the present invention may further comprise the step of establishing a communication path in accordance with a second set of communication rules specified by the second legal entity.
  • the method according to the first aspect of the present invention may further comprise the step of establishing a communication path to the second legal entity in accordance with the second set of communication rules in response to receiving a request from the first legal entity.
  • the method according to the first aspect of the present invention may further comprise the step of establishing the communication path between the first legal entity and the second legal entity in response to a request from a third legal entity, the communication path is established in accordance with the first set of communication rules and the second set of communication rules.
  • a communication path according to the first aspect of the present invention may be established between the first legal entity and the third legal entity and wherein another communication path is established between the second legal entity and the third legal entity so as to establish communication between the first legal entity and the second legal entity.
  • the communication path between the first legal entity and the third legal entity may be established in accordance with the first set of communication rules. Further, the communication path between the second legal entity and the third legal entity may be established in accordance with the second set of communication rules.
  • the communication path may be categorised, and the communication path may be established in response to a request, the request comprising a communication path category and a virtual identifier of a legal entity.
  • the communication path may be adapted to transfer information between the first and the second legal entity, and the information may be evaluated based on pre-determined criteria determined by the first legal entity. The selected information may be transferred to a first information carrier based on the evaluation and/or the first set of communication rules.
  • the third legal entity according to the first aspect of the present invention may be provided with a profile of the first legal entity and the third legal entity may be invited to transfer selected information from the first information carrier to a second information carrier based on the profile. Further, the third legal entity may be provided with information about communication path established between a first and a second legal entity and wherein the first legal entity remains anonymous to the third legal entity.
  • a commercial transaction according to the first aspect of the present invention may be established based on information comprised in the first and/or the second information carrier.
  • the communication path according to the first aspect of the present invention may be established between a first legal entity and a second legal entity based on information about previous communication path established with the second legal entity.
  • a preference list of the first legal entity may be created from the information about the communication path.
  • the second legal entity according to the first aspect of the present invention may be provided with a profile of the first legal entity. Further, the third legal entity may confirm the profile, the first legal entity remaining anonymous to the second legal entity. Furthermore, the second legal entity may be provided with means for requesting the profile based on rules defined by the first legal entity. Additionally, the second legal entity is provided the profile by the first legal entity.
  • the method according to the first aspect of the present invention may establish a communication path between a first legal entity and a second legal entity based on information about previous communication path established with the second legal entity.
  • the method according to the first aspect of the present invention may enable a "closed loop control" of communication interactions wherein evaluation of previous interaction can be used e.g. to establish trust e.g. towards a company using the communication path to advertise. If a company behaves maliciously, this information will be available e.g. to potential customers of that company, who may have a filter rule based on the evaluation as part of their communication rules. Another consequence of malicious behaviour is that customers may, as part of their set of communication rules, have a threshold evaluation value for accepting authentication.
  • a third legal entity according to a second aspect of the invention may confirm the existence of a traceable non-repudiable legal commitment of either the first or the second legal entity. Further, the third legal entity may provide proof of existence of the legal commitment.
  • the method according to a second aspect of the invention may further comprise a step of providing the second legal entity with means for associating a first virtual identifier of a first legal entity with previous legal commitments established with that first legal entity. Further, the second legal entity may be provided with means for obtaining information about previous legal commitments for a first virtual identifier of a first legal entity.
  • a legal commitment according to a second aspect of the invention may be established between a first legal entity and a second legal entity based on information about previous legal commitments established with the second legal entity.
  • a third legal entity according to a second aspect of the invention may be provided with information about legal commitments between a first and a second legal entity and the first legal entity may remain anonymous to the third legal entity.
  • the legal commitment according to a second aspect of the invention may comprise performing at least one of the following activities:
  • the first legal entity may remain anonymous to the second legal entity.
  • the second legal entity may remain anonymous to the first legal entity.
  • the first legal entity may transfer a financial instrument to the second legal entity, the first legal entity remaining anonymous to the second legal entity.
  • the first legal entity may transfer a first financial instrument to a third legal entity; upon receipt of said first financial instrument the third legal entity transfers a second financial instrument to the second legal entity, the first legal entity remaining anonymous to the second legal entity.
  • the method according to a second aspect of the invention may further comprise the second legal entity delivering a service to the first legal entity, the second legal entity addressing a virtual identifier of the first legal entity. Further the method may further comprise the steps of: depositing a financial instrument with a third legal entity, the first legal entity ordering a service from the second legal entity, the second legal entity requesting confirmation of payment from the third legal entity, the second legal entity delivering the service addressing the virtual identifier of the first legal entity upon receipt of the confirmation.
  • the addressing the virtual identifier according to a second aspect of the invention may comprise an identifier of the third legal entity, a virtual identifier of the second legal entity, and encrypted: the virtual identifier of the first legal entity, and an identifier of the service.
  • the encrypted identifiers may be decrypted by a key common to the second and third legal entity.
  • the step of delivering according to a second aspect of the invention may comprise the step of: forwarding the service to a fourth legal entity, requesting a physical delivery address from the third entity by means of the fourth legal entity.
  • the method according to the second aspect of the present invention may further comprise the step of the third legal entity providing the physical delivery address to the fourth legal entity according to the first set of communication rules. Further, the step of delivering may further comprise the step of: receiving a receipt acknowledging delivery of the service at the physical address by means of the fourth legal entity. The receipt may comprise a proof of delivery at the physical delivery address. The proof of delivery may be verified by the fourth legal entity.
  • the method according to the second aspect of the present invention may further comprise the step of releasing payment according to a pre-defined set of trade rules.
  • the set of trade rules is agreed between the first and the second legal entity.
  • the step of ordering a service according to the second aspect of the present invention may be performed in a physical or electronic market place, such as an auction, a stock exchange, a community, a trade portal, etc.
  • a third aspect of the invention obtained by a method for commercial transactions between a first legal entity and a second legal entity, wherein a first communication path is established between the first legal entity and a third legal entity and wherein a second communication path is established between the second legal entity and the third legal entity and wherein the first and second communication path is adapted for providing a legal commitment of the first legal entity towards the second legal entity, said legal commitment comprising the steps of:
  • the communication according to the third aspect of the present invention may be between the third and the first legal entity established by a fourth legal entity, the communication path to the first legal entity remaining unknown to the third legal entity. Further, the communication path is established according to the method according to the first aspect of the present invention.
  • the methods according to the first, second or third aspect of the present invention relate to methods for commercial transactions between a first legal entity and a second legal entity, wherein a communication path is established according to the previously mentioned method for communication, and wherein the communication path is adapted for providing a legal commitment of either the first or the second legal entity, the first legal entity remaining anonymous to the second legal entity.
  • Anonymous legal commitments such as a trade of goods or payment for an item
  • the trusted party could e.g. be provided with means for proving existence of an identifiable legal commitment.
  • This could e.g. be a message containing a legal commitment, such as a contract, encrypted using a key shared between the parties of the legal commitment but unknown to the trusted party.
  • the trusted party thus receives a signature from the parties of the legal commitment confirming that they agree to the commitment.
  • the trusted party can confirm the existence of the signed legal commitment to any other entity by providing the encrypted message, e.g. signed by the trusted party on behalf of a client taking part in the legal commitment.
  • the method according to the first, second or third aspect of the present invention relates to methods for commercial transactions between a first legal entity and a second legal entity, wherein a first communication path is established between the first legal entity and a third legal entity and wherein a second communication path is established between the second legal entity and the third legal entity and wherein the first and second communication path is adapted for providing a legal commitment of the first legal entity towards the second legal entity, said legal commitment comprising the steps of: - the first legal entity providing the second legal entity with an identifier,
  • the identifier provided by the first legal entity to the second legal entity could, as an example, be a credit card.
  • a customer e.g. in an internet store or in a restaurant provides a credit card for paying the bill.
  • the restaurant then contacts a credit card verifier for verification of the credit card payment.
  • the credit card verifier establishes a strong authenticated contact with the customer, before returning a confirmation of the payment to the restaurant.
  • the strong authenticated contact session can be an access controlled mobile phone, an internet connection or any other direct way of addressing the customer - even addressing the customer through the restaurant using a previously agreed one-time-only challenge-response sequence.
  • the methods according to the first, second or third aspect of the present invention relate to methods of contacting the customer and may comprise the communication between the third and the first legal entity being established by a fourth legal entity, the communication path to the first legal entity remaining unknown to the third legal entity.
  • the fourth legal entity may, as an example, be a trusted party providing anonymous legal commitments from the client or customer. According to this embodiment, the Internet store, restaurant or similar credit card payment requester is not provided with information that identifies the customer.
  • the commercial transaction could be established by means of the previously described method of communication.
  • a system for establishing a privacy communication channel between a first client and a second client comprising:
  • an authentication unit for communicating through said privacy communication channel with said first client and for providing a first intermediary between said first client and said second client, said authentication unit enabling said first client establishing a first virtual identity having a first virtual communication channel and establishing a rule based communication routing scheme for said privacy communication channel,
  • a trust unit for communicating with said authentication unit through said virtual communication channel providing a second intermediary between said virtual identity of said first client and said second client and for providing storage of first client profile information, and said first client applying said private encryption key for encrypting said profile information so as to enable anonymous communication from said first client to said second client.
  • the authentication unit may further enable the second client for establishing a second virtual identity having a second virtual communication channel and establishing a rule based communication routing scheme for a privacy communication channel between the authentication unit and the second client.
  • the system may further comprise an integration unit for communicating with said second client and for providing said second client an interface to said first virtual identity of said first client.
  • the mobile processing and memory unit according to the fourth aspect of the present invention may comprise SmartCard enabling Zero-knowledge authentication.
  • the general authentication device may comprise:
  • the system according to the fourth aspect of the present invention may further comprise an ID Unit issuing said mobile processing and memory unit for the general authentication device.
  • the ID unit may store identifiable information encrypted by applying a plurality of encryption keys comprising a public key of a legal institution.
  • the system may provide the client with full privacy control of the first client identity and information related to the first client, however the information is subject to basic accountability principles.
  • the authentication unit may enable the first client signing an agreement and authenticate towards a third-party based on a sign-on identity stored in the mobile processing and memory unit. Further, the authentication unit may enable the first client establishing a plurality of virtual identities each having a set of virtual communication channels.
  • the system according to the fourth aspect of the present invention may further comprise a device authentication unit providing a certificate to the general authentication device, so as to authenticate any device and verify the certificate.
  • the trust unit may store relationship information and enable access to the relationship information for the first client and the second client, and may protect the authentication unit from knowledge relating to the virtual identity.
  • the system according to the fourth aspect of the present invention may further comprise a first plurality of general authentication devices, a second plurality of communication channel providers, a third plurality of authentication units, a fourth plurality of trust units, and a fifth plurality of integration units. Further, the system may further comprise a first multiplicity of first clients and a second multiplicity of second clients. Furthermore, the second client may be constituted by a company, a group of companies, a community or any combination thereof.
  • the system according to the fourth aspect of the present invention may enable anonymity of the first client relative to the second client during a bi-directional communication through the authentication unit.
  • the system may enable anonymity of the first client relative to the second client and enable anonymity of the second client relative to the first client during a bi-directional communication through the authentication unit.
  • Full privacy control may be achieved by a principle of establishing continuous relationships only needing a persistent virtual identity, a set of related virtual communication channels and services to manage structured interactions.
  • a number of profile data elements constituting profile information may be attached to any relationships, which number of profile data elements are under the first client's control and may be verifiable by third party and may provide the specific necessary information for relationship convenience for all parties.
  • the system according to the fourth aspect of the present invention, wherein the first client enables access for multiple clients having decryption keys to predefined data elements of the relationship information for the first client. For instance, only some of the multiple clients may have access to data elements containing identifying information, while others have access only to the non-identified profile information.
  • the system might Privacy-enable even Mobile Phones without eliminating the convenience of advanced location-tracking services or preventing police etc. from using same services to investigate crimes.
  • a particular advantage of the system according to the fourth aspect of the present invention is the ability to enter into a two-way anonymous relationship and sign legally binding documents while still eliminating the risk of a man-in-the-middle attack.
  • a primary object of the present invention is to eliminate linkability without individual consent, except for the mentioned minimum access to accountability. Linkability here translates into possible abuse of persistent identifiers, whether related to the client, communication devices or communication channels.
  • a secondary object is to build in damage control in case of linkability.
  • a third object is to ensure convenience and usability, as this is necessary for real-world value of the invention.
  • the first and/or second client may establish a minimum convenience set-up disabling violation of privacy of the client.
  • the first and/or second client may establish a maximum convenience set-up having identified and non-identified relationships incorporated together with privacy communication channels and/or virtual communication channels so as to provide the first and/or second client with full control of communication and relationships with a minimum of linkability.
  • the authenticating unit and the trust unit may be established based on a Proxy including Mapping routers.
  • the privacy communication channel and/or virtual communication channel may be based on separate mapping units, such as an email gateway mapping email addresses, to ensure that no linkable identifiers are present.
  • the system according to the fourth aspect of the present invention may incorporate any features as described with reference to the method according to the first, second or third aspect of the present invention.
  • a general authentication device for establishing a privacy communication channel between a client and an authentication unit, and said general authentication device comprising:
  • a unit reader for connecting a mobile processing and memory unit with the general authentication device
  • a memory space for containing persistent identifier of said general authentication device accessible by said mobile processing and memory unit, and/or said mobile processing and memory unit authenticating the privacy communication channel to the authenticating unit on the basis of the persistent identifier in the memory space.
  • the general authentication device may only be accessible under control by the mobile processing and memory unit.
  • the general authentication device according to the fifth aspect of the present invention may incorporate any features as described with reference to the method according to the first, second or third aspect of the present invention and incorporate any features as described with reference to the system according to the fourth aspect of the present invention.
  • Fig 1 "100 Systems Overview" shows the logical layer structure of an embodiment implementation
  • Fig 2 "200 Central Entities" shows a logical connection diagram between some of the central entities in an embodiment implementation
  • Fig 3 "300 Communication Intermediation" shows an overview of the central principles of communication intermediation in an embodiment implementation
  • Fig 4 "310 Encryption and Intermediation" shows the central logical steps in the session management in an embodiment implementation
  • Fig 5 "320 Establish VID" shows the central steps when establishing a new identity in an embodiment implementation
  • Fig 6 "325 Generate Symkey" shows a principle by which a key shared only between the first and second legal entity can be established without the Trusted Party sheltering the identity of one of the entities knowing the key, in an embodiment implementation
  • Fig 7 "330 Communication Encryption" shows in more detail some of the central session management steps for certain communication paths in an embodiment implementation
  • Fig 8 "340 Inbound Intermediation" shows the main steps in the inbound communication intermediation in an embodiment implementation
  • Fig 9 "345 Outbound Intermediation" shows the main steps of the outbound communication intermediation in an embodiment implementation
  • Fig 10 "350 Privacy Enabling Public Reporting Communication" shows the central steps of public reporting respecting CLIENT anonymity in an embodiment implementation
  • Fig 11 "360 Private Data Storage" shows a high-level logical structuring of the Private Data Storage in an embodiment implementation
  • Fig 12 "400 Traceability Route" shows how traceability can be implemented respecting multiple interests, protecting each entity from fraud even by the other entities in union, in an embodiment implementation
  • Fig 13 "410 Real-world Authentication" shows some of the multiple ways a zero-knowledge authentication can occur in an embodiment implementation, even in offline environments such as a store
  • Fig 14 "420 Anonymous Delivery" shows the central steps in achieving anonymous intermediated delivery of physical goods in an embodiment implementation
  • Fig 15 "450 Securing standard Credit Card Payment" shows how strong authentication can be added to existing standard Credit Card payments in an embodiment implementation
  • Fig 16 "460 Anonymous Credit Card Payments" shows how anonymous strong authentication can be added to Standard Credit Card payments and intermediated in an embodiment implementation
  • Fig 17 "470 Real-world Privacy Trade" shows how anonymous strong authentication can be achieved in a real-world offline situation such as a normal store purchase in an embodiment implementation
  • Fig 18 "500 Privacy Trade Platform" shows the logical structure of a combination of functions in a full-service Privacy Trade Platform in an embodiment implementation
  • Fig 19 "510 Authentication" shows the main steps in the Authenticator in the direct simple authentication procedure in an embodiment implementation
  • Fig 20 "520 Anonymous Signature" shows how a legal commitment can be established anonymously using a Trusted Party in an embodiment implementation
  • Fig 21 "560 Online Privacy Payment Intermediation" shows how the online payment process can be intermediated and privacy enabled in an embodiment implementation
  • Fig 22 "590 Anonymous Secure Trade" shows how secure trade, balancing the release of payment against goods or services, can be implemented in a privacy-respecting manner in an embodiment implementation
  • Fig 23 "600 Community Secure Trade" shows how a secure, privacy-respecting trade process can be supported, even if CLIENT is identified to one entity, by intermediation by a Trusted Party in an embodiment implementation
  • Fig 24 "610 Anonymous Auction" shows how an auction marketplace situation can be supported with secure Privacy-enabled trade processes using a Trusted Party in an embodiment implementation
  • Fig 25 "660 Privacy Enabling OBI Standard Trade Specifications" shows an example of how the full value chain can be supported, secured and privacy enabled by a trusted party using open standard interface specifications in an embodiment implementation
  • Fig 26 "700 Personal Services" shows an example of the outline menu available to CLIENT in a wireless device or online in an embodiment implementation
  • Fig 27 "710 Suggestion House" shows the logical information flows when the Trusted Party supports Privacy-enabled product and service information search in an embodiment implementation
  • Fig 28 "750 Business Services" shows the logical structure of services towards COMPANY in an embodiment implementation
  • Fig 29 "760 Business Services Inbound" shows the logical steps in the improved inbound corporate customer communication process using the trusted party dialog service in an embodiment implementation
  • Fig 30 "770 Business Service Outbound" shows the logical steps in the improved outbound corporate customer communication process using the trusted party dialog service in an embodiment implementation
  • Fig 31 "780 Privacy Care Trust Certificates and Evaluation Service" shows the logical information flows implementing a closed-loop feedback Trust certificate in an embodiment implementation
  • Fig 32 "80 Total System View" shows the preferred embodiment of the system according to the present invention
  • Fig 33 shows the preferred embodiment of a general authentication device of the system according to the present invention
  • the invention implements a third route, between the infomediary and the total atomization of Privacy without the use of a trusted party, by describing a Privacy-Enhancing Trusted Party that does not need to know Private Data.
  • the individual is in full control of his own data unless respect for other trading parties' rights requires special attention, such as traceability in case of fraud. Even in this situation the Trusted Party can reveal identity but not the contents of communication.
  • This patent describes a solution implementing a platform of non-identified secure communication and trade.
  • the platform is open for integration with existing websites, communication and real-world transactions. It establishes the necessary basis for Individuals to interact non-identified both online and offline, transferring detailed personal information over the full customer life-cycle. It creates a platform for intelligent agents analyzing and communicating with CLIENTS without the ability to identify the individual behind the data.
  • This invention is made up of multiple parts. Firstly, a central distributed on-line service acting as a Trusted Party implementation. This online service is separated into, in principle, five layers:
  • Authenticator is a client-side device handling services such as Universal Sign-On, CLIENT anonymization and Identity switching.
  • the Authenticator services depend on the physical device in question.
  • the two primary implementations are Desktop Computer Add-on Software or a mobile wireless device such as a Mobile phone or a PDA.
  • An important task of the Authenticator is to isolate the Authentication identification information from COMPANY. For instance, if the device contains a Biometrics reader, then this device is completely isolated and only accessible for authentication towards TP.
  • COMPANY Side part to be installed at COMPANY devices, providing interface services for COMPANY-CLIENT Relationship Management, trade and agent/communities.
  • This Blacklist is further enhanced if a marking arrangement is in place, either under the TP Brand or as a collaboration with others, with a revocable online indicator at COMPANY websites, shops etc., because (a critical mass of) individuals only deal with suppliers able to prove compliance to Privacy Standards.
  • the Individual is not restricted from operating since he will be able to re-emerge under a new Virtual Identity that cannot be traced to the Identified individual.
  • the Trusted party itself is the most dangerous part in a catastrophe scenario: a) if the central internal security is broken so that someone can impersonate TP, all present and future Identities are violated; b) if TP turns malicious and systematically abuses trust; c) a Big Brother attempt from a government with both skill, brute-force computing power and access to the necessary resources. However, to minimize these risks, central principles and procedures are included and will be continuously updated: a) internal security is built on the guidelines from the open source experts, providing multilevel key generation based on short-term, often rolled signatures, separation of responsibilities and of access to keys and backups, organizational split according to the same guidelines as external, and of course technical protection using firewalls etc.
  • the invention is designed to minimize TP knowledge of content in communication and data, since CLIENT can encrypt using any method desired. Control of the central Identity-VID combination is isolated and separately monitored. On top of this, external inspection mechanisms will be set up.
  • the Government Big Brother attempt is serious. Measures against this include using the national external controlling system access (for instance time-limited key certificates requiring cross-national issuing of certificates) and storing of the central Identity-VID combinations combined with a disaster procedure for primitive deletion.
  • COMPANIES will be able to get more accurate and detailed data from CLIENTS, making true One-to-One customization easier. This will increase the value COMPANY can supply to CLIENT and thus increase potential profits. With the built-in loyalty service COMPANY can now get access to link previous discrete transactions into a full anonymous customer profile and use this for Suggestive Selling, Customer Loyalty Programs and improved Business Intelligence.
  • Encryption is central to Privacy. This invention works on top of standard cryptography, making use of well-established techniques. The basic principle of all cryptographic security is NOT to keep methods secret but to rely only on the secrecy of keys. This invention makes use of tested vendors and open source tools for cryptography.
  • Symmetric encryption is when two parties share a common key used for both encryption and decryption. Fast and generally accepted secure methods are available for symmetric encryption for key sizes large enough.
  • This invention makes heavy use of symmetric encryption and therefore the functions below are described.
  • Hash functions: for multiple purposes One-Way hash functions are used to generate a summary of a data block. Hash functions are designed so that it is computationally infeasible to generate a message that produces a specific hash value. In parallel to this, hash functions are also designed so that it is computationally infeasible to find two inputs that generate the same hash value [NIST FIPS 180-1].
  • Hash functions are referred to as H (ClearText)
  • Asymmetric encryption covers processes where a key pair is used: what one key encrypts, the other key is needed to decrypt. This is advantageous because one part of the key pair can be kept private, accessible only to the owner.
  • the other part of the key pair - the public key - is published in for instance X.500 or X.509 tables together with identifiable or pseudonymous information.
  • This invention makes heavy use of reversible asymmetric encryption and therefore the functions below are defined:
  • Dec (Cleartext, key) and Enc (Cleartext, symmetric key) are, respectively, the reversible asymmetric decryption and encryption algorithms using key to decrypt or encrypt Cleartext.
  • the corresponding one-way Hash value of the document is encrypted with the Private key.
  • the recalculated hash value of the assumed document is compared to the signature decrypted using the public key. If they do not match, then this document was not signed by the private key that produced the forwarded signature.
  • One special advantage of this procedure is that the integrity of the document is verified simultaneously. If the document has been changed, then its hash value will also change and the signature no longer holds.
  • Dec(Sign(ClearText, Private Key), Public Key) = H(ClearText)
  • a digital signature is an attachment to a document and can as such be removed from the document. A digital signature without the original document is not usable.
  • the Master Key is used to sign the public key of a new set of keys.
  • the new set of keys is then used as temporary signature or encryption keys traceable to the master key.
  • the main advantage being that the temporary keys can be revoked or periodically rolled without having to replace the Master Key. This can be done in multiple layers depending on importance. Large commercial systems work with hourly replaced server keys in a multi-layer structure with increasing intervals between key replacements.
  • B proves to A that he is B in a PKI scenario.
  • B has now proven to A that he is B because he has access to B.Pr (B's secret key), without exchanging any identifiable information.
  • A challenges B with a one-time-only challenge number; B looks up the related one-time-only response and replies with this number. B has now proven to A that he is B without exchanging any identifiable information.
  • A has now established authentication of B.
  • Both the encrypted and non-encrypted versions can be repeated to establish a two-way zero-knowledge authentication.
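The signature check Dec(Sign(ClearText, Pr), Pu) = H(ClearText), the master key certifying a short-lived key that is rolled without replacing the master, and the challenge/response in which B proves access to B.Pr are all the same few operations on one key pair. The block below is an added illustration, not code from the patent: it uses textbook RSA over two fixed Mersenne primes and no padding (constructed parameters, chosen so the example is deterministic and runs instantly), standing in for the "tested vendors and open source tools" the text refers to. Names such as `certify_temp_key` and `make_challenge` are this example's own.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed demonstration parameters: textbook RSA over two fixed Mersenne
# primes (about a 150-bit modulus, no padding). This is a teaching stand-in for
# the standard cryptographic tools the text refers to, not a secure scheme.
DEFAULT_P, DEFAULT_Q = 2**61 - 1, 2**89 - 1
PUBLIC_EXPONENT = 65537


@dataclass(frozen=True)
class KeyPair:
    n: int
    e: int
    d: int

    @property
    def public(self):
        """Pu = (n, e); the private key Pr is the whole object, which holds d."""
        return (self.n, self.e)


def generate_keypair(p=DEFAULT_P, q=DEFAULT_Q, e=PUBLIC_EXPONENT):
    """Derive (Pu, Pr) from two primes. Fixed primes keep the example deterministic."""
    phi = (p - 1) * (q - 1)
    return KeyPair(n=p * q, e=e, d=pow(e, -1, phi))


def H(cleartext: bytes, n: int) -> int:
    """One-way hash H(ClearText), reduced so that it fits under the modulus n."""
    return int.from_bytes(hashlib.sha256(cleartext).digest(), "big") % n


def sign(cleartext: bytes, priv: KeyPair) -> int:
    """Sign(ClearText, Private Key): the hash value is 'encrypted' with Pr."""
    return pow(H(cleartext, priv.n), priv.d, priv.n)


def verify(cleartext: bytes, signature: int, pub) -> bool:
    """Dec(Sign(ClearText, Pr), Pu) == H(ClearText). A changed document changes
    its hash, so the same comparison verifies integrity."""
    n, e = pub
    return pow(signature, e, n) == H(cleartext, n)


# --- Master key certifying a temporary key (rollover without replacing the master) ---

def _temp_key_statement(temp_pub, valid_until: int) -> bytes:
    n, e = temp_pub
    return f"temp-key:{n}:{e}:valid-until:{valid_until}".encode()


def certify_temp_key(temp_pub, valid_until: int, master: KeyPair) -> int:
    """The Master Key signs the public key of a new, short-lived key pair."""
    return sign(_temp_key_statement(temp_pub, valid_until), master)


def verify_temp_key(temp_pub, valid_until: int, cert: int, master_pub, now: int) -> bool:
    """Accept the temporary key only if it traces to the master and has not rolled over."""
    return now < valid_until and verify(_temp_key_statement(temp_pub, valid_until), cert, master_pub)


# --- Challenge/response: B proves access to B.Pr without sending anything identifying ---

def make_challenge(b_pub):
    """A: pick a one-time number and encrypt it with B.Pu. Returns (number, challenge)."""
    n, e = b_pub
    nonce = secrets.randbelow(n - 2) + 1
    return nonce, pow(nonce, e, n)


def answer_challenge(challenge: int, b_priv: KeyPair) -> int:
    """B: decrypt with B.Pr and return the clear number."""
    return pow(challenge, b_priv.d, b_priv.n)


def check_response(nonce: int, response: int) -> bool:
    """A: B is authenticated exactly when the returned number matches."""
    return nonce == response
```

Running the exchange twice with the roles swapped gives the two-way variant the text mentions; nothing identifying crosses the wire in either direction, only a random number and its encryption.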
  • a list of numbers or number pairs can be generated at both sides using a shared algorithm and seed values combined with a shared secret value. This can be built into SmartCards etc. so that they are portable and non-accessible before use, and new numbers can be created anonymously and with zero-knowledge communication with TP.
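The non-encrypted variant above relies on both sides holding the same list of one-time (challenge, response) pairs. As an added example, not taken from the patent, the block below derives such a list on both sides from a shared secret and a seed with HMAC-SHA-256 (the "shared algorithm" is this example's choice), then lets a verifier hand out each challenge exactly once and refuse replays. The `Verifier` and `Prover` names and the 8-hex-digit number length are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed example: both sides derive the same list of (challenge, response)
# pairs from a shared secret plus a seed. Only the number pair travels on the
# wire, never the secret, so the exchange carries no identifying information.


def generate_onetime_pairs(shared_secret: bytes, seed: bytes, count: int):
    """Shared algorithm + seed + shared secret -> identical list on both sides."""
    pairs = []
    for index in range(count):
        label = seed + index.to_bytes(4, "big")
        challenge = hmac.new(shared_secret, b"challenge:" + label, hashlib.sha256).hexdigest()[:8]
        response = hmac.new(shared_secret, b"response:" + label, hashlib.sha256).hexdigest()[:8]
        pairs.append((challenge, response))
    return pairs


class Verifier:
    """Side A: hands out each challenge once and checks the matching response."""

    def __init__(self, pairs):
        self._pending = list(pairs)   # unused pairs, consumed in order
        self._used = set()

    def remaining(self) -> int:
        return len(self._pending)

    def next_challenge(self) -> str:
        if not self._pending:
            raise RuntimeError("one-time list exhausted; derive a new list")
        return self._pending[0][0]

    def check(self, challenge: str, response: str) -> bool:
        # A replayed (already used) or out-of-order challenge is never accepted.
        if challenge in self._used or not self._pending or self._pending[0][0] != challenge:
            return False
        if not hmac.compare_digest(self._pending[0][1], response):
            return False
        self._used.add(challenge)
        self._pending.pop(0)
        return True


class Prover:
    """Side B (for instance a SmartCard): looks up the one-time response for a challenge."""

    def __init__(self, pairs):
        self._table = dict(pairs)

    def respond(self, challenge: str) -> str:
        return self._table.get(challenge, "")


def authenticate_once(verifier: Verifier, prover: Prover) -> bool:
    """One round: A challenges, B answers from its list, A checks."""
    challenge = verifier.next_challenge()
    return verifier.check(challenge, prover.respond(challenge))
```

Because the list is derived rather than transmitted, a card can be loaded with the seed and secret before issue and a fresh list produced later without any identifying exchange, which is the property the text attributes to SmartCard storage.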
  • An embodiment of this invention uses a combination of asymmetric encryption and Diffie-Hellman to ensure that TP cannot listen in on communication between CLIENT and COMPANY. This works only if one party is identified. Two-way unidentified security without a trusted party is theoretically very difficult, if not impossible, to establish due to the man-in-the-middle attack. Anonymous auction services such as the ones implemented are for this reason very dependent on Trusted Parties.
  • Attribute Certificates are a special type of anonymous certificates where the holder is able to demonstrate to a third party, with zero-knowledge communication, that he holds or does not hold a certain credential.
  • Attribute Certificates can be positive, in terms of an education degree verified by the education institution, or negative, in terms of proving that no major criminal offenses have been committed, verified by the relevant Public authorities.
  • VIDs Virtual Identities
  • a Virtual Identity is a Pseudonym for an individual created for a specific purpose. Using the Trusted Party (TP) an individual can assume a VID to communicate, trade etc. anonymously and under full control of the process.
  • TP Trusted Party
  • a VID covers the range of communication channels and services appropriate to the type of VID.
  • a key element is that a VID can be eliminated without trace, except in the case of fraud or other criminal activity.
  • the core part is thus the principle that any player will either interact with an Identified individual, who will only share limited information, or interact with a virtual but anonymous Identity, about which detailed information is much easier obtainable since risks are greatly reduced.
  • TP Identification TP - Trusted Party - is generally treated as one entity identified by TP Token
  • TP.Pu is the public key of TP, which can be verified in official registers such as X500 or X509.
  • TP is assumed to be multiple virtually, geographically and perhaps organisationally distributed servers. All implementations of CLIENT, COMPANY or other entities include identification of the TP handling the entity. Also, multiple distributed TPs are internally linked virtually, geographically and organisationally in order to appear as one entity externally.
  • CLIENT roles are separated into private roles such as a Family member, Friend, Sports Club Leader and business roles such as Board member, Employee, Corporate Purchaser etc.
  • the main reason for using roles is to establish a structure, overview and services for the Individual.
  • VIDs are based on links into other structures such as a COMPANY Customer Database, with added security and services. They are identified by a COMPANY Token Id and a COMPANY-only unique identifier. This identifier avoids linkage because it is only unique with regard to the specific COMPANY. Authentication is strong between COMPANY and TP. COMPANY has adopted Privacy Trade functions such as Privacy Payments and Privacy Delivery.
  • CLIENT can set up all his existing logins as migration VIDs (e.g. user-id, password and e-mail address for a web-site). These are identified. Authentication is weak, as user-ids and passwords are as today easily violated by third parties. New anonymous VIDs are used to create new registrations in existing setups. They resemble the migration VIDs except that they are anonymous and only based on virtual channels intermediated by TP. Authentication is still weak, as COMPANY's ability to authenticate is the bottleneck. These VIDs can be continued as the primary VID form in case no linkable interaction has taken place. COMPANY can have adopted Privacy Trade in key areas.
  • Identified VIDs are often used in combinations where some identity information is known and other is not. For instance, customer name and address may be known, while communication channels are intermediated for update efficiency and in order to minimize linkability.
  • This type of semi-identified VID is particularly useful for Personal Relations (Friends), Special Online Communities or suppliers where Identity is to be known. Such suppliers can be utilities who by definition have, have to have, or CLIENTS want them to have access to identifiable information, such as Postal services, fixed-line telephone, power, house repair, doctors, hairdressers, dentists etc.
  • One-time trade ID for a one-time only Privacy Trade transaction
  • Delivery Only Outside delivery, no communication enabled
  • each combination of channels can have its own subtype.
  • VID can be Anonymous, Semi- or fully identified with no, selective or full access to Private Data.
  • Communication channels open to a VID and Message filtering is customizable to make VIDs a very flexible setup.
  • very Privacy-concerned individuals can be very closed, without private data available.
  • TP can be used for convenience intermediation alone, without any privacy established. More importantly, the individual can selectively decide which relations belong where in the matrix.
  • RELATIONS such as RELATION (figure 2 reference numeral 100) are a push solution in the sense that CLIENT gives access to their data to another target CLIENT and at the same time can request the target CLIENT to accept a two-way relation.
  • Target CLIENT accepts by choosing a VID to use for the RELATION.
  • If the target CLIENT is previously unknown to TP, the target CLIENT is able to do an initial registration, with a detailed registration to follow, to accept a two-way RELATION.
  • CLIENT controls how much information is revealed to relations using the VID they link from and to. This includes access to Private Data, communication channel set-up in the sense of both intermediation and access in general, filtering etc.
  • a CLIENT can have RELATIONS linked to different VIDs.
  • CLIENT can attach multiple symmetric encryption keys to a RELATION for communication encryption. Keys are encrypted using encryption keys not known to TP. Since RELATIONS are identified, they can use their digital signatures to establish whatever kind of key exchange and encryption method they want. For CLIENT relationships not encrypting communication themselves, TP handles encryption towards third parties as close to CLIENT as possible in the specific channel, as part of the normal TP service.
  • RELATIONS are typically used for linking personal relations like family, friends and business associates, which are the basis of the Personal Address Book service.
  • a special RELATION is a GUARDIAN, which is a parent or other person who is guardian of children.
  • a GUARDIAN RELATION manages, controls, approves and has access to multiple parts of child CLIENT registrations.
  • a CLIENT can create flexible GROUPS.
  • Groups can be nested (figure 2 reference numeral 140). Groups are multipurpose and controlled by CLIENT. They can be used as a simple structuring tool, as communication distribution lists or as the basis for other services like Personal Event Management, Project Team Management etc.
  • Identifiers: central to Privacy are non-linkability and anonymization.
  • the Identifier for a VID or channel can in itself be the source of linkability when used across companies. Identifiers are therefore non-information-carrying.
  • the standard identifier is a combination of <COMPANY-identifier>, <COMPANY-unique identifier for CLIENT>, since this will by definition not be linkable across COMPANIES.
  • An email address in the form <COMPANY id>.<CLIENT id> is traceable.
  • the contact information can be traced to the COMPANY it relates to, without information about CLIENT.
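To make the identifier rule concrete, here is an added example (not code from the patent) of how a TP could mint `<COMPANY id>.<CLIENT id>` addresses whose CLIENT part is unique only within one COMPANY and carries no information. The derivation by keyed hash over a TP-only secret, the 16-hex-digit length and the `tp.example` domain are this example's assumptions; the patent itself leaves open how the COMPANY-unique identifier is produced.

```python
import hashlib
import hmac

# Constructed example of non-information-carrying identifiers. The per-COMPANY
# CLIENT identifier is derived with a key only TP holds, so the same CLIENT gets
# unrelated identifiers at different COMPANIES and only TP can map them back.


class IdentifierMapper:
    """TP side: issues <COMPANY id>.<CLIENT id> identifiers and keeps the mapping."""

    def __init__(self, tp_secret: bytes):
        self._secret = tp_secret
        self._mapping = {}  # (company_id, client_id) -> real CLIENT record key

    def client_identifier(self, company_id: str, client: str) -> str:
        """COMPANY-unique identifier for CLIENT: keyed hash, stable within one COMPANY."""
        tag = hmac.new(self._secret, f"{company_id}|{client}".encode(), hashlib.sha256)
        client_id = tag.hexdigest()[:16]
        self._mapping[(company_id, client_id)] = client
        return client_id

    def virtual_email(self, company_id: str, client: str, domain: str = "tp.example") -> str:
        """Email address of the form <COMPANY id>.<CLIENT id>@<TP domain>."""
        return f"{company_id}.{self.client_identifier(company_id, client)}@{domain}"

    def resolve(self, address: str):
        """Only TP, holding the mapping, can get from an address back to CLIENT."""
        company_id, client_id = split_identifier(address)
        return self._mapping.get((company_id, client_id))


def split_identifier(address: str):
    """Anyone can parse <COMPANY id>.<CLIENT id>; the COMPANY part is meaningful,
    the CLIENT part is opaque. COMPANY ids are assumed not to contain a dot."""
    local = address.split("@", 1)[0]
    company_id, client_id = local.split(".", 1)
    return company_id, client_id


def company_of(address: str) -> str:
    """The contact information traces to the COMPANY it relates to, nothing about CLIENT."""
    return split_identifier(address)[0]


def linkable(address_a: str, address_b: str) -> bool:
    """Two addresses can be linked by an outsider only if their CLIENT parts coincide."""
    return split_identifier(address_a)[1] == split_identifier(address_b)[1]
```

The interesting property is the asymmetry: `company_of` works for anyone holding the address, `resolve` only for the TP holding the secret and the mapping, and two COMPANIES comparing their customer lists see no common identifier.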
  • Rollover is the action that occurs when an outstanding VID is replaced by a new VID in order to minimize the risk of violation. The larger the risk of violation of identity, the more often the VID will be rolled.
  • VIDs used for linkable activities like Internet Surfing, old-fashion Credit Card authentication, Cable Set top box or Mobile Phone anonymization etc. will be rolled according to use in order to minimize the risk of linkage based on the Token Identifier itself (linking a COMPANY A customer to a COMPANY B customer because they use the same Credit Card number).
  • This invention is implementing a Trusted Party for CLIENT to construct virtual
  • TP is also trusted party for anyone interacting with a VID: they must trust that TP knows CLIENT's real identity in case of fraud.
  • the fraud is directed at in the first hand and secondly to protect the individuals whose identity is abused for fraud purposes. Thirdly the trust image of TP needs to be maintained.
  • the individual is far more damaged by the fraud than the COMPANY, since the COMPANY mostly risks losing a smaller amount of money, whereas the individual, being the innocent victim of identity fraud, can spend years trying to unlock the problem, perhaps being denied access to credit, jobs etc.
  • This invention generally works with the basic assumption that initial identification has taken place at least at the level required for creating officially accepted digital signatures or other central papers in the home country of the individual or the country in which the individual trades or communicates.
  • Initial identification is important to be able to establish authentication in daily operation.
  • Several identification methods will be used in parallel in order to make Identity fraud as close to impossible as practically achievable.
  • the more methods of identification, channel verification, RELATION verification, existing identified interactions etc. are used, the more difficult it will be for an individual to defraud everything and the higher the chance that the real individual will be informed in case of attempted identity theft.
  • One important aspect of identification is to ensure that in case of fraud a verified picture is obtainable because pictures are usable for investigations of electronic fraud.
  • Non-CLIENT is used for CLIENT's own registrations of relations in the Address Book not confirmed by the individual in question. Not-identified is for registered CLIENTs not satisfying sufficient criteria to be considered Identified. When classified as Identified, absolute identification with traceability is established. In addition to this, a special One-time-Only is used for Community and portal services where TP is acting as temporary trusted party for a non-CLIENT customer trade.
  • Biometrics, working with recognition of unique or close to unique bodily characteristics such as fingerprints, iris, DNA etc., are expected to grow. Fingerprints have been used for many years. DNA is growing as evidence in courtrooms and for paternity cases.
  • Biometrics are excellent for authentication and especially for the mobile Authenticator. Iris and Fingerprint readers are already available for ordinary desktop computers such as Windows. Fingerprint readers are being built into Smart Cards etc. A central task for the TP CLIENT services is to make use of biometrics while at the same time isolating the Biometrics reading devices from COMPANY.
  • Biometrics are very usable for initial identification. If a case of Identity fraud is discovered, only Biometrics are both very likely to free the victim (the real individual) and to provide the criminal investigators with material to recognise the offender.
  • a bank transfer from a Customer Account contains detailed information as to the identity of the account owner. Since the account owner has been through a strong authentication to establish the account and again to transfer money, a match between registration information and information from the bank account is close to strong authentication.
  • CLIENT to show that he has access to the channel.
  • a simple way to do this is the one-time-only key pair with challenge and response, or just a keyword or number to pass when channel authentication is done.
  • This authentication scheme is used to cross authenticate Communication Channels thereby linking them to CLIENT. Depending on national conditions this can be improved by using electronic means for confirming encourageon integrity in for instance phone book etc.
  • Tools for setting up the basic CLIENT-ROLE-VID structure which includes linking physical communication channels to the basic ROLEs and VIDs and creation of a starting Access Control Filter and basic routing controls.
  • TP will establish a symmetric encryption key between TP and COMPANY for message encryption - CompanyKey.
  • Communication Channels verification - Related to the identified COMPANY are the different communication channels such as Physical Address, Telephone, Fax, Email, Internet-address, bank-account etc. These channels are cross-authenticated to establish an initial link to COMPANY.
  • the structure of Communication channels will evolve as purpose and COMPANY Customer responsibilities are built into the structure facilitating the interaction between COMPANY and CLIENT.
  • One important Communication Channel is the payment channel.
  • By default TP will set up an internal account for COMPANY, which COMPANY can address and transfer money to wherever. Payment to this account shall be considered legal payment for CLIENT.
  • a Privacy Payment is always implementable as two separate payment instructions.
  • the Delivery Channel is also central. From the outset this can be done through the virtual address, but for the interaction with CLIENT to operate best, COMPANY will need to integrate the Delivery procedure into COMPANY logistics in order to provide CLIENT with relevant information in the delivery process. Before this integration, the virtual process-specific delivery address can be constructed by TP in the trade process.
  • the process of integration involves a COMPANY side service to facilitate communication services and to integrate the Privacy Trade Platform services into CRM and ERP systems.
  • the Communication Channel set-up will be augmented with an eCRM service modelling the internal COMPANY service functions such as Support, Sales,
  • the eCRM services involves an integration with COMPANY Customer
  • a part of this is the online access control, where a Privacy Server supplies authentication of Virtual Identities at the Customer's website.
  • the Privacy Server is integrated to maintain part of the Corporate Customer Database. For inbound and outbound communication and trade, the Privacy Server can interact with COMPANY internal communication and trade systems to support the ongoing relationship between CLIENT and COMPANY. This includes authentication and establishment of outbound Communication paths based on generic information only (CLIENT internal id, channel type depending on the type of communication, and optionally additional information to improve the CLIENT inbound access control procedure).
  • VID Virtual Identity
  • COMPANY and CLIENT are in the following assumed known to TP. If COMPANY is not known, then this procedure will be augmented by a TP customer care support process helping CLIENT to identify and model the COMPANY customer registration and authentication procedures and to provide the needed information for registration.
  • TP is able to prove that VID belongs to CLIENT in case of fraud.
  • CLIENT establishes an anonymous identity towards a relation under full CLIENT control.
  • Contents of communication can be private from TP because a symmetric encryption key SYMKEY has been exchanged with COMPANY without revealing this to TP.
  • COMPANY establishes a new customer relationship with CLIENT, together with trade and communication support according to the wishes of the customer, a Customer-specific encryption key SYMKEY and a signature from TP confirming knowledge of the customer identity in case of fraud.
  • COMPANY does not receive any identifiable or linkable information.
  • CLIENT indicates the COMPANY (or other party) he wishes to establish a VID towards.
  • TP creates key pair (Cl.Vir.Pu, Cl.Vir.Pr).
  • the Public Key is forwarded to and signed by CLIENT and the signature is returned to TP.
  • TP then authenticates the VID Public key to COMPANY towards the COMPANY-created Customer Token Id, which will typically be a customer number from the internal COMPANY Customer Relationship Management System. COMPANY is informed of the virtual communication channels open to this VID.
  • This invention works with a secret shared symmetric key SYMKEY to encrypt communication between CLIENT and COMPANY.
  • SYMKEY is treated as if it is reused from session to session; however, SYMKEY can just as well be generated as part of establishing a session, as a session-specific encryption key which is saved together with the communication, encrypted by the public key of CLIENT (Cl.Pu).
  • SYMKEY can be created without revealing this to TP.
  • One embodiment is the straightforward one, where CLIENT creates SYMKEY and encrypts it together with a random challenge text using the Public Key of COMPANY (Co.Pu) and forwards this to COMPANY. Since TP cannot read this message, TP cannot know the SYMKEY. COMPANY verifies by returning the Challenge Text encrypted with SYMKEY. Now CLIENT can verify that the key has been exchanged without TP knowing.
  • Another embodiment with the desired outcome, which does not include transferring the SYMKEY itself, uses a slightly modified Diffie-Hellman protocol, making use of the fact that CLIENT can do a non-TP-controlled verification of the Public Key of COMPANY.
  • COMPANY finishes the modified Diffie-Hellman protocol by generating the key SYMKEY, encrypting a message containing the CLIENT part with SYMKEY and returning this to CLIENT together with the unencrypted COMPANY part of the Diffie-Hellman protocol.
  • CLIENT can now calculate SYMKEY. If CLIENT is not able to reproduce the originally forwarded value ((Agreed Generator)^(CLIENT chosen random) MOD (Agreed large Prime)) when decrypting the message with the SYMKEY CLIENT has calculated, then the protocol has gone wrong, indicating a potential attempt to intercept the communication by TP.
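The modified Diffie-Hellman exchange with the CLIENT-side confirmation check, as an added example that is not part of the patent text. It assumes the RFC 2409 Oakley group 2 parameters as the agreed generator and prime, a constructed XOR stream cipher standing in for a real AEAD, and that COMPANY's part is verified against Co.Pu outside the block.

```python
"""Modified Diffie-Hellman SYMKEY exchange with CLIENT's confirmation check.

Added example, not from the patent text. Assumptions: the RFC 2409 Oakley
group 2 parameters are the "agreed generator" and "agreed large prime";
xor_stream is a constructed stand-in for a real AEAD; verification of
COMPANY's part against Co.Pu, which the text relies on, is outside the block.
"""
import hashlib
import secrets
from typing import Callable, Optional, Tuple

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2  # agreed generator


def derive_symkey(shared: int) -> bytes:
    """SYMKEY is the hash of the shared group element (both sides compute it)."""
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Constructed demo cipher: SHA-256 counter keystream XORed onto data.
    Symmetric, so the same call decrypts. No integrity tag: a real deployment
    would use an AEAD, but the patent's check needs only decrypt-and-compare."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def client_start() -> Tuple[int, int]:
    """CLIENT picks a random exponent a and sends G^a mod P (via TP)."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)


def company_finish(client_part: int) -> Tuple[int, bytes]:
    """COMPANY picks b, derives SYMKEY from client_part^b, and returns its own
    part G^b unencrypted plus the CLIENT part encrypted under SYMKEY."""
    b = secrets.randbelow(P - 2) + 1
    symkey = derive_symkey(pow(client_part, b, P))
    echo = xor_stream(symkey, client_part.to_bytes(128, "big"))
    return pow(G, b, P), echo


def client_complete(a: int, my_part: int, company_part: int,
                    echo: bytes) -> Optional[bytes]:
    """CLIENT derives SYMKEY from company_part^a and decrypts the echo.
    Returns SYMKEY when the echo reproduces the value CLIENT sent; otherwise
    None, which the text treats as a sign that the exchange was intercepted."""
    symkey = derive_symkey(pow(company_part, a, P))
    recovered = int.from_bytes(xor_stream(symkey, echo), "big")
    return symkey if recovered == my_part else None


def run_exchange(relay: Callable[[int], int] = lambda part: part) -> Optional[bytes]:
    """Whole exchange; `relay` models what TP forwards to COMPANY, so the
    default pass-through is an honest TP and any substitution is detected."""
    a, client_part = client_start()
    company_part, echo = company_finish(relay(client_part))
    return client_complete(a, client_part, company_part, echo)
```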
  • Each CLIENT can approve another CLIENT as a personal relationship that TP is permitted/requested to maintain.
  • TP creates the link (figure 2) between the two CLIENT VIDs to handle this.
  • CLIENT communication channel intermediation is still in place, because this is convenient due to channel changes (new phone number, moving etc.) and routing (receiver controlled).
  • Each relation will have a specification of the type (father, friend, etc.) and group. Note that this is a one-way solution.
  • CLIENT A can approve CLIENT B without CLIENT B approving CLIENT A.
  • To create two-way links, two separate relations need to be created.
  • CLIENT can create non-TP Customer RELATION VIDs without a link to the actual CLIENT B this VID is representing.
  • On behalf of CLIENT, TP can contact
  • CLIENT can create groups of relations (figure 2, reference numeral 140). Groups can be nested.
  • VIDs and groups define the interaction options. These include communication channels, access to private data, access control filtering and routing.
  • A business associate is limited to the intermediated business communication channels and business information, with no access to private data, address or communication channels.
  • The VID can have a general SYMKEY for all RELATIONS linked to the specific VID.
  • A RELATION can have a relation-specific SYMKEY, or communication can be based on session keys created and saved in connection with the communication.
  • Establishing SYMKEY works just as well for a CLIENT/CLIENT relationship as for a COMPANY/CLIENT relationship, provided at least one CLIENT or one communication channel is identified.
  • The main issue is to exchange information that TP is not able to access.
  • When two anonymous parties, such as two CLIENTS, want to establish an anonymous relationship, the problem of TP as man-in-the-middle is unresolvable. They can choose to exchange a SYMKEY in unencrypted form or, better, perform a Diffie-Hellman exchange to make it more difficult for TP, but they cannot have any guarantee that TP is not listening in.
  • For each RELATION, CLIENT can maintain a special note space containing preferences (e.g. food and people likes and dislikes, event history, notifications (birthday etc.)).
  • PRIVATE DATA except to confirm the existence of signed documents and to provide a minimum of traceability in case of fraud.
  • TP under this invention has no interest in knowing the contents of communication or trade.
  • Private data is stored in a Privacy Storage attached to the CLIENT, a CLIENT role or a CLIENT identity, by default in encrypted format, using either a CLIENT-generated symmetric key or the form of anonymous attribute certificates [S. A. Brands, 1999 PhD thesis, later published as "Rethinking Public Key Infrastructures and Digital Certificates", MIT Press, 2000, ISBN 0-262-02491-8].
  • Decryption keys are stored either CLIENT-side or together with the data, in encrypted form using the public part of the CLIENT digital signature.
  • The CLIENT is able to produce additional symmetric or asymmetric encryption keys for the data storage, change the encryption, and add, move or remove any attribute data according to the CLIENT privacy wishes.
  • The CLIENT can attach specific attributes in a form that can be decrypted by TP in secure mode on request by a COMPANY for customization purposes. Requesting other attributes will by definition require active acceptance from CLIENT. If CLIENT accepts, the attributes can be stored together with the VID in question for documentation, or as a generally changed privacy profile.
  • Negative credentials are often a question from COMPANYs. In order to show anonymously that one has not been to prison etc., attribute certificates are central.
  • When CLIENT approves someone to access private data, CLIENT creates a new symmetric key, selects the attributes to be stored encrypted with this new key and forwards the key to the COMPANY or AGENT that is allowed access. CLIENT (automatically) informs TP, by linking the attribute to the relevant VID or role, that COMPANY can access the attribute, so TP can control access without knowing the contents.
  • Private data is stored in the most appropriate data format, with or without an identifier for convenience.
  • The default format is assumed to be XML.
  • Attached to the private data is a metadata description of what the piece of data contains, together with links to data definitions.
  • The INVOICE AGENT is the only agent that can access invoice data.
  • The INVOICE AGENT has no external communication and can only report findings back to the invoice recommendations part of the CLIENT Suggestion House.
  • CLIENT can give other agents access to the invoice recommendations part, but not to the invoice data itself.
  • CLIENT authenticates towards TP, and TP handles authentication towards the specific COMPANY.
  • The base level of security is extended to a given COMPANY, building a general security service limited only by the COMPANY's ability to integrate. Given the security problems with simple login/password solutions, COMPANY has a strong incentive to move to an integrated authentication solution.
  • TP maintains a database of specific VIDs (both anonymous and identified) and the information needed to authenticate the VID towards COMPANY. This includes the necessary login information, passwords, digital signatures and COMPANY-specific communication rules.
  • The client-side part of TP implements a single sign-on procedure, so that CLIENT first authenticates towards TP and from there chooses actions (the sequence can vary depending on channel and situation) without any need to re-authenticate.
  • CLIENT can use the IdentitySwitcher to change from one VID to another VID/COMPANY.
  • TP uses the original authentication and carries out an auto-authentication using the new VID.
  • A central specific embodiment of this is a portal solution, e.g. WAP-based, where the CLIENT menus are dynamically created based on the CLIENT's registered VIDs, with automatic sign-on/authentication of the VID towards COMPANY.
  • The VID can be supplied with information about profile and wishes from the Private Data Storage controlled by CLIENT.
  • This profile information can include an anonymous proof of creditworthiness, a credential such as a formal educational degree, or an anonymous proof of the absence of a negative credential such as a criminal record or outstanding debts.
  • One embodiment includes an XML-format collection of parameters, encrypted according to the structure of roles and VIDs and manageable by TP only by reference, not by access to contents.
  • The central authentication for this invention makes use of different forms of authentication.
  • The central tool is an Authenticator in the form of a portable wireless device, such as a WAP mobile phone able to access a SmartCard/SIM card, either installed or via a mobile reader.
  • Using infrared or other local communication protocols such as Bluetooth to communicate with computers or in-store communication tools, or the built-in access to the wireless network, this device covers all general-purpose authentication.
  • The basic technology is known and almost a commodity product, for example the Ericsson mobile phone R320s.
  • The SmartCard is able to carry out simple encryption functions: 1) asymmetrically encrypting small pieces of data for zero-knowledge authentication and authorization.
  • Biometrics such as a fingerprint reader, PIN codes or other methods.
  • The SmartCard does not contain the identified digital signature of CLIENT (the CLIENT private key).
  • Prior to use, CLIENT has used his digital signature to sign, towards TP, the public key of a key pair unique to the SmartCard. Signatures have to be confirmed by TP to be traceable to CLIENT through a VID. This means that if the SmartCard is stolen or otherwise compromised, the SmartCard key can be revoked by TP with minimum damage.
  • The authentication procedure sequence towards TP is channel dependent, e.g. some channels will require cross-authentication while others do not. This applies specifically in connection with the migration services, where for instance standard credit card payments are implemented in a strong authentication/verification solution.
  • The authentication procedure can be complex, including post-verification in a later session of a previous weak authentication (which will locate problems and initiate a fraud investigation).
  • A more interesting complexity in the authentication procedure is the incorporation of a general Procura principle, using principles known from workflow systems. This is directly relevant if CLIENT is a COMPANY or for COMPANY integration, but the same principle is also very useful in non-company situations.
  • A parent has to co-authenticate child authentications; this can be done in real time or in advance by a set of rules.
  • Thresholds can be set according to a price maximum over which a spouse or legal guardian has to co-authenticate.
  • A weak channel can require co-authentication in another weak channel and thus be considered strong, e.g. a weak web authentication combined with a return phone call to a previously agreed telephone number to cross-authenticate.
  • Manually by CLIENT. From the outset this can mean CLIENT entering a one-time-only identity key hinting at his identity.
  • TP responds with a challenge number related to a one-time-only key pair and in return gets the related response. This procedure does not require any special electronics at either CLIENT or COMPANY. It only requires CLIENT to have interacted with TP prior to the authentication procedure to receive the one-time-only keys in advance.
  • Messages can be signed and sessions/other channels can be cross-authenticated.
  • Actions A10 and A20 are the standard authentication procedure, where CLIENT first authenticates towards TP, either online or through a mobile authenticator. TP then authenticates CLIENT towards COMPANY.
  • An example of this is when CLIENT accesses his list of existing VIDs and chooses one related to an online shop. The online shop thereby gets an anonymous customer relationship, linkable over multiple interactions, which is valuable for building continuity into the service. Measurements, preferences, purchases etc. can all be taken into consideration when dealing with CLIENT.
  • Actions B10 and B40 cover the situation where CLIENT has no direct link to TP.
  • CLIENT authenticates zero-knowledge towards TP through a COMPANY link with TP, and then TP authenticates the correct related VID towards COMPANY.
  • An example of this is a physical grocery store where CLIENT interacts with TP through a mobile device with an infrared communication link to in-store communication points.
  • The authentication procedure can work through an in-store computer with a standard Internet browser.
  • CLIENT gets a transaction code from COMPANY and enters this number in connection with the authentication procedure.
  • TP can then forward the related VID identifier together with the transaction code through any communication channel, such as encrypted email.
  • Actions C10 and C40 cover the situation where COMPANY itself has no direct contact with TP.
  • A fourth party authenticates towards TP in the transaction verification process to get a transaction confirmation.
  • An example of this is credit card payments combined with a strong authentication procedure implemented through the card verifier.
  • Action E10 covers the case where an initial authentication is re-used to authenticate towards a new fifth partner. This can be done either by COMPANY or by TP intermediating the relationship between COMPANY and the fifth partner. Examples of this are an online news service requiring payment, or a new introduction in this invention in the form of a TP-intermediated purchase directly from a supplier using B2B trade standards.
Privacy Trade Platform
  • The Privacy Trade Platform is a generic collection of services on top of the Virtual
  • The range of services covers a full customer life cycle, from communication to one-time-only purchases, signing of agreements, purchasing and delivering electronic and physical goods, returning goods and anonymous dispute arbitration.
  • Figure 18 shows the entire Privacy Trade Platform with interfaces to important services.
  • Reference numerals 10 to 30 cover the core Virtual Identity services.
  • Reference numerals 40 to 120 cover the full range of services necessary to trade online and in the real world.
  • Reference numeral 130 is the services that enable CLIENTs to let third party
  • Reference numeral 140 is the special area to which all selling suggestions are directed.
  • Reference numerals 150 and 160 cover a fully hosted virtual shopping facility where agent suggestions are converted into transactions according to open trading standards such as Open Buying on the Internet (www.openbuy.org), with the necessary modifications to support privacy.
  • Agents interface with one Virtual Identity whereas the supplier sees another, in order to minimize linkage.
  • Reference numeral 170 covers the privacy-enabled Customer Relationship Management business services, supporting the build-up of the virtual relationship between supplier and CLIENT under full CLIENT control.
  • Enabling legally binding commitments in an anonymous trade system is the key.
  • The simplest solution would be based on a power of attorney to TP from CLIENT.
  • TP can then sign using the Virtual Identity signature (Cl.Vir.Pr) on behalf of CLIENT. This would, however, open up for TP fraud towards CLIENT, and for TP the risk of CLIENT accusing TP of fraud. These problems can be handled by agreement.
  • The central problem of TP needing to know the contents of the legally binding commitments is in line with a privacy priority.
  • CLIENT creates a new set of signature keys (Cl.Pr and Cl.Pu). CLIENT keeps the private key Cl.Pr, which is not revealed to anyone else. CLIENT signs the public key Cl.Pu with either a nationally implemented digital signature (DS.Pr) or by other traditional means. The public key Cl.Pu and the signed public key Sign(Cl.Pu, DS.Pr) are forwarded to TP. TP can now prove, non-repudiably by CLIENT, that anything signed by Cl.Pr is signed by and only by CLIENT, without anyone else being able to identify CLIENT. This principle is a technically well-known set-up implemented in PKI standards.
  • CLIENT is protected from escrow systems, where the certificate authority can create copies of the CLIENT private signature key. Even if the national standard is based on escrow systems, CLIENT can establish privacy.
  • The server handling CLIENT identity anonymisation can be located outside the national borders of the CLIENT's nationality.
  • As a general principle, the implementation of CLIENT identity anonymisation is dynamic, so that identification information can be moved from one server to another server in another country if the situation so requires. This can for instance be the situation if military coups or other non-democratic developments are expected or feared.
  • TP creates a new set of signature keys (Cl.Vir.Pr and Cl.Vir.Pu). TP keeps the private key Cl.Vir.Pr, which is not revealed to anyone else.
  • The public key Cl.Vir.Pu is forwarded to CLIENT.
  • CLIENT signs the public key with his private signature key, Sign(Cl.Vir.Pu, Cl.Pr), and returns this to TP.
  • TP signs the combination of the public key of the virtual identity and the public key of COMPANY, Sign(Cl.Vir.Pu + Co.Pu, TP.Pr), and forwards this together with the public key of the virtual identity and the public key of COMPANY to CLIENT.
  • CLIENT signs the same combination, Sign(Cl.Vir.Pu + Co.Pu, Cl.Pr), and returns this to TP.
  • The signature Sign(Cl.Vir.Pu, Cl.Pr) or Sign(Cl.Vir.Pu + Co.Pu, Cl.Pr) establishes a provable route between the virtual identity and CLIENT that is non-repudiable by CLIENT.
  • TP is not able to use the same virtual identity towards multiple CLIENTS, because the first CLIENT decides the symmetric encryption key SYMKEY and forwards this to COMPANY. If SYMKEY is used for encryption, only CLIENT will be able to decrypt messages from COMPANY.
  • CLIENT can sign any message non-repudiably with his signature private key Cl.Pr. TP cannot forge the CLIENT signature because TP does not know Cl.Pr. Only TP can verify this signature using Cl.Pu, because only TP knows the link between Cl.Pr and DS.Pu; TP can provide this proof of link.
  • When TP has in its possession a message signed by Cl.Pr, TP can sign the same message using the private key of the virtual identity, Cl.Vir.Pr. TP will be able to provide the message signed by CLIENT and therefore does not need to know the contents of the message. CLIENT cannot forge the signature of the virtual identity because only TP knows the private key of the virtual identity, Cl.Vir.Pr.
  • TP cannot create and sign messages on the CLIENT's behalf. If messages are not encrypted and TP signs a message to COMPANY without having a CLIENT signature, then TP is responsible towards COMPANY. COMPANY will thus have a legal counterpart in any deal, even though COMPANY does not know whom, unless the identity is freely revealed or legal disputes require revealing of the identity.
  • TP is able to verify that a signed encrypted agreement exists without knowing the contents, and then forward an identical copy signed by the VID to COMPANY. TP is thus verifying that this piece of unknown content is signed unchanged, without knowing what the message is about.
  • A key requisite for this is that CLIENT is IDENTIFIED according to the internal policies of TP.
  • COMPANY generates an agreement that is encrypted with the symmetric key SYMKEY, not known by TP.
  • COMPANY signs the encrypted message and forwards the message to TP (figure 20, reference numeral 100).
  • TP verifies the COMPANY signature and confirms this by signing the message and forwarding the message to the related CLIENT.
  • TP does not know the encryption key SYMKEY, so TP is not able to read the contents (figure 20, reference numeral 110).
  • CLIENT verifies the TP signature (confirming the COMPANY signature) and, after checking the agreement, signs the message and returns the signed message to TP (figure 20, reference numeral 120).
  • TP verifies the CLIENT signature and that the message is identical to the original forwarded by COMPANY.
  • TP now has an encrypted agreement signed by both COMPANY and CLIENT.
  • The encrypted agreement signed by both parties is stored for safekeeping on behalf of both CLIENT and COMPANY.
  • TP strips the CLIENT signature and signs on behalf of CLIENT using the private part of the CLIENT VID, with TP confirming the existence of a signed agreement in safe custody.
  • COMPANY (figure 20, reference numeral 130).
  • COMPANY verifies the signatures of the VID and of TP confirming the existence of an agreement signed by CLIENT.
  • CLIENT signs the public key of the CLIENT VID for verification at the time of creation.
  • TP therefore has a traceable and non-repudiable line of signatures between CLIENT and COMPANY.
  • CLIENT is protected from fraud by TP because TP cannot get the CLIENT signature on the agreement.
  • TP will be responsible towards COMPANY if TP signs an agreement on behalf of CLIENT without having the CLIENT signature in place.
  • TP is protected from fraud by CLIENT and COMPANY in union, because CLIENT does not know the secret key of the CLIENT VID and is not able to generate deliberately fake anonymous signatures, which are only signed by the VID.
  • The anonymous digital signature shown in figure 20 is implemented in a two-way anonymous version between two CLIENTS by replacing step 110 in parallel with step 130, so that TP replaces the new anonymous CLIENT (COMPANY in figure 20) signature with the VID2 signature Cl.Vir.Pr.
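The signature chain of figure 20 (numerals 100 to 130) end to end, as an added example that is not the patent's own code. Schnorr signatures over the RFC 2409 Oakley group 2 stand in for the unspecified signature scheme, and the agreement is a constructed opaque SYMKEY ciphertext that TP never decrypts.

```python
"""Anonymous agreement signature chain of figure 20.

Added example, not from the patent. Signatures are Schnorr signatures over
the RFC 2409 Oakley group 2 (a stand-in: the text names no scheme and the
standard library has no signature primitive). The agreement body is an
opaque SYMKEY ciphertext; CLIENT's decryption and review happen outside.
"""
import hashlib
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
Q = (P - 1) // 2  # prime order of the subgroup generated by G (P is a safe prime)
G = 2

def keygen():
    """Schnorr key pair: (private exponent, public group element)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def _challenge(r: int, msg: bytes) -> int:
    h = hashlib.sha256(r.to_bytes(128, "big") + msg).digest()
    return int.from_bytes(h, "big") % Q

def sign(priv: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    e = _challenge(pow(G, k, P), msg)
    return e, (k - priv * e) % Q

def verify(pub: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = (pow(G, s, P) * pow(pub, e, P)) % P
    return _challenge(r, msg) == e

def company_sign(co_priv: int, encrypted_agreement: bytes) -> dict:
    """Numeral 100: COMPANY signs the SYMKEY-encrypted agreement."""
    return {"body": encrypted_agreement, "co_sig": sign(co_priv, encrypted_agreement)}

def tp_forward_to_client(tp_priv: int, co_pub: int, msg: dict) -> dict:
    """Numeral 110: TP checks COMPANY's signature and countersigns the
    ciphertext; it holds no SYMKEY and never sees the agreement text."""
    if not verify(co_pub, msg["body"], msg["co_sig"]):
        raise ValueError("COMPANY signature does not verify")
    return dict(msg, tp_sig=sign(tp_priv, msg["body"]))

def client_sign(cl_priv: int, tp_pub: int, co_pub: int, msg: dict) -> dict:
    """Numeral 120: CLIENT checks TP's and COMPANY's signatures, reviews the
    agreement with SYMKEY (outside this block) and signs the identical
    ciphertext with Cl.Pr."""
    if not (verify(tp_pub, msg["body"], msg["tp_sig"])
            and verify(co_pub, msg["body"], msg["co_sig"])):
        raise ValueError("upstream signature does not verify")
    return dict(msg, cl_sig=sign(cl_priv, msg["body"]))

def tp_finish(tp_priv: int, vid_priv: int, cl_pub: int,
              original_body: bytes, msg: dict, custody: list) -> dict:
    """TP checks CLIENT's signature and that the body is byte-identical to
    what COMPANY sent, keeps the both-party-signed copy, then (numeral 130)
    strips the CLIENT signature, signs with Cl.Vir.Pr and attests custody."""
    if msg["body"] != original_body or not verify(cl_pub, msg["body"], msg["cl_sig"]):
        raise ValueError("CLIENT signature missing/invalid or body altered")
    custody.append(msg)
    attestation = b"signed copy in custody:" + hashlib.sha256(msg["body"]).digest()
    return {"body": msg["body"], "co_sig": msg["co_sig"],
            "vid_sig": sign(vid_priv, msg["body"]),
            "tp_attest": (attestation, sign(tp_priv, attestation))}

def company_check(vid_pub: int, tp_pub: int, out: dict) -> bool:
    """COMPANY verifies the VID signature and TP's custody attestation."""
    attestation, att_sig = out["tp_attest"]
    return (verify(vid_pub, out["body"], out["vid_sig"])
            and verify(tp_pub, attestation, att_sig)
            and attestation.endswith(hashlib.sha256(out["body"]).digest()))

def run_flow(encrypted_agreement: bytes):
    """Runs figure 20 end to end; returns (COMPANY accepts, custody store)."""
    co_priv, co_pub = keygen()      # Co.Pr / Co.Pu
    tp_priv, tp_pub = keygen()      # TP.Pr / TP.Pu
    cl_priv, cl_pub = keygen()      # Cl.Pr / Cl.Pu; Cl.Pu known only to TP
    vid_priv, vid_pub = keygen()    # Cl.Vir.Pr / Cl.Vir.Pu; private part held by TP
    custody = []
    m100 = company_sign(co_priv, encrypted_agreement)
    m110 = tp_forward_to_client(tp_priv, co_pub, m100)
    m120 = client_sign(cl_priv, tp_pub, co_pub, m110)
    m130 = tp_finish(tp_priv, vid_priv, cl_pub, m100["body"], m120, custody)
    return company_check(vid_pub, tp_pub, m130), custody
```

Because the only key that can produce `vid_sig` is held by TP and the only key that can produce `cl_sig` is held by CLIENT, neither party can manufacture the other's step of the chain.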
  • Payment intermediation involves acceptance by the paying CLIENT of an electronic invoice in a secure and anonymous environment. For one-time-only purchasing of electronic goods this can be done using an electronic equivalent of cash: non-traceable token value certificates of a trusted party such as a bank. But for ongoing relationships, including for instance physical delivery or any form of credit from supplier to purchaser, additional means are advantageous.
  • The payer can decide on multiple payment channels, including a default online account, purpose-restricted currencies, electronic anonymous money, credit card transfers and direct bank account transfers.
  • TP acts as an intermediary between CLIENT and COMPANY with, in principle, two separate payments: one from CLIENT to TP and one from TP to COMPANY.
  • The standard generic solution is for COMPANY to forward an electronic invoice to CLIENT via TP.
  • The electronic invoice contains COMPANY identification information.
  • TP presents this invoice to CLIENT.
  • CLIENT approves this invoice and authorizes payment and payment method in a secure channel.
  • TP confirms payment towards COMPANY.
  • Payment can be against a CLIENT or COMPANY account with TP, or any other means of payment, including electronic cash certificates, account transfers directly against online banking accounts, credit payments, up-front payments, real-time loans etc.
  • TP confirmation of payment towards COMPANY can be optional, so that additional services can be included, such as payment upon privacy delivery, payment upon product verification, CLIENT approval or other agreed criteria.
  • The electronic invoice is in a structured format and is stored in the CLIENT Data Space as documentation of the purchase.
  • COMPANY needs the ability to pass the address back through the value chain to the actual supplier, with the delivery still being traceable to COMPANY.
  • An online clothes store needs to be able to send a delivery request to a custom clothes manufacturer to deliver a customized dress to CLIENT, without the custom clothes manufacturer being able to identify CLIENT or send additional communication to CLIENT.
  • This invention works with an address identifying a) the trusted party, b) the sender (towards the trusted party) and c) reference information combining the CLIENT Token Identifier and shipment information; see figure 14.
  • Co Token Identifier for TP to identify the sender for access control filtering
  • This default address can be used in standard word processors for any manual mailings, such as direct marketing.
  • A new address is created because the shipment info is changed to a transaction or dialog identifier.
  • SHIPPER or another third party thus has no way to construct an address that does not resemble a default, manually time-stamped address. If abused regularly, this address can be renewed, leaving no external access for abuse not involving either SHIPPER or the third party.
  • COMPANY can actively sell the address plus CompanyKey, but in this case COMPANY is punished for any SPAM, since mailings will be traceable to COMPANY and can thus be stopped in the filter process.
  • SHIPPER can anonymously and zero-knowledge identify CLIENT and prove delivery (figure 14, reference numerals 30 to 70) by receiving a) information to challenge CLIENT at the point of delivery and b) data to verify by a cryptographic algorithm that the response is valid.
  • This can be accomplished by generating two random keys R1 and R2.
  • The SHIPPER is informed of the hash result H(R1), a challenge for CLIENT (Enc(R2, Cl.Pu)) and the result of Encs(R1, R2) to verify the response.
  • SHIPPER does not know the identity of CLIENT and therefore does not know Cl.Pu. Cl.Pu is not the published actual digital public signature key of CLIENT but, following the general principle, part of a generated key pair signed by the CLIENT private digital signature key.
  • R1 can be a complex message, and R2 can be chosen according to the CLIENT's means of authenticating.
  • For SHIPPER to prove that he has not generated a fake R1, R2, he saves the entire signed coded message from TP (see figure 5, reference numeral 120).
  • CLIENT can, on top of the intermediated delivery service, add a mail-drop partner, for instance a nearby friend, a nearby shop or a local community-organized drop point. CLIENT will notify this mail-drop partner of (Enc(R2, Cl.Pu) and R2) when expecting shipments. When challenged with Encs(R1, R2), the mail-drop partner can give the solution without knowing the CLIENT secret key (Cl.Pr). This protects against the situation where SHIPPER abuses the trusted relationship and informs COMPANY of the CLIENT identity. However, it adds a level of inconvenience, since CLIENT will not receive the shipment at his house.
  • CLIENT can provide TP with H(R1) and the encrypted parts Enc(R2, Cl.Pu) and Encs(R1, R2) but not R2 itself, or generate the challenge sequence at the time of purchase or dialog. This is built into advanced trade and dialogue solutions.
  • CLIENT can continuously forward combinations of generated keys to TP for this purpose, to avoid being a delaying factor in the costly and sensitive physical distribution process from shipment to delivery.
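The R1/R2 delivery challenge of figure 14, including the mail-drop variant, as an added example that is not from the patent. Hashed ElGamal over the RFC 2409 Oakley group 2 plays Enc(R2, Cl.Pu) and a one-time pad plays Encs(R1, R2); both are constructed stand-ins, since the text names no algorithms, and R1, R2 are 32-byte random values here.

```python
"""Zero-knowledge delivery challenge of figure 14, with the mail-drop variant.

Added example, not the patent's own code. Enc(R2, Cl.Pu) is hashed ElGamal
over the RFC 2409 Oakley group 2 and Encs(R1, R2) is a one-time pad; both are
constructed stand-ins because the text names no algorithms. R1 and R2 are
32-byte random values (the text allows R1 to be a longer message).
"""
import hashlib
import secrets
from typing import Tuple

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def keygen() -> Tuple[int, int]:
    """Key pair (Cl.Pr, Cl.Pu) generated for the VID, not the national DS key."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc_pub(pub: int, data32: bytes) -> Tuple[int, bytes]:
    """Hashed ElGamal: (G^k, data XOR SHA-256(pub^k)); only Cl.Pr can undo it."""
    k = secrets.randbelow(P - 2) + 1
    mask = hashlib.sha256(pow(pub, k, P).to_bytes(128, "big")).digest()
    return pow(G, k, P), _xor(data32, mask)


def dec_priv(priv: int, ct: Tuple[int, bytes]) -> bytes:
    c1, c2 = ct
    mask = hashlib.sha256(pow(c1, priv, P).to_bytes(128, "big")).digest()
    return _xor(c2, mask)


def prepare_shipment(cl_pub: int) -> Tuple[dict, bytes]:
    """TP (or CLIENT in advance, per the text) draws R1, R2 and builds the
    package SHIPPER receives: H(R1), Enc(R2, Cl.Pu) and Encs(R1, R2).
    R2 itself is returned separately and goes only to a mail-drop partner."""
    r1, r2 = secrets.token_bytes(32), secrets.token_bytes(32)
    pack = {"h_r1": hashlib.sha256(r1).digest(),
            "challenge": enc_pub(cl_pub, r2),
            "encs": _xor(r1, r2)}
    return pack, r2


def client_respond(cl_priv: int, pack: dict) -> bytes:
    """At the door CLIENT recovers R2 with Cl.Pr, then R1 from Encs(R1, R2)."""
    r2 = dec_priv(cl_priv, pack["challenge"])
    return _xor(pack["encs"], r2)


def maildrop_respond(r2: bytes, pack: dict) -> bytes:
    """A mail-drop partner that was told R2 answers without ever holding Cl.Pr."""
    return _xor(pack["encs"], r2)


def shipper_verify(pack: dict, response: bytes) -> bool:
    """SHIPPER learns only whether the answer hashes to H(R1): nothing in the
    package identifies CLIENT, and SHIPPER cannot derive R1 without R2."""
    return hashlib.sha256(response).digest() == pack["h_r1"]
```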
  • An embodiment of the present invention comprises a Postal Services move database used for fast redirection of mail and parcels.
  • A further embodiment of the present invention comprises a SHIPPER delivering directly to the CLIENT residence.
Anonymous Internet Letter of Credit
  • A new level of Internet trade security is established by combining a trusted party and anonymization with the dual control of delivery and payment (see figure 22, combining figure 14 showing anonymous delivery and figure 21 showing anonymous payment).
  • Towards CLIENT, TP ensures privacy and non-release of payment until actual delivery and approval of conditions.
  • Towards COMPANY, TP will ensure release of payment when delivery is verified and conditional approvals are met. Conditions can be incorporated so that CLIENT has time to check the goods before the release of payment.
  • Conditions are normally based purely on the time since proof of delivery. If no objection has been raised by CLIENT, payment is released. However, special conditions can be met where CLIENT has to approve the release of payment.
  • CLIENT surfs the COMPANY website and determines what to purchase.
  • An order request (according to OBI or another trade standard) or invoice is forwarded to TP for approval.
  • TP gets CLIENT approval and confirmation of payment. Payment is secured until delivery is confirmed.
  • COMPANY ships the purchased goods according to agreement (reference numeral 420).
  • TP receives the proof of delivery; when the confirmation from the shipper and the conditional terms have been met, payment is released.
  • Additional services can be offered on top of the base service.
  • A simple solution is for the anonymous letter of credit to be extended so that BUYER has time to verify the quality of the goods before release of payment. Terms can be agreed between buyer and seller. One embodiment will include a fixed time before release of payment; unless the buyer objects, payment is released.
  • Another embodiment includes a third-party product verifier in the delivery process, so that buyer and seller have unbiased verification.
  • This invention incorporates privacy enabling of the full value chain back to the originating supplier, with intermediated shipping directly to CLIENT.
  • OBI(TM) Open Buying on the Internet - www.openbuy.org
  • This invention incorporates a Privacy Enabling implementation of open Business to Business specifications.
  • TP will intermediate the transaction including payment, delivery control, warranty and post-delivery service according to the Privacy Trade Platform.
  • TP will act as the Buying Company and CLIENT will be technically be disguised as a employee of the Buying Organization.
  • the Virtual CLIENT Identity can be a one-time-only Identity or a COMPANY known virtual identity according to the purchase background.
  • figure 25 An embodiment according to OBI 2.1 is shown - see figure 25. Please note that figure 25 can have additional suppliers in multi-party Value Chain without changing the basic concept.
  • CLIENT has intention to buy a specific product knowing the product and/or the desired supplier. Acquiring this information can be the result of additional TP services not relevant to the OBI Standard. TP supply CLIENT with the correct VID. CLIENT goes to the selected supplier website and is technically identified by Selling Organization as en employee of TP and presented products and prices according to agreement. CLIENT selects products according to standard shopping methods.
  • TP gets authorization for the order and payment terms from CLIENT and issues a formal order with an Intermediated Delivery Address supplied with the encrypted Shipment Info.
  • COMPANY issues an Electronic Invoice, which is forwarded to TP for payment according to terms and ships the goods.
  • This method can easily be implemented in other parallel B2B trade specifications. Since TP can translate between standards this method also opens for trade across regions with different standard trade specifications so that a European CLIENT can purchase from an American Supplier creating a truly homogenous trade flow for suppliers across segments and standards.
  • CLIENT is identified to the virtual store a one-time-only identity will ensure that collaboration between the store and supplier cannot be linked to other purchases.
  • This invention also incorporates a solution where TP use and supports a third- party broker for locating the cheapest supplier able to supply or the best Product according to Common Business Library Product Catalogue with standard Product Identification and references to suppliers.
  • COMPANY has a right to refuse transfer of ownership, rights and obligation. This is a special case to be handled the parties in between with possible dispute arbitration.
  • COMPANY can issue a special electronic warranty stating clearly what is covered by warranty and how repairs, upgrades etc. should be handled.
  • This electronic document can contain links to the COMPANY web-site for detailed information.
  • CLIENT can at any point show the original electronic invoice regarding the purchase and use this to claim warranty services.
  • CLIENT interacts with supplier using his VID and receives a reference numeral to use for returning the product.
  • CLIENT packages the product and issues the return slip with the reference numeral and ship it using any shipper. In case the shipper have problems or upon reparation returning the product to CLIENT will follow the same procedure as when originally sent (see figure 14 Anonymous Delivery). As his own return address he use the address of the VID with the reference numeral encoded into the address ( ENCS(CLIENT token Identifier + reference numeral, SYMKEY)).
  • A mediation process is provided for criminal investigation, enabling legal representation of non-identified individuals. Under these circumstances a suspicion by the police is not enough for TP to release the Identity of a CLIENT. A judge will have to be involved and the individual informed of the proceedings.
  • TP can and must as a minimum ensure that proper proceedings are in place before releasing an identity.
  • CLIENT must be provided with a lawyer as representation.
  • A special VID of CLIENT is created to interact with his lawyer, so that not even the lawyer knows his identity. If the police fear the crime is of a type that may lead to a possible escape, they can ask to have a lawyer represent the CLIENT without CLIENT's knowledge of the proceedings. This has to be justified towards the judge, and the lawyer will have to contest this violation of CLIENT's right of PRIVACY.
  • TP, the lawyer and the CLIENT (unless he is not informed due to a decision by a judge) can now interact to defend CLIENT's right of non-identification.
  • A Privld Card is a tamper-resistant SMARTCARD containing as a minimum the private key of a VID, the public key of TP and an ability to encrypt. Additionally it can have an internal Clock to time-limit the private key.
  • PIC: Privld Card
  • When entering into agreements or purchases requiring identification, the Privacy Server will act as a guarantor of identification and/or as intermediary in legally binding agreements. Specifically, this also applies when purchasing communication services, making new communication channels anonymous by definition.
  • The Shop Internal Identification can either be transferred from the Privacy Server, using wireless communication units (infrared, mobile etc.), or from the PIC itself. See the Authentication procedure.
  • Special services can be suggested using a variety of different Interactive Communication Channels, for instance special purchase suggestions (a specific item), special services (information support) or individual discounts (based on the full customer knowledge).
  • The Client can have individual pricing on all goods and services, having been virtually identified beforehand.
  • The Client can accept this for payment through a one-time-only verification. This can be done using a request-answer protocol or through alternative interactive channels such as a Mobile Communication Unit. The Supermarket will then receive verification from the Privacy Server that Payment is approved.
  • A technically reduced version of the Privld Card is an anonymized Credit Card featuring only an identifier, an end date, a TP Company name not related to CLIENT and information as to the Card issuer.
  • This anonymized Credit Card can be accompanied by a partnership agreement with Credit Card Verifiers to enable Strong Authentication - see Migration Services Payments. In this version no fraud is possible unless additional traceability has been established in the form of a strongly authenticated authorization.
  • A central solution of this invention is the establishment of a closed-loop customer
  • A Privacy Trust Logo Icon can be located on the COMPANY homepage (figure 31 reference numeral 20). When a new prospective customer of COMPANY looks at the COMPANY website he can look for the Trust logo. In order to prevent abuse by COMPANY, the prospective customer can press the Trust Logo and through a link reach the TP website, where a Trust Certificate is created verifying that COMPANY is abiding by the principles of Privacy both in signature and in actions (figure 31 reference numeral 30).
  • A Trust Certificate requires:
  • Non-CLIENTs of TP can from the Trust Certificate register with TP and get immediate anonymous auto-authentication (figure 31 reference numeral 30).
  • TP CLIENTS authenticating with COMPANY will receive warnings if the Trust Certificate is revoked.
  • The communication intermediation process includes a) catching the communication attempt in a virtual manner, b) identifying involved actors, c) filtering according to setup rules (inbound communication only), d) routing the session according to rules and receiver instructions (inbound communication only) and e) session management to establish and manage the communication. See figure 3.
  • The process of Virtualization requires that communication passes through an active part of TP, where communication is re-addressed and re-packed so that the physically outgoing communication cannot be linked to the virtually incoming communication.
  • The weak spot of virtualization is the physical address not under the control of TP.
  • The Catch Process will in some cases also involve alliances. For instance Delivery, SmartCard, Credit Card etc. all require an active Partner contacting TP in order to obtain the critical information needed to establish a session.
  • CLIENT intermediation requires CLIENT participation (active or passive), and this leaves CLIENT in control. This includes the possibility to bypass TP, whether temporarily for web-surfing or for dealing with relations or suppliers that CLIENT does not want TP to know about.
  • The CLIENT can always log in identified (even with a supplier where CLIENT has a VID-relation), inform relations of the physical channel identifier or establish additional communication channels such as web-mailboxes, ISP dial-ups etc.
  • A central embodiment will be WAP Push Proxy filtering, because the WAP Push service will be misused for SPAM.
  • Privacy enabling Devices such as mobile
  • In catching outbound communication attempts it is important to realise that CLIENT will always be the weak link. It will not be possible for TP to catch all outbound communication attempts, face-to-face communication being the extreme case. CLIENT needs to be mentally aware of the role he chooses when contacting COMPANY. It will hence always be the responsibility of CLIENT not to reveal information which would compromise anonymity. TP will provide services that help minimise these problems.
  • Outbound communication attempts made using TP operated means of communication can be caught in the same way as inbound communication attempts.
  • Communication attempts using non-TP operated means of communication can be supported by providing switching facilities, e.g. a TP dial-in service that can be used to establish contact with a given COMPANY.
  • The CLIENT receiver will by definition be easily identified inbound, as the Token Identifier of the Communication Channel is uniquely traceable to the CLIENT by TP only.
  • The Token Identifier can be translated into the VID using reference numeral 20 and from there be matched with the related Role or Base Identity.
  • A Channel Partner requires special identification and authentication to verify privacy protection agreements and the risk of leakage. This especially includes Delivery, where address conversion is requested.
  • Sender will in most cases be identified using a Token Identifier and authenticated using a PKI Scheme. Using Email, this can be achieved by combining the sender identifier with email encryption.
  • A strong channel is an identified and access-controlled channel that can be used to communicate control messages which, when used in a weaker channel (or vice versa), verify the weaker channel to the level of the stronger channel. For some weak channels this can only be a session verification. For instance Credit Cards can be stolen, and normal telephone lines have general access and are without standard login procedures.
  • Sender cannot be identified in every circumstance, for instance a friend calling from a public pay phone. It is then up to the CLIENT Receiver to decide. This decision can be built into the VID so that non-identified communication attempts will only be accepted in special semi-identified VIDs used for personal RELATIONS, i.e. if the SENDER knows the Token Identifier then SENDER is likely ok and RECEIVER accepts the call by default. Whereas for the general surfing VID the CLIENT can decide not to accept non-identified SENDER communication, without even being prompted up-front.
  • Caller can authenticate interactively using previously agreed methods if caller is already known to TP.
  • VID and physical communication channel Identification will include establishing a mapping between physical identifiers and VID, enabling session management to perform this mapping with an insignificant overhead.
  • The mapping provided by session management has to be divided into two separate parts, each encrypted with a separate session key, to avoid breaking anonymity by monitoring and pairing inbound and outbound communication.
  • Encryption is central to protect against eavesdropping and surveillance of communication. This is multi-layered.
  • Central is the core message encryption using SYMKEY between CLIENT and COMPANY.
  • The purpose is to ensure that nobody but CLIENT, COMPANY and anyone trusted by either of these has access to the actual message content.
  • Added to the central message are functions, data and messages to and from TP, encrypted with ClientKey or CompanyKey respectively. Messages will thus be decrypted and re-encrypted in the intermediation process.
  • Communication packages are continuously re-addressed, including changing to and from addresses, stripping identifiable signatures and replacing them with the appropriate Virtual Identity or Channel-specific information.
  • Session management facilitates real-time mapping of physical to virtual information.
  • Inbound Intermediation is a central process with the objective to identify and block
  • When TP receives a message bound for a CLIENT it will act as the CLIENT's agent, deciding if the message is to be denied access, let through, routed to the Suggestion House (see Personal Services) or some other action taken.
  • Suggestion House: see Personal Services.
  • One possible further action is a request for additional information from sender/caller.
  • CLIENT can prior to the event set up a set of communication rules. These communication rules are based on the richness of information available to decide.
  • Available information includes Sender identity, Channel, Purpose (if available), Importance, Receiver temporary Rules, Receiver Actual Status, Sender History, Dialog Status, Commercial Transactions status, Sender history with other CLIENTS etc. Additionally, special references can be set up in agreement between CLIENT and COMPANY.
  • A specific example of this is the delivery channel, where COMPANY can incorporate reference information in the encrypted part of the address.
  • If sender is previously unknown to receiver and/or TP, then sender can be identified and classified afterwards to control future communication attempts.
  • SPAM messages from previously unknown sources are readable by TP due to the lack of secret encryption keys. These messages can optionally, for CLIENT, be subject to filtering using automatic Text Scanning rules and the evaluation by other CLIENTS of earlier communication from the same source. Using neural networks combined with CLIENT evaluation of earlier unencrypted messages, a quasi-intelligent neural net simulating CLIENT preferences can be trained and made available for future communications. If CLIENT does not establish an encryption key (SYMKEY) not known to TP, then TP can be asked to Scan messages from known sources also.
  • Sender history makes it possible for an access control filter to condition the rule on CLIENT's or other CLIENTS' evaluations of COMPANY (see evaluation of quality). This is especially interesting if a COMPANY suddenly starts to abuse emails for SPAM marketing. As soon as the first significant group of CLIENTS has characterized COMPANY's actions as SPAM, COMPANY can be reclassified as a potential spammer, leading some Access Control Filters to block further communication. Central here is the link to the Privacy Trust Program, because the same problem will be visible to CLIENTS in the authentication process, thereby reaching a large subset of COMPANY customers shortly after the change of policy and putting heavy pressure on non-accepted behavior.
  • The output from the Access Control Filtering can be either a denial, a routing to the Suggestion House for sales/marketing messages, a request for additional input (such as a password or an identification) or an individual message to the sender, or it can serve as input for the redirection service.
  • Individual blocking can be useful in a general concept to avoid bothersome contacts ranging from press-people to unwanted earlier boyfriends.
  • The Priority parameter can be used both to speed a message up and to slow it down. It serves as control for how extensively Receiver shall be searched for through all channels. For instance an emergency call from a Child of a receiver can lead to a search through all channels, whereas a low priority message is more likely to end up in the electronic answering service.
  • Receiver: Role-dependent.
  • Receiver Actual Status consists of parameters to situation-specific rules that can be dynamically altered to the specific situation of CLIENT.
  • CLIENT can be in shopping mode, letting through more sales-related messages. These rules are to be seen in close connection with the following routing rules, which are almost 100% situation-based. For instance, if CLIENT is in shopping mode with a GPS-enabled WAP mobile phone, CLIENT can accept receiving Calls for Action based on location. These SPAM calls are normally filtered out.
  • Routing is the central CLIENT Communication Path Control, ensuring that Communication is best suited to actual wishes, communication type, security, convenience and cost.
  • CLIENT can contact TP to inform it of CLIENT's mode and presently preferred communication channel. This very valuable feature makes it possible to dynamically change status without the Sender knowing or having to consider it.
  • High Priority Messages can involve extensive search in all communication channels or notification in mobile or other Channels.
  • A very central example of a high priority message is where a relative under the care of a CLIENT is in need of help. This could be a child, an elderly or a disabled person. These relatives are often troubled by the difficulty in locating CLIENT. Instead, a single alarm number can be set up and pre-programmed into telephones or Wireless beepers, where a call will automatically trigger a Top-Priority establishment of a Communication Path to CLIENT.
  • Routing options could be prioritized in the following order:
  • An example of situation-specific contact protection is when CLIENT is in an important meeting or otherwise attending something that should not be disturbed. Instead of shutting off for instance a mobile phone, CLIENT can go into Meeting mode and increase the threshold of importance before being disturbed. More messages will be routed to the answering service, but emergency calls will still be put through. When attending a meeting, RELATIONS with relevance to the meeting can temporarily get higher priority and thus enable a user-controlled relevance criterion.
  • A request for additional information about purpose or importance from sender can be collected in interactive channels using automated interaction such as Voice Response etc.
  • Communication of the same type can be routed between physical channels of the same type, e.g. routing email to a Role-based email address to the email address currently most reachable (e.g. home address after office hours). Communication can be redirected between two channels of different types where content translation is possible (e.g. translating a telephone call to Voice over IP, Voicemail etc.). Calls failing to reach CLIENT can be routed to other Receivers such as a permanently staffed Emergency Call Center, a secretary, a Spouse, a backup colleague etc.
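The Access Control Filtering and routing rules of the items above (sender identity and individual blocking, other CLIENTS' SPAM evaluations, Suggestion House routing for sales messages, Priority and alarm numbers, Shopping and Meeting mode), as an added Go example that is not part of the patent. The rule order, the SPAM threshold and all sample senders and receivers are assumptions.

```go
// Added example (not from the patent): an Access Control Filter of the kind the
// text describes, applied to constructed inbound communication attempts. Rule
// order, the SPAM threshold and all sample senders/receivers are assumptions.
package main

import "fmt"

type Decision string

const (
	Deny              Decision = "deny"
	LetThrough        Decision = "let through"
	SuggestionHouse   Decision = "route to Suggestion House"
	RequestInfo       Decision = "request purpose/identification from sender"
	AnsweringService  Decision = "route to answering service"
	SearchAllChannels Decision = "top priority: search all channels"
)

type Mode int

const (
	Normal Mode = iota
	Meeting
	Shopping
)

// Attempt holds the sender-side information the text lists as available to the rules.
type Attempt struct {
	Sender   string // Token Identifier of the sender; "" if not identified (e.g. pay phone)
	Channel  string // "email", "voice", "wap-push", ...
	Purpose  string // "sales", "personal", "emergency", or "" if not stated
	Priority int    // 0 low .. 3 emergency, as stated by the sender
}

// Receiver is the CLIENT side: actual status plus rules set up before the event.
type Receiver struct {
	Mode            Mode
	AcceptUnknown   bool            // semi-identified VID: accept non-identified callers
	Blocked         map[string]bool // individual blocking
	MeetingRelevant map[string]bool // RELATIONS temporarily raised while in Meeting mode
	AlarmSenders    map[string]bool // pre-programmed alarm numbers of dependants
}

// History is the sender's record across all CLIENTS served by TP.
type History struct {
	Recipients int // CLIENTS who received from this sender
	SpamVotes  int // of those, CLIENTS who characterised the messages as SPAM
}

// Record is the afterwards-classification step: a CLIENT's evaluation feeds history.
func (h *History) Record(isSpam bool) {
	h.Recipients++
	if isSpam {
		h.SpamVotes++
	}
}

// Spammer is the reclassification rule: a significant group (assumed >= 5 recipients,
// >= 30 % of them voting SPAM) turns a COMPANY into a potential spammer.
func (h History) Spammer() bool {
	return h.Recipients >= 5 && h.SpamVotes*10 >= h.Recipients*3
}

// Filter is the Access Control Filter; the order of the cases is the assumed priority.
func Filter(a Attempt, r Receiver, h History) Decision {
	switch {
	case r.AlarmSenders[a.Sender] || a.Purpose == "emergency":
		return SearchAllChannels // never blocked, not even in Meeting mode
	case r.Blocked[a.Sender]:
		return Deny
	case a.Sender == "":
		if r.AcceptUnknown {
			return LetThrough // SENDER knowing the Token Identifier is taken as good enough
		}
		return RequestInfo
	case h.Spammer():
		return Deny
	case a.Purpose == "sales":
		if r.Mode == Shopping {
			return LetThrough // Calls for Action are accepted while shopping
		}
		return SuggestionHouse
	case r.Mode == Meeting && a.Priority < 2 && !r.MeetingRelevant[a.Sender]:
		return AnsweringService
	}
	return LetThrough
}

func main() {
	r := Receiver{Mode: Meeting, MeetingRelevant: map[string]bool{"TOK-colleague": true},
		AlarmSenders: map[string]bool{"TOK-child": true}}
	fmt.Println(Filter(Attempt{Sender: "TOK-child", Channel: "voice"}, r, History{}))
	fmt.Println(Filter(Attempt{Sender: "TOK-press", Channel: "voice", Priority: 1}, r, History{}))
	fmt.Println(Filter(Attempt{Sender: "TOK-colleague", Channel: "email"}, r, History{}))
}
```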
  • A PRIVACY CARE rating will be as strong an indicator of good marketing performance as financial ratings, and a strong indicator of future financial performance.
  • A drop in rating is an indicator of a drop in financial performance.
  • A special EMBODIMENT includes token information used to allow third-party emailing, for instance when a customer agent is asked to collect quotes.
  • Establishing a Virtual outbound channel requires TP intermediation.
  • TP intermediated communication channel makes it possible for CLIENT only to specify receiver and channel type (indirectly indicated by choice of device - email, phone, etc.) and optionally purpose, but not channel or actual address.
  • TP looks up the correct receiver address. Establishing communication includes looking up and switching to the relevant VID.
  • The central principle about Browsing is that no trace nor registration of behavior is kept. If CLIENT so wishes, third-party anonymisers can be used when browsing.
  • TP will supply CLIENT-side software that can be used optionally, including services like Cookie handling, Browser anonymization, auto-registering, auto-login and the core One-stop sign-in with the related Identity-Switcher. Additionally special services are available for supporting interaction with registered sites like forms filling, profile/wish presentment.
  • An embodiment using current technology must include browser anonymization and IP-number protection.
  • IP-number protection proxy
  • IP-number protection is required to protect against tracing of behavior and linking based on the use of IP-number and other similar traceable information.
  • The use of session management technologies like Cookies is limited to a minimum, e.g. by making sure that a cookie can survive only during a session and by deleting other cookies after browsing.
  • TP assisted login and logout identity switching
  • All non-relevant cookies are deleted.
  • Cookies can be transferred into the VID data archive. These cookies can optionally be restored when entering the site again.
  • The anonymous VID can be supplied with information about Profile and wishes from the Private Data Storage controlled by CLIENT.
  • This profile information can include an anonymous proof of credit worthiness, a credential such as a formal educational degree or an anonymous proof of absence of a negative credential such as a criminal record or outstanding debts.
  • One embodiment includes an XML-format collection of parameters, encrypted according to the structure of roles and VIDs and manageable by TP only by reference, not by access to contents.
  • When filling out forms, a CLIENT-side companion helps fill out these forms and keeps a copy of the information revealed.
  • Auto-login and auto-Identity-Switch can be enabled by the CLIENT-side software.
  • When entering sites where CLIENT has not registered, TP can auto-register.
  • When auto-registering, CLIENT is asked the type of VID and optionally under which role CLIENT wishes to register. Special requirements as to Channel availability are also customizable.
  • TP then creates a new VID and registers this VID with COMPANY.
  • For a COMPANY site with a Privacy agreement with TP, registration is done straight into the COMPANY customer database, with the Company customer Database ID for the Client becoming the common identifier.
  • Email and similar means of communication are characterised by being asynchronous, and hence by not having an active session.
  • Several types of standard email anonymization are well known.
  • The standard solution is to have a third-party re-mailer act as an anonymiser by translating between an anonymous email address and the actual user email address.
  • An email address is a Token Identifier where only uniqueness and a link to a role are the key requisites.
  • TP must set up means (both inbound and outbound) that make it possible for CLIENT to use the physical line without revealing the physical identity. For inbound calls this can be done by routing from a TP operated phone number to the physical phone number.
  • A Telco Alliance Partner will translate on the fly. The basic principle is that the Calling Party will always reach a line controlled by TP. Information can be obtained from the Calling Party concerning purpose, validating identity etc. before attempts are made to reach the Receiving Party. The receiving party will have some sort of log-in validation and advance notification of caller and purpose before the connection is established.
  • The Outbound Telephone number can be <Local Privacy Number>-<Token information> or <Local Privacy Number>-<Corporate Customer Internal Customer Identifier>.
  • A mobile Telephone, however, has the advantage over fixed-line telephones that it is not identifiable by the physical location link to an address.
  • Voice over IP has the further advantage that no permanent identifier is linked to a Voice over IP session.
  • TP hosts a WAP Gateway that controls access to the mobile device.
  • The basic service is to acquire the device anonymously, so that not even the phone company knows the identity of the owner.
  • The additional service is to intermediate the calls through TP according to the generic specification.
  • Second are the upcoming GPS possibilities, with which the phone company can trace the physical location of a mobile device.
  • This channel will be intermediated primarily using anonymized Registration, so that Interactive Service Providers have to listen in order not to be blacklisted. Content itself will not be streamed through TP, but each atomized program/advert will.
  • The CLIENT-side browser is anonymized, with integrated links to online services for ordering etc.
  • A general problem with this solution is that the anonymous Credit Card can be used as link information between COMPANY x and COMPANY y. This will not identify the user unless linkage can be established to a COMPANY where Identified purchases using the same Credit Card have been made.
  • Standard Linkable Credit Cards can either be used offline or in online SSL trade in combination with an online Network-based payment authentication or a wireless authentication, as shown in Figure 15. This is done in coalition with Credit Card verifiers, who will implement a table translating a Credit Card to a contact channel for CLIENT to be used for CLIENT payment authentication outside the reach of COMPANY, thus eliminating most Credit Card fraud. CLIENT will then authenticate Payment with the Credit Card Verifier outside the reach of COMPANY. The Credit Card Verifier presents an electronic payment slip to CLIENT either directly or through a Trusted Agent. Upon authentication by CLIENT the Credit Card Verifier can authenticate Payment towards COMPANY according to standard procedures with the Credit Card Issuer. This procedure eliminates the need for Credit Card PIN codes, since a stronger Channel authentication is used.
  • The CLIENT payment verification channel will be according to the Channel Trade taking place. Offline in stores etc. the use of Traceable Wireless Devices such as Mobile Phones with a separate authentication mechanism will significantly improve security, since fraud requires theft of both the Credit Card and the authentication device.
  • Since the Credit Card number is linkable across COMPANIES, a special VID for this purpose only is used, with Trusted Agent authentication.
  • The Token VID identifier can be the Credit Card Number itself.
  • This procedure is extended into an anonymous procedure. By issuing anonymous Credit Cards, COMPANY will not be informed of CLIENT's identity even with existing payment procedures. In addition this is combined with a Trusted Agent intermediating payment verification, so that the Trusted Agent authenticates Payment towards the Credit Card Verifier and the Credit Card Verifier then authenticates Payment towards COMPANY.
  • Credit Card Information is linkable information, and disclosing it to COMPANY is a breach of Privacy.
  • The Payment Mechanism will include intermediation such that Payment is guaranteed by a Trusted Party.
  • A new CLIENT can after registration and identification download a synchronization tool customized for standard Personal Automation tools (such as Palm Pilots, Outlook, Lotus Notes Personal Address Book etc.).
  • Each contact will by definition be an Address Book Only type of VID.
  • CLIENT can reorganize his contacts according to his own Roles and VIDs, so that Business Contacts and Personal Contacts, Family, Suppliers etc. are separated. In this process each Contact is assigned how much CLIENT information it can access - Wishlists, Preferences, Physical Communication Channels etc.
  • When this process is over, CLIENT can ask TP to contact all or some of the Contacts and ask whether they will take it upon themselves to keep the address book updated. At the same time CLIENT offers to keep the personal address book updated.
  • The individual confirmation ensures that control of access to contact information is retained by the individual (nobody can force a Celebrity like a movie star to update contact information, but a specific Fan Service can be set up under the control of the Celebrity, thus providing both Privacy and Convenience). Two major advantages are introduced beyond convenience.
  • A CLIENT has his own Relation database, and TP knows how to contact these relations. CLIENT decides the channel type (email, voice, postal mail) and sends the message to TP together with the internal reference. TP takes care of delivering the message, including locating the best channel to use.
  • The message delivery is according to the Receiver's wishes. Not only can the receiver decide the exact level of anonymity related to the communication channels available and the identifiable information rendered.
  • The sending CLIENT can also respect the receiving CLIENT by putting the receiver in control. Since CLIENT cannot know the actual state of mind and the situation of the Receiver, CLIENT can be violating Privacy merely by the choice of channel and the point in time at which CLIENT chooses to use it.
  • Receiving CLIENT can through RELATIONS and GROUPS set up priorities in the Inbound Communication filtering and routing to match the exact desired situation across relations, sender and receiver situations and communication channels.
  • A temporary solution for Privacy-enhancing Communication Channels is to acquire channels anonymously with support from TP.
  • Wireless devices like mobile Phones, PDAs etc.; Virtual Channels like email, Internet Gateway, WAP Gateway, SmartCards for Satellite or wireless Interactive TV.
  • A central issue about anonymization of channels without intermediation is the problem of linkage. Since the logical target of an anonymous non-intermediated channel is known to all COMPANIES with which the channel has been in use, the Channel Identifier can act as a linkage device between COMPANIES.
  • Rollover will be the best way to minimize damage. The key about Rollover and anonymised Channel Identities is to manage the Rollover in such a way that no residual linkage is possible. This means that all anonymized Channels have to be rolled simultaneously, ensuring that COMPANY loses trace information.
  • For the individual CLIENT a major advantage of the TP Service is the access to an answering service covering multiple (if not all) communication channels, no matter the physical location, type or service provider involved.
  • A CLIENT's RELATIONS and members of his Groups are his Address Book, which can be accessed online or exported and stored in any device CLIENT uses. This can be an email address book, a Mobile Phone register, a wireless PDA etc.
  • A specific Identity will be created for each personal contact that is a member of a CLIENT Personal Address Book without being a registered TP CLIENT. This is necessary for the inbound control and for notification of changes on behalf of CLIENT.
  • CLIENT can set up different profiles related to roles, VIDs etc. These can be accessed either by CLIENT push (always presented or presented on request by CLIENT) or by pull mechanisms (requiring a specific request from the receiver).
  • The Suggestion House reverses the Direct Marketing/sales process to create an alternative to SPAM. Instead of CLIENTS being bombarded with sales signals, the Suggestion House is the place where Sales messages are directed. When - and only when - CLIENT enters this virtual Suggestion House, he is open to suggestions.
  • Source of Suggestion: either company or agent.
  • CLIENT can set up his Suggestion House as he pleases. It can be divided into separate rooms to which different kinds of messages are directed. CLIENT is in control of inbound messages from the filtering function and from the Agent Access Control.
  • TP supports the Privacy Enabled process from Suggestion to delivery. Central is the problem of keeping detailed Private Data separate from Identification. For a specific purchase CLIENT gives information that is more detailed than is necessary and desired (by CLIENT) for the continued relationship. The key to handling this problem is the separation of identities.
  • The suggestion process is a natural continuation of the relationship, and as such the purchase is done using the COMPANY-specific VID.
  • An Agent given access to Private Data Analysis and counseling sees one Identity.
  • The actual delivery is done under another One-time-Only Identity.
  • The main purpose is to contain Private Data and still secure the Agent's interest in fees etc.
  • CLIENT is in control by accepting Agent access to Private Data - optionally on a rental basis.
  • CLIENT can add the suggested item to his Wishlist (with reference to the original suggester to ensure the fee when delivered).
  • TP will establish a Collaborative CRM, meaning that evaluation of a COMPANY's practices plus the existence of signed principle documents will be used to rank COMPANIES to non-customer CLIENTS.
  • CLIENT can add this to an interest list for later checking and potential transferal to a Wishlist or a Shoppinglist.
  • CLIENT looks through Suggestions, marking interesting ones for the Interest List. He can ask to receive advice from an Advice Agent accessing either CLIENT Private Data or, by Permission, getting gift suggestions for RELATIONS.
  • CLIENT creates a Privacy-Enabled personal Wishlist located in the Private Data
  • CLIENT can appoint one or more RELATIONS as WISHLIST COORDINATOR. Co-ordination of wedding gifts or parents supervising lists to which children add items are two examples of use.
  • A WISHLIST COORDINATOR can use AGENTS to analyze, in a PRIVACY-enabled manner, the Private Data of CLIENT to generate new Ideas (figure 27 reference numeral 36) or to get additional information about the Wish such as sizes, color etc. from the Adaption Agent (figure 27 reference numerals 220, 37 and 39).
  • Dynamic Shopping Lists
  • A dynamic shopping list is related to a CLIENT, a Group of CLIENTS (a family or an event) and optionally an event. See figure 27 reference numeral 140.
  • Each Client will have relations with multiple SHOPPING LISTS in order to separate purchases depending on purpose and timing.
  • At the point of purchase, lists can be combined into one operational list.
  • A shopping list can be forwarded to a Price Agent (figure 27 reference numeral 20) for getting quotes and suggestions.
  • A shopping list or single items can be forwarded to COMPANY for purchase according to the full Privacy Trade Service (figure 27 reference numeral 50).
  • The arranger CLIENT can have access to personal likes and dislikes of each participant without having to keep updated files or calling everyone. This ranges from being a vegetarian for meal selection to seating assistance based on jobs, interests and even prior events. Meal selection services are linked to recipe libraries and can feed into a dynamic Shopping List that can be accessed at the point of sale in shops etc.
  • The arranging CLIENT can for each relation maintain personal knowledge of a participating CLIENT regarding likes/dislikes, ideas, etc.
  • Participants can coordinate gift purchases based on the personal Wishlist. Gift decision discussions, money collection, transfer of ownership of gifts and warranties are serviced by TP. Please note that a special Wishlist co-ordinator can be appointed through the RELATION link (see figure 2 reference numeral 100).
  • Event Dynamic Shopping lists support group shopping. If each shopper has access to the same list, through for instance a mobile wireless device, they can mark items in real time and across different shops. Using one of the well-known mobile devices with built-in bar code readers will greatly enhance this service.
  • Data available for analysis in order to get relevant customized suggestions can include finance, house, style, clothes, literature, hobbies etc.
  • CLIENT will create a Virtual identity towards each Agent in order to control access to data.
  • CLIENT selection of Agents is based on their price requirements and history. TP will ensure that the Agent receives its fee when a purchase is done (using TP services) and maintain an individual and overall CLIENT evaluation of Agent Services.
  • CLIENTS will over time build loyalty with specific Agents that are used repeatedly because of the quality of their suggestions.
  • Agent access to Private Data can be subject to fee payments from Agent to CLIENT.
  • New Agents not yet known to CLIENTS can rent access to Private Data under CLIENT approval.
  • CLIENT can show some basic Profile and TP can verify purchase level for Agents to bid on.
  • CLIENT can be paid on the basis of time and profile access richness. Just as CLIENT can say no, so can the AGENT, by ceasing to pay rent.
  • CLIENT decides to build relations to one Advice Agent (figure 27 reference numeral 210) specializing in Suggestions based on Private Data. Advice Agents are separated into rooms in the Suggestion House according to specialization. Only Agents adhering to the Privacy Principles will be allowed to register for access to CLIENT Data.
  • Adaptation Agent (figure 27 reference numeral 220), which is used for discussing customization of the Item to purchase with the supplier.
  • Keeping each agent separate is important in order to separate issues and data access.
  • This invention implements a rich list of online and off-line community services.
  • the VID has to be one-time-only if CLIENT is identified by the COMMUNITY, because of the risk of linking CLIENT identity to the VID related to the partner.
  • the one-time-only VIDs are generated on the fly and are prepared as standard for safe trade involving anonymous same-time payment and delivery intermediation.
  • Communication channels such as email, telephone or chat with the supplier can be available depending on the wishes of the COMMUNITY. Likewise guarantee or other post-transaction services.
  • One-time-only VIDs will require setup of encryption keys between TP and the Supplier to handle Delivery Address exchange and intermediation and payment agreements. These keys do not have to be one-time-only, as they are specific to the supplier and neither contain nor are used to protect identifying information about CLIENT.
  • This service will be able to take care of all aspects of the trade, including a final transfer of a fee to the COMMUNITY account.
  • This fee is an agreement between COMMUNITY and supplier for the COMMUNITY to set up a sales channel for the supplier.
  • TP can offer a service where suppliers registered with TP can be offered to the COMMUNITY or even managed by TP.
  • Anonymization of CLIENTS will open up much easier trade relations, where COMMUNITIES can concentrate on their core business without risking suppliers starting to contact CLIENTS without paying the fees to the COMMUNITY. CLIENT does not necessarily need to know the supplier, further protecting the interests of the COMMUNITY.
  • FIG 24 shows a generic privacy auction service for online communities, portals, societies etc., combining Delivery Control, Payment, Communication intermediation, two-way anonymous signature and Trusted Party Service.
  • the Auction Community can set up the rules for which kind of interaction between Buyer and Seller is available according to the trade process. Also, the Auction Community can set up a default Agreement that both Buyer and Seller have to accept anonymously in order to continue the trade process.
  • CLIENTS can be previously unknown to TP, in which case TP will need to create One-Time-Only VIDs to establish Privacy. Both BUYER and SELLER can have registered with TP beforehand and already be using a VID for the specific Community. Depending on the type of service, the VIDs can be identified or non-identified according to the wishes of CLIENT. Seller and Buyer never need to know each other's identity. TP can in this setup be the only party knowing the identities of the players, thus adding trust to the Auction Community.
  • Which communication channels are open can be customized by the Auction Service. At one end is a fully open market place focusing only on matching supply and demand for anything. At the other end the actual trade is fully intermediated without free communication between CLIENTS. In the case of full Intermediation only specified messages can be transferred between CLIENTS, without them being able to communicate otherwise.
  • An Auction Trade can take place without the two CLIENTS ever revealing their identity to the other or to the Auction site. This can be because the Auction site requires this as part of its business case (for instance a job matching service) or because either CLIENT wants it so due to the nature of the item in question (tip-offs to the police etc.).
  • TP acts as the Trusted Party in the Deal on behalf of the Auction site.
  • TP Privacy Communication Services can be used to negotiate anonymously and to use a Privacy Agreement to create a formal agreement. For most Auctions the agreement will be in the form of an invoice (figure 24 reference numeral 10).
  • BUYER CLIENT then deposits payment and TP confirms this towards Seller and AUCTION COMPANY (figure 24 reference numerals 10 to 40). In some Auction models a BUYER CLIENT will have to deposit Payment with TP when bidding.
  • TP can enable Dispute Arbitration: a third, identified party acts as independent arbitrator. If this does not solve the problem then legal proceedings can start. This can be totally anonymous, but at any point CLIENTS themselves can decide to reveal identities or ask TP to do it simultaneously.
  • the fee for the Auction Site and for TP can be added to the Payment from Buyer or deducted from the payment forwarded to Seller. Additionally there is an optional Fee Deposit from Seller upon registration of the item in question at the Auction Site. This fee can be released to AUCTION COMPANY simultaneously with the release of Payment to SELLER.
  • the COMMUNITY can outsource most basic COMMUNITY functionality to TP.
  • the heavy membership management part, including membership payments (recurring payments), security (identification and authentication) and information management, consists of simple add-ons to the basic TP services.
  • the COMMUNITY receives a list of one-time-only Membership Tokens. Whenever a new member has, through any means, been approved to become a member of the COMMUNITY, the CLIENT can supply the Membership Token. When CLIENT has been accepted for membership, an automatic registration as Member of the COMMUNITY is initiated, together with membership fee payments being added to the list of recurring payments after confirmation by CLIENT.
  • The COMMUNITY's costly setup and management of communication channels and membership payment collection is significantly reduced. Since TP is taking care of identification and authentication procedures, the COMMUNITY IT complexity is greatly reduced, because it can use a limited, strongly authenticated access channel directly with TP instead of a more exposed channel with weak authentication relying only on recurring simple passwords etc. Since TP already has an authentication service in place, the full TP services are available to COMMUNITY members.
  • This invention opens up a new type of long-term anonymous customer relationship where customers are in control. If COMPANY makes active use of this, it is likely to get better customer relationships, because it can now focus on servicing customers in the best way, with customers being much less afraid that COMPANY can abuse information.
  • COMPANY can outsource these procedures to TP at considerable cost savings compared with doing it on its own. More importantly, since COMPANY cannot do the Identification anonymously itself, it needs a trusted party to establish a secure identification and authentication path when dealing with anonymous virtual identities.
  • For both identified and anonymous virtual identities, TP can offer to handle the identification and authentication of the full COMPANY customer portfolio.
  • COMPANY (figure 17 reference numeral 10) generates a Transaction Id and signs this with the COMPANY Private Key.
  • This message is transferred to a TP-issued SmartCard capable of doing
  • CLIENT signs the message with a Token Client Identifier (an Identifier of the Specific SmartCard) and encrypts the message using a random symmetric session key. This message, together with the session key encrypted with TP.Pu, is then transferred back to COMPANY.
  • COMPANY can use the TP Public Key TP.Pu to locate TP using a standard X.509 library and send the message over a communications network such as the Internet to TP (figure 17 reference numeral 30).
  • TP receives the message and decrypts the encrypted session key with TP.Pr (figure 17 reference numeral 40).
  • TP extracts the symmetric session key and decrypts the message to get the Transaction Id, the Company Signature and the Token CLIENT Identifier.
  • TP acquires (or generates a new one if none is valid) the VID related to (Company, CLIENT).
  • the pair (VID, TransactionKey) is sent as a Coded Message to COMPANY and the Virtual Identification Link is established.
  • CLIENT locates the goods or services wanted. COMPANY can look up the VID and offer customized service accordingly.
  • CLIENT can use the SmartCard to link to the Transaction Id (figure 17 reference numeral 50).
  • the procedure of reference numerals 10 to 50 can be done at checkout, but then COMPANY has no information with which to customize service.
  • When the electronic invoice and related warranties are ready, CLIENT receives a payment request in his SmartCard.
  • CLIENT signs the Payment Data Part and encrypts the signature with TP.Pu (figure 17 reference numeral 60).
  • COMPANY sends the Electronic Invoice together with the encrypted payment authorization to TP (figure 17 reference numeral 70).
  • TP (figure 17 reference numeral 80) decrypts the payment framework and verifies that the electronic invoice contains the related warranties.
  • TP replies with a Payment Transaction Code. Payment is carried out according to the agreements between TP/CLIENT and TP/COMPANY respectively.
  • Since TP incorporates both accountability and privacy, dedicated secured spaces can be set up where TP provides gatekeeper access based on credentials. This can for instance be an online playground for children, where only identified children can enter with parental acceptance. Here the child can be presented with a learning program that is secured from unidentified access by, for instance, paedophiles, customized to the child's age and special needs, under parental control and privacy-enabled.
  • Secured Spaces can be used for a multitude of purposes, setting up access criteria based on any credential.
  • Partner-based loyalty programs with multiple COMPANIES involved are increasingly used to build loyalty towards a broader range of products. This is a direct threat to Privacy, because these programs are based on cross-company linkability and collection of profile information.
  • Major incentives can be involved to get CLIENT to accept participating in such a program.
  • TP is offering a service where multiple COMPANIES can add loyalty points to a joint program.
  • TP can offer a simple anonymisation service.
  • COMPANY provides TP with a list of VIDs that should participate in the vote and send a message to CLIENTS through TP.
  • TP sets up a one-time-only authorisation scheme which each CLIENT can use only once to access a questionnaire form located outside TP control, with either COMPANY or a questionnaire analysis outsourcing service.
  • TP guarantees that each CLIENT has accessed the questionnaire only once but does not have access to information rendered.
  • TP can ask CLIENTS that have not voted to vote.
  Customs, VAT and other reporting
  • Handling of Customs and VAT payment issues across borders etc. depends on the countries of both Buyer and Seller. TP intermediation is necessary in order to calculate these values.
  • Public reporting is a service that TP does on the fly as part of the Privacy Payment Service. All necessary information is available in electronic format.
  • TP can offer a full-service Public Reporting thus heavily decreasing barriers to New startups or just outsourcing administration.
  • TP can act as the central core in a Total Business Service. Since Privacy require
  • this intermediation can include a total service concept related to the subset of COMPANY customers which are TP CLIENTS.
  • COMPANY Products can be made available for Agent Services as part of the Trade Server integration thus facilitating availability in the marketplaces.
  • Government services have a general tendency to increase in scope and depth of services and information required in the name of the public good.
  • the cost is a significant threat to the Privacy of the Individual.
  • An anonymising service like TP will open up new types of digital voting services. Central conditions are that TP cannot tamper with voting procedures, and that CLIENT remains anonymous and sure that no-one can link their vote with their identity, even when TP acts in combination with a governmental operation.
  • a CLIENT can collect a vote token only once and get anonymous access to the voting booth delivering this token.
  • the principle is based on division of control functions.
  • TP ensures that each CLIENT votes only once by authenticating anonymously and zero-knowledge towards a Public Token control service.
  • With this Token, CLIENT can go to the voting booth outside TP control, provide the One-Time-Only certificate and cast both physical and virtual votes.
  • TP can supply the government with a list of which CLIENTS have voted, which can be verified against the total number of votes.
  • TP can prove that each of these CLIENTS has voted by having them sign a statement confirming that they have voted.
  • Anonymisation services are very useful in a public context for services concerning sensitive questions that are related to fear, disgrace or shame. This can be sexually related matters, anonymous reporting of criminal incidents, etc.
  • CLIENT is free to use alternative information-theoretic anonymisers for these purposes.
  • a DNA sample is numbered and linked with an anonymous identification. This can be done using the same functionality as for Realworld Loyalty Programs.
  • the government function creates a sample identifier and asks to get this sample linked to the CLIENT.
  • CLIENT authenticates zero-knowledge towards TP, and TP confirms with a signed statement that a traceable identification has been created.
  • the combination of the sample number and a special VID is stored with TP.
  • the unidentified numbered sample is stored and can be used for analysis purposes.
  • Car Registration should be anonymous but traceable in the same way. Simple offences like parking tickets etc. do not necessarily lead to identification; fines can be paid anonymously.
  • the system according to the preferred embodiment of the present invention for establishing a privacy communication path is shown in figure 32 and is designated in its entirety by reference numeral 80.
  • the system comprises one or more General Authentication Devices (shown in figure 33) to provide the CLIENT with control over Private Keys located in a SmartCard (shown in figure 33 as reference numeral 100) and the ability to do Zero-knowledge Authentication.
  • the system comprises one or more Communication Channel Providers (shown in figure 32 as reference numerals 40, 50, 60, and 140) to establish Privacy Communication Channels or a virtual identifier intermediating a Physical Communication Channel as a Privacy Communication Channel toward one or more Authentication Units (figure 32 reference numeral 70) acting as an intermediary to provide CLIENT with the ability to set up a rule based communication routing scheme across communication channels and multiple Virtual Identities each with a set of Virtual Communication Channels and the ability to Sign Legally binding agreements and authenticate towards any third-party based on a single sign-on identity.
  • the single sign-on identity is provided by one or more ID Units (figure 32 reference numeral 80) issuing SmartCards (figure 33 reference numeral 100) for the General Authentication Device (figure 33 reference numeral 80) and storing Identifiable information according to Basic Accountability Principles.
  • the system according to the preferred embodiment of the present invention further comprises one or more Device Authentication Units (figure 32 reference numeral 170) with the ability to provide a certificate to a General Authentication Device (figure 33 reference numeral 50) to authenticate online or offline towards any device and verify said certificates to protect against theft or fraud.
  • the system comprises one or more Trust Units (figure 32 reference numeral 90) intermediating two or more Virtual Identities of different CLIENTS or Companies into Relationships, providing storage, profile information encrypted under the control of CLIENT or Company, access to relationship information and relationship services, and protecting Authentication Units from knowledge related to Virtual Identities.
  • the system according to the preferred embodiment of the present invention comprises one or more Integration Units (figure 32 reference numeral 100) to provide companies with a single interface to Company Relationships with CLIENTS or other Companies.
  • the system provides CLIENT with full Privacy Control of CLIENT Identity and information related to CLIENT, subject only to basic Accountability principles.
  • a CLIENT can choose a minimum set-up where no Units, even in collaboration, can violate CLIENT Privacy except for the basic Accountability Principles.
  • a CLIENT can choose a maximum convenience set-up in which both identified and non-identified relationships can be incorporated together with all relevant communication channels, to provide CLIENT with full control of communication and relationships with minimum but not zero linkability.
  • both an Authentication Unit and a Trust Unit are built around an IP-Proxy combined with IP-Mapping routers.
  • Each Communication channel is based on a separate mapping unit, such as an email gateway mapping email addresses, to ensure that no linkable identifiers are present.
  • Minimum accountability is achieved by ensuring isolation of Identity and related information under CLIENT control, combined with an unbroken provable route to identification stored at an ID Unit, requiring at minimum an algorithmic operation by a public institution according to law and a subsequent algorithmic operation by an agent of CLIENT.
  • the ID Unit has no knowledge as to the activities of CLIENT, except for holding a number of multiply encrypted pieces of identifying information using different asymmetric encryption keys, of which at least one is a public key of an encryption pair related to either an appropriate legal Institution, such as a court, or the Individual.
  • the encrypted pieces of identifying information should, in addition to an external encryption key, be previously encrypted with at least one encryption key related to an agent of CLIENT, to verify that individual fundamental rights are not violated.
  • CLIENT can thus perform a traceable voluntary identification, whereas a non-voluntary identification will require a proper legal procedure protecting individual rights.
  • This procedure of an Agent of CLIENT is to ensure a last Privacy defence in a worst-case scenario where, for instance, the courts are not under democratic control, and transfer out of physical reach, or preferably actual deletion, of identifiable information cannot be carried out before the worst-case scenario takes place.
  Embodiment
  • CLIENT generates an ID key pair and provides the ID Unit with proof of Identity, for instance by signing the Public Key (Id.Pu) using a digital Signature key (Cl.DS.Pr).
  • CLIENT then generates an asymmetric key pair for each Authentication Unit and forwards the public key Cl.Pu to the ID Unit, together with a message linking the Public Key of each Key Pair with the ID key pair.
  • the SmartCard shown in figure 33, designated by reference numeral 100, is accessed through the General Authentication Device, through which the Private Key part of any Identity related to CLIENT is accessed.
  • CLIENT can create a new Virtual Identity in any of the Authentication Units and use this to create a new Relationship through the Trust Unit.
  • CLIENT signs a link between the Public key of a Virtual Identity and the key specific to the Authentication Unit (Cl.Pr) to ensure the unbroken traceability link back to the identifying information in the ID Unit.
  • CLIENT receives a verified proof of ownership from the Authentication Unit.
  • a Virtual Identity as presented by an Authentication Unit to a Trust Unit can consist of a set of signing, authentication and encryption keys (Cl.Vir.DS.Pu, Cl.Vir.Auth.Pu, Cl.Vir.Enc.Pu).
  • the Private parts of the Signature and Authentication keys (Cl.Vir.DS.Pr and Cl.Vir.Auth.Pr) are only known to the Authentication Unit, whereas the private part of the Encryption key (Cl.Vir.Enc.Pr) is known only to CLIENT through the General Authentication Device.
  • The encryption key known only to CLIENT provides the core protection from a Man-in-the-Middle attack in a two-way anonymous Relationship. CLIENT can always have any third party verify that the correct Public key is made available to the Relationship Party at the point of Relationship initialisation.
  • This principle implements a no-man's land between an Authentication Unit and a Trust Unit.
  • the Authentication Unit protects the Trust Unit from information linking a relationship to the CLIENT part, meaning that the Trust Unit knows CLIENT only as a number of non-linkable Relationships, not differentiable from Relationships related to other CLIENTS.
  • the Trust Unit prevents the Authentication Unit from gaining knowledge about the Relationship contents.
  • Private Keys (not the private SmartCard Key) can be transferred between SmartCards and stored safely in a backup location, provided they are encrypted with a public key decryptable by a Private Key accessible through the SmartCard. No Private key is in clear text outside the SmartCard.
  • a privacy communication path is constructed around a General Authentication Device (shown in figure 33) incorporating a user interface (shown in figure 33 as reference numeral 180) and able to communicate through a reader (shown in figure 33 as reference numeral 110) with a tamper-proof SmartCard (shown in figure 33 as reference numeral 100) able to communicate with the Device and, as a minimum, store a set of data elements and perform standard operations and cryptographic algorithms such as generating keys and random numbers and zero-knowledge authentication.
  • the General Authentication Device is characterised such that any persistent identifiers are physically separated from any external communication channel and only accessible under control by the SmartCard.
  • Such a device can be achieved by incorporating an isolated area (shown in figure 33 as reference numerals 120 and 130) able to store persistent identifiers and optionally the ability to perform cryptographic algorithms.
  • Such a device can for instance be in the form of a PDA, Mobile Phone, satellite set-top box, a workstation, a combination such as of a mobile unit and a workstation, a lap-top computer or any other device able to establish wireless (shown in figure 33 as reference numeral 170) or cable-based communication channels (shown in figure 33 as reference numeral 160).
  • the General Authentication Device is able to establish a communication path through a Communication Channel Provider to an Authentication Unit and perform a Zero-Knowledge Authentication procedure with the Authentication Unit. The Authentication Unit subsequently authenticates the communication path towards the Communication Channel Provider without providing any persistent device or CLIENT identifiers.
  • the Authentication Unit can require the General Authentication Device to authenticate Zero-knowledge towards an ID Unit to check for revocation of the SmartCard or other fraud protection.
  • the Communication path can be based on a large variety of network protocols, such as wireless in the form of Bluetooth, Infrared, GSM, WAP, GPRS or Wireless IP, and direct cable-based over ADSL, ISDN, serial cable links etc. Any protocol able to carry IP traffic is well suited for such a solution.
  • the General Authentication Device is provided with means to generate or access random or other non-persistent device or CLIENT identifiers. This is, for instance, the case in the most used network protocol, where an IP address can be dynamically assigned to a session using DHCP.
  • the non-optional MAC address is not, from a technical viewpoint, required to be globally unique, only unique within the local surroundings of the network.
  • the MAC address can be randomly generated, or provided in any session by the Authentication Unit for subsequent use in the next session.
  • the real MAC address, used to protect against theft etc., is located in the isolated space (figure 33 reference numeral 120) and only presented to a Device Authentication Unit, without providing any knowledge or persistent identifier regarding CLIENT.
  • Another way to circumvent this is to reuse an address pointing at the Authentication Unit as a gateway.
  • the future Mobile IP standard incorporates the necessary principles for integrating the above modifications. This even covers an always-on Mobile Phone, as long as a session switch is applied regularly.
  • the telecom provider will know where a Mobile Device is, but by incorporating these principles the communication is Privacy-enabled, because the telecom provider only has a session identifier authenticated by an Authentication Unit.
  • the Telecom Provider knows persistent identifiers of neither CLIENT nor Device, and yet still has a loyal customer and protection against theft, and is able to provide advanced location-based services simultaneously.
  • this principle of delayed authentication works across location - Home, Mobile, Work, Foreign Workstations, In Store and even through locations CLIENT has never before had any contact with because an Authentication Unit can instantly intermediate and establish a trusted connection, access to payment channels and a route to accountability.
  • a General Authentication Device will have a mechanism for CLIENT to Authenticate towards the SmartCard using biometrics, passwords, pin-code or any other authentication mechanism.
  • the authenticated SmartCard can then verify internal integrity of General Authentication Device including a device authentication towards the physically isolated space.
  • a General Authentication Device is able to store Device Certificates in the SmartCard for offline or online authentication of any device or system including the General Authentication Device itself.
  • the SmartCard can specifically get external verification that the Authenticator Device is not reported stolen or otherwise inappropriate to deal with.
  • a device certificate can be in many forms ranging from a shared secret to an advanced Zero-knowledge Authentication Protocol depending on the type of device and the sensitivity and timing constraints in revoking a certificate.
  • a SmartCard specific authentication key can be created as a Start/End date or limited show certificate to reduce offline damage in case of theft.
  • the Authenticator - SmartCard combination can after basic authentication create specific authentication with any other external unit made able to authenticate electronically such as access doors, computers, home control systems, cars, specific systems using wireless or cable communication.
  • the SmartCard can store algorithms and one or more identified or pseudonymous Digital Signatures related to the user that can be verified through a publicly available register such as an X.509 or any other PKI compliant protocol whereby a General Authentication Device can replace most known designs for smart-card based Identifying Devices.
  • the General Authentication Device can be incorporated as a software-based solution, even without physical changes as to the MAC address. This is more vulnerable to abuse and requires more trust in the Trusted Party, because the combination of a Communication Channel Provider and an Authentication Unit will know a persistent identifier, even though it is not available to the Trust Unit nor to any Relationship counterparts. Unless CLIENT is very careful, the telecom provider can easily identify CLIENT using location analyses if, say, the Mobile Phone is used around the CLIENT Home.
  Zero-knowledge Authentication
  • A Zero-knowledge authentication mechanism is such that a transferred message is free of any persistent identifier that could be used to identify CLIENT. This means that even a third party able to decrypt communications cannot extract any identifiable information from the communication.
  • Trust Unit A knows the public key of the Client B to be authenticated because it is provided with an identifier B1. The Trust Unit can verify that the Authentication Unit does not impersonate CLIENT by carrying out a Zero-knowledge authentication based on the CLIENT encryption key of the Virtual Identity (Cl.Vir.Enc.Pu/Pr).
  • A generates a random message M.
  • A sends to B the Challenge = Enc(M, B.Pu).
  • B sends to A the Response = Enc(H(Dec(Challenge, B.Pr)), A.Pu).
  • A can now verify that H(M) equals Dec(Response, A.Pr), and thus that B is able to decrypt the message and has in his possession the Private key part of B.Pu.
  • B returns the Hash of M and NOT the clear text of M, because otherwise A would be able to make B decrypt any text, including something B wants kept secret. This procedure can be repeated so that A can authenticate towards B, and these procedures can also be combined in more efficient protocols.
  • Zero-Knowledge Authentication can take place, making use of pre-arranged one-time-only identifiers. This is the case when a CLIENT carries out a Single Sign-on Authenticates towards an Authenticating Unit.
  • the preferred solution is based on a series of Hash values.
  • this message is not entirely Zero-knowledge because CI.Pu is included even though it is encrypted. By signing Hashkey(20) protection against anyone else initiating a fake authentication sequence is prevented. Further protection can be incorporating by a multi-step protocol where CLIENT after having forwarded CI.Pu then Authenticates Zero- before forwarding Hashkey(20) encrypted.
  • CLIENT wants to authenticate towards an Authenticating Unit.
  • CLIENT forwards Enc(Enc(HashKey(t-1),CI.Pr),HashKey(t)),TP.Pu) using the General Authentication Device.
  • the Authenticating Unit can now decrypt the message and retrieve the One-Time-Only key Hashkey(20) previously agreed.
  • the Authenticating Unit saves Hashkey(M) for the next authentication operation and authenticates CLIENT towards any third party such as a Communication Channel Provider.
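The one-time-only hash-key authentication above, as an added example that is not part of the patent: it reads the series of Hash values as a chain HashKey(i) = H(HashKey(i-1)) with the Authenticating Unit holding only the last agreed value, assumes SHA-256 for H, leaves out the outer encryption to TP.Pu, and adds an optional S/KEY-style window for lost messages that the text does not mention.

```python
import hashlib
import hmac
import secrets

# Reading of the text above: HashKey(i) = H(HashKey(i-1)); the Authenticating
# Unit is given HashKey(20) up front and on each login the CLIENT reveals the
# preimage of the value the unit currently holds. Each value is usable once.

def hashkey_chain(seed, length):
    """Return [HashKey(0), ..., HashKey(length)] starting from a secret seed."""
    chain = [seed]
    for _ in range(length):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain

class Client:
    """Holds the seed and walks the chain backwards, one value per authentication."""

    def __init__(self, length=20, seed=None):
        self.chain = hashkey_chain(seed or secrets.token_bytes(32), length)
        self.t = length  # index of the value the Authenticating Unit holds now

    def enrol_value(self):
        """HashKey(length), e.g. HashKey(20): agreed with the unit beforehand."""
        return self.chain[self.t]

    def next_authenticator(self):
        """Reveal HashKey(t-1). Never reuse a value; the chain is finite."""
        if self.t == 0:
            raise RuntimeError("chain exhausted: re-enrol with a fresh seed")
        self.t -= 1
        return self.chain[self.t]

class AuthenticatingUnit:
    """Stores only the last accepted value. It never learns the seed, and a
    captured value cannot be replayed because the stored anchor moves on."""

    def __init__(self, agreed_value, window=1):
        self.current = agreed_value
        self.window = window  # >1 tolerates lost messages (assumed S/KEY-style extension)
        self.accepted = 0

    def authenticate(self, revealed):
        """Accept `revealed` if hashing it 1..window times reaches the stored value."""
        h = revealed
        for _ in range(self.window):
            h = hashlib.sha256(h).digest()
            if hmac.compare_digest(h, self.current):
                self.current = revealed  # saved for the next operation
                self.accepted += 1
                return True
        return False

def demo(rounds=3):
    """`rounds` honest logins, then a replay of the value just consumed."""
    client = Client(length=20)
    unit = AuthenticatingUnit(client.enrol_value())
    results = [unit.authenticate(client.next_authenticator()) for _ in range(rounds)]
    replay = unit.authenticate(client.chain[client.t])  # already used: rejected
    return results, replay, unit.accepted

if __name__ == "__main__":
    print(demo())  # ([True, True, True], False, 3)
```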
  • a mobile Telecommunications provider servicing an always-on mobile device with location-tracking knowledge only knows a persistent session identifier and a way to ensure payment.
  • a Bank handling deposits only knows a communication channel to the holder of the deposit and a way to ensure authentication of a persistent virtual identifier of the deposit
  • a Credit provider only knows information such as to evaluate creditworthiness and a way to ensure accountability in case the credit agreement is not abided by the borrower.
  • a Shipper providing physical transportation of goods only knows information as to a Drop point and a way to receive proof of delivery not containing any persistent identifier of the individual.
  • a Communication Channel Provider provides a virtual interface specific to the Authentication Unit only to a communication channel where the Communication Channel Provider knows a persistent identifier of CLIENT and/or the channel itself.
  • the Authentication Unit can remain without knowledge of identifying information and thus reduce the risk of privacy violations even when CLIENT wants maximum convenience.
  • a bank (figure 32 reference numeral 60) can forward payment with a pre-agreed one-time-only identifier without revealing the actual identity of the paying entity.
  • a shipping drop point (figure 32 reference numeral 150) can provide the physical intermediation.
  • An ISP can provide multiple aliases to the same email-account.
  • the most difficult task is to enter into a legally binding contract in a two-way anonymous relationship in a way that supports both privacy and accountability.
  • AU1.Pr Authentication Unit 1 Private Key
  • TU.Pu Trust Unit Public Key
  • {a,b} means a and b concatenated
  • A2 and B2 represent the fully Privacy enabled virtual identities.
  • A2 is a relative address of A specific to the relationship
  • A3 is a relative address of A specific to B.
  • a key feature of the preferred embodiment of the present invention is that B3(@Auth1.com) as the TO-address in, for example, an email can be used irrespective of the sending address A, because the Authentication Unit maps A to A1 and ONLY from A1 does B3 provide the correct identifier for the correct relationship A1(@Auth1.com)->B2(@TUx.com).
  • B3 can be any non-unique number or code in a range small enough to ensure a crowd effect based on its existence and use in different CLIENTS' Address books and as an identifier in communication to and from the Authentication Unit.
  • Addresses A and B are assumed to be either a POP email account with the Authentication Unit over a fully privacy-enabled communication path or any Authentication Unit specific email alias provided by an email service provider.
  • B3 represents the virtual address of B in the Address Book of A.
  • A1 (@Auth1.Com) represents the address of the virtual identity of A in the no-mans land between the Authentication Unit and the Trust Unit.
  • A1 may only be unique to Authentication Unit 1 but not across Authentication Units.
  • B can respond with a signature parallel to A and this can without difficulty be extended to a multi-party agreement.
  • multiple CLIENTs or COMPANIES can have keys to any data part of the relationship under full control of the CLIENT A.
  • CLIENTS or COMPANIES can have access to data parts containing identifying information while others have access only to the non-identified profile information.
  • This feature makes the invention highly suitable for e.g. Public Citizen records or electronic health care files, where the CLIENT patient can give his doctor and the hospital access to identifying information whereas any third parties such as a healthcare product supplier, a statistics project or a medical research group can be granted access to specific parts of the healthcare file only.
  • the Authentication Unit and Trust Unit can in combination do translation of the asymmetric encryption key standard without either the Authentication Unit or the Trust Unit individually being able to read contents of communication.
  • the private key encryption key B2.Enc.Pu is known to the Authentication Unit only.
  • the Trust Unit knows an additional asymmetric encryption key and requests Auth. Unit 2 to decrypt b2k and return the real b2k encrypted with the correct encryption key.
  • Auth. Unit 2 never has the encrypted message and thus cannot read the message.
  • the Trust Unit never has an unencrypted key.
  • B can be a non-customer and thus not able to understand mka.sign and mka.hash, as these are non-standard to normal email protocols. But in this case A will know B's standard and create mka.sign and mka.hash according to B's e-mail protocol.
  • CLIENT can automatically be aided to create a Backup entry to the same relationship through a second Authentication Unit and store proof of ownership, including an encrypted copy of the private encryption key, in a generally accessible storage. If the first Authentication Unit is closed down for any reason, or CLIENT so prefers, he can switch to the second Authentication Unit and continue the Relationship unidentified.
  • the General Authentication Device preferably is closely shielded to prevent leakage of identifier or other information.
  • This shield is in a preferred embodiment based on a Session Manager in close connection with the Device Firewall controlling all device communication channels.
  • The Firewall: on initiation the Firewall is totally closed.
  • the Firewall opens for authentication traffic towards the Authentication Unit for authentication only.
  • the General Authenticator receives a session identifier from a Communication Channel Provider, or generates a session identifier, and forwards said session identifier through a Communication Channel Provider to perform a Single Sign-On to the Authentication Unit using a Zero-knowledge authentication algorithm.
  • The Authentication Unit: when receiving a request, the Authentication Unit checks if a Session Manager is running. If not, the Authentication Unit responds with a Session Manager, which is either downloaded or initiated from a local storage area. The CLIENT SmartCard verifies the integrity of the Session Manager before activating it. The Session Manager will from then on control the dynamic firewall and provide CLIENT with access to Virtual Identities and related storage and services.
  • a Session Manager is as such providing CLIENT with an interface able to simultaneously manage multiple sessions authenticated each as different virtual identities through the respective Authentication Unit.
  • Special services can be opened by the Session Manager according to pre-specified rules or CLIENT interaction. This can include a Peer-to-Peer connection with friends or a workgroup, a connection to another Authentication Unit, a virtual Storage unit, a VPN Connection to a trusted Network (can also be done through the Authentication Unit) etc.
  • Inbound traffic to a previously verified session is accepted.
  • Outgoing traffic can be filtered and re-routed by the firewall through the Proxy, where for instance IP addresses are re-mapped unless specifically opened as a special service.
  • a filter function under CLIENT Control can be set up to strip identifying information such as footers in emails from the communication streams.
  • the Privacy Profiler works with a CLIENT-controlled storage containing a number of privacy attributes that can be either Credentials signed by any third-party such as Exams, citizenship, Letter of credit etc. or self-signed profile attributes stating preferences, demographics etc.
  • Only CLIENT can access these data. They can be stored on an encrypted virtual storage and accessed as a natural extension of the Session Manager and Address Book.
  • Privacy Credentials can be in the form of
  • Credential = Encs("Anonymous Credential", CredKey), Enc(CredKey, Third.Party.Pr) - verifying that the Credential is issued by Third-
  • CLIENT can verify that the Credential is anonymous and correct by decrypting the Credential using the public key of the third party: Decs(Credential, Dec(Enc(CredKey, Third.Party.Pr), Third.Party.Pu)).
  • the Privacy Attribute is re-encrypted accordingly by the Privacy Profiler and transferred to the Relationship Storage.
  • Self-signed profile attributes are straightforwardly decrypted and re-encrypted with a randomly generated symmetric key.
  • the symmetric key is attached in two encrypted versions: one with the CLIENT Relationship Encryption Key and one with the public key of the other Relationship Party CO.Pu.
  • An attribute can have a time-dependent certificate attached that limits its validity.
  • When forwarding a credential to a relationship, CLIENT requires TP to verify the third-party or CLIENT signature linking the Credential to the CLIENT Virtual Identity. CLIENT forwards the Linking Signature only
  • First the Trust Unit converts the Credential link from the Client Digital Signature to the Client Authentication key towards an Authentication Unit, and then the Authentication Unit can convert the Credential link from the Client Authentication key to the CLIENT Virtual Identity
  • Send-Message: Enc(Enc(Message, CI.Vir.Enc.Pr), Trust Unit.Pu)
  • a Form Filler can access the stored Relationship attributes and automatically fill out web forms etc. with attributes and the corresponding decryption keys already known to the relationship.
  • Dynamic Opt-Out and Trust filtering:
  • Trust requires Privacy and Security, but the substance of Trust is basically built on history.
  • this invention incorporates two key Trust concepts for a relationship between a CLIENT or COMPANY A and a CLIENT or COMPANY B: a) Trust History: establishing a communication path based on previous interactions in the same relationship; b) Trust Network: establishing a communication path from A to B based on previous interactions in other relationships with B. According to this, a CLIENT can set up relationship rules that operate on statistical summations of previous evaluations.
  • the set of Relationship Rules thus works dynamically together with evaluations to provide a user-controlled Dynamic Opt-Out and filtering of Privacy Enabled Communications. Evaluations directly control threshold filters of both inbound and outbound communication.
  • CLIENT can set up or change the type of inbound messages acceptable based on previously agreed standards and continuous feedback of evaluations.
  • If CLIENT is authenticating towards Company and Company evaluations show a negative development below a threshold, then CLIENT can be informed BEFORE authentication.
  • CLIENT access to relationships is based on an address book implemented as part of a Session Manager.
  • the Address Book accesses a table of bookmarked entries.
  • This table can be stored within the SmartCard, encrypted at the workstation, encrypted as an attachment of the main identity with the Authentication Unit, at a virtual storage location accessible as a relationship, or elsewhere. If the table is stored outside the SmartCard it is encrypted so that only the SmartCard can decrypt the table, and it refuses to do so unless a certified Session Manager is initiated.
  • CLIENT can now choose any entry in the Address book.
  • the Session Manager then establishes access to the target and presents the next dynamic level.
  • addressing can be entirely relative to the viewpoint without any unique identifier. Any point can be reached as a series of steps from where it starts. Without knowledge of the starting point a Logical Locator is not dangerous, because any starting point can give a reasonable answer. In the email example the Logical Locator is represented by A3 and B3 respectively.
  • Company Customer Relationship Management: according to the preferred embodiment of the present invention, Company will have access to the full profile of a Virtual CLIENT through the Integration Unit, providing one Interface to the Customer across Contact Points and Communication Channels.
  • CLIENT sets up a Privacy Profile of the Virtual CLIENT Identity attached to the Relationship in the Trust Unit as a collection of Profile information with keys encrypted with the Public key of Company Co.Pu. Information is thus always available and up-to-date whenever CLIENT interacts with Company.
  • the same storage can contain the dialog history, the trade history etc.
  • a Form Filler can automatically fill out COMPANY forms with attribute information already known to the relationship and thereby eliminate redundant requests for CLIENT information.
  • Company specifically gets the advantage of being able to address any item from any starting point.
  • An item can for instance be a specific attribute of a CLIENT Customer such as Age, an invoice, a Communication Channel Identifier or a Process Initiator. Customer management will thus become Privacy enabled and made transparent across systems and organisations at the same time.
  • TP Trusted Party - the entity that implements the Privacy Services. Major parts of the services can be outsourced to sub-suppliers. TP covers both the Trusted Party and its sub-suppliers.
  • TP is split up into multiple units - AU - Authentication Unit, ID - ID Unit, TU - Trust Unit, Device Authentication Unit according to Figure 32.
  • VID - Virtual Identity An identified or non-identified pseudonym linked to a CLIENT Role and related to a number of COMPANY or RELATION.
  • VID TYPE - VIDs are divided into specific types with the possibility to determine default access. For instance an identified VID will only offer limited access to Private Data.
  • PRIVACY SERVER A server in a distributed network offering the full range of services.
  • different physical or logical services will be servicing different types of task in order to balance load and ensure response times.
  • INVOICE SERVER A specially isolated server handling the collection of invoices.
  • CLIENT - Software functionality operating on the CLIENT device; this can be as simple as manually pre-agreed information such as a challenge-response pair.
  • CLIENT Individual Person that is Privacy Enabled.
  • a CLIENT can be using a Work role and acting on behalf of a COMPANY as a purchaser.
  • the term CLIENT focuses on the individual.
  • ROLE - A CLIENT context. This can be Private, Family, Employment, Public Function, Member of a Board etc.
  • RELATION - A link between CLIENTS representing a personal relationship (a friend, family, business connection etc.). RELATIONS are one-way and controlled by the information disclosing entity. A two-way relationship thus requires two RELATION entries.
  • COMPANY An organizational entity. This can be any selling or service organization including a shop, an online Community a basic supplier etc.
  • the term COMMUNITY is used to focus on the online COMPANY interacting with multiple CLIENTS. Often CLIENTS are provided with means to interact directly using tools such as online chat or discussion databases.
  • BUYER An entity interested in acquiring a service or good. If not otherwise stated a BUYER is a CLIENT.
  • SELLER An entity interested in selling a service or good. If not otherwise stated a SELLER is a COMPANY. For different services involving two-way anonymity, such as an Auction service, a SELLER is a CLIENT different from the BUYER.
  • AGENT A service that analyzes CLIENT or COMPANY data in order to provide services for either CLIENT or COMPANY. AGENT comes in different versions.
  • a SHIPPER is a business offering transportation services of letters or parcels. If not otherwise stated the service involved is parcel transportation.
  • Co is a general abbreviation of COMPANY
  • TP is a general abbreviation of Trusted Party
  • AU is a general abbreviation of Authentication Unit
  • Sh is a general abbreviation of a SHIPPER
  • Cl is a general abbreviation of a CLIENT
  • Cl.Vir is a general abbreviation of a virtual identity VID of CLIENT
  • Co.Pu, TP.Pu, AU.Pu, TU.Pu, Sh.Pu, CI.Pu, Cl.Vir.Pu - The Public Key of the Private/Public encryption key pairs of Co, TP, AU, TU, Sh, Cl, Cl.Vir

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Computer Security & Cryptography (AREA)
  • Accounting & Taxation (AREA)
  • Strategic Management (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Finance (AREA)
  • General Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Marketing (AREA)
  • Economics (AREA)
  • Development Economics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a privacy infrastructure platform for implementing private communications and ensuring secure exchanges of both electronic and physical goods and services. Through user-controlled communication rules comprising an access control filter and a dynamic routing service, an individual controls communications and sets up a membership list filter under his control in order to prevent unwanted messages (SPAM). The invention makes it possible to build a privacy medium covering the complete value chain from the original supplier to the consumer. Furthermore, the invention makes it possible to carry out exchanges across existing standard barriers that support standard conversion, a government reporting system, and existing and future e-commerce standards, in particular EDIFACT, OFX, OBI and CBL. Privacy is established by using a principle of multiple unlinked pseudonyms or virtual identities, combined with the intermediation of online or offline communication channels.
PCT/DK2001/000352 2000-05-22 2001-05-22 Systeme et procede d'etablissement d'une voie de communication secrete Ceased WO2001090968A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
AU2001260087A AU2001260087A1 (en) 2000-05-22 2001-05-22 A system and method for establishing a privacy communication path
EP01933648A EP1290599A1 (fr) 2000-05-22 2001-05-22 Systeme et procede d'etablissement d'une voie de communication secrete
US10/302,738 US20030158960A1 (en) 2000-05-22 2002-11-22 System and method for establishing a privacy communication path

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
DKPA200000814 2000-05-22
DKPA200000814 2000-05-22
US20656500P 2000-05-23 2000-05-23
US60/206,565 2000-05-23

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US10/302,738 Continuation-In-Part US20030158960A1 (en) 2000-05-22 2002-11-22 System and method for establishing a privacy communication path

Publications (1)

Publication Number Publication Date
WO2001090968A1 true WO2001090968A1 (fr) 2001-11-29

Family

ID=26068826

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/DK2001/000352 Ceased WO2001090968A1 (fr) 2000-05-22 2001-05-22 Systeme et procede d'etablissement d'une voie de communication secrete

Country Status (3)

Country Link
EP (1) EP1290599A1 (fr)
AU (1) AU2001260087A1 (fr)
WO (1) WO2001090968A1 (fr)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2826536A1 (fr) * 2001-06-20 2002-12-27 Gemplus Card Int Procede de communication radiofrequence securisee
JP2006525592A (ja) * 2003-05-01 2006-11-09 サムスン エレクトロニクス カンパニー リミテッド 認証方法及びその装置
US8788679B2 (en) 2008-12-22 2014-07-22 Koninklijke Philips N.V. Method for exchanging data
WO2014122008A1 (fr) * 2013-02-06 2014-08-14 Gemalto Sa Système et procédé pour préserver la confidentialité de données lors du déploiement d'un compteur électrique intelligent
EP2639998A4 (fr) * 2010-11-12 2017-10-04 China Iwncomm Co., Ltd Procédé et dispositif pour une identification d'entité anonyme
US9987199B2 (en) 2012-07-10 2018-06-05 Tokuyama Dental Corporation Dental adhesive composition, dental adhesive primer, dental adhesive bonding material, dental adhesivecomposite resin, and dental adhesive resin cement
EP3369062A4 (fr) * 2015-10-30 2018-10-17 ID Loop AB Procédé de paiement avec carte de paiement
EP3389296A1 (fr) * 2017-04-13 2018-10-17 Vodafone GmbH Gestion et/ou traitement de l'utilisation des services respectifs des applications de service
US10291614B2 (en) 2012-03-12 2019-05-14 China Iwncomm Co., Ltd. Method, device, and system for identity authentication
CN113283869A (zh) * 2021-05-31 2021-08-20 长春工程学院 一种基于匿名策略的考核方法及系统
IT202100027632A1 (it) * 2021-10-28 2023-04-28 Foolfarm S P A Metodo e sistema elettronico per abilitare una operazione a distanza per mezzo di un collegamento punto-punto
CN116664171A (zh) * 2023-08-01 2023-08-29 中国信息通信研究院 基于区块链的商品防伪与可控匿名分销方法和装置
US20240202722A1 (en) * 2005-10-07 2024-06-20 Multiple Shift Key, Inc. Secure authentication and transaction system and method
CN120509680A (zh) * 2025-07-15 2025-08-19 融安云网(北京)技术有限公司 一种基于大模型的数据融合智能设备联动管控系统

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11594146B2 (en) 2019-05-09 2023-02-28 Microsoft Technology Licensing, Llc Agent for online training in an offline environment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4914698A (en) * 1988-03-16 1990-04-03 David Chaum One-show blind signature systems
US5245656A (en) * 1992-09-09 1993-09-14 Bell Communications Research, Inc. Security method for private information delivery and filtering in public networks
WO2000001108A2 (fr) * 1998-06-30 2000-01-06 Privada, Inc. Transactions electroniques bidirectionnelles anonymes

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003003655A1 (fr) * 2001-06-20 2003-01-09 Gemplus Procede de communication radiofrequence securisee
FR2826536A1 (fr) * 2001-06-20 2002-12-27 Gemplus Card Int Procede de communication radiofrequence securisee
JP2006525592A (ja) * 2003-05-01 2006-11-09 サムスン エレクトロニクス カンパニー リミテッド 認証方法及びその装置
EP1627319A4 (fr) * 2003-05-01 2009-11-11 Samsung Electronics Co Ltd Methode et appareil d'authentification
US12288211B2 (en) 2005-10-07 2025-04-29 Multiple Shift Key, Inc. Secure authentication and transaction system and method
US20250094983A1 (en) * 2005-10-07 2025-03-20 Multiple Shift Key, Inc. Secure authentication and transaction system and method
US12217258B2 (en) * 2005-10-07 2025-02-04 Multiple Shift Key, Inc. Secure authentication and transaction system and method
US20240202722A1 (en) * 2005-10-07 2024-06-20 Multiple Shift Key, Inc. Secure authentication and transaction system and method
US8788679B2 (en) 2008-12-22 2014-07-22 Koninklijke Philips N.V. Method for exchanging data
EP2639998A4 (fr) * 2010-11-12 2017-10-04 China Iwncomm Co., Ltd Procédé et dispositif pour une identification d'entité anonyme
US10291614B2 (en) 2012-03-12 2019-05-14 China Iwncomm Co., Ltd. Method, device, and system for identity authentication
US9987199B2 (en) 2012-07-10 2018-06-05 Tokuyama Dental Corporation Dental adhesive composition, dental adhesive primer, dental adhesive bonding material, dental adhesivecomposite resin, and dental adhesive resin cement
US8893227B2 (en) 2013-02-06 2014-11-18 Gemalto Sa System and method for providing privacy in smart meter deployment
AU2014214234B2 (en) * 2013-02-06 2017-11-23 Gemalto Sa System and method for providing privacy in smart meter deployment
WO2014122008A1 (fr) * 2013-02-06 2014-08-14 Gemalto Sa Système et procédé pour préserver la confidentialité de données lors du déploiement d'un compteur électrique intelligent
US11461758B2 (en) 2015-10-30 2022-10-04 Id Loop Ab Method for payment with cash card
EP3369062A4 (fr) * 2015-10-30 2018-10-17 ID Loop AB Procédé de paiement avec carte de paiement
EP3389296A1 (fr) * 2017-04-13 2018-10-17 Vodafone GmbH Gestion et/ou traitement de l'utilisation des services respectifs des applications de service
CN113283869A (zh) * 2021-05-31 2021-08-20 长春工程学院 一种基于匿名策略的考核方法及系统
CN113283869B (zh) * 2021-05-31 2023-06-30 长春工程学院 一种基于匿名策略的考核方法及系统
IT202100027632A1 (it) * 2021-10-28 2023-04-28 Foolfarm S P A Metodo e sistema elettronico per abilitare una operazione a distanza per mezzo di un collegamento punto-punto
WO2023073542A1 (fr) * 2021-10-28 2023-05-04 Foolfarm S.P.A. Procédé et système électronique pour permettre une opération à distance au moyen d'une connexion point à point
CN116664171A (zh) * 2023-08-01 2023-08-29 中国信息通信研究院 基于区块链的商品防伪与可控匿名分销方法和装置
CN116664171B (zh) * 2023-08-01 2023-10-20 中国信息通信研究院 基于区块链的商品防伪与可控匿名分销方法和装置
CN120509680A (zh) * 2025-07-15 2025-08-19 融安云网(北京)技术有限公司 一种基于大模型的数据融合智能设备联动管控系统

Also Published As

Publication number Publication date
EP1290599A1 (fr) 2003-03-12
AU2001260087A1 (en) 2001-12-03

Similar Documents

Publication Publication Date Title
US20030158960A1 (en) System and method for establishing a privacy communication path
TWI396112B (zh) 以電子商務中身份與隱私應用進行賦權管理之系統、方法、服務方法、與程式產品
US7814025B2 (en) Methods and apparatus for title protocol, authentication, and sharing
Niranjanamurthy et al. The study of e-commerce security issues and solutions
CN100422988C (zh) 以用户为中心的上下文知晓转换模型
US20070106892A1 (en) Method and system for establishing a communication using privacy enhancing techniques
US20050234860A1 (en) User agent for facilitating transactions in networks
US20050038707A1 (en) Methods and apparatus for enabling transactions in networks
US20050038724A1 (en) Methods and apparatus for enabling transaction relating to digital assets
US20070088713A1 (en) Method of secure online targeted marketing
US20060036447A1 (en) Methods of facilitating contact management using a computerized system including a set of titles
US20030217006A1 (en) Methods and apparatus for a title transaction network
US20120278876A1 (en) System, method and business model for an identity/credential service provider
US20030028782A1 (en) System and method for facilitating initiation and disposition of proceedings online within an access controlled environment
WO2006084205A2 (fr) Procedes et appareil permettant d'optimiser la gestion d'une identite
WO2014099227A1 (fr) Réseautage de commerce électronique avec des facteurs de profondeur et de sécurité
Lacoste et al. SEMPER-secure electronic marketplace for Europe
EP1512101A2 (fr) Procedes et dispositif permettant la mise en oeuvre d'un reseau de transaction de titres
WO2001090968A1 (fr) Systeme et procede d'etablissement d'une voie de communication secrete
US7451308B2 (en) Method and system to automatically evaluate a participant in a trust management infrastructure
Jailani et al. Secure and auditable agent-based e-marketplace framework for mobile users
Leenes et al. PRIME white paper
Hussain The design and applications of a privacy-preserving identity and trust-management system
Leenes et al. PRIME white paper (V3)
Singh E Commerce

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ CZ DE DE DK DK DM DZ EE EE ES FI FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2001933648

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 10302738

Country of ref document: US

WWP Wipo information: published in national office

Ref document number: 2001933648

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: JP