PRIVACY MANAGEMENT
APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)
World Intellectual Property Organization, International Bureau
WIPO | PCT
(10) International Publication Number: WO 2019/086553 A1
(43) International Publication Date: 09 May 2019 (09.05.2019)
(51) International Patent Classification: G06F 21/62 (2013.01), H04L 29/06 (2006.01)
(21) International Application Number: PCT/EP2018/079900
(22) International Filing Date: 31 October 2018 (31.10.2018)
(25) Filing Language: English
(26) Publication Language: English
(30) Priority Data: 17306508.7, 31 October 2017 (31.10.2017), EP
(71) Applicant: TWINPEEK [FR/FR]; 290 Route du Vernon, 38410 SAINT-MARTIN-D'URIAGE (FR).
(72) Inventors: GUILAUME, Sam; 290 Route du Vernon, 38410 SAINT-MARTIN-D'URIAGE (FR). SOUBEYRAT, Cyrille; 160 route du Chanin, 38140 REAUMONT (FR).
(74) Agent: HNICH-GASRI, Na'ima; Immeuble "Visium" 22, Avenue Aristide Briand, 94117 ARCUEIL (FR).
(81) Designated States (unless otherwise indicated, for every kind of national protection available): AE, AG, AL, AM, AO, AT, AU, AZ, BA, BB, BG, BH, BN, BR, BW, BY, BZ, CA, CH, CL, CN, CO, CR, CU, CZ, DE, DJ, DK, DM, DO, DZ, EC, EE, EG, ES, FI, GB, GD, GE, GH, GM, GT, HN, HR, HU, ID, IL, IN, IR, IS, JO, JP, KE, KG, KH, KN, KP, KR, KW, KZ, LA, LC, LK, LR, LS, LU, LY, MA, MD, ME, MG, MK, MN, MW, MX, MY, MZ, NA, NG, NI, NO, NZ, OM, PA, PE, PG, PH, PL, PT, QA, RO, RS, RU, RW, SA, SC, SD, SE, SG, SK, SL, SM, ST, SV, SY, TH, TJ, TM, TN, TR, TT, TZ, UA, UG, US, UZ, VC, VN, ZA, ZM, ZW.
(84) Designated States (unless otherwise indicated, for every kind of regional protection available): ARIPO (BW, GH, GM, KE, LR, LS, MW, MZ, NA, RW, SD, SL, ST, SZ, TZ, UG, ZM, ZW), Eurasian (AM, AZ, BY, KG, KZ, RU, TJ, TM), European (AL, AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GR, HR, HU, IE, IS, IT, LT, LU, LV, MC, MK, MT, NL, NO, PL, PT, RO, RS, SE, SI, SK, SM, TR), OAPI (BF, BJ, CF, CG, CI, CM, GA, GN, GQ, GW, KM, ML, MR, NE, SN, TD, TG).
Published:
— with international search report (Art. 21(3))
(54) Title: PRIVACY MANAGEMENT
(57) Abstract: There is disclosed a computer-implemented method of privacy management. A core dataset comprising user personal identifiable data can be kept separated from some other data silos associated with said core dataset by a software program. Said program can be a smart contract implemented on a crypto-ledger. Personal identifiable data can comprise true identity information and/or Know Your Customer data compliant with banking regulation. Data silos can comprise anonymous and/or anonymized and/or pseudonymized and/or de-identified data. Data silos can be actively partitioned into a plurality of datasets associated with discrete levels of privacy breach risks. The partitioning between datasets can use one or more mechanisms comprising in particular multi-party computation, homomorphic encryption, k-anonymity, or differential privacy. Asymmetric encryption can be used, along format-preserving encryption. Software and system aspects are described.
FIG. 5 (front-page figure) labels: request; program; communication; personal identifiable information / rest of data; static or dynamic partitioning; program logic; program is a smart contract on a distributed ledger (permissioned or permissionless); data comprises sensor data; data is secured; GDPR rights translated into technical features.
PRIVACY MANAGEMENT
Technical Field
This patent relates to the field of data processing and more particularly to methods and systems for managing privacy (e.g. digital identity).
Background
Mass surveillance and privacy have become major concerns for the general public.
Advertising also requires more and more data regarding potential consumers.
Online privacy designates the ability of an individual, or of a group, to seclude information about them. For online privacy protection, an important aspect thereof lies in the concept of "identity".
Few techniques aiming at protecting digital identities prove to be efficient trade-offs. Some techniques for securing data are efficient but impede or prevent useful personalization of advertising. No existing technologies allow for balanced or fair revenue models (information technology providers do not remunerate users for their data).
There is a need for advanced methods and systems for managing digital identities, with improved trade-offs between utility, privacy and revenue.
Summary
There is disclosed a method of privacy management. A core dataset comprising user personal identifiable data can be kept separated from some other data silos associated with said core dataset by a software program. Said program can be a smart contract implemented on a crypto-ledger. Personal identifiable data can comprise true identity information and/or Know Your Customer data compliant with banking regulation. Data silos can comprise anonymous and/or anonymized and/or pseudonymized and/or de-identified data. Data silos can be actively partitioned into a plurality of datasets associated with discrete levels of privacy breach risks. The partitioning between datasets can use one or more mechanisms comprising in particular multi-party computation, homomorphic encryption, k-anonymity, or differential privacy. Asymmetric encryption can be used, along format-preserving encryption. Software and system aspects are described.
Embodiments of the invention advantageously allow users to control access and/or usage of their data, and in particular can allow privacy management, with fine-tuned granularity.
Embodiments of the invention advantageously can be compliant with existing or foreseeable regulations (e.g. European privacy regulation, banking regulations, etc.).
Embodiments of the invention advantageously can allow the sharing of revenues between service providers and end users, deeply modifying existing business practices.
Embodiments of the invention advantageously can allow service providers to handle and process digital assets, consolidating anonymous data and data associated with true digital identities. Service providers can process and enrich collected data (e.g. extract patterns, perform big data correlations, etc.), so as to create data packages which can be later sold or licensed, many times, with transparency, i.e. under the control of users and with revenue sharing.
Brief description of drawings
Embodiments of the present invention will now be described by way of example with reference to the accompanying drawings in which like references denote similar elements, and in which:
FIG. 1 provides a general overview of the framework of the invention;
FIG. 2 illustrates an embodiment of the invention;
FIG. 3 shows an example of privacy management according to an embodiment of the invention;
FIG. 4 shows an embodiment of the invention with emphasis on the management of encryption keys;
FIG. 5 shows examples of steps of an embodiment of the invention;
FIGS. 6 and 7 show examples of user interfaces of a web browser for privacy management.
Detailed description
Definitions of terms and expressions are now provided.
The expression "personal data" refers to any information relating to an identified or identifiable natural person ("data subject" or "user"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For example, information such as an online identifier or an IP address can be personal data. Personal data encompasses human resources' records, customer lists, contact details, etc.
The expression "personally identifiable information" or "sensitive personal information" or "personal identifiable data" designates information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. The National Institute of Standards and Technology has defined "personally identifiable information" as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." The expression "personally identifiable information" is thus not strictly equivalent to the expression "personally identifying information", in that the term "identifiable" underlines the possibility of identification. Embodiments of the invention can apply to "personally identifying information" but also to "personally identifiable information" (which is broader).
The association is more or less direct between data and an identified/identifiable individual. For example, a user's IP address is generally not considered as "personally identifiable information" on its own, but can be classified as "linked personally identifiable information".
Some data can indirectly lead to a given individual; for example stylometry (e.g. statistics, individual habits of words' collocation, etc.) can be used to attribute authorship to anonymous or disputed documents.
In some embodiments of the invention, "personal identifiable data" or "personally identifiable data" designate data which is associated "directly" with an individual, along data which can indirectly lead to an individual (according to different degrees of association).
In lay language, data can be partitioned into "black" data (i.e. data directly leading to individual identification), "grey" data (i.e. data which can potentially or indirectly lead to reveal the identity of an individual) and "white" data (i.e. generic data, not linked or linkable with a given individual). Some embodiments of the invention can manipulate, i.e. secure, "black" data kept separated from the rest of the data ("grey" data and "white" data). In some other embodiments, the "grey" zone can be secured and manipulated along (in addition to) the "black" zone.
The verb "to process" designates any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, publication, dissemination or otherwise making available, alignment or combination, aggregation, restriction, erasure, deletion or destruction.
The term "processor" designates a person, group of persons, organization, machines or groups of machines which process personal data.
A "controller" designates a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A controller can be embodied in software executed in hardware (e.g. a computer executing rules). The underlying purposes and means of data processing can be determined by applicable law ("legal or regulatory purposes"). Further purposes and means aligned with underlying purposes can be manipulated by embodiments of the invention.
The term "anonymization" refers to irreversibly severing or altering a dataset from the identity of a data contributor to prevent any future re-identification, under any condition. Data anonymization designates a type of information sanitization to protect privacy. Data anonymization can be achieved by encrypting and/or removing personally identifiable information from datasets, so that the people whom the data describe remain or can remain anonymous. Encryption and/or anonymization can be short-term secure but not long-term secure. In some embodiments, anonymization is rather a continuous process, wherein privacy breaches can be assessed over time, and further mitigated (e.g. with countermeasures). In particular, as data about an individual is collected, the risk of a possible (re)identification can increase (e.g. by correlation, or due to the fact that one single data or data field can compromise whole datasets).
The term "de-identification" designates a severing of a dataset from the identity of a data contributor, but may include preserving identifying information, which could be re-linked in certain situations (for example by a trusted party). De-identification thus designates the process used to prevent a person's identity from being connected with information. Common strategies for de-identifying datasets include deleting or masking personal identifiers, such as name and social security number, and suppressing or generalizing quasi-identifiers, such as date of birth and zip code. The reverse process of defeating de-identification to identify individuals is known as re-identification. In some embodiments of the invention, such re-identification can be tested (i.e. as a challenge to allow or refuse communication of data, or to partition datasets). Some de-identification techniques may indeed not be safe against near-term future re-identification methods.
The term "pseudonymization" ("pseudo", "pseudonym") is a procedure by which one or more identifying fields within a dataset are replaced by one or more artificial identifiers, or pseudonyms. The purpose of the procedure is to render the dataset less identifying and therefore to possibly lower user objections to its use. Pseudonymized data in this form can be suitable for extensive analytics and processing. Pseudonyms possess varying degrees of anonymity, ranging from highly linkable public pseudonyms (the link between the pseudonym and a human being is publicly known or easy to discover), through potentially linkable non-public pseudonyms (the link is known to some parties but is not publicly disclosed), to unlinkable pseudonyms (the link is not known to parties and cannot be determined).
Figure 1 provides a general overview of the framework of the invention.
Figure 1 shows a computer 100 (e.g. smartphone, wearable computer, smartwatch, connected home device, connected car device, etc.) of a human user 110 (true user, i.e. associated or associatable with a true identity). By extension, the user 100 also can designate a group of users (privacy group policy). The computer 100 leaves footprints and trails on the Internet 120 (e.g. search engines, commerce websites), for example through cookies, bugs, trackers, and other mechanisms. Noticeably, the computer 100 can be the gateway to a collection of sensors and/or actuators. For example, the smartphone can process or otherwise have access to domotics or health sensors. The computer 100 executes an operating system 130.
Privacy leaks can occur via different communication channels. Information 111 can be intentionally (or not) provided by the user 110 to the computer 100 (initial data). Information 112 can be processed (e.g. inferred) by the computer 100 and sent back to the user 110, further confirmed or acknowledged by the user (processed data). Information 121 can be communicated from the computer 100 to the web 120, for example screen resolution, user agent, OS version, browser extensions, installed apps, but also information which can be computed from said data, e.g. fingerprinting profile or apps usage statistics. Information 121 can be given with some consent (confer P3P protocols). Information 121 also can be given without explicit prior consent of the user. Information 121 also can be stolen (e.g. hacks, exploits, eavesdropping, etc.). The web 120 can return processed data about the user.
Information 131 can be exchanged with the Operating System 130 (and more generally apps or software applications) executed on/by the computer 130.
In embodiments of the invention, countermeasures can be taken to control data flows (i.e. data leaks). Information (e.g. flows) 111 can be regulated by using monitoring watchdogs or daemons or filters, for example emitting warnings to the user before access to personal data and notifications afterwards. Information 112 can be regulated, for example by using filters executing "auto-censorship" rules (for example, the computer can suspend, hold, stop, or prevent the raise of intimate questions, e.g. in web forms or social networks). Information 121 can be regulated. For example, the computer can detect, filter out and retain data sent to the internet. The computer can send fake data, possibly flooding requesting machines. The computer can alter personal data or otherwise obfuscate it (e.g. use of TOR or onion routing techniques, use of proxies and/or VPNs, use of spoofing techniques, use of masking techniques by modifying headers, types of documents, response times and/or latencies, etc.). The computer also can use technologies for information security (i.e. encryption, steganography, etc.). From the web to the computer, received requests can cause the computer to proceed to proactive defense (i.e. detect, analyze, and anticipate attacks). Information 131 can be regulated or protected in different manners (e.g. sandboxing, secured boot, wired connections between the computer and the storage hardware which cannot logically be eavesdropped, etc.).
Figure 2 illustrates an embodiment of the invention.
FIG. 2 shows an embodiment of the invention, comprising two data collections 210 and 230. These data collections are linked or otherwise articulated by a program 220, for example a smart contract, which organizes data in response to requests of one or more third parties 240.
In some embodiments, a plurality of programs 220, e.g. of smart contracts, can be executable and/or executed. The organization of data can be the result of a collective behavior, either as an emergent property (bottom-up) or by design (top-down), or according to intermediate schemes. Depending on embodiments, programs or smart contracts can be cooperative or not, competitive or not, convergent or divergent, synchronized or desynchronized, secured or not, formally proved or not, congruent or not, etc. In particular, in some embodiments, some programs may rule other programs (e.g. framework contract). Cascades of regulations thus can be implemented. In the following description, it will be referred to "a" or "one" program, but the term encompasses the implementation of a plurality of such software pieces (e.g. as services, agents, snippets, SOAs, APIs, add-ons, plug-ins, extensions, DLCs, etc.).
In some embodiments, a plurality N of data collections can be handled, with N superior or equal to 2. Data collections are mutually exclusive, i.e. are maintained as distinct and non-overlapping data repositories or "silos".
Quantitatively, sizes of silos (amounts of information) can be diverse. For N = 2, the data collection 210 may comprise a reduced amount of information (few data or data attributes or data fields), compared to the data collection 220 which can be large. Data collection 230 can be augmented or further enriched by cross-fertilization with external databases 231.
Different divisions of data between considered silos may be performed (or predefined).
In an embodiment ("Personal versus non-personal"), the data collection 210 comprises personal data (i.e. data which is "identifiable" or which can be associated with the true identity of a user, see the preceding definitions), while the data collection 230 comprises all other data. The data collection 230 comprises non-personal data, defined as data without the personal data in the data collection 210, or defined as data without any direct relationship with the personal data collection 210 (e.g. augmented data).
In an embodiment ("Biological"), the data collection 210 can comprise necessary and sufficient data to establish the "biological identity" of a user. According to the different embodiments of the invention, the biological identity can use one or more (i.e. in combination) of the following information: DNA (whole genome or particular sequences or SNPs, single-nucleotide polymorphisms), biometric information (e.g. face, fingerprint, hand, handwriting, iris, retina, keystroke, vein, voice, gestures, and behavioral, e.g. writing style), civil name and surnames. By contrast, the data collection 230 can comprise other data, while the data collection can comprise data required for a financial transaction.
In an embodiment ("Banking"), the data collection 210 comprises necessary and sufficient data to establish the "true identity" of a user. The expression "true identity" can refer to banking regulations, wherein an individual, to open a bank account, must provide proofs of civil (biological) identity, as well as an address (physical and/or logical contact details). The expression in particular implies that the true identity is verified, for example by civil servants or authorized representatives of a private organization. In such an embodiment an individual is associated with a true identity (or biological identity), a physical and/or logical address and a financial address. Noticeably, access to external databases 215 can provide further or full contact details provided there exists the necessary and sufficient link from the true identity dataset.
In an embodiment ("KYC"), the data collection 210 comprises "Know Your Customer" (KYC) data. KYC designates the process of a business, for example a bank, identifying and verifying the identity of its clients (by reference to bank regulations). Companies or banks shall ensure that their employees or business partners are anti-bribery compliant. KYC data thus designates a specific set of data, which implies a plurality of prior steps (due diligence policies, procedures, and controls).
In an embodiment, the data collection 210 can comprise "true", i.e. not falsified, data, while the data collection 230 can comprise all the other (available) data. Such truth status can be binary (yes/verified or true; no/unverified or false or unknown). In some embodiments, discrete levels of trust or verifications (e.g. number of independent sources attesting data) can be associated with the plurality of silos. For example, one silo can be tagged "maximal trust" while another one can be flagged "generic data". Silos also can be ranked according to the number of verifications performed.
In some embodiments, the data collection 230 comprises data which is not in the data collection 210 and which is associable with the real user, directly (e.g. sensors, provided spontaneously) or indirectly (e.g. inferred, deduced, generated, etc.).
In some embodiments, the data collection 230 may comprise anonymized data (information sanitization for privacy protection: removal of personally identifiable information in a manner that enables evaluation and analytics post-anonymization); e.g. removal of name and address together with any other information which, in conjunction with other data held by or disclosed to the recipient, could identify the user (e.g. browser fingerprint).
In some embodiments, the data collection 230 can comprise data such as data spontaneously provided by the user (advertising preferences, ad-blocker preferences, etc.); biological data (as captured by wearable computers, fitness bands, or other medical devices), including but not limited to gestures, emotion tracking and eye tracking; physical data (geolocation, speed, acceleration); domotics data (e.g. door or fridge openings count, etc.); automotive/car data (e.g. driving profile and style); personal intellectual productions (e.g. at work/home, for example voice, typed texts); social interactions (e.g. social network activities).
A data collection 230 can be built by the user and/or automatically. Privacy preferences of individuals can be collected and further compared and/or ruled. For example, data out of the data collection 210 can be associated or matched against a subset of 230 data in case of satisfaction of facts (e.g. conditions, binary, continuous variables, etc.) and/or rules (e.g. Boolean expressions, fuzzy logic, second order logic, etc.). Data collections can be associated with black-lists and/or white-lists (data fields in silo 210 can specify that a data piece shall never ever be accessed, or accessible under certain conditions, up to accessible on demand without restrictions).
A data collection 230 can be augmented by using data stemming from sensors associated with the computer 100 which via the Operating System 130 can access a plurality of sensors (e.g. domotics, health, GPS/GNSS positions, etc.). A "sensor" is an object or a device whose purpose is to detect events or changes in its environment, and then provide a corresponding output. A sensor can be one or more of a pressure sensor, ultrasonic sensor, humidity sensor, gas sensor, motion sensor, acceleration sensor or accelerometer, displacement sensor, force measurement sensor, gyro sensor or gyroscope, temperature sensor, image sensor, video sensor, U.V. sensor, magnetic sensor, CMOS image sensor, a silicon microphone, Inertial Measurement Unit (IMU), micro-mirror, radio frequency sensor, magnetic field sensor, digital compass, oscillator, luxmeter or light sensor, proximity sensor, G.N.S.S. (e.g. G.P.S.), barometer sensor, Wifi sensor, Bluetooth sensor, NFC sensor, pedometer, pulse oximetry sensor, heart rate sensor, or fingerprint sensor (non-exhaustive list).
Data can stem from various sources (i.e. human and/or machine sources). Human data for example can be data voluntarily entered or otherwise shared by users (lifelogs, blogs, emails, etc.). Sensor data can for example originate from domotics, activity trackers or automated cars. Cars and associated devices (be they autonomous cars or not) can lead to significant amounts of data with significant value (e.g. driving style for insurance services). Various parameters can be monitored (e.g. heart rate, sweat, body temperature, brain activity, muscle motion, CO2 levels, commute times and routes, mobility, etc.), making it possible to quantify physiological or medical conditions, presence (e.g. in the house) or activity (e.g. working in the household, walking, working, sleeping, cycling, swimming, dancing, etc.). Resulting data can lead to various analytics, for example individual CO2 index or fingerprint, which in turn can be monetized or taken into account in a financial or non-financial way (e.g. as a counterpart, adjusted prices in public transportation systems). Activities can be quantified (e.g. quality of sleep). If inappropriately associated, data from sensors of lifelogging can lead to breaches of privacy (such as involuntary publication of sexual activity). Data can originate from the Internet (e.g. parsed texts can augment or otherwise cross-fertilize user and/or sensors' data).
In some embodiments, the data collection 230 may be enriched (statically, by combination) and/or further augmented by access to external data 231. Said external data 231 can be generic data, i.e. not specific to a user, but which can be used to "enrich" or "cross fertilize" or to make sense out of the data collection 230. Examples of external data 231 comprise generic information such as weather information, traffic data or general statistics.
Divisions of data between silos can be dynamic, configurable or both.
The verb "to divide" can be substituted by one of the following verbs: separate, disconnect, segregate, divide, insulate, isolate, sequester, dissociate, quarantine, set apart or split up. Each synonym can present subtle differences in meaning. For example, "to quarantine" conveys the idea of dangerous or critical data, while other verbs underline that data collections cannot overlap, etc.
While in some embodiments silos can be predefined, in some other embodiments the distinction between silos can evolve over time, including in an active manner, i.e. with intention or on purpose (e.g. according to predefined and immutable rules and/or according to rules governing the distribution of data amongst one or more silos).
In an embodiment ("active defense"), some data in the silo 230 may be, or become, indirectly related to the data collection 210. For example, data of silo 230 which at first cannot be associated or associatable with silo 210 may reveal the identity of the user, for example after processing, e.g. inference, deduction, cross-reference with external data. For example, techniques known as device fingerprinting or machine fingerprinting or browser fingerprinting leverage information collected about a remote computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual users or devices even when cookies are turned off. As another example, silo 230 can comprise a list of pseudonyms of a user. If a pseudonym becomes compromised, i.e. the link is established between the true identity of a user and one of his pseudonyms, then all the other pseudonyms may in turn become compromised. As yet another example, a "trash" email address can be later associated with a true identity if a leak has occurred at some point in time (for example in public records, or private but hackable datasets).
As a countermeasure to said indirect linking, to protect privacy (avoid revealing the identity of the user), embodiments of the invention may comprise an active mechanism 211, whereby sensitive data of silo 230 can be "pumped out" 211 from silo 230 to silo 210. The partition between datasets can be dynamic indeed. For example, an active mechanism can comprise steps consisting in internalizing privacy breach attempts or in emulating identity discovery attacks, as well as other mechanisms. For example, automated intrusion systems and/or human teams of hackers ("white hats") can try to perform privacy breaches, thereby identifying possible privacy flaws. As a result, some critical data in any one of the N silos along the true identity or KYC silo 210 can be detected or flagged. In some embodiments, said critical data can be moved out (in another silo) or deleted or altered or obfuscated or otherwise modified (e.g. a new tier of dataset can be created; data can be rearranged, etc.).
In some embodiments, contract clauses also can be modified if needed.
In some embodiments ("risk management, probabilistic approach"), data can be segregated into N data collections or repositories (N ≥ 2, as shown by FIG. 2), wherein each data collection can be associated with a privacy breach risk or probability.
In some embodiments, a privacy breach risk or probability can be determined and further associated to each data collection (and/or to one or more data, as metadata, i.e. at a higher granularity, when N is a large number).
In some embodiments, privacy breach risks are assessed over time (e.g. at regular or periodic time intervals, on-demand, in response to an attack, etc.). As previously described, quality of data anonymization can evolve over time (robustness versus privacy breach can increase over time, but also can suddenly collapse if a given piece of data allows to percolate between distinct datasets and in fine lead to identify an individual). To render anonymization long-term secure, it may be advantageous to re-arrange datasets, for example continuously, e.g. by moving data which can become sensitive when cross-fertilized with some other data to other storage tiers (or for other reasons).
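The de-identification and pseudonymization definitions above, the "active defense" mechanism 211 and the risk-level partitioning, worked through as an added example (not code from the patent or from TWINPEEK): records are split into a PII silo 210 and a rest-of-data silo 230 linked only through a keyed pseudonym recomputable by the program 220, the quasi-identifiers date of birth and zip code are generalized until the silo 230 view reaches a k-anonymity threshold (a re-identification challenge that refuses the release otherwise), and a field found to be re-identifying is pumped out of silo 230 into silo 210. The records, the link key, the generalization levels and all function names are constructed for illustration.

```python
"""Two-silo partitioning with pseudonymous linking and a k-anonymity release check.

Added illustration of the silo 210 / silo 230 / program 220 model; every record,
key, generalization level and function name below is a constructed assumption.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people).
RECORDS = [
    {"name": "Alice Martin",  "ssn": "111-22-3333", "dob": "1984-03-12", "zip": "38410", "heart_rate": 62},
    {"name": "Bruno Dupont",  "ssn": "222-33-4444", "dob": "1984-11-02", "zip": "38410", "heart_rate": 71},
    {"name": "Chloe Bernard", "ssn": "333-44-5555", "dob": "1986-07-30", "zip": "38140", "heart_rate": 58},
    {"name": "David Leroy",   "ssn": "444-55-6666", "dob": "1991-01-15", "zip": "94117", "heart_rate": 80},
    {"name": "Emma Petit",    "ssn": "555-66-7777", "dob": "1991-09-09", "zip": "94110", "heart_rate": 66},
    {"name": "Farid Moreau",  "ssn": "666-77-8888", "dob": "1998-05-21", "zip": "94200", "heart_rate": 74},
]
PII_FIELDS = ("name", "ssn")        # "black" data: goes to silo 210
QUASI_IDENTIFIERS = ("dob", "zip")  # "grey" data: stays in silo 230 but is generalized before release
SUPPRESSED = 3                      # highest generalization level: quasi-identifiers fully suppressed


def pseudonym(link_key: bytes, record: dict) -> str:
    """Artificial identifier replacing the identifying fields (pseudonymization).

    A keyed hash makes it a non-public linkable pseudonym: only the holder of
    link_key (the program 220) can recompute the link between silos 210 and 230.
    """
    identity = "|".join(record[f] for f in PII_FIELDS).encode()
    return hmac.new(link_key, identity, hashlib.sha256).hexdigest()[:16]


def partition(records: list, link_key: bytes) -> tuple:
    """Split records into silo 210 (PII) and silo 230 (everything else), keyed by pseudonym."""
    silo_210, silo_230 = {}, {}
    for rec in records:
        p = pseudonym(link_key, rec)
        silo_210[p] = {f: rec[f] for f in PII_FIELDS}
        silo_230[p] = {f: v for f, v in rec.items() if f not in PII_FIELDS}
    return silo_210, silo_230


def generalize(rec: dict, level: int) -> dict:
    """Copy of rec with quasi-identifiers coarsened: 0 raw, 1 birth year + 3-digit zip,
    2 birth decade + 2-digit zip, 3 fully suppressed. Missing fields are left alone."""
    g = dict(rec)
    if level >= SUPPRESSED:
        for q in QUASI_IDENTIFIERS:
            if q in g:
                g[q] = "*"
        return g
    if level >= 1:
        if "dob" in g:
            g["dob"] = g["dob"][:4] if level == 1 else g["dob"][:3] + "0s"
        if "zip" in g:
            g["zip"] = g["zip"][:3] if level == 1 else g["zip"][:2]
    return g


def k_anonymity(silo_230: dict, level: int) -> int:
    """Size of the smallest equivalence class over the generalized quasi-identifiers."""
    classes = Counter(
        tuple(generalize(rec, level).get(q, "*") for q in QUASI_IDENTIFIERS)
        for rec in silo_230.values()
    )
    return min(classes.values())


def release(silo_230: dict, k_min: int) -> tuple:
    """Re-identification challenge before communicating silo 230 data to a third party 240.

    Raises the generalization level until every record shares its quasi-identifier
    values with at least k_min - 1 others; returns (level, view), or (None, None)
    to refuse the release when even full suppression does not reach k_min.
    """
    for level in range(SUPPRESSED + 1):
        if k_anonymity(silo_230, level) >= k_min:
            return level, [generalize(rec, level) for rec in silo_230.values()]
    return None, None


def pump_out(silo_210: dict, silo_230: dict, field: str) -> None:
    """Active mechanism 211: a field found to be re-identifying (e.g. by an emulated
    identity-discovery test) is moved out of silo 230 into the protected silo 210."""
    for p, rec in silo_230.items():
        if field in rec:
            silo_210[p][field] = rec.pop(field)


if __name__ == "__main__":
    key = b"constructed-link-key-held-only-by-program-220"
    s210, s230 = partition(RECORDS, key)
    for lvl in range(SUPPRESSED + 1):
        print(f"level {lvl}: k-anonymity = {k_anonymity(s230, lvl)}")
    level, view = release(s230, k_min=2)
    print(f"released at generalization level {level}: {view[0]}")
    pump_out(s210, s230, "zip")
    print("after pump-out, silo 230 keeps:", sorted(next(iter(s230.values()))))
```

With the constructed records, raw and year-level views contain singletons, so a threshold of 2 is only met at decade-level generalization; a threshold above the number of records is refused outright.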
In some embodiments, the dynamic partition of data into N datasets is performed over time (e.g. by automated monitoring daemons or watchdogs and/or human administrators, etc.). The surveillance modalities can be diverse (i.e. time-driven, e.g. continuous, intermittent, periodic; event-driven; regulator-driven; on-demand by the user, etc.).
In some embodiments, the surveillance itself can be ruled by algorithms (steps comprising conditions and facts). In other words, in some embodiments, smart contracts handling the partitioning of datasets can be ruled by a "super-contract" (e.g. the privacy service provider can be a so-called "Decentralized autonomous organization" (DAO), which is an organization that is run through rules encoded as smart contracts), or be associated therewith. Logical control layers can thus be articulated (top-down and/or bottom-up): from the control layers being very close to the data (e.g. programs manipulating data at dataset level) up to the objectives pursued by the service provider ("privacy operator") controlling smart contracts governing partitions between datasets.
In another embodiment, temporary datasets can be created, mostly for performance issues and/or for tracking purposes. The use of data caches or data buffers can reduce transaction or processing response times. After a dataset is created from a merchant database, the right to be forgotten can imply that the dataset has to be deleted or altered in a certain way; it is therefore advantageous to "pack" related data into an identifiable dataset that can be easily manipulated. In other variants, metadata is added (data describing data), which allows merging the considered data into larger data collections while still being able to exercise appropriate users' rights (such as the right to be forgotten).
Program
Advantageously, a "program" 220 can be used to link one or more data collections amongst the plurality of data collections (for example 210 and 230). Depending on embodiments, the program can create, correlate, reorganize, articulate, substitute, maintain, suspend, merge, fusion, arrange, systematize, coordinate, establish, regulate, adapt, alter, adjust, classify, codify, combine, standardize, delete, dissociate, unlink or otherwise modify links between data collections (or between data within said data collections).
In some embodiments, the only entity capable of establishing the association between the two datasets is the program 220.
In some embodiments, a "program" can be a software program, i.e. a sequence of instructions which when executed on a computer can cause said processor to perform method steps implementing described embodiments.
The software program can implement logic rules, of different logic types (formal logic, fuzzy logic, intuitionist logic, etc.). Any type of programming language can be used. The software program can be implemented in different ways: in advantageous embodiments, it can use local and/or remotely accessed resources (processing, storage), it can be distributed, it can use or offer control or service APIs, it can use web services, it can be implemented entirely or in part as hardware embodiment (e.g. FPGA circuit placed in a smartphone).
In some embodiments, it can be advantageous to use fuzzy logic because it may handle personal data or sensitive data in a way which can be more robust than classical logic. In some embodiments, the software program can use virtualization or variants (sandboxing, virtual machines, containers, operating-system-level virtualization or containerization, partitions, virtualization engines or jails, etc.).
The software program governing the relations between data collections can be open source and/or closed source (e.g. while most of the code can be audited, some sensitive or security-critical parts of the code can be in binary form, optionally obfuscated if not hardened). In an open source code, bugs or security flaws can be visible to all, but may not be quickly fixed. A program manipulated by embodiments of the invention can be open source in its entirety, but also can comprise some parts in binary code (the source code being not easily obtainable by reverse engineering, i.e. security by obscurity), thereby combining the "best of both worlds" (auditability and trust for some parts, proprietary control for other parts of the code). A program can be further secured by various encryption schemes (including but not limited to post-quantum cryptography, quantum-safe cryptography, Quantum Key Distribution, etc.). It is observed that in addition to the code of the program being open source and/or closed source, a code escrow mechanism can be used (i.e. combined with restricted access, under (automatable) conditions and/or by a human organization).
Regarding form, a program in particular can be human and/or machine readable. By construction, an (executable) program is machine-readable: facts and rules can be manipulated by machines. Machine readable instructions cannot be read by humans. Human-readable rules or programs generally (often but not always) can be read by machines (e.g. some natural language ambiguities in practice cannot be handled by machines, now or in the foreseeable future). In some embodiments of the invention, it can be advantageous that privacy protection rules coded in the program can be read by humans (for transparency, governance, control, etc.). In some embodiments, the program can be written in executable pseudo-code, readable both by humans and by machines. In some embodiments, machine-readable code can be transcoded or otherwise visualized in human-understandable form (e.g. human-readable icons).
In some embodiments, a program can be associated with a user interface. Examples of graphical user interfaces are provided in the drawings.
In an embodiment, the software program governing relations between data collections is coded in a circuit (entirely hardware embodiment). For example, the circuit can be embedded in a micro-SD card, and/or in a USB key, and/or in a hardware dongle pluggable in an available port of a computer (smartphone, smartwatch, wearable computer).
In an embodiment, the software program can be an "app" locally executed on a smartphone, optionally sandboxed from the underlying operating system. In an embodiment, the software program is an "instant app" downloadable and executable on-the-fly. In an embodiment, the software program is executed in the Cloud.
Smart contract
In an advantageous embodiment, the program can be a so called "smart contract". A "smart contract" (acronym SC) or "smart property" is a computerized transaction protocol which executes the terms of a contract (such as payment terms, conditions, confidentiality, and even enforcement). A smart contract is a type of computer program (sequence of instructions) which facilitates, verifies, or enforces the negotiation or performance of a contract. A smart contract can emulate the logic of contractual clauses. According to another definition, a smart contract is a computer program that directly controls the creation, assignment and transfer of digital assets between parties under certain conditions. A smart contract may not only define the rules and penalties around an agreement in the same way as a traditional contract does, but it may also automatically enforce those obligations. It does this by taking in information as input, assigning a value to that input through the rules set out in the contract, and executing the actions required by those contractual clauses. In some embodiments, the verification of the execution of clauses can be performed by humans (e.g. a named third party) and/or machines. Oracle machines can be used. An oracle is a mechanism for determining whether a test has passed or failed and is generally operated separately from the system under test. An oracle can use one or more of heuristics, statistical characteristics, similarity comparisons, or can be model-based.
Using a smart contract can be advantageous in many aspects. It can allow any party to audit the code. It can allow financial transactions, according to different trust models. A smart contract specifies variables and/or conditions to access or communicate data of respective datasets. The smart contract determines communication modalities to each of two predefined datasets/domains (access to data, read and/or write rights). A smart contract can be instantiated by a (e.g. trusted) third party for another (e.g. beneficiary) party. A third party requesting data can be an end user (e.g. an individual or a bank), an intermediary (e.g. a data broker), with possible user affiliation (e.g. bank) and/or a role (i.e. access, copy and edition rights).
A smart contract advantageously presents unique features or characteristics, which work synergistically with features of the invention. A smart contract can be auditable: as a smart contract can be published, third parties can verify or otherwise test the code, e.g. contractual clauses. Chains or networks of contracts in particular can be tested (e.g. simulated, emulated, etc). The property of auditability can thus increase trust in the program articulating data collections. Automated enforcement of the smart contract enables larger automation schemes, and in particular allows controlling data flows of private data. Built-in financial features enable many further developments, such as micro-payments and revenue sharing tied with access to private data (privacy monetization).
Depending on embodiments of the invention, the program 220 (e.g. smart contract) can perform one or more of the following steps (i.e. possibly in combination): a) rule statically and/or dynamically the relations between data of the dataset 210 and the dataset 230 (for example, it can rearrange the tiered architecture of silos so that risks of privacy breach are diminished); b) manage the encryption keys (for example, the exercise of the "right to be forgotten" can be fulfilled by the deletion of private keys, which can impede access to a piece of data designated as obsolete); c) manage access requests and privileges (e.g. read/write rights) associated with each party to the smart contract; d) record logs of all access requests and/or modification requests and/or effective modifications brought to data of the different datasets. This list is non-exhaustive.
Distributed ledgers
In an embodiment, the program can be part of a crypto ledger or distributed ledger. A distributed ledger is a peer-to-peer network, which uses a defined consensus mechanism to prevent modification of an ordered series of time-stamped records. By using one or more crypto ledgers, trust can be further increased. With a crypto ledger, the model of trust is said to be "trust-less": the need to involve a bilaterally accepted trusted third party is eliminated. By contrast with a "trusted" system wherein the trust lies in authorities (e.g. official organizations, national institutions, etc), the large number of copies distributed in the crowd in/by a crypto ledger increases the confidence in the integrity of data (attacks to falsify data are rendered more difficult). The storage of a smart contract in a distributed ledger is advantageous due to the technology's security and immutability of records.
A distributed ledger is a consensus of replicated, shared, and synchronized digital data spread across multiple sites, countries, and/or institutions. In some embodiments, the type of distributed ledger is similar to a "Blockchain". It is comprised of unchangeable, digitally recorded data in packages called blocks and stored in a linear chain. Each block in the chain contains data, also called a "transaction", and is cryptographically hashed. The blocks of hashed data, drawn upon the previous block which came before it in the chain, ensure all data in the overall "blockchain" has not been tampered with and remains unchanged. In a particular embodiment, the distributed ledger can be a permissioned or a permissionless distributed ledger (each having pros and cons).
In some embodiments, a distributed ledger can be permissionless. A permissionless ledger uses pseudonymous/anonymous consensus. In order to contribute to the processing of transactions and have a contribution counted, there is no need of a previous relationship with the distributed ledger and the contribution does not depend on having a prior identity of any kind within the distributed ledger. A permissionless ledger implies mining costs and blocks' reorganization risks (e.g. attacks in open systems). Regarding privacy management, a permissionless distributed ledger is advantageous because it maximizes incentives to contribute to the privacy safeguarding system and it maximizes the reach of it.
In some embodiments, a distributed ledger can be permissioned. A permissioned distributed ledger implies that transactions are validated and processed by those who are recognized by the ledger network. A permissioned ledger can use known/trusted validators (closed or controlled systems). A permissioned system can be built on top of a permissionless network. Members of the network must reach a consensus through a vote before a new block in the chain is stored. Each member's vote can count proportionally against everyone else's. Votes or contributions can count proportionally against other parties, based on the specific rules implemented in the distributed ledger. Regarding privacy management, a permissioned distributed ledger is advantageous because it lowers the probability of attacks.
In a particular case, the distributed ledger may be a blockchain. A blockchain is a peer-to-peer network which timestamps records by hashing them into an ongoing chain of hash values. A blockchain may use Proof-of-Work (PoW). A Proof-of-Work system (or protocol, or function) is a technical measure to deter denial of service attacks and other service abuses by requiring some work from the service requester, usually meaning processing time by a computer. A blockchain based on Proof-of-Work forms records that cannot be changed without redoing the Proof-of-Work. Other systems can be used. For example, Proof-of-Stake schemes (PoS) can be used. Proof-of-Stake designates a type of algorithm by which a blockchain network aims to achieve distributed consensus. In Proof-of-Stake systems, the creator of the next block is selected according to various criteria (e.g. random selection, wealth, age or the like, i.e. the stake). Hybrid schemes also can be used. For example "Proof of Activity" can combine Proof-of-Work and Proof-of-Stake (e.g. PoS as an extension dependent on the PoW timestamping).
Third party
The expression "third party" designates a man and/or a machine. A third party can be a user or group of users, a private organization (e.g. a seller, a bank, a search engine, etc), a public organization (e.g. an official authority, law enforcement, etc), or any other type of parties, being human or machine.
In an embodiment, a third party designates an organization able to deliver the "Know Your Customer" (KYC) label to a natural or legal person, public authority, agency, company or any other legal entity. KYC refers to a legal process that has been in place for several years and is mandatory for banking institutions to guarantee the legitimacy of their customers' activities. It implies a plurality of technical features (levels of proof, verifications and other tests to establish trust).
In some embodiments, a third party can be another program controlled by man, for example the real user (confer figure 3).
In some embodiments, a third party can be exclusively another program (e.g. trading software, bot). In particular the third party 240 and/or the program 220 can be associated with a Decentralized Autonomous Organization (DAO) or Decentralized Autonomous Corporation (DAC). A DAO/DAC is an organization or firm which is run through rules encoded as smart contracts. Privacy governance (of smart contracts) can be ruled by such a machine entity (additional regulation layer, ultimately programmed by human users).
A third party can be trusted, or not. If the third party is trusted, more data are likely to be communicated upon request (if previously and explicitly authorized in/by the smart contract). If the third party is not trusted, some additional limitations may apply (e.g. less data, blanked fields, etc).
Partitioning and/or linking mechanisms
A partitioning between datasets and/or the logic implemented in the program 220 to rule the association or linking between datasets can use various mechanisms (which can be combined with one another).
A partitioning into distinct datasets or repositories advantageously can compartmentalize sensitive data. For example, the second dataset 230 can be tiered into a plurality of datasets, each corresponding to a quantized privacy breach risk. Data segregation can be predefined or it can be a continuous or dynamic process. The partitioning can be configured automatically according to predefined rules and/or be user-configurable (in whole or in part). The association of the respective datasets can be handled by the program 220.
In an embodiment, datasets are partitioned (e.g. divisions without overlaps).
In an embodiment, datasets are segmented or divided according to predefined criteria. Partitions can be static but also can be dynamically handled (e.g. continuous tests). In an embodiment, the program 220 can operate such partitioning. In an embodiment, said partitioning is performed by both the program according to the invention and one or more other entities.
In an embodiment, the partitioning between datasets and/or the logic implemented by the program may comprise a double-blind mechanism. The underlying principle of a smart contract can be that neither the "initiator" (a third party 240) of the smart contract, nor a service provider (e.g. hosting the distributed ledger and the smart contract) has the ability to unveil data collections, in full or in part, at once (other than by recapture) and the name of the "Beneficiary" (the real user). The initiator only can have access to (front end) data collections (indistinctively, i.e. not even individualized by user profiles, i.e. "Twins profiles"). Conversely, the service provider (operating the crypto ledger and smart contract) can have access to the data collections but not to the individualized data collections. Both organizations need to be solicited to link the user to his/her twins' existence and activities. Such a double-blind scheme can guarantee data privacy.
In an embodiment, the partitioning between datasets and/or the logic implemented by the program may comprise a multi-party computation mechanism. Multi-party computation is a subfield of cryptography with the goal of creating methods for parties to jointly compute a function over their inputs while keeping those inputs private. In some embodiments, the creation and the management of a "privacy asset" (a smart contract associating the parties consisting in the real user, a bank, the service provider and the twin data collections) can be handled in a platform executing multi-party computing. Doing so, the handling of such assets can be performed without exposing the private data to other parties than the parties to the smart contract. Twin data collections and aggregated data collections can be handled in a similar manner, compartmentalizing knowledge.
In an embodiment, the partitioning between datasets and/or the logic implemented by the program may comprise homomorphic encryption. Homomorphic encryption is a form of encryption that allows computations to be carried out on ciphertext, thus generating an encrypted result which, when decrypted, matches the result of operations performed on the plaintext. Data storage implemented by the service provider can use encryption (in particular end-to-end encryption). Homomorphic encryption can then allow manipulating directly ciphered data (e.g. process, augment, enrich, and reorganize), i.e. without the need to decipher and/or access plaintext or clear data. Advantageously, such an encryption mechanism can ensure that even if eavesdropped or otherwise hacked, data collections always remain in an encrypted state.
In an embodiment, the partitioning between datasets and/or the logic implemented by the program may comprise k-Anonymity (e.g. mechanism or steps). K-anonymity designates the property possessed by certain anonymized data, wherein given person-specific field-structured data, a release of said data can be produced with proven guarantees that the individuals who are the subject of the data cannot be re-identified, while the data remain practically useful. Different processing methods can satisfy the k-anonymity property. In an embodiment, twin data collections are not necessarily encrypted but are "granularized". For example, one or more data fields can be blurred (for example an age range can be declared between 20 and 40 years old). As another example, instead of revealing the name of the city where an individual is living, it can be responded with the "region" information or a meta description such as "urban". In case of data leaks or hacks, privacy can be safeguarded while the data can remain useful for authorized third parties (e.g. paying for it).
In an embodiment, the partitioning between datasets and/or the logic implemented by the program may comprise l-diversity (e.g. mechanism or steps). l-diversity designates anonymization which is used to preserve privacy in datasets by reducing the granularity of a data representation, by using techniques including generalization and suppression (for example such that any given record maps onto at least k-1 other records in the data). The reduction is a tradeoff which results in some loss in data management in order to gain some privacy. Advantageously, an l-diversity model can mitigate weaknesses in k-anonymity models (e.g. homogeneity attack or background knowledge attack). l-diversity can improve intra-group diversity for sensitive values in the anonymization process. In some further embodiments, t-closeness models can be used. A t-closeness model extends the l-diversity model by treating the values of an attribute distinctly by taking into account the distribution of data values for that attribute.
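The granularization, k-anonymity and l-diversity notions of the two preceding paragraphs, worked through on a constructed twin data collection (an added example, not code from the application). The records, the attribute names, the age-band width and the city-to-region table are assumptions made for the illustration; the check reports the least generalization level at which a release satisfies both properties, and that no level may satisfy them.

```python
from collections import defaultdict

# Constructed sample of a twin data collection (no real persons): two
# quasi-identifiers (age, city) and one sensitive attribute (diagnosis).
RECORDS = [
    {"age": 23, "city": "Grenoble", "diagnosis": "flu"},
    {"age": 27, "city": "Lyon", "diagnosis": "asthma"},
    {"age": 35, "city": "Paris", "diagnosis": "flu"},
    {"age": 31, "city": "Grenoble", "diagnosis": "diabetes"},
    {"age": 52, "city": "Lyon", "diagnosis": "flu"},
    {"age": 47, "city": "Nice", "diagnosis": "asthma"},
    {"age": 58, "city": "Paris", "diagnosis": "flu"},
    {"age": 44, "city": "Grenoble", "diagnosis": "flu"},
]

QUASI_IDENTIFIERS = ("age", "city")
SENSITIVE = "diagnosis"

# Assumed lookup table for the "region" generalization named on the page.
CITY_TO_REGION = {
    "Grenoble": "Auvergne-Rhone-Alpes",
    "Lyon": "Auvergne-Rhone-Alpes",
    "Paris": "Ile-de-France",
    "Nice": "Provence-Alpes-Cote d'Azur",
}


def age_band(age, width=20):
    """Blur an exact age into a range such as '20-39' (the page's '20 to 40')."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def granularize(record, level):
    """Return a copy of `record` generalized to the given granularity level.

    level 0: raw quasi-identifiers
    level 1: age -> 20-year band, city -> region
    level 2: age -> 20-year band, city -> meta description "urban"
    """
    out = dict(record)
    if level >= 1:
        out["age"] = age_band(record["age"])
        out["city"] = CITY_TO_REGION[record["city"]]
    if level >= 2:
        out["city"] = "urban"  # every city in the constructed sample is urban
    return out


def equivalence_classes(records):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for rec in records:
        key = tuple(rec[q] for q in QUASI_IDENTIFIERS)
        classes[key].append(rec)
    return classes


def k_anonymity(records):
    """Largest k such that every quasi-identifier combination occurs >= k times."""
    return min(len(group) for group in equivalence_classes(records).values())


def l_diversity(records):
    """Smallest number of distinct sensitive values in any equivalence class.

    l == 1 means some class is homogeneous: the homogeneity attack named on
    the page succeeds there even if k-anonymity holds.
    """
    return min(len({rec[SENSITIVE] for rec in group})
               for group in equivalence_classes(records).values())


def minimal_release(records, k, l, max_level=2):
    """Least generalization level whose release is k-anonymous and l-diverse,
    as (level, released_records); None when no level up to max_level works."""
    for level in range(max_level + 1):
        release = [granularize(r, level) for r in records]
        if k_anonymity(release) >= k and l_diversity(release) >= l:
            return level, release
    return None


if __name__ == "__main__":
    for level in range(3):
        release = [granularize(r, level) for r in RECORDS]
        print(f"level {level}: k={k_anonymity(release)} l={l_diversity(release)}")
    print("k=2, l=2 ->", minimal_release(RECORDS, 2, 2) and minimal_release(RECORDS, 2, 2)[0])
    print("k=2, l=3 ->", minimal_release(RECORDS, 2, 3))
```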
In an embodiment, the partitioning between datasets and/or the logic implemented by the program may comprise one or more Virtual Party Protocols. A VPP designates a protocol which uses virtual parties and mathematics to hide the identity of the real intervening parties.
In an embodiment, the partitioning between datasets and/or the logic implemented by the program may comprise one or more Secure Sum Protocols. A SSP allows multiple cooperating parties to compute a sum function of their individual data without revealing the data to one another.
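One concrete Secure Sum Protocol, as an added example that is not part of the application: each party splits its private value into additive shares modulo a prime, hands one share to every other party, and only the per-party partial sums are published. The modulus, the party count and the sample values are assumptions of the demo.

```python
import secrets

# Field modulus for the shares. Inputs must be smaller than it and their
# total must not wrap around, otherwise the reconstructed sum is reduced mod MODULUS.
MODULUS = 2**61 - 1


def split_shares(value, n_parties, modulus=MODULUS):
    """Split `value` into n_parties additive shares summing to value mod modulus.

    All but the last share are uniformly random, so any n_parties - 1 shares
    together carry no information about `value`.
    """
    if n_parties < 2:
        raise ValueError("secure sum needs at least two parties")
    shares = [secrets.randbelow(modulus) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % modulus)
    return shares


def distribute(private_values, modulus=MODULUS):
    """Round 1: party i computes its shares; shares[i][j] goes to party j."""
    n = len(private_values)
    return [split_shares(v, n, modulus) for v in private_values]


def partial_sums(shares, modulus=MODULUS):
    """Round 2: party j adds the one share it received from every party.

    This is the only value party j ever publishes; the individual inputs
    stay with their owners.
    """
    n = len(shares)
    return [sum(shares[i][j] for i in range(n)) % modulus for j in range(n)]


def secure_sum(private_values, modulus=MODULUS):
    """Run both rounds and combine the published partial sums into the total."""
    shares = distribute(private_values, modulus)
    return sum(partial_sums(shares, modulus)) % modulus


def view_of_party(shares, j):
    """Everything party j sees from the others: one random-looking share each.

    Note the inherent limit of any secure sum: if all parties but one
    collude, they learn the remaining input from the total alone.
    """
    return [shares[i][j] for i in range(len(shares)) if i != j]


if __name__ == "__main__":
    # Constructed inputs: e.g. monthly spend reported by three twin profiles.
    inputs = [120, 75, 300]
    shares = distribute(inputs)
    print("party 0 sees:", view_of_party(shares, 0))
    print("secure sum   :", secure_sum(inputs), "(expected", sum(inputs), ")")
```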
In an embodiment, the partitioning between datasets and/or the logic implemented by the program may implement differential privacy. Differential privacy comprises steps for releasing statistical information about a data collection without revealing information about its individual entries. In particular, it can maximize the accuracy of queries from statistical databases while minimizing the chances of identifying its records.
In an embodiment, the partitioning between datasets and/or the logic implemented by the program may comprise an exponential mechanism. According to such a mechanism, one can output a synthetic dataset in a differentially private manner and can use the dataset to answer queries with good accuracy. Other private mechanisms, such as posterior sampling, which returns parameters rather than datasets, can be made equivalent to the exponential one.
In an embodiment, the partitioning between datasets and/or the logic implemented by the program may use quasi-identifiers. Quasi-identifiers can, when combined, become or lead to personally identifying information. Quasi-identifiers are pieces of information which are not unique identifiers as such, but which are sufficiently correlated so that they can be combined with other quasi-identifiers to create a unique identifier. Quasi-identifiers can thus, when combined, become personally identifying information.
In an embodiment, the partitioning between datasets and/or the logic implemented by the program can use Statistical Disclosure Control (SDC). SDC designates techniques (i.e. steps) used in data driven research to ensure no person or organization is identifiable from a dataset (for example as used in a survey or research). SDC can be principles based and/or rules based. SDC ensures that individuals cannot be identified from published data, no matter how detailed or broad, establishing a balance between protecting confidentiality and ensuring the results of the data analysis are still useful (e.g. for advertising, statistical research, etc). In rules based SDC, a rigid set of rules is used to determine whether or not the results of data analysis can be released (e.g. what kinds of output are acceptable). In principles based SDC, any output may be approved or refused by one or more users.
In an embodiment, the link mechanism can use a federated architecture (e.g. processing, storage, learning). The expression "federated learning" enables local computing devices to collaboratively learn a shared prediction model while keeping all the training data on device, decoupling the ability to do machine learning from the need to store the data in the cloud (and thus to endanger privacy). Likewise federated processing refers to the distribution of processing power and/or storage of sensitive data.
FIG. 3 shows an example of privacy management according to an embodiment of the invention. The figure provides another representation of the previous figure.
A (real) user 330 is associated with true Identity Data 310. Data collections 2301, 2302 and 2303 ("twins" or "twin domains" or "twin profiles") have been defined by the user (or are constituted automatically). These data collections are exposed via the smartphone to inquiries and requests by third parties (the crowd). The smart contract 240 can rule the relations between data collections. In particular, the smart contract is the unique entity, aside the real user, which can associate the true identity 310 with one or more of the data collections. The smart contract 240 is executed on the smartphone and/or in the Cloud (in a distributed ledger, not shown).
In an embodiment, the user has the ability to switch (select and activate) a given twin profile amongst the plurality. The selected profile will be the "acting" profile for the smartphone (i.e. the identity profile considered by the smartphone, for example for logins and passwords, stored name, surname, address, etc). The user can be given the ability to switch profiles at any time.
In an embodiment, independently of such a manual switching, the true ID can remain protected and the smart contract can continuously arbitrate the switching between profiles. For example, when browsing a reliable or trustable commerce website, a particular twin data collection with many data can be acting. When crossing a sensitive border, susceptible of requests by customs authorities, an identity with less data can be loaded. A contrario, when a trustable or friendly customs border is about to be crossed, a less anemic identity profile can be presented. In some embodiments, embodiments of the invention comprise mechanisms to "derive" one or more twin data collections from an initial data collection. For example, entirely fake twin data collections can be created, but also plausible ones. The attribute of plausibility can be assessed quantitatively, for example if data fields are being ranked (the name and surnames being considered as more sensitive data than street address, but possibly less sensitive than the usual phone number). Contextual data can modulate such rankings. Aside manual operations, the privacy management can be automated. As a result of the enforcement of the smart contract (i.e. of its contractual clauses), the smart contract can tie or link the true identity of a user with one or more data collections associated with the user (e.g. a twin profile being instantiated in the smartphone). Before all, the smart contract can monetize private data with third parties.
For example, a third party, namely a merchant, may want to know the purchase history of a real user visiting a website, in order to better rank pages, or to adjust advertisements. The smart contract, based on prior choices made by the user and encoded in the smart contract, may agree to sell such a purchase history to the merchant (directly via a micro-payment, or indirectly via a personalized promotion code). In another example, a merchant selling sport equipment may be interested in knowing sportive activities and performances of a particular user for research and statistical purposes. In such a case, going deeper in particular subfields of personal activities can be justified and can lead to a (transparent) win-win outcome.
Importantly, during transactions, when initiated by a trusted third party, anonymity can be guaranteed: the smart contract acts as a shield to protect ultimate critical data. The smart contract empowers one twin data collection, for example through a KYC attribute. In case of wrongdoing, public authorities can still identify the individual as the beneficiary of the smart contract. Some additional limitations may apply when not initiated by a trusted third party.
FIG. 4 shows an embodiment of the invention with emphasis on the management of encryption keys.
The figure shows examples of players 410, e.g. one or more of a non-trusted third party 411, a trusted third party 412, a user 413 and a service provider 414. Players 410 handle encryption keys 420 to access (e.g. to read and/or write) data of datasets 430, via the rules and logic provided by one or more programs 440 (e.g. smart contract 220). The link or relation or association between datasets (210, 230) ruled by the program 440 (e.g. smart contract 220) can be enabled by cryptographic methods, e.g. the use of encryption keys. Data communication (e.g. access, read, write) can be ruled according to predefined rules. A program 440 can be a smart contract 220 instantiated on a (e.g. permissioned) distributed ledger 410 (transactions related to the smart contract are stored in a distributed ledger). Program(s) 440 can handle privileges 450, so as to communicate data selected from dataset 230 in relation to data of dataset 210 (e.g. a KYC value), associated to a (physical) individual.
Players
Different roles can be distinguished. The following description only provides examples. Described categories are mere "nicknames": other players' categories can be used.
A\"consumer\"or\"user\"or\"physicaluser\"or\"contractor\"designatesanend-userwhoisinneedtosecureand/oranonymizeand/orholdhis/herdata.Aphysicalusercancreateoneor
more\"twins\"or\"beneficiaries\i.e.digitalrepresentationsoraccounts.
A\"trustedtier\"ora\"thirdpartyidentityprovider\"designatesanentitywiththeability(delegatedauthority)todeliverKYCcertification.Suchanentitycanbeabank,atelecommunicationoperator,autilityprovider,anidentityprovider,etc.Theterm\"peer\"rather
referstopermissionedledgers.Insomeembodiments,\"trustedtiers\"canbeelevatedtobe
\"trustedpeers\".
A\"Data&AnalyticsPartners\"(acronymDAP)designatesa(significant)poolof(diverse)playerswhichcanactondata,i.e.process(e.g.enrichandcross-fertilize,format,etc)and/oranalyze(e.g.analytics,statistics,BigData,predictiveanalytics)and/orvisualizeand/orrateand/orstoreand/ortrade(e.g.databroker,etc)data.DAPentitiescanthusbecompaniesinvolvedinconsolidatedmarkets(e.g.dataanalytics)orevenemergingmarkets(e.g.bigdataoperators,privacyratingagencies).DAPentitiesmaywanttocomplywithprivacyregulations,forthem,fortheirpartnersortheirend-users.
The\"serviceprovider\"(e.g.Twinpeek)designatestheentitycontrollingthesmartscontracts
(inturncontrollingaccessandusageofprivatedata).
An\"auditor\"designatesanentitycapableofrunninganaudittoassesscomplianceto
regulations(legallybindingbutalsopossiblycodesofgoodconductsetc).
A\"regulator\"designatesnationalorgovernmentalorofficialauthoritiesdeveloping,deploying
andenforcingregulations.
Datasets
The datasets for example can comprise "data domains" 210 and 230.
The dataset 210 comprises personal identifiable data ("user" data). In some embodiments, KYC procedures (e.g. steps) can be used to create the dataset 210 ("user" data domain). In a KYC procedure, personal information can be first acquired (e.g. customer provides name, address, source of wealth, etc) by an institution (organization associated with a specific level of trust). A non-trusted third-party cannot have the ability to deliver KYC (a resulting smart contract would not then be labeled as KYC). Received personal information can be validated (authenticity can be reviewed by human agents and/or machines, i.e. possibly technically cross-checked). The receiving institution (as a trusted party) then can store the received and validated information in a data storage system (which can be potentially vulnerable, as any computerized system). The institution can update information when changes are requested.
Contract datasets and smart contracts
A physical user can create one or more "twins" or "beneficiaries", i.e. digital representations or accounts. Once a smart contract is established, a physical user can instantiate one or more "twins".
An entity previously authorized or acting on behalf of the user or account (a "Holder") can create or instantiate or modify the smart contract 220.
The contract dataset comprises transactions related to one or more smart contracts 220. A transaction designates any data record (such as SQL statements) depicting an activity related to the datasets 210 and/or 230.
A distributed ledger 410 can store transactions related to the one or more smart contracts.
The contract dataset can be encrypted.
Cryptography
Advantageously, cryptography can be used. Encryption prevents or impedes or slows down privacy breaches (information security on top of information confidentiality).
Regarding the terminology, terms like "ciphering" and "deciphering" keys can be generally considered as being respective synonyms to "encryption" and "decryption" keys (the latter terms putting emphasis on cryptanalysis attacks).
Examples of management of encryption keys
In some embodiments, the management of encryption keys (e.g. public and private keys) is ruled (in part or in full) by the software program (or smart contract, in a particular embodiment). Datasets 210 and/or 230 can be encrypted. The physical user is a "subscriber". A "beneficiary" is a "twin". A "holder" is an entity which holds (raw) data, for example a "trusted tier" such as a bank, or a "third party provider" (such as an e-commerce merchant). Keys are managed by the super-entity endorsed by/in the smart contract.
In an embodiment, there is disclosed a method of handling personal data comprising the steps of:
- a program 220 associating data of a first dataset 210 with data of a second dataset 230, wherein the first dataset 210 comprises personal identifiable/identifying data of a physical user ("subscriber") and wherein the second dataset 230 does not comprise personal identifiable/identifying data;
- receiving a request for data of the first and/or second datasets;
- determining in/by a program 220 communication modalities to said requested data;
- communicating requested data or parts thereof.
In an embodiment, data of the dataset 210 and/or the dataset 230 is ciphered (or encrypted). In an embodiment, symmetric encryption is used. For example, keys according to AES 256 bits currently present sufficient security; if needed, the length of keys can be adjusted (e.g. increased).
In an embodiment, asymmetric encryption is used, i.e. public key cryptography can be used. Asymmetric cryptography designates a cryptographic system which uses pairs of keys: public keys which may be disseminated widely (e.g. published), and private keys which are known only to the user or owner. Two functions can be performed: authentication (wherein the public key is used to verify that a holder of the paired private key has sent the message) and/or encryption (whereby only the holder of the paired private key can decipher the message ciphered with the public key).
In a particular embodiment, the holder of the smart contract can encrypt personal data of the subscriber using a key pair [holder private key; subscriber public key]. The subscriber can thus access the content using the decryption key pair [subscriber private key; holder public key].
In some embodiments, for example to prevent wrongdoings and/or to provide some traceability of activities when a contract is enrolled by a non-trusted third party, data associated with a user (depicting a "twin's" activity) may be deciphered by the service provider 414. The second dataset 230 in such embodiment can be encrypted, for example by using standard public key encryption. The service provider can store all activities related to the user or account or twin associated with the contract, by using the key pair [service provider private key; subscriber public key]. The subscriber in the meantime can access his content at any time using the decryption key pair [subscriber private key; service provider public key].
In an embodiment, at least some data of the dataset 210 and/or the dataset 230 may be personal identifiable/identifying data relating to a user named beneficiary or "twin". In an embodiment, the program can comprise a smart contract subscribed by said user ("beneficiary" or "subscriber" or "twin"). In an embodiment, the smart contract can be implemented in a permissioned distributed crypto-ledger; and the request for data can be received from a trusted third party, said trusted party being part of the permissioned distributed crypto-ledger.
In an embodiment, the method may comprise a step of ciphering the requested data with the holder private key and the user public key; and a step of deciphering the requested data with the holder public key and the user private key.
In an embodiment, at least some data of the dataset 210 and/or the dataset 230 may be personal identifiable/identifying data relating to a user; the program can comprise a smart contract subscribed by said beneficiary; the smart contract can be implemented in a permissioned or in a permissionless distributed crypto-ledger; and the request for data can be received from a non-trusted third party, said non-trusted party being not part of the permissioned or permissionless distributed crypto-ledger.
In an embodiment, data of the dataset 210 and/or of the dataset 230 is ciphered with a key pair comprising the user private key and an (ephemeral/user) public key; and, for example in response to a request for data or a request to exercise a right to erasure, the method comprises the step of the user deciphering the requested data with the user private key and the public key. The requested data cannot be decrypted by the service provider.
In an embodiment, data of the dataset 210 and/or of the dataset 230 is ciphered with a key pair comprising the user public key and a service provider private key; and, for example in response to a request for data communication or a request to exercise a right to erasure, the method comprises the step of the user deciphering the requested data with the user private key and the service provider public key; and the service provider deciphering the requested data with the service provider private key and the user public key.
In an embodiment, data of the dataset 210 and/or of the dataset 230 is ciphered with a key pair comprising the trusted party private key and the user public key; and, for example in response to a request for data or a request to exercise a right to erasure, the method comprises the step of the user deciphering the requested data with the user private key and the trusted party public key; and the trusted party deciphering the requested data with the trusted party private key and the user public key.
In an embodiment, data of the dataset 210 and/or of the dataset 230 is ciphered with a key pair comprising the user public key and an ephemeral public key; and, for example in response to a request for data communication or a request to exercise a right to erasure, the method comprises the step of the user deciphering the requested data with the user private key and the user public key. The requested data is sealed and cannot be decrypted by the service provider.
In some embodiments of the invention ("encrypt and forget"), a public key encryption is used and a short-life "ephemeral" key is used. Advantageously, data of the dataset can only be revealed to the data owner (the user or beneficiary). Such an embodiment is advantageous when the contract is KYC (accountability).
In some optional and advantageous embodiments, asymmetric encryption can use seals or seal boxes 421.
A\"sealedbox\"maycompriseakeypairassociatedwithamessage(comprisingdata),andsaidkeypairincludesaprivatekeyandapublickey,saidkeypaircanbeephemeralorof
shortlifetime,andtheprivatekeypaircanbedestroyedshortlyafterencryptingthe
message(comprisingdata).
A\"sealedbox\"isdesignedtoanonymouslysendamessagetoarecipientgivenitspublickey.Onlytherecipientcandecryptthemessage,usingitsprivatekey.Whiletherecipientcan
verifytheintegrityofthemessage,itcannotverifytheidentityofthesender.Themessageisencryptedusinganephemeralkeypair,whosesecretpart(privatekey)isdestroyedrightafter(orshortlyafter)theencryptionprocess.Withoutknowingthesecretkey(privatekey)usedforagivenmessage,thesendercannotdecryptitsownmessagelater.Without
additionaldata,amessagecannotbecorrelatedwiththeidentityofitssender.Theterm\"destroyed\"canmean\"deleted\"or\"forgotten\logicallyand/physically.
In some embodiments, the service provider 414 for example can use a seal box 421.
In an embodiment, for example when the contract is enrolled by a trusted third party, the dataset 230 can be encrypted and further sealed (i.e. only the beneficiary may decipher the content). The service provider can store and access data of the dataset 230 related to the twins associated to the corresponding contract using the key pair [ephemeral secret key; beneficiary public key]. The beneficiary in turn can access the content by using the decryption key pair [beneficiary private key; beneficiary public key].
In some embodiments, one or more ephemeral encryption keys can be used. Deciphering is generally only allowed with physical user agreement.
In an embodiment, data is further secured by using format-preserving encryption. In an embodiment, Format Preserving Encryption (FPE) can be used. Format-preserving encryption (FPE) refers to encrypting in such a way that the output (the ciphertext) is in the same format as the input (the plaintext). Using FPE is advantageous to integrate encryption into existing applications (e.g. by allowing a drop-in replacement of plaintext values with their cryptograms in legacy applications). Such an embodiment enables the integration into existing datasets 210 and/or 230 (e.g. ERP, CRM, e-commerce management store, customer purchase tracking tools). Using FPE, some records and/or fields can be ciphered. Views and forms of the database can remain largely unchanged. Such an embodiment also enables the integration into large-scale privacy management systems.
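As an added illustration (not code from the patent or its applicant) of the drop-in property described above, the following Python builds a small tweakable Feistel cipher over a chosen alphabet, so that a 16-digit number encrypts to another 16-digit number and an alphanumeric string to another of the same shape. The construction, the demo key and the sample values are assumptions; it is not the standardised NIST FF1/FF3-1 mode.

```python
import hashlib
import hmac

# Added example, not the patent's own code: a simplified tweakable Feistel
# construction over a fixed alphabet. It illustrates the FPE property only and
# is NOT the standardised NIST FF1/FF3-1 mode.

DIGITS = "0123456789"
ALNUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def _num(text: str, alphabet: str) -> int:
    """Read `text` as a big-endian number in radix len(alphabet)."""
    radix = len(alphabet)
    value = 0
    for ch in text:
        value = value * radix + alphabet.index(ch)
    return value


def _str(value: int, length: int, alphabet: str) -> str:
    """Inverse of _num: render `value` as exactly `length` symbols of `alphabet`."""
    radix = len(alphabet)
    out = []
    for _ in range(length):
        value, rem = divmod(value, radix)
        out.append(alphabet[rem])
    return "".join(reversed(out))


def _prf(key: bytes, round_no: int, tweak: bytes, half: str, modulus: int) -> int:
    """Feistel round function: HMAC-SHA256 over (round, tweak, half), reduced
    into the domain of the half being replaced. The tweak (e.g. the column
    name) makes the same value encrypt differently in different fields."""
    msg = bytes([round_no]) + len(tweak).to_bytes(2, "big") + tweak + half.encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def _check(text: str, alphabet: str, rounds: int) -> None:
    if rounds < 2 or rounds % 2:
        raise ValueError("rounds must be an even number >= 2")
    if len(text) < 2 or any(ch not in alphabet for ch in text):
        raise ValueError("input must be at least two symbols, all from the alphabet")


def fpe_encrypt(key: bytes, plaintext: str, tweak: bytes = b"",
                alphabet: str = DIGITS, rounds: int = 10) -> str:
    """Encrypt `plaintext` to a ciphertext of the same length over the same alphabet."""
    _check(plaintext, alphabet, rounds)
    n = len(plaintext)
    u, v = n // 2, n - n // 2           # left/right half lengths (v = u or u + 1)
    a, b = plaintext[:u], plaintext[u:]
    radix = len(alphabet)
    for i in range(rounds):
        m = u if i % 2 == 0 else v      # length of the half replaced this round
        y = _prf(key, i, tweak, b, radix ** m)
        c = (_num(a, alphabet) + y) % radix ** m
        a, b = b, _str(c, m, alphabet)  # swap halves, as in a Feistel network
    return a + b


def fpe_decrypt(key: bytes, ciphertext: str, tweak: bytes = b"",
                alphabet: str = DIGITS, rounds: int = 10) -> str:
    """Invert fpe_encrypt by running the rounds backwards."""
    _check(ciphertext, alphabet, rounds)
    n = len(ciphertext)
    u, v = n // 2, n - n // 2
    a, b = ciphertext[:u], ciphertext[u:]
    radix = len(alphabet)
    for i in reversed(range(rounds)):
        m = u if i % 2 == 0 else v
        y = _prf(key, i, tweak, a, radix ** m)
        c = (_num(b, alphabet) - y) % radix ** m
        a, b = _str(c, m, alphabet), a
    return a + b


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"   # assumption: a fixed demo key
    card = "4111111111111111"                           # constructed sample value
    ct = fpe_encrypt(key, card, tweak=b"card_number")
    print(card, "->", ct, "->", fpe_decrypt(key, ct, tweak=b"card_number"))
    plate = "AB12CD34"                                  # constructed sample value
    ct2 = fpe_encrypt(key, plate, tweak=b"plate", alphabet=ALNUM)
    print(plate, "->", ct2, "->", fpe_decrypt(key, ct2, tweak=b"plate", alphabet=ALNUM))
```

The tweak (here the column name) binds a cryptogram to its field, so one value stored in two columns does not produce the same ciphertext; a short field still has a small domain that can be enumerated, so FPE preserves format compatibility rather than protecting low-entropy values.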
In an embodiment, data is further secured by using quantum key distribution and/or post-quantum encryption. Regarding quantum key distribution (QKD), a third party trying to eavesdrop on the encryption key must in some way measure it, thus introducing detectable anomalies. Advantageously, QKD impedes eavesdropping when determining and sharing encryption keys. In an embodiment, post-quantum encryption (or "quantum-resistant" encryption or "quantum-safe" encryption) can be used. Post-quantum cryptography refers to cryptographic algorithms (e.g. lattice-based, multivariate, hash-based, code-based, supersingular elliptic curve isogeny, and symmetric key quantum resistance) that are thought to be secure against an attack by a quantum computer, whose advent can be possible in the future. By using this type of encryption, transactions stored in the distributed ledger and/or datasets can be secured in the long term.
In an embodiment, data is encrypted at rest and/or during transport. Depending on embodiments, encryption can be performed at rest and/or during transport. For example, when the contract is KYC, data is ciphered at rest to prevent breaches. When the considered contract is not KYC, data can be ciphered during transport only. The service provider can then decipher data, for example to respond to legal injunctions, when requested by national authorities.
In further embodiments, one or more mechanisms can be used, for example steganography, biometrics, warrant canaries, physically unclonable functions.
Access to data
In some embodiments, access to data (by the service provider and/or users) can occur at any time.
In some embodiments, access to data can be conditional on predefined conditions, for example on predefined time frames (e.g. predefined times or schedules) and/or on other conditions (e.g. double authentication).
Embodiments related to roles of the third party quality and of the service provider.
While the user can always access his data, different embodiments of encryption of the datasets can be considered. In particular the dataset 210 and/or the dataset 230 can be rendered inaccessible to the third party, or even the service provider. Access can be parameterized, i.e. can be rendered conditional (e.g. to predefined secrets, identity, quality, biometric proofs, facts and/or rules and/or other parameters). For example, access to data can be managed at the same time, i.e. by handling simultaneous access. Access can be considered over time, e.g. by handling time intervals. Data access can be locked (for example with steadily increasing latencies as more data requests are received).
Read and/or write privileges can be allocated to the different roles (e.g. consumer or client or user, trusted party, non-trusted party, DAP, service provider, Twin, Auditor, Regulator, Government, etc) according to different schemes. The granularity of privileges can be configurable indeed (for example the "User KYC citizenship" data field can be rendered accessible to all parties while the "User ID" can be accessible to the service provider only).
Different embodiments can be considered, in particular when considering whether the third party is trusted or not. Two different examples are provided (not exhaustive).
Case 1 - Enrollment from a trusted third party
A trusted party for example can be "agreed" by the physical user (legal concept translating into technical features and requirements, e.g. validity tokens, authentication, seals, etc).
The dataset 210 ("User Domain") can be encrypted in different ways. In an embodiment, a key pair comprises {user public key; trusted party private key}. The dataset 210 can be ciphered by a user using a key pair comprising {user private key; trusted party public key}. The dataset 210 can be deciphered by a trusted party using a key pair comprising {trusted party private key; user public key}. The dataset 210 can be deciphered by the user. In some embodiments, the dataset 210 can be deciphered by the service provider. In some embodiments, the dataset 210 cannot be deciphered by the service provider.
The dataset 230 ("Twin Domain") can be encrypted in different ways. In an embodiment, a key pair comprises {user public key; ephemeral key}. The dataset 230 can be deciphered by the user using a key pair comprising {user private key; user public key}. In an embodiment, the dataset 230 can be sealed 421 (i.e. cannot be deciphered, thus read, by the service provider 414).
Case 2 - Enrollment from a non-trusted third party
The dataset 210 ("User Domain") can be encrypted in different ways.
In an embodiment, a key pair may comprise {non-trusted party private key; ephemeral key}.
The dataset 210 can be decrypted by a non-trusted party using a key pair comprising {non-trusted party private key; non-trusted party public key}. The dataset 210 cannot be decrypted by the service provider.
The dataset 230 ("Twin Domain") can be encrypted in different ways. In an embodiment, a key pair may comprise {service provider public key; ephemeral key}. The dataset 230 can be deciphered by the service provider using a key pair made of {service provider private key; service provider public key}.
Storage
The dataset 210 comprises sensitive data, i.e. personal identifiable data. This data can be stored in many different ways, which can be combined. In an embodiment, the storage is performed offline (for example "cold storage" can be used; data storage can be maintained separated from the network to prevent or limit attacks or illicit access). In an embodiment, one or more datasets (or pieces of data) can be stored in an encrypted state (at rest).
Depending on embodiments, centralized and/or distributed storage can be used. For example, in an embodiment, data (or the sensitive part thereof) is stored by trusted peers of the service provider, thereby relying on their respective capacities to securely hold sensitive material (such methods may require auditability or at least descriptions thereof). In another embodiment, data can be centralized and stored securely by the service provider. In some embodiments, hybrid storage systems can be used, using both centralized and distributed storage.
Requirements associated to data analytics can lead to specific storage architectures.
FIG. 5 shows examples of steps of an embodiment of the invention.
There is disclosed a method of handling personal data comprising the steps of: a program 220 associating data of a first dataset 210 with data of a second dataset 230, wherein the first dataset 210 comprises personal identifiable data (for example of a user, or of a plurality of users) and wherein the second dataset 230 does not comprise personal identifiable data; receiving a request for data of the first and/or second datasets; determining in/by a program 220 communication modalities to said requested data; communicating requested data or parts thereof.
There is disclosed a computer-implemented method comprising the steps of: a program 220 associating data of a first dataset 210 with data of a plurality of tiered datasets (230 and others not shown), wherein the first dataset 210 comprises personal identifiable data and the plurality of tiered datasets comprises data which may be associated to personal identifiable data.
There is disclosed a computer-implemented method comprising the steps of: a program 220 associating data of a first dataset 210 with data of a plurality of tiered datasets (230 and others not shown), wherein the first dataset 210 comprises personal identifiable data and the plurality of tiered datasets comprises data which may be associated to personal identifiable data, the partitioning of data in tiered datasets being performed according to discrete associability levels, said associability levels determining the risk of association of data of a tiered dataset with personal identifiable data.
There is disclosed a computer-implemented method comprising the steps of: a program 220 associating data of a first dataset 210 with data of a plurality of tiered datasets (230 and others not shown), wherein the first dataset 210 comprises personal identifiable data and the plurality of tiered datasets comprises data which may be associated to personal identifiable data, the partitioning of data in tiered datasets being performed according to discrete associability levels, said associability levels determining the risk of association of data of a tiered dataset with personal identifiable data, said risk designating the risk to directly unveil and/or to indirectly lead to the personal identifiable data; receiving a request for data of the first and/or plurality of datasets; determining in/by a program 220 communication modalities to said requested data; communicating requested data or parts thereof.
There is disclosed a computer-implemented method comprising the steps of: a program 220 associating data of a first dataset 210 with data of a plurality of tiered datasets (230 and others not shown), wherein the first dataset 210 comprises personal identifiable data and the plurality of tiered datasets comprises data which is associatable to personal identifiable data, the partitioning of data in tiered datasets being performed according to discrete associability levels, said associability levels determining the risk of association of data of a tiered dataset with personal identifiable data, said risk designating the risk to directly unveil and/or to indirectly lead to the personal identifiable data, and said risk being continuously determined according to predefined criteria comprising privacy breach probability or privacy breach simulation; receiving a request for data of the first and/or plurality of datasets; determining in/by a program 220 communication modalities to said requested data; communicating requested data or parts thereof.
In an embodiment, the first dataset 210 comprises true identity information. In an embodiment, the first dataset 210 comprises KYC compliant data.
In an embodiment, the second dataset 230 comprises anonymous and/or anonymized and/or pseudonymized and/or de-identified data.
In an embodiment, the second dataset 230 is partitioned into a plurality of datasets associated with discrete levels of privacy breach risks.
In an embodiment, the partitioning between datasets and/or the logic implemented in the program 220 uses one or more mechanisms selected from the group comprising multi-party computation, homomorphic encryption, k-anonymity, l-diversity, Virtual Party Protocols, Secure Sum Protocols, differential privacy, exponential mechanism, Statistical Disclosure Control, double blind mechanism or quasi-identifiers.
In an embodiment, the program 220 implements one or more of formal logic, computational logic, fuzzy logic or intuitionist logic.
In an embodiment, the program is a smart contract. In an embodiment, the smart contract is instantiated in a distributed ledger. In an embodiment, the distributed ledger is a permissioned ledger.
In an embodiment, the communication of requested data is conditional on a financial transaction.
In an embodiment, data comprises sensor data.
In an embodiment, data is secured by using one or more of symmetric encryption, asymmetric encryption, quantum key distribution, post-quantum encryption, and/or format-preserving encryption.
In an embodiment, the second dataset 230 comprises GDPR compliant data, said GDPR data being associated with predefined rules with respect to disclosure consent, data breach monitoring, data deletion and data portability.
There is disclosed a computer program comprising instructions for carrying out one or more steps of the method of the invention according to its various embodiments when said computer program is executed on a computer.
In an embodiment, there is disclosed a computer-implemented method of handling personal data comprising the steps of: - a smart contract (220) instantiated in a cryptographic distributed ledger (220), permissioned or permission-less, associating data of a first dataset (210) with data of a second dataset (230), wherein the first dataset (210) comprises personal identifiable data such as true identity information and/or Know Your Customer data and wherein the second dataset (230) does not comprise personal identifiable data or comprises anonymous and/or anonymized and/or pseudonymized and/or de-identified data; - receiving a request for data of the first and/or second datasets; - determining in/by the smart contract communication modalities to said requested data (e.g. authorization, forbidden access, required modifications, preferred modifications to minimize privacy breaches, etc); - communicating requested data or parts thereof (if applicable, i.e. according to determined communication modalities, as ruled by the smart contract). The step of associating data of the first dataset (210) with data of the second dataset (230) can comprise various partitioning mechanisms (data tiering, for example according to privacy breach risks) and/or data access mechanisms (e.g. allocation of read and/or write rights, or applicable rules thereon, handling of requests to access and/or to modify data, etc). Data in datasets can be encrypted, in particular by using format-preserving encryption.
Regulatory framework translated into technical features
The General Data Protection Regulation (GDPR, 2016/679) is a regulation by which European authorities have defined the framework wherein the member States should regulate data protection for individuals within the European Union.
Associated requirements (of legal and/or business nature) can be translated into technical features, which can be combined with embodiments of the invention (that is the specific mechanism of data segregation/partitioning/compartmentalization regarding association or associability with personal data, ruled by software or smart contract).
In particular, read/write (R/W) rights may - or shall, to comply with some regulations - be managed in configurable or configured ways.
The "right to be informed" for example can translate into steps of notifying users of the processing of personal data (of the first dataset 210 and/or the second dataset 230). Notifications can be performed in different ways. They can be pushed by emails, phone messages, automated phone calls, RSS, etc. They also can be pulled (i.e. by the user, for less intrusiveness, e.g. with a monitoring dashboard where the user can check the status of the processing). Granularity can be configurable. In some embodiments, each data field can be monitored separately, e.g. passport number. In some embodiments, clusters of groups of data fields can be manipulated (e.g. region along zip code and city information). In some embodiments, the number of (effective and/or requested) accesses to each data field (or cluster of data fields) can be counted and further displayed. In some embodiments, the party having accessed a specific data field can be traced. In some embodiments, a user can configure one or more alarms or alerts (e.g. for access to a specific data field, e.g. birth date, or in case of excessive accesses).
The "right of access" corresponds to diverse privileges. It primarily implies access control lists management. For example, read rights in dataset 210 and/or 230 shall be granted to the physical user, while denied to other parties. The R/W rights' scheme can be encoded in the smart contract. In some embodiments, the "right to access" can be testable. It for example may be tested by automated tests, for example performed randomly and/or by independent parties. The "right to access" can be associated to an escalation procedure, wherein if a user cannot get a copy of data associated with his/her profile, an incident ticket can be opened and reported to a regulating party. In order to protect against undue access to data, the "right to access" can be conditional on the provision of a proof of identity (e.g. biometry, two-step authentication, etc).
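As an added example (not the patent's own code) tying together the per-field privilege granularity described earlier, the access counting and party tracing of the "right to be informed", and the access control lists of the "right of access", the Python below evaluates read/write requests against a per-field policy and raises the user-configured alerts. The policy, roles, thresholds and sample parties are constructed assumptions that follow the page's own example (citizenship readable by all parties, user ID by the service provider only).

```python
from collections import defaultdict

# Added example, not the patent's own code. Policy, roles and thresholds are
# constructed assumptions for illustration.

ANY = "*"

# field -> operation -> roles allowed; ANY means every role may perform it.
POLICY = {
    "user_kyc_citizenship": {"read": {ANY}, "write": {"user", "trusted_party"}},
    "user_id": {"read": {"service_provider"}, "write": {"service_provider"}},
    "birth_date": {"read": {"user", "service_provider", "regulator"}, "write": {"user"}},
    "passport_number": {"read": {"user", "regulator"}, "write": {"user"}},
    "zip_code": {"read": {ANY}, "write": {"user"}},
    "city": {"read": {ANY}, "write": {"user"}},
}

# Clusters let the dashboard monitor a group of fields as one unit.
CLUSTERS = {"region": {"zip_code", "city"}}


class FieldAccessMonitor:
    def __init__(self, policy, alert_on_access=(), excessive_threshold=None):
        self.policy = policy
        self.alert_on_access = set(alert_on_access)           # e.g. {"birth_date"}
        self.excessive_threshold = excessive_threshold or {}  # field -> max effective reads
        self.requested = defaultdict(int)     # field -> accesses requested
        self.effective = defaultdict(int)     # field -> accesses actually granted
        self.accessed_by = defaultdict(set)   # field -> parties that obtained the data
        self.alerts = []

    def allowed(self, role, field, op):
        """Unknown fields or operations are denied by default."""
        roles = self.policy.get(field, {}).get(op, set())
        return ANY in roles or role in roles

    def request(self, party, role, field, op):
        """Decide one access; returns (granted, alerts raised by this request)."""
        self.requested[field] += 1
        granted = self.allowed(role, field, op)
        raised = []
        if granted:
            self.effective[field] += 1
            self.accessed_by[field].add(party)
            if field in self.alert_on_access:
                raised.append(f"{party} ({role}) performed {op} on {field}")
            limit = self.excessive_threshold.get(field)
            if limit is not None and self.effective[field] > limit:
                raised.append(f"excessive access to {field}: {self.effective[field]} > {limit}")
        self.alerts.extend(raised)
        return granted, raised

    def report(self, field):
        """What the user's dashboard would display for one field."""
        return {"requested": self.requested[field], "effective": self.effective[field],
                "parties": sorted(self.accessed_by[field])}

    def cluster_report(self, name):
        """Aggregate counts over a cluster of fields (e.g. the 'region' cluster)."""
        fields = CLUSTERS[name]
        return {"requested": sum(self.requested[f] for f in fields),
                "effective": sum(self.effective[f] for f in fields),
                "parties": sorted(set().union(*(self.accessed_by[f] for f in fields)))}


if __name__ == "__main__":
    monitor = FieldAccessMonitor(POLICY, alert_on_access={"birth_date"},
                                 excessive_threshold={"user_id": 2})
    # Constructed sample traffic: a twin reads citizenship (allowed) and user ID (denied).
    print(monitor.request("twin-7", "twin", "user_kyc_citizenship", "read"))
    print(monitor.request("twin-7", "twin", "user_id", "read"))
    for _ in range(3):
        print(monitor.request("sp-main", "service_provider", "user_id", "read"))
    print(monitor.report("user_id"))
    print(monitor.alerts)
```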
The "right to rectification" and the "right to erasure" (also known as "the right to be forgotten") are technically complex to handle. They generally relate to the management of read/write rights. In some aspects, technical implementations of the "right to be forgotten" may correspond to a "positive" or "volunteer" or "self-controlled" censorship.
The "classical censorship" led to numerous efforts, both in defense (i.e. to circumvent censorship) or in attack (i.e. to reinforce censorship). Problems and solutions nevertheless may not be exactly symmetrical for "positive censorship". "Classical" censorship can use techniques comprising blacklists of words, whitelists thereof, similarity computations, natural language processing if not semantic reasoning for the most advanced techniques; operations at data transport level (encryption but also deep packet inspection, manipulations of DNS, certificates and SSL levels, use of VPNs and other tunneling techniques, use of TOR or other similar onion routing techniques, mesh or ad hoc networks, proxies, refraction networking, etc). These techniques (plurality of steps) can generally be modified to be turned to the advantage of a legitimate user (having sufficiently proved his/her true identity, i.e. by satisfying predefined criteria).
The general problem of this "positive" censorship can be seen according to a perspective of centralization versus decentralization (distribution) of the contents; this approach can provide the main classes of foreseeable embodiments.
In an embodiment, the "intelligence" may be centralized. In some embodiments, precisely as proposed by the invention, personal data can be centralized - in a secure manner and therefore controlled - by one or a couple of service providers. Centralizing data implies that rectification if not deletion of data can be better controlled (by contrast to models with a large number of copies of data). The mechanisms previously described with respect to asymmetric encryption can technically prove and guarantee the appropriate access to data (and modifications thereof). A centralized model provides incentives to further centralize data with a given service provider. If and when data portability is ensured, there may not even remain a dependency towards the service provider (data portability means that service providers can be interchanged).
In some embodiments, when data is encrypted, the deletion of keys (kept centralized) can advantageously impede access to clear content, third parties possibly having a copy of the obsolete piece of data (control can imply some form of centralization, for example by a private organization; alternatively, contracts between parties can create multilateral obligations; filters can clean up data on the go during exchanges between non-cooperating parties).
In an embodiment, with less centralization, the "intelligence" can be distributed in the network. Internet service providers may be officially controlled or constrained by nation states and may implement the positive censorship or "right to be forgotten".
In an embodiment, with emphasis on distribution, the intelligence can be attached to the data: metadata can be conveyed along each piece of data. Metadata is data about data, e.g. stating the status of the data. Metadata may comprise web addresses of each of its copies, with some similarity with a BitTorrent tracker. Whenever a piece of data is received by/at a machine, the rights attached to said data piece can be known. A receiving machine may be cooperative (i.e. removing the required data if applicable and stopping propagation of obsolete data if applicable). A receiving machine may be non-cooperative (at the opposite it may be malicious and encourage propagation). As the use of the piece of data increases, so would the amount of associated metadata.
The different models, with various degrees of centralization or distribution, may be hybridized, i.e. combined according to various schemes. For example, nation-state approved servers in Europe may filter checksums of data pieces deleted according to the exercise of the "right to be forgotten", and metadata conveyed with each piece of data can point to centralized databases comprising the details of addresses of the copies, etc. As another example, if a data field or piece is deleted by the exercise of the right to be forgotten, then the multiple copies of said data field or piece can be deleted, either actively (i.e. immediately in internal databases) or passively (e.g. filters can modify returning data on the fly, if copies of said data have been communicated to uncontrollable or uncontrolled third parties). Internet service providers operating at large scale can implement such mutualized filters. Advantageously, inheritance mechanisms can enable further traceability.
Versus the "right to be forgotten", not only the exercise of the right can be implemented in a technical manner, but also the proof thereof.
For example, different levels of proof can be provided to a user demanding if the considered data field has been rectified or modified indeed. Several embodiments are further described.
In an embodiment, automated screenshots of the associated spreadsheet, if any, can be provided. In an embodiment, the hash value of the full profile may be communicated (it shall change if data is deleted). In an embodiment, the user can or shall be entitled to access further the data in question and to later verify that the obsolete data no longer is accessible. For example, the user may be provided with search features to double-check that data has been actually deleted. Further levels of proof can be provided: for example, the service provider can send a paper letter confirming that the considered data has been deleted. As internal matters, the service provider can establish management rules to handle backup copies accordingly (deletion of a data field can require deleting all occurrences in backup copies); and such management can be audited by an independent third party.
The "right to restrict processing" may correspond to a particular handling of administration rights (privileges or super admin role), for example as encoded in the software program 240. Such a right can also use previously described inheritance properties, since metadata about a raw data field can specify that a data piece cannot be used in a larger computation (for example, the name of a person may be specified to be combinable with data relating to sport but not to data relating to medical affairs).
The "right to data portability" may be associated with different steps. Data portability means that a user is able to switch service providers without undue burden. Corresponding to data portability, the method may comprise a step of downloading in full or in part data associated with a given user profile (and to be able to further delete downloaded data from the associated service provider). To facilitate the handling of data by the user, optional features such as search, filter or visualization of data can be provided, optionally or mandatorily. For example a user may or shall be able to search within stored data fields, to select specific data fields of interest, to choose an export format between a plurality, in order to be able to "cut", "copy" and "paste" any data piece of his personal data across different service providers. External and independent control mechanisms can be set up so as to count the number of steps (required to dump or evade data) imposed by the service provider.
The "right to object" can translate into a dedicated and secured communication channel, established between the requesting user, the service provider and possibly the regulator (for example in carbon copy). Particular time frames may be set up (so that a response is brought before a maximal delay). Registered letters or electronic receipts may be used.
The right in relation to "automated decision making and profiling" can be associated with technical measures enabling, or slowing down, or speeding up or preventing data processing. Such mechanisms can be encoded in the smart contract, typically. Proof-of-work systems (or variants thereof) can be used to regulate or otherwise authorize processing. For example, by design, a user may want to restrict uses of his medical condition. The first access or processing can cause no delays, but programmatically each further marginal processing can exponentially increase the required proof-of-work (unless the user gives explicit and direct consent).
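As an added example (not the patent's own code) of the escalating proof-of-work described in the preceding paragraph, the Python below gates each further processing of a restricted field behind a hash puzzle whose expected cost doubles with every prior processing and drops to zero once the user has given explicit consent. Class names, the difficulty step and the sample field are assumptions.

```python
import hashlib
import itertools

# Added example, not the patent's own code: a proof-of-work gate on the
# processing of a restricted data field. The first processing costs nothing;
# each further marginal processing doubles the expected work (one more leading
# zero bit), unless the user has given explicit, direct consent for the field.


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def verify_pow(challenge: bytes, nonce: bytes, bits: int) -> bool:
    """A nonce is valid if SHA-256(challenge || nonce) starts with `bits` zero bits."""
    return leading_zero_bits(hashlib.sha256(challenge + nonce).digest()) >= bits


def solve_pow(challenge: bytes, bits: int) -> bytes:
    """Brute-force a nonce; expected cost is about 2**bits hashes, paid by the
    party that wants the processing to go ahead."""
    for counter in itertools.count():
        nonce = counter.to_bytes(8, "big")
        if verify_pow(challenge, nonce, bits):
            return nonce


class ProcessingGate:
    """Tracks, per restricted field, how many processings have already happened
    and derives the proof-of-work required for the next one."""

    def __init__(self, step_bits: int = 1, cap_bits: int = 20):
        self.step_bits = step_bits   # extra bits per prior processing (work grows as 2**bits)
        self.cap_bits = cap_bits     # ceiling so the requirement cannot grow without bound
        self.processed = {}          # field -> completed processings
        self.consented = set()       # fields with explicit, direct user consent

    def grant_consent(self, field: str) -> None:
        self.consented.add(field)

    def withdraw_consent(self, field: str) -> None:
        self.consented.discard(field)

    def required_bits(self, field: str) -> int:
        if field in self.consented:
            return 0
        prior = self.processed.get(field, 0)
        return min(self.cap_bits, self.step_bits * prior)

    def challenge(self, field: str) -> bytes:
        """Challenge bound to the field and its processing count, so a nonce
        solved for one processing cannot be replayed for the next."""
        prior = self.processed.get(field, 0)
        return hashlib.sha256(f"{field}:{prior}".encode()).digest()

    def process(self, field: str, nonce: bytes = b"") -> bool:
        """Accept the processing only if the nonce meets the current requirement."""
        if not verify_pow(self.challenge(field), nonce, self.required_bits(field)):
            return False
        self.processed[field] = self.processed.get(field, 0) + 1
        return True


if __name__ == "__main__":
    gate = ProcessingGate(step_bits=2)
    field = "medical_condition"                      # constructed restricted field
    for attempt in range(4):
        bits = gate.required_bits(field)
        nonce = solve_pow(gate.challenge(field), bits) if bits else b""
        accepted = gate.process(field, nonce)
        print(f"processing #{attempt + 1}: required {bits} bits -> accepted={accepted}")
    gate.grant_consent(field)
    print("with explicit consent:", gate.required_bits(field), "bits required")
```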
The right directed to the "valid and explicit consent for data collected and purposes of data used" may refer to particular data fields in the managed databases. In some embodiments, the consent or "opt-in" may have a general scope and a specific predefined duration, before renewal. In some embodiments, the consent shall be received at each processing step. In some embodiments, consent can be withdrawn (for example at any time from the user dashboard).
Some other rights can be derived from the mentioned rights. For example, security breaches may be reported to users (at least if certain conditions are met, e.g. the flaw is patched, in a predefined time frame).
FIG. 6 and 7 show examples of user interfaces of a web browser for privacy management.
Figure 6 shows an example of a specific web browser 600 which can be used to handle data communication to and from the datasets 210 and/or 230. This browser can allow the user to surf the Internet while preserving her/his privacy. An optional indicator 610 can show whether navigation is secured or not (i.e. privacy-safe). Navigation can be secured by using one or more of techniques comprising: IP anonymization, proxies, Virtual Private Networks, onion routing, DNS spoofing, code obfuscation, handling of cookies (including LSO cookies) and other bugs, implementation of ad blockers, handling of fingerprinting techniques, use of virtual machines, etc. At any time, the real user can switch identities 620. By touching or clicking the icon 620, the user can manage identities (e.g. edit, delete, fork, clone, etc). The user also can monitor and visualize the number of blocked trackers, ads, cookies etc. By touching or clicking the icon 630, the user can access detailed reports.
Figure 7 shows another example of a screen of the specific web browser. If and when prompted to fill in a form 710, a contextual help 720 can be provided by displaying available identities: the user can choose a profile amongst a plurality 730 for auto-completion. In some embodiments, a recommendation can be made to use a particular profile given the risks associated to the form and/or the considered website. A new identity also can be created.
The subject matter of the present disclosure includes all novel and non-obvious combinations and sub-combinations of the various processes, systems and configurations, and other features, functions, acts, and/or properties disclosed herein, as well as any and all equivalents thereof. They do not in any way limit the scope of said invention which is defined by the appended claims.
Further embodiments are now described.
In an embodiment, the program is a smart contract instantiated in/on a "distributed ledger" or e.g. "blockchain" (the blockchain can be "permissioned", e.g. named cooperating organizations, or "permissionless", open to anyone, requiring proof-of-work or other anti-spam mechanisms, or can comprise "hybrid" blockchains, i.e. combining some features of both permissioned or permissionless blockchains, e.g. read and/or write accesses, ciphering keys management, etc).
In an embodiment, the first dataset (210) comprises true identity information and/or Know Your Customer compliant data.
In an embodiment, KYC compliant data of a user is determined from a plurality of documents hosted by independent sources.
In an embodiment, websites' certificates of one or more independent sources are verified when retrieving documents or parts thereof (so as to ensure that said documents are legit).
In an embodiment, retrieval accesses to documents hosted by independent sources are tracked and reported to the user (as a matter of transparency).
In an embodiment, the step of determining KYC compliant data comprises the use of one or more (mechanisms) of machine vision, optical character recognition and/or machine learning.
In an embodiment, the step of determining KYC compliant data access comprises (using) crowdsourcing.
In an embodiment, the step of determining KYC data is decoupled into the steps of: - providing executable code instructions for processing personal identifiable data or documents; - providing personal identifiable data or documents; - executing the executable code instructions for processing personal identifiable data or documents; wherein one or more of said decoupled steps are performed on different hardware machines (or systems or devices or servers or computers).
In an embodiment, a wearable computer associated with a user, such as a smartphone or a smartwatch, is used to process personal data.
In an embodiment, the wearable computer is connecting to, or being part of, one or more blockchains or crypto ledgers (the blockchain for partitioning personal data from non-personal data, oracle's blockchains; e.g. hyperledger, sovrin, etc).
Trust matters. In one embodiment, KYC compliant data is provided "as a service" (or "on demand" or upon request). In other words, KYC may not be given data; embodiments of the invention may comprise steps of collecting, extracting, filtering, and otherwise verifying data.
Regarding the form, KYC data can be provided via one or more APIs, and/or via one or more web services, and/or via other dedicated communication channels (encrypted and/or using steganography to not even show the communication of sensitive data), from one or more "digital identity providers" (acronym DIP) or "sourcing parties".
For example, a) identity, b) residency, c) revenue and d) tax can be extracted from different sources of information to create a complete KYC. Invoices from energy suppliers or telecommunication operators for example can be used to provide a proof of residency (scanned paper, electronic version, etc). Employers' paychecks and official tax summary documents also can be requested as proof of revenue. University diplomas, driver permits or vehicle certificates (for example as delivered by the Department of Motor Vehicles) also can be used as credential(s).
Paper prints, scans and electronic documents can be forged (e.g. falsified) relatively easily, for example by using photocopiers and software graphical editors. It is estimated that a significant fraction of alleged US PhDs are "fakes". As a consequence, multiplying the number of independent sources allows diminishing the probability of forging and thereby increases trust.
Regarding the substance, digital identity (KYC or true identity) is composed of a (few) finite set of (core) data pieces. KYC data typically comprises true identity such as family name and surname and at least one address (physical and/or logical). KYC can comprise more data (e.g. email, place of birth, etc).
Embodiments of the invention advantageously allow 1) avoiding users repeatedly proving their identity or parts thereof before different requesting parties (some centralization is advantageous); 2) facilitating the refreshing of data (e.g. residence address shall be updated or verified from time to time); embodiments of the invention can allow for an "enter once, use many times"; 3) letting users get notified of the data processing of their identity data pieces.
In one embodiment, KYC data is determined by one unique party ("digital identity manager, DIM"), previously agreed by the user and requesting parties (e.g. banks). Pieces of data constituting the digital identity (e.g. date of birth, residence address) may stem from different parties, hereinafter named as "sourcing parties", which parties can be organized - or not - regarding the provision of data pieces and proofs thereof (e.g. national digital passport services can provide certified face photographs but a utilities provider can limit itself to the provision of electricity bills and nothing more). KYC data is made of the gathering of data originating from different independent sources, this latter feature increasing trust that data is not falsified (collusion between parties is unlikely). To further reinforce trust, one or more data pieces constituting KYC data can (or shall) be refreshed or renewed over time (e.g. residence address).
In some embodiments, the architecture for KYC determination is "centralized" (one or few central points). In some other embodiments, the architecture can be "decentralized" (several different central points). In some embodiments, the architecture can be "distributed" (peer-to-peer networks). In other words, one single centralizing party can act for the gathering of data, but not necessarily: a plurality of interconnected parties can be orchestrated so as to centralize KYC data ("decoupling", infra).
Depending on embodiments, sourcing parties may be involved to various extents (ranging from the absence of any involvement to standardized communication channels for handling digital identity). Centralizing parties acting as DIMs can leverage contractual clauses as well as technical proofs: e.g. release of extraction code as open source software, size of the database being disclosed to the public so as to indicate that extremely few data is cumulatively extracted and stored by a DIM, direct or indirect proofs regarding access to sourcing websites (duration, logs, amount of data, etc).
In one embodiment, KYC compliant data is determined from a plurality of documents hosted by independent sources.
In one embodiment, accesses to documents hosted by independent sources can be performed by one or more independent parties (from the user associated with said KYC data and/or from the DIM). The term "independent" designates the absence of (direct) external control and (indirect) influence (e.g. common interests).
Another aspect of the invention relates to the role of the user. A given user may not be trusted, a priori. Trust may increase when verifications or cross verifications can be made (consistency or coherence of data). For example, inexistent revenue may not be compatible with a prestigious residency location.
Some of these verifications can be handled independently from the user (i.e. checking declared residency in public directories). The user may - or may not - be informed of such background verifications, depending on embodiments.
In some embodiments, some of said verifications may require being able to act on behalf of said user or with temporary and delimited agreement/cooperation. For example, the user may provide credentials to access the URI and/or URL of a tax document (hidden link or data protected by login/password or cached page hosted by a sourcing party).
In some embodiments, the user can - with intention - declare one or more sourcing parties to the DIM: the user can make an informed choice. In one embodiment, the method of collecting KYC data can comprise the step of retrieving directly and independently from the user KYC data from one or more sourcing parties.
In one embodiment, websites' certificates are verified when retrieving data from said one or more independent sources.
In one embodiment, the DIM can check the website certificate of a given provider to ensure any extracted data from files retrieved from web scraping are legit documents.
In one embodiment, accesses to documents hosted by independent sources are tracked and reported to the user.
In one embodiment, the sharing of data (e.g. as previously agreed by the user) is tracked and reported to the (previously informed) user. Such embodiments can present a "win-win" situation or virtuous circle: clear and transparent data handling leads to informed users, who are better informed about the way their data is handled, and thereby who are increasingly willing to share more personal information. Transparency and trust work along.
Depending on embodiments, tracking can include logging data such as date, time, geolocation of data processing, duration of connections, nature/quality of handled data, amounts/volumes or quantity of handled data, etc.
In one embodiment, the step of determining KYC compliant data comprises the use of one or more of machine vision, optical character recognition and/or machine learning.
In one embodiment, the data extraction can be done by users themselves (for example providing an address and a scan of bills proving said address, along with potentially usable credentials); the digital identity manager can randomly counter-check or verify said data (for example with the same sourcing party, providing access to one or more invoices if and when the user grants authorization for the DIM to receive an "original" directly from the sourcing party).
In some embodiments, one or more of the independent sources can provide ("spontaneously", or at least "cooperatively") credentials data to the DIM. For example, along with the provision of electricity, an energy provider can deliver data extracted from legitimate documents. In some embodiments, all of the independent sources can provide credentials upon request (e.g. by applicable law or de facto standard). In some embodiments, some independent sources may provide such data, while some others may not (need for extraction).
In some embodiments, along with invoices for their services, "sourcing parties" can authenticate and sign their respective credential data pieces (the electricity provider can provide an API wherein the address of a given customer can be retrieved).
In some cases, a sourcing party (source of information) can contribute the information directly to the platform (i.e. not requiring any extraction). In this case, the DIM can still create a unique identification of the organization so that any credential created by this organization can be used to generate proofs to/for other third parties interested in making decisions on this trusted source's information.
In one embodiment, the method comprises a user submitting one or more access credentials to one or more websites to said unique party (for example utilities' bills), and said unique party determining one or more data pieces by accessing (directly) said one or more websites. Advantageously, in such a process, the source of data can be verified (the user cannot send an invoice by email, which communication would not guarantee that the paper having been sent is original, i.e. not falsified). The connection to the source can be certified by a secured transfer protocol (HTTPS for instance). Following this, a unique DIM party can access, browse and retrieve utilities' invoices, perform Optical Character Recognition or the like and extract the user address therefrom. In other embodiments, image recognition can be used (a database of corporate logos can facilitate or otherwise lead the retrieval of the relevant information). In other embodiments, document parsing can be used (search of keywords or pre-determined X,Y coordinates of data in a PDF document for instance). Extraction can be fully automatic, or manual e.g. performed by an employee of the DIM, or even semi-automatic (once an invoice template is known, the extraction can be automated for other users and invoices, at least until the format of the considered invoice changes). Template extraction or parser definition can be crowd-sourced.
Machine learning can comprise one or more of unsupervised learning, supervised learning, clustering, dimensionality reduction, structured prediction, anomaly detection, neural nets, reinforcement learning or deep learning (also known as deep structured learning or hierarchical learning).
In some other embodiments, machine learning can be used in combination with crowdsourcing (e.g. whereby the end user can map retrieved data to the proper field in the database schema).
In one embodiment, the step of determining KYC compliant data access comprises crowdsourcing.
One way to distribute processing comprises the use of crowdsourcing mechanisms (e.g. incidentally when solving captchas, or with "mechanical Turk" mechanisms wherein tasks are distributed to human users, sometimes not even knowing the final purpose of the data processing). In some embodiments, crowdsourced tasks can comprise the identification and comparison of corporate logos and the extraction of data fields (e.g. address, etc.).
Various other topics are now discussed.
There are some tensions between trust and (de)centralization. To some extent, institutional trust can be replaced by trustless systems, a.k.a. blockchains. Depending on embodiments, a certain level of centralization can still be required. In some embodiments, the residually centralized system (or DIM) can be further decentralized or distributed. The latter can be done in many different ways, but in particular by decoupling data processing into separate processes. In one embodiment, code specification, code execution and data provision can be decoupled and can involve a plurality of independent entities.
KYC data may require proofs stemming from different independent entities, to avoid collusions and data falsifications; by involving independent parties, trust in the digital identity being reconstructed increases. This construction of a digital entity (or credentials) may require some centralization. At the same time, the trust of the user in the various interacting parties may require avoiding that one unique party excessively gathers access rights, which in turn advocates for distribution of privileges (e.g. zero-knowledge proof mechanisms or protocols).
In one embodiment, as providing and centralizing access credentials may be problematic for some users, accesses to the sourcing websites can be timestamped and logged. Users may for example verify that accesses' durations are short. Connecting IP addresses can also be checked and logged, on the end of sourcing parties. The identity of the sourcing parties can be pre-determined and be certified by an external certificate provider. Certificate mechanisms can be put in place to secure and guarantee the identity of the servers. In some embodiments, more sophisticated techniques can be used to guarantee participating users that their credentials are not being misused. In addition to a contractual "no-logs" policy, bundles of technical proofs can be used (cumulatively). In one embodiment, the source code for accessing and retrieving information of a given sourcing website can be released as open source software (for example in a smart contract in a blockchain according to the invention), said code being hashed and the execution of said code being guaranteed or otherwise proved. The hash key can be stored and accessible, for example for auditing purposes. In particular, the extraction code or script can be executed by a sourcing party (if previously agreed). In some embodiments, the unique party DIM can be distributed (or "decoupled") into independent entities (some executing codes or scripts) while some other parties can be held responsible for extraction code contents.
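As an added example (not code from the application), the tracking described above can be turned into a check the DIM runs over its own access log before reporting to the user: each session is compared against the pre-determined identity of the sourcing party (pinned server address and certificate fingerprint) and against a maximum session duration, so the user can verify that accesses were short and went to the certified servers. The log format, field names, addresses and fingerprints are constructed for the illustration.

```python
import json
from datetime import datetime

# Constructed sample access log written by the DIM (one record per session opened on a
# sourcing party's website with the user's credentials). Field names are hypothetical;
# the logged items follow the description: date/time, duration, connecting address,
# nature and volume of handled data.
SAMPLE_ACCESS_LOG = [
    {"user": "user-42", "source": "energy-provider.example", "start": "2018-10-31T09:00:00",
     "end": "2018-10-31T09:00:11", "server_ip": "203.0.113.10",
     "cert_sha256": "1111aaaa", "data_kind": "invoice", "bytes": 48213},
    {"user": "user-42", "source": "energy-provider.example", "start": "2018-10-31T09:05:00",
     "end": "2018-10-31T09:12:30", "server_ip": "203.0.113.10",
     "cert_sha256": "1111aaaa", "data_kind": "invoice", "bytes": 51002},
    {"user": "user-42", "source": "water-provider.example", "start": "2018-10-31T10:00:00",
     "end": "2018-10-31T10:00:08", "server_ip": "198.51.100.7",
     "cert_sha256": "ffff0000", "data_kind": "invoice", "bytes": 30110},
    {"user": "user-7", "source": "tax-portal.example", "start": "2018-10-31T11:00:00",
     "end": "2018-10-31T11:00:20", "server_ip": "192.0.2.44",
     "cert_sha256": "2222bbbb", "data_kind": "tax-statement", "bytes": 120400},
]

# Identities of sourcing parties pre-determined and certified ahead of time: the server
# address(es) the DIM may reach and the expected certificate fingerprint (constructed).
PINNED_SOURCES = {
    "energy-provider.example": {"ips": {"203.0.113.10"}, "cert_sha256": "1111aaaa"},
    "water-provider.example": {"ips": {"198.51.100.7"}, "cert_sha256": "3333cccc"},
}


def session_seconds(record):
    """Duration of one logged session, from its ISO-8601 start and end timestamps."""
    start = datetime.fromisoformat(record["start"])
    end = datetime.fromisoformat(record["end"])
    return (end - start).total_seconds()


def audit_access_log(records, pinned, max_seconds=60):
    """Check every session and return the anomalies the user report should show."""
    findings = []
    for rec in records:
        issues = []
        duration = session_seconds(rec)
        if duration > max_seconds:
            issues.append(f"session lasted {duration:.0f}s (limit {max_seconds}s)")
        pin = pinned.get(rec["source"])
        if pin is None:
            issues.append("sourcing party not in the certified list")
        else:
            if rec["server_ip"] not in pin["ips"]:
                issues.append(f"connected to unexpected address {rec['server_ip']}")
            if rec["cert_sha256"] != pin["cert_sha256"]:
                issues.append("server certificate fingerprint does not match the pinned one")
        if issues:
            findings.append({"user": rec["user"], "source": rec["source"],
                             "start": rec["start"], "issues": issues})
    return findings


def user_report(records, pinned, user):
    """Per-user summary the DIM reports back: what was accessed, for how long, how much."""
    own = [r for r in records if r["user"] == user]
    flagged = audit_access_log(own, pinned)
    return {
        "user": user,
        "sessions": len(own),
        "sources": sorted({r["source"] for r in own}),
        "total_seconds": sum(session_seconds(r) for r in own),
        "total_bytes": sum(r["bytes"] for r in own),
        "flagged": len(flagged),
    }


if __name__ == "__main__":
    print(json.dumps(audit_access_log(SAMPLE_ACCESS_LOG, PINNED_SOURCES), indent=2))
    print(json.dumps(user_report(SAMPLE_ACCESS_LOG, PINNED_SOURCES, "user-42"), indent=2))
```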
In some embodiments, trust can be managed in "layers"; for example a chain of trust can be established between organizations (e.g. electricity provider EDF trusts and is trusted by BNP bank, which trusts water provider SUEZ, etc.). For example, unilateral or bilateral contractual agreements can be made, later translated into technical exchanges (e.g. ciphering and deciphering keys). Trust can be organized in a hierarchical way (requirements for a bank to be agreed by a trust provider). In particular, if a piece of digital identity is obtained at level N, then inferior levels N-1 can inherit allowance to access. Such links at organizations' levels can complement, if not supplement, the declarations being made by an individual user. In order to robustify such a system, one or more blockchains can be used, thereby "engraving" the genealogy of data, which becomes verifiable (data cannot be deleted from a blockchain, due to its very design, unless 51% of the participating nodes collude). The different successive or simultaneous residence addresses can be recorded, for example. Access to such data can be free of constraints, or can be limited (encryption keys).
With respect to the right to be forgotten, European privacy laws can require data to be deleted, pure and simple (e.g. erroneous or appealed court decision, stopping error propagation, etc.). Such a requirement can raise complex issues in view of how blockchains work. In some embodiments of the invention, time-lapse cryptography and other key management can be advantageously used (for example in a smart contract hosted in a blockchain), thereby overcoming such compatibility issues. In one embodiment of the invention, a secure data self-destructing scheme can be implemented (in a cloud or blockchain). A ciphertext can be labeled with a time interval while the private key is associated with a time instant. The ciphertext can only be decrypted if both the time instant is in the allowed time interval and the attributes associated with the ciphertext satisfy the key's access structure. Sensitive data will thus be securely self-destructed after a given expiration time (e.g. admin-configurable, user-specified, etc.). Variants of such cryptographic mechanisms allow for the temporary existence of data in a blockchain (a blockchain can also be used to store hash values of documents that are stored outside, as a proof). Conversely, a user can encrypt data so that it is guaranteed to be revealed at an exact moment in the future. In such an embodiment, a public utility can publish a continuous stream of encryption keys and subsequent corresponding time-lapse decryption keys.
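An added illustration (not from the application) of the decryption rule just described: a ciphertext labelled with a time interval and a set of attributes, a private key carrying a time instant and an access structure, and decryption possible only when the instant falls inside the interval and the attributes satisfy the structure. As a simplifying assumption, the cryptographic enforcement of attribute-based time-lapse encryption is replaced by a key-release authority that applies the rule and derives the data key; the stream cipher is a toy, and the KeyAuthority, Ciphertext and PrivateKey names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime


def satisfies(structure, attributes):
    """Evaluate an access structure: an attribute name, or ("AND", ...), ("OR", ...)
    or ("THRESHOLD", k, ...) over sub-structures, against a set of attribute names."""
    if isinstance(structure, str):
        return structure in attributes
    gate = structure[0]
    if gate == "AND":
        return all(satisfies(s, attributes) for s in structure[1:])
    if gate == "OR":
        return any(satisfies(s, attributes) for s in structure[1:])
    if gate == "THRESHOLD":
        return sum(satisfies(s, attributes) for s in structure[2:]) >= structure[1]
    raise ValueError(f"unknown gate {gate!r}")


def _keystream_xor(key, data):
    """Toy stream cipher (SHA-256 in counter mode); for illustration only."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


@dataclass(frozen=True)
class Ciphertext:
    not_before: datetime   # the allowed time interval the ciphertext is labelled with
    not_after: datetime
    attributes: frozenset  # attributes associated with the ciphertext
    body: bytes

    def label(self):
        # Canonical encoding of interval and attributes; the data key is bound to it.
        return (f"{self.not_before.isoformat()}|{self.not_after.isoformat()}|"
                f"{','.join(sorted(self.attributes))}").encode()


@dataclass(frozen=True)
class PrivateKey:
    instant: datetime         # the time instant the private key is associated with
    access_structure: object  # the key's access structure over ciphertext attributes


class KeyAuthority:
    """Stand-in (assumption) for the time-lapse key utility: derives each label's data
    key and releases it only while the decryption rule holds."""

    def __init__(self, master):
        self._master = master

    def _data_key(self, label):
        return hmac.new(self._master, label, hashlib.sha256).digest()

    def encrypt(self, plaintext, not_before, not_after, attributes):
        ct = Ciphertext(not_before, not_after, frozenset(attributes), b"")
        return Ciphertext(not_before, not_after, frozenset(attributes),
                          _keystream_xor(self._data_key(ct.label()), plaintext))

    def release(self, ct, key):
        """The rule from the description: the key's instant must lie inside the interval
        AND the ciphertext attributes must satisfy the key's access structure; otherwise
        no key is released and the data stays unreadable once its interval has passed."""
        if not (ct.not_before <= key.instant <= ct.not_after):
            return None
        if not satisfies(key.access_structure, ct.attributes):
            return None
        return self._data_key(ct.label())


def decrypt(authority, ct, key):
    data_key = authority.release(ct, key)
    return None if data_key is None else _keystream_xor(data_key, ct.body)


# Constructed demonstration values.
AUTHORITY = KeyAuthority(master=b"constructed master secret, demo only")
PLAINTEXT = b"residence: 1 Example Street"
SAMPLE_CT = AUTHORITY.encrypt(PLAINTEXT, datetime(2018, 11, 1), datetime(2019, 1, 31),
                              {"kyc", "residence-proof", "bank-a"})


def try_decrypt(year, month, day, access_structure):
    """Decrypt SAMPLE_CT with a key for the given instant and access structure, or None."""
    return decrypt(AUTHORITY, SAMPLE_CT, PrivateKey(datetime(year, month, day), access_structure))
```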
In one embodiment, the step of determining KYC is decoupled into the steps of:
- providing executable code instructions for processing personal data ("program");
- providing personal data ("data");
- executing the executable code for processing personal data;
wherein one or more of said steps are performed on different hardware machines.
In one embodiment, a wearable computer associated with a user is used to process personal data.
In one embodiment, a wearable computer connects to, or is part of, one or more blockchains. In one embodiment, the DIM can be centralized. In one embodiment, the DIM can be decentralized or even highly distributed, which architecture brings increased trust in the overall platform. Regarding distributed embodiments, executing the same smart contract code (and achieving consensus thereon) for example ensures security (possibly without any data leak of the user's login/password credentials).
In one embodiment, a centralized "processing system" can receive instructions or executable instructions ("programs") and/or data packets from a set of external independent sourcing parties. Instruction packets may provide, for instance, a program to be executed on the data packets (as auditable open source code or pseudo-code, or as interpretable code, or as executable code, e.g. binary). The identity associated with an instruction packet may be known and may be verified through a separate scheme (Digital ID from a Blockchain certificate provider, for instance). The identity of the processing system may be known and/or may be verified through a similar scheme. The identity of the data packet providers (e.g. one or more sourcing parties) may be disclosed for instance by the instruction packet provider. In one embodiment, the connections between the centralized processing system and sourcing parties can follow a one-to-one scheme. Secured one-to-one channels of communication (e.g. virtual private network, tunnels, etc.) between the processing system and the sourcing parties can be set. Personal identifiable data (such as credentials for instance) may then be provided by the user directly to the centralized processing system through a secured one-to-one channel. Such data can then be transferred to one or many sourcing parties by the centralized processing system to fetch and retrieve data. The processing system may then process the data using the provided program(s) and deliver the results to one or more approved entities, the receiving parties, through a secured channel. A receiving party and the instruction packet provider can be identical or not (disintermediation).
It is to be noted that there can be a plurality of such processing systems.
In one embodiment, one or more processing systems can be hosted by a bank (e.g. accepting to execute third party code), for example in a standalone server. In some embodiments, the code can be included in a smart contract, and execution of said code can be performed on/by the blockchain, i.e. by nodes participating in the blockchain (possibly including banks).
In one advantageous embodiment, the smartphone of the user can be uniquely identified or authenticated (e.g. IMEI, biometric verifications, and the like). It can be assumed that the smartphone or smartwatch, as wearable computer, is the most personal device owned by an individual. A wearable computer can include wireless connection capabilities to surrounding display systems present in the vicinity of the user, if not its own visual projection capabilities (e.g. laser, AR, VR, etc.). It can be assumed that there is "one" such system (it can designate a Body Area Network, made of connected devices comprising connected jewelry, connected rings, connected bands, watch, glasses, if not implanted systems, etc.). Such a system is under "physical" control of the user, at least symbolically. Such a wearable computer or "system" can serve as a processing system.
This processing system can be part of a blockchain, or not.
In one embodiment, the processing system of the smartphone of the user can be used to solely process the personal data or credentials of said user. Such an embodiment can be advantageous in that the processing of personal data is performed on the machine owned by the user. As miscalculations or spoofing or other hacks may occur, in some other embodiments, the processing system of the smartphone of the user can be used to process all data but not the personal data or credentials of said user. Such an embodiment can be advantageous in that the processing of data is performed by a community of users, "verifying" each other.
The preceding cases can refer to "standalone" processing units, off-chain, or not part of (any) blockchain(s). Yet in some embodiments, all or parts of the processing systems may be part of one (or more) blockchain(s). That is, in some embodiments, the wearable computer (e.g. smartphone) of the user can be a node of a (the) blockchain. In some embodiments, one unique blockchain can be used (for data privacy management). In some embodiments, a plurality of blockchains can be used, for example using side-chains (e.g. one first block/side chain being dedicated to data processing, while a second block/side chain can be used for reference data storage, for example).
In one very specific embodiment (advantageous in view of contemporary requirements and corresponding to particular compromises, e.g. in terms of security, comfort of use, user experience, etc.), the smartphone of the user can serve as a "permanent" identification system; more precisely, as a "connected" system. The wearable system of the user being connected (or at least connectible or reachable), a privacy management system can require the wearable system to play a major or central role. In particular, it can be assigned the role of processing system. An associated privacy administration web page can require a connected state of the wearable computer. The code (instruction packets) can be executed on the wearable computer: for example the smartphone of the user can execute an app, which app connects to a blockchain (managing privacy). The system of the user then may become a "relay", i.e. a link between the web interface for managing privacy and the app interface executed on the wearable system. While the web interface may present a better usage comfort (for managing privacy), the wearable computer may store the core critical credentials (e.g. KYC, wallet credentials, couples of login/passwords), locally and/or remotely (e.g. tokens to access cloud-stored data, for example a cloud "drive" of the user replicating local critical data in case of loss or alteration of local data, or a "digital safe" or "strongbox", etc.). When a bank requests an update ("proofs' refresh") of the KYC data, the wearable computer may be questioned (e.g. programmatically). Data communications can be ciphered (e.g. HTTPS and "authcrypt indy"). QKD can optionally be used. Post-quantum ciphers can be used.
In one embodiment, at device startup and/or for a session limited over time, the app running on the smartphone of the wearable system may require the user to enter the wallet passphrase. If and when requested by a bank or an agreed third party, the app is queried. If not connected, a corresponding digital safe can be queried as a substitute. In particular, it can be determined whether one or more proofs require any update. If necessary, the user can be notified via a GUI (e.g. of queries "bank A asked for your residence address", "bank B requires another proof of residence", etc.). The user may access an administration dashboard to manage his/her privacy. Some data communications may be pre-approved (e.g. residence address), some may be forbidden unless explicit exceptions (e.g. sexual orientation, religion), some others may be conditional, e.g. to the triggering of predefined events or other contexts or facts (e.g. birth date, place of birth, communication of running performances against micro-payments). The user may provide additional credentials to add supplementary proofs, share one or more proofs, deny or allow access to some requesting parties, request crowdsourced extraction, allow or forbid code execution (e.g. auditable code on a blockchain, on own or external devices, etc.).
In one embodiment, the trust in the DIM can be increased by using a warrant canary (e.g. in addition to decoupling the specification of privacy managing code, its execution and private data provision). A warrant canary is a method by which a service provider passively informs its users that it has been served with a secret government subpoena (despite legal prohibitions on revealing the existence of the subpoena). A warrant canary informs users that there has not been a secret subpoena as of a particular date ("the FBI has not been here, as of 6/3/2019, refreshed every week"). If the canary is not updated (e.g. for the time period specified by the host), users are to assume that the host has been served with such a subpoena.
Regarding embodiments involving one or more blockchains, some aspects of the invention are further described.
The advantages of "decoupling" have been discussed. In one embodiment, the previously discussed "code instructions" (e.g. encoding KYC templates) or "program" can be a "smart contract", i.e. implemented on a blockchain. Upstream, before the execution of said program, nodes of the blockchain can ensure that the exact same code is present in the blockchain (replicated at nodes of the blockchain). A node may store an erroneous, or malicious, version of the smart contract but will then be rejected by distributed consensus. In some embodiments, hashes of the smart contract at nodes of the blockchain can be computed and compared (stored, monitored). Downstream, the execution of the code can be performed by one or more or all nodes of the blockchains, and results can be compared. Similarly, consensus can be achieved. Such embodiments are thus advantageous in that the integrity of the program constituting the smart contract can be secured, as well as its execution.
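As an added example (not the applicant's code), the two consensus steps above, and the hashed open-source extraction code discussed earlier, simulated with a handful of nodes: upstream, each node hashes its copy of the program and the majority hash wins, so a node holding a tampered copy is rejected; downstream, the nodes holding the accepted copy execute it on the same data and the results are compared. The KYC template program, node ids and input are constructed; the `faulty` parameter is a hypothetical switch that simulates a miscalculating node.

```python
import hashlib
import json
from collections import Counter

# Constructed "smart contract" encoding a KYC template (hypothetical program): it decides
# whether an address extracted from a utility invoice supports the declared residence.
GENUINE_PROGRAM = '''
def run(data):
    same_address = data["declared_address"].strip().lower() == data["invoice_address"].strip().lower()
    recent = data["invoice_age_days"] <= 90
    return {"residence_proven": same_address and recent}
'''

# A malicious copy held by one node: it accepts any address whatsoever.
TAMPERED_PROGRAM = GENUINE_PROGRAM.replace("same_address and recent", "True")


def code_hash(source):
    """Hash of the program text; nodes store, exchange and compare these values."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def agree_on_code(copies):
    """Upstream step: each node hashes its copy, the majority hash is accepted and the
    nodes holding a different copy are rejected. `copies` maps node id -> source text."""
    hashes = {node: code_hash(src) for node, src in copies.items()}
    majority_hash, votes = Counter(hashes.values()).most_common(1)[0]
    if votes * 2 <= len(hashes):
        raise RuntimeError("no majority on the program contents")
    rejected = sorted(node for node, h in hashes.items() if h != majority_hash)
    return majority_hash, rejected


def run_on_nodes(copies, accepted_hash, data, faulty=frozenset()):
    """Downstream step: every node holding the accepted copy executes it on the data and
    the results are compared; returns the majority result and the dissenting nodes.
    `faulty` simulates nodes that miscalculate (their result is flipped)."""
    results = {}
    for node, src in copies.items():
        if code_hash(src) != accepted_hash:
            continue  # rejected upstream, takes no part in execution
        namespace = {}
        exec(src, namespace)  # simulation only; a real chain runs contracts in a sandboxed VM
        result = namespace["run"](data)
        if node in faulty:
            result = {k: (not v) for k, v in result.items()}
        results[node] = json.dumps(result, sort_keys=True)
    majority, votes = Counter(results.values()).most_common(1)[0]
    if votes * 2 <= len(results):
        raise RuntimeError("no majority on the execution result")
    dissenting = sorted(node for node, r in results.items() if r != majority)
    return json.loads(majority), dissenting


# Constructed input: the extracted invoice address differs from the declared one.
SAMPLE_DATA = {"declared_address": "1 Example Street, Exampletown",
               "invoice_address": "99 Other Road, Exampletown", "invoice_age_days": 30}
NODE_COPIES = {"node-a": GENUINE_PROGRAM, "node-b": GENUINE_PROGRAM,
               "node-c": GENUINE_PROGRAM, "node-d": TAMPERED_PROGRAM}

if __name__ == "__main__":
    accepted, rejected = agree_on_code(NODE_COPIES)
    print("rejected nodes:", rejected)
    print(run_on_nodes(NODE_COPIES, accepted, SAMPLE_DATA, faulty={"node-b"}))
```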
As previously mentioned, one or more blockchains can be used. It is incidentally observed that one or more oracles' blockchains can be used, to establish facts or truths made in the physical world. For example, various official registers or publications (e.g. diplomas, marriage, etc.) can establish some facts to be true, and contribute to triggering smart contracts in relation with privacy management.
Regarding the architecture (comprising DIM(s), users' apps, blockchain(s), side-chains, oracles' chains, standalone servers e.g. in banks, sourcing parties' resources, etc.), many variants can be envisioned. In particular, the app of a wearable computer associated with a given user can use or request or access or involve "validator" nodes (blockchain writing nodes), "observer" nodes (reading the blockchain), "edge agents" (e.g. mobiles, tablets, etc.) linked to "cloud agents".
Selective or non-disclosure of personal data can use zero-knowledge proof (ZKP) cryptography (a method by which one party (the prover) can prove to another party (the verifier) that she knows a value x, without conveying any information apart from the fact that she knows the value x). Protocols generally require interactions (one or more challenges). In blockchains, ZKPs can be used to guarantee that transactions are valid despite the fact that information about the sender, the recipient and other transaction details remains hidden. Such mechanisms can be particularly useful for privacy management. Different variants of zero-knowledge proof mechanisms can be used in embodiments of the invention (e.g. "perfect zero-knowledge", "statistical zero-knowledge", "computational zero-knowledge", etc.). Multi-party computation can also be used: while each party can keep their secret, they together can produce a result.
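As an added example (not from the application) of the interactive proof described above: a Schnorr identification protocol in which the prover convinces the verifier that she knows x with y = g^x, through a commitment, a challenge and a response, without revealing x. The group parameters are constructed toy values; the Prover and Verifier classes are hypothetical names chosen for the illustration.

```python
import secrets

# Constructed toy group: p = 2q + 1 with q prime and g of prime order q. These values are
# far too small to be secure and only keep the arithmetic readable; a deployment would
# use a standardised group (a 2048-bit MODP group or an elliptic curve).
P = 1019
Q = 509
G = 4  # 4 = 2^2 is a quadratic residue mod 1019, hence generates the order-q subgroup


class Prover:
    """Holds the secret x and proves knowledge of it for the public value y = g^x mod p."""

    def __init__(self, x):
        self.x = x % Q
        self.y = pow(G, self.x, P)
        self._r = None

    def commit(self):
        """Round 1: send t = g^r for a fresh random r (the commitment)."""
        self._r = secrets.randbelow(Q)
        return pow(G, self._r, P)

    def respond(self, challenge):
        """Round 3: s = r + c*x mod q. The random r masks x, so s reveals nothing about it."""
        s = (self._r + challenge * self.x) % Q
        self._r = None  # never reuse r: two responses under the same r would expose x
        return s


class Verifier:
    """Knows only the public y and decides whether the prover knows its discrete log."""

    def __init__(self, y):
        self.y = y
        self._t = None
        self._c = None

    def challenge(self, t):
        """Round 2: record the commitment and pick an unpredictable challenge c in [1, q-1]."""
        self._t = t % P
        self._c = 1 + secrets.randbelow(Q - 1)
        return self._c

    def check(self, s):
        """Accept iff g^s == t * y^c (mod p). In a prime-order group a prover using a wrong
        witness passes for no nonzero c, so a wrong witness is always rejected here."""
        return pow(G, s, P) == (self._t * pow(self.y, self._c, P)) % P


def run_protocol(prover, verifier):
    """One interactive execution: commitment, challenge, response, verification."""
    t = prover.commit()
    c = verifier.challenge(t)
    s = prover.respond(c)
    return verifier.check(s)


def demo(secret_x, witness):
    """The verifier holds y = g^secret_x; the prover runs the protocol using `witness` as
    its x. Returns True only when the witness is the actual discrete log of y."""
    y = pow(G, secret_x % Q, P)
    return run_protocol(Prover(witness), Verifier(y))


if __name__ == "__main__":
    print("honest prover accepted:", demo(123, 123))
    print("wrong witness accepted:", demo(123, 124))
```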
CLAIMS
1. A computer-implemented method of handling personal data comprising the steps of:
- a program (220) associating data of a first dataset (210) with data of a second dataset (230), wherein the first dataset (210) comprises personal identifiable data and wherein the second dataset (230) does not comprise personal identifiable data;
- receiving a request for data of the first and/or second datasets;
- determining in/by a program (220) communication modalities to said requested data;
- communicating requested data or parts thereof;
wherein the program is a smart contract instantiated in a distributed ledger or blockchain.
2. The computer-implemented method of Claim 1, wherein the first dataset (210) comprises true identity information and/or Know Your Customer compliant data.
3. The method of claim 2, wherein KYC compliant data of a user is determined from a plurality of documents hosted by independent sources.
4. The method of claim 3, wherein websites' certificates of one or more independent sources are verified when retrieving documents.
5. The method of any one of claims 3 to 4, wherein retrieval accesses to documents hosted by independent sources are tracked and reported to the user.
6. The method of any one of claims 3 to 5, wherein the step of determining KYC compliant data comprises the use of one or more of machine vision, optical character recognition and/or machine learning.
7. The method of any one of claims 3 to 6, wherein the step of determining KYC compliant data access comprises crowdsourcing.
8. The method of any one of claims 3 to 7, wherein the step of determining KYC data is decoupled into the steps of:
- providing executable code instructions for processing personal identifiable data or documents;
- providing personal identifiable data or documents;
- executing the executable code instructions for processing personal identifiable data or documents;
wherein one or more of said decoupled steps are performed on different hardware or machines.
9. The method of claim 8, wherein a wearable computer associated with a user, such as a smartphone, is used to process personal data.
10. The method of claim 9, the wearable computer connecting to, or being part of, one or more blockchains or crypto ledgers.
11. The computer-implemented method of one of Claims 1 to 10, wherein the second dataset (230) comprises anonymous and/or anonymized and/or pseudonymized and/or de-identified data.
12. The computer-implemented method of one of Claims 1 to 11, wherein the second dataset (230) is partitioned into a plurality of datasets associated with discrete levels of privacy breach risks.
13. The computer-implemented method of one of Claims 1 to 12, wherein the partitioning between datasets and/or the logic implemented in the program (220) uses one or more mechanisms selected from a group comprising multi-party computation, homomorphic encryption, k-anonymity, l-diversity, Virtual Party Protocols, Secure Sum Protocols, differential privacy, exponential mechanism, Statistical Disclosure Control, double blind mechanism or quasi-identifiers.
14. The computer-implemented method of one of Claims 1 to 13, wherein the program (220) implements one or more of formal logic, computational logic, fuzzy logic or intuitionist logic.
15. The computer-implemented method of Claim 1, wherein the distributed ledger is a permissioned ledger.
16. The computer-implemented method of one of Claims 1 to 15, wherein the communication of requested data is conditional to a financial transaction.
17. The computer-implemented method of one of Claims 1 to 16, wherein data is sensor data.
18. The computer-implemented method of one of Claims 1 to 17, wherein data is secured by using one or more of symmetric encryption, asymmetric encryption, quantum key distribution, post-quantum encryption, and/or format-preserving encryption.
19. The computer-implemented method of one of Claims 1 to 18,
wherein the second dataset (230) comprises GDPR compliant data, said GDPR data being associated with predefined rules with respect to disclosure consent, data breach monitoring, data deletion and data portability;
wherein a request to access and/or to modify data of the first dataset (210) and/or the second dataset (230) is notified to one or more users associated with said data;
wherein an access to and/or a modification of data of the first dataset (210) and/or the second dataset (230) is conditional to the acceptation by one or more users associated with said data;
wherein the first dataset (210) and/or the second dataset (230) is downloadable by one or more users associated with said data and having sufficiently proved their true identity;
wherein an access request and/or modification of data and/or read and/or rights associated with a piece of data of the first dataset (210) and/or the second dataset (230) is recorded in a metadata file, said metadata file being stored separately from said piece of data or being conveyed along with said piece of data.
20. A computer program comprising instructions for carrying out the steps of the method of any preceding claim when said computer program is executed on a computer.
A. CLASSIFICATION OF SUBJECT MATTER
INV. G06F21/62 H04L29/06
ADD.
According to International Patent Classification (IPC) or to both national classification and IPC

B. FIELDS SEARCHED
Minimum documentation searched (classification system followed by classification symbols): G06F H04L
Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched: none listed
Electronic data base consulted during the international search (name of data base and, where practicable, search terms used): EPO-Internal, WPI Data

C. DOCUMENTS CONSIDERED TO BE RELEVANT
Citation of document, with indication, where appropriate, of the relevant passages; relevant to claim No.

KAANICHE NESRINE ET AL: "A blockchain-based data usage auditing architecture with enhanced privacy and availability", 2017 IEEE 16TH INTERNATIONAL SYMPOSIUM ON NETWORK COMPUTING AND APPLICATIONS (NCA), IEEE, 30 October 2017 (2017-10-30), pages 1-5, XP033265459, DOI: 10.1109/NCA.2017.8171384
  page 1, left-hand column, line 1 - page 1, left-hand column, line 23; page 2, right-hand column, line 46 - page 4, right-hand column, line 35; page 5, right-hand column, line 11 - page 5, right-hand column, line 27
  Relevant to claims 1-20

Further documents are listed in the continuation of Box C. See patent family annex.

Date of the actual completion of the international search: 19 November 2018
Date of mailing of the international search report: 26/11/2018
Name and mailing address of the ISA: European Patent Office, P.B. 5818 Patentlaan 2, NL-2280 HV Rijswijk, Tel. (+31-70) 340-2040, Fax: (+31-70) 340-3016
Authorized officer: Sauzon, Guillaume

C (Continuation). DOCUMENTS CONSIDERED TO BE RELEVANT
Citation of document, with indication, where appropriate, of the relevant passages; relevant to claim No.

WO 2017/066715 A1 (CAMBRIDGE BLOCKCHAIN LLC [US]; BHARGAVA ALOK [US]) 20 April 2017 (2017-04-20)
  page 1, line 26 - page 3, line 12; page 6, line 26 - page 7, line 2; page 8, line 17 - page 8, line 25; page 10, line 24; page 13, line 4 - page 16, line 25; page 25, line 9 - page 27, line 24; page 29, line 25 - page 30, line 19; page 33, line 14 - page 36, line 18; claims 1, 3, 6; figures 1, 5
  Relevant to claims 1-20

KIYOMOTO SHINSAKU ET AL: "On blockchain-based anonymized dataset distribution platform", 2017 IEEE 15TH INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING RESEARCH, MANAGEMENT AND APPLICATIONS (SERA), IEEE, 7 June 2017 (2017-06-07), pages 85-92, XP033111706, DOI: 10.1109/SERA.2017.7965711
  page 85, left-hand column, line 1 - page 85, right-hand column, line 15; page 86, right-hand column, line 4 - page 86, right-hand column, line 28; page 87, left-hand column, line 31 - page 88, right-hand column, line 37
  Relevant to claims 1-20

Patent family annex
Patent document cited in search report: WO 2017066715 A1, publication date 20-04-2017
Patent family member(s) and publication dates:
  CA 3002034 A1        20-04-2017
  CN 108701276 A       23-10-2018
  EP 3234878 A1        25-10-2017
  KR 20180108566 A     04-10-2018
  SG 11201803010U A    30-05-2018
  2017111175 A1        20-04-2017
  2017222814 A1        03-08-2017
  2018234433 A1        16-08-2018
  WO 2017066715 A1     20-04-2017