USER-DIRECTED PRIVACY CONTROL IN A USER-CENTRIC IDENTITY MANAGEMENT SYSTEM

US 20090300715A1
Filed: 05/27/2009
Published: 12/03/2009
Est. Priority Date: 05/27/2008
Status: Active Grant

First Claim

Patent Images

1. In an environment including at least one service provider each associated with a respective privacy policy, a system, comprising:

an identity manager configured to manage a plurality of user identities;

a plurality of privacy preferences relative to at least one user identity; and

a privacy engine operatively associated with the plurality of privacy preferences, the privacy engine configured to evaluate at least one privacy preference against a privacy policy obtained from the environment.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An identity management system incorporates privacy management processes that enable the user to exercise privacy controls over the disclosure of user identity information within the context of an authentication process. A combination includes an identity selector, a privacy engine, and a ruleset. The identity selector directs the release of a user identity in the form of a security token to satisfy the requirements dictated by a security policy. Prior to release of the user identity, the engine conducts a privacy enforcement process that examines the privacy policy of the service provider and determines if it is acceptable. The engine evaluates a ruleset against the privacy policy. A preference editor enables the user to construct, in advance, the ruleset, which embodies the user'"'"'s privacy preferences regarding the disclosure of identity information. Based on the evaluation results, the user can either approve or disapprove the privacy policy, and so decide whether to proceed with disclosure of the user identity.

Citations

20 Claims

1. In an environment including at least one service provider each associated with a respective privacy policy, a system, comprising:
- an identity manager configured to manage a plurality of user identities;
  
  a plurality of privacy preferences relative to at least one user identity; and
  
  a privacy engine operatively associated with the plurality of privacy preferences, the privacy engine configured to evaluate at least one privacy preference against a privacy policy obtained from the environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, further comprises:
    - the identity manager includes a means for receiving from the service provider environment a security policy having requirements, and a means for determining whether any of the user identities satisfies the security policy requirements; and
      
      the privacy engine configured further to use, in the evaluation operation, the privacy preference of any user identity determined to satisfy the security policy requirements.
  - 3. The system of claim 1, wherein the privacy engine configured further to:
    - (1) receive an indication specifying at least one user identity that satisfies requirements of a security policy, (2) obtain the privacy preference for each specified user identity, and (3) use at least one obtained privacy preference in the evaluation operation.
  - 4. The system of claim 1, further comprises:
    - a means for providing at least one categorized group of user identity attributes, and for determining a privacy preference for each category.
  - 5. The system of claim 4, further comprises:
    - the identity manager includes a means for receiving from the service provider environment a security policy having requirements specifying required attributes; and
      
      the privacy engine includes a means for identifying at least one category referencing the required attributes, and for using the privacy preference of at least one identified category in the evaluation operation.
  - 6. The system of claim 1, further comprises:
    - the plurality of user identities includes at least one information card.
  - 7. The system of claim 6, further comprises:
    - the identity manager includes a means for receiving from the service provider environment a security policy having requirements, and for determining whether any of the information cards satisfies the security policy requirements; and
      
      the privacy engine includes a means for using, in the evaluation operation, the privacy preference of any information card determined to satisfy the security policy requirements.
  - 8. The system of claim 1, further comprises:
    - a policy editor configured to process a privacy policy from the environment, generate a reduced version thereof, and supply the reduced privacy policy as the privacy policy used by the privacy engine evaluation.
  - 9. The system of claim 1, wherein the privacy engine configured further to receive from the identity manager an indication of at least one user identity, and to conduct the evaluation using at least one privacy preference of any user identity specified in the indication.

10. In an environment including at least one service provider each associated with a respective privacy policy, method, comprising:
- managing a plurality of user identities;
  
  providing a plurality of privacy preferences relative to at least one user identity; and
  
  evaluating at least one privacy preference against a privacy policy obtained from the environment.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, further comprises:
    - receiving from the environment a security policy having requirements;
      
      processing the security policy to determine whether any of the user identities satisfies the security policy requirements; and
      
      the evaluating further includes using the privacy preference of any user identity determined to satisfy the security policy requirements.
  - 12. The method of claim 10, further comprises:
    - providing at least one categorized group of user identity attributes; and
      
      determining a privacy preference for each category.
  - 13. The method of claim 12, further comprises:
    - receiving from the environment a security policy having requirements specifying required attributes;
      
      identifying at least one category referencing the required attributes; and
      
      the evaluating further includes using the privacy preference of at least one identified category in the evaluation operation.
  - 14. The method of claim 10, further comprises:
    - the providing further includes providing at least one information card.
  - 15. The method of claim 14, further comprises:
    - receiving from the environment a security policy having requirements;
      
      processing the security policy to determine whether any of the information cards satisfies the security policy requirements; and
      
      the evaluating further includes using the privacy preference of any information card determined to satisfy the security policy requirements.
  - 16. The method of claim 10, further comprises:
    - obtaining an indication of at least one user identity; and
      
      the evaluating further includes using at least one privacy preference of any user identity specified in the indication.

17. In an environment including at least one service provider each associated with a respective privacy policy, a computer-readable medium having computer-executable instructions for execution by a processor, that, when executed, cause the processor to:
- manage a plurality of user identities;
  
  provide a plurality of privacy preferences relative to at least one user identity; and
  
  evaluate at least one privacy preference against a privacy policy obtained from the environment.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable medium of claim 17, wherein the instructions further cause the processor to:
    - receive from the environment a security policy having requirements;
      
      process the security policy to determine whether any of the user identities satisfies the security policy requirements; and
      
      cause the evaluation operation to use the privacy preference of any user identity determined to satisfy the security policy requirements.
  - 19. The computer-readable medium of claim 17, wherein the instructions further cause the processor to:
    - provide at least one categorized group of user identity attributes;
      
      determine a privacy preference for each category;
      
      receive from the environment a security policy having requirements specifying required attributes;
      
      identify at least one category referencing the required attributes; and
      
      cause the evaluation operation to use the privacy preference of at least one identified category.
  - 20. The computer-readable medium of claim 17, wherein the instructions further cause the processor to:
    - provide at least one information card;
      
      receive from the environment a security policy having requirements;
      
      process the security policy to determine whether any of the information cards satisfies the security policy requirements; and
      
      cause the evaluation operation to use the privacy preference of any information card determined to satisfy the security policy requirements.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Open Invention Network LLC
Inventors
Ahn, Gail-Joon

Granted Patent

US 8,793,757 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/604   Tools and structures for ma...

G06F 21/6245   Protecting personal data, e...

G06F 21/6263   during internet communicati...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

USER-DIRECTED PRIVACY CONTROL IN A USER-CENTRIC IDENTITY MANAGEMENT SYSTEM

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

USER-DIRECTED PRIVACY CONTROL IN A USER-CENTRIC IDENTITY MANAGEMENT SYSTEM

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links