System and method for preventing access to data on a compromised remote device

US 9,083,707 B2
Filed: 02/27/2014
Issued: 07/14/2015
Est. Priority Date: 08/09/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method of controlling access to data held on a mobile device, the method comprising:

maintaining, on a mobile device which is a client of a server system, a plurality of sets of data items, the plurality of sets of data items comprising;

a first set of data items comprising data items to be synchronized between the server system and the mobile device via a wireless data connection, such that values of data items of the first set are updated at the server system in response to changes thereto on the mobile device, and values of data items of the first set are updated at the mobile device in response to changes thereto at the server system; and

a second set of data items, different to the first set of data items, the second set of data items comprising data items which are not synchronized with the server system;

receiving, at the server system, an indication that the mobile device has a deauthorized status, the indication originating from a source other than the mobile device;

transmitting, from the server system to the mobile device, in response to the indication, a command to prevent access to the first set of data items; and

responsive to receipt of the command at the mobile device, selectively erasing data items on the mobile device, such that;

data items of the first set of data items are erased; and

access to data items of the second set of data items is maintained after receipt of the command.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention discloses a system and method for selective erasure, encryption and or copying of data on a remote device if the remote device has been compromised or the level of authorization of a roaming user in charge of the remote device has been modified.

Citations

32 Claims

1. A method of controlling access to data held on a mobile device, the method comprising:
- maintaining, on a mobile device which is a client of a server system, a plurality of sets of data items, the plurality of sets of data items comprising;
  
  a first set of data items comprising data items to be synchronized between the server system and the mobile device via a wireless data connection, such that values of data items of the first set are updated at the server system in response to changes thereto on the mobile device, and values of data items of the first set are updated at the mobile device in response to changes thereto at the server system; and
  
  a second set of data items, different to the first set of data items, the second set of data items comprising data items which are not synchronized with the server system;
  
  receiving, at the server system, an indication that the mobile device has a deauthorized status, the indication originating from a source other than the mobile device;
  
  transmitting, from the server system to the mobile device, in response to the indication, a command to prevent access to the first set of data items; and
  
  responsive to receipt of the command at the mobile device, selectively erasing data items on the mobile device, such that;
  
  data items of the first set of data items are erased; and
  
  access to data items of the second set of data items is maintained after receipt of the command.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, comprising selecting, at the server system, a set procedure determining data items to be erased at the mobile device, wherein the command is based on the selected set procedure.
  - 3. The method of claim 2, wherein the selected set procedure determines an extent of data erasure on the mobile device.
  - 4. The method of claim 3, wherein the selected set procedure determines that only data items of the first data items are to be erased.
  - 5. The method of claim 2, wherein the set procedure is selected from a plurality of options, including an option to erase all data items on the mobile device.
  - 6. The method of claim 2, wherein the set procedure is manually selected at the server.
  - 7. The method of claim 1, wherein the second set of data items comprises personal data belonging to the user of the mobile device.
  - 8. The method of claim 1, wherein the first set of data items comprises proprietary data items belonging to an organization.
  - 9. The method of claim 1, wherein the first set of data items comprises at least one of:
    - one of e-mail data, calendar data, file data, bookmark data, task data, sales force automation data, customer relations management data, organizational directory data, personal information manager (PIM) data and applications.
  - 10. The method of claim 1, wherein the first set of data items are synchronized periodically and automatically via the wireless data connection, and the method comprises:
    - responsive to receipt of the command, severing the wireless data connection, so as to prevent the periodic synchronization.
  - 11. The method of claim 1, wherein the wireless data connection comprises an HTTP connection.
  - 12. The method of claim 1, wherein access to data items of the second set of data items after the receipt of the command is provided via a user interface.

13. A server system for use in controlling access to data held on a mobile device, the server system comprising:
- at least one processor and a memory, wherein the at least one processor and memory is configured to cause the server system at least to perform the steps of;
  
  receiving, at the server system, an indication that a mobile device has a deauthorized status, the indication originating from a source other than the mobile device, wherein the mobile device is a client of the server system;
  
  responsive to receipt of the indication, selecting a set procedure determining data items to be erased at the mobile device;
  
  transmitting, to the mobile device, based on the selected procedure, a command to erase data items of a first set of data items, the command being based on the selected set procedure, wherein;
  
  the first set of data items comprises data items to be synchronized between a server remote from the mobile device and the mobile device via a wireless data connection, such that values of data items of the first set are updated at the remote server in response to changes thereto on the mobile device, and values of data items of the first set are updated at the mobile device in response to changes thereto at the remote server;
  
  the first set of data items are different from a second set of data items, the second set of data items comprising data items which are not synchronized with the remote server;
  
  the command results in data items of the first set of data items being erased; and
  
  access to data items of the second set of data items is maintained on the mobile device, after receipt of the command.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The server system of claim 13, wherein the server system comprises the server remote from the mobile device.
  - 15. The server system of claim 13, wherein the selected set procedure determines an extent of data erasure on the mobile device.
  - 16. The server system of claim 15, wherein the selected set procedure determines that only data items of the first data items are to be erased.
  - 17. The server system of claim 13, wherein the set procedure is selected from a plurality of options, including an option to erase all data items on the mobile device.
  - 18. The server system of claim 13, wherein the server system is configured to the indication from a user.
  - 19. The server system of claim 13, wherein the second set of data items comprises personal data belonging to the user of the mobile device.
  - 20. The server system of claim 13, wherein the first set of data items comprises proprietary data items belonging to an organization.
  - 21. The server system of claim 13, wherein the first set of data items are synchronized periodically and automatically via the wireless data connection, and the at least one processor and memory is configured to cause the server system to send a command to the mobile device to severing the wireless data connection, so as to prevent the periodic synchronization.
  - 22. The server system of claim 13, wherein the wireless data connection comprises an HTTP connection.

23. A mobile device for controlling access to data items held thereon, the mobile device holding sets of data items thereon, including:
- a first set of data items comprising data items to be synchronized between a server system and the mobile device via a wireless data connection, such that values of data items of the first set are updated at the server system in response to changes thereto on the mobile device, and values of data items of the first set are updated at the mobile device in response to changes thereto at the server system; and
  
  a second set of data items, different to the first set of data items, the second set of data items comprising data items which are not synchronized with the server system,wherein the mobile device is a client of the server system and comprises at least one processor and memory which are configured to cause the mobile device at least to perform the steps of;
  
  receiving a command from the server system to prevent access to the first set of data items, the command being received in response to an indication that the mobile device is deauthorized, the indication originating from a source other than the mobile device; and
  
  responsive to receipt of the command at the mobile device, selectively erasing data items on the mobile device, such that;
  
  data items of the first set of data are erased; and
  
  access to data items of the second set of data items is maintained after receipt of the command.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The mobile device of claim 23, wherein the command is based on a set procedure selected at the server system.
  - 25. The mobile device of claim 24, wherein the selected set procedure determines an extent of data erasure on the mobile device.
  - 26. The mobile device of claim 25, wherein the selected set procedure determines that only data items of the first data items are to be erased.
  - 27. The mobile device of claim 23, wherein the second set of data items comprises personal data belonging to the user of the mobile device.
  - 28. The mobile device of claim 23, wherein the first set of data items comprises proprietary data items belonging to an organization.
  - 29. The mobile device of claim 23, wherein the first set of data items are synchronized periodically and automatically via the wireless data connection, and the at least one processor and memory which are configured to cause the mobile device to sever the wireless data connection, responsive to receipt of the command, so as to prevent the periodic synchronization.
  - 30. The mobile device of claim 23, wherein the wireless data connection comprises an HTTP connection.

31. A non-transitory computer-readable storage medium comprising code that when executed on a server system causes the server system to perform a method, the method comprising:
- receiving, at a server system, an indication that a mobile device has a deauthorized status, the indication originating from a source other than the mobile device, wherein the mobile device is a client of the server system;
  
  responsive to receipt of the indication, selecting a set procedure determining data items to be erased at the mobile device;
  
  transmitting, to the mobile device, based on the selected procedure, a command to erase data items of a first set of data items, the command being based on the selected set procedure,wherein;
  
  the first set of data items comprises data items to be synchronized between a server remote from the mobile device and the mobile device via a wireless data connection, such that values of data items of the first set are updated at the remote server in response to changes thereto on the mobile device, and values of data items of the first set are updated at the mobile device in response to changes thereto at the remote server;
  
  the first set of data items are different from a second set of data items, the second set of data items comprising data items which are not synchronized with the remote server;
  
  the command results in data items of the first set of data items being erased; and
  
  access to data items of the second set of data items is maintained on the mobile device, after receipt of the command.

32. A non-transitory computer-readable storage medium comprising code that when executed on a mobile device causes the mobile device to perform a method, the method comprising:
- maintaining, on a mobile device which is a client of a server system, a plurality of sets of data items, the plurality of sets of data items comprising;
  
  a first set of data items comprising data items to be synchronized between the server system and the mobile device via a wireless data connection, such that values of data items of the first set are updated at the server system in response to changes thereto on the mobile device, and values of data items of the first set are updated at the mobile device in response to changes thereto at the server system; and
  
  a second set of data items, different to the first set of data items, the second set of data items comprising data items which are not synchronized with the server system;
  
  receiving a command from the server system to prevent access to the first set of data items, the command being received in response to an indication that the mobile device is deauthorized, the indication originating from a source other than the mobile device; and
  
  responsive to receipt of the command at the mobile device, selectively erasing data items on the mobile device, such that;
  
  data items of the first set of data are erased; and
  
  access to data items of the second set of data items is maintained after receipt of the command.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Blackberry Limited
Original Assignee
Good Technology Corporation (Blackberry Limited)
Inventors
Mendez, Daniel J., Ng, Mason
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
AVERY, JEREMIAH L

Application Number

US14/192,802
Publication Number

US 20140181918A1
Time in Patent Office

502 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2143   Clearing memory, e.g. to pr...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 67/1095   Replication or mirroring of...

H04W 12/06   Authentication

H04W 12/122   Counter-measures against at...

H04W 12/126   Anti-theft arrangements, e....

H04W 12/128   Anti-malware arrangements, ...

System and method for preventing access to data on a compromised remote device

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for preventing access to data on a compromised remote device

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links