System and method establishing trusted relationships to enable secure exchange of private information

摘要

The invention disclosed here is aimed at enabling a trusted third party to manage user opt-ins which would enable growth of personalized information services, that is, enabling trusted business relationships between three types of entities—an end-user, an information source/provider, and an application service provider/developer—so that they can have a controlled, secure and private exchange of sensitive and/or confidential information. The inventive system has modes of operation recommended based on various conditions, enabling a secure exchange of private information between personal information repository owners and application services providers to enable deliver of personalized services. One mode is Durable Subscription Management, which is used when per transaction approval is not needed, that is, when an end-user has given permission to access data for a given or predefined period of time. A second mode is Per-Transaction Subscription Management Without Logs and a third mode is Per-Transaction Subscription Management With Logs.

主权项

1. A system for secure exchange of private information between a personal information repository owner (PIRO) and an application services provider (ASP) to enable delivery of a personalized service to an end-user device, the system comprising:
a trusted third-party privity core on a processor, wherein the trusted third-party privity core is in communication with the PIRO, the ASP, and the end-user device; and a privity runtime engine in communication with the trusted third-party privity core, the PIRO, and the ASP; wherein the trusted third-party privity core:
stores a level of trustworthiness for the ASP;stores rules regulating dissemination of different types of private information:receives an opt-in message from the end-user device indicating a request to receive a service provided by the ASP;receives from the ASP, a request for private information of the end-user device needed for providing the requested service;determines whether the requested private information can be provided to the ASP based on the level of trustworthiness for the ASP, the rules regulating dissemination of the requested private information, and the opt-in message from the end-user device;generates a one-time subscription token that includes the received request for private information;stores the token in a token database accessible by the privity runtime engine;encrypts the token; andsends the encrypted one-time token to the ASP upon determining that the requested private information can be provided to the ASP; wherein the ASP decrypts the encrypted one-time token and sends the token and the request for private information to the privity runtime engine; and wherein the privity runtime engine:
receives the token and the request for private information from the ASP;verifies the token is valid and the request for private information matches the request sent from the privity core to the ASP; andupon verification of the token and the request, obtains the requested private information from the PIRO and sends the requested private information to the ASP.