U.S. patent application number 16/067574 was filed with the patent office on 2019-01-10 for systems and method for retroactive assignment of personally identifiable information in distribution of digital content.
This patent application is currently assigned to Verimatrix, Inc. The applicant listed for this patent is Verimatrix, Inc. Invention is credited to Niels J. Thorwirth.

| Field | Value |
|---|---|
| Application Number | 16/067574 (publication 20190012480) |
| Family ID | 59225504 |
| Filed Date | 2019-01-10 |
![](/patent/app/20190012480/US20190012480A1-20190110-D00000.png)
![](/patent/app/20190012480/US20190012480A1-20190110-D00001.png)
![](/patent/app/20190012480/US20190012480A1-20190110-D00002.png)
![](/patent/app/20190012480/US20190012480A1-20190110-D00003.png)
![](/patent/app/20190012480/US20190012480A1-20190110-D00004.png)
![](/patent/app/20190012480/US20190012480A1-20190110-D00005.png)
![](/patent/app/20190012480/US20190012480A1-20190110-D00006.png)
United States Patent Application 20190012480, Kind Code A1
Thorwirth; Niels J.
January 10, 2019
Systems and Method for Retroactive Assignment of Personally
Identifiable Information in Distribution of Digital Content
Abstract
Systems and methods for retroactive assignment of personally
identifiable information in distribution of content in accordance
with embodiments of the invention are disclosed. In one embodiment,
a method of controlling anonymity of user profiles includes
generating an intermediate identifier using a playback device,
where the intermediate identifier is random and different from
intermediate identifiers used by other playback devices and is not
known to be associated with the playback device by entities other
than the playback device, sending the intermediate identifier
associated with consumption data concerning content files that have
been accessed on the playback device to an audience measurement
server, aggregating the consumption data into an anonymous user
profile, sending personally identifiable information about a user
of the playback device to the audience measurement server, and
combining the personally identifiable information about the user
with the anonymous user profile.
Inventors: Thorwirth; Niels J. (San Diego, CA)
Applicant: Verimatrix, Inc., San Diego, CA, US
Assignee: Verimatrix, Inc., San Diego, CA
Family ID: 59225504
Appl. No.: 16/067574
Filed: December 30, 2016
PCT Filed: December 30, 2016
PCT NO: PCT/US2016/069552
371 Date: June 29, 2018
Related U.S. Patent Documents: Application Number 62273043, Filing Date Dec 30, 2015 (no patent number)
Current U.S. Class: 1/1
Current CPC Class: G06F 2221/0733 20130101; G06Q 30/02 20130101; G06Q 50/01 20130101; H04L 9/0825 20130101; G06F 21/6254 20130101; H04L 63/0421 20130101; G06F 21/16 20130101; H04L 9/30 20130101; H04L 9/3213 20130101; G06Q 20/065 20130101; H04L 9/0869 20130101; H04L 9/3073 20130101; G06F 16/951 20190101; G06Q 30/0631 20130101
International Class: G06F 21/62 20060101 G06F021/62; H04L 29/06 20060101 H04L029/06; G06Q 20/06 20060101 G06Q020/06
Claims
1. A method of controlling anonymity of user profiles in playback
of digital content, the method comprising: generating an
intermediate identifier using a playback device, where the
intermediate identifier is pseudo random and different from
intermediate identifiers used by other playback devices within a
plurality of playback devices and is not known to be associated
with the playback device by any entities other than the playback
device; sending, using the playback device, the intermediate
identifier associated with consumption data concerning content
files that have been accessed on the playback device to an audience
measurement server; aggregating, using the audience measurement
server, the consumption data into an anonymous user profile
associated with the intermediate identifier, where the audience
measurement server does not possess information concerning which
playback device the intermediate identifier is associated with;
sending, using the playback device, personally identifiable
information about a user of the playback device associated with the
intermediate identifier to the audience measurement server; and
combining, using the audience measurement server, the personally
identifiable information about the user with the anonymous user
profile linked by the intermediate identifier to generate a
personalized user profile where the personalized user profile
includes information concerning the user of the playback device the
intermediate identifier is associated with.
2. The method of claim 1, wherein generating an intermediate
identifier using a playback device comprises generating an
intermediate identifier from a known identifier associated with the
playback device using a secret transformation.
3. The method of claim 2, wherein sending, using the playback
device, personally identifiable information about a user of the
playback device to the audience measurement server comprises
sending identification of the secret transformation to the audience
measurement server as a proof of identity.
4. The method of claim 1, further comprising: generating feedback
data based upon the anonymous user profile using the audience
measurement server; broadcasting, using the audience measurement
server, a feedback message containing the intermediate identifier
and the feedback data to the plurality of playback devices
including the playback device; and receiving the broadcast feedback
message containing the intermediate identifier using the playback
device.
5. The method of claim 4, wherein broadcasting, using the audience
measurement server, a feedback message containing the intermediate
identifier and the feedback data to the plurality of playback
devices including the playback device comprises making available
the feedback message for at least some of the plurality of playback
devices to download.
6. The method of claim 1, further comprising repeatedly generating
a new intermediate identifier using the playback device after
regular intervals.
7. The method of claim 1, wherein the intermediate identifier is a
public key of a private and public key pair generated by the
playback device.
8. The method of claim 1, wherein the intermediate identifier is
encrypted.
9. A method of controlling anonymity of user profiles in playback
of digital content, the method comprising: generating an
intermediate identifier using a playback device, where the
intermediate identifier is pseudo random and distinguishable from
intermediate identifiers used by other playback devices within a
plurality of playback devices and is not known to be associated
with the playback device by any entities other than the playback
device; sending, using the playback device, the intermediate
identifier and consumption data concerning content that has been
played on the playback device to an audience measurement server;
aggregating, using the audience measurement server, the consumption
data into an anonymous user profile using the intermediate
identifier, where the audience measurement server does not possess
information concerning which playback device the intermediate
identifier is associated with; generating feedback data based upon
the anonymous user profile using the audience measurement server;
broadcasting, using the audience measurement server, a feedback
message containing the intermediate identifier and the feedback
data to the plurality of playback devices including the playback
device; receiving the broadcast feedback message containing the
intermediate identifier using the playback device; and performing a
playback feature on the playback device in response to the
broadcast feedback message when the intermediate identifier
contained in the broadcast feedback message matches the
intermediate identifier on the playback device.
10. The method of claim 9, wherein generating an intermediate
identifier using a playback device comprises generating an
intermediate identifier from a known identifier associated with the
playback device using a secret transformation.
11. The method of claim 9, wherein performing a playback feature on
the playback device in response to the broadcast feedback message
comprises providing recommendations for future content for the user
associated with the user profile.
12. The method of claim 9, wherein performing a playback feature on
the playback device in response to the broadcast feedback message
comprises displaying personalized ads during playback of
content.
13. The method of claim 9, wherein broadcasting, using the audience
measurement server, a feedback message containing the intermediate
identifier and the feedback data to the plurality of playback
devices including the playback device comprises making available
the feedback message for at least some of the plurality of playback
devices to download.
14. The method of claim 9, wherein: sending, using the playback
device, the intermediate identifier and viewing data concerning
content that has been played on the playback device to an audience
measurement server; and broadcasting, using the audience
measurement server, a feedback message containing the intermediate
identifier and the feedback data to the plurality of playback
devices including the playback device; are performed using an
anonymous communications network.
15. The method of claim 9, further comprising repeatedly generating
a new intermediate identifier using the playback device after
regular intervals.
Description
FIELD OF THE INVENTION
[0001] The present invention relates generally to building
anonymous user profiles in content systems and more specifically to
enabling communication for which the privacy status and degree of
anonymization can be controlled.
BACKGROUND OF THE INVENTION
[0002] Usage history is used in, e.g., Facebook feeds, Netflix recommendations and Google personalized ads. The history may contain browsing history or audience measurement information (consumption data) such as what content was consumed, with content type, duration and time for video content, or, e.g., browsing of social networks or search engines. To enable this, the history is associated with an identifier representing the client, and the resulting recommendations are delivered targeted to the device or the user that is creating the history. The identifier is often based on information such as credit card, name, login/password, device ID, IP or MAC addresses. These identifiers are often directly or indirectly personally identifiable. Indirect identification is often accomplished by correlating the information with other databases, which allows personally identifiable information to be created and added. This de-anonymization may not be desired by the user at the time of data collection and may be rejected by the user. In this case, the consumption data may not be stored and will be irrevocably lost. A method is described that allows storing the data anonymously and enables user control over the usage and level of possible attribution of personally identifiable information.
SUMMARY OF THE INVENTION
[0003] Systems and methods for retroactive assignment of personally
identifiable information in distribution of digital content in
accordance with embodiments of the invention are disclosed. In one
embodiment, a method of controlling anonymity of user profiles in
playback of digital content includes generating an intermediate
identifier using a playback device, where the intermediate
identifier is pseudo random and different from intermediate
identifiers used by other playback devices within a plurality of
playback devices and is not known to be associated with the
playback device by any entities other than the playback device,
sending, using the playback device, the intermediate identifier
associated with consumption data concerning content files that have
been accessed on the playback device to an audience measurement
server, aggregating, using the audience measurement server, the
consumption data into an anonymous user profile associated with the
intermediate identifier, where the audience measurement server does
not possess information concerning which playback device the
intermediate identifier is associated with, sending, using the
playback device, personally identifiable information about a user
of the playback device associated with the intermediate identifier
to the audience measurement server, and combining, using the
audience measurement server, the personally identifiable
information about the user with the anonymous user profile linked
by the intermediate identifier to generate a personalized user
profile where the personalized user profile includes information
concerning the user of the playback device the intermediate
identifier is associated with.
[0004] In a further embodiment, generating an intermediate
identifier using a playback device includes generating an
intermediate identifier from a known identifier associated with the
playback device using a secret transformation.
[0005] In another embodiment, sending, using the playback device,
personally identifiable information about a user of the playback
device to the audience measurement server includes sending
identification of the secret transformation to the audience
measurement server as a proof of identity.
[0006] In a still further embodiment, the method also includes
generating feedback data based upon the anonymous user profile
using the audience measurement server, broadcasting, using the
audience measurement server, a feedback message containing the
intermediate identifier and the feedback data to the plurality of
playback devices including the playback device, and receiving the
broadcast feedback message containing the intermediate identifier
using the playback device.
[0007] In still another embodiment, broadcasting, using the
audience measurement server, a feedback message containing the
intermediate identifier and the feedback data to the plurality of
playback devices including the playback device includes making
available the feedback message for at least some of the plurality
of playback devices to download.
[0008] In a yet further embodiment, the method also includes
repeatedly generating a new intermediate identifier using the
playback device after regular intervals.
[0009] In yet another embodiment, the intermediate identifier is a
public key of a private and public key pair generated by the
playback device.
[0010] In a further embodiment again, the intermediate identifier
is encrypted.
[0011] In another embodiment again, a method of controlling
anonymity of user profiles in playback of digital content includes
generating an intermediate identifier using a playback device,
where the intermediate identifier is pseudo random and
distinguishable from intermediate identifiers used by other
playback devices within a plurality of playback devices and is not
known to be associated with the playback device by any entities
other than the playback device, sending, using the playback device,
the intermediate identifier and consumption data concerning content
that has been played on the playback device to an audience
measurement server, aggregating, using the audience measurement
server, the consumption data into an anonymous user profile using
the intermediate identifier, where the audience measurement server
does not possess information concerning which playback device the
intermediate identifier is associated with, generating feedback
data based upon the anonymous user profile using the audience
measurement server, broadcasting, using the audience measurement
server, a feedback message containing the intermediate identifier
and the feedback data to the plurality of playback devices
including the playback device, receiving the broadcast feedback
message containing the intermediate identifier using the playback
device, and performing a playback feature on the playback device in
response to the broadcast feedback message when the intermediate
identifier contained in the broadcast feedback message matches the
intermediate identifier on the playback device.
[0012] In a further additional embodiment, generating an
intermediate identifier using a playback device includes generating
an intermediate identifier from a known identifier associated with
the playback device using a secret transformation.
[0013] In another additional embodiment, performing a playback
feature on the playback device in response to the broadcast
feedback message includes providing recommendations for future
content for the user associated with the user profile.
[0014] In a still yet further embodiment, performing a playback
feature on the playback device in response to the broadcast
feedback message includes displaying personalized ads during
playback of content.
[0015] In still yet another embodiment, broadcasting, using the
audience measurement server, a feedback message containing the
intermediate identifier and the feedback data to the plurality of
playback devices including the playback device includes making
available the feedback message for at least some of the plurality
of playback devices to download.
[0016] In a still further embodiment again, sending, using the
playback device, the intermediate identifier and viewing data
concerning content that has been played on the playback device to
an audience measurement server, and broadcasting, using the
audience measurement server, a feedback message containing the
intermediate identifier and the feedback data to the plurality of
playback devices including the playback device, are performed using
an anonymous communications network.
[0017] In still another embodiment again, the method also includes
repeatedly generating a new intermediate identifier using the
playback device after regular intervals.
BRIEF DESCRIPTION OF THE DRAWINGS
[0018] FIG. 1 is a system diagram of an audience measurement system
utilizing intermediate identifiers in accordance with embodiments
of the invention.
[0019] FIG. 2 conceptually illustrates an audience measurement
server configured to collect audience measurement data and
broadcast messages in accordance with embodiments of the
invention.
[0020] FIG. 3 conceptually illustrates a playback device configured
to receive and play back content utilizing an intermediate
identifier in accordance with embodiments of the invention.
[0021] FIG. 4 illustrates a process for collecting anonymous
viewing data using intermediate identifiers in accordance with
embodiments of the invention.
[0022] FIG. 5 illustrates a process for anonymous collection of
audience measurement or consumption data using intermediate
identifiers in accordance with embodiments of the invention.
[0023] FIG. 6 illustrates a process for performing anonymous
purchase, distribution and consumption of content using an
intermediate identifier in accordance with embodiments of the
invention.
DETAILED DISCLOSURE OF THE INVENTION
Overview
[0024] Turning now to the drawings, systems and methods are described that allow storing the data anonymously and enable user control over the usage and level of possible attribution of personally identifiable information in accordance with embodiments of the invention. To anonymize information, a mechanism could be used that anonymizes information or does not store information at the head end. However, in that case the server controls the behavior and needs to be trusted. The client cannot be sure that the information is not stored, that the anonymization process removed the personalization information irrevocably, and that the data is not used for de-anonymization by checking for overlap with other datasets.
[0025] Anonymous matching has been suggested in U.S. Patent Publication No. 2002/0052825 to Bensemana, but this still requires an intermediate proxy that stores or could store personalization information, at least temporarily, requiring the client to rely on trusting the server.
[0026] Anonymous communication has been suggested in the literature, e.g. by the torproject (https://www.torproject.org), and is utilized to enable some embodiments of the present invention, but is not sufficient on its own, as these systems do not contemplate any information or anonymous identifier of the sender that can be used to group a user's information into anonymous profiles describing several actions of that user, nor a means to contact submitters of this information anonymously to provide feedback.
[0027] Other approaches have been suggested in PCT Patent Publication No. 1996/17467 to Salganicoff to secure the information of consumption behavior in transmission or storage, but they do not prevent sharing the identifying information of the source.
[0028] Embodiments of the present invention do not only enable the client to control the generation, release and storage of data; they also enable anonymous storage with retroactive assignment of personally identifiable information (PII), giving the option to retroactively make the data more valuable by assigning personal information to it and enabling a user action to claim, use, copy or transfer the data. The retroactive assignment can be done for the entire data, for groups of information, or for intervals. In many embodiments, the assignment is secured and the client can prove ownership to any owner of the database.
[0029] Several embodiments of the present invention also enable delivery of feedback data and/or viewing recommendations resulting from analysis of a client's identifier while the client stays anonymous, using a broadcast message that is sent to all devices, where the single recipient addressed by the message is not known by the server sending it. In some embodiments, the receipt of feedback data enables or enforces additional functionality on the playback device.
[0030] Collecting data associated with personally identifiable information (PII) often may affect privacy (it may be undesirable or illegal). Additional embodiments of the invention utilize an intermediate identifier (also referred to as a token or private token) or alias that allows collection of transaction data anonymously, later grouping of transactions per user, and, in a following step, assignment of PII to the collected data on the initiative of the client. This can enable data collection while maintaining client control of PII by separating data and PII until the point when the client would like to associate PII retroactively.
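The flow of claims 1 to 3 and paragraphs [0028] to [0030] (anonymous collection keyed by an intermediate identifier, followed by a client-initiated claim that attaches PII) as an added simulation in Python. This is example code written for this page, not code from the patent or from Verimatrix. It assumes the intermediate identifier is derived from a known device identifier by a secret transformation (claim 2), implemented here as SHA-256 over the device identifier and a device-held random salt, and that the proof of identity (claim 3) is the disclosure of that transformation, i.e. the device identifier and the salt. The names `PlaybackDevice`, `AudienceMeasurementServer`, `derive_token` and the sample consumption events are constructed for the example.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed sample consumption events: (content_id, seconds watched).
SAMPLE_EVENTS = [("movie-42", 5400), ("series-7-ep1", 2700), ("movie-42", 600)]


def derive_token(device_id: str, salt: bytes) -> str:
    """Claim 2: the intermediate identifier is a secret transformation of a
    known identifier. Without the salt the token cannot be linked to device_id."""
    return hashlib.sha256(device_id.encode() + salt).hexdigest()


class PlaybackDevice:
    def __init__(self, device_id: str, user_pii: dict):
        self.device_id = device_id                # known identifier (e.g. provisioning id)
        self.user_pii = user_pii                  # held locally until the user opts in
        self.salt = secrets.token_bytes(32)       # secret part of the transformation
        self.token = derive_token(device_id, self.salt)

    def report(self, server, content_id: str, seconds: int) -> None:
        # Sent over the anonymous channel: token plus consumption data, no PII.
        server.collect(self.token, content_id, seconds)

    def claim_profile(self, server) -> bool:
        # Claim 3: disclose the transformation (device_id, salt) as proof of identity.
        return server.assign_pii(self.token, self.device_id, self.salt, self.user_pii)


class AudienceMeasurementServer:
    def __init__(self):
        # token -> anonymous profile; no device-to-token mapping exists here.
        self.profiles = defaultdict(
            lambda: {"watch_seconds": defaultdict(int), "pii": None})

    def collect(self, token: str, content_id: str, seconds: int) -> None:
        """Aggregate consumption data into the anonymous profile for this token."""
        self.profiles[token]["watch_seconds"][content_id] += seconds

    def assign_pii(self, token: str, device_id: str, salt: bytes, pii: dict) -> bool:
        """Retroactive assignment: accept PII only if the claimant can reproduce
        the token from the disclosed transformation."""
        if token not in self.profiles:
            return False
        if derive_token(device_id, salt) != token:    # proof of identity failed
            return False
        self.profiles[token]["pii"] = {"device_id": device_id, **pii}
        return True


def run_scenario():
    server = AudienceMeasurementServer()
    alice = PlaybackDevice("dev-0001", {"name": "Alice Example"})
    bob = PlaybackDevice("dev-0002", {"name": "Bob Example"})
    for content_id, seconds in SAMPLE_EVENTS:
        alice.report(server, content_id, seconds)
    bob.report(server, "series-7-ep1", 1200)
    anonymous_before = server.profiles[alice.token]["pii"] is None
    # Someone who learned the token but not the salt cannot attach PII to it.
    impostor_ok = server.assign_pii(alice.token, "dev-0001", b"wrong-salt", {"name": "Mallory"})
    claimed = alice.claim_profile(server)
    return server, alice, bob, anonymous_before, impostor_ok, claimed


if __name__ == "__main__":
    server, alice, bob, before, impostor, claimed = run_scenario()
    print("anonymous before claim:", before, "| impostor accepted:", impostor, "| claimed:", claimed)
    print(dict(server.profiles[alice.token]["watch_seconds"]), server.profiles[alice.token]["pii"])
```

Until `claim_profile` runs, the server holds watch totals keyed only by a token it cannot map to a device; the proof check in `assign_pii` is what makes the later assignment "secured" in the sense of [0028]. In a deployment the salt should be treated as a device secret, since anyone holding it can claim the profile.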
[0031] System Architecture
[0032] A playback device may use an intermediate identifier to
enable anonymous content consumption. An intermediate identifier
can be used to limit the identifiability of a user or playback
device by acting as an identifier whose association with a
particular user or playback device cannot be determined by another
entity without additional information from the user or playback
device. An intermediate identifier may be generated on a playback
device and kept secret. In several embodiments, an intermediate
identifier can be sent to other entities such as servers as part of
data gathering while keeping the user or playback device anonymous,
and/or additional information identifying the user or playback
device may be disclosed for other purposes.
[0033] An audience measurement system in accordance with
embodiments of the invention is illustrated in FIG. 1. The
illustrated system 101 includes a content server 112 configured to
distribute content to playback devices and an audience measurement
server 114 configured to receive messages and associated
intermediate identifiers from playback devices. The audience
measurement server may store information about time, length and
location of content consumption of video, computer games, apps,
social networks, teleconferencing, websites, or other digital
assets.
[0034] A variety of playback devices 116, 118, and 120 can play
back content stored locally or received from content server 112 via
a first network 122 such as the Internet. In many embodiments, a
playback device is configured to measure the user behavior during
consumption of content (e.g., information such as identification of
what and when content is played) and provide measurements to the
audience measurement server.
[0035] In the illustrated embodiment, playback devices include
mobile phone 116, television 118, and personal computer 120. In
other embodiments, playback devices can include any of various
types of consumer electronics devices such as, but not limited to,
DVD players, Blu-ray players, set top boxes, video game consoles,
tablets, e-book readers, VR displays and other devices that are
capable of connecting to a server and playing back digitally
encoded media.
[0036] In several embodiments, a playback device may communicate
with an audience measurement server, vendor server, or other
participating server via another network (a second network). The
network may provide anonymity or pseudo-anonymity when
communicating the playback device's intermediate identifier to the
server. Anonymity can refer to the complete inability of entities
other than the playback device to identify the playback device or
user account used on the playback device. Similarly, pseudo-anonymity can refer to identification being impracticable and/or difficult. This can be implemented by a second
network 124 that provides communications by an anonymous protocol
that preserves anonymity of the playback device. Alternatively,
this can be implemented on the same network as the first network,
but using anonymous communications such as, but not limited to, an
anonymity preserving protocol like onion routing using
implementations like Tor. While client device 120 is illustrated as
communicating with audience measurement server 114 over the second
network 124, client devices 116 and 118 may similarly communicate
with audience measurement server 114 over the second network 124.
Although a specific audience measurement system architecture is
discussed above with respect to FIG. 1, any of a variety of
streaming systems can be utilized to deliver content streams in
accordance with embodiments of the invention.
[0037] An audience measurement system for providing feedback data
messages by broadcast in accordance with embodiments of the
invention is illustrated in FIG. 1B. A variety of playback devices
116', 118', and 120' can receive a broadcast message from content
server 114' via a third network 126 that is capable of broadcast
addressing to connected devices. Alternatively, this can be
implemented on the same network as the first or second network, but
using a communications protocol that is capable of broadcast
addressing.
[0038] While specific system architectures are discussed above with
respect to FIGS. 1 and 1B, one skilled in the art will recognize
that any of a variety of architectures may be utilized in
accordance with embodiments of the invention as appropriate to a
particular application.
[0039] Audience measurement servers in accordance with many
embodiments of the invention can load a collection application
and/or a message broadcast application as machine readable
instructions from memory or other storage. An audience measurement
server in accordance with an embodiment of the invention is
illustrated in FIG. 2. The audience measurement server 202 includes
a processor 204 and non-volatile memory 210 that includes a
collection application 212 and a message broadcast application 214.
In the illustrated embodiment, the non-volatile memory 210 is
utilized to store instructions that configure the processor 204 to
perform processes such as those discussed further below. In several
embodiments, a collection application and/or message broadcast
application can be loaded from any kind of memory or storage device
including volatile memory in accordance with many embodiments of
the invention.
[0040] The collection application 212 can configure the audience
measurement server 202 to receive anonymous consumption data
associated with an intermediate identifier from playback devices.
The message broadcast application 214 can configure the audience
measurement server 202 to send a message containing an intermediate
identifier for a playback device to respond with enabling certain
features. As will be discussed further below, broadcast messages
can be sent containing the intermediate identifier to playback
devices so that the device having the intermediate identifier
reacts upon receipt without the content server, audience
measurement server, and/or other entities being able to identify
the playback device. In many embodiments, broadcast messages
include feedback data generated from analysis of consumption data.
Upon receipt by a playback device, feedback data can enable
additional functionality and/or provide content recommendations. In
different embodiments, the collection application 212 and message
broadcast application 214 can be implemented as a single
application on the audience measurement server or as separate
applications on separate servers (e.g., a collection server and a
broadcast server).
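The broadcast feedback mechanism of [0029], [0040] and claims 4 to 6 and 9, as an added Python simulation written for this page (not code from the patent or from Verimatrix). The server derives feedback from anonymous profiles keyed by token, puts every (token, feedback) pair into one message that all devices receive, and each device acts only on entries matching one of its own identifiers. The genre-recommendation feedback, the `rotate` method (claim 6, repeated generation of a new identifier) and the three constructed devices are assumptions of the example.

```python
import secrets


def build_feedback(profiles: dict) -> dict:
    """Server side: from each anonymous profile (token -> genre -> seconds watched)
    derive feedback data, here a recommendation of the most-watched genre."""
    feedback = {}
    for token, genres in profiles.items():
        if genres:
            feedback[token] = {"recommend_genre": max(genres, key=genres.get)}
    return feedback


def broadcast(feedback: dict) -> list:
    """Server side: the single message list every device receives. Entries are
    addressed to tokens, so the server cannot tell which device will react."""
    return [{"token": token, "feedback": data} for token, data in feedback.items()]


class PlaybackDevice:
    def __init__(self):
        self.tokens = [secrets.token_hex(16)]   # current and earlier intermediate identifiers
        self.enabled_features = []

    @property
    def token(self) -> str:
        return self.tokens[-1]

    def rotate(self) -> None:
        """Claim 6: generate a new identifier at a regular interval. Earlier ones are
        kept so feedback computed under them can still be matched."""
        self.tokens.append(secrets.token_hex(16))

    def handle_broadcast(self, messages: list) -> list:
        """Claim 9: perform the playback feature only for entries whose token matches
        one of ours; everything else is ignored without any reply to the server."""
        hits = [m["feedback"] for m in messages if m["token"] in self.tokens]
        self.enabled_features.extend(hits)
        return hits


def run_scenario():
    a, b, c = PlaybackDevice(), PlaybackDevice(), PlaybackDevice()
    # Constructed anonymous profiles as the server holds them: keyed by token only.
    profiles = {
        a.token: {"drama": 5400, "comedy": 600},
        b.token: {"comedy": 3000},
    }
    feedback = build_feedback(profiles)
    a.rotate()                         # a rotates before the broadcast arrives
    messages = broadcast(feedback)
    results = {
        "a": a.handle_broadcast(messages),
        "b": b.handle_broadcast(messages),
        "c": c.handle_broadcast(messages),   # c never reported anything
    }
    return messages, results


if __name__ == "__main__":
    messages, results = run_scenario()
    print(len(messages), "entries broadcast;", results)
```

Because every device receives the whole list, the tokens that exist are visible to all recipients even though their holders are not; claim 8 (an encrypted intermediate identifier) is the patent's answer to that exposure, and a device that matches an entry should not acknowledge it back to the server, or the reply would undo the anonymity the broadcast provides.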
[0041] Playback devices in accordance with many embodiments of the
invention can load a playback application as instructions from
memory. A playback device in accordance with an embodiment of the
invention is illustrated in FIG. 3. The playback device 302
includes a processor 304 and non-volatile memory 310 that includes
a playback application 312, intermediate identifier generation
application 316, and intermediate identifier 314. In many
embodiments, the applications can be loaded from any kind of memory
or storage device including volatile memory in accordance with many
embodiments of the invention. In the illustrated embodiment, the
non-volatile memory 310 is utilized to store instructions that
configure the processor 302. Here, the non-volatile memory 310
contains the instructions of a playback application 312, which can
be utilized to configure the processor 304 to receive and decode
media content. In further embodiments, the playback application 312
configures the processor to take certain enhanced playback actions
when a broadcast message containing the intermediate identifier
associated with the playback device (e.g., feedback data) is
received by the playback device as will be discussed further
below.
[0042] The intermediate identifier generation application 316 can
configure the playback device 302 to generate an intermediate
identifier 314 by generating a long random number or using a
process such as those discussed further below. In many embodiments, an intermediate identifier is stored on the playback device and sent to participate in interactions anonymously, without personally identifiable information. In additional embodiments, an
intermediate identifier may be provided to a server for anonymously
purchasing content, anonymously reporting viewing statistics or
other purposes such as those discussed further below. In many
embodiments of the invention, disclosures of the intermediate
identifier to another entity are only made by secure (e.g.,
encrypted) and/or anonymous methods whereby the playback device
and/or user identity (e.g., user account) associated with the
intermediate identifier cannot be identified. In this way, the user
can maintain his or her privacy.
[0043] Although an anonymous audience measurement system utilizing
intermediate identifiers is described above with respect to a
specific audience measurement server and playback device, any of a
variety of transmitting or decoding systems can be utilized in the
transmission and decoding of content as appropriate to specific
applications in accordance with embodiments of the invention.
Intermediate Identifier Generation
[0044] In many embodiments of the invention, an intermediate
identifier (also called token) is generated or selected by a client
playback device to allow identification of that device or a user
account on the device, and is not known by any other entity (e.g.,
device or server) to be associated with that device or user
account, and the device that generated the intermediate identifier
cannot be easily identified from the intermediate identifier alone
without additional information. The intermediate identifier is
shared with other entities, such as an audience measurement server,
for anonymous collection of data, i.e., that initially cannot be
traced back to that particular playback device or user account
until and unless the client reveals the association. As discussed
below, any of a number of techniques can be utilized alone or in
combination to select or generate an intermediate identifier for a
playback device in accordance with embodiments of the
invention.
[0045] An intermediate identifier may be a random or pseudo-random
number. Collision may occur where two or more devices have the same
intermediate identifier. The risk of collision can be reduced to a
negligible risk by using a larger degree of randomness in
generating the number and/or using a larger number.
[0046] In several embodiments, an intermediate identifier is
generated from a fixed seed number combined with a random or
pseudo-random number, encrypted with a secret key that is unique to
and permanently associated with the playback device or user
account. The playback device can provide proof of its identity and
of having generated the intermediate identifier by including the
fixed seed number.
[0047] In some embodiments, an intermediate identifier is generated
from a device identifier that is unique to and associated with the
device. A device identifier may be static and may have been
generated during device provisioning or registration. The device
identifier may be unique to the device. Also, a serial number of a
device component such as a hard drive, chip, or sound card may be used
directly or after a transformation such as hashing. These existing
identifiers are useful, in particular since they may be unique,
static and not traceable if no record of the link to the device
exists.
[0048] An intermediate identifier may be generated using
encryption, where the process of generating the intermediate
identifier includes selecting an encryption key.
[0049] An intermediate identifier may be generated using a hash
algorithm using a device identifier, such that the device
identifier cannot be recovered using only the intermediate
identifier, but it can be verified that the intermediate identifier
was generated using that device identifier by performing the hash
again and comparing the results. The hash can be seeded for greater
variety over time and the seed may be provided by broadcast message
to all playback devices.
[0050] An intermediate identifier may be a public key in an
asymmetric key (encryption) scheme or, to reduce the size, a hash
thereof. The private key utilized in the scheme would be known only
to the device or user and not released to the public. This allows a
playback device to prove that it had generated the intermediate
identifier and allows a broadcaster of a message to encrypt the
message in such a way that only the intermediate identifier holder,
the playback device, can decrypt using the private key.
[0051] In several embodiments of the invention, an intermediate
identifier is encrypted to prevent its disclosure (for example
through repeated use of the same private payload) to entities other
than the playback device and/or server. It may be encrypted using a
shared secret key that is known to the playback device and the
server, or using a public key associated with the server. This
allows the server to derive an encryption key from the client to
establish secure communications.
[0052] In additional embodiments, an intermediate identifier
includes a component that is static and associated with a group of
clients, e.g. certain members of a network, such that broadcast
messages are accessible to the group. The component can be any type
of additional information identifier such as, but not limited to, a
time stamp and/or device type.
[0053] The generation and change to the intermediate identifier may
be signaled to and/or requested by the user's client device to
foster transparency or discourage illegal content distribution.
[0054] In some embodiments, the user's client device may generate
its own private identifier, like a pseudonym or alias. Typically in
such embodiments this cannot be altered at will, since a user who
is distributing content could otherwise change it to avoid
enforcement actions directed at his client device. However, there
can be scenarios where the person able to choose the alias or
pseudonym can be trusted, e.g. a system administrator choosing an
ID for a group of users or on a campus, or scenarios where no
enforcement action is envisioned.
[0055] The alias is an identifier relating to a user or client ID,
like a pseudonym or moniker. It can be derived from a base
identifier that is known to the server and client, e.g. assigned by
the server and transformed by the client. In the preferred
embodiment, the transformation is not reversible and contains a
secret component that is revealed to prove the client's identity.
Several processes can accomplish that. E.g. the server assigns a
unique number, and the client submits a transaction with the unique
number and a transformation thereof, such as a hash of the unique
number combined with a random number that the client has generated
and stored. Encryption using the random number accomplishes a
similar result.
[0056] Instead of storing the random number, the client may store a
function to reproduce it, such as a seed for a random number
generator or a hash of the timestamp combined with a constant
password. The seed may be randomly generated and stored on the
client, or it may be a static number already present on the device,
like a hard-drive serial number or another number assigned to the
device or application.
[0057] The alias may be changed regularly, to allow time
granularity when later claiming data or assigning personal
information to data. E.g. the base identifier and random number used
to generate the alias may change on a daily basis or with every set
of transaction information submitted to the server. This would
prevent the server from linking the data between days or
transactions, but would allow the client to reveal its identity for
selected portions only, while revealing the identity for other
portions at a later time, if at all.
[0058] Similarly, the alias may be changed for different groups of
information, such as a channel change or trick play in media
consumption, to allow attribution of a subset of the data at a later
stage. This may go as far as using a different alias for every
transaction, to provide maximum granularity and to later allow
individual assignment.
[0059] The alias generation may be used on multiple devices,
sharing the same alias between different devices to allow combining
data from different devices in a single step. A gateway in the home
may manage these multiple aliases.
[0060] In several embodiments, the intermediate identifier is
pseudo-random, i.e. it varies between different intermediate
identifiers with high entropy, and no structure of the generation
process is apparent from the intermediate identifiers
themselves.
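The generation methods of paragraphs [0045], [0046] and [0049] can be illustrated with a few lines of code. The following is an added example and is not code from the patent or from Verimatrix; it assumes SHA-256 as the hash function, HMAC-SHA256 in place of the patent's "encrypted with a secret key", and uses constructed values for the device serial number, per-device secret and broadcast seed.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not from the patent: a device serial number,
# a per-device secret provisioned at manufacture, and a seed that the head
# end would broadcast to every playback device (paragraph [0049]).
DEVICE_SERIAL = b"STB-SERIAL-000123"
DEVICE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
BROADCAST_SEED = b"seed-2019-01-10"


def _lp(b: bytes) -> bytes:
    """Length-prefix a field so that concatenated fields cannot be confused."""
    return len(b).to_bytes(2, "big") + b


def random_identifier(nbits: int = 128) -> bytes:
    """Paragraph [0045]: a random identifier from the OS CSPRNG; the
    collision risk is governed only by nbits."""
    return secrets.token_bytes(nbits // 8)


def hashed_device_identifier(device_id: bytes, seed: bytes) -> bytes:
    """Paragraph [0049]: seeded hash of a static device identifier. The
    device identifier cannot be recovered from the output, but anyone later
    shown the device identifier can re-run the hash and compare. A new
    broadcast seed yields a fresh identifier for the same device."""
    return hashlib.sha256(b"ii-hash|" + _lp(seed) + _lp(device_id)).digest()


def verify_hashed_device_identifier(identifier: bytes, device_id: bytes, seed: bytes) -> bool:
    """Verification by recomputation; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(identifier, hashed_device_identifier(device_id, seed))


def keyed_identifier(device_secret: bytes, fixed_seed: bytes, random_part: bytes) -> bytes:
    """Paragraph [0046]: a fixed seed number and a random number processed
    under a secret key permanently associated with the device. HMAC-SHA256
    stands in for the patent's 'encrypted with a secret key' (an assumption
    of this example)."""
    msg = b"ii-keyed|" + _lp(fixed_seed) + _lp(random_part)
    return hmac.new(device_secret, msg, hashlib.sha256).digest()


def verify_keyed_identifier(identifier: bytes, device_secret: bytes,
                            fixed_seed: bytes, random_part: bytes) -> bool:
    """Only a party holding the device secret (e.g. the entity that
    provisioned it) can confirm that this device produced the identifier."""
    return hmac.compare_digest(identifier, keyed_identifier(device_secret, fixed_seed, random_part))


def demo() -> dict:
    """Exercise each construction and report the checks a practitioner cares about."""
    seeded = hashed_device_identifier(DEVICE_SERIAL, BROADCAST_SEED)
    reseeded = hashed_device_identifier(DEVICE_SERIAL, b"seed-2019-01-11")
    fixed_seed = b"fixed-seed-42"
    rnd = secrets.token_bytes(16)
    keyed = keyed_identifier(DEVICE_SECRET, fixed_seed, rnd)
    return {
        "random_len_bits": len(random_identifier(128)) * 8,
        "seeded_verifies": verify_hashed_device_identifier(seeded, DEVICE_SERIAL, BROADCAST_SEED),
        "wrong_device_rejected": not verify_hashed_device_identifier(seeded, b"STB-SERIAL-000124", BROADCAST_SEED),
        "new_seed_changes_identifier": seeded != reseeded,
        "keyed_verifies": verify_keyed_identifier(keyed, DEVICE_SECRET, fixed_seed, rnd),
        "wrong_secret_rejected": not verify_keyed_identifier(keyed, b"\x00" * 16, fixed_seed, rnd),
    }


if __name__ == "__main__":
    print(demo())
```

The length prefixes and domain-separation labels matter in practice: without them a seed of `b"ab"` with identifier `b"c"` and a seed of `b"a"` with identifier `b"bc"` would hash to the same intermediate identifier, which would let two different devices collide deterministically rather than by chance.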
Additional Security Benefits
[0061] A benefit of certain embodiments of the present invention,
as described above, is the control that the client has in releasing
information to the server, so the client does not need to trust the
server that the information will be removed and maintains the
ability to later claim and enhance the information. Alternatively,
the present invention is useful to enhance the security of the
total solution against hacking by a third party. To enable this,
the client provides its identity occasionally but the server does
not store it and only has a small subset of identities at the same
time. Even if a hacker gains access to the head end, she will not
be able to steal all identities, as they are managed in a
decentralized manner and not all will be accessible at the same time. In addition to the
anonymity the intermediate identifier provides, any consumption
data that is stored may also be encrypted with a key, initially
known to the client only. This distributed security allows keeping
the data confidential, i.e. the data is resolved on request only
but the client device is the only location that permanently stores
the intermediate identifier. This is helpful to prevent a central
database that can be hacked.
Intermediate Identifier Length and Collision
[0062] Collision may occur where two or more playback devices
independently generate the same intermediate identifier R by
accident e.g. as output of a random process. This scenario can
cause confusion among the playback devices as messages or actions
that are meant to apply to one device having the intermediate
identifier R may affect all the devices having the same
intermediate identifier R. The likelihood of collision can be
expressed as the well-known birthday problem, for example, the
probability that some pair of randomly chosen people in a set will
have the same birthday (see
https://en.wikipedia.org/wiki/Birthday_problem#Probability_table).
For an intermediate identifier length of 32 bits and 2,900 clients,
the probability is 0.1% that two or more clients are using the same
hash. For larger populations a longer string may be chosen, e.g.,
for a length of 64 bits and 190,000,000 clients the probability is
0.1% that two or more clients are using the same hash. Even longer
intermediate identifier lengths would result in lower likelihoods,
for example, for a length of 128 bits and 2.6×10^13
clients, the probability is p=10^-12. A longer string length can
be chosen as appropriate to a particular application considering
any burden on communications efficiency. The consequence of a
collision may also be limited, e.g. a device that is not responsible
for illegally distributing content may be disabled for a limited period
of time.
Processes for Anonymous Storage of Viewing Data and Retroactive
Assignment of PII
[0063] Intermediate identifiers are used in various embodiments of
the invention to provide anonymous storage of viewing data with
retroactive assignment of personally identifiable information
(PII). A process for anonymous storage and retroactive assignment
using an intermediate identifier in accordance with embodiments of
the invention is illustrated in FIG. 4. In the illustrated process,
the client playback device generates (402) an intermediate
identifier and submits it together with a transaction to an
audience measurement server for anonymous data collection.
Transactions can be any of a variety of interactions or messages
related to content consumption such as, but not limited to, a
video-on-demand (VOD) purchase, consumption (i.e. playback or
viewing), ad watching, channel change, consumption device, etc.
[0064] The generation of the intermediate identifier may be
performed the same way for multiple devices and may be different
for different times. It can be in the user's control to create the
same intermediate identifier for all devices controlled by the user
using an account or login, or different intermediate identifiers,
in order to create different user profiles in one account e.g. for
different members of a family sharing the same account.
[0065] The client playback device sends (404) the intermediate
identifier and transaction information to an audience measurement
server. The audience measurement server stores (406) the
information as history and is able to group all transactions that
have been registered under one intermediate identifier to create a
profile.
[0066] The profile is analyzed (408) for patterns in the
consumption (i.e., viewing or playback) of various pieces of
content and/or related activities. Patterns may help to identify
consumer preferences for content or consumption time or a
combination thereof to establish recommendations for future
consumption of e.g. linear programming, video on demand
consumption, or other media like websites. Alternatively, the
pattern can be used to analyze for technical issues with playback
such as malfunctioning devices or limits in smooth playback due to
limited device processing or bandwidth. The analysis can be
performed by the audience measurement server that may include
functionality of an analytics server.
[0067] In some embodiments, results of the analysis are supplied
(410) as feedback data to the client device by the audience
measurement server or other server that had performed the analysis.
If the identity of the client is not known, the feedback data is
made available to all clients anonymously, e.g. by broadcasting the
result as a message to all client devices (e.g. embedded in
transport stream packets on cable or satellite, such as EMM
packets), by delivering the information with a software upgrade to
clients, or by making it available for anonymous download using
existing mechanisms for anonymous communication that e.g. utilize
several clients and intermediaries to download the information for
the ultimate recipient that is looking for it. The message is
addressed to the intended client device by using the intermediate
identifier that only the receiving client device knows is
associated with it. If the information should be protected from
others it may be encrypted with a key (that can be secret or
public) submitted by the client device with the intermediate
identifier. In several embodiments, this communication is similar
to a private token used for communication disclosed in U.S. Patent
Application Ser. No. 62/273,043 to Thorwirth et al. entitled
"Systems and Methods for Preserving Privacy in Distribution of
Digital Content Using Private Tokens," the relevant disclosure from
which is hereby incorporated by reference in its entirety.
[0068] The feedback data received by the client device can be
useful for executing (412) any of a number of enhanced features,
including, but not limited to, displaying of recommendations,
information about warning and remedy of malfunctions, or ads that
match the consumption profile of the user. In other embodiments,
the aggregated data is only used on the server.
[0069] In additional embodiments, the client device is in control
to release some parts of the information individually, i.e.
personally identifiable information (PII), profile information,
consumption per day or all consumption. The client device can
maintain control over what to release, at what time and to whom. At
any point the user of the client device may be motivated to provide
(414) more information e.g. using financial incentives or an
improved service offering. This information may include additional
transactions, or personal information, such as demographic (gender,
age, zip, income, etc.) or information such as name, social
security number, date and place of birth, mother's maiden name, or
biometric records; and medical, educational, financial, and
employment information, or information correlating to other public
statements e.g. posted on platforms like Facebook, Twitter, etc.
Another source of information to provide can also be a link to
identifiers in other databases that may not use an intermediate
identifier as described here or other identifier that is personally
identifiable. Additional information can include browsing history,
credit card transactions, or email. The user may be motivated to release
this information with financial incentives or additional services
or for better feedback from the data analysis. In this way, an
intermediate identifier can be used to retroactively assign
personally identifiable information to information that was
previously anonymized.
[0070] Another reason to use retroactive assignment may be the
change of legal requirements that later allow the use of this
information.
[0071] If the client desires to provide history, the intermediate
identifiers for the relevant duration are provided so that the data
collection can group all transactions associated with these
identifiers together.
[0072] In several embodiments, a retroactive assignment of PII to
an intermediate identifier and the associated user profile enables
retroactive recommendations where the data is stored but only used
once the data is retroactively enabled to allow this service.
[0073] In other embodiments the approach is useful for a client to
prove limited usage and to decide to pay lower usage fees than for
an unlimited bundle, by proving its usage when enabling PII
association.
[0074] In additional embodiments, a retroactive assignment of PII
to an intermediate identifier and the associated user profile
enables an entity to buy transaction data from an individual
customer and/or sell transaction data of the individual
customer.
[0075] In some embodiments of the invention, the intermediate
identifier is rotated or changed (416) on the client device after
some period of time or at regular intervals of time. In some
embodiments, a previous intermediate identifier is used for the
next submission to the audience measurement server. In other
embodiments, a new intermediate identifier is generated by the
client device. The rotation may occur after the client has disclosed
its personal information, to keep future information anonymous, or
before, in order to allow de-anonymization by providing personal
information for some identifiers only. Although a specific process
for generating an intermediate identifier and building a user
profile is discussed above with respect to FIG. 4, any of a variety
of processes may be utilized in accordance with embodiments of the
invention as appropriate to a particular application.
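The process of FIG. 4, with the daily alias rotation of paragraph [0057] and the retroactive claim of step 414, can be simulated end to end. The following is an added example, not code from the patent or from Verimatrix; it assumes the alias is a SHA-256 hash of the server-assigned base identifier, the period number and a client-held random (paragraph [0055]), and uses constructed transaction records and a constructed base identifier.

```python
import hashlib
import secrets
from collections import defaultdict


def make_alias(base_id: bytes, period: int, client_random: bytes) -> bytes:
    """Paragraphs [0055]/[0057]: alias = H(base id, period, client random).
    The transformation is one-way; its secret component (client_random)
    stays on the client until the client chooses to reveal it."""
    h = hashlib.sha256()
    h.update(b"alias|" + len(base_id).to_bytes(2, "big") + base_id)
    h.update(period.to_bytes(4, "big"))
    h.update(client_random)
    return h.digest()


class AudienceMeasurementServer:
    """Stores transactions under aliases only (step 406); it cannot link
    two periods of the same client until that client claims them."""

    def __init__(self):
        self.history = defaultdict(list)    # alias -> transactions
        self.profiles = defaultdict(list)   # base id (PII) -> claimed transactions

    def record(self, alias: bytes, transaction: dict) -> None:
        self.history[alias].append(transaction)

    def claim(self, base_id: bytes, period: int, client_random: bytes) -> bool:
        """Retroactive assignment (step 414): recompute the alias from the
        revealed secret; only a correct secret attaches history to the PII."""
        alias = make_alias(base_id, period, client_random)
        if alias not in self.history:
            return False
        self.profiles[base_id].extend(self.history[alias])
        return True


class PlaybackClient:
    """Rotates the alias every period (step 416) and keeps each period's
    random locally, so it can later reveal selected periods only."""

    def __init__(self, base_id: bytes):
        self.base_id = base_id           # e.g. assigned by the server at signup
        self._randoms = {}               # period -> client random (client-only)

    def alias(self, period: int) -> bytes:
        if period not in self._randoms:
            self._randoms[period] = secrets.token_bytes(16)
        return make_alias(self.base_id, period, self._randoms[period])

    def submit(self, server: AudienceMeasurementServer, period: int, transaction: dict) -> None:
        server.record(self.alias(period), transaction)   # step 404

    def reveal(self, period: int) -> tuple:
        """What the client hands over to claim one period's data."""
        return (self.base_id, period, self._randoms[period])


def demo() -> dict:
    """Constructed scenario: three days of viewing, then the client claims day 2 only."""
    server = AudienceMeasurementServer()
    client = PlaybackClient(b"account-7781")   # constructed base identifier
    for day, title in ((1, "news"), (2, "film"), (2, "ad-break"), (3, "sports")):
        client.submit(server, day, {"day": day, "title": title})
    claimed = server.claim(*client.reveal(2))
    forged = server.claim(b"account-7781", 3, secrets.token_bytes(16))  # wrong secret
    return {
        "distinct_aliases": len(server.history),
        "claimed": claimed,
        "forged_claim_rejected": not forged,
        "profile_titles": [t["title"] for t in server.profiles[b"account-7781"]],
    }


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes concrete is the one in paragraph [0061]: the server's history table holds only aliases, so a breach of it yields consumption records that nobody can attribute, and the client can attach its identity to exactly the days it chooses.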
Examples of Data to be Processed and User Profiles
[0076] In one embodiment, data, consumption data and audience
measurement data refer to information about user behavior. It can
be observed on the client when content is consumed or on the server
when content is prepared and delivered. Examples include the
consumption of video, linear TV, radio, music files, games, apps,
social networks, teleconferencing and websites. Observation
includes the consumption title, duration, location, interaction or
processes like download requests, or derivative processes like
requests for decryption keys required to decrypt the data. Data can
be registered at the server e.g. during download request or, during
offline consumption stored on the client and transmitted later.
[0077] The data can be assembled to characterize the consumer;
characterization may include viewing preferences that may be
combined with learned preferences from collaborative filtering to
conclude other content that may be interesting for the consumer.
Consumption data can also be analyzed to allow conclusions about
the consumer's gender, age, income or other demographics, as well
as consumption preferences that will help to target advertisement.
Other profiles group consumers into how they prefer consumption
(i.e. device type, time of day, available bandwidth etc.). Profiles
can be compared to other important properties such as consumption
of other goods and services (for purchase or subscription) or
cancellation of service (also known as churn prediction).
Anonymous User Recommendations for Content
[0078] A process for anonymously collecting viewing data and
creating user recommendations in accordance with embodiments of the
invention is illustrated in FIG. 5. The process 500 includes
generating (502) an intermediate identifier. An intermediate
identifier may be generated by any of a variety of techniques
including those discussed further above. In many embodiments, a
playback device generates the intermediate identifier. The playback
device sends (504) the intermediate identifier with audience
measurement data for anonymous data collection to an audience
measurement server, which may be a content server or other server
dedicated to collecting audience measurement data. Audience
measurement data may describe usage statistics such as, but not
limited to, the titles of content that was played back by the
device and watched by the user, number of times that each piece of
content was played, times of day of use, and other information
concerning the content that was watched by the user. The
intermediate identifier and audience measurement data can be sent
at a regular interval and/or with purchase transactions or playback
requests sent by the playback device.
[0079] The audience measurement server aggregates (506) the
received data. The received data can be used to build a user
profile that describes past viewing habits or patterns and/or the
likelihood that a user would enjoy certain categories or
characteristics of content. In several embodiments, the audience
measurement server may utilize audience measurement data from other
playback devices or users in generating (508) viewer profiles
and/or content recommendations.
[0080] Generated content recommendations or feedback data may be
sent (510) anonymously from the audience measurement server by
broadcast message that includes the intermediate identifier of the
playback device. The playback device having that intermediate
identifier can present the recommendations to the user on a user
interface or by integrating the recommendations into a playback
application. When the audience measurement server can identify the
playback device, it can send the content recommendations directly,
i.e., by unicast, rather than by broadcast. Although a specific
process for collecting audience measurement data anonymously and
generating content recommendations using intermediate identifiers
is described above with respect to FIG. 5, one skilled in the art
will recognize that any of a variety of processes may be utilized
in accordance with embodiments of the invention.
Processes for Anonymous Content Consumption
[0081] A process for anonymous content consumption in accordance
with embodiments of the invention is illustrated in FIG. 6. The
process 600 includes a playback device generating (602) an
intermediate identifier P. The intermediate identifier P or a
derivative of P (e.g., a hash) may be displayed to a user on a
screen on the playback device or on a display that is in
communication with the device. In some embodiments the intermediate
identifier P is converted into a bar code or QR code that is
displayed on a TV screen connected to a satellite TV set top box
(STB). In other embodiments, the intermediate identifier P or
derivative of P may be communicated to the user by other methods or
may be saved in a file to be sent by the playback device.
[0082] The intermediate identifier P is sent (604) to a vendor
server. A vendor server may be a content server, web server, or
storefront server or combination thereof that is configured to
provide access to content in exchange for payment and is controlled
by a content retailer, reseller, or distributor. As discussed
further above, the intermediate identifier P may be communicated
via another network (a second network) or another type of
communications that provides anonymity or pseudo-anonymity when
communicating the playback device's intermediate identifier to the
vendor server. Payment for the content can be made by similar
methods. Payment may also be given by other anonymous methods such
as Bitcoin or Bitcoin pooling or being anonymized by an
intermediary such that the playback device and/or user cannot be
identified. In several embodiments, the intermediate identifier P
and payment are sent together. In other embodiments, they are sent
separately.
[0083] The vendor server or an associated rights management server
sends (606) a broadcast message containing a decryption key that
enables access to the purchased content, where the decryption key
is encrypted using the intermediate identifier P, a derivative of P
(e.g., a hash), or an identifier that identifies P. In many
embodiments, the decryption key is a frame key that can be used to
decrypt one or more frames of the content. In other embodiments,
the decryption key is a content key that can be used to decrypt one
or more frame keys. In additional embodiments, the decryption key
may be any key that is used in a digital rights management scheme
to access the content by itself or in combination with other keys.
In several embodiments, playback devices that do not possess the
intermediate identifier P are unable to access the decryption key
from the broadcast message and only the playback device that
possesses the intermediate identifier P can recover the decryption
key from the broadcast message using the intermediate identifier
P.
[0084] The encrypted content is sent to and received (608) by the
playback device. The playback device decrypts (610) the encrypted
decryption key contained in the broadcast message using the
intermediate identifier P and uses the decryption key to access
(612) the content. In several embodiments utilizing the process
described above, the vendor provides content that is accessible
only by the playback device that has intermediate identifier P but
cannot identify which playback device is the device that has
intermediate identifier P. In other embodiments the content can be
distributed widely, e.g. encrypted on peer to peer networks where
content acquisition is hard to observe. In this way, privacy of the
playback device and/or user can be preserved. Although a specific
process for anonymous content playback is described above with
respect to FIG. 6, one skilled in the art will recognize that any
of a variety of processes may be utilized in accordance with
embodiments of the invention to distribute content secured with an
intermediate identifier that protects the identity of the playback
device.
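Steps 606 and 610 of FIG. 6, in which a content key is broadcast encrypted under P and recovered only by the device holding P, can be demonstrated as follows. This is an added example, not code from the patent or from Verimatrix; it assumes a symmetric key-encryption key derived from P with SHA-256, a simplified encrypt-then-MAC construction built from SHA-256 and HMAC-SHA256 in place of whatever cipher a real rights management system would use, and a short hash of P as the address label that lets a device recognise its own message without the label revealing P.

```python
import hashlib
import hmac
import secrets


def address_label(p: bytes) -> bytes:
    """Short public derivative of P (paragraph [0083]: 'a derivative of P,
    e.g., a hash') that lets a device recognise its own broadcast message.
    The label does not reveal P, so other receivers learn nothing useful."""
    return hashlib.sha256(b"ii-addr|" + p).digest()[:8]


def _kek(p: bytes) -> bytes:
    """Key-encryption key derived from P; only the holder of P can compute it."""
    return hashlib.sha256(b"ii-kek|" + p).digest()


def wrap_content_key(p: bytes, content_key: bytes) -> dict:
    """Broadcast message carrying content_key encrypted under P (step 606).
    Added example construction, not the patent's: a one-time pad from
    SHA-256(kek, nonce) plus an HMAC-SHA256 tag (encrypt-then-MAC)."""
    if len(content_key) > 32:
        raise ValueError("content key must fit one SHA-256 block of pad")
    kek = _kek(p)
    nonce = secrets.token_bytes(16)          # fresh per message: pad is never reused
    pad = hashlib.sha256(b"ii-pad|" + kek + nonce).digest()[: len(content_key)]
    ciphertext = bytes(a ^ b for a, b in zip(content_key, pad))
    tag = hmac.new(kek, nonce + ciphertext, hashlib.sha256).digest()
    return {"label": address_label(p), "nonce": nonce, "ct": ciphertext, "tag": tag}


def unwrap_content_key(p: bytes, msg: dict):
    """Step 610 on the receiver: returns the content key, or None when the
    message is addressed to a different P or fails authentication."""
    if not hmac.compare_digest(msg["label"], address_label(p)):
        return None                          # not for this device
    kek = _kek(p)
    expected = hmac.new(kek, msg["nonce"] + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return None                          # wrong P or tampered message
    pad = hashlib.sha256(b"ii-pad|" + kek + msg["nonce"]).digest()[: len(msg["ct"])]
    return bytes(a ^ b for a, b in zip(msg["ct"], pad))


def demo() -> dict:
    """Constructed values: two devices with different identifiers, one content key."""
    p_buyer = secrets.token_bytes(16)
    p_other = secrets.token_bytes(16)
    content_key = secrets.token_bytes(16)
    msg = wrap_content_key(p_buyer, content_key)
    tampered = dict(msg, ct=bytes([msg["ct"][0] ^ 1]) + msg["ct"][1:])
    return {
        "buyer_recovers_key": unwrap_content_key(p_buyer, msg) == content_key,
        "other_device_gets_nothing": unwrap_content_key(p_other, msg) is None,
        "tampered_rejected": unwrap_content_key(p_buyer, tampered) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Because the vendor only ever sees P (or its hash), it can address the message to the purchaser without learning which physical device or account will decrypt it; the authentication tag is what stops a third party from substituting a key of its own in the same broadcast slot.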
Securing Distributed Data
[0085] The ability to distribute information that enhances the data
is also useful to secure the data. Since the intermediate
identifier is controlled by the client and required to enhance the
data, a central breach of the database would be less harmful
without the required intermediate identifiers. Storing the data
centrally and the intermediate identifier locally in the client
devices enhances the security of the central storage. In this case
the client permission, accessibility or delay when providing the
intermediate identifier would prevent a quick and easy theft of the
central data. For example, medical records may be stored in a
central location while the intermediate identifiers are stored with
the clients and need to be requested with every access, building
hurdles against easy access and enhancing security against illegal
use. Other use cases include securing the content as prescribed by
legal conditions under which data that is personally identifiable
may not be stored, stored long term, transmitted or shared. If the
data is stored with anonymous intermediate identifiers, these
processes may be legal, and personal information can be associated
later if legal conditions change or user consent is acquired.
Additional Applications
[0086] The general system discussed above can be used in a variety
of data collection and storage applications. Media consumption is
an example that can be extended past linear TV and VOD to OTT (over
the top) video, video in websites, online radio channels and
individual radio channels like Pandora. Use of recommendations can
be presented to be selected by the user or aligned in a
personalized TV channel. One example of the implementation of a
personalized TV channel that may be utilized in accordance with
embodiments of the invention is outlined in U.S. Patent Publication
No. 2014/0026052 to Thorwirth entitled "Systems and Methods for
Rapid Content Switching to Provide a Linear TV Experience Using
Streaming Content Distribution," the disclosure from which relevant
to displaying and playing back streaming content in channels is
hereby incorporated by reference in its entirety.
[0087] Other applications include consumption of utilities such as,
power, gas, water with feedback on consumption patterns and
information on how to reduce or replace consumption or how to shift
consumption to other times to be more efficient. Other information
can be provided such as time comparison or comparison to other
households that are similar in occupancy, location or size.
[0088] Other sensors in the house connected to the internet (often
called IoT, the internet of things), like light switches, sprinkler
systems, thermostats, picture frames, fridges, shopping lists or
home security systems including cameras, motion sensors, and sensors
for temperature and gases, create data that is useful to store and
that contains information the user may want to have accessible but
not associable with herself; such data can be usefully managed with
embodiments of the present invention.
[0089] Although the present invention has been described in certain
specific aspects, many additional modifications and variations
would be apparent to those skilled in the art. It is therefore to
be understood that the present invention may be practiced otherwise
than specifically described, including various changes in the
implementation such as utilizing encoders and decoders that support
features beyond those specified within a particular standard with
which they comply, without departing from the scope and spirit of
the present invention. Thus, embodiments of the present invention
should be considered in all respects as illustrative and not
restrictive.
* * * * *