1. Field of the Invention
This invention generally relates to the field of communications and more particularly to systems and methods for providing anonymous and secure communications over a network.
2. Description of the Related Art
It is well known that individuals using telecommunications networks are continuously exposed to compromises of their privacy. This issue has become particularly acute with respect to the Internet. In many cases Internet hosts, service providers and Web sites can link users with their identities, and track and create databases of their activities. Voluntary privacy policies and related certification organizations such as Truste(copyright)) have imposed some limits on Internet privacy abuses, but do not by any means assure end user privacy or anonymity.
As shown in FIG. 1, a client system 100 is connected over a telecommunications link 110 to an Internet Service Provider (ISP) (not shown) and ultimately to the Internet 150. A Web server (Third-Party HTTP server 160) is connected over its own link 161 to the Internet 150. Properly addressed Internet Protocol (IP) packets may be exchanged over the Internet 150 between client 100 and Web server 160. FIG. 1A shows the layout of a typical IP packet, including a header 191 containing, among other information, a source address 192 and a destination address 193, as well as data portions, 194, 195, comprising, in this example, 452 xe2x80x9coctetsxe2x80x9d (bytes) of data.
Client system 100 runs Web browser software 105 which establishes a display window visible to the user. Web browser 105 submits an http request 125 over the internet. The IP packet containing request 105 contains a header that is encoded with the IP address of client 100. Furthermore, Web server 160 may have previously given a xe2x80x9ccookiexe2x80x9d to client 100, containing information regarding the user of client 100. Information from this cookie may also be encoded as data within the IP request. Thus, when Web server 160 receives http request 125, it may acquire considerable identity information regarding the user, and will of course further have complete information about the action requested by the http request. The correlation of action and identity is particularly valuable to marketers, yet at the same time most threatening to users when in the hands or people out-side their confidence and control.
Web server 160 parses the http request, and processes it, serving up the Web page requested by the user, and/or conducting further processing via a xe2x80x9ccommon gateway interfacexe2x80x9d (CGI) 185, which in turn may invoke further processing via scripts and programs 180, which may in turn communicate with databases such as database 190 and/or other facilities. The requested information is sent back to client 100 by http response 175, again encoded in addressed IP packets and sent to client 100 over the Internet 150. Web browser software 105 receives the http response 175 and from it creates the appropriate screen displays or multimedia effects for the end user.
The system commonly used in the prior art to provide some means of isolating an end user from total exposure to the Internet is known as a xe2x80x9cfirewallxe2x80x9d or xe2x80x9cproxy serverxe2x80x9d. Proxy server 140 is shown in FIG. 1 as an optional addition to a prior art Internet communication system. Web browser software 105 is adjusted through a setup or configuration facility to direct and receive IP packets in the first instance from proxy server 140, instead of the usual router, gateway or similar facility of the ISP. Proxy server 140 can then intermediate, and thereby filter undesired or unacceptable input or output (which may be so deemed for any number of reasons, including security and censorship, in addition to privacy), and can also reconstruct IP packets so as to some extent mask the user""s identity. However, the operator of the proxy serve can readily retrieve, and perhaps secretly misuse, any of this information. Therefore, to be effective, the end user must trust the administrator of the proxy server in question. In a commercial setting, and most particularly in a mass market setting, establishing and maintaining such trust in an entity may not be practicable.
Another set of privacy-related systems that has been deployed to a limited extent are xe2x80x9canonymous remailersxe2x80x9d. These use various techniques to separate the body of an email message from its identifying header and to resend it the intended recipient under the remailer""s headers. The difficulty with such systems, such as the well-known remailer at anon.penet.fi in Finland, is that the server administrator has access to both the identity and content information, rendering it vulnerable to abuse or disclosure. In the case of anon.penet.fi, the disclosure was forced by a subpoena obtained by the Church of Scientology and enforced in Finland, which required the server administrator to hand over records of communications from a user that were the subject of a lawsuit by the Church against the user.
Other systems for protecting end user privacy have been developed. Typically such systems involve setting one or more proxies in series either locally on an end user""s computer or on one or more servers. Such systems generally provide privacy protection by masking the identity of the sender from third party servers.
For example, one system, Crowds, which was developed by ATandT, enhances privacy by sharing http requests randomly among a group of subscribed users. With Crowds, although the identity of a request sender can trace the identity of a request sender to the group of users, the third party cannot be traced to any specific user.
The system disclosed here provides greater security than prior solutions. The system described here goes beyond masking the identity of the sender from third parties and masks the identity of the sender from both third parties and the system itself. This masking is accomplished by separating action from identity on the client computer. By way of comparison, while the Crowds system prevents third-parties from knowing the identities of senders, the Crowds system itself has the ability to know both the identity and actions of its users. The greater security provided by the system has the additional benefit of enabling more personal communications to be sent through the system. Because the system does not rely on removing identifying information for its functionality, end users can receive the benefits of identity protection without sacrificing the ability to act as individuals rather than anonymous entities.
It is an object of the present invention to provide a system whereby, without relying on trust, an end user can securely and anonymously use communications networks. The invention seeks to provide users with a greater degree of anonymity than is available with existing technologies.
Other objects of the invention include the following:
A system that is secure. Both operational and cryptographic security are desirable. Cryptographic protocols employed in this project must preferably be both proven and xe2x80x9cstrongxe2x80x9d.
A system that does not record the actions of its users. The system should not be able to link the actions of users to the identities of users, though it may record either separately. This separation is a fundamental design objective in providing personal and portable privacy protection.
A system that functions in a reliable manner. Operation should be consistent and, in the event of failure, the system should notify its users and terminate without interfering with other functioning processes on its host computers.
A system that reduces the need for user interaction. Preferably, the services provided by the system should be transparent to its users
Preferably, a system that functions without the persistent installation of software on client computers, and is instead accessible from any compatible network computer or other access device.
Preferably, a system that functions on a wide variety of host platforms and architectures.
Preferably, a system that is able to accommodate a large number of concurrent users.
The foregoing and other objects of the invention are accomplished in an embodiment of the invention by imposing mechanisms on the client that separate users"" actions from their identity. This separation provides the basic foundation from which individuals can then take control over manifestations of themselves that exist in digital form on networks.
In one embodiment, involving use of the Internet, an http request, which normally contains both identity and action information, is separated in the first instance on the client side into action request and identity components, which are encrypted. The encrypted action and identity components are transmitted to a facility comprising an xe2x80x9cidentity serverxe2x80x9d and an xe2x80x9caction serverxe2x80x9d, wherein the identity server receives the two encrypted request components and forwards the encrypted action request component to an action server. The identity server has the key to decrypt the identity component (but not the action component), and the action server has the key to decrypt the action component (but not the identity component). The action server decrypts the action request and forwards it to the third-party server. The third-party server sends the http response back to the action server. The action server receives and encrypts the action response, and forwards it to the identity server. The identity server, which has been holding the unencrypted user identity information, receives the encrypted action response (which it cannot decipher), and forwards it to the client system, wherein the user""s browser software uses the action response in the normal manner, so as to create the appropriate displays and/or multimedia output.
The manner in which the invention achieves these and other objects is more particularly shown by the drawings enumerated below, and by the detailed description that follows.