The “Internet of Things” describes the increasing levels of electronic interconnectedness, computing power and autonomy of behavior featured in everyday objects. Devices tend more commonly to be called “intelligent” or “smart”, reflecting built-in computational abilities that allow them to control their own behavior in response to environmental changes as well as (or instead of) user controls. Such devices typically log relatively large amounts of data, and transmit that data to other places for processing, to help monitor and improve performance.
Current and predicted examples of “intelligent” and interconnected devices include:
medical monitoring equipment in the home that receives data from medical devices, biological sensors and/or implants, and forwards the data to physicians, hospitals, device companies, researchers and so on;
wrist-worn activity trackers, with the ability to transfer logged health data to a user's computer, and to the manufacturer's servers for analysis; one example is the “Fuel Band” marketed by Nike Inc.;
the whole category of “wearable computing” including clothing made of “smart fabrics” with built-in sensors for health, sports and/or safety and the ability to alter their fabric's properties in response to feedback, as well as “smart watches” with built-in computer and Bluetooth connectivity as envisaged in this press report: http://bits.blogs.nytimes.com/2013/02/10/disruptions-apple-is-said-to-be-developing-a-curved-glass-smart-watch;
utilities “smart meters” which measure and digitize consumption of electricity and/or gas and/or water in a household at intervals of just a few minutes, and share that information with utilities companies and regulators, service providers, information brokers, and suitably enabled domestic appliances connected over Home Area Networks (HANs);
“smart” appliances are rapidly emerging on the market which offer enhanced functionality for home owners through autonomous operation and interconnectivity over local networks and/or the Internet; examples include the “smart” smoke detector and thermostat of Nest Inc. reported by Wired Magazine in 2013: http://www.wired.com/business/2013/10/nest-smoke-detector/all;
augmented reality eye glasses, an example of which is the “Google Glass”, which is reportedly able to continuously monitor the wearer's surroundings by video, apply object and face recognition, and provide rich real-time information to the wearer via acoustic speakers and/or a visual heads-up display;
automobiles with “black box data recorders” to monitor speed, location, engine functions and so on, for use in analysis of accidents or of routine performance; data recorders have been widespread in American vehicles for several years; recently the US Senate passed bill 1813 that would mandate the inclusion of data recorders in American made cars (see http://www.gpo.gov/fdsys/pkg/BILLS-112s1813es/pdf/BILLS-112s1813es.pdf); these developments arouse privacy concerns because personally identifiable information can be associated with the data recordings;
networked cars that communicate with one another and/or a base station over wireless networks for many possible purposes such as tracking and scheduling hire cars, tracing driver movements for calculating variable “pay as you drive” insurance premiums, exchanging information about driver ability, and to help avoid collisions in real time; one report playfully described a future “Internet of cars”: http://www.wired.com/opinion/2013/01/forget-the-internet-of-things-here-comes-the-internet-of-cars;
fully autonomous vehicles that can navigate for themselves with the assistance of geolocation information and real time image processing to make sense of the immediate surroundings; “driverless” cars have received limited regulatory approval in California: http://www.leginfo.ca.gov/pub/l1-12/bill/sen/sb1251-1300/sb1298bill20120223introduced html;
“smart cities” are being designed with widespread instrumentation of the built environment to help enhance energy distribution and efficiency, traffic management, roads maintenance and so on.
Tensions arise around these sorts of technologies between the need for high integrity and authenticity of data, and the need to preserve privacy of users. The Collection Limitation Principle in international privacy regimes holds that personally identifiable information should not be collected unless necessary for an explicit purpose. Therefore data generated by the sorts of networked devices described above should as a rule not be identified unless necessary. Moreover, re-identification of data by linking to third party datasets is an increasing privacy threat (see for example Latanya Sweeney “Simple Demographics Often Identify People Uniquely”, Carnegie Mellon University, Data Privacy Working Paper 3, Pittsburgh 2000). Therefore it is becoming ever more imperative that information disclosed in routine transactions relating even indirectly to people be kept to a minimum. Whenever identity is not relevant, users should where possible be assigned impersonal identifiers or pseudonyms, and data pertaining to the users indexed by those identifiers or pseudonyms. In general, by using different identifiers or pseudonyms in different contexts, it becomes more difficult for third parties to re-identify users, because data sets are harder to link.
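The linkage argument above can be shown with two constructed data sets; this is an added example, not part of the original specification. It assumes pseudonyms are derived with HMAC-SHA256 from a per-household secret (a choice made for this example; the text does not prescribe a derivation), and all names and sample values are hypothetical.

```python
import hashlib
import hmac

def pseudonym(master_secret: bytes, context: str) -> str:
    """Derive a stable, context-specific pseudonym (HMAC-SHA256 is this example's assumption)."""
    tag = hmac.new(master_secret, context.encode("utf-8"), hashlib.sha256).hexdigest()
    return tag[:16]

def link(dataset_a: dict, dataset_b: dict) -> dict:
    """What a third party holding both data sets can do: join them on the record identifier."""
    return {k: (dataset_a[k], dataset_b[k]) for k in dataset_a.keys() & dataset_b.keys()}

# Constructed sample data: two households, each with a smart meter and a networked car.
HOUSEHOLDS = {
    "household-1": b"constructed-secret-1",
    "household-2": b"constructed-secret-2",
}

def build_datasets(per_context: bool):
    """Index meter and driving data by one global identifier or by per-context pseudonyms."""
    meter, driving = {}, {}
    for secret in HOUSEHOLDS.values():
        if per_context:
            meter_id = pseudonym(secret, "utility-metering")
            car_id = pseudonym(secret, "motor-insurance")
        else:
            # Same identifier reused in every context, like a single serial number.
            meter_id = car_id = pseudonym(secret, "global")
        meter[meter_id] = {"kwh_last_interval": 0.42}
        driving[car_id] = {"km_today": 31}
    return meter, driving

def linked_records(per_context: bool) -> int:
    """Number of households whose meter and driving records a third party can join."""
    meter, driving = build_datasets(per_context)
    return len(link(meter, driving))

if __name__ == "__main__":
    print("same identifier everywhere:", linked_records(False), "households linkable")
    print("per-context pseudonyms:    ", linked_records(True), "households linkable")
```

Each data holder still sees a stable index for its own records, because the derivation is deterministic within a context.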
The present invention addresses the need to decouple personal information about a person associated with a networked device from data originating from that device. The present invention provides high integrity and authenticity of data in “machine-to-machine” interactions and the “Internet of Things” while minimizing the disclosure of personally identifiable information.
Prior Art
The present invention makes use of Public Key Certificates containing limited information relating to the user or operator of an intelligent device.
A Public Key Certificate (also known in the background art as a Digital Certificate) generally contains a copy of the certificate subject's details together with a cryptographic Public Key. Said Public Key corresponds mathematically to a Private Key which is stored securely in a device controlled by the certificate subject. The Public Key Certificate is digitally signed by an issuing authority generally referred to as a Certification Authority. Public Key Certificates usually contain additional administrative data such as cryptographic specifications to indicate compatibility with software that would make use of the certificate, validity periods, serial numbers, terms & conditions (or references to terms & conditions) and so on. Infrastructure comprising hardware, software, managed services, personnel, policy documents and administrative processes is required to manage the issuance, distribution, integration, verification and renewal of Public Key Certificates. Such infrastructure is generally known as Public Key Infrastructure (PKI).
The aforementioned characteristics of Public Key Certificates and PKI will be familiar to those skilled in computer security. It will be particularly familiar to those skilled in the art that Public Key Certificates may be configured in a variety of ways, containing different sorts of details, and that PKI may be assembled in different ways, with Public Key Certificate management functions being carried out by different sorts of organisation. Certain Certification Authorities provide means to customise Public Key Certificates to contain different sorts of details. It is also possible for organisations to procure security software and hardware with which they can issue customised Public Key Certificates for their own purpose and applications.
There exists a range of cryptographic algorithms, well known in security literature, based on diverse mathematical operations with which PKI systems may be built. Examples include the RSA algorithm based on the factorization of large integers, and elliptic curve cryptography based on discrete logarithms. The present invention may be embodied using these or other public key algorithms. Those skilled in cryptography will appreciate that continuous research and development occasionally leads to novel public key algorithms, and that the search for new algorithms continues in part because of the possibility that currently popular approaches may one day be obsolete. In addition to algorithms such as RSA and elliptic curve cryptography, the present invention will be compatible with future public key algorithms as yet undiscovered provided such future algorithms exhibit the essential asymmetry in which a Private Key value cannot be feasibly derived from knowledge of the corresponding Public Key.
We now recite aspects of the prior art known to us and relevant to understanding the improvements brought about by the present invention.
S. Wilson “System and method for anonymously indexing electronic record systems” U.S. Pat. No. 8,347,101 (hereinafter referred to as “Wilson”) describes how to use anonymous Public Key Certificates to bind a record system pointer to a portable storage device such as a smartcard under the control of an individual. Wilson provides for anonymous indexing of records such as electronic health records when the individual is present at the time of the records being created and by unlocking their smartcard consents to be represented in the records. The present invention addresses the more general problem of privacy of data produced automatically by intelligent and networked devices, by arranging for Public Key Certificates containing limited information to be associated directly with the intelligent device.
The present invention is particularly concerned with what may be called “embedded” cryptographic functions in intelligent devices; that is, functions involving cryptographic keys stored within the device and invoked automatically by the device (through programmed or hard wired logic) to perform security operations such as authentication. There is abundant prior art describing embedded cryptographic functions in devices such as digital cameras; see for example Friedman (U.S. Pat. No. 5,499,294), Buer et al (European Patent EP 1072149) and J. Kelsey, B. Schneier and C. Hall “An Authenticated Camera” in Proceedings of 12th Annual Computer Security Applications Conference, 1996.
Digital signature functions are included in some commercial digital cameras; see for instance http://cpn.canon-europe.com/content/education/infobank/image verification/canon data verification system.do and http://imaging.nikon.com/lineup/software/imag auth.
The aforementioned patent specifications and academic paper all describe digital signatures on photographs being produced by a digital camera. Buer et al discloses that a public/private key pair is generated when a digital camera is manufactured, and the public key is recorded by a Certification Authority so that the public key may later be used to authenticate a photograph produced by a particular camera. Public Key Certificates described in the digital camera prior art are used to disseminate reliable copies of public keys corresponding to private keys that generate digital signatures, so that those digital signatures may be verified to evince the authenticity of the signed photograph. However, Public Key Certificates described in the digital camera prior art do not provide for conveying selected particulars about the photographer. In contrast the present invention provides for a photographer controlling a digital camera to have selected particulars about themselves represented in a Public Key Certificate associated with a Private Key held in the camera and for those particulars to be reliably bound via digital signature to the photographs produced by the camera, without necessarily disclosing any other identifying information.
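A minimal sketch of the arrangement just described, added here as an illustration and not taken from the specification: a certificate whose subject carries one selected particular and nothing else, bound to a key held in the device. It assumes the Python `cryptography` package, ECDSA on P-256, and the X.509 pseudonym attribute as the carrier; the CA name, pseudonym and image bytes are constructed, and validity-period and revocation checks are left out.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ECDSA_SHA256 = ec.ECDSA(hashes.SHA256())

def issue_certificate(ca_key, ca_name, device_public_key, pseudonym):
    """CA signs a certificate whose subject holds only a pseudonym, no other personal details."""
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.PSEUDONYM, pseudonym)])
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(ca_name)
        .public_key(device_public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(ca_key, hashes.SHA256())
    )

def verify_device_data(ca_public_key, cert, data, signature):
    """Return the certified pseudonym if certificate and data signature both verify, else None."""
    try:
        # 1. The certificate really was issued by the trusted CA.
        ca_public_key.verify(cert.signature, cert.tbs_certificate_bytes, ECDSA_SHA256)
        # 2. The data was signed by the private key matching the certified public key.
        cert.public_key().verify(signature, data, ECDSA_SHA256)
    except InvalidSignature:
        return None
    return cert.subject.get_attributes_for_oid(NameOID.PSEUDONYM)[0].value

def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())      # held by the Certification Authority
    device_key = ec.generate_private_key(ec.SECP256R1())  # held inside the camera
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA (constructed)")])
    cert = issue_certificate(ca_key, ca_name, device_key.public_key(),
                             "accredited-press-photographer-7731")  # constructed particular
    photo = b"constructed image bytes"
    signature = device_key.sign(photo, ECDSA_SHA256)
    return (
        verify_device_data(ca_key.public_key(), cert, photo, signature),
        verify_device_data(ca_key.public_key(), cert, photo + b"tampered", signature),
    )
```

The verifier learns only what the CA placed in the certificate subject; a modified photograph fails the second check and yields no attribute at all.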
Embedded authentication functions are becoming increasingly widespread in intelligent devices. The advent of the Internet of Things has driven the development and deployment of general purpose security elements suitable for embedding in the manufacture of many different sorts of devices. An exemplar is the “Machine-to-Machine Identification Module” (MIM) which is based on the long standing Subscriber Identification Module (SIM) integrated circuit familiar in mobile telecommunications. MIMs typically include the ability to store one or more private keys associated with Public Key Certificates, and to create digital signatures using those private keys.