Increasing use of the Internet has created new and expanded concerns relating to security of personal information disclosed by consumers or other users in the course of online transactions. For example, online purchase transactions often require a consumer to disclose potentially sensitive personal information to the corresponding web site operator or vendor. Such information generally includes the name, address and payment card number of the consumer, but may also include more sensitive information such as passwords, date of birth, social security number, drivers license information, mother's maiden name, bank account information, etc.
Disclosure of such information to multiple online vendors or other web site operators, e.g., by entering into a series of transactions with different web site operators over a period of time, substantially increases the likelihood that such information will be misappropriated and lead to fraud, identity theft or other undesirable consequences for the consumer.
Another problem associated with the disclosure of personal information to web site operators is that the operators may make use of the personal information in a manner that the consumer may well consider unacceptable. Currently, web site operators routinely place a “cookie” on the consumer's machine during an initial web session. The cookie is often correlated with a consumer profile developed in the operator database, such that information freely given by the consumer can be combined with other information either deduced from the consumers actions during a web session, e.g., purchasing patterns or other behaviors, or combined with other profile information, available from other parties, that can be matched up with one or more identifying characteristics of the consumer, such as name, address, etc. And, with such cookies in place, a web site operator can identify consumers as they re-visit the site and thereby provide more directed content, marketing or other offers to the consumer. More recently, online profiling has reached new heights in obtaining information about consumers online, as well as combining such information with data obtained in the offline world. While there are certain benefits to the consumer resulting from such profiling, e.g., personalized marketing resulting in better offerings to consumers, it is at the expense of the uncontrolled proliferation of databases containing what in many cases may be confidential information about the consumer.
One approach to providing protection of personal information in online transactions is through the use of so-called “anonymous currency.” This approach generally incorporates cryptography-based authentication verification processes, and allows electronic currency to be passed between entities without the disclosure of personal information. A consumer can thus make a purchase online by transmitting to an online vendor electronic dollars having a verifiable value but carrying no personal information regarding the consumer. Although this approach is technically feasible, it suffers from a number of significant drawbacks. For example, anonymous currency generally requires specialized devices at various points in the transaction processing path, such as at the consumer and vendor machines. Many consumers and vendors are understandably reluctant to invest in this new infrastructure without some assurance of widespread adoption by others, i.e., a “critical mass” of adoption.
A second problem with anonymous currency is that there are multiple competing anonymous currency protocols, each with their own backers and benefits, all vying for the opportunity to be adopted as a standard. Thus, independent of any specific technical merit of the approach, the industry has been unable to reach agreement on a particular anonymous currency protocol, and as a result the needed infrastructure has not been deployed by consumers and vendors.
Another approach has been to attempt to develop an online payment card clearinghouse mechanism analogous to that used for offline transactions. An example of this approach is the Secure Electronic Transactions (SET) protocol proposed by VISA and MasterCard. The SET protocol utilizes digital certificates to verify that customers are authorized to use corresponding payment cards for online transactions and that merchants are authorized to accept such cards. The SET protocol has been described at http://www.visa.com/nt/ecomm/security/set.html as “the electronic equivalent of a consumer looking for a Visa decal in a merchant's store window, and a merchant checking the consumer's signature on the back of a Visa card.” The SET protocol also provides for the protection of consumer payment information through the use of encryption. However, as another broad-based infrastructure solution, SET suffers from problems similar to those of anonymous currency, i.e., a hurdle of critical mass adoption, and difficulty in resolving standards issues relating to industry adoption of new protocol.
Given the problems associated with the above-described anonymous currency and payment card clearinghouse approaches, the escalation of electronic commerce has been enabled in part by another approach, known as the secure socket layer (SSL). SSL is an Internet protocol which creates a secure session key to protect communications between a server, e.g., a host web site, and a client, e.g., a browser running on a consumer machine. SSL protects information transmitted over an otherwise insecure channel from unauthorized surveillance or eavesdropping. With the protection afforded by SSL, consumers have shown greater willingness to provide their personal information over the Internet for the purposes of online transactions. Unfortunately, although SSL does secure the communication link over which the personal information is transmitted, it does not protect that information in any way once it emerges at its destination, i.e., the web site server. Accordingly, vast amounts of personal information have continued to accumulate in an unprotected manner in the databases maintained by web site operators.
Consumers are becoming increasingly aware of the problem posed by the accumulation of their personal information by web site operators. See, e.g., “Privacy: Outrage on the Web,” Business Week, pp. 38-40, Feb. 14, 2000, and Q. Hardy, “Window Shopping,” Forbes, pp. 62-64, Jan. 24, 2000. In addition, hackers have recently engineered high-profile thefts of payment card numbers and other consumer personal information from web site operator databases, thereby making the problem even more apparent to consumers.
Although a number of anonymity services have been developed to provide anonymous web browsing, such services generally fail to extend anonymity into the context of purchases or other online transactions, and thus fail to solve the problems associated with personal information being stored by web site operators. Examples of such anonymity services include the Enonymous™ advisor from enonymous.com, http://www.enonymous.com, and the Freedom™ product from ZeroKnowledge, http://www.freedom.net. These and other similar services generally allow a user to protect their personal information during web browsing. However, once a user wants to enter into a transaction at a given web site, e.g., to purchase an item for delivery or download, that user must give up his or her anonymity and deliver personal information to the web site operator in a conventional manner, e.g., via an SSL connection. The personal information so delivered is then subject to the problems previously described. Moreover, once the personal information has been delivered, the web site operator can make a connection between the alias and the actual user, such that the user will need to select another alias in order to ensure anonymity for future browsing activities.
Accordingly, what is needed are techniques for providing end-to-end user anonymity for online transactions, such that users need not be required to disclose personal information to multiple web site operators in order to enter transactions with those operators. Such techniques should also be implementable without the need for infrastructure changes or new standards that require a certain critical mass point for adoption.