Historically, the area of user authentication and content control generally involved users authenticating against factors or secrets to gain access to a device, web or cloud-based resource, or assets. All such security assertions emanated from and was authored and controlled by the hosting site or application, be it a website, cloud storage, game, media content, social media platform, chat, or messaging platform. Despite end users independently sharing content over many of said sites, apps, and networks, the security was hosted and controlled by the central site, acting as a hub and spoke. Peer-to-peer trust and security, as defined, authored, and controlled by the peers (as opposed to a central website or asset/resource host) has thus remained elusive and the subject of “alternate” networks, channels or secret methods offline from the general online milieu. Users could only establish trust of the other peer user(s) or enforce access to their shared content through permissions and mechanisms, both unique to (isolated) and under the guise of the central site, app platform, or network itself, such as Facebook® or Dropbox®. Users presently share over 50 billion pieces of content per day on mobile devices, peer-to-peer, without any such individual trust, control, or capabilities.
This reality has left a missing area in existing systems with respect to end user peer authenticity validation and content control over assets and information, in which users independently share between or among third party sites, apps, and networks. In addition, user-authored tools and techniques to construct, apply, and enforce said security amongst their assets and peers have been wholly absent from the prior solution due to three primary reasons. First, the hosting sites, apps, and networks hold a commercial interest in maintaining sole control over the end user security, identity, privacy (or lack thereof), encryption, and authenticity in so much that their commercial purposes and competitive advantage are being served. Second, these site, app, and network security tools are typically limited to the platform in question and generally do not transcend particular platforms, as end users do themselves during the normal course of their digital lifecycle. Third, such walled-garden authentication tools serve primarily to verify the end user only to the platform itself, thereby causing the site to proxy that trust to other users and other content without distinct and individual user control, configuration management, application, obfuscation, and repudiation of said credentials and contexts.
Existing digital identity solutions, secure messaging apps, and account-based platforms (e.g., social networks, cloud storage, email, voice calls, and secure or encrypted messaging) force the sending user to trust the interim platform identity mechanism without tools or any options to assert, interrogate, or increase the trust rigor on a peer-to-peer, one-to-one, or one to many basis. The sender must simply take the cloud's word for it when it comes to trusting his or her crowd on the other side of the channel. The sender must also relinquish all control over content sharing to the cloud in terms of delivery, verification of the accessor (the person accessing the system), and what happens to the content once it has left the sender device or platform walled garden, such as revocation and modification after the fact. Once again, the sender has no tools or methods at their disposal to enforce real-time, granular controls over who, what, where, when and how content is accessed and shared on a peer-to-peer basis or even monetize the access to that content over any channel. The majority of hacks, breaches, and digital crimes fall into exactly these two categories: user-to-user trust at third party sites, platforms and payments, and the account takeover to access and illicitly share content, whether it be hacked, stolen, or posted on the Internet without the author's or sender's permission (e.g., Sony). It is never the case that the perpetrator presents invalid credentials to breach and access the content or trust. In fact, it is most often the stolen but proper credentials that are used in the wrong context, but that the primary platform cannot discern and protect. As a result the valid end user or content owner is left without tools or notification to protect himself or herself and his or her assets in these instances.
Finally, the current approach to authentication security and content control as covered by traditional measures (shared secrets, device recognition, location, biometrics, tokens, out-of-band, one-time-passwords, key-based encryption) are too linear, cumbersome, costly, unscalable, and uncreative to serve the needs of a contemporary, omni-channel, and user-driven approach to customize trust and security. These security measures have failed to produce a fully interactive, private, user-controlled approach to peer-to-peer trust and peer-to-peer sharing of assets and information, either by value or reference, across existing public and private networks, devices, sites, applications and platforms. These security authentication measures also have failed to provide a solution of this caliber that does not require physical installation of tokens, certificates, or credentials on one or more mobile devices whose counterpart lives in the host or website database for the purposes of establishing user or device identity and the keys for asset integrity, encryption/decryption. The way to overcome this dearth of innovation is to craft an autonomous and interactive system and method that provides crowd, versus cloud, control over identity, privacy, authenticity, and content.
The first challenge is to design a system where users can simply and easily identify and independently authenticate other peer users across public networks, over and above the assumed identity and authenticity offered by the interim platform in the form of an account name, account ID, or other hosted security components the user must trust implicitly. Outside of that patronized channel or device, the user must be able to triangulate and impose their own requirements of rigor in order to validate the user against his or her identity, location, device, action(s), knowledge, or a combination thereof, against fixed or dynamic thresholds. They must be able to do this mutually, synchronously, asynchronously, and across disparate networks, platforms, devices, and contexts.
The second challenge is to design a system where users can independently control and natively monetize content shared with other users across any device, network or platform, regardless of the content asset type, location, duplication, transmission or format, and regardless of its ownership or hosting status—in terms of content by reference (a link) or by value (an attachment). Current authentication measures generally cover control of said content at the vendor level in bespoke or proprietary walled gardens, such as Facebook®, Instagram®, WhatsApp®, Box®, Dropbox®, or other custom silos where rules are enforced at the point of local access, according to those platform's rules. Despite owning the hosted or shared content, users are capable of only manipulating those rules and monitoring the enforcement, rather than, authoring or controlling them, regardless of the hosting platform or network. The goal is to treat monetization just like any other security factor that must be holistically “passed” in context in order to achieve access. In addition, the nature of the payments between peers must reflect the privacy, freedom, and individuality of the share control itself, thus avoiding the platform control, permission or fees related to such transactions made between peers. This would result in saving up to thirty percent of in-app fees for P2P content monetization transactions without having that revenue shared with platform. The challenge also involves both independent encryption and reverse proxy methods, both of which put the power to control and revoke in the hand of the users and blind the hackers' interim plumbing with respect to the source origin and content of the shares as well as its authors or lineage.
The third challenge is to design a system where users can ideally merge the concepts of user authentication, share or asset authentication/control, and monetization into a single, combined, contextual event—with individual, real-time control regardless of the interim channels. No share or asset is considered independent (and therefore accessible) outside of the event of access by a user(s) in a particular context. In short, assets should be protected in contextual motion (during access) rather than at static rest. Balancing security in favor of this user+share authentication context generally increases protection and customization while reducing persistence and predictability, along with a host of other techniques that sidestep the liabilities, cost, complexity, lack of scalability, risk, and management of traditional multi-factor or file encryption methods.
The fourth challenge is to design a system that preferably contextualizes all possible security factors into a dynamic, dependent, and interactive context, as opposed to mere validation of static stored, linear, or sequential credentials. The ideal trust context would preferably comprise: a) one or more devices and their unique properties, presence, and performance; b) location and proximity measurements according to individual or composite perspectives of the sender, recipient, device and invention service; c) the voluntary or involuntary behavior of the user and his or her device(s), such as touch, gesture, motion, orientation, biometrics, sound, vision, etc.; d) knowledge or secret data information, whether challenged and responded, shared, and/or self-authentication for derived/algorithmic; e) the ability to time, trigger, or revoke the trust or content access based on fixed, relative, or dynamic criteria; and f) the ability to conduct direct, peer-to-peer electronic payments between senders and recipients, as criteria for optional user access are programmatically treated like any other security test. A combination or isolation of one, several, or all of these factors, in a particular context, would be required to simultaneously and interdependently authenticate the share asset and its user access, together. Ideally, these contexts are peer-to-peer authored and enforced, rather than centrally managed by the shared host, website, or federated identity system outside of the invention, disclosed herein. Also, ideally, the mechanisms for validating authentication, decrypting assets, or monetizing access are neither: (1) stored on the device or social/messaging network platform nor (2) transmitted as key-value pairs over the network during any portion of the transaction.
The fifth and final challenge is to design a system that preferably maintains the end-user privacy and utmost control (at a peer-to-peer level) through all of these mechanisms, offering the ultimate freedom to trust, share, secure, and monetize the peers and content without fear of hacks, compromise, privacy invasion, or reprisal. By creating an intelligent system of access, denial, assertion and even validation, the sender, receiver, and assets would remain secure and private, both physically and cognitively. It also requires systemic protection from privacy exposure with commensurate assurances the security in question is offline from the asset and platform in terms of independence and anonymity.
Current peer trust and content security measures fail to offer a solution that covers the unique present system without the following traditional pitfalls of: a) relying on stored value tokens, cookies, or certificates (e.g., pretty-good-privacy (PGP)) to pre-bake user endpoints and devices as trusted participants; b) relying on key, shared-secret, or identity-based encryption between peers that must be authored, stored, or shared with the hosting messaging channels or networks themselves; c) reliance on third-party transmission of out-of-band or one-time passwords or tokens; d) naive federation of trust among different vendor systems outside the user control, thus offering a single point of repeatable failure; e) a cumbersome local storage of keys and encryption tools to simply “obfuscate” the validation or protection in terms of mathematical indirection versus true, derived, and universally unique authentication; f) complete obviation of cross-context user control over their security, trust, content, and privacy in deference to the moonlighting or federated hosting site, server, or issued credentials; g) lack of independent user or peer authorship, participation, and ownership of the security process; h) lack of capabilities to support user or peer maintenance or enforcement of their own privacy and integrity across disparate communication channels and platforms; and i) a lack of support for both synchronous or asynchronous enforcement of authentication and asset control.
Current end-to-end encryption systems for content control implemented by DropBox®, Whisper®, WhatsApp® and Telegram® also fail to serve the need by retaining central and platform-specific control of the encryption and identity permissions to unroll and access the encrypted share content without individual and independent power over those elements by the end users themselves. All systems before the current system fail to reverse-proxy (hide the source origin) of content once accessed, making unsecured duplication and illicit transmission of said content to other unauthorized users a trivial exercise. The primary owner/sender of the shared content has no ability to rescind, revoke, or retrieve the content beyond the initial sharing platform plumbing. These systems also require users to leave their current messaging or social channels and “join” another secret channel. This switching mandate creates friction and fracturing of the already existing lines of connection and communication. The ideal solution would work over any existing social or messaging channel, eschewing the need to switch platforms, identities, or applications to conduct secure, controlled, and monetized sharing.
Current content-monetization platforms deny peer-to-peer implementation where one user shares and monetizes content directly with another user, irrespective of the platform or their commerce capabilities and fees. Only command-and-control style content monetization, driven by ads or platform-specific in-app purchases, and subsidized by huge platform fees upwards of thirty percent of the transaction, is presently supported by the major social and messaging networks. This traditional approach has stifled the potential growth of monetizing shared social and personal content and denied the portability of peers to transact privately and profitably across any communication or messaging channel.
There are various examples of inferior authentication, content protection, and monetization measures, and inadequate historical as well as contemporary embodiments of solutions in this invention area, all of which will be detailed and contrasted in the balance of this application.
The following table includes a representative selection of references that are: (1) relevant to the present system; (2) inferior to the present system; (3) have significant deficiencies; and (4) fail to solve the problems addressed above that are solved by the present system, which is described below.
Pat. No.TitleInventor(s)US 20140129953 A1Apparatus and method for singleSpiegelaction control of social networkprofile accessU.S. Pat. No. 9,237,202 B1Content delivery network forSehnephemeral objectsU.S. Pat. No. 8,909,725 B1Content delivery network forSehnephemeral objectsU.S. Pat. No. 8,428,453 B1Single mode visual media captureSpiegel, MurphyU.S. Pat. No. 9,251,370 B2Personal content control on mediaKowalik, Wielgusdevice using mobile user deviceU.S. Pat. No. 8,423,409 B2System and method for monetizingRaouser-generated web contentUS 20090132341 A1Method and System for MonetizingKlinger, WadaUser-Generated ContentEP 2887246 A1Method to share content with anJiang, Valverdeuntrusted deviceU.S. Pat. No. 9,294,485 B2Controlling access to shared contentAllain, Subrahamiin an online content managementsystemU.S. Pat. No. 8,904,480 B2Social authentication of usersCastro, TopkaraU.S. Pat. No. 7,003,117 B2Identity-based encryption system forKacker, Appenzeller,secure data distributionPauker, Spies
Thus, based on the foregoing, a need exists for a peer-based authentication and content control system and method for providing the same. The peer-based authentication and content control system and method preferably overcome the deficiencies in the systems currently available. The embodiments in the present disclosure preferably solves these deficiencies and generally represents a new and useful innovation in the space of independent and interactive peer-to-peer authentication and content protection and monetization across all mobile networks, platforms and devices.