As Peter Steiner observed in a famous New Yorker cartoon, “On the Internet, Nobody Knows You Are A Dog.” New Yorker, p. 61, Vol. 69, No. 20, Jul. 5, 1993. From the earliest days of the World Wide Web, anonymous usage has been the primary method for surfing the Web. Generally, Web surfers can visit a Web site without telling the Web site who they are. Instead, based on standard Internet protocols, the Web site (having a Web server) is told the surfer's IP address. The Web server just needs to know where the information is to be sent, not who the viewer is.
Often there is a third party facilitating the communications between a Web surfer and a Web server—an Internet Service Provider (ISP). An ISP may take on a variety of forms. It can be a standard commercial ISP, such as MSN or AMERICA ON LINE. An information technology department of a business may provide Internet access to the employees of the business and others. A home computer can host a LAN to share a DSL or cable modem line. For the purposes of this invention, an ISP is an intermediary that provides the routing of a message to a client computer system and can additionally provide other services such as e-mail, news, chat rooms, and the like.
Typically, the ISP uses one of two methods to map IP addresses to its users' computers—static IP addresses and dynamic IP addresses. Static IP addresses are permanently assigned to a user's computer. Even if the user's computer is only connected to the Internet for a few minutes each day, no one else uses the IP address assigned to that computer. Dynamic addresses are IP addresses that are placed in a pool by the ISP and assigned to users' computers on an as-needed basis. It is, therefore, possible that a single IP address will be used by a large number of computers in the course of a day. It is also possible that a single user who surfs the Web from a single computer, but in multiple sessions, in a single day would have a different IP address for each session. In addition, even if an ISP reliably identifies the computer from which a request comes, it has no way of knowing which individual is using the computer. It could be the person who set up the account with the ISP (the account holder), the spouse of the account holder, a child of the account holder, an employee of the account holder, or someone else who obtains access to the computer.
A variety of other existing conditions generally prevent a Web site from reliably ascertaining the identity of a user through the use of technologies, such as proxy servers. Among those, a proxy server discloses an IP address that may not be the IP address of the computer making the request of the server. When a proxy server is used, the Web server sends the Web page to the proxy server, and the proxy server, in turn, determines which computer has been assigned that IP address in order to send a page to the right computer. Therefore, even though the Web server does not know which computer has requested a Web page, it can use the knowledge that it has (an IP address) to send the page to the correct computer and depend on the proxy server to use the knowledge that it has (a correct mapping of IP addresses to its users' computers) to send the page to the correct computer. Also, a user may employ an anonymizing server to aid protecting the user's identity.
Further, even if a Web server knows who the current user of an account is, the Web server does not necessarily know who the account owner, the person responsible for the use of that account or who is responsible for supervising that account, is. For example, companies provide Internet access to their employees, and parents provide Internet access to their children.
Because a Web site cannot reliably depend on IP addresses to identify who a user is or even if a current user is the same person who visited a few minutes earlier, numerous techniques have been developed to identify users. The most well-known is a “cookie” that the Web site “plants” on the user's computer. A cookie is a small file that the Web site places on the user's computer that the Web site can find each time the user revisits the Web site. If the Web site finds a cookie that it planted in an earlier session, it knows that it is communicating with the same computer. Cookies are based on a “pull” technology, i.e., the Web site has no ability to contact the user, and it must wait for the user to visit it. Once the user visits the Web site, however, the Web site can read the cookie and instantly know which computer is communicating with it. However, cookies are less than foolproof because people can access an account from a friend's computer using their own account username and password and thereby make repeatable, reliable identification of a user problematic.
Another technique is to ask the user for the user's email address. Possession of a user's email address allows the Web site to use “push” technology to contact a user, i.e., the Web site can, without waiting for the user to visit the site, contact the user. Unfortunately, mere possession of a user's email address does not help the Web site identify the user the next time that the user comes to the site. In addition, many users supply false email addresses or supply email addresses acquired from free Web-based email services that they seldom, if ever, check. Also, in any case in which multiple users access a single computer and use a single email address, possession of an email address does not allow the Web site to contact a particular person.
Another technique is the use of passwords. By requiring a user to supply a password each time the user visits a site, the Web site can assume with reasonable certainty that it is dealing with the same person to whom it issued the password in an earlier session. Like cookies, passwords are a “pull” technology and not a “push” technology.
Although combinations of the above-described technologies can achieve a number of the user's and the Web site's needs, they have not solved some vexing problems. For example, Web sites catering to children now need to verify children's ages and, in some cases, need to obtain parental consent, such as under The Child Privacy Protection Act. Since children do not necessarily want their parents to know what they are doing on the Internet, they have found ways to defeat current parental notification and consent mechanisms. For example, if a Web site asks for a parent's email address, the child can create his or her own address and give it to the Web site as if it were a parent's email address. Any subsequent communications from the Web site to the parent would in fact be sent to the child. Although some procedures have been crafted to deal with this issue, they are either cumbersome or unreliable.
Another example is a teenager looking for pornography. Even if a Web site is willing to restrict access to adults, it has no practical way to distinguish between child and adult users (especially when the child does not want to be found out). The two basic solutions are to implement a registration system that enables someone to prove in advance that he or she is eighteen years old or older or to depend on the parents of the child user to purchase and install filtering software). None of the registration systems proposed to date have passed constitutional muster. Therefore, none of the burden of policing porn surfing by children currently rests with the porn site.
Therefore, it is desirous to find a solution to the deficiencies of the current systems. Desirably such a solution would implement a method to enable Web sites and other servers to reliably contact account holders without requiring the account holder to tell the Web site who the account holder is. Desirably such a system would distinguish between the user of the account and the person responsible for the account.