In order to transact business or conduct any other interaction, it is necessary for the parties involved to exchange certain information about themselves. But when this information is private or otherwise valuable, there is a risk that the information provided will be revealed in undesirable ways. Breaches of computer security at online commerce sites have resulted in the compromise of sensitive customer data on numerous occasions; loose administrative procedures, corporate acquisitions, and the sale of customer databases have had the same result at least as often. Because of these risks, it is desirable to minimize the amount of information that is exchanged, and in particular to avoid providing private information to any party that does not in fact need to have it.
In carrying out multi-party transactions, it is common for information to be passed to a party that does not actually use the information itself, but merely passes it on to a third party for their use. For instance, in a retail e-commerce transaction where an individual purchases a book at a Web site, the individual will usually provide a mailing address to the Web site, even though the Web site does not use the address itself; it merely passes it along to the shipping company. The present invention reduces the amount of such unnecessary provision of information.
In the recent past, considerable attention has been paid to protecting private information, particularly in on-line systems such as the World Wide Web. The Platform for Privacy Preferences Project (“http://www.w3.org/P3P/”) seeks to standardize the representation of Web site privacy policies, and the privacy desires of users, in order to give users more knowledge of and control over the information that they give out. Standards of practice such as the U.S. Code of Fair Information Practices (Secretary's Advisory Comm. on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens, U.S. Dept. of Health, Education and Welfare, July 1973), the Canadian Standards Association's Model Privacy Code (“http://www.media-awareness.ca/eng/issues/priv/resource/csa.htm”) and similar practices legally required within the European Community attempt to define, through standards or legislation, the measures that parties which are in possession of private information must take to reduce the likelihood that the information will be misused. The American Express “Private Payments” service (“http://www.americanexpress.com/privatepayments”) provides a temporary limited-life credit-card number, to reduce the time-window during which the information could be abused. Internet RFC 2778 (“http://www.ietf.org/rfc/rfc2778.txt”) provides for methods whereby the user of an instant messaging system may conceal or otherwise obscure certain private information (in particular, presence information) from other users. None of these ideas address the specific issue of unnecessary information exposure in multi-party transactions.
The present invention solves the problem of providing unnecessary information to parties in a multi-party transaction by providing each party only that private user information that the party actually requires in order to carry out its role in the transaction, while at the same time providing enough information to allow the various parties to the transaction to make the necessary correlations between their views of the user.
For instance, in the simple case of buying a book at a Web site, the user would (in one embodiment) first obtain from the bookseller contact information for the shipper and the credit-card fulfillment service the bookseller wishes to use. Next, the user would obtain (in a manner that will be specified below) a unique identifier. The user would provide the unique identifier and a list of the desired books to the book-selling site. The user would next provide the unique identifier and the proper mailing address to the shipper, and the unique identifier and the appropriate credit-card number to the credit-card site. The book-selling site would send a request to the credit-card site, giving only the amount of the transaction and the unique identifier; the credit-card site would find the credit-card number based on the previous message from the user, debit the account, and return an acknowledgment to the book-seller. The book-selling site would then package up the book and request that the shipper ship it to the address corresponding to the unique identifier (that address is known to the shipper from the previous message from the user, but unknown to the book-seller). The user has now obtained and paid for a book, without revealing to the bookseller either the shipping address or the credit-card number. The user has exposed less private data to fewer parties, and the parties have less private data that they must safeguard. The customer may be willing to pay a premium, or at any rate may have increased feelings of loyalty and comfort toward the parties involved, because of these improvements to the transaction.
Note that in the current, known system, where many vendors possess databases containing significant amounts of personal information about a multitude of users and customers, compromise of any one of these vendors exposes all that personal information. An advantage of the present invention is that, when each vendor possesses only that information that is actually needed for one part of a transaction, the full set of personal information is exposed only if all the vendors involved in some transaction are compromised simultaneously. This drastically reduces the likelihood of the event.
Vendors typically desire to provide many services in addition to simple selling: discounts, frequent-buyer programs, recommendation services and so on are important value-added services in the modern market. The use of this invention does not prevent vendors from providing these services; it does not “blind” vendors to necessary information about customers, it only relieves them of the burden of receiving private customer information that they do not in fact need.