EP3818461A1 - Vehicular data privacy management systems and methods - Google Patents
- Publication number: EP3818461A1
- Authority: EP (European Patent Office)
- Prior art keywords: data, user, vehicle, shadow file, request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/106—Enforcing content protection by specific content processing
- G06F21/1066—Hiding content
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2143—Clearing memory, e.g. to prevent the data from being stolen
Definitions
- This disclosure generally relates to data privacy and the management of data privacy on devices, such as techniques for enabling shared portable and/or embedded systems to comply with data privacy regulations.
- Private user data can include any of a variety of data that is generated by or related to users.
- Private user data can include data that users actively provide, such as name, address, images, search queries the user enters into a search engine, and/or other information.
- Private user data can also include data that is passively generated in association with users, such as a log of geographic locations a user has visited that is generated by a user’s mobile device (e.g., smartphone, wearable device), audio that is passively captured by a user’s smart speaker device, and/or other passive information.
- GDPR defines a number of “data subject rights.”
- One such right is the “right to be forgotten,” also known as Data Erasure.
- The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further
- GDPR also introduces a requirement for data portability. Data subjects have a right to receive the personal data that they have previously provided back in a commonly used and machine-readable format.
- GDPR also requires “privacy by design,” which calls for the inclusion of data protection from the onset of the designing of systems, rather than as an addition. More specifically, controllers are required to implement appropriate technical and
- Controllers are also required to hold and process only the data that is absolutely necessary for the completion of their duties (data minimization), as well as limit access to personal data to those needing to act out the processing.
- This document describes systems and techniques for better protecting and managing data privacy, which can permit users to maintain better control over their private data and can also assist device manufacturers in complying with data privacy regulations.
- Data privacy and new regulations pose a variety of challenges to both individuals and device/service providers, including how to comply with government regulations on data privacy.
- The disclosed technology can assist both groups in better managing data privacy and complying with data privacy regulations, including on devices and in systems that are shared across multiple different users.
- A system for managing private user data includes a processing system, a data storage system configured to store instructions for the processing system, and a shadow file system configured to store private user data that is generated or used by the processing system, wherein the shadow file system is positioned between the processing system and the data storage system.
- The system can further include a non-transitory computer-readable medium coupled to the processing system and having instructions stored thereon that, when executed by the processing system, cause the shadow file system to perform operations including:
- The shadow file system can be configured to store a plurality of collections of private user data for a plurality of users, wherein each collection of private user data comprises all of the data associated with corresponding ones of the plurality of users.
- The operations can further include receiving an identifier that identifies a user; receiving a request to perform a data interaction to add, read, write, modify, or delete a collection of data; identifying the request as a request to perform operations upon data associated with the identified user; identifying a collection of data associated with the identified user; and performing the requested interaction upon the identified collection of data in the shadow file system.
- Performing the requested interaction upon the identified collection of data can further include performing the requested interaction upon only the identified collection of data.
- The data interaction can be a request to delete the collection of data associated with the identified user.
- Performing the requested interaction can include deleting the collection of data associated with the identified user such that all of the identified user's data stored by the system is deleted from the system.
- The operations can further include rendering the deleted collection of data substantially unrecoverable.
- The data interaction can be a request for a copy of the collection of data associated with the identified user.
- Performing the requested interaction can include providing another collection of data that comprises copies of the data within the collection of data associated with the identified user, such that all of the identified user's data stored by the system is exported from the system.
- The disclosed technology can provide enhanced and improved data privacy management, including for devices and systems that are used and accessed by multiple different users. This can aid users in more effectively controlling and managing their private user data, and can also assist companies in complying with data privacy regulations.
- The disclosed technology can provide mechanisms for companies to comply with regional data privacy regulations without having to revamp or reengineer their systems. Without the disclosed
- An additional layer can be added between the operating system and the file system to create a data privacy layer that can provide automatic compliance with government data privacy regulations without having to reconfigure or reengineer the system.
- The disclosed technology can enable systems to keep multiple users’ data separated and private, even though their data is being stored on the same file system and the same devices.
- FIG. 1 is a schematic diagram that shows an example of a system for providing data privacy.
- FIG. 2 is a block diagram that shows additional details of a system for providing data privacy.
- FIG. 3 is a schematic diagram of users and data enabled devices.
- FIG. 4 is a schematic diagram of an example data enabled device.
- FIG. 5 is a flow diagram of a process for providing data privacy.
- FIG. 6 is a block diagram of computing devices.
- GDPR: the European Union’s General Data Protection Regulation (EU GDPR)
- GDPR presents a number of challenges for vendors who traditionally handle private user data; vendors such as online websites that use user accounts, database providers who store user data, application developers and providers who handle data that could be considered as being private.
- Such systems and vendors are challenged by the requirements of GDPR, but the solutions to such challenges can be built upon capabilities that generally already exist in their underlying systems. For example, it is more of a logistical challenge than a technical one to add a function to a website user account to export or erase all the data pertaining to a particular user.
- The systems and techniques described below provide ways for shared data devices to keep user data private, exportable, and removable (e.g., forgettable) by utilizing a shadow file system for private user data.
- All the data that is stored for a particular user is stored in its own separate store (e.g., file, folder, partition, volume).
- The contents of the store can be exported.
- The store can simply be deleted or reformatted, and in some cases, anonymized (e.g., overwritten to thwart recovery of the deleted data, modified to remove user identifiers from data).
- Such operations can take place locally, such as through a user interface provided by the device (e.g., a touchscreen of a car infotainment system), and/or the operations can be performed remotely (e.g., remote administration console of a car rental company in wireless communication with the rental vehicle, another ECU in the vehicle, etc.).
- FIG. 1 is a schematic diagram that shows an example of a system 100 for providing data privacy.
- The system 100 includes a server 102, a collection of client devices 104, and a client device 110 in communication over a network 106 (e.g., the Internet, cellular data network).
- The server 102, the client devices 104, and the client device 110 can be configured to collect and/or store private user data.
- The server 102 can be a database or web application server that makes use of user accounts.
- The client devices 104 and 110 can be computers (e.g., PCs), smart phones, tablet computers, embedded infotainment systems (e.g., car onboard navigation and communication systems), “smart” televisions, video game consoles, smart home controllers, or any other appropriate system that can store data that might be considered as being private for a particular user.
- The client device 110 includes an operating system 115 that is accessible by one or more applications 120 (e.g., apps, software programs).
- The applications 120 process data, including private user data, for storage in a file system 125.
- The client device 110 includes a shadow file system 130 for the storage of private user data.
- The shadow file system 130 sits on top of the file system 125 and is configured to determine whether a file will be stored in the file system 125 (non-user data) or the shadow file system 130 (private user data).
- FIG. 2 is a block diagram that shows additional details of an example of a system 200 for providing data privacy.
- The system 200 can be all or part of the example shadow file system 130 of FIG. 1.
- The system 200 includes a shadow file system coordinator 210.
- The coordinator 210 acts as a middleware layer between one or more software applications 220 and a file system 230.
- The file system 230 is a data storage system (e.g., hard drive, flash memory, RAM, ROM) that stores various kinds of data.
- The file system 230 stores data that is user-agnostic, such as an operating system 232 and application data 234.
- The file system 230 also stores sets of user-specific data 236a-236n. Each set of user-specific data 236a-236n represents data stored by the operating system 232 and/or applications 220 for a specific user or user account.
- One of the applications 220 can be a contact database application, where the user-specific data 236a can store the contacts of User A, and the user-specific data 236b can store the contacts of User B.
- The coordinator 210 is configured to receive a user identifier 240.
- The user identifier 240 is information that can uniquely identify a user among many such users.
- The user identifier 240 uniquely identifies “User B” from, e.g., User A, and User C through User N. Based on the user identifier 240, the coordinator directs file system operations to a specific one of the sets of user-specific data 236a-236n. In the illustrated example, since the user identifier 240 identifies User B, the coordinator directs file system operations to the user-specific data 236b, effectively isolating the user-specific data 236b from being accessed by the operating system 232 and the applications 220 while User B is active, and effectively prevents User B from accessing the user-specific data 236a and 236c-236n.
- Each of the sets of user-specific data 236a-236n is effectively independent and separable from each of the other sets.
- Each of the sets of user-specific data 236a-236n can be stored as a separate volume or partition of the file system 230.
- The user identifier 240 can be used to help determine which volume or partition to mount for use by the operating system 232 and the applications 220 while a particular identified user is using the system 200.
- The user identifier 240 can be used as part of a middleware process performed by the shadow file system coordinator 210, in which file system operations (e.g., from the operating system 232 and/or applications 220) are intercepted and redirected to a specific one of the sets of user-specific data 236a-236n.
- User-agnostic and/or privacy-unaware data storage operations performed by the operating system 232 and/or the applications 220 may be performed in a data-isolated manner without requiring modification of the operating system 232 or application data 234, due to the operational modifications provided by the shadow file system coordinator 210.
- The shadow file system coordinator 210 can also be configured to receive one or more user data requests 250 from a user 260 (e.g., User B).
- The user data requests 250 can be requests for a variety of operations, particularly those related to data privacy and compliance with various regulatory requirements.
- The user 260 has a right to export his/her private data.
- The coordinator 210 can be configured to comply with this requirement by permitting the user 260 (e.g., User B) to identify himself/herself (e.g., by logging in and providing the user identifier 240) and submit a data export request as the data request 250.
- The coordinator 210 can access the user-specific data 236b for User B and transmit or otherwise provide (e.g., as an archive file) the user-specific data 236b to the user 260.
- The user 260 has a right to be “forgotten”.
- The coordinator 210 can be configured to comply with this requirement by permitting the user 260 (e.g., User B) to identify himself/herself (e.g., by logging in to provide the user identifier 240) and submit a data deletion request as the data request 250.
- The coordinator 210 can delete, overwrite, reformat, or otherwise remove the user-specific data 236b from the file system 230.
- The coordinator 210 can also be configured to prevent recovery or reconstruction of private data.
- The coordinator 210 can be configured to encrypt each of the sets of user-specific data 236a-236n separately based on the user identifier 240 or some other data that can be used as an encryption key, without which the user-specific data 236a-236n would be useless even if copied, discovered, or stolen.
- The coordinator 210 can be configured to obfuscate the locations where user-specific data was stored.
- The coordinator 210 can delete the user-specific data 236b in response to the user data request 250.
- Simple deletion of stored data merely removes directory
- The coordinator 210 can be configured to thwart discovery and recovery of private data by, for example, overwriting the storage locations within the file system 230 that were used to store deleted data with one or multiple passes of predetermined or randomized data.
- The user data requests 250 can come from the user 260 in several different ways.
- The requests 250 can be performed locally.
- A car infotainment system or a smart phone can be configured to provide a user interface (e.g., touch screen, mechanical buttons, voice commands) that provides the user 260 with ways to request, delete, or perform other appropriate privacy actions on the sets of user-specific data to which the user 260 has the appropriate rights.
- The requests 250 can be made automatically.
- The coordinator 210 and the file system 230 can be part of a rental car.
- The coordinator 210 may be configured to detect the check-in process and automatically export and/or delete the user-specific data 236a-236n belonging to the user 260.
- The requests 250 can be made remotely.
- The user 260 can choose an action to be performed with his/her private data (e.g., export, delete, opt-out of storing user data - permit temporary storage during runtime but automatic deletion when car shuts down) during the rental car contract signing and before using the rental car, which can be recorded and used to automatically perform the user’s requested actions when the user returns the rental car.
- The user 260 can be an employee of a company, and the coordinator 210 can be part of a company-owned smartphone.
- The coordinator 210 can be configured to receive the data requests 250 wirelessly (e.g., over the Internet or other network) from a remote administration console.
- An operator of the administration console can issue a command to have the user’s 260 private data wiped from all company-owned smartphones.
- The coordinator 210 can receive such a command and respond accordingly.
- FIG. 3 is a schematic diagram of users and data enabled devices.
- A collection of users 301a-301d can use a collection of client devices, such as a client device 310 (e.g., a server computer system), a client device 320 (e.g., a vehicle infotainment or guidance system), and a client device 330 (e.g., a personal computing device such as a smartphone, PC, or tablet).
- Client devices 310-330 may be used by one or more of the users 301a-301d, thus allowing or even requiring the client devices to store or otherwise interact with data that is specific (and potentially private and/or sensitive) to one or more of the users 301a-301d.
- Each of the client devices 310-330 can include an appropriate implementation of the example shadow file coordinator system 210 of FIG. 2 to provide data privacy functions for the users 301a-301d.
- FIG. 4 is a conceptual diagram of an example system 400 providing robust end-to-end communication security that is able to establish and maintain data privacy between example electronic control units (ECUs) 406a-n that are part of a client device 408, which in this example is a vehicle.
- The example system 400 is an example implementation in a specific Internet of Things (IoT) context (vehicle) and can be implemented on a variety of other IoT devices and systems, such as security systems, smart home systems, and others.
- The ECUs 406a-406n are depicted as being communicatively connected to each other via a communication network 402, which in the depicted example is a CAN bus within the vehicle 408.
- The system 400 can be implemented with other communication networks, as well as with other IoT devices.
- Messages between the ECUs 406a-n are broadcast over the CAN bus 402 with message identifiers.
- Each of the ECUs 406a-n can be configured to transmit and listen for particular message identifiers broadcast over the CAN bus 402.
- Messages may be transmitted additionally and/or alternatively with sender and recipient information that directs the delivery of messages to the correct ECUs.
- Any of the ECUs 406a-n can read or store user-specific data transmitted in the contents of the messages. Furthermore, without any sort of data privacy enforcement, any one of the ECUs 406a-n may contain information of which a user would want to have control. For example, an ECU that is configured to handle hands-free telephone calls may store a user’s call history or a copy of his/her contact database, while an ECU that is configured for vehicle control may store a history of the user’s accelerations, speeds, braking, and other behavior while operating the vehicle.
- The messages over the CAN bus 402 are susceptible to privacy threats, such as unwanted copying and retrieval.
- Each of the ECUs 406a-n is programmed to operate based on user data provided and/or maintained by a central privacy provider.
- The ECU 406a can be an ECU that is in communication with a user interface (e.g., infotainment system, RFID receiver) that can identify a specific user (e.g., User B) from among a number of such users (e.g., User A and User B).
- The ECU 406a includes a user interface 460 that interfaces with a shadow file coordinator system 470a (e.g., the example coordinator 210 of FIG. 2).
- The shadow file coordinator 470a includes one or more sets of user-specific data 462a-462b for one or more drivers.
- The ECU 406a can be a controller for an infotainment system on the vehicle 408, which can include a user interface 460 through which the user can direct and/or provide instructions to the shadow file coordinator 470a, such as providing instructions to export personal user data, delete personal user data, opt-out of persistently storing personal user data (e.g., temporarily store personal user data so that applications can operate appropriately, but then delete the data when the vehicle 408 shuts down), and/or other instructions.
- Each of the ECUs 406a-n can have a corresponding shadow file coordinator 470a-n, which can also store personal user data that is associated with specific users (e.g., “User A” personal data, “User B” personal data). However, not all of the ECUs 406a-n may have a corresponding user interface through which a user can provide instructions to the shadow file system. Accordingly, the shadow file coordinators 470a-n can echo and provide user directions/instructions to each other regarding the
- User instructions to delete private user data received by the shadow file coordinator 470a via the user interface 460 can be transmitted over the CAN bus 402 to the other shadow file coordinators 470b-n, and can cause each of the shadow file coordinators 470a-n to delete their respective private user data.
- The shadow file coordinators 470a-n can select user-specific data for the identified driver, e.g., user-specific data 462b for User B. Again, since not all ECUs 406a-n have a user interface through which a user can identify himself/herself, such user identification received via one of the ECUs 406a-n can be transmitted to the other ECUs (e.g., user identification to the shadow file coordinator 470a via the interface 460 can be transmitted to the other shadow file coordinators 470b-n). The shadow file coordinator 470a can then provide the user identification and user-specific data 462b, or appropriate sub-portions thereof, over the CAN bus 402 to the other ECUs 406a-n.
- A climate control system may receive only the identified user’s temperature preferences, while a radio may receive only the identified user’s station presets.
- The ECU 406a and the shadow file coordinator system 470a can request the settings of the other ECUs 406b-406n, and store the settings as the user-specific data 462b.
- The shadow file coordinator system 470a can also request that the other ECUs 406b-406n wipe their respective data storage systems 470b-n, thus removing user-specific data from their memories.
- This data can be restored by the ECU 406a and the coordinator 470a the next time the same driver returns to the vehicle, or it can be replaced by the user-specific data of another driver when that driver is identified.
- The driver can also interact with the ECU 406a to request a copy and/or a complete deletion of their user-specific data, such as through the user interface 460.
- The example system 400 is also depicted as including a gateway 404 between the CAN bus 402 and one or more remote computer systems 412 (e.g., a management computer system), which can communicate remotely with the ECUs 406a-n for any of a variety of purposes.
- The remote computer systems 412 can manage and monitor the privacy status of the ECUs 406a-n in the vehicle 408, as well as the privacy status of ECUs in other vehicles and IoT devices.
- The car 408 can be a rental vehicle, and when the driver (e.g., User B) checks the car back in at a rental return kiosk, the kiosk can trigger a process in which one or more data requests are sent to the ECUs 406a-n and their shadow file coordinators 470a-n via the gateway 404 to request an export and/or deletion of the user-specific data 462b in order to wipe the car 408 of the previous driver’s information and make the car 408 ready for the next driver while rendering the data 462b inaccessible to the next driver.
- FIG. 5 is a flow diagram of a process 500 for providing data privacy.
- the process 500 can be performed by all or parts of the example systems 100, 200, and 400 of FIGs. 1 , 2, and 4.
- an identifier that identifies a user is received.
- the shadow file coordinator system 210 can receive user login information as the user identifier 240.
- a request to perform a data interaction to add, read, write, modify, or delete a collection of data is received.
- the coordinator 210 can receive the data request 250.
- the requested interaction is performed upon the identified collection of data.
- a“delete data” request from User B can cause the coordinator 210 to delete the user-specific data 236b, but not the user-specific data 236a or 236c-236n.
- performing the requested interaction upon the identified collection of data can also include performing the requested interaction upon only the identified collection of data.
- the coordinator 210 can effectively isolate the data of other users from operations being performed by the identified user (e.g., User B cannot export User A’s user-specific data 236a).
- the data interaction can be a request to delete the collection of data associated with the identified user and/or to copy the collection of data associated with the identified user.
- the requested interaction can include deleting the collection of data associated with the identified user such that all of the identified user’s data stored by the system is deleted from the system.
- the process 500 can also include rendering the deleted collection of data substantially unrecoverable (e.g., overwriting the storage locations with new information that is not private).
- the requested interaction can include providing another collection of data that comprises copies of the data within the collection of data associated with the identified user, such that all of the identified user’s data stored by the system is exported from the system.
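The following is an added illustration of process 500 and the rental-return scenario, written for this page and not taken from the patent: a shadow file coordinator that keeps one shadow-file partition per user, accepts a request only for the collection belonging to the identified user, exports by handing back a copy, and deletes by overwriting the storage with a non-private pattern before releasing it. The class and field names (`ShadowFileCoordinator`, `DataRequest`, `target_user`, `checkin`) and the in-memory `bytearray` standing in for an ECU partition are assumptions made for the example.

```python
"""Illustrative shadow file coordinator for process 500 (added example, not
the patent's code).  One bytearray partition per user stands in for the
per-user shadow file; a request may act only on the identified user's own
collection; deletion overwrites the bytes before the buffer is released."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Action(Enum):
    ADD = "add"        # create the user's collection
    READ = "read"
    WRITE = "write"    # replace the whole collection
    MODIFY = "modify"  # patch a byte range at an offset
    DELETE = "delete"
    EXPORT = "export"  # hand back a copy, leaving the collection in place


@dataclass
class DataRequest:
    user_id: str          # identifier received in the first step of process 500
    action: Action
    target_user: str      # collection the request names (assumed explicit field)
    payload: bytes = b""
    offset: int = 0


class ShadowFileCoordinator:
    WIPE_BYTE = 0x00  # non-private pattern written over freed storage

    def __init__(self) -> None:
        self._partitions: Dict[str, bytearray] = {}
        self.audit: List[Tuple[str, str, str, str]] = []
        self.bytes_wiped = 0

    def users(self) -> List[str]:
        return sorted(self._partitions)

    def handle(self, req: DataRequest) -> Optional[bytes]:
        # Isolation check: the identified user may touch only their own collection.
        if req.target_user != req.user_id:
            self.audit.append(("denied", req.user_id, req.action.value, req.target_user))
            raise PermissionError(
                f"{req.user_id} may not {req.action.value} data of {req.target_user}")
        self.audit.append(("allowed", req.user_id, req.action.value, req.target_user))
        part = self._partitions.get(req.user_id)
        if req.action is Action.ADD:
            if part is not None:
                raise FileExistsError(req.user_id)
            self._partitions[req.user_id] = bytearray(req.payload)
            return None
        if part is None:
            raise FileNotFoundError(req.user_id)
        if req.action is Action.READ:
            return bytes(part)
        if req.action is Action.WRITE:
            part[:] = req.payload
            return None
        if req.action is Action.MODIFY:
            part[req.offset:req.offset + len(req.payload)] = req.payload
            return None
        if req.action is Action.EXPORT:
            return bytes(part)  # a copy; the stored collection is untouched
        if req.action is Action.DELETE:
            self._wipe(req.user_id)
            return None
        raise ValueError(req.action)

    def _wipe(self, user_id: str) -> None:
        part = self._partitions.pop(user_id)
        part[:] = bytes([self.WIPE_BYTE]) * len(part)  # overwrite, then release
        self.bytes_wiped += len(part)

    def checkin(self, user_id: str) -> bytes:
        """Rental-return step: export the departing user's data, then delete it."""
        copy = self.handle(DataRequest(user_id, Action.EXPORT, user_id))
        self.handle(DataRequest(user_id, Action.DELETE, user_id))
        return copy


def is_isolated(coord: ShadowFileCoordinator, requester: str, other: str) -> bool:
    """True if `requester` is refused an export of `other`'s collection."""
    try:
        coord.handle(DataRequest(requester, Action.EXPORT, other))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data for two drivers of the same vehicle.
    c = ShadowFileCoordinator()
    c.handle(DataRequest("user_a", Action.ADD, "user_a", b"alice-trip-log"))
    c.handle(DataRequest("user_b", Action.ADD, "user_b", b"bob-contacts"))
    print("B isolated from A:", is_isolated(c, "user_b", "user_a"))
    print("exported on check-in:", c.checkin("user_b"))
    print("remaining users:", c.users(), "bytes wiped:", c.bytes_wiped)
```

The audit list records every allowed and denied request, which is the trace a fleet operator would forward to the remote computer systems 412 when monitoring the privacy status of each ECU.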
- FIG. 6 is a block diagram of computing devices 600, 650 that may be used to implement the systems and methods described in this document, either as a client or as a server or plurality of servers.
- Computing device 600 is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers.
- Computing device 650 is intended to represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smartphones, and other similar computing devices.
- the components shown here, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed in this document.
- Computing device 600 includes a processor 602, memory 604, a storage device 606, a high-speed interface 608 connecting to memory 604 and high-speed expansion ports 610, and a low speed interface 612 connecting to low speed bus 614 and storage device 606.
- Each of the components 602, 604, 606, 608, 610, and 612 are interconnected using various busses, and may be mounted on a common
- the processor 602 can process instructions for execution within the computing device 600, including instructions stored in the memory 604 or on the storage device 606 to display graphical information for a GUI on an external input/output device, such as display 616 coupled to high-speed interface 608.
- multiple processors and/or multiple buses may be used, as appropriate, along with multiple memories and types of memory.
- multiple computing devices 600 may be connected, with each device providing portions of the necessary operations (e.g., as a server bank, a group of blade servers, or a multi-processor system).
- the memory 604 stores information within the computing device 600.
- the memory 604 is a computer-readable medium. In one
- the memory 604 is a volatile memory unit or units. In another implementation, the memory 604 is a non-volatile memory unit or units.
- the storage device 606 is capable of providing mass storage for the computing device 600.
- the storage device 606 is a
- the storage device 606 may be a floppy disk device, a hard disk device, an optical disk device, or a tape device, a flash memory or other similar solid state memory device, or an array of devices, including devices in a storage area network or other configurations.
- a computer program product is tangibly embodied in an information carrier.
- the computer program product contains instructions that, when executed, perform one or more methods, such as those described above.
- the information carrier can be a computer- or machine-readable medium, such as the memory 604, the storage device 606, or memory on processor 602.
- the high-speed controller 608 manages bandwidth-intensive operations for the computing device 600, while the low speed controller 612 manages lower bandwidth-intensive operations. Such allocation of duties is exemplary only.
- the high-speed controller 608 is coupled to memory 604, display 616 (e.g., through a graphics processor or accelerator), and to high-speed expansion ports 610, which may accept various expansion cards (not shown).
- low-speed controller 612 is coupled to storage device 606 and low-speed expansion port 614.
- the low-speed expansion port, which may include various communication ports (e.g., USB, Bluetooth, Ethernet, wireless Ethernet), may be coupled to one or more input/output devices, such as a keyboard, a pointing device, a scanner, or a networking device such as a switch or router, e.g., through a network adapter.
- the computing device 600 may be implemented in a number of different forms, as shown in the figure. For example, it may be implemented as a standard server 620, or multiple times in a group of such servers. It may also be implemented as part of a rack server system 624. In addition, it may be implemented in a personal computer such as a laptop computer 622. Alternatively, components from computing device 600 may be combined with other components in a mobile device (not shown), such as device 650. Each of such devices may contain one or more of computing device 600, 650, and an entire system may be made up of multiple computing devices 600, 650 communicating with each other.
- Computing device 650 includes a processor 652, memory 664, an
- the device 650 may also be provided with a storage device, such as a microdrive or other device, to provide additional storage.
- Each of the components 650, 652, 664, 654, 666, and 668, are interconnected using various buses, and several of the components may be mounted on a common
- the processor 652 can process instructions for execution within the
- the processor may also include separate analog and digital processors.
- the processor may provide, for example, for coordination of the other components of the device 650, such as control of user interfaces, applications run by device 650, and wireless communication by device 650.
- Processor 652 may communicate with a user through control interface 658 and display interface 656 coupled to a display 654.
- the display 654 may be, for example, a TFT LCD display or an OLED display, or other appropriate display
- the display interface 656 may comprise appropriate circuitry for driving the display 654 to present graphical and other information to a user.
- the control interface 658 may receive commands from a user and convert them for submission to the processor 652.
- an external interface 662 may be provided in communication with processor 652, so as to enable near area communication of device 650 with other devices.
- External interface 662 may provide, for example, for wired communication (e.g., via a docking procedure) or for wireless communication (e.g., via Bluetooth or other such technologies).
- the memory 664 stores information within the computing device 650.
- the memory 664 is a computer-readable medium. In one
- the memory 664 is a volatile memory unit or units. In another implementation, the memory 664 is a non-volatile memory unit or units. Expansion memory 674 may also be provided and connected to device 650 through expansion interface 672, which may include, for example, a SIMM card interface. Such expansion memory 674 may provide extra storage space for device 650, or may also store applications or other information for device 650. Specifically, expansion memory 674 may include instructions to carry out or supplement the processes described above, and may include secure information also. Thus, for example, expansion memory 674 may be provided as a security module for device 650, and may be programmed with instructions that permit secure use of device 650. In addition, secure applications may be provided via the SIMM cards, along with additional information, such as placing identifying information on the SIMM card in a non-hackable manner.
- the memory may include for example, flash memory and/or MRAM memory, as discussed below.
- a computer program product is tangibly embodied in an information carrier.
- the computer program product contains instructions that, when executed, perform one or more methods, such as those described above.
- the information carrier can be a computer- or machine-readable medium, such as the memory 664, expansion memory 674, or memory on processor 652.
- Device 650 may communicate wirelessly through communication interface 666, which may include digital signal processing circuitry where necessary.
- Communication interface 666 may provide for communications under various modes or protocols, such as GSM voice calls, Voice Over LTE (VOLTE) calls, SMS, EMS, or MMS messaging, CDMA, TDMA, PDC, WCDMA, CDMA2000, GPRS, WiMAX, LTE, among others. Such communication may occur, for example, through radio-frequency transceiver 668. In addition, short-range communication may occur, such as using a Bluetooth, WiFi, or other such transceiver (not shown). In addition, GPS receiver module 670 may provide additional wireless data to device 650, which may be used as appropriate by applications running on device 650.
- Device 650 may also communicate audibly using audio codec 660, which may receive spoken information from a user and convert it to usable digital information. Audio codec 660 may likewise generate audible sound for a user, such as through a speaker, e.g., in a handset of device 650. Such sound may include sound from voice telephone calls, may include recorded sound (e.g., voice messages, music files, etc.) and may also include sound generated by applications operating on device 650.
- the computing device 650 may be implemented in a number of different forms, as shown in the figure. For example, it may be implemented as a cellular telephone 680. It may also be implemented as part of a smartphone 682, personal digital assistant, or other similar mobile device.
- the disclosed embodiments may be implemented in a system, a method, and/or a computer program product.
- the computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present disclosure.
- the computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device.
- the computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an
- a non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing.
- a computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.
- Computer readable program instructions described herein can be
- the network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers.
- computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.
- Computer readable program instructions for carrying out operations of the present disclosure may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like, and conventional procedural programming languages, such as the "C" programming language or similar programming languages.
- the computer readable program instructions may execute entirely on the user’s computer, partly on the user’s computer, as a stand-alone software package, partly on the user’s computer and partly on a remote computer or entirely on the remote computer or server.
- the remote computer may be connected to the user’s computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
- electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present disclosure.
- These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.
- the computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
- each block in the flowcharts or block diagrams may represent a software program, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s).
- the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Databases & Information Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201862694771P | 2018-07-06 | 2018-07-06 | |
PCT/US2019/040484 WO2020010192A1 (en) | 2018-07-06 | 2019-07-03 | Vehicular data privacy management systems and methods |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3818461A1 true EP3818461A1 (en) | 2021-05-12 |
Family
ID=67470663
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP19745851.6A Pending EP3818461A1 (en) | 2018-07-06 | 2019-07-03 | Vehicular data privacy management systems and methods |
Country Status (2)
Country | Link |
---|---|
EP (1) | EP3818461A1 (en) |
WO (1) | WO2020010192A1 (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220343014A1 (en) * | 2021-04-22 | 2022-10-27 | Soundhound, Inc. | Api for service provider fulfillment of data privacy requests |
WO2022251020A1 (en) * | 2021-05-24 | 2022-12-01 | Termson Management Llc | Device management and configuration |
GB2608376A (en) * | 2021-06-29 | 2023-01-04 | Continental Automotive Gmbh | A system and method for data management in a vehicle |
EP4320814A1 (en) | 2021-10-05 | 2024-02-14 | Volkswagen Aktiengesellschaft | Apparatus, method and computer program for managing a plurality of sets of access settings for a vehicular gateway |
CN115879147B (en) * | 2022-11-30 | 2023-07-18 | 深圳市杰讯互联科技有限公司 | Big data-based computer information security management method and system |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3084676B1 (en) * | 2013-12-19 | 2022-04-20 | Intel Corporation | Secure vehicular data management with enhanced privacy |
US9729707B2 (en) * | 2014-12-31 | 2017-08-08 | GM Global Technology Operations LLC | Method and system to manage personalized vehicle user information |
2019
- 2019-07-03 EP EP19745851.6A patent/EP3818461A1/en active Pending
- 2019-07-03 WO PCT/US2019/040484 patent/WO2020010192A1/en unknown
Also Published As
Publication number | Publication date |
---|---|
WO2020010192A1 (en) | 2020-01-09 |
Similar Documents
Publication | Title |
---|---|
EP3818461A1 (en) | Vehicular data privacy management systems and methods |
US9898592B2 (en) | Application marketplace administrative controls |
US10375116B2 (en) | System and method to provide server control for access to mobile client data |
US9641630B2 (en) | Location-enforced data management in complex multi-region computing |
US8656016B1 (en) | Managing application execution and data access on a device |
US8839354B2 (en) | Mobile enterprise server and client device interaction |
US9584494B2 (en) | Terminal and server for applying security policy, and method of controlling the same |
US10938573B2 (en) | Distributed transaction processing |
CN104516783A (en) | Authority control method and device |
US11706077B2 (en) | Contextual generation of ephemeral networks |
CN105518698A (en) | Broker for evaluating application requests to access peripheral devices |
US20230229760A1 (en) | Mobile device with secure private memory |
US9510182B2 (en) | User onboarding for newly enrolled devices |
CA2829805C (en) | Managing application execution and data access on a device |
CN112911550A (en) | Vehicle data configuration method and electronic equipment |
US10650134B2 (en) | Discreet user identification and multiple device modes of operations |
CN117413269A (en) | Data protection method and vehicle |
US20210064658A1 (en) | Geofencing queries based on query intent and result semantics |
CN105791528A (en) | System and method for limiting linkage between devices |
CN103984884A (en) | Method and system for licensing software |
CN115361414A (en) | Vehicle personalized permission customization method and system based on multiple users and vehicle |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: UNKNOWN |
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
 | PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
 | 17P | Request for examination filed | Effective date: 20210204 |
 | AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
 | DAV | Request for validation of the european patent (deleted) | |
 | DAX | Request for extension of the european patent (deleted) | |
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: EXAMINATION IS IN PROGRESS |
 | 17Q | First examination report despatched | Effective date: 20230217 |