WO2004079608A2 - Apparatus and method for data file distribution - Google Patents

Publication number
WO2004079608A2
Authority
WO
WIPO (PCT)
Prior art keywords
smart card
list
data file
user
data
Application number
PCT/GB2004/000956
Other languages
French (fr)
Inventor
Marius Kahan
Araminta Travers-Smith
Original Assignee
Marius Kahan
Araminta Travers-Smith
Application filed by Marius Kahan, Araminta Travers-Smith
Publication of WO2004079608A2

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/06 Buying, selling or leasing transactions

Definitions

  • the present invention relates generally to an apparatus and method for distributing data files over a network.
  • the present invention relates to the purchasing of music data files over the Internet using a smart card payment system.
  • the invention also relates generally to smart cards and to a method of distributing smart cards.
  • US Patent Application No. 2002/0007351 suggests using digital tokens stored on a computer which can be spent when carrying out a transaction over the Internet in lieu of a credit card.
  • the tokens themselves are still purchased over the Internet using a credit card such that a security problem still exists.
  • the tokens being essentially data, are also of limited worth as a gift since the recipient may prefer to receive a tangible item.
  • Some websites rather than selling tangible goods or services, offer data files such as music data files in the well-known MP3 format, or other copyrighted data. Such data files may be downloaded to a computer connected to the Internet for viewing or playback.
  • the invention provides a data download arrangement using an apparatus connectable to a network and incorporating means to read from and write to a smart card.
  • the download apparatus is adapted to connect to a server computer over the network to obtain details of available data products with the associated costs.
  • the server only sends one or more of the data products to the download apparatus if it has first received a valid identification code read by the download apparatus from the smart card, or otherwise derived from data read from the smart card.
  • the apparatus writes to the smart card to adjust the credit amount stored thereon in accordance with the cost of any downloaded data products.
  • a data file download apparatus for receiving data files over a network from a remote server comprising: a network connection device for connecting the apparatus to a network; and a smart card reader/writer; the apparatus being arranged to: read a smart card identification code and a credit amount or credit indicator from a smart card inserted into the smart card reader/writer; send the smart card identification code, or data derived from the identification code, to the remote server; receive a list of data files from the server computer, the list including cost information indicating a cost associated with each data file; send a request for a data file selected from the list of data files to the server computer; receive the requested data file, usually from the server computer or via the server computer; and write to the smart card the read credit amount reduced by an amount equal to the cost of the selected data file.
  • Embodiments of this aspect of the present invention are therefore advantageous in that a data file purchaser need not send their credit card details over a potentially unsecured network, such as the Internet. Instead, a smart card identification code is sent over the network. Since this identification code simply identifies a smart card, even if this information is intercepted, it cannot be used by the interceptor for monetary gain and there is no risk to the purchaser.
  • the identification code may be encrypted on the smart card and sent to the remote server as encrypted data which is only decrypted by the remote server.
  • the encrypted data sent to the server may be data derivable from the identification code, and the server then recovers the identification code from the sent data.
  • the apparatus may calculate what the new credit amount should be and then direct the smart card to store that new credit amount. Alternatively, the apparatus may simply provide the smart card with an adjustment amount dependent on the cost of the received data file, and the smart card performs the necessary calculations to reduce the stored credit amount. In one embodiment of this aspect of the invention, the apparatus is further arranged to: send a request for the selected data file only if the cost associated with the data file is less than or equal to the credit amount read from the smart card.
  • this ensures that the purchaser is unable to purchase data files for which he has insufficient credit.
  • the apparatus further comprises an apparatus identification code, the apparatus further being arranged to send the apparatus identification code, or data derivable from the identification code, to the server.
  • the apparatus is able to identify itself to the server computer without sending any personal information about the user, thereby ensuring personal privacy and security for the user. Further security measures in encrypting the transmitted data may be used as described above in connection with the smart card identification code.
  • the apparatus comprises a data recording device for recording the received data file to a physical medium.
  • the data recording device may be a printer for recording the data to a print receiving medium, or a digital data recording device for recording the data to a digital data storage medium such as a compact disc.
  • these embodiments permit the purchaser to permanently record received data files to paper, or to a compact disc or to some other medium for review or playback at a later time. The purchaser therefore receives full use of the purchased data file, increasing the perceived value of the transaction from the perspective of the purchaser.
  • the apparatus is arranged to communicate with a pre-determined server on the network.
  • the apparatus comprises a single dedicated device.
  • the functionality of that device can be easily controlled and limited to the purchase and playback of data files without being able to browse a network such as the Internet at will. Parents will therefore be reassured that their children, when using the device, are able to safely purchase data files without the risk that they will be presented with any of the unsuitable material which pervades networks such as the Internet.
  • the apparatus comprises a personal computer and a smart card reader/writer connectable to the personal computer.
  • a user can take full advantage of the personal computer hardware that they already own and, with the simple addition of a smart card reader/writer and suitable operational software are able to purchase data files using a smart card.
  • the apparatus is suitable for installation in a retail environment, thus bringing the advantages of Internet shopping to the general public in a prominent and convenient way.
  • embodiments of this aspect of the present invention offer an efficient server apparatus for distributing data files over a network such as the Internet and for receiving a smart card identification code in place of credit card details as part of the payment trail in a larger smart card distribution network.
  • the data files may be stored locally on the server apparatus, but are more usually stored on other servers also connected to the network.
  • a data file stored remotely from the portal on the network may be delivered directly from its location on the network to the user system, but is more usually transmitted to the user system via the portal.
  • the apparatus is further arranged to compare the received smart card identification code with the list of smart card identification codes and to provide the list of data files to the user system only if the received smart card identification code is on the list of smart card identification codes.
  • this ensures that only smart cards bearing a recognised identification code may be used to purchase data files.
  • the list of smart card identification codes includes information on whether a smart card is a valid smart card, the apparatus further being arranged to compare the received smart card identification code with the list of smart card identification codes and to provide the list of data files to the user system only if the received smart card identification code identifies a valid smart card.
  • This embodiment has the additional advantage that a record of invalid smart cards can be maintained on the server computer as a further security measure to ensure that proper payment for downloaded data files is made.
  • the apparatus further comprises a database containing a list of user system identification codes, the apparatus further being arranged to: receive a user system identification code from the user system; and compare the received user system identification code with the list of user system identification codes and to provide the list of data files to the user system only if the received user system identification code is on the list of user system identification codes.
  • this ensures that only a user system bearing a recognised user system identification code may be used in a smart card transaction.
  • the list of data files further includes cost information identifying a cost associated with each data file, the apparatus further being arranged to: receive a smart card credit amount from the user system; and retrieve the selected data file only if the cost of the data file is less than or equal to the smart card credit amount.
  • this ensures that the user has sufficient credits on their smart card to "pay" for a selected data file.
  • the list of smart card identification codes further includes credit amount information indicating a credit amount stored on a smart card identified by the smart card identification code.
  • the server apparatus keeps an independent record of how much credit is stored on each smart card on the list as an additional security measure. The server apparatus does not then need to rely on receiving an indication from the user system of how much credit there is left on the user's smart card.
  • the apparatus can then be further arranged to: retrieve the selected data file only if the cost of the data file is less than or equal to the indicated credit amount.
  • the apparatus is further arranged to reduce the indicated credit amount by the cost associated with a retrieved data file once the retrieved data file has been provided to the user system. This ensures that the records stored on the server apparatus are kept up to date.
  • a data file download method for obtaining data files over a network comprising: reading a smart card identification code and a credit amount from a smart card; sending the smart card identification code to a server computer connected to the network; receiving a list of data files from the server computer, the list including cost information indicating a cost associated with each data file; sending a request for a data file selected from the list of data files to the server computer; receiving the requested data file from the server computer; and writing to the smart card the read credit amount reduced by an amount equal to the cost of the selected data file.
  • a data file distribution method for distributing data files over a network comprising the steps of: storing on a portal server: a list of data files, location information identifying the location of each data file on the network, and a list of smart card identification codes; receiving a smart card identification code from a remote user system also connected to the network; providing the list of data files to the user system; receiving from the user system a request for a data file selected from the list of data files; retrieving the selected data file from its location on the network; and providing the retrieved data file to the user system.
  • a further aspect of the present invention provides a smart card for use in carrying out transactions over a network wherein the smart card has a non-replenishable credit amount stored thereon, the smart card having additional value once the credit amount is depleted.
  • smart cards embodying this aspect of the present invention are more attractive to users in that there is additional value in the smart card even when the credit amount on the smart card has been depleted.
  • the additional value of the smart card may be as a gift token redeemable for goods or services at a retail outlet, as a collectable item, or in that a plurality of smart cards on which the credit amount has been depleted may be exchanged for a new smart card having a credit amount stored thereon.
  • Usually only one type of additional value will be provided on a single smart card, but combinations of additional value measures may be included on one smart card to make the card more attractive to as broad a range of users as possible.
  • a dispensing apparatus for dispensing physical media having data files recorded thereon, comprising: a smart card reader/writer for reading a smart card identification code and a credit amount from a smart card inserted into the smart card reader/writer; a user interface for providing a list of data files to a user and for receiving a selection of data files from the user; a network connection device for connecting to a remote server computer on a network and for receiving selected data files from the server computer over the network; a data output device for recording the received data files to a physical medium.
  • embodiments of this aspect of the present invention are suitable for installing in a retail environment and may be used by shoppers having a smart card to purchase data files and to have those data files locally recorded to a physical medium.
  • the apparatus may further comprise a data storage device for storing commonly selected data files such that those files need not be downloaded from the server every time a user selects them.
  • a further aspect of the present invention provides a method of distributing smart cards to be used in carrying out a transaction over the Internet, comprising: encoding each of a plurality of smart cards with a credit amount and an identification code, the identification code for identifying a smart card when carrying out the transaction; distributing said smart cards to a plurality of retail outlets; for each distributed smart card, keeping a record of the identification number encoded on the smart card and the location of the retail outlet to which the smart card was distributed.
  • this aspect of the present invention permits the tracking of smart cards which may be used in illegal transactions on the Internet, while nevertheless ensuring personal privacy and security for the majority of lawful users.
  • Figure 1 shows schematically a data file distribution network embodying the present invention;
  • Figure 2 illustrates in more detail the user system of Figure 1;
  • Figure 3 illustrates in more detail the provider system of Figure 1;
  • Figure 4 illustrates in more detail the portal system of Figure 1;
  • Figure 5 depicts an exemplary smart card;
  • Figure 6 shows schematically a smart card distribution network and its relationship to the data file distribution network of Figure 1;
  • Figure 7 shows an embodiment of a user system implemented as a dedicated device;
  • Figure 8 shows an exemplary startup menu through which a user interacts with the user system;
  • Figure 9 shows an embodiment of a user system implemented as a smart card reader connectable to a personal computer;
  • Figures 10a to 10c show embodiments of user systems suitable for installation in a retail environment.
  • Figure 1 depicts schematically a network system 2 for distributing data files over a network 4.
  • the network system 2 includes a user system 100 operated by a user wishing to acquire data files and one or more provider systems 200 having data files stored thereon.
  • a portal system 300 acts as an intermediary between the user system 100 and the provider systems 200 and communications between the systems is carried out over the network 4.
  • Each provider system 200 will typically comprise a server computer storing the data files and connected to the network 4 and there may be many such provider systems 200.
  • the portal system 300 will typically comprise a server computer connected to the network 4. There may be more than one portal system 300 on the network 4. In practice, however, there will be far fewer portal systems than user systems. There will also usually be fewer portal systems than provider systems, but this need not necessarily be the case.
  • the network 4 may be the Internet or a local area network, for example.
  • Figure 2 depicts a typical user system 100 in more detail.
  • the user system 100 includes a central processing unit (CPU) 102 which communicates with the network 4 via a network connection device 104 such as a modem.
  • the user system 100 further includes: a system memory area 106 for storing operating system software; a data memory area 108 for temporary storage or buffering of received data files; a data storage area 110 such as a hard disk for long term storage of received data files; user interaction devices 112 such as a video display unit, keyboard, touch sensitive screen, audio speakers, and other suitable control and input/output devices; data output devices 114 such as a printer or compact disc writer for recording received data files to a physical medium; and a smart card reader 116.
  • Figure 3 shows a typical provider system 200 in more detail.
  • the provider system 200 includes: a server computer 202 for connecting to the network 4; a data file storage area 204 for storing data files to be distributed over the network 4; and a payment database 206 for storing a record of data files that have been distributed over the network 4.
  • Figure 4 shows a typical portal system 300 in more detail.
  • the portal system 300 includes: a server computer 302 for connecting to the network 4; a data file storage area 304 for storing data files to be distributed over the network 4; a data file database 306 listing data files available for distribution; a payment database 308 for storing a record of data files that have been distributed over the network 4; a smart card database 310 for keeping a record of valid smart cards; and a user system database 312 for keeping a record of valid user systems.
  • the portal system 300 maintains a list of available data files 306, the list including location information identifying the location of each data file on the network 4.
  • the data files are stored on one or more provider systems 200 connected to the network 4.
  • the provider systems 200 may be maintained by music, book or video publishers, software houses, or other groups or companies having data files that they wish to distribute.
  • Data files may also be stored locally in the data file storage area 304 of the portal system 300.
  • the only data files stored locally are particularly popular files, or 'demo' files which have reduced content compared to the original data files stored at the provider system 200. This reduces the time and expense required to set up and maintain the portal system 300 since less storage space and file maintenance is required.
  • a portal system 300 may also be a data file provider either for commercial reasons or to optimise transmission times, or alternatively because they wish to offer specialist data files not commonly available from mainstream providers.
  • the portal system 300 receives or obtains regular updates of which data files are stored in the data file storage area 204 of each provider system 200 in order to maintain an up to date list of data files available for downloading.
  • the portal system 300 could receive updates once a week for example.
  • each provider system 200 notifies the portal system 300 of any changes or updates to the available data files on a substantially real-time basis.
  • a user wishing to obtain one or more data files operates the user system 100 to access the portal system 300.
  • the user is presented with the list of available data files, excluding the location information.
  • the list of data files is preferably arranged to permit efficient browsing or searching by the user, who reviews the list and selects a desired data file.
  • a request 10 for the selected data file is sent by the user system 100 over the network to the portal system 300.
  • the portal system 300 then sends a request 12 to the appropriate provider system 200 and retrieves 14 the requested file over the network.
  • data files are never actually stored on the portal system 300. Rather, the portal system 300 just passes the data file on to the user system 100.
  • a lossless compression protocol such as "OGG" may be used when transmitting files in order to maximise transmission speed.
  • the portal system 300 acts as an intermediary between the user system 100 and the provider system 200, the user has no direct access to the provider system 200, thus improving the security of data files stored on the provider system 200.
  • the requested data file may be downloaded directly 18 to the user system 100 from the provider system 200 to increase transmission speed.
  • a smart card 20 comprises a plastic card 22 of a similar size and shape to a credit card.
  • a microchip 24 including a microcontroller, a readable and writable memory, and a communications interface.
  • the microcontroller typically acts as a simple computational device and may be capable of encrypting and decrypting data, as well as other operations.
  • Contacts on the card 22 or more usually the microchip 24 draw power and transfer data to or from a card reader into which the smart card 20 is inserted.
  • a smart card 20 may be any device that is capable of storing (i) an identification code identifying the smart card and (ii) a credit amount which is reduced as the card is used to purchase data files. Consequently, to reduce costs, the smart card may have no processing capability and be simply a secure memory device.
  • Figure 6 shows an exemplary smart card distribution and payment network 50.
  • a smart card manufacturer encodes smart cards with a credit amount and identification code before delivering them to a distributor 400.
  • the distributor 400 may also be a smart card manufacturer.
  • the credit amount may be an actual monetary value in the currency of the country of issue, or may be in the form of arbitrary units of credit. By using units of credit rather than an actual monetary value, the smart card is more easily used on a worldwide network such as the Internet. In either situation, the smart card has an associated cash value which will normally be printed on the card and may be £5, réelle, £20 or other suitable amounts in the currency of the country in which the card is to be distributed.
  • the encoded cards are distributed 52 to retail outlets 500 such as post offices, newsagents, bookstores, music stores, video stores and other suitable outlets.
  • the distributor 400 receives payment 54 from the retail outlet 500 equal to the total cash value of the smart cards minus a percentage (eg 10%) of that total value which the retail outlet 500 retains as a fee for handling the sale of smart cards to users.
  • a user on purchasing a smart card from the retail outlet 500, receives the smart card 56 and pays 58 the retail outlet 500 an amount equal to the cash value of the smart card.
  • the user inserts the purchased smart card into the card reader 116 of the user system 100, accesses the portal system 300 and selects a data file, as described above in File Distribution.
  • Each data file has an associated cost, either as an actual cash value or in units of credit.
  • a popular or large data file for example, may have a "cost" of three credits, while a less popular or small file may only cost one credit.
  • the user is only able to select a data file if the smart card has sufficient credit. If the smart card does have sufficient credit, then the selected data file is downloaded 60, 62 from the provider system 200 to the user system 100 via the portal system 300. Alternatively, the data file may be downloaded directly 64 from the provider system 200 to the user system 100.
  • the appropriate credit amount is subtracted from the smart card. If transmission of the data file to the user system 100 is not successful, then the credit amount on the smart card is not reduced. Additionally, if the smart card is removed from the card reader 116 before the credit amount has been reduced, then transmission of the data file is stopped. This ensures that the user pays for all files he receives, but does not pay for those files which are not successfully transmitted.
  • the payment details include information on which files were downloaded from which provider 200 and the cost of each data file as an actual monetary value.
  • the portal system 300 sends the payment details 66 to the distributor 400 who arranges the necessary payment 67 to the appropriate provider 200.
  • the distributor 400 also arranges payment 72 to the portal system 300 equal to a percentage (eg 10%) of the total cash value of the smart cards sold which the portal system 300 retains as a fee for handling the distribution of data files to users.
  • the distributor 400 retains a percentage (eg 10%) of the total cash value of the smart cards sold as a fee for handling distribution of the smart cards to retail outlets 500.
  • the provider 200 ties received payments in with the payment details stored on the provider payment database 206 to ensure that the correct payments have been made.
  • the distributor 400 may send payment 68 to the portal system 300, retaining a percentage (eg 10%) as a smart card distribution fee.
  • the portal system 300 then arranges the necessary payment 70 to the appropriate provider
  • the provider 200 ties in received payments with the payment details stored on the payment database 206 to ensure that the correct payments have been made.
  • each smart card 20 is also provided with a unique identification number or code.
  • the identification number is an encrypted 32-bit serial number.
  • the distributor 400 also sends 72 the ID number to the portal system 300, which stores ID numbers of issued cards in the smart card database 310.
  • the card ID number is sent 74 to the portal system 300.
  • the portal system 300 checks the received ID number against the list of issued cards stored in the smart card database 310. If the ID number is not valid, then the user system 100 displays a suitable error message to the user and access to the portal system 300 is blocked.
  • the credit amount on the smart card cannot be 'topped-up' or increased after the initial encoding and, once the credit amount has been depleted, the card can no longer be used to purchase data files.
  • the user system 100 automatically notifies the portal system 300 and the entry for that smart card on the smart card database 310 is updated accordingly. If a user attempts to use the depleted card again, then the user system 100 displays a suitable error message to the user and the user is only able to browse the list of available data files without the option to download.
  • the portal system 300 may delete records associated with smart cards that have been depleted.
  • all of the records are kept in order to perform audits on smart card and data file sales and to retain potentially useful information on which smart cards have been used to purchase particular data files.
  • the smart card database 310 may also keep a record of the credit amount initially stored on each smart card, and a running tally of the cost of data files purchased using that card.
  • the portal system 300 can therefore determine whether specific cards have been depleted without receiving a specific notification from the user system 100 reading the card. If a user attempts to use a card which is known to have been depleted, but the user system 100 reports that the smart card still has credit, this indicates that the user has fraudulently 'recharged' or increased the credit amount on his card. In this situation, the user system 100 displays a suitable error message to the user, access to the portal system 300 is blocked and further investigations are made.
  • the user system 100 and smart card are provided with local 128-bit access encryption. If the user system 100 determines that the smart card inserted into it has not been properly encoded, or does not recognise the card, then access to the portal system 300 is prevented. Furthermore, the user system 100 sends a warning message to the portal system 300, the warning message containing the identification number of the invalid card, such that any necessary investigations may be made.
  • Each user system 100 is also preferably provided with a unique identification number, an encrypted 32-bit serial number for example.
  • a record of valid user systems is stored at the portal system 300 in the user system database 312.
  • the user system ID number is sent to the portal system 300.
  • the portal system 300 checks the received ID number against the list of valid user systems stored in the user system database 312. If the ID number is not valid, then the user system 100 displays a suitable error message to the user and access to the portal system 300 is blocked.
  • the user system ID number may be encoded onto the user system hardware or be a part of the operational software.
  • the ID numbers are added to the user system database 312 of the portal system 300 when a user system 100 is sold. The user then registers their user system 100 with the portal system 300 when they first access the portal system 300.
  • the portal system 300 can therefore keep track of sold and active user systems 100.
  • Figure 7 depicts a user system embodied as a dedicated device 100a.
  • This embodiment of the user system 100a comprises a casing 118 in which are housed the device components.
  • CPU 102 may comprise any suitable chip and will generally be custom made.
  • Network connection device 104 may comprise a broadband modem or ethernet connector, connectable to the network via a suitable port in the casing (not shown).
  • System memory area 106 may comprise a Flash (RTM) memory card for storing any suitable operating system such as "Intent" (RTM) and preferably Java based operating software for controlling the user interface and to carry out device operations.
  • Data memory area 108 may comprise a 128Mb DRAM memory board.
  • Data storage area 110 may comprise a hard disk such as a Maxtor Plus8 (RTM) having between 20 and 50 Gb of available storage.
  • User interaction devices 112 may comprise a touch screen display 112a such as the Trident QVGA 5.7 (RTM), and a headphone socket 112b.
  • the device 100a may also be provided with one or more built-in speakers 112c.
  • Data output device 114 may comprise a compact disc writer or re-writer 114a such as the Aopen CRW4048 (RTM) or LGGCE-8320BB (RTM), or a suitable disc drive manufactured by Plextor (RTM).
  • Smart card reader 116a may comprise any suitable device, for example a card reader manufactured by Gem Plus (RTM), for reading a Schlumberger PrimeFlex+ (RTM) or other suitable smart card.
  • Power is supplied by a power cable 122 communicating with an integral AC power supply operating in Universal Switched Mode at 80 to 265 Volts DC and at 50 or 60 Hz, and a power switch 123 is operable to activate the device.
  • the dedicated device 100a of this embodiment of the invention is particularly suited to downloading music data files over the Internet or a local ethernet and recording them to a writable compact disc.
  • the network 4 of Figures 1 to 4 is the Internet or local ethernet and the portal system server 302 and provider system server 202 are connected to the Internet or local ethernet.
  • the provider system 200 may be operated by music publishers such as Universal (RTM), BMG (RTM), EMI (RTM), Sony (RTM) and Warner (RTM), for example, or by their agents such as OD2 (RTM), PressPlay (RTM), Liquid Audio (RTM), or MusicNet (RTM).
  • the music data files may be stored on the provider systems 200 in any suitable format such as WAV, MP3, MPEG, Windows Media format, or Real Player format.
  • a startup menu 600 is displayed on the touch sensitive screen 112a.
  • the menu provides the user with the options of "Check Card Status" 602, "Display Available Credits" 604, "Go On-Line" 606, "Create CD" 608, and "Disk Maintenance" 610. If the user selects "Check Card Status", the device 100a checks whether a smart card has been inserted into the card reader 116a. If no card is detected, a suitable message is displayed on the touch sensitive screen 112a and the user is given the option of checking the card again or returning to the startup menu 600. Alternatively, the user could be returned to the startup menu 600 automatically. The displayed message could ask the user to ensure that the card has been inserted correctly into the card reader, for example.
  • the device 100a checks that it is a valid card using the local 128-bit access encryption built into the card and the user system 100a as described above. If the card is identified as an invalid card, a suitable message is displayed on the touch sensitive screen 112a and the user is returned to the startup menu 600. The displayed message could inform the user that his card is invalid and that a valid card is required to go online, for example. As previously discussed, a warning message is sent to the portal system 300 if the device 100a is connected to a telephone line or the local ethernet. However, if a valid card is detected, a suitable message is displayed on the touch sensitive screen 112a informing the user that he may proceed to go on-line. Again, the device 100a then displays the startup menu 600 either automatically or after receiving a prompt from the user.
  • the device first checks that a valid smart card has been inserted into the card reader, in the same way as if the user had selected "Check Card Status" 602. If a valid card is detected, the card reader 116a reads the smart card and displays the credit amount remaining on the card. If the credit amount is zero, an additional message warning the user that he will only be able to browse the list of data files is also displayed. The user is then returned to the startup menu 600 either automatically or following a prompt.
  • the "Check Card Status" 602 and "Display Available Credits" 604 routines are run automatically on startup or when a smart card is inserted into or removed from the smart card reader.
  • the startup menu 600, instead of having user-interactive options for checking card status or displaying available credits, simply displays the results of the smart card check. If the user selects "Go On-Line" 606, the device 100a first runs the card validity and credit amount checks discussed above, and checks that the device is connected to a telephone line or local ethernet. If any of these checks fails, then a suitable error message is displayed and the user is either returned to the startup menu 600, or is allowed to go online, but only to browse the list of data files.
  • the device 100a may be pre-programmed to access a specified website provided by one portal system 300.
  • the user may be presented with a list of available portal websites or be able to search the Internet for websites provided by different portal systems.
  • the accessed portal system 300 conducts the security checks on the smart card and user system identification numbers as described above and, if the card and user system pass the checks, downloads the list of data files to the user system 100a.
  • the list of data files may be presented as one or more web pages coded in a suitable language such as HTML or Java which is decoded by browser software stored in the system memory area 106 of the user system 100a.
  • the list of data files is displayed on the touch sensitive screen 112a, and the user navigates the list using the touch sensitive screen and selects a desired file.
  • the selected file is downloaded to the device 100a as discussed above and written to either the data memory area 108 or to the hard disk 110.
  • the data memory area 108 will be used only to buffer incoming data as it is written to the hard disk 110.
  • the user may select and download as many data files as he wishes provided that he has sufficient credit and sufficient space on the hard disk 110.
  • the user can close the connection and return to the startup menu 600. If the user selects "Create CD" 608 on the startup menu 600, the touch sensitive screen 112a displays a list of music data files which have been downloaded.
  • the total amount of space, and the amount of space available on the compact disc are also displayed and the user is able to review tracks already written to the compact disc.
  • the user selects one or more data files which are to be written to a compact disc by the compact disc writer 114a. Once the required data files have been chosen, they are written or "burned" to the compact disc, preferably using the data memory area 108 as a data buffer between the hard disk 110 and the compact disc writer 114a.
  • Although the compact disc writer 114a may be capable of writing and re-writing to a compact disc several times, the user system 100a preferably will not overwrite previously written tracks to ensure that the user does not accidentally delete tracks he actually wishes to keep.
  • the touch sensitive screen 112a displays a new menu listing various disk maintenance options. These options may include: deleting files stored on the hard disk 110; defragmenting the hard disk 110 to change non-contiguous files into contiguous files; and formatting the hard disk 110 in the event of a serious disk error or if the user wishes to efficiently wipe all of the music data files from the hard disk 110. Other options may be provided if necessary. For example, the user may be able to delete tracks which have been written to a compact disc. Preferably, however, the user is not permitted to do this to ensure that the user does not accidentally delete tracks that he actually wishes to keep.
  • Although the device 100a has been described as relying on a touch sensitive screen 112a as both a display and a user input device, it will be appreciated that the device 100a may instead be provided with any suitable input device such as a keyboard, a touchpad, a track ball, or buttons positioned adjacent the screen to allow the user to select the desired option from menus displayed on the screen, or to select a desired data file from the displayed list of data files.
  • Data files are described as being downloaded from the provider system 300 to the hard disk 110 of the user system 100 before being written to a compact disc in a separate step.
  • data files could be written directly to a compact disc as they are downloaded, with the data memory area 108 being used as a temporary storage or buffer to ensure a constant write speed to the compact disc.
  • the rate at which data can be downloaded to the user system 100a from the provider system 300 must be greater than the minimum rate at which data can be written to the compact disc by the compact disc writer 114a.
  • this is not a preferred method of writing to the compact disc since any interruption of the data file signal may result in the data file being corrupted or the compact disc being ruined.
  • a device for downloading book data preferably includes a printer or a port for connecting the device to a printer in order to output the data file onto paper.
  • the display 112a of the device 100a should be sufficiently large and of a high enough resolution for the user to be able to read the text displayed on it without difficulty.
  • Video data may also be downloaded to the device 100a in MPEG, QuickTime or other suitable formats.
  • a device for receiving video data preferably includes a DVD writer for writing to a Digital Video Disc, or an output port for connection to a television or other display.
  • Embodiment implemented on a Personal Computer. Most home computers now include a modem or other network connection device in addition to a compact disc writer. Many home users will also have a printer as well as a television or other display device for displaying video images, and DVD writers are also becoming common. A large proportion of computer owners therefore already have much of the necessary hardware for retrieving data files from the Internet and recording them to a physical medium. Embodiments of the present invention therefore take advantage of hardware already owned by many home users by providing only a smart card reader and suitable computer software to enable home users to experience the benefits of the present invention at minimum cost.
  • Figure 9 shows a user system 100b comprising a smart card reader 116b connectable to a home computer 124 via a connection lead 126.
  • a base station 128 of the computer 124 houses the CPU 102, network connection device 104 such as a broadband modem, memory areas 106, 108, and a hard disk drive 110.
  • the computer will typically be running an operating system such as Microsoft Windows (RTM), or MacOS (RTM).
  • the computer 124 also includes a display 112e, a compact disc writer 114b, a keyboard 112f and typically other input or control devices such as a mouse. Connection of the smart card reader 116 to the base station 128 of the home computer 124 may be via a serial port, parallel port, USB port, or any other suitable port provided in the base station 128.
  • Software installed on the home computer 124 operates to enable the computer 124 to recognise a smart card reader 116b connected to it and to receive data from a smart card 20b inserted into the card reader 116b.
  • the software further operates to carry out the steps described above in connection with the dedicated device, ie checking card status, displaying available credits, going on-line and downloading data files.
  • the operational software is programmed in Java or any other suitable programming language.
  • Software for writing the received data files to a compact disc or for carrying out disk maintenance functions is not vital since the operating system of the home computer will typically already include such software. Disk maintenance functionality may nevertheless be included to provide the user with a complete integrated system for downloading and purchasing data files, and then performing disk maintenance options.
  • Figures 10a, 10b and 10c show three embodiments of a user system suitable for installation in a retail environment such as a music store, or any public area such as in the forecourt of a shopping centre.
  • the retail unit 100c of Figure 10a comprises a base unit 130 housing the CPU 102, network connection device 104, memory areas 106, 108, data storage area 110 such as a hard disk, and data output devices 114 including a compact disc writer and a printer.
  • the base unit 130 further includes a smart card reader 116c, a touch sensitive display screen 112g, speakers 112h, an output tray 132 or slot for the unit 110c to deliver a burned compact disc to a user, and advertisement boarding 134.
  • the retail unit 100d of Figure 10b comprises a base unit 136 housing the CPU 102, network connection device 104, memory areas 106, 108, data storage area 110 such as a hard disk, and data output devices 114 including a compact disc writer and a printer.
  • the base unit 136 further includes a smart card reader 116d, a touch sensitive display screen 112i, an audio headset 112j connected to the base unit 136 by an adjustable connection member
  • the multi-user retail unit 100e of Figure 10c comprises a base unit 146 housing the CPU 102, network connection device 104, memory areas 106, 108, data storage area 110 such as a hard disk, and data output devices 114 including at least one compact disc writer and at least one printer.
  • the base unit 136 further includes a plurality of smart card readers (not shown), a plurality of touch sensitive display screens 112k each connected to the base unit 136 by a respective adjustable connection member 147, a plurality of audio headsets 112m each connected to the base unit 136 by a respective adjustable connection member 148, a plurality of seats 150 each connected to the base unit 136 by a respective adjustable connection member 152, an output tray or slot (not shown) for the unit 110e to deliver a burned compact disc to a user, and advertisement boarding 154.
  • each retail unit presents the user with a startup menu similar to that shown in Figure 8.
  • the user can check card status, display available credits, go on-line to browse the list of data files and create compact discs.
  • the user is not provided with the option of performing disk maintenance.
  • These functions are instead performed automatically by the retail unit.
  • a smart card having a particular identification number or encrypted access code may activate the disk maintenance options allowing authorised personnel to perform any necessary maintenance.
  • the retail unit contains a store of blank compact discs, compact disc cases or sleeves and cards for receiving printed information. Once a user has selected a number of tracks, and these tracks have been downloaded to the hard disk, the compact disc writer burns the tracks to a compact disc.
  • the printer then prints a record of the tracks, plus any other useful information such as track length, onto a card.
  • the compact disk, card and a compact disc case or sleeve are then delivered to the user via the output tray 132, 142.
  • the printer, compact disc writer and supplies are stored externally of the user system and the user can retrieve their compact disc from a service desk in a music store, for example.
  • the compact discs stored in the retail unit are capable of being written to once only such that the user cannot later re-write to the compact disk using another compact disc writer. This ensures that the user does not accidentally damage or delete tracks from the compact disc that he actually wished to keep.
  • the retail unit embodiments of the present invention are particularly suited to operation over a local network rather than over the Internet.
  • a music store or other retail outlet could maintain their own portal server 300 connected to the retail unit via a local network connection.
  • the portal server 300 then communicates with one or more provider servers 200 over the Internet.
  • the music store may maintain their own provider server 200 which is connected to the retail unit and which can deliver data files to the retail unit.
  • the retail unit will normally serve as both user system 100 and portal system 300.
  • the retail unit embodiments preferably store popular data files on the hard disk 110 so that these files can be written to a compact disc when selected by a user without the need to download them first.
  • the hard disk may store new releases or the top one hundred tracks of the week.
  • the retail unit embodiment keeps a record of how often the locally stored tracks are selected by users to ensure that the proper billing arrangements are made.
  • the retail units described above are specifically concerned with the writing of music data files to a compact disc. However, it will be appreciated that other forms of data may be written to different physical media.
  • Embodiments of the present invention also relate generally to media dispensing devices for dispensing physical media such as books, DVDs and so forth as well as compact discs to which have been written the data from data files selected by the user.
  • a preferred embodiment of the present invention operates in the following manner.
  • the user initiates a purchase for a particular data file or selection of data files, and an information bundle is transmitted from the portal server (usually a web server) to the user system.
  • This information bundle will typically contain at least the following items: a transaction identifier (T); a resumption identifier (U) so that a transaction can be resumed in the event of communication failure or interruption; a digital certificate including a merchant identifier (I) and public signing and encryption keys; a brief textual description of the goods (data files) to be purchased (D); a value for the goods (V); a currency identifier for the value (C); and a time stamp.
  • On receiving the bundle, the user system checks the digital certificate and uses public encryption keys to verify that the bundle has not been tampered with. The time stamp is checked to ensure timeliness of the information bundle and to prevent malicious users from making "replay" attacks on the portal.
  • the user system reads from the card the following items: a public card identifier; a secret card identifier; a currency type; and a credit amount. Simple validity checks are made to check that the currency types match and that the card is still in credit.
  • the user system then prompts the user to approve the transaction, typically by displaying the textual description (D) and an OK/Cancel dialog.
  • If the transaction is approved, the user system writes the values of T, U, D and V to the smart card as a record of the ongoing transaction.
  • a secret identifier (S) for the transaction is also created and written to the card.
  • the credit amount stored on the card itself is not yet updated in case the transaction fails before the data files have been downloaded, but if the credit amount is checked from this point on until completion of the transaction, the returned value is the actual credit amount minus V.
  • the user system then prepares response information to be sent over the network to the portal.
  • the response information comprises merchant information which is kept by the portal to allow the user system to identify itself securely to the portal system in the event that the network connection is lost, and authorisation information which will be passed from the portal on to an authorisation service to verify the identity of the smart card being used.
  • the merchant information typically includes the following items: the transaction id (T); the secret identifier (S); a time stamp; and random padding data for improved security.
  • This portion of the response information is encrypted using a public encryption key contained in the digital certificate.
  • the authorisation information typically includes the following items: the public card identifier; the transaction id (T); the merchant id (I); the currency (C); the value (V); a time stamp; and random padding data for improved security.
  • the response information as a whole is signed using the secret card identifier and transmitted to the portal server.
  • the portal server then saves the merchant information and passes the authorisation information to an authorisation server as an authorisation request.
  • the authorisation server holds records of secret card identifiers and can therefore check that the authorisation data is validly signed.
  • the authorisation server also checks that the portal sending the authorisation request is the same portal as identified by the merchant id (I) contained in the authorisation information, that the timestamp is current, and that the card has sufficient credit to cover the transaction. If these checks are successful then a transaction authorisation message including an authorisation code (A) is transmitted back to the portal server.
  • On receiving and recording the authorisation code, the portal server releases the goods for download and the download starts. Once the download is completed the user system reduces the smart card's credit amount by the transaction value (V) and deletes the record of the transaction that had previously been stored on the card. Once this is done, a suitable message is sent back to the portal server causing the portal server to delete the merchant information stored on it. The transaction has now been completed.
  • the steps between the user system reading the smart card information up to the credit amount on the card being reduced are repeated for each different card inserted into the card reader of the user system.
  • the transaction can be resumed in the following manner.
  • the resumption id (U) is read from the card and transmitted to the portal.
  • the portal then retransmits the original information bundle to the user system.
  • the user system does not need to write the record of the ongoing transaction to the card again and so proceeds directly to the step of preparing a new set of response information.
  • the same secret identifier (S) previously written to the smart card is used when creating the new response information, but different random padding data and a different time stamp are used.
  • the new response information is then transmitted to the portal which checks that the secret identifier (S) is the same as in the previous response information transmitted as part of the interrupted transaction. If the secret ids (S) match, then the transaction is continued from where it left off.
  • At the end of each trading period (typically a trading day) the portal will have a record of authorised and completed transactions including the value (V) and the authorisation id (A) for each transaction.
  • the merchant sends these values to the authorisation server where they are checked against records kept in the authorisation server and payment is made to the merchant if these checks are successfully completed.
  • a home user system 100a, 100b may include a free smart card having a small credit amount stored thereon to get the user started. Furthermore, when a user purchases a new smart card, he is also provided with a blank, writable compact disc such that the user feels that he is receiving all of the necessary equipment to purchase data files and to record them to a physical medium.
  • Collectable or promotional smart cards may be issued to coincide with the release of a particular album, or the start of a music festival.
  • a depleted smart card may also be used as a gift token in a music store or other retail outlet.
  • a smart card having a cash value of £13.99 may have a credit amount of £3.99, and an additional £5 cash value redeemable at a retail outlet against goods or services, such as compact discs. This provides the smart card with value even after the credit on the card has been depleted.
  • the collectable cards should be issued in strictly limited print runs, to increase their value as collectable items. Such cards would rarely, if ever, be thrown away and could instead be traded between collectors.
  • Smart cards having additional value as a gift token will also not normally be thrown away by a user, but will instead be returned to a retail outlet offering to redeem the card for the offered goods or services.
  • the smart card manufacturer or distributor 400 can arrange to collect depleted smart cards from these retail outlets to ensure that they are properly disposed of or recycled. Alternatively, the retail outlet could themselves return redeemed smart cards to the manufacturer, distributor or to a third party agency for disposal or recycling.
  • each smart card may be provided with a small token value of fifty pence, for example. This token value would not be redeemable for goods, services or cash, but once a user has collected twenty smart cards, having a total token value of £, these cards may be redeemed at a smart card retail outlet 500 for a new smart card having a cash value of réelle. The redeemed smart cards can then be suitably disposed of or recycled.
  • smart card payment systems similar to that described above will become popular in carrying out numerous transactions over networks such as the Internet.
  • the need for specific portal websites will diminish as individual providers enter into agreements directly with smart card distributors or manufacturers such that they can obtain payment not only for data files, but also for tangible goods or services that they provide in a smart card transaction.
  • using smart cards in illegal transactions becomes a simpler task since those wishing to disseminate illegal materials need not rely upon the services of a portal system.
  • embodiments of the present invention enable determination of areas where such material is being purchased in order to assist the law authorities in apprehending offenders.
  • Smart card transactions are, at first sight, anonymous since neither the portal system 300 nor an ISP hold any personal details on smart card users. Instead, the portal system or ISP keeps a record only of the smart card identification number that is transmitted from the user system, the data files that have been downloaded using that smart card, and the amount debited from the card. If authorities investigating the trafficking of illegal materials become aware that smart cards are being used, then the ISP or the portal system will be able to provide them with the identification number of the smart card being used in a specific transaction. The distributor 400 who originally distributed the smart card with that identification number will have records of the location of the retail outlet 500 to which that smart card was sold, and of the date on which it was sold to that retail outlet.
  • the authorities will be able to identify areas where smart cards are being used in illegal transactions, possibly highlighting hotspots of illegal activity and improving the likelihood that offenders will be caught. Furthermore by reviewing security camera footage at the retail outlet in which the mis-used smart card was sold, it may be possible to identify potential suspects.
  • a retail outlet may have records of when a specific smart card was sold and will be able to identify if a credit card was used in the purchase, allowing the authorities to identify the purchaser.
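
The purchase, resumption and authorisation flow described above (information bundle, transaction record on the card, response information, authorisation checks) is modelled below as an added example; it is not code from the patent. HMAC-SHA256 stands in for signing with the secret card identifier, and the certificate check, the public-key encryption of the merchant information and the user's OK/Cancel step are left out. The 300-second freshness window, the one-authorisation-per-transaction rule, the server-side credit ledger and all class, function and sample names are assumptions.

```python
import hashlib, hmac, json, secrets
MAX_SKEW = 300  # assumed freshness window in seconds; the page gives no figure

def sign(secret, payload):  # HMAC-SHA256 stands in for signing with the secret card id
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

class SmartCard:  # pending = record of the ongoing transaction (T, U, D, V, S)
    def __init__(self, public_id, secret_id, currency, credit):
        self.public_id, self.secret_id = public_id, secret_id
        self.currency, self.credit, self.pending = currency, credit, None

    def available_credit(self):  # stored credit is unchanged; reads return credit - V
        return self.credit - (self.pending["V"] if self.pending else 0)

class AuthorisationServer:
    def __init__(self):
        self.cards, self.seen = {}, set()  # per-card ledger; transaction ids already used

    def register(self, card):
        self.cards[card.public_id] = {"secret": card.secret_id, "credit": card.credit}

    def authorise(self, auth, sig, sender_id, now):
        rec = self.cards.get(auth["card"])
        if rec is None or not hmac.compare_digest(sign(rec["secret"], auth), sig):
            return None  # unknown card or invalid signature
        if auth["I"] != sender_id or abs(now - auth["ts"]) > MAX_SKEW:
            return None  # request came via another portal, or timestamp is stale
        if auth["T"] in self.seen or rec["credit"] < auth["V"]:
            return None  # id already authorised (assumed rule), or ledger lacks credit
        rec["credit"] -= auth["V"]
        self.seen.add(auth["T"])
        return secrets.token_hex(8)  # authorisation code A

class Portal:
    def __init__(self, merchant_id, auth_server):
        self.merchant_id, self.auth = merchant_id, auth_server
        self.offers, self.merchant_info = {}, {}

    def offer(self, description, value, currency, now):
        bundle = {"T": secrets.token_hex(8), "U": secrets.token_hex(8), "ts": now,
                  "I": self.merchant_id, "D": description, "V": value, "C": currency}
        self.offers[bundle["T"]] = bundle
        return bundle

    def resume(self, resumption_id):  # retransmit the original information bundle
        return next((b for b in self.offers.values() if b["U"] == resumption_id), None)

    def submit(self, response, now):
        m, a = response["merchant"], response["auth"]
        offer = self.offers.get(m["T"])
        if offer is None or a["T"] != m["T"] or a["V"] != offer["V"]:
            return None  # response does not match what this portal offered
        info = self.merchant_info.setdefault(m["T"], {"S": m["S"], "A": None})
        if not hmac.compare_digest(info["S"], m["S"]):
            return None  # resumption attempt with a different secret identifier S
        if info["A"] is None:
            info["A"] = self.auth.authorise(a, response["sig"], self.merchant_id, now)
        return info["A"]  # goods are released only when a code is returned

def build_response(card, bundle, now):
    if abs(now - bundle["ts"]) > MAX_SKEW:
        raise ValueError("stale information bundle")
    if card.pending is None:  # new transaction: validity checks, then record on card
        if bundle["C"] != card.currency or card.credit < bundle["V"]:
            raise ValueError("currency mismatch or insufficient credit")
        card.pending = {**{k: bundle[k] for k in "TUDV"}, "S": secrets.token_hex(16)}
    pad = secrets.token_hex(8)  # random padding, new for every response
    merchant = {"T": bundle["T"], "S": card.pending["S"], "ts": now, "pad": pad}
    auth = {"card": card.public_id, "T": bundle["T"], "I": bundle["I"],
            "C": bundle["C"], "V": bundle["V"], "ts": now, "pad": pad}
    return {"merchant": merchant, "auth": auth, "sig": sign(card.secret_id, auth)}

def finish(card, portal):  # called once the download has completed
    record, card.pending = card.pending, None
    card.credit -= record["V"]
    portal.merchant_info.pop(record["T"], None)  # portal deletes its merchant info

def demo():
    now = 1_000_000  # constructed clock value
    server, card = AuthorisationServer(), SmartCard("CARD-0001", b"constructed", "GBP", 500)
    server.register(card)
    portal = Portal("MERCHANT-1", server)
    first = build_response(card, portal.offer("Track A", 99, "GBP", now), now)
    code = portal.submit(first, now)
    during = (card.credit, card.available_credit())
    again = build_response(card, portal.resume(card.pending["U"]), now + 60)  # resume via U
    resumed = portal.submit(again, now + 60)
    finish(card, portal)
    after = card.credit
    replay = portal.submit(first, now + 120)  # old response replayed after completion
    card.credit = 9999  # card altered locally; the server ledger still holds 401
    big = portal.offer("Box set", 450, "GBP", now + 180)
    recharged = portal.submit(build_response(card, big, now + 180), now + 180)
    return {"during": during, "after": after, "replay": replay, "recharged": recharged,
            "same_code": code is not None and code == resumed,
            "new_padding": first["merchant"]["pad"] != again["merchant"]["pad"]}

if __name__ == "__main__":
    print(demo())
```

Because the authorisation server decides from its own ledger, a card whose stored credit has been raised locally still fails authorisation, which is the server-side counterpart of the depleted-card check described earlier.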

Description

APPARATUS AND METHOD FOR DATA FILE DISTRIBUTION
The present invention relates generally to an apparatus and method for distributing data files over a network. In particular, the present invention relates to the purchasing of music data files over the Internet using a smart card payment system. The invention also relates generally to smart cards and to a method of distributing smart cards.
The popularity of Internet shopping is increasing as more people obtain access, as connection speeds become faster, and as the range of available goods rises. However, the purchaser must send their credit card details over a potentially unsecured Internet link to effect payment. Despite improvements in security, many Internet users have concerns and many avoid Internet shopping completely for this reason. Furthermore, children and those without credit cards are unable to take advantage of the wide range of goods and services that the Internet has to offer.
US Patent Application No. 2002/0007351 suggests using digital tokens stored on a computer which can be spent when carrying out a transaction over the Internet in lieu of a credit card. However, the tokens themselves are still purchased over the Internet using a credit card such that a security problem still exists. The tokens, being essentially data, are also of limited worth as a gift since the recipient may prefer to receive a tangible item.
Some websites, rather than selling tangible goods or services, offer data files such as music data files in the well-known MP3 format, or other copyrighted data. Such data files may be downloaded to a computer connected to the Internet for viewing or playback. However, the wide availability of these data files and the ease with which they are transferred between computers has resulted in a dramatic and well-publicised upturn in the amount of copyright infringement or piracy. Music piracy is especially prevalent, causing damage to the music industry and draining resources which could otherwise have been used to promote new artists or to reduce the cost of legitimate music. Much effort has therefore been spent in policing the transfer of copyrighted material over the Internet and to ensure that the copyright holders receive payment for their work.
International Patent Publication No. WO-A-01/88675 describes a media player for downloading audio and music content in the form of MP3 files from a private website which is only accessible with a registered media player. Registration requires a user to provide the website with credit card information, such that a security risk remains. Furthermore, the user only has access to those music files stored at the private website and, after downloading, transfer of the files to another playback device is prevented, limiting the usefulness of the device.
The invention provides a data download arrangement using an apparatus connectable to a network and incorporating means to read from and write to a smart card. The download apparatus is adapted to connect to a server computer over the network to obtain details of available data products with the associated costs. The server only sends one or more of the data products to the download apparatus if it has first received a valid identification code read by the download apparatus from the smart card, or otherwise derived from data read from the smart card. The apparatus writes to the smart card to adjust the credit amount stored thereon in accordance with the cost of any downloaded data products.
According to one aspect of the present invention there is provided a data file download apparatus for receiving data files over a network from a remote server comprising: a network connection device for connecting the apparatus to a network; and a smart card reader/writer; the apparatus being arranged to: read a smart card identification code and a credit amount or credit indicator from a smart card inserted into the smart card reader/writer; send the smart card identification code, or data derived from the identification code, to the remote server; receive a list of data files from the server computer, the list including cost information indicating a cost associated with each data file; send a request for a data file selected from the list of data files to the server computer; receive the requested data file, usually from the server computer or via the server computer; and write to the smart card the read credit amount reduced by an amount equal to the cost of the selected data file. Embodiments of this aspect of the present invention are therefore advantageous in that a data file purchaser need not send their credit card details over a potentially unsecured network, such as the Internet. Instead, a smart card identification code is sent over the network. Since this identification code simply identifies a smart card, even if this information is intercepted, it cannot be used by the interceptor for monetary gain and there is no risk to the purchaser. As a further security measure, the identification code may be encrypted on the smart card and sent to the remote server as encrypted data which is only decrypted by the remote server. The encrypted data sent to the server may be data derivable from the identification code, and the server then recovers the identification code from the sent data. In writing to the smart card, the apparatus may calculate what the new credit amount should be and then direct the smart card to store that new credit amount. 
Alternatively, the apparatus may simply provide the smart card with an adjustment amount dependent on the cost of the received data file, and the smart card performs the necessary calculations to reduce the stored credit amount. In one embodiment of this aspect of the invention, the apparatus is further arranged to: send a request for the selected data file only if the cost associated with the data file is less than or equal to the credit amount read from the smart card. Advantageously, this ensures that the purchaser is unable to purchase data files for which he has insufficient credit.
In a further embodiment, the apparatus further comprises an apparatus identification code, the apparatus further being arranged to send the apparatus identification code, or data derivable from the identification code, to the server. In this way, the apparatus is able to identify itself to the server computer without sending any personal information about the user, thereby ensuring personal privacy and security for the user. Further security measures in encrypting the transmitted data may be used as described above in connection with the smart card identification code.
In further embodiments, the apparatus comprises a data recording device for recording the received data file to a physical medium. For example, the data recording device may be a printer for recording the data to a print receiving medium, or a digital data recording device for recording the data to a digital data storage medium such as a compact disc. Advantageously, these embodiments permit the purchaser to permanently record received data files to paper, or to a compact disc or to some other medium for review or playback at a later time. The purchaser therefore receives full use of the purchased data file, increasing the perceived value of the transaction from the perspective of the purchaser.
Preferably, the apparatus is arranged to communicate with a pre-determined server on the network. In this way, a user can be confident that the data files that they purchase are genuine since they have been received from a trusted source, this trusted source being the pre-determined server. Preferably, the apparatus comprises a single dedicated device. By providing a dedicated device, the functionality of that device can be easily controlled and limited to the purchase and playback of data files without being able to browse a network such as the Internet at will. Parents will therefore be reassured that their children, when using the device, are able to safely purchase data files without the risk that they will be presented with any of the unsuitable material which pervades networks such as the Internet. Alternatively, in another embodiment, the apparatus comprises a personal computer and a smart card reader/writer connectable to the personal computer. In this way, a user can take full advantage of the personal computer hardware that they already own and, with the simple addition of a smart card reader/writer and suitable operational software are able to purchase data files using a smart card. As another alternative, the apparatus is suitable for installation in a retail environment, thus bringing the advantages of Internet shopping to the general public in a prominent and convenient way. 
According to a further aspect of the present invention, there is provided a server apparatus for distributing data files over a network comprising: a network connection device; a database containing a list of data files and location information identifying the location of each data file on the network; and a database containing a list of smart card identification codes; the apparatus being arranged to: receive a smart card identification code, or data derived from a smart card identification code, from a remote user system also connected to the network; provide the list of data files to the user system; receive from the user system a request for a data file selected from the list of data files; then either retrieve the selected data file from its location on the network and provide the retrieved data file to the user system, or alternatively provide the selected data file to the user system. Advantageously, embodiments of this aspect of the present invention offer an efficient server apparatus for distributing data files over a network such as the Internet and for receiving a smart card identification code in place of credit card details as part of the payment trail in a larger smart card distribution network. The data files may be stored locally on the server apparatus, but are more usually stored on other servers also connected to the network. A data file stored remotely from the portal on the network may be delivered directly from its location on the network to the user system, but is more usually transmitted to the user system via the portal.
Preferably, the apparatus is further arranged to compare the received smart card identification code with the list of smart card identification codes and to provide the list of data files to the user system only if the received smart card identification code is on the list of smart card identification codes. Advantageously, this ensures that only smart cards bearing a recognised identification code may be used to purchase data files.
In a further preferred embodiment, the list of smart card identification codes includes information on whether a smart card is a valid smart card, the apparatus further being arranged to compare the received smart card identification code with the list of smart card identification codes and to provide the list of data files to the user system only if the received smart card identification code identifies a valid smart card. This embodiment has the additional advantage that a record of invalid smart cards can be maintained on the server computer as a further security measure to ensure that proper payment for downloaded data files is made. Preferably, the apparatus further comprises a database containing a list of user system identification codes, the apparatus further being arranged to: receive a user system identification code from the user system; and compare the received user system identification code with the list of user system identification codes and to provide the list of data files to the user system only if the received user system identification code is on the list of user system identification codes. Advantageously, this ensures that only a user system bearing a recognised user system identification code may be used in a smart card transaction.
Preferably, the list of data files further includes cost information identifying a cost associated with each data file, the apparatus further being arranged to: receive a smart card credit amount from the user system; and retrieve the selected data file only if the cost of the data file is less than or equal to the smart card credit amount. Advantageously, this ensures that the user has sufficient credits on their smart card to "pay" for a selected data file.
Alternatively, the list of data files further includes cost information identifying a cost associated with each data file, and the list of smart card identification codes further includes credit amount information indicating a credit amount stored on a smart card identified by the smart card identification code. In this embodiment, the server apparatus keeps an independent record of how much credit is stored on each smart card on the list as an additional security measure. The server apparatus does not then need to rely on receiving an indication from the user system of how much credit there is left on the user's smart card. In one preferred embodiment, the apparatus can then be further arranged to: retrieve the selected data file only if the cost of the data file is less than or equal to the indicated credit amount. Alternatively, or in addition, the apparatus is further arranged to reduce the indicated credit amount by the cost associated with a retrieved data file once the retrieved data file has been provided to the user system. This ensures that the records stored on the server apparatus are kept up to date.
According to a yet further aspect of the present invention there is provided a data file download method for obtaining data files over a network comprising: reading a smart card identification code and a credit amount from a smart card; sending the smart card identification code to a server computer connected to the network; receiving a list of data files from the server computer, the list including cost information indicating a cost associated with each data file; sending a request for a data file selected from the list of data files to the server computer; receiving the requested data file from the server computer; and writing to the smart card the read credit amount reduced by an amount equal to the cost of the selected data file. Advantages of this aspect of the present invention will be apparent from the discussion of other aspects above.
According to another aspect of the present invention there is provided a data file distribution method for distributing data files over a network comprising the steps of: storing on a portal server: a list of data files, location information identifying the location of each data file on the network, and a list of smart card identification codes; receiving a smart card identification code from a remote user system also connected to the network; providing the list of data files to the user system; receiving from the user system a request for a data file selected from the list of data files; retrieving the selected data file from its location on the network; and providing the retrieved data file to the user system. Advantages of this aspect of the present invention will be apparent from the discussion of other aspects above. Aspects of the present invention also provide computer software for carrying out the above described methods when executed on computer or a suitable computer apparatus including network facilities as appropriate.
A further aspect of the present invention provides a smart card for use in carrying out transactions over a network wherein the smart card has a non-replenishable credit amount stored thereon, the smart card having additional value once the credit amount is depleted. Advantageously, smart cards embodying this aspect of the present invention are more attractive to users in that there is additional value in the smart card even when the credit amount on the smart card has been depleted. The additional value of the smart card may be as a gift token redeemable for goods or services at a retail outlet, as a collectable item, or in that a plurality of smart cards on which the credit amount has been depleted may be exchanged for a new smart card having a credit amount stored thereon. Usually only one type of additional value will be provided on a single smart card, but combinations of additional value measures may be included on one smart card to make the card more attractive to as broad a range of users as possible.
In yet another aspect of the present invention there is provided a dispensing apparatus for dispensing physical media having data files recorded thereon, comprising: a smart card reader/writer for reading a smart card identification code and a credit amount from a smart card inserted into the smart card reader/writer; a user interface for providing a list of data files to a user and for receiving a selection of data files from the user; a network connection device for connecting to a remote server computer on a network and for receiving selected data files from the server computer over the network; a data output device for recording the received data files to a physical medium.
Advantageously, embodiments of this aspect of the present invention are suitable for installing in a retail environment and may be used by shoppers having a smart card to purchase data files and to have those data files locally recorded to a physical medium. Advantageously, the apparatus may further comprise a data storage device for storing commonly selected data files such that those files need not be downloaded from the server every time a user selects them.
A further aspect of the present invention provides a method of distributing smart cards to be used in carrying out a transaction over the Internet, comprising: encoding each of a plurality of smart cards with a credit amount and an identification code, the identification code for identifying a smart card when carrying out the transaction; distributing said smart cards to a plurality of retail outlets; for each distributed smart card, keeping a record of the identification number encoded on the smart card and the location of the retail outlet to which the smart card was distributed. Advantageously, this aspect of the present invention permits the tracking of smart cards which may be used in illegal transactions on the Internet, while nevertheless ensuring personal privacy and security for the majority of lawful users.
Preferred embodiments of the present invention will now be described by way of example only and with reference to the accompanying drawings, in which:
Figure 1 shows schematically a data file distribution network embodying the present invention;
Figure 2 illustrates in more detail the user system of Figure 1;
Figure 3 illustrates in more detail the provider system of Figure 1;
Figure 4 illustrates in more detail the portal system of Figure 1;
Figure 5 depicts an exemplary smart card;
Figure 6 shows schematically a smart card distribution network and its relationship to the data file distribution network of Figure 1;
Figure 7 shows an embodiment of a user system implemented as a dedicated device;
Figure 8 shows an exemplary startup menu through which a user interacts with the user system;
Figure 9 shows an embodiment of a user system implemented as a smart card reader connectable to a personal computer; and
Figures 10a to 10c show embodiments of user systems suitable for installation in a retail environment.
System Overview
Figure 1 depicts schematically a network system 2 for distributing data files over a network 4. The network system 2 includes a user system 100 operated by a user wishing to acquire data files and one or more provider systems 200 having data files stored thereon. A portal system 300 acts as an intermediary between the user system 100 and the provider systems 200 and communications between the systems is carried out over the network 4.
In practice, there will be a large number of user systems 100, each typically comprising a computer or other suitable apparatus configured to access the network 4. Each provider system 200 will typically comprise a server computer storing the data files and connected to the network 4 and there may be many such provider systems 200. The portal system 300 will typically comprise a server computer connected to the network 4. There may be more than one portal system 300 on the network 4. In practice, however, there will be far fewer portal systems than user systems. There will also usually be fewer portal systems than provider systems, but this need not necessarily be the case. The network 4 may be the Internet or a local area network, for example.
Figure 2 depicts a typical user system 100 in more detail. The user system 100 includes a central processing unit (CPU) 102 which communicates with the network 4 via a network connection device 104 such as a modem. The user system 100 further includes: a system memory area 106 for storing operating system software; a data memory area 108 for temporary storage or buffering of received data files; a data storage area 110 such as a hard disk for long term storage of received data files; user interaction devices 112 such as a video display unit, keyboard, touch sensitive screen, audio speakers, and other suitable control and input/output devices; data output devices 114 such as a printer or compact disc writer for recording received data files to a physical medium; and a smart card reader 116.
Figure 3 shows a typical provider system 200 in more detail. The provider system 200 includes: a server computer 202 for connecting to the network 4; a data file storage area 204 for storing data files to be distributed over the network 4; and a payment database 206 for storing a record of data files that have been distributed over the network 4.
Figure 4 shows a typical portal system 300 in more detail. The portal system 300 includes: a server computer 302 for connecting to the network 4; a data file storage area 304 for storing data files to be distributed over the network 4; a data file database 306 listing data files available for distribution; a payment database 308 for storing a record of data files that have been distributed over the network 4; a smart card database 310 for keeping a record of valid smart cards; and a user system database 312 for keeping a record of valid user systems.
File Distribution
The portal system 300 maintains a list of available data files 306, the list including location information identifying the location of each data file on the network 4. The data files are stored on one or more provider systems 200 connected to the network 4. The provider systems 200 may be maintained by music, book or video publishers, software houses, or other groups or companies having data files that they wish to distribute. Data files may also be stored locally in the data file storage area 304 of the portal system 300. Preferably, however, the only data files stored locally are particularly popular files, or 'demo' files which have reduced content compared to the original data files stored at the provider system 200. This reduces the time and expense required to set up and maintain the portal system 300 since less storage space and file maintenance is required. Of course, a portal system 300 may also be a data file provider either for commercial reasons or to optimise transmission times, or alternatively because they wish to offer specialist data files not commonly available from mainstream providers.
The portal system 300 receives or obtains regular updates of which data files are stored in the data file storage area 204 of each provider system 200 in order to maintain an up to date list of data files available for downloading. The portal system 300 could receive updates once a week for example. Alternatively, each provider system 200 notifies the portal system 300 of any changes or updates to the available data files on a substantially real-time basis.
A user wishing to obtain one or more data files operates the user system 100 to access the portal system 300. Subject to one or more security checks, the user is presented with the list of available data files, excluding the location information. The list of data files is preferably arranged to permit efficient browsing or searching by the user, who reviews the list and selects a desired data file. A request 10 for the selected data file is sent by the user system 100 over the network to the portal system 300. The portal system 300 then sends a request 12 to the appropriate provider system 200 and retrieves 14 the requested file over the network. Once the requested file has been received, it is downloaded 16 to the user system 100 over the network. Preferably, however, data files are never actually stored on the portal system 300. Rather, the portal system 300 just passes the data file on to the user system 100. A lossless compression protocol such as "OGG" may be used when transmitting files in order to maximise transmission speed.
Since the portal system 300 acts as an intermediary between the user system 100 and the provider system 200, the user has no direct access to the provider system 200, thus improving the security of data files stored on the provider system 200. Alternatively, the requested data file may be downloaded directly 18 to the user system 100 from the provider system 200 to increase transmission speed.
Payment
To reduce the security risks associated with sending credit card details over a network such as the Internet, payment for data files distributed over the network 4 is achieved using a smart card system. Generally, as indicated by Figure 5, a smart card 20 comprises a plastic card 22 of a similar size and shape to a credit card. Embedded in the plastic card 22 is a microchip 24 including a microcontroller, a readable and writable memory, and a communications interface. The microcontroller typically acts as a simple computational device and may be capable of encrypting and decrypting data, as well as other operations. Contacts on the card 22 or more usually the microchip 24 draw power and transfer data to or from a card reader into which the smart card 20 is inserted. For the purposes of the present invention, a smart card 20 may be any device that is capable of storing (i) an identification code identifying the smart card and (ii) a credit amount which is reduced as the card is used to purchase data files. Consequently, to reduce costs, the smart card may have no processing capability and be simply a secure memory device.
Figure 6 shows an exemplary smart card distribution and payment network 50.
A smart card manufacturer encodes smart cards with a credit amount and identification code before delivering them to a distributor 400. Alternatively, the distributor 400 may also be a smart card manufacturer. The credit amount may be an actual monetary value in the currency of the country of issue, or may be in the form of arbitrary units of credit. By using units of credit rather than an actual monetary value, the smart card is more easily used on a worldwide network such as the Internet. In either situation, the smart card has an associated cash value which will normally be printed on the card and may be £5, £10, £20 or other suitable amounts in the currency of the country in which the card is to be distributed.
The encoded cards are distributed 52 to retail outlets 500 such as post offices, newsagents, bookstores, music stores, video stores and other suitable outlets. The distributor 400 receives payment 54 from the retail outlet 500 equal to the total cash value of the smart cards minus a percentage (eg 10%) of that total value which the retail outlet 500 retains as a fee for handling the sale of smart cards to users.
A user, on purchasing a smart card from the retail outlet 500, receives the smart card 56 and pays 58 the retail outlet 500 an amount equal to the cash value of the smart card.
The user inserts the purchased smart card into the card reader 116 of the user system 100, accesses the portal system 300 and selects a data file, as described above in File Distribution. Each data file has an associated cost, either as an actual cash value or in units of credit. A popular or large data file, for example, may have a "cost" of three credits, while a less popular or small file may only cost one credit. The user is only able to select a data file if the smart card has sufficient credit. If the smart card does have sufficient credit, then the selected data file is downloaded 60, 62 from the provider system 200 to the user system 100 via the portal system 300. Alternatively, the data file may be downloaded directly 64 from the provider system 200 to the user system 100. Once the user system 100 receives the data file, the appropriate credit amount is subtracted from the smart card. If transmission of the data file to the user system 100 is not successful, then the credit amount on the smart card is not reduced. Additionally, if the smart card is removed from the card reader 116 before the credit amount has been reduced, then transmission of the data file is stopped. This ensures that the user pays for all files he receives, but does not pay for those files which are not successfully transmitted.
Details of downloaded data files are stored in the provider payment database 206 and the portal payment database 308. The payment details include information on which files were downloaded from which provider 200 and the cost of each data file as an actual monetary value. As files are downloaded, or alternatively at regular intervals (daily, for example), the portal system 300 sends the payment details 66 to the distributor 400 who arranges the necessary payment 67 to the appropriate provider 200. The distributor 400 also arranges payment 72 to the portal system 300 equal to a percentage (eg 10%) of the total cash value of the smart cards sold which the portal system 300 retains as a fee for handling the distribution of data files to users. The distributor 400 retains a percentage (eg 10%) of the total cash value of the smart cards sold as a fee for handling distribution of the smart cards to retail outlets 500. The provider 200 ties received payments in with the payment details stored on the provider payment database 206 to ensure that the correct payments have been made.
Alternatively, the distributor 400 may send payment 68 to the portal system 300, retaining a percentage (eg 10%) as a smart card distribution fee. The portal system 300 then arranges the necessary payment 70 to the appropriate provider 200, retaining a percentage (eg 10%) as a data file distribution fee. As before, the provider 200 ties in received payments with the payment details stored on the payment database 206 to ensure that the correct payments have been made.
Of course, if the portal is also a provider then some payment for the distributed data files will be retained by the portal, reducing the profits lost in terms of distribution and handling fees. While the system 10 shown in Figure 6 depicts only a single user system 100, provider system 200, portal system 300, smart card distributor 400 and retail outlet 500, it will of course be understood that in practice there can be several of each type of system.
Security
In addition to being encoded with a credit amount, each smart card 20 is also provided with a unique identification number or code. Preferably the identification number is an encrypted 32-bit serial number. When a smart card is sold 52 by the distributor 400 to a retail outlet 500, the distributor 400 also sends 72 the ID number to the portal system 300, which stores ID numbers of issued cards in the smart card database 310.
When the user inserts his smart card into the card reader 116 of the user system 100 and accesses the portal system 300, the card ID number is sent 74 to the portal system 300. The portal system 300 checks the received ID number against the list of issued cards stored in the smart card database 310. If the ID number is not valid, then the user system 100 displays a suitable error message to the user and access to the portal system 300 is blocked.
Preferably, the credit amount on the smart card cannot be 'topped-up' or increased after the initial encoding and, once the credit amount has been depleted, the card can no longer be used to purchase data files. When the credit amount on a smart card has been reduced to zero, the user system 100 automatically notifies the portal system 300 and the entry for that smart card on the smart card database 310 is updated accordingly. If a user attempts to use the depleted card again, then the user system 100 displays a suitable error message to the user and the user is only able to browse the list of available data files without the option to download. The portal system 300 may delete records associated with smart cards that have been depleted.
Preferably, however, all of the records are kept in order to perform audits on smart card and data file sales and to retain potentially useful information on which smart cards have been used to purchase particular data files.
The smart card database 310 may also keep a record of the credit amount initially stored on each smart card, and a running tally of the cost of data files purchased using that card. The portal system 300 can therefore determine whether specific cards have been depleted without receiving a specific notification from the user system 100 reading the card. If a user attempts to use a card which is known to have been depleted, but the user system 100 reports that the smart card still has credit, this indicates that the user has fraudulently 'recharged' or increased the credit amount on his card. In this situation, the user system 100 displays a suitable error message to the user, access to the portal system 300 is blocked and further investigations are made.
Preferably, further security checks are made at the user system level. The user system 100 and smart card are provided with local 128-bit access encryption. If the user system 100 determines that the smart card inserted into it has not been properly encoded, or does not recognise the card, then access to the portal system 300 is prevented. Furthermore, the user system 100 sends a warning message to the portal system 300, the warning message containing the identification number of the invalid card, such that any necessary investigations may be made.
Each user system 100 is also preferably provided with a unique identification number, an encrypted 32-bit serial number for example. A record of valid user systems is stored at the portal system 300 in the user system database 312. When a user accesses the portal system 300, the user system ID number is sent to the portal system 300. The portal system 300 checks the received ID number against the list of valid user systems stored in the user system database 312. If the ID number is not valid, then the user system 100 displays a suitable error message to the user and access to the portal system 300 is blocked. The user system ID number may be encoded onto the user system hardware or be a part of the operational software. Preferably, the ID numbers are added to the user system database 312 of the portal system 300 when a user system 100 is sold. The user then registers their user system 100 with the portal system 300 when they first access the portal system 300. The portal system 300 can therefore keep track of sold and active user systems 100.
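The portal-side checks described in this Security section, together with the debit-on-delivery rule from the Payment section, sketched as an added Python example (not code from the patent). The `Portal`, `CardRecord` and `Decision` names and the sample IDs are assumptions, and the credit-mismatch check generalises the depleted-card case in the text to any card reporting more credit than the server's running tally allows.

```python
"""Minimal model of the portal-side checks in the Security and Payment sections.
Added illustration: every class, method and field name here is an assumption."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW_DOWNLOAD = "allow_download"
    BROWSE_ONLY = "browse_only"                      # depleted card: list, no download
    INSUFFICIENT_CREDIT = "insufficient_credit"
    BLOCK_UNKNOWN_SYSTEM = "block_unknown_system"
    BLOCK_UNKNOWN_CARD = "block_unknown_card"
    BLOCK_CREDIT_MISMATCH = "block_credit_mismatch"  # card reports more than the tally


@dataclass
class CardRecord:
    """One row of the smart card database 310."""
    initial_credit: int
    spent: int = 0  # running tally of purchases made with this card

    @property
    def remaining(self) -> int:
        return self.initial_credit - self.spent


@dataclass
class Portal:
    cards: dict      # smart card database 310: card ID -> CardRecord
    systems: set     # user system database 312: valid user system IDs
    catalogue: dict  # data file database 306: file name -> cost in credits
    audit: list = field(default_factory=list)  # blocked attempts kept for investigation

    def _block(self, decision, system_id, card_id):
        self.audit.append((decision, system_id, card_id))
        return decision

    def authorise(self, system_id, card_id, reported_credit, file_name):
        """Decide what a session may do, trusting the server tally over the card."""
        if system_id not in self.systems:
            return self._block(Decision.BLOCK_UNKNOWN_SYSTEM, system_id, card_id)
        record = self.cards.get(card_id)
        if record is None:
            return self._block(Decision.BLOCK_UNKNOWN_CARD, system_id, card_id)
        # Credit cannot be topped up, so a card reporting more than the server's
        # own tally allows has been altered or the records disagree: block it.
        if reported_credit > record.remaining:
            return self._block(Decision.BLOCK_CREDIT_MISMATCH, system_id, card_id)
        if record.remaining == 0:
            return Decision.BROWSE_ONLY
        if self.catalogue[file_name] > record.remaining:
            return Decision.INSUFFICIENT_CREDIT
        return Decision.ALLOW_DOWNLOAD

    def complete(self, card_id, file_name, delivered):
        """Debit the tally only after a successful transfer; return what remains."""
        record = self.cards[card_id]
        if delivered:
            cost = self.catalogue[file_name]
            if cost > record.remaining:
                raise ValueError("debit exceeds the credit recorded for this card")
            record.spent += cost
        return record.remaining


# Constructed sample data: the IDs, file names and costs are invented for the example.
SYSTEM_ID = 0x00000042
CARD_ID = 0xA1B2C3D4


def build_sample_portal():
    return Portal(
        cards={CARD_ID: CardRecord(initial_credit=5)},
        systems={SYSTEM_ID},
        catalogue={"track-a": 3, "track-b": 1},
    )


if __name__ == "__main__":
    portal = build_sample_portal()
    print(portal.authorise(SYSTEM_ID, CARD_ID, 5, "track-a"))
    print(portal.complete(CARD_ID, "track-a", delivered=True))
    print(portal.authorise(SYSTEM_ID, CARD_ID, 5, "track-b"))
```

Because the decision uses the server's tally rather than the credit the user system reports, a rewritten card value changes nothing except to trigger the mismatch block and an audit entry.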
Embodiment implemented in a Dedicated Device
Figure 7 depicts a user system embodied as a dedicated device 100a. This embodiment of the user system 100a comprises a casing 118 in which are housed the device components. CPU 102 may comprise any suitable chip and will generally be custom made. Network connection device 104 may comprise a broadband modem or ethernet connector, connectable to the network via a suitable port in the casing (not shown). System memory area 106 may comprise a Flash (RTM) memory card for storing any suitable operating system such as "Intent" (RTM) and preferably Java based operating software for controlling the user interface and to carry out device operations. Data memory area 108 may comprise a 128Mb DRAM memory board. Data storage area 110 may comprise a hard disk such as a Maxtor Plus8 (RTM) having between 20 and 50 Gb of available storage. User interaction devices 112 may comprise a touch screen display 112a such as the Trident QVGA 5.7 (RTM), and a headphone socket 112b. The device 100a may also be provided with one or more built-in speakers 112c. Data output device 114 may comprise a compact disc writer or re-writer 114a such as the Aopen CRW4048 (RTM) or LGGCE-8320BB (RTM), or a suitable disc drive manufactured by Plextor (RTM). Smart card reader 116a may comprise any suitable device, for example a card reader manufactured by Gem Plus (RTM), for reading a Schlumberger PrimeFlex+ (RTM) or other suitable smart card. Power is supplied by a power cable 122 communicating with an integral AC power supply operating in Universal Switched Mode at 80 to 265 Volts DC and at 50 or 60 Hz, and a power switch 123 is operable to activate the device.
The dedicated device 100a of this embodiment of the invention is particularly suited to downloading music data files over the Internet or a local ethernet and recording them to a writable compact disc. In this embodiment, the network 4 of Figures 1 to 4 is the Internet or local ethernet and the portal system server 302 and provider system server 202 are connected to the Internet or local ethernet. The provider system 200 may be operated by music publishers such as Universal (RTM), BMG (RTM), EMI (RTM), Sony (RTM) and Warner (RTM), for example, or by their agents such as OD2 (RTM), PressPlay (RTM), Liquid Audio (RTM), or MusicNet (RTM). The music data files may be stored on the provider systems 200 in any suitable format such as WAV, MP3, MPEG, Windows Media format, or Real Player format.
As shown in Figure 8, when the device 100a is first turned on a startup menu 600 is displayed on the touch sensitive screen 112a. The menu provides the user with the options of "Check Card Status" 602, "Display Available Credits" 604, "Go On-Line" 606, "Create CD" 608, and "Disk Maintenance" 610. If the user selects "Check Card Status", the device 100a checks whether a smart card has been inserted into the card reader 116a. If no card is detected, a suitable message is displayed on the touch sensitive screen 112a and the user is given the option of checking the card again or returning to the startup menu 600. Alternatively, the user could be returned to the startup menu 600 automatically. The displayed message could ask the user to ensure that the card has been inserted correctly into the card reader, for example. If a card is detected, the device 100a checks that it is a valid card using the local 128-bit access encryption built into the card and the user system 100a as described above. If the card is identified as an invalid card, a suitable message is displayed on the touch sensitive screen 112a and the user is returned to the startup menu 600. The displayed message could inform the user that his card is invalid and that a valid card is required to go online, for example. As previously discussed, a warning message is sent to the portal system 300 if the device 100a is connected to a telephone line or the local ethernet. However, if a valid card is detected, a suitable message is displayed on the touch sensitive screen 112a informing the user that he may proceed to go on-line. Again, the device 100a then displays the startup menu 600 either automatically or after receiving a prompt from the user.
If the user selects "Display Available Credits" 604, the device first checks that a valid smart card has been inserted into the card reader, in the same way as if the user had selected "Check Card Status" 602. If a valid card is detected, the card reader 116a reads the smart card and displays the credit amount remaining on the card. If the credit amount is zero, an additional message warning the user that he will only be able to browse the list of data files is also displayed. The user is then returned to the startup menu 600 either automatically or following a prompt.
In some embodiments of the user system the "Check Card Status" 602 and "Display Available Credits" 604 routines are run automatically on startup or when a smart card is inserted into or removed from the smart card reader. In such an embodiment, the startup menu 600, instead of having user interactive options for checking card status or displaying available credits, simply displays the results of the smart card check.
If the user selects "Go On-Line" 606, the device 100a first runs the card validity and credit amount checks discussed above, and checks that the device is connected to a telephone line or local ethernet. If any of these checks fails, then a suitable error message is displayed and the user is either returned to the startup menu 600, or is allowed to go online, but only to browse the list of data files.
The device 100a may be pre-programmed to access a specified website provided by one portal system 300. Alternatively, the user may be presented with a list of available portal websites or be able to search the Internet for websites provided by different portal systems. The accessed portal system 300 conducts the security checks on the smart card and user system identification numbers as described above and, if the card and user system pass the checks, downloads the list of data files to the user system 100a. The list of data files may be presented as one or more web pages coded in a suitable language such as HTML or Java which is decoded by browser software stored in the system memory area 106 of the user system 100a. The list of data files is displayed on the touch sensitive screen 112a, and the user navigates the list using the touch sensitive screen and selects a desired file. If the smart card has sufficient credit, the selected file is downloaded to the device 100a as discussed above and written to either the data memory area 108 or to the hard disk 110. Usually, the data memory area 108 will be used only to buffer incoming data as it is written to the hard disk 110. The user may select and download as many data files as he wishes provided that he has sufficient credit and sufficient space on the hard disk 110. Once the user has finished downloading files, he can close the connection and return to the startup menu 600.
If the user selects "Create CD" 608 on the startup menu 600, the touch sensitive screen 112a displays a list of music data files which have been downloaded. If a writable compact disc has been inserted into the compact disc writer 114a, the total amount of space, and the amount of space available on the compact disc are also displayed and the user is able to review tracks already written to the compact disc. The user selects one or more data files which are to be written to a compact disc by the compact disc writer 114a.
Once the required data files have been chosen, they are written or "burned" to the compact disc, preferably using the data memory area 108 as a data buffer between the hard disk 110 and the compact disc writer 114a. Although the compact disc writer 114a may be capable of writing and re-writing to a compact disc several times, the user system 100a preferably will not overwrite previously written tracks to ensure that the user does not accidentally delete tracks he actually wishes to keep.
If the user selects "Disk Maintenance" 610, the touch sensitive screen 112a displays a new menu listing various disk maintenance options. These options may include: deleting files stored on the hard disk 110; defragmenting the hard disk 110 to change non-contiguous files into contiguous files; and formatting the hard disk 110 in the event of a serious disk error or if the user wishes to efficiently wipe all of the music data files from the hard disk 110. Other options may be provided if necessary. For example, the user may be able to delete tracks which have been written to a compact disc. Preferably, however, the user is not permitted to do this to ensure that the user does not accidentally delete tracks that he actually wishes to keep.
Although the device 100a has been described as relying on a touch sensitive screen 112a as both a display and a user input device, it will be appreciated that the device 100a may instead be provided with any suitable input device such as a keyboard, a touchpad, a track ball, or buttons positioned adjacent the screen to allow the user to select the desired option from menus displayed on the screen, or to select a desired data file from the displayed list of data files.
Data files are described as being downloaded from the provider system 300 to the hard disk 110 of the user system 100 before being written to a compact disc in a separate step. However, it will be appreciated that data files could be written directly to a compact disc as they are downloaded, with the data memory area 108 being used as a temporary storage or buffer to ensure a constant write speed to the compact disc. For this direct writing to compact disc to be successful, the rate at which data can be downloaded to the user system 100a from the provider system 300 must be greater than the minimum rate at which data can be written to the compact disc by the compact disc writer 114a. However, this is not a preferred method of writing to the compact disc since any interruption of the data file signal may result in the data file being corrupted or the compact disc being ruined.
This embodiment of the user system 100a has been described in terms of downloading music data files. However, it will be appreciated that other types of data file may be downloaded. For example, book data files may be downloaded in any suitable format such as ASCII text, Microsoft (RTM) Word, or Adobe (RTM) PDF format. Although these data files may be written to a compact disc, a device for downloading book data preferably includes a printer or a port for connecting the device to a printer in order to output the data file onto paper. In addition, the display 112a of the device 100a should be sufficiently large and of a high enough resolution for the user to be able to read the text displayed on it without difficulty. Video data may also be downloaded to the device 100a in MPEG, QuickTime or other suitable formats. A device for receiving video data preferably includes a DVD writer for writing to a Digital Video Disc, or an output port for connection to a television or other display.
Embodiment implemented on a Personal Computer
Most home computers now include a modem or other network connection device in addition to a compact disc writer. Many home users will also have a printer as well as a television or other display device for displaying video images, and DVD writers are also becoming common. A large proportion of computer owners therefore already have much of the necessary hardware for retrieving data files from the Internet and recording them to a physical medium. Embodiments of the present invention therefore take advantage of hardware already owned by many home users by providing only a smart card reader and suitable computer software to enable home users to experience the benefits of the present invention at minimum cost.
Figure 9 shows a user system 100b comprising a smart card reader 116b connectable to a home computer 124 via a connection lead 126. A base station 128 of the computer 124 houses the CPU 102, network connection device 104 such as a broadband modem, memory areas 106, 108, and a hard disk drive 110. The computer will typically be running an operating system such as Microsoft Windows (RTM), or MacOS (RTM). The computer 124 also includes a display 112e, a compact disc writer 114b, a keyboard 112f and typically other input or control devices such as a mouse. Connection of the smart card reader 116 to the base station 128 of the home computer 124 may be via a serial port, parallel port, USB port, or any other suitable port provided in the base station 128.
Software installed on the home computer 124 operates to enable the computer 124 to recognise a smart card reader 116b connected to it and to receive data from a smart card 20b inserted into the card reader 116b. The software further operates to carry out the steps described above in connection with the dedicated device, i.e. checking card status, displaying available credits, going on-line and downloading data files. Preferably, the operational software is programmed in Java or any other suitable programming language. Software for writing the received data files to a compact disc or for carrying out disk maintenance functions is not vital since the operating system of the home computer will typically already include such software. Disk maintenance functionality may nevertheless be included to provide the user with a complete integrated system for downloading and purchasing data files, and then performing disk maintenance options.
User system identification codes for security purposes may be included in the card reader hardware 116b. Preferably, however, the identification code is encrypted as part of the operational software.
Embodiments implemented in a Retail Environment
Figures 10a, 10b and 10c show three embodiments of a user system suitable for installation in a retail environment such as a music store, or any public area such as in the forecourt of a shopping centre.
The retail unit 100c of Figure 10a comprises a base unit 130 housing the CPU 102, network connection device 104, memory areas 106, 108, data storage area 110 such as a hard disk, and data output devices 114 including a compact disc writer and a printer. The base unit 130 further includes a smart card reader 116c, a touch sensitive display screen 112g, speakers 112h, an output tray 132 or slot for the unit 110c to deliver a burned compact disc to a user, and advertisement boarding 134.
The retail unit 100d of Figure 10b comprises a base unit 136 housing the CPU 102, network connection device 104, memory areas 106, 108, data storage area 110 such as a hard disk, and data output devices 114 including a compact disc writer and a printer. The base unit 136 further includes a smart card reader 116d, a touch sensitive display screen 112i, an audio headset 112j connected to the base unit 136 by an adjustable connection member 138, a seat 140, an output tray 142 or slot for the unit 110d to deliver a burned compact disc to a user, and advertisement boarding 144.
The multi-user retail unit 100e of Figure 10c comprises a base unit 146 housing the CPU 102, network connection device 104, memory areas 106, 108, data storage area 110 such as a hard disk, and data output devices 114 including at least one compact disc writer and at least one printer. The base unit 136 further includes a plurality of smart card readers (not shown), a plurality of touch sensitive display screens 112k each connected to the base unit 136 by a respective adjustable connection member 147, a plurality of audio headsets 112m each connected to the base unit 136 by a respective adjustable connection member 148, a plurality of seats 150 each connected to the base unit 136 by a respective adjustable connection member 152, an output tray or slot (not shown) for the unit 110e to deliver a burned compact disc to a user, and advertisement boarding 154.
In operation, each retail unit presents the user with a startup menu similar to that shown in Figure 8. The user can check card status, display available credits, go on-line to browse the list of data files and create compact discs. However, the user is not provided with the option of performing disk maintenance. These functions are instead performed automatically by the retail unit. Alternatively, or in addition, a smart card having a particular identification number or encrypted access code may activate the disk maintenance options allowing authorised personnel to perform any necessary maintenance. The retail unit contains a store of blank compact discs, compact disc cases or sleeves and cards for receiving printed information. Once a user has selected a number of tracks, and these tracks have been downloaded to the hard disk, the compact disc writer burns the tracks to a compact disc. The printer then prints a record of the tracks, plus any other useful information such as track length, onto a card. The compact disc, card and a compact disc case or sleeve are then delivered to the user via the output tray 132, 142. In an alternative embodiment, the printer, compact disc writer and supplies are stored externally of the user system and the user can retrieve their compact disc from a service desk in a music store, for example. Preferably, the compact discs stored in the retail unit are capable of being written to once only such that the user cannot later re-write to the compact disc using another compact disc writer. This ensures that the user does not accidentally damage or delete tracks from the compact disc that he actually wished to keep.
The retail unit embodiments of the present invention are particularly suited to operation over a local network rather than over the Internet. For example, a music store or other retail outlet could maintain their own portal server 300 connected to the retail unit via a local network connection. The portal server 300 then communicates with one or more provider servers 200 over the Internet. Alternatively, the music store may maintain their own provider server 200 which is connected to the retail unit and which can deliver data files to the retail unit. In this embodiment, the retail unit will normally serve as both user system 100 and portal system 300.
The retail unit embodiments preferably store popular data files on the hard disk 110 so that these files can be written to a compact disc when selected by a user without the need to download them first. For example, the hard disk may store new releases or the top one hundred tracks of the week. The retail unit embodiment keeps a record of how often the locally stored tracks are selected by users to ensure that the proper billing arrangements are made. The retail units described above are specifically concerned with the writing of music data files to a compact disc. However, it will be appreciated that other forms of data may be written to different physical media. Embodiments of the present invention also relate generally to media dispensing devices for dispensing physical media such as books, DVDs and so forth as well as compact discs to which have been written the data from data files selected by the user.
Technical Summary
In summary, a preferred embodiment of the present invention operates in the following manner. The user initiates a purchase for a particular data file or selection of data files, and an information bundle is transmitted from the portal server (usually a web server) to the user system. This information bundle will typically contain at least the following items: a transaction identifier (T); a resumption identifier (U) so that a transaction can be resumed in the event of communication failure or interruption; a digital certificate including a merchant identifier (I) and public signing and encryption keys; a brief textual description of the goods (data files) to be purchased (D); a value for the goods (V); a currency identifier for the value (C); and a time stamp.
On receiving the bundle, the user system checks the digital certificate and uses public encryption keys to verify that the bundle has not been tampered with. The time stamp is checked to ensure timeliness of the information bundle and to prevent malicious users from making "replay" attacks on the portal. Once the above security checks are completed, the user system reads from the card the following items: a public card identifier; a secret card identifier; a currency type; and a credit amount. Simple validity checks are made to check that the currency types match and that the card is still in credit. The user system then prompts the user to approve the transaction, typically by displaying the textual description (D) and an OK/Cancel dialog. Advantageously, this prevents malicious users from making invisible purchases since each purchase must be manually approved.
If the transaction is approved, the user system writes the values of T, U, D and V to the smart card as a record of the ongoing transaction. A secret identifier (S) for the transaction is also created and written to the card. The credit amount stored on the card itself is not yet updated in case the transaction fails before the data files have been downloaded, but if the credit amount is checked from this point on until completion of the transaction, the returned value is the actual credit amount minus V.
The user system then prepares response information to be sent over the network to the portal. The response information comprises merchant information which is kept by the portal to allow the user system to identify itself securely to the portal system in the event that the network connection is lost, and authorisation information which will be passed from the portal on to an authorisation service to verify the identity of the smart card being used.
The merchant information typically includes the following items: the transaction id (T); the secret identifier (S); a time stamp; and random padding data for improved security. This portion of the response information is encrypted using a public encryption key contained in the digital certificate. The authorisation information typically includes the following items: the public card identifier; the transaction id (T); the merchant id (I); the currency (C); the value (V); a time stamp; and random padding data for improved security.
The response information as a whole is signed using the secret card identifier and transmitted to the portal server. The portal server then saves the merchant information and passes the authorisation information to an authorisation server as an authorisation request. The authorisation server holds records of secret card identifiers and can therefore check that the authorisation data is validly signed. The authorisation server also checks that the portal sending the authorisation request is the same portal as identified by the merchant id (I) contained in the authorisation information, that the timestamp is current, and that the card has sufficient credit to cover the transaction. If these checks are successful then a transaction authorisation message including an authorisation code (A) is transmitted back to the portal server.
On receiving and recording the authorisation code, the portal server releases the goods for download and the download starts. Once the download is completed the user system reduces the smart card's credit amount by the transaction value (V) and deletes the record of the transaction that had previously been stored on the card. Once this is done, a suitable message is sent back to the portal server causing the portal server to delete the merchant information stored on it. The transaction has now been completed.
If several cards are to be used in a single transaction, the steps between the user system reading the smart card information up to the credit amount on the card being reduced are repeated for each different card inserted into the card reader of the user system.
In the event of a communication interruption after the response information has been transmitted, the transaction can be resumed in the following manner. The resumption id (U) is read from the card and transmitted to the portal. The portal then retransmits the original information bundle to the user system. The user system does not need to write the record of the ongoing transaction to the card again and so proceeds directly to the step of preparing a new set of response information. The same secret identifier (S) previously written to the smart card is used when creating the new response information, but different random padding data and a different time stamp are used. The new response information is then transmitted to the portal which checks that the secret identifier (S) is the same as in the previous response information transmitted as part of the interrupted transaction. If the secret ids (S) match, then the transaction is continued from where it left off.
At the end of each trading period (typically a trading day) the portal will have a record of authorised and completed transactions including the value (V) and the authorisation id (A) for each transaction. The merchant sends these values to the authorisation server where they are checked against records kept in the authorisation server and payment is made to the merchant if these checks are successfully completed.
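The flow summarised above (open-transaction record on the card, signed authorisation information, the authorisation server's checks, and resumption with the same secret identifier S) can be modelled as follows; this is an added example, not code from the patent. HMAC-SHA256 keyed with the secret card identifier stands in for the unspecified signing scheme; the field names, the 120-second freshness window and all sample values are assumptions, and the certificate check and the public-key encryption of the merchant information are left out.

```python
import hashlib
import hmac
import json
import secrets

MAX_SKEW = 120  # seconds a time stamp stays "current"; assumed, the page gives no figure


def sign(secret_card_id, fields):
    """MAC over a canonical JSON encoding, keyed with the secret card identifier."""
    blob = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret_card_id, blob, hashlib.sha256).hexdigest()


class Card:
    """Card contents: identifiers, currency, credit, and the open-transaction record."""

    def __init__(self, public_id, secret_id, currency, credit):
        self.public_id, self.secret_id = public_id, secret_id
        self.currency, self.credit = currency, credit
        self.pending = None  # T, U, D, V and S while a transaction is in progress

    def available(self):
        # Stored credit is not yet reduced, but any read returns credit minus V.
        return self.credit - (self.pending["V"] if self.pending else 0)

    def begin(self, bundle):
        if self.pending is not None:
            raise ValueError("a transaction is already open on this card")
        if bundle["C"] != self.currency or bundle["V"] > self.credit:
            raise ValueError("currency mismatch or insufficient credit")
        self.pending = {k: bundle[k] for k in ("T", "U", "D", "V")}
        self.pending["S"] = secrets.token_hex(16)  # secret transaction identifier

    def complete(self):
        self.credit -= self.pending["V"]  # debit only after the download has finished
        self.pending = None


def build_response(card, bundle, now):
    """Merchant and authorisation information with a fresh time stamp and padding."""
    merchant = {"T": bundle["T"], "S": card.pending["S"], "ts": now,
                "pad": secrets.token_hex(8)}
    info = {"card": card.public_id, "T": bundle["T"], "I": bundle["I"],
            "C": bundle["C"], "V": bundle["V"], "ts": now,
            "pad": secrets.token_hex(8)}
    return merchant, {"info": info, "sig": sign(card.secret_id, info)}


class AuthServer:
    def __init__(self, records):
        self.records = records  # public card id -> {"secret": bytes, "credit": int}

    def authorise(self, request, sending_portal, now):
        info = request["info"]
        rec = self.records.get(info["card"])
        if rec is None:
            return None, "unknown card"
        if not hmac.compare_digest(request["sig"], sign(rec["secret"], info)):
            return None, "bad signature"
        if info["I"] != sending_portal:
            return None, "merchant id does not match sending portal"
        if abs(now - info["ts"]) > MAX_SKEW:
            return None, "stale time stamp"
        if info["V"] > rec["credit"]:
            return None, "insufficient credit"
        return secrets.token_hex(8), "authorised"  # authorisation code A


class Portal:
    def __init__(self, merchant_id, auth_server):
        self.merchant_id, self.auth_server = merchant_id, auth_server
        self.saved = {}  # T -> S kept from the merchant information

    def submit(self, merchant, auth_request, now):
        t, s = merchant["T"], merchant["S"]
        if t in self.saved and not hmac.compare_digest(self.saved[t], s):
            return None, "secret identifier does not match interrupted transaction"
        self.saved[t] = s
        return self.auth_server.authorise(auth_request, self.merchant_id, now)

    def finish(self, t):
        self.saved.pop(t, None)  # merchant information is deleted on completion


if __name__ == "__main__":
    # Constructed sample values; amounts are in pence.
    card = Card("card-0001", b"constructed-secret", "GBP", 1000)
    auth = AuthServer({"card-0001": {"secret": b"constructed-secret", "credit": 1000}})
    portal = Portal("merchant-42", auth)
    bundle = {"T": "t-1", "U": "u-1", "I": "merchant-42", "D": "Album download",
              "V": 300, "C": "GBP"}
    card.begin(bundle)
    print(card.credit, card.available())  # stored credit vs credit reported mid-transaction
    print(portal.submit(*build_response(card, bundle, 1000), 1000)[1])
    print(portal.submit(*build_response(card, bundle, 1090), 1090)[1])  # resumption
    card.complete()
    portal.finish("t-1")
    print(card.credit)
```

Because the padding and time stamp change on every response, a resumed transaction produces a different signature each time while S stays fixed, which is what lets the portal tie the new response to the interrupted one.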
User Incentives and Environmental Protection
Numerous user incentives can be put in place to ensure that the smart card payment system described above is used to the full.
A home user system 100a, 100b may include a free smart card having a small credit amount stored thereon to get the user started. Furthermore, when a user purchases a new smart card, he is also provided with a blank, writable compact disc such that the user feels that he is receiving all of the necessary equipment to purchase data files and to record them to a physical medium.
Collectable or promotional smart cards may be issued to coincide with the release of a particular album, or the start of a music festival. A depleted smart card may also be used as a gift token in a music store or other retail outlet. For example, a smart card having a cash value of £13.99 may have a credit amount of £10 encoded on it, and an additional £5 cash value redeemable at a retail outlet against goods or services, such as compact discs. This provides the smart card with value even after the credit on the card has been depleted.
Recycling of smart cards is not only desirable, but may well be a legal requirement in the future. World governments are now beginning to oblige manufacturers to reclaim, recycle, or responsibly dispose of non-biodegradable items and materials such as cars, refrigerators and mobile telephones. It can be envisioned that the same demands will be made of manufacturers of plastic smart cards. In order to minimise the potential environmental impact of producing large numbers of non-rechargeable smart cards, and to ensure compliance with any future recycling directive, the collectable or promotional smart card incentives may also be combined with smart card recycling initiatives.
For example, the collectable cards should be issued in strictly limited print runs, to increase their value as collectable items. Such cards would rarely, if ever, be thrown away and could instead be traded between collectors.
Smart cards having additional value as a gift token will also not normally be thrown away by a user, but will instead be returned to a retail outlet offering to redeem the card for the offered goods or services. The smart card manufacturer or distributor 400 can arrange to collect depleted smart cards from these retail outlets to ensure that they are properly disposed of or recycled. Alternatively, the retail outlet could themselves return redeemed smart cards to the manufacturer, distributor or to a third party agency for disposal or recycling.
As another alternative, each smart card may be provided with a small token value of fifty pence, for example. This token value would not be redeemable for goods, services or cash, but once a user has collected twenty smart cards, having a total token value of £10, these cards may be redeemed at a smart card retail outlet 500 for a new smart card having a cash value of £10. The redeemed smart cards can then be suitably disposed of or recycled.
Prevention of Dissemination of Illegal Materials
It is an unfortunate truth that the Internet is sometimes used for the dissemination of illegal and morally reprehensible materials such as child pornography. Potentially, smart cards could be used in such illegal transactions with the managers of an Internet portal system being unaware that a provider is using the portal to disseminate illegal materials. For example, the provider could be using an innocent sounding name when in fact the data files it makes available to users contain illegal content. Additionally, portal system managers or Internet Service Providers (ISPs) who may unwillingly and unknowingly be providing criminals with the means for transmitting illegal materials over the Internet may nevertheless be at risk of law suits from aggrieved parties if they are unable to police the traffic passing through their server computers.
Furthermore, it is envisaged that smart card payment systems similar to that described above will become popular in carrying out numerous transactions over networks such as the Internet. As smart card systems become more popular, the need for specific portal websites will diminish as individual providers enter into agreements directly with smart card distributors or manufacturers such that they can obtain payment not only for data files, but also for tangible goods or services that they provide in a smart card transaction. In such an enlarged environment, using smart cards in illegal transactions becomes a simpler task since those wishing to disseminate illegal materials need not rely upon the services of a portal system.
Accordingly, embodiments of the present invention enable determination of areas where such material is being purchased in order to assist the law authorities in apprehending offenders.
Smart card transactions are, at first sight, anonymous since neither the portal system 300 nor an ISP hold any personal details on smart card users. Instead, the portal system or ISP keeps a record only of the smart card identification number that is transmitted from the user system, the data files that have been downloaded using that smart card, and the amount debited from the card. If authorities investigating the trafficking of illegal materials become aware that smart cards are being used, then the ISP or the portal system will be able to provide them with the identification number of the smart card being used in a specific transaction. The distributor 400 who originally distributed the smart card with that identification number will have records of the location of the retail outlet 500 to which that smart card was sold, and of the date on which it was sold to that retail outlet. Using this information, the authorities will be able to identify areas where smart cards are being used in illegal transactions, possibly highlighting hotspots of illegal activity and improving the likelihood that offenders will be caught. Furthermore by reviewing security camera footage at the retail outlet in which the mis-used smart card was sold, it may be possible to identify potential suspects. A retail outlet may have records of when a specific smart card was sold and will be able to identify if a credit card was used in the purchase, allowing the authorities to identify the purchaser.
It may not be possible for the authorities to locate the provider server distributing the data files containing illegal content. However, if that provider has entered into a payment agreement with a portal system or a smart card distributor, then there will be an audit trail of payments for smart card purchases to that provider which the authorities may be able to trace in order to apprehend the distributors of the illegal material.
While numerous specific embodiments of the present invention have been described, it will be understood that these are presented by way of an example only, and should not be construed as limiting the present invention. The scope of the present invention is instead defined by the appended claims.

Claims

1. A data file download apparatus for receiving data files over a network from a remote server comprising: a network connection device for connecting the apparatus to a network; and a smart card reader/writer; the apparatus being arranged to: read a smart card identification code and a credit amount from a smart card inserted into the smart card reader/writer; send the smart card identification code to the server; receive a list of data files from the server, the list including cost information indicating a cost associated with each data file; send a request for a data file selected from the list of data files to the server; receive the requested data file; and write to the smart card to adjust the recorded credit amount by an amount equal to the cost of the selected data file.
2. An apparatus as claimed in claim 1, the apparatus further being arranged to: send a request for the selected data file only if the cost associated with the data file is less than or equal to the credit amount read from the smart card.
3. An apparatus as claimed in any preceding claim further comprising a data recording device for recording the received data file to a physical medium.
4. An apparatus as claimed in claim 3, further comprising a data storage area for storing received data prior to the data being recorded to the physical medium by the data recording device.
5. An apparatus as claimed in claim 4, wherein the data storage area comprises a hard disk drive.
6. An apparatus as claimed in any of claims 3 to 5, wherein the data recording device is a printer for recording the data to a print receiving medium.
7. An apparatus as claimed in any of claims 3 to 5, wherein the data recording device is a digital data recording device for recording the data to a digital data storage medium.
8. An apparatus as claimed in claim 7, wherein the data recording device is a compact disc writer.
9. An apparatus as claimed in any preceding claim wherein the apparatus further comprises an apparatus identification code, the apparatus further being arranged to send the apparatus identification code to the server.
10. An apparatus as claimed in any preceding claim wherein the apparatus is arranged to communicate with a pre-determined server.
11. An apparatus as claimed in any preceding claim wherein the network connection device is a modem.
12. An apparatus as claimed in any preceding claim wherein the network is the Internet.
13. An apparatus as claimed in any preceding claim wherein the apparatus comprises a dedicated device.
14. An apparatus as claimed in any of claims 1 to 12 wherein the apparatus comprises a personal computer and a smart card reader/writer connectable to the personal computer.
15. An apparatus as claimed in any of claims 1 to 12 wherein the apparatus is suitable for installation in a retail environment.
16. A server apparatus for distributing data files over a network comprising: a network connection device; a database containing a list of data files and location information identifying the location of each data file on the network; and a database containing a list of smart card identification codes; the apparatus being arranged to: receive a smart card identification code from a remote user apparatus also connected to the network; provide the list of data files to the user apparatus; receive from the user system a request for a data file selected from the list of data files; and provide the selected data file to the user apparatus.
17. An apparatus as claimed in claim 16 wherein the apparatus is further arranged to compare the received smart card identification code with the list of smart card identification codes and to provide the list of data files to the user apparatus only if the received smart card identification code is on the list of smart card identification codes.
18. An apparatus as claimed in claim 16 or 17 wherein the list of smart card identification codes includes information on whether a smart card is a valid smart card, the apparatus further being arranged to compare the received smart card identification code with the list of smart card identification codes and to provide the list of data files to the user apparatus only if the received smart card identification code identifies a valid smart card.
19. An apparatus as claimed in any of claims 16 to 18 further comprising a database containing a list of user system identification codes, the apparatus further being arranged to: receive a user apparatus identification code from the user apparatus; and compare the received user apparatus identification code with the list of user apparatus identification codes and to provide the list of data files to the user apparatus only if the received user apparatus identification code is on the list of user apparatus identification codes.
20. An apparatus as claimed in claim 19 wherein the list of user apparatus identification codes includes information on whether a user apparatus is a valid user apparatus, the apparatus further being arranged to compare the received user apparatus identification code with the list of user apparatus identification codes and to provide the list of data files to the user apparatus only if the received user apparatus identification code identifies a valid user apparatus.
21. An apparatus as claimed in any of claims 16 to 20, wherein the list of data files further includes cost information identifying a cost associated with each data file, the apparatus further being arranged to: receive a smart card credit amount from the user apparatus; and provide the selected data file to the user apparatus only if the cost of the data file is less than or equal to the smart card credit amount.
22. An apparatus as claimed in any of claims 16 to 20, wherein the list of data files further includes cost information identifying a cost associated with each data file, and the list of smart card identification codes further includes credit amount information indicating a credit amount stored on a smart card identified by the smart card identification code.
23. An apparatus as claimed in claim 22, the apparatus further being arranged to: provide the selected data file to the user apparatus only if the cost of the data file is less than or equal to the indicated credit amount.
24. An apparatus as claimed in claim 22 or 23, the apparatus further being arranged to reduce the indicated credit amount by the cost associated with the selected data file once the selected data file has been provided to the user system.
25. A data file download method for obtaining data files from a server over a network comprising: reading a smart card identification code and a credit amount from a smart card; sending the smart card identification code to a server; receiving a list of data files from the server, the list including cost information indicating a cost associated with each data file; sending a request for a data file selected from the list of data files to the server; receiving the requested data file; and adjusting the credit amount recorded on the smart card by an amount equal to the cost of the selected data file.
26. A method as claimed in claim 25 further comprising sending a request for the selected data file only if the cost associated with the data file is less than or equal to the credit amount read from the smart card.
27. A method as claimed in claim 25 or claim 26, further comprising recording the received data file to a physical medium.
28. A method as claimed in claim 27 wherein recording the received data file to a physical medium comprises printing the data file to a print receiving medium.
29. A method as claimed in claim 27 wherein recording the received data file to a physical medium comprises recording the data file to a digital data storage medium.
30. A method as claimed in any of claims 25 to 29 further comprising reading an apparatus identification code from an apparatus used for reading the smart card and sending the apparatus identification code to the server computer over the network.
31. The method of any of claims 25 to 30, further comprising communicating with a pre-determined server computer.
32. A data file distribution method for distributing data files over a network comprising the steps of: storing on a portal server: a list of data files, location information identifying the location of each data file on the network, and a list of smart card identification codes; receiving a smart card identification code from a remote user apparatus also connected to the network; providing the list of data files to the user apparatus; receiving from the user apparatus a request for a data file selected from the list of data files; and providing the selected data file to the user apparatus.
33. A method as claimed in claim 32 further comprising comparing the received smart card identification code with the list of smart card identification codes and to provide the list of data files to the user apparatus only if the received smart card identification code is on the list of smart card identification codes.
34. A method as claimed in claim 32 or claim 33 wherein the list of smart card identification codes includes information on whether a smart card is a valid smart card, the method further comprising comparing the received smart card identification code with the list of smart card identification codes and providing the list of data files to the user apparatus only if the received smart card identification code identifies a valid smart card.
35. A method as claimed in any of claims 32 to 34 further comprising: storing on the portal server a list of user apparatus identification codes; receiving a user apparatus identification code from the user apparatus; and comparing the received user apparatus identification code with the list of user apparatus identification codes and providing the list of data files to the user apparatus only if the received user apparatus identification code is on the list of user apparatus identification codes.
36. A method as claimed in claim 35 wherein the list of user apparatus identification codes includes information on whether a user apparatus is a valid user apparatus, the method further comprising comparing the received user apparatus identification code with the list of user apparatus identification codes and providing the list of data files to the user apparatus only if the received user apparatus identification code identifies a valid user apparatus.
37. A method as claimed in any of claims 32 to 36, wherein the list of data files further includes cost information identifying a cost associated with each data file, the method further comprising: receiving a smart card credit amount from the user apparatus; and providing the selected data file to the user apparatus only if the cost of the data file is less than or equal to the smart card credit amount.
38. A method as claimed in any of claims 32 to 36, wherein the list of data files further includes cost information identifying a cost associated with each data file, and the list of smart card identification codes further includes credit amount information indicating a credit amount stored on a smart card identified by the smart card identification code.
39. A method as claimed in claim 38, further comprising providing the selected data file to the user apparatus only if the cost of the data file is less than or equal to the indicated credit amount.
40. A method as claimed in claim 38 or claim 39 further comprising reducing the indicated credit amount by the cost associated with the selected data file once the selected data file has been provided to the user apparatus.
41. Computer software for carrying out the method of any of claims 25 to 40 when executed on a computer apparatus.
42. A dispensing apparatus for dispensing physical media having data files recorded thereon, comprising: a smart card reader/writer for reading a smart card identification code and a credit amount from a smart card inserted into the smart card reader/writer; a user interface device for providing a list of data files to a user and for receiving a selection of data files from the user; a network connection device for connecting to a remote server computer on a network and for receiving selected data files from the server computer; a data output device for recording the received data files to a physical medium.
43. An apparatus as claimed in claim 42 wherein the apparatus is suitable for installation in a retail environment.
44. An apparatus as claimed in claim 42 or claim 43 further comprising a data storage device for storing data files thereon.
45. A smart card for use in carrying out transactions over a network wherein the smart card has a non-replenishable credit amount stored thereon, the smart card having additional value once the credit amount is depleted.
46. A smart card as claimed in claim 45 wherein the smart card has additional value as a collectable item.
47. A smart card as claimed in claim 45 or claim 46 wherein the smart card has additional value as a gift token.
48. A smart card as claimed in any of claims 45 to 47 wherein the smart card has additional value in that a plurality of smart cards on which the credit amount has been depleted are exchangeable for a new smart card having a credit amount stored thereon.
49. A method of distributing smart cards to be used in carrying out a transaction over the Internet, comprising: encoding each of a plurality of smart cards with a credit amount and an identification code, the identification code for identifying a smart card when carrying out the transaction; distributing said smart cards to a plurality of retail outlets; for each distributed smart card, keeping a record of the identification number encoded on the smart card and the location of the retail outlet to which the smart card was distributed.
50. A method as claimed in claim 49 further comprising, for each smart card, keeping a record of the date on which the smart card was distributed to the retail outlet.
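
The server-side checks of claims 17 to 24, sketched as an added example that is not code from the patent; the class and field names, identifiers, locations and amounts are assumptions. It applies the server-recorded credit of claims 22 to 24 rather than a credit amount reported by the user apparatus (claim 21).

```python
from dataclasses import dataclass


@dataclass
class Card:
    valid: bool
    credit: int  # credit amount the server records for this card (claim 22)


@dataclass(frozen=True)
class DataFile:
    cost: int
    location: str  # where the data file lives on the network (claim 16)


class Refused(Exception):
    """Raised when one of the checks in claims 17 to 23 fails."""


class PortalServer:
    def __init__(self, cards, apparatus, catalogue):
        self.cards = cards          # card id -> Card
        self.apparatus = apparatus  # apparatus id -> valid flag
        self.catalogue = catalogue  # file id -> DataFile

    def _authorise(self, card_id, apparatus_id):
        card = self.cards.get(card_id)
        if card is None or not card.valid:               # claims 17 and 18
            raise Refused("unknown or invalid smart card")
        if not self.apparatus.get(apparatus_id, False):  # claims 19 and 20
            raise Refused("unknown or invalid user apparatus")
        return card

    def list_files(self, card_id, apparatus_id):
        """Return the list with cost information, only to an authorised caller."""
        self._authorise(card_id, apparatus_id)
        return {fid: f.cost for fid, f in self.catalogue.items()}

    def request_file(self, card_id, apparatus_id, file_id):
        card = self._authorise(card_id, apparatus_id)
        data_file = self.catalogue.get(file_id)
        if data_file is None:
            raise Refused("data file is not on the list")
        if data_file.cost > card.credit:                 # claim 23
            raise Refused("insufficient credit")
        location = data_file.location                    # provide the data file
        card.credit -= data_file.cost                    # claim 24: reduce afterwards
        return location


def demo_server():
    """Constructed sample state, not values from the patent."""
    return PortalServer(
        cards={"SC-0001": Card(True, 250), "SC-0002": Card(False, 500)},
        apparatus={"APP-01": True, "APP-02": False},
        catalogue={"track-1": DataFile(99, "provider.example/track-1"),
                   "album-1": DataFile(200, "provider.example/album-1")},
    )
```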
PCT/GB2004/000956 2003-03-07 2004-03-05 Apparatus and method for data file distribution WO2004079608A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0305273.5 2003-03-07
GB0305273A GB2399208A (en) 2003-03-07 2003-03-07 Downloading and paying for data files using a smart card

Publications (1)

Publication Number Publication Date
WO2004079608A2 (en) 2004-09-16

Family

ID=9954339

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2004/000956 WO2004079608A2 (en) 2003-03-07 2004-03-05 Apparatus and method for data file distribution

Country Status (2)

Country Link
GB (1) GB2399208A (en)
WO (1) WO2004079608A2 (en)


Also Published As

Publication number Publication date
GB2399208A (en) 2004-09-08
GB0305273D0 (en) 2003-04-09


Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase