The present invention relates to a system and a method for enhanced user control of private information on mobile devices. The method and system provide the user with a control that limits non-local data flows of the user's privacy- sensitive information, including sensor data and the user's personal information.

Mobiles devices for example mobile phones are emerging in recent years. A mobile device is a small, handheld computing device usually outfitted with a display screen and input means, either a touch screen or a miniature keyboard.

Many portable mobile devices have operating systems that can run applications (Apps). Apps allow the mobile devices to expand its functionality and to be used as, e.g., gaming devices, media players, calculators, and/or navigators. Most mobile devices nowadays are equipped with sensors like cameras, accelerometers, compasses, magnetometers, and/or gyroscopes. Mobile devices provide many functionalities such as communication, entertainment, Internet access, and/or photography, all of which significantly simplify the user's everyday life. However, despite all the advantages, these devices also give rise to challenges about privacy.

For example sensors may record faces and voices. Photos and videos of people from the mobile device camera can be processed with facial recognition software and a person can be identified. Once identified, the holder of the device could be presented with further data associated with the person, e.g., the person's social media profiles, such as the persons Facebook profile or Twitter feed, and/or other Internet search results linked to his/her profile. Individuals typically do not expect such an automated link with their internet data when they move in public. They have an expectation of anonymity.

For example, wearable electronics, such as smart glass devices, e.g. "Google Glass TM", are known in the art. Such smart glass devices are capable of recording audio, video, and photos. Such devices can also use Global Positioning System (GPS) to acquire a location and/or to tracking locations and/or directions. The devices are further capable of handling computational tasks as they are also equipped with a processor chip and a GPU. For instance, there are existing Apps that allow the user to take pictures surreptitiously by winking. To an outside individual it may be difficult or even impossible to recognize whether the user of the smart glass device is recording audio or video with the smart glasses. All data recorded by the smart glass device, including photos, videos, audio, location data, and user data, may be stored in a cloud server, e.g., on Google's cloud servers. Present mobile devices may also connect to the Internet via an own WiFi connection, or by tethering to the user's smartphone. Moreover, even when temporary offline, the devices may record the audio and/or video and upload the data at a later time.

Furthermore, the often permanent connection to the internet and other networks may allow the data to be accessed by and/or to be send to a third party, potentially without knowledge of the user and/or explicit consent of the user. There are already some efforts to change the privacy policy for mobile devices. For instance, the sale of any applications (Apps) which use face recognition or which record video without turning on an indication light on the device is restricted or forbidden in official market places. Furthermore, regulatory efforts have attempted to preserve user privacy.

Although there are already efforts to reduce the above mentioned privacy risk by mobile devices, the known methods are not sufficient to grantee privacy. For example blocking of face recognition Apps in an official app market cannot restrict developers to develop face recognition Apps.

It is an object of the invention to provide a system and a method for enhanced user control of private information on mobile devices. The object is achieved with the subject-matter of the independent claims. The dependent claims relate to further aspects of the invention.

In accordance with an aspect of the present invention a system for user control of privacy-sensitive information on mobile devices is provided. The system comprises, a user's profile database configured to receive and/or store and/or manage the privacy-sensitive information. The System further comprises a privacy policy database configured to receive and/or store and/or manage at least one privacy policy and/or at least one privacy preference with respect to at least one of the following: to at least one different user, to at least one different application, to at least one different scenario of use, and to at least one different type of original request. Still further, the system comprises a privacy engine operationally connected to the user's profile database and/or operationally connected to the privacy policy database, and configured to process the

privacy-sensitive information, the privacy policy, and/or the privacy preferences.

In another aspect of the invention the privacy-sensitive information comprises real-time information generated by at least one sensor, preferably as raw data and preferably transmitted from the at least one sensor to the user's profile database. Alternatively or in addition the privacy-sensitive information may comprise static privacy-sensitive information and/or user defined privacy-sensitive information.

In another aspect of the invention the privacy engine comprises a privacy processing unit configured to calculate an appropriate accuracy level for the privacy-sensitive information preferably based on the original request and/or information from the privacy policy database. In another aspect of the invention the privacy engine further comprises an accuracy processing unit. The accuracy processing unit is configured to process the privacy- sensitive information from the user's profile database and/or further privacy-sensitive information related data received from the outside of the system. Further, the accuracy processing unit is configured to refine the

privacy-sensitive information and/or the further privacy-sensitive information related data.

In another aspect of the invention the accuracy processing unit comprises an information adder, being configured to add corresponding ambiguities to the privacy-sensitive information and/or to the further privacy-sensitive information related data, based on the appropriate accuracy level. Further, the information adder is configured to generate a completed request. In another aspect of the invention the system further comprises a set of privacy-sensitive application programming interfaces (APIs) configured to provide a set of interfaces between the system and further applications.

In another aspect of the invention the system further comprises a privacy setting user interface. The privacy setting user interface is configured to provide a graphical user interface for visualizing the privacy-sensitive information and/or further privacy-sensitive information related data. Further, the privacy setting user interface is being configured to manually update the user's profile database; and/or is configured to manually update the privacy policy database.

In another aspect of the invention a method for user control of privacy-sensitive information on mobile devices is provided, preferably using a system according to any one of the preceding aspects of the invention. The method comprises the steps of retrieving privacy sensitive information from the user's profile database, calculating an appropriate accuracy level for the privacy-sensitive information and/or further privacy- sensitive information related data, adding corresponding ambiguities to the privacy-sensitive information and/or to the further

privacy-sensitive information related data, and generating a completed request. In another aspect of the invention the method comprises prior to the step of retrieving privacy sensitive information from the user's profile database, the step of receiving an original request and deciding whether the original request is privacy-sensitive or not. In case the original request is not privacy-sensitive the original request is completed directly. In case the original request is privacy-sensitive the original request is send to the privacy-engine for completion.

In another aspect of the invention a mobile device is provided, such as a mobile phone. The mobile device comprises a system according to any one of the preceding aspects of the invention and at least one of the following components: a memory, a memory controller, a processor, a peripheral interface, RF circuitry, audio circuitry, a speaker, a microphone, an input/output subsystem, a display, a camera, software components, and input and control devices.

In another aspect of the invention the software components comprise at least one of the following components: an operating system kernel, core libraries, a virtual machine, run time libraries, an application framework, and at least one application.

According to an aspect of the present invention the system provides a privacy-ensured communication between the applications and a data receiver and/or a responder outside.

Furthermore the system ensures the accuracy of the response with respect to user's information meanwhile only disposing an allowed set of privacy information to the responder outside. The privacy sensitive system according to the invention is used on mobile devices, wherein at least one application, being installed on the mobile device, requests privacy-sensitive information, that may include sensor data and/or personal information.

In one embodiment of the invention the information generated by at least one sensor may, e.g., include camera data and GPS data. The acquired data is not directly accessible for the Apps, but is rather send to the user's profile database. The user's profile database also stores further privacy-sensitive information and/or user defined privacy-sensitive information. For example, privacy-sensitive information comprises the user's personal information such as name, address, contacts preferably further privacy-sensitive information and/or user defined privacy-sensitive information.

In an exemplary embodiment the mobile operating system includes a privacy engine/module, APIs for developers to retrieve required data, and a User Interface for user's to manipulate the privacy engine. The privacy engine is a software module that controls the responses of the requests from applications about sensitive information, including private data and personal information that should be kept enclosed as much as possible. The privacy engine preferably includes a privacy processing unit that determines what information should be provided to a certain app. The privacy engine preferably is locally connected to the sensors that provide sensitive data that may affect user's privacy. Advantageously, the privacy engine offers interfaces for the development of applications to request data, which enables private-sensitive data, flows between the local profile content and the application.

A mobile device is preferably a device having at least one of the following characteristics: being a handheld or wearable, having compact dimensions, having a display means, having input means, e.g., a touchscreen and/or keyboard, having at least one sensor, e.g., a camera and/or geosensor, and having at least one connecting means, e.g., WiFi connecting means, mobile data connecting means, and/or Bluetooth connecting means. As a computing device the mobile device has at least one of the following: a computing unit, storage means, several layers of software, e.g., an operating system layer, a library layer, and/or a driver layer. Among others, mobile phones, tablet computers, and wearable electronics are considered as a mobile device according to the invention. It is noted that none of the above lists are exclusive or limiting to the scope of the invention.

The privacy sensitive system comprises at least one of the following: a) a privacy engine, including a privacy processing unit, wherein the privacy engine determines whether requests of privacy-sensitive data are necessary and further determines the appropriate response with respect to the privacy policy the user defined; b) a privacy policy database, operatively coupled and responsive to the privacy engine, wherein the privacy policy database stores the privacy policies and/or the privacy preferences with respect to at least one of the following: to at least one different user, to at least one different application, to at least one different scenario of use, and to at least one different type of original request; c) a user's profile database, operatively coupled and responsive to the privacy engine, wherein the user's profile database receives all the privacy- sensitive data, preferably the sensors' raw data and the users' input, and operatively storing and managing these data; d) a privacy setting user interface, which enables the user to define the content of the profile and the parameters of the privacy processing unit; e) an accuracy processing unit, which filters the inflowing data to make the data response to the application to be accurate with user's privacy information; f) a set of privacy-sensitive application programming interfaces (APIs), which enables private- sensitive data to flow between the local profile content and the application.

Brief description of the drawings

The accompanying drawings, which are included to provide a further understanding of the present invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the present invention, and together with the description serve to explain the principle of the present invention. In the drawings: Fig. 1 shows the schematic of an embodiment of the invention;

Fig. 2 shows the architecture for producing a user profile of another embodiment of the invention;

Fig. 3 shows the workflow according to another embodiment of the invention; Fig. 4 shows the basic components of a mobile device according to an embodiment of the invention; and

Fig. 5 shows a detailed overview of the software components according to an embodiment of the invention.

Detailed description of the invention

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. Meanwhile, the configuration of a system and method, which will be described below, are merely given to describe the preferred embodiments of the present invention, and are not intended to limit the scope of the present invention. The same reference numerals used throughout the specification refer to the same constituent elements.

Figure 1 shows the schematic of the system according to an embodiment of the invention. The system comprises a privacy policy database 101, a privacy engine 102, a privacy processing unit 102a, an accuracy processing unitl02b, a user's profile database 104, a privacy setting user interface 105 and a set of privacy APIs 108. At least one App 110 might communicate with the system. The sensors 106 of the mobile device may send data to the user's profile database 104. Furthermore, further data 107 may be sent to the system, more specifically to the accuracy processing unit 102b. In one embodiment of the invention the privacy setting user interface 105 is operationally connected to the privacy policy database 101 and the user's profile database 104. The privacy policy database 101 is operationally connected to the privacy engine 102 and the privacy setting user interface 105. The user's profile database 104 is operationally connected to the privacy setting user interface 105, the at least one sensor 106, and the privacy engine 102, preferably to the privacy processing unit 102a and the accuracy processing unit 102b. The privacy engine 102 is operationally connected to the privacy policy database 101 , the user's profile database 104, the further data 107, and outside Apps 110. More specifically the privacy processing unit 102a is operationally connected to the privacy policy database 101 and the user's profile database 104; the accuracy processing unit 102b is connected to the further data 107 and the user's profile database 104; and the set of privacy APIs 108 is connected to the Apps 110. The set of privacy APIs 108 is operationally connected to the privacy processing unit 102a and the accuracy processing unit 102b. The privacy processing unit 102a is connected to the accuracy processing unit 102b and the set of privacy APIs 108. The accuracy processing unit 102b is connected to the set of privacy APIs 108 and the privacy processing unit 102a.

In one embodiment of the invention the user privacy policy database 101 is adapted to receive and/or store and/or manage at least one privacy policy and/or at least one privacy preference with respect to at least one of the following: to at least one different user, to at least one different application, to at least one different scenario of use, and to at least one different type of original request.

Managing preferably includes creation and/or deletion and/or update of the user's assigned privacy policies and the user's privacy preferences. Furthermore, the privacy policy database 101 may receive an input from the privacy setting user interface 105 and send data to the privacy engine 102, preferably to the privacy processing unit 102a. In one embodiment of the invention the privacy engine 102 is adapted to receive the user's privacy-sensitive information from the user's profile database 104, to receive the privacy information related requests transmitted through the privacy-sensitive APIs 108 and requested by applications 110. The privacy engine 102 is further adapted to receive the user's assigned privacy policy and preferences from privacy policy database 101 and to transmit the refined privacy information related requests to the outside, e.g., an application server and/or a router. The privacy engine 102 is still further adapted to refine the privacy information related requests sent requested by applications according to user's assigned privacy policies and preferences stored in the privacy policy database 101 to assure the completed request transmitted to the outside is safe.

In one embodiment of the invention the accuracy processing unit 102b is adapted to receive the privacy-sensitive information from the user profile 104, and to receive the privacy-sensitive information related data from outside 107, e.g., an application server and/or a connection information, which shall be used by the applications through the privacy-sensitive APIs 108. The accuracy processing unit 102b is further adapted to refine the privacy-sensitive information related data sent from outside 107 with respect to the accurate private-sensitive information from the user profile 104, to make the privacy-sensitive information related data to be accurate with respect to user's privacy information.

In one embodiment of the invention the user's profile database 104 is adapted to receive the static user's privacy-sensitive information 104a (c.f., Fig 2), e.g., name and/or address, by user's inputs through privacy setting user interface 105 and to receive the real time user's privacy-sensitive information 104b (c.f., Fig 2), e.g. location, moving mode, directly from sensors. The user's profile database 104 is further adapted to update automatically the user's privacy-sensitive information e.g., name, address, age, weight, credit card number, location, time from both the sensors 106 and user's inputs through privacy setting user interface 105 when the data is changed.

In one embodiment of the invention the privacy setting user interface 105 is configured to provide an adaptive Graphical User Interface (GUI) allowing the user to visualize and define the privacy-sensitive information, context-sensitive privacy policies, and privacy preferences with respect to different applications and different scenarios. Further, the privacy setting user interface 105 is configured to transmit the user's assigned context-sensitive privacy policies and privacy preferences to the privacy policy database 101 and to transmit the user's privacy-sensitive information to the user's profile database 104.

In one embodiment of the invention the privacy- sensitive APIs 108 are configured to provide a set of interfaces between the privacy-sensitive operating system and Apps 110. Further, the privacy-sensitive APIs 108 are adapted to transmit the requests of data from the Apps 110 to privacy engine 102 and to transmit the data of response to the Apps 110. Figure 2 shows the architecture of one embodiment for producing a mobile user profile in the user's profile database 104. The user's profile database 104 is adapted to store and manage user's private-sensitive information and transmit it to the privacy-engine 102. A user profile is composed of two types of privacy-sensitive information.

Firstly, the user profile contains the static user's privacy information 104a that is generated by manual input through the privacy setting user interface 105. The content of the static user 's privacy information 104a includes but is not limited to the user's name, age, the date of birth, relationships with other users, telephone number, weight, and/or height. Preferably, some of the information is generated by the system to eliminate the redundancy for the user, when inputting the same information more than once. In one embodiment of the invention the information related to personal information by input is updated when the user inputs new information through the privacy setting user interface 105.

Secondly, the user's profile contains the real time user's privacy-sensitive 104b that is generated by sensors 106 as raw data, and is transmitted from at least one sensor 106 to the user profile. The content of real time privacy-sensitive includes but is not limited to the user's location (generated by GPS), moving mode (generated by a accelerometer and/or a gyrometer), battery life (generated by battery manager), and gesture history (generated by a touch screen). The sensors transmit the privacy-sensitive information generated by hardware as raw data to the user's profile database 104 in the system. The real-time privacy-sensitive information 104b generated by and transmitted from sensors 106 is updated when the sensors 106 generate and transmit new data.

Figure 3 illustrates the workflow of the method in one embodiment of the invention, in particular how the privacy engine 102 works with respect to an original information request to the server outside the system.

It is convenient to describe the privacy engine in terms of two working modules: First, a privacy processing unit 102a, which uses built-in algorithm to calculate the appropriate accuracy level of privacy-sensitive information based on the request itself and the user assigned privacy policy

Second, an accuracy processing unit 102b including information adder, which adds corresponding ambiguities to the privacy-sensitive information based on the calculated accuracy level, and generates a completed privacy-safe request.

However, it is noted that this differentiation is merely for the ease of understanding. In particular, the described functionality may be implemented in a single soft- and/or hardware module.

In one embodiment of the invention, the workflow starts with the App 110 sending out a original request. The App 110 sends the request by using the privacy-sensitive APIs 108. The APIs 108 pass the request to the privacy engine 102.

Starting from the original request, it is first decided whether the request is privacy sensitive or not, that is, whether there is a need to access some privacy-sensitive information to complete the request. If not, the request is seen as an already safe request and completed. If yes, it enters the workflow of the privacy engine 102 for completion.

In one embodiment of the invention within the privacy engine 102 in a first step the request is processed in the privacy processing unit 102a. In this step the privacy processing unit 102a uses the request itself, i.e., its type, the privacy-sensitive information it requires for completion, the App 110 which submitted the original request. The processing unit 102a further uses information from the privacy policy database 104. Then the privacy processing unit 102a calculates the appropriate accuracy level for the request. The calculated result is then transmitted to the next stage.

In one embodiment of the invention within the privacy engine 102 in a second step the request is processed in the accuracy processing unit 102b, preferably by the information adder. To achieve a certain calculated accuracy level, the information adder may need to add some noise or corresponding ambiguities to the privacy-sensitive information. After the adding, the request becomes a completed request with the privacy-sensitive information it required and is then considered a safe and completed request.

Then accuracy processing unit 102b sends out the refined request to the APIs 108 which return the request to the App 110. Upon this point, the user's privacy-sensitive information is kept enclosed within the system.

Figure 4 shows a mobile device according to an embodiment of the invention. The device consists of at least one of the following features: a memory (not shown), a memory controller 202, a processor (CPU) 203, a peripheral interface 204, RF circuitry 205, an external port 206, an audio circuitry 207, a speaker 213, a microphone 210, an input output subsystem 208, a display 211 , a camera 212, software components 201 and inputs or control devices 209. These components can communicate with each other over at least one communication bus or signal line. The device may have more or fewer components as shown in Fig. 4. The various components shown in Fig. 4 may be implemented in hardware and/or software. Figure 5 shows a detailed overview of software components of a mobile device according to an embodiment of the invention. The software components comprise at least one of the following components: operating system kernel 505, core libraries 504, a virtual machine run time libraries 503, an application framework 502, and at least one application 501. According to the present invention, the device is not restricted to the shown components. It is possible that more or fewer components are used in the invention.

The operating system kernel 505 consists of components and drivers to control general system tasks as well as to manage communication between software and hardware components. For instance, the operating system kernel 505 may have: a display driver, a Wi-Fi driver, a camera driver, a power management, a memory driver, and/or other drivers.

There are core libraries 504 on top of kernel 505. These libraries comprise instructions for the device to handle data. The core libraries may comprise a couple of modules, such as a open-source Web browser engine, SQLite database, a surface manager, a webkit, an audio manager, a graphics library, a camera library, a media framework, and SSL. The modules will be useful for storing and sharing of application data, to play and record audio and/or video, and Internet security.

Furthermore, the core libraries include other support libraries to run the methods and algorithms involved in the modules of the framework.

On the next layer, there may be a virtual machine and/or runtime libraries 503 designed to ensure the independence of individual applications. It further provides an advantage in case of application crashes with such virtual machines construction, since it can be easily ensured that the remaining applications are not affected by any other applications running on the device. In other words, a crashed application preferably does not influence the other running applications.

The applications 501 may include, e.g., a home application, a camera application, a calculator application, a media player application, a resource manager application, and a content provider application.

While the present invention has been described in connection with certain preferred embodiments, it is to be understood that the subject-matter encompassed by the present invention is not limited to those specific embodiments. On the contrary, it is intended to include any alternatives and modifications within the scope of the appended claims.