WO2001086373A2 - A quality-of-privacy assurance protocol - Google Patents

Abstract

A virtual quality-of-privacy assurance protocol, for multi-distributed database networking, and appurtenances useful therewith are disclosed. The assurance includes a method (and a system embodying this method), the method including the steps of: forming (201) an ensemble of virtual circuits within a data-communications media's infrastructure; managing (202) a transaction protocol between participants to at least one of the virtual circuits; and, for any pair of mutually transacting participants over any virtual circuit of the ensemble of virtual circuits, maintaining substantial response-for-response parity for querying within at least one predetermined class of respectively maintained proprietary data. The present invention furthermore relates to A Virtual Quality-of-Privacy Assurance Protocol currency economy. The preferred embodiment of the invention relates to wireless appurtenances, embodying portions of the protocol, for use with personal communications devices or with public or private base stations associated therewith.

Description

A Quality-Of-Privacy Assurance Protocol

FIELD OF THE INVENTION

The present invention generally relates to command, control, and communications transaction processing methods, systems, and appurtenances. More specifically, the present invention relates to specific classes of electronic communications-infrastructure protocols that are useful for facilitating quasi-private information-type or business-type transactions.

BACKGROUND OF THE INVENTION

There are numerous well-known data-communications media that facilitate information- type or business-type transactions between curious, interested, or contracting parties. For most such transactions, there is a disparity in a quality-of-privacy expectation between each of the respective transacting parties. For example, in an electronic transaction between a private individual and a large commercial concern, both the individual and the concern are each respectively associated with a virtual data-universe of peripheral quasi-private information. Security considerations surrounding the transaction dictate that each party is reasonably precluded from breaching the privacy of the other party's data-universe, substantially within the need-to-know basis of the transaction.

There are numerous examples of electronic infrastructure media that support these well- known information-type or business-type transactions. One example of such media is the Internet (or an extra-net virtually defined therein), which provides a facile conduit for facilitating a plurality of electronic commerce transactions. Under other circumstances, a plurality of wireless data-communications devices, be they respectively interconnected via an infrastructure of mutually associated antennas or be they utilizing their own respective direct mutual transmission and reception modalities, also constitute a facile conduit for facilitating a plurality of information or commerce transactions. Using other hybrid data-communications architecture conduits, transactions in a command-control-communications environment are likewise accomplished. With the single exception of transactions between completely mutually trusting parties, which can be facilitated using an acceptably strong security protocol, there is a long felt limitation, to the free use of the aforesaid well-known data-communications media, between less than fully mutually trusting parties. Accordingly, there is a need in the art for a protocol that will extend the benefits of transacting, via these well-known data-communications media, while simultaneously extending a better quality-of-privacy between the respectively mutually communicating parties.

The present inventor once presented some of the theoretical underpinnings of the present invention in a public forum. This occurred in the 1980's when the inventor, then a student at the Weizmann Institute of Science (Rehovot, Israel), unilaterally elected to present a public seminar on "Mapless-Networks" there; an announcement of which was posted on the Internet. While this seminar was especially well attended, no further discussion or development of the Mapless-Networks concept resulted from the seminar. Furthermore, no prior or subsequent aspect of the Mapless-Networks seminar derived from any study or work at the Weizmann Institute.

Mapless-Networks substantially related to a new class of distributed asynchronous algorithms for dynamic data-communications channel allocation for wired, wireless, and mixed infrastructures. The seminar presented Mapless-Networks' related proofs of metric limits on a class for robustness, security, integrity, proliferation of quasi-compatible variations, and local poly-version compatible integration. However, the Mapless-Networks concept had not yet evolved to address numerous other issues, such as quality-of-privacy.

Simply stated, everyone at the seminar agreed that neither the requisite super- computational end-user devices nor the requisite super-bandwidth data-communications conduit for virtually interconnecting the devices existed at that time, nor were they foreseen to exist on the then accepted technological horizon. The Mapless-Networks concept appeared to have only spurious theoretical antecedents in switching protocols for trunking systems. Accordingly, any eventual application for the Mapless-Networks concept was deemed to be completely unlikely. Furthermore, the econometrics of a low-tariff global communications infrastructure, essential to the viability of the Mapless-Networks concept's realization, was there deemed to be excessively Utopian. In light of the peculiarly practical critique of the Mapless-Networks concept that was articulate by members of the audience at the seminar, there has not been any further known public mention of the concept; until the present application. It therefore comes as a surprise to observe that a fragment of that seminar, which is only remembered in the Internet's archive as an abstract, articulated basic postulates which, when correctly modified to conform firstly to today's data-communications media and secondly to today's accepted end-user computation devices, allows significant improvements to be configured for transactions between less than fully mutually trusting parties. Nevertheless, further analysis has been necessary to arrive at a viable method for solving this essentially long-standing albeit never properly articulated problem (quality-of-privacy), and this further analysis is observed to be laden with numerous not-insignificant inventive steps; none of which have any know antecedent publication.

From the perspective of data-communications infrastructure, the closest present prior art to Mapless-Networks is the extranet concept, wherein a conglomeration of virtual circuits are united to create a private network; having therein a predetermined accepted level of mutual trust between participating members. More specifically, an extranet is a private network that uses the Internet protocols and the public telecommunication system to securely share part of a business's information or operations with outsiders; e.g. suppliers, vendors, partners, customers, or other businesses.

Netscape, Oracle, and Sun Microsystems are jointly standardizing on JavaScript and the Common Object Request Broker Architecture (CORBA) in order to facilitate mutual extranet implementation compatibility. Microsoft is directing its extranet efforts to Point-to-Point Tunneling Protocol (PPTP) so that commercial credit transacting agencies can implement a standard for Open Buying on the Internet (OBI), and Lotus Corporation is promoting its own Group Ware product, Notes, for extranet use.

Using an extranet requires special consideration of security and privacy issues. These considerations include special firewall server management, the issuance and use of digital certificates or similar means of user authentication, encryption of messages, and the use of virtual private networks (VPNs) that tunnel through the public network. Many of these security and privacy features are necessary because the extranet is a part of a company's intranet that is extended to users outside the company; and these external user are considered to be less trustworthy than internal users.

The cooperative virtual topology of the extranet also is substantially enjoyed in the domain of wireless media; especially for personal information devices such as cellular telephones, wireless internet, and in experimental interactive multimedia projection apparatuses of internet II technologies. Nevertheless, designers of wireless personal data- communications devices, per se, do not generally appreciate this observation. Accordingly, an intermediate quality-of-privacy service policy has not been addressed by data-communications infrastructure facilitators for wireless personal devices.

What is common to all of the aforesaid examples, except Mapless-Networks, is that for any community of users there is defined a substantially central view of the community. This is essentially true even when this actual embodiment of a central index is distributed amongst a plurality of asynchronous server-type data-routing apparatuses. It is the potential to form a central unified view of the community and of user specific patterns of activities therein that degrades the quality-of-privacy. Formation of a centralized view either limits membership in the community to a chosen few (who accept the degraded quality-of-privacy) and precludes full participation by cautious members. Actually, it is this same motivating caution which first directs many internet users to set up multiple electronic mail accounts and which then forces them to seek facile unification tools in order to manage the plurality of accounts.

More specifically, there is a need in the art for a protocol or a method that will facilitate new uses of these well-known data-communications media, while simultaneously improving intermediate quality-of-privacy services for respectively mutually communicating parties therein.

ADVANTAGES, OBJECTS AND BENEFITS OF THE INVENTION

Technical Issues: The Virtual Quality-of-Privacy Assurance Protocol method of the present invention relates to a cost-benefit tradeoff between bandwidth efficient methods for utilizing a data-communications media and privacy protecting methods for transferring transactions over the media. While this aspect of the present invention may be of only passing technical interest for terrestrial network communications infrastructures, such as the Internet, this same aspect represents a novel utilization of scarce wireless bandwidth resources.

Ergonomic Issues: Since the Virtual Quality-of-Privacy Assurance Protocol method of the present invention relates to a class of asynchronous distributed transaction processes which electively propagate, numerous new forms of search transactions are directly facilitated; the preponderance of which are quality-of-privacy compliant. Economic Issues: The Virtual Quality-of-Privacy Assurance Protocol method of the present invention relates to two important classes of economic benefits. Firstly, for classical terrestrial data-communications networks, the present invention creates a new class of intermediate quality-of-privacy transactions which both allow new variations of mercantile intercourse and simultaneous preserve the global security of each participant from being disclosed. Secondly, for wireless and hybrid data-communications media utilization, the method of the present invention facilitates a potentially significant reduction in the associated rates and tariffs necessary for supporting these media.

NOTICES

Numbers, alphabetic characters, and roman symbols are designated in the following sections for convenience of explanations only, and should by no means be regarded as imposing particular order on any method steps. Likewise, the present invention will forthwith be described with a certain degree of particularity, however those versed in the art will readily appreciate that various modifications and alterations may be carried out without departing from either the spirit or scope, as hereinafter claimed.

In describing the present invention, explanations are presented in light of currently accepted scientific, technological or mercantile theories and models. Such theories and models are subject to changes, both adiabatic and radical. Often these changes occur because representations for fundamental component elements are innovated, because new transformations between these elements are conceived, or because new interpretations arise for these elements or for their transformations. Therefore, it is important to note that the present invention relates to specific technological actualization in embodiments. Accordingly, theory or model dependent explanations herein, related to these embodiments, are presented for the purpose of teaching, the current man of the art or the current team of the art, how these embodiments may be substantially realized in practice. Alternative or equivalent explanations for these embodiments may neither deny nor alter their realization. SUMMARY OF THE INVENTION

The present invention generally relates to embodiments of A Virtual Quality-of-Privacy Assurance Protocol, for Multi-Distributed Database Networking, and to appurtenances useful therewith.

More specifically, the present invention relates to A Virtual Quality-of-Privacy Assurance Protocol method (and to a system embodying this method), the method including the steps of: a) forming an ensemble of virtual circuits within a data-communications media's infrastructure; b) managing a transaction protocol between participants to at least one of the virtual circuits; and c) for any pair of mutually transacting participants over any virtual circuit of the ensemble of virtual circuits, maintaining substantial response-for-response parity for querying within at least one predetermined class of respectively maintained proprietary data.

In the context of the present invention a "data-communications media" generally relates to a media which supports multi-distributed database networking. More specifically, multi- distributed database networking is performed when the media supports a communications protocol for transferring a transaction between two address respectively associated portions of one or more databases within the media. For example, two telephones using respective interconnected service providers, two computer work-stations respective interconnected to a common internet or intranet or extranet, or two wireless communications devices interconnected using at least one common transmission frequency or using respective interconnected service providers' proximate base stations, or combinations of the aforesaid. So the media ultimately is the circuit or frequency that supports the transferring and also the active or passive facilitating interfaces and intrafaces associated therewith.

In the context of the present invention a data-communications media's "infrastructure" generally relates to specific aspects of the interfaces and intrafaces. For example, a frequency assignment table or algorithm, a switching circuit assigning table or algorithm, or a packet routing table or algorithm.

Furthermore, a "virtual circuit" relates to a specific static or dynamic configuration for an inter-related plurality of tables, algorithms, or mixtures thereof. Each virtual circuit is essentially a conduit for broadcasting a transaction, a distance of one tier, to a t least one associate; or preferably to a plurality of associates.

Finally, an "ensemble" is a large number. Clearly, one needs to understand how to consider if a number is "large"; and, more importantly, why a large number of virtual circuits are requisite to the present method. In order to convey these notions one must appreciate what is "quality-of-privacy" and how an assurance of it can be achieved.

Simply stated, quality-of-privacy relates, on one side, to an ability of a participant to disclose information to individual associates, and relates, on the other side, to a substantial inability of any participant to coherently aggregate enough disclosures (by the participant of the first side) to reveal important secrets of that party; such as personal life practices or proprietary business methods. Essentially, quality-of-privacy allows each first side participant to monitor and limit how much disclosure he conveys to any specific associate, and in addition quality-of-privacy substantially precludes any other participant from coherently aggregate the disclosures. Accordingly, the size of the ensemble must be sufficiently large to substantially preclude a clever participant from successfully correlating externally derived intelligence materials with dis-coherent aggregations of disclosure.

The substantially assurance of quality-of-privacy for participants in an ensemble derives from the substantial response-for-response parity maintenance of the method, because this forces the participant who is an object of curiosity to be mutually curious about the participant who is trying to breach his privacy. Simply stated, two mutually curious participants, who allow each to satisfy the other's curiosity, are actually mutually trusting parties; who are not interested in maintaining substantial respective quality-of-privacy between them.

Aspects of quality of privacy relate to using virtual circuits so as to preclude spurious breaches of transient disclosures, to using mutual transaction disclosing protocols between any two participants who accept conditions of bilateral association, and to preserving response-for- response parity between bilateral associates.

Preserving response-for-response parity prevents an associate to a bilateral relationship from unilaterally breaching the privacy of the other associate. The preserving response-for- response parity may be on a temporal basis, such as not exceeding a predetermined disparity for transactions within the previous 30 days or the previous 500 operational cycles or the previous 5 randomly occurring spot-auditing events. The preserving response-for-response parity may be on a half-life type basis formulation, in the same way that human associates tend to honor recent favors for recent favors more than they may honor calling up the repayment of an ancient favor. Furthermore, the preserving response-for-response parity may be relaxed below some arbitrarily elected threshold by exchanging credits from one associate for credits to another associate, or by selling credits of some associate for cash or the likes.

Therefore, the present invention furthermore relates to A Virtual Quality-of-Privacy Assurance Protocol currency economy including a) a virtual currency linked to substantially each two participant transaction of a predetermined Virtual Quality-of-Privacy Assurance Protocol; b) at least one virtual banking institution for managing accounts containing the virtual currency; c) at least one external auditing agent automated to preserve the currency's integrity for a preponderance of the participants and for substantially all of the institutions; and d) at least one central banking authority for administering exchange rates between the virtual currency and either nation-state recognized currencies or electronic- commerce facilitating information- value quantum.

Furthermore, the present invention also relates to numerous other embodiments and appurtenances for use therewith, including: a software Plug-in, a software Browser, and a trusted agency for use with a Virtual Quality-of-Privacy Assurance Protocol; articles of manufacture including a computer usable medium having computer readable program code embodied therein for use with A Virtual Quality-of-Privacy Assurance Protocol; and a program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for A Virtual Quality-of- Privacy Assurance Protocol.

BRIEF DESCRIPTION OF THE FIGURES

In order to understand the invention and to see how it may be carried out in practice, embodiments including the preferred embodiment will now be described, by way of non- limiting example only, with reference to the accompanying drawings, in which:

Figure 1 illustrates a schematic view of a data-communications media infrastructure; Figure 2 illustrates a schematic block diagram of the preferred virtual quality-of-privacy assurance protocol method;

Figure 3-5 illustrate schematic block diagrams of further details of significant preferred sub-steps which may be applied to the preferred virtual quality-of-privacy assurance protocol method; as shown in figure 2;

Figure 6 illustrates a schematic view of a quality-of-privacy sensitive communication system; and i

Figure 7 illustrates a schematic block diagram block diagram of a Virtual Quality-of- Privacy Assurance Protocol currency economy.

GENERAL DESCRIPTION OF THE INVENTION

The present invention generally relates to A Virtual Quality-of-Privacy Assurance Protocol, for Multi-Distributed Database Networking, and appurtenances useful therewith.

Turing to figure 1, a schematic illustration of a data-communications media infrastructure (101) supporting Multi-Distributed Database Networking transactions between a plurality of participants A-G (102-108). Each participant maintains a database containing information with varying degrees of privacy associated with contents of the database, depending primarily on who is querying for that particular contents. A first tier query transaction may proceed from participant A to his community of associates represented by G and B. This first tier query may be transferred directly as respective bilateral queries between the participants or indirectly using the query propagation services of an external agency 109 who is mutually accessible to all of the participants. Should the first tier query fail to answer A's question, then A may further propagate the query to second tier participants; being all or some of the associates of both G and B. Since G and B may have bilateral association or may have other common bilateral associates such as E, it will become difficult for A to recognize that certain types of redundancies in the aggregated reporting of the results of his propagated query. Eventually, for any data-communications media infrastructure, a higher order tier query from one participant will substantially reach every other participant. Nevertheless, the degree of anonymity, of the sources of aggregated results, increases with higher order tier queries, especially when using at least one external agency for propagating and aggregating results.

The present invention furthermore relates to a protocol and a method for transferring information between multiple levels of groups of users, wherein some users provide information directly to the seeker, or themselves respectively seek information on the seeker's behalf, in exchange for corresponding treatment by other users. A key element of the invention is that the privacy and anonymity of the seeker, provider and transferor of the information is substantially maintained or otherwise preserved, such as by a mutual accounting of parity between cooperating participants on a bilateral basis.

Information has always been a valuable commodity. There is a well-established business in providing information. Some examples are: all people in a certain trade, all people in a certain geographic locality, or all people who purchased a certain commodity.

Corresponding to the desire by some to acquire information, which is in the hands of others, there is likewise a resistance on the part of the holder of the information to reveal it. This is for privacy considerations or due to the fact that it compromises a business position. Indeed, so strong is the resistance to provide information for these reasons, that almost every request for information stresses that many of the questions are optional or voluntary, and that the information will not be transferred to others.

Since currently, the pursuit of information gathering is thus limited and restricted, the effectiveness or suitability of the information obtained is similarly limited and restricted by virtue of a protocol deadlock of mutually incompatible quality of privacy constraints.

More specifically, the present invention relates to a substantially automated method for conducting a common interpersonal activity, an inter-corporate activity, an inter-organizational activity, or an information sharing activity between disparate parties. The common activity is the inquiring about and passing on of information of various sorts between individuals who interact with one another at varying degrees of familiarity. When this activity is done by people directly communicating with one another, the parties take into account, either knowingly or subconsciously, the need for privacy, business secrecy, and/or anonymity.

For example, two travelers on public conveyance who see each other frequently, but could not be said to be friends, might exchange information to each other about a recommended eating place downtown. On the other hand, each would most likely be reluctant to provide more private information to someone who amounts to little more than a perfect stranger. Thus if the information seeker is in need of a loan, and is seeking a source for that loan, the request for the information is itself a revelation of privacy and may never be made. Similarly, responding to the request is a revelation of privacy and may never be made. Yet if the request and the sought information were given over without the seeker or source being ascertainable, the reluctance would likely drop. So if our traveler would be able, upon his entry into the commuter train, to secretly place a slip of paper into a hopper asking for the name of a lending source, and the conductor could check each traveler's personal phone book for such an entry, without the phonebook owner being aware of the specific request, the conductor could then, in turn, secretly provide the information to its seeker, without revealing its source. The unfeasibility of the last suggestion is obvious. The present invention facilitates this transfer of information, and does so while maintaining privacy, business secrecy, and anonymity.

Furthermore, the present invention generally relates to a protocol method whereby participants can give and receive information, which would otherwise be withheld. The invention teaches a program designed to let users exchange information, after selecting parameters or filters limiting the type and amount of information exchanged or shared with other members of the program. As an example of one type of embodiment of the invention, let us postulate that all of the accountants in a city agreed to share the information in their private telephone directories. They do this in order to make available to themselves information in the directories of their associates, and to get this benefit, they are willing to make the information, which they have, available to others. All of this is done, with the stipulation that they maintain a certain amount of privacy and anonymity.

One of the accountants may be in need of the name of a good tax lawyer, who can provide assistance in an investigation. The seeker wants to know the name of a good tax attorney, but does not want others to know of the investigation. Similarly, others are prepared to provide him with the referral that is needed, but only on condition of anonymity. Thus is provided in this embodiment of the invention, means to protect the anonymity of the seeker of information, and the provider of any particular piece of information.

A further level of anonymity can be offered if the provided information is only given to the seeker where the inquiry results in other responses. Using the above accountant/attorney example, the protocol would not reveal the name of any tax attorney, unless at least a certain predetermined minimal number, say four, tax attorneys were named. Thus any of the four or more providers of the name of their tax attorney, would feel shielded with this anonymity.

A still further level of anonymity can be offered if the provided information is only given to the seeker where the inquiry results in a minimal number of identical responses, e.g. Attorney John Doe is mentioned three times. Thus the providers of the name of this particular tax attorney would have a higher level of anonymity. The responses that did not meet this threshold would not be revealed.

In the foregoing examples, users, be they seekers of providers or transferors of requests and replies for information are described as having the ability to choose numerical value metrics to determine if the particular user in question is giving up too much information or too much privacy.

In a further embodiment of the invention, values are assigned to the information sought and provided, much like monetary values assigned to goods and services in the market place. The values can be monetary in value, or they can be merely indicative of how much information any particular user has received from or provided to other users. Where the values are monetary, a normal cost-benefit approach will determine how much each user will participate. Where the values are relative to use of the system in either direction, a credit balance will permit further use, while a debit balance will restrict further use.

In still a further embodiment of the invention, the invention is used as a means to connect users together, for the exchange of goods or services. This embodiment provides a means for maximizing contacts in a geographically limited area. It should be noted that the trend to Internet marketing does just the opposite. Internet marketing has successfully matched two parties to a transaction, without regard to the geographic distance separating them. This embodiment of the invention enables connection to be made between users of a similar geographic area, and takes advantage of the fact that not all parties to a transaction were seeking the transaction before it was consummated.

This embodiment is particularly suited, though not limited to, mobile personal communication devices; such as those in broad use today.

As an example of this embodiment, let us suppose that a user has two theatre tickets for a performance that evening, which he is unable to use. The user has not the time nor capability to neither call all of his acquaintances, nor would it be effective for him to advertise by means of a radio station which reaches too broad a geographically distant group of people.

In this embodiment of the invention, however, the user would communicate his offer through his personal communication device. He would reach all other members of the program within a certain geographic distance. If that area brought no purchaser for his tickets, the program would automatically seek out a customer in the next farther geographic area.

Similarly, users could seek and offer ride sharing by being able to, on the one hand limit their offer to a relatively small geographic area, and on the other hand expand their offer to users who are not personally acquainted with each other.

The present invention generally relates to a protocol and a method for transferring information between multiple levels of groups of users, wherein some users provide information directly to the seeker, or themselves seek information on the seeker's behalf, in exchange for corresponding treatment by other users. A key element of the invention is that the privacy and anonymity of the seeker, provider and transferor of the information is substantially maintained or otherwise preserved, such as by a mutual accounting of parity between cooperating participants.

Information has always been a valuable commodity. There is a well-established business in providing information. Some examples are: all people in a certain trade, all people in a certain geographic locality, or all people who purchased a certain commodity.

Corresponding to the desire by some to acquire information, which is in the hands of others, there is likewise a resistance on the part of the holder of the information to reveal it. This is for privacy considerations or due to the fact that it compromises a business position. Indeed, so strong is the resistance to provide information for these reasons, that almost every request for information stresses that many of the questions are optional or voluntary, and that the information will not be transferred to others.

Since currently, the pursuit of information gathering is thus limited and restricted, the effectiveness or suitability of the information obtained is similarly limited and restricted by virtue of a protocol deadlock of mutually incompatible quality of privacy constraints.

More specifically, the present invention relates to a substantially automated method for conducting a common interpersonal activity, an inter-corporate activity, an inter-organizational activity, or an information sharing activity between disparate parties. The common activity is the inquiring about and passing on of information of various sorts between individuals who interact with one another at varying degrees of familiarity. When this activity is done by people directly communicating with one another, the parties take into account, either knowingly or subconsciously, the need for privacy, business secrecy, and/or anonymity.

For example, two travelers on public conveyance who see each other frequently, but could not be said to be friends, might exchange information to each other about a recommended eating place downtown. On the other hand, each would most likely be reluctant to provide more private information to someone who amounts to little more than a perfect stranger. Thus if the information seeker is in need of a loan, and is seeking a source for that loan, the request for the information is itself a revelation of privacy and may never be made.

Similarly, responding to the request is a revelation of privacy and may never be made. Yet if the request and the sought information were given over without the seeker or source being ascertainable, the reluctance would likely drop. So if our traveler would be able, upon his entry into the commuter train, to secretly place a slip of paper into a hopper asking for the name of a lending source, and the conductor could check each traveler's personal phone book for such an entry, without the phonebook owner being aware of the specific request, the conductor could then, in turn, secretly provide the information to its seeker, without revealing its source. The unfeasibility of the last suggestion is obvious. The present invention facilitates this transfer of information, and does so while maintaining privacy, business secrecy, and anonymity.

Furthermore, the present invention generally relates to a protocol method whereby participants can give and receive information, which would otherwise be withheld. The invention teaches a program designed to let users exchange information, after selecting parameters or filters limiting the type and amount of information exchanged or shared with other members of the program. As an example of one type of embodiment of the invention, let us postulate that all of the accountants in a city agreed to share the information in their private telephone directories. They do this in order to make available to themselves information in the directories of their associates, and to get this benefit, they are willing to make the information, which they have, available to others. All of this is done, with the stipulation that they maintain a certain amount of privacy and anonymity.

One of the accountants may be in need of the name of a good tax lawyer, who can provide assistance in an investigation. The seeker wants to know the name of a good tax attorney, but does not want others to know of the investigation. Similarly, others are prepared to provide him with the referral that is needed, but only on condition of anonymity. Thus is provided in this embodiment of the invention, means to protect the anonymity of the seeker of information, and the provider of any particular piece of information.

A further level of anonymity can be offered if the provided information is only given to the seeker where the inquiry results in other responses. Using the above accountant/attorney example, the protocol would not reveal the name of any tax attorney, unless at least a certain predetermined minimal number, say four, tax attorneys were named. Thus any of the four or more providers of the name of their tax attorney, would feel shielded with this anonymity.

A still further level of anonymity can be offered if the provided information is only given to the seeker where the inquiry results in a minimal number of identical responses, e.g. Attorney John Doe is mentioned three times. Thus the providers of the name of this particular tax attorney would have a higher level of anonymity. The responses that did not meet this threshold would not be revealed.

In the foregoing examples, users, be they seekers of providers or transferors of requests and replies for information are described as having the ability to choose numerical value metrics to determine if the particular user in question is giving up too much information or too much privacy. In a further embodiment of the invention, values are assigned to the information sought and provided, much like monetary values assigned to goods and services in the market place. The values can be monetary in value, or they can be merely indicative of how much information any particular user has received from or provided to other users. Where the values are monetary, a normal cost-benefit approach will determine how much each user will participate. Where the values are relative to use of the system in either direction, a credit balance will permit further use, while a debit balance will restrict further use.

In still a further embodiment of the invention, the invention is used as a means to connect users together, for the exchange of goods or services. This embodiment provides a means for maximizing contacts in a geographically limited area. It should be noted that the trend to Internet marketing does just the opposite. Internet marketing has successfully matched two parties to a transaction, without regard to the geographic distance separating them. This embodiment of the invention enables connection to be made between users of a similar geographic area, and takes advantage of the fact that not all parties to a transaction were seeking the transaction before it was consummated.

This embodiment is particularly suited, though not limited to, mobile personal communication devices in broad use today.

As an example of this embodiment, let us suppose that a user has two theatre tickets for ^J a performance that evening, which he is unable to use. The user has not the time nor capability to neither call all of his acquaintances, nor would it be effective for him to advertise by means of a radio station which reaches too broad a geographically distant group of people.

In this embodiment of the invention, however, the user would communicate his offer through his personal communication device. He would reach all other members of the program within a certain geographic distance. If that area brought no purchaser for his tickets, the program would automatically seek out a customer in the next farther geographic area.

Similarly, users could seek and offer ride sharing by being able to, on the one hand limit their offer to a relatively small geographic area, and on the other hand expand their offer to users who are not personally acquainted with each other.

Alternatively stated, the present invention also generally relates to a group of participants connected by a common data or communications media, with each participant interacting directly only with a portion of the group, or with a community, and with each participant maintaining a list or database indicating how that participant interacts with his community. The relationships between the various participants include varying degrees of trust and cooperation. Embodiments of the present invention create mechanisms which allows a participant to ask his associates (members of his personally defined community) a question which he himself may not be able to answer, or where he wants a more specific or directed answer than would be available through other (e.g. public) channels. The question may be directed to the entire community or to a predetermined subset of the community. In order to protect the privacy of the members of the community, the answers are given anonymously to a secured mechanism, where they are pooled together and presented collectively to the party who asked the question, or are transferred using collateral agreements between the participants so as to maintain privacy of the source or to facilitate information sharing reciprocity between a predetermined pairing or plurality of participants. In certain circumstances, in order to further insure the privacy and anonymity of the parties giving answers, a minimum number of answers may be required for the collection of answers to be revealed.

In an Internet-media community, for example, each member compiles a list of associates. One's direct associates are labeled first tier friends. One may add to one's list of friends by requesting reciprocal ties with another member, or one may rely on substantially anonymous information gleaned from second or more distant tier sources. A second tier source is friend of a friend, and by extension a further tier source is at least one further tier therefrom. The measurement of tier source distance should be according to least distance, such a friend who is both a first tier friend and a third tier friend should be considered as a first tier friend only. However, since most transactions responses are aggregated and returned anonymously, reporting ambiguities and anomalies are possible.

When an inter-friend establishment request is made, the other member is contacted for approval which may be granted or denied. The other member becomes a friend only if he grants the approval. Periodically, as new members join the community of first tier friends, one is encouraged to review the lists of new second tier friend members and make requests for direct reciprocal ties; when relevant. Additionally, broader sub-communities, based on common ground such as membership in professional organizations or members' alma maters, exist, and each member may elect to join any of the sub-communities. A profiles is maintained by and for each member, which includes organizational or personal profile information such as cooperate service and service rate structure or personal birth date, address, and electronic mail address, or a list of the member's friends or the sub-communities to which the member belongs. The member may store additional information in his profiles, such as an address book, or a list of professional consultants or favorite restaurants. Members cannot access each others' profiles or personal directories or proprietary data banks directly. However, in the event that a member is seeking a recommendation, he may generate an automated query that goes to his first tier "friends"; his associates. The associates' profiles are then queried and the responses are returned under collateral privacy agreement or are stored anonymously in a designated trusted third party site. If at least a predetermined quantum such as 10 answers were received, the contents of the site are then forwarded to the member. If, however, fewer than 10 answers quantum were received, the member who originated the query receives an error message indicating that not enough data was given. The associates to whom the query is directed may include a predetermined minimum quantum or all of one's associates, their respective propagation of the query to further tier friends, other members in the various sub-communities to which one belongs, or a smaller designated group from among them, such as the friends who also belong to the alma mater group.

A member preparing to move, for instance, may wish to receive recommendations for a health club, a school, and for specialist doctor in the area of her new home. Though she could open a telephone directory or call national organizations for a recommendation, she wishes to have a recommendation from a source she considers more reliable. She generates queries to all of her 50 associates requesting the recommendations. The first query, for a health club, receives 14 answers and the results are forwarded to her. The other two queries, however, receive fewer than 10 responses each, and neither query is answered.

While the member of such a community cannot necessarily know or discover the reason why too few responses were received, the primary reasons why this may happen may be as follows: i. The associates to whom the query was directed did not have the information requested. ii. The mechanism may be set to discard identical responses, and there was extensive overlap between the responses which were received. iii. The associates to whom the query was directed did not wish to share the information requested.

It is sometimes possible to overcome the first of these reasons. In the event that one's associates do not have the necessary information, it is possible to request another, more extensive query, which extends to the associates' associates without breaching a predetermined quality of privacy. When the results of a query addressed to one's friends does not yield sufficient results, the query may be redirected by the first tier friends to second tier friends or beyond, or, where appropriate, to the friends of the members of one's common interest groups. For example, someone looking for a recommendation of a doctor in a given city may address her query to her friends. However, as none of her friends live in or near the given city, none can provide her with information. Without disclosing the source of the query, she propagates or redirects her query to all of her friends with a request to further propagate the query to their respective friends, the friends of her friends, in order to gain a broader base from which information may be obtained, and in fact, receives multiple recommendations for doctors in the area. The number of recommendations is sufficient to meet the 10-answer minimum and the results of the query are forwarded to the originator of the query.

The second reason why the number of responses may appear insufficient is that the secured mechanism, which accepts the responses, automatically may discard duplicate responses. However, various systems for considering duplicate responses may be implemented according to the preferred system. The results may be misleading in any case, since the originator of the query does not know the origin of any given response, and the prominence of the response in the responder's overall profile, list, or database. In the case of a recommendation for a professional, for example, there may be 25 responders who have consulted with professional A once each, and another responder who consulted with professional B (in the same profession) 100 times, and continues to do so on an ongoing basis. If a list of responses is given with each response showing individually despite duplication, a "vote" system, professional A will have received an overwhelming majority of the votes, despite the fact that professional B has been consulted more often, and may be the only one who is still being consulted.

The matter could then be further confused if the same request were addressed, for instance, to 31 associates, 10 of whom responded with one answer (professional A, who has been consulted only once by these associates), and 10 of whom offered two answers (professional A, who had been consulted once by each of these associates, and professional C, who was consulted by all of the same 10 associates since they were dissatisfied with the services offered by professional A). Of the remaining 11 associates, 10 have no answer and 1 offers one answer (professional B, consulted over 100 times on an ongoing basis). In the final list presented to the requester of the query, professional A would appear to be the overall "winner," despite the fact that 50% of those asked were dissatisfied enough to turn to another professional, and professional B would still be ranked last. Since the originator of the query has no access to the added information, this type of answer may be extremely misleading.

The issue is perhaps more pronounced when the community comprises not individuals, but businesses or companies, and the recommendation is also for a company or a service of some kind. Of 15 responses received, 14 may be for the same company, but all 14 together may give that company an annual volume of business amounting to a given sum. The 15^th recommendation may be the only one for another company, but the volume of business between the responder and the company may far exceed the total of the other 14 responders. Since the originator of the question does not receive this information, and from the answers he cannot guess which responder gave which answer, he remains no better informed than if he had simply received the two recommendations. Hence, an alternative mechanism may sort the results by popularity without disclosing an actual vote count.

As such, listing each answer only once, giving no weight to the number of times it was given, is the preferred way to gather answers from a quality of privacy standpoint albeit not necessarily from a practicability standpoint.. This system may also be misleading, as the originator of the question cannot know the number of times that each response was given. However, in either case, the originator of the query is aware that he is receiving limited information and must consider it as such.

The issue of limited information is directly related to the third main reason why the number of responses may be insufficient: those asked were unwilling to provide the information solicited. Given the assumption that the level of trust and cooperation between the members of the community varies, the participants in such a community may be willing to share information about themselves that anything concerning them in varying degrees. The originator of a question is aware upon requesting information that he may receive only limited information, depending on the nature of his relationship with the other members of his community, and moreover, if the query is extended (to the associates' associates, for example), it is possible that the information will be even more limited.

In order to limit the information provided, members may place various restrictions, or filters, on the queries they receive and answer. Members may, for example, limit the type of questions that they will accept. For example, a company may accept questions requesting information about suppliers, but not about financial information or volume of transactions, even if it pertains to the suppliers. A doctor's office, for instance, may accept questions about professional affiliations and types of treatments available, but not about patients or the number of times any given treatment has been performed. Another type of filter may limit the questions originating from certain sources or block them altogether, but allow complete disclosure to other sources, depending on the member's relationship with the sources of the questions. A simple example of such a filter would be to limit queries to "first tier" queries. That is, one accepts questions from one's direct associates, but not from one's associate's associates or from their associates. Another type of filter by origin is based on "classes," where members of the community are divided into categories, such as "suppliers," "direct retailers," "consumers," and so on. Certain queries from certain classes or type of classes of associates may be accepted, while other types of queries from the same or from other classes may not. Such filters may be symmetric or asymmetric. In other words, if one is unwilling to provide certain information to a certain party, he may or may not be able to receive similar information from that party, depending on the filter system that the other party has set. For instance, a company which refuses queries from its associates regarding suppliers in a certain country may be blocked from receiving similar information from their respective associates.

Another mechanism which may be implemented to prevent any given member from amassing excessive amounts of information from associates is a currency system. A debit or credit system may be established, and various types of queries may be "priced" differently. A request for a recommendation for a school, for example, may "cost" 2 units, whereas a request for information about business contacts may "cost" 10 units. Various members of the community may then place different values on different queries, depending on the information requested and the source of the request. Members may also reach agreements regarding a maximum allowable debt between them. Two members may agree, for instance, that the maximum allowable debt between them is 50 units, knowing the tariff schedule for various queries. By placing a maximum on the allowable debt, each party has protected itself from excessive unilateral exposure. Neither member may request an excessive quantity of information from the other unless the other is also requesting information. The debit system is automatic, since members cannot know where the query results originated. Thus, it is the system itself which blocks the query according to predetermined criteria, and the party originating the query cannot even know which associates blocked his query.

Another currency system which may be used to limit members' access to each others' information is a "coupon" system which includes an expiration for query rights earned by a member. Each query that a member answers entitles that member to request similar information from the associate that originated the query. However, the right to request the specified information (or type of information) may be limited to a given time frame. For example, a company with a new project in the Los Angeles metropolitan may send 30 queries its associates over a span of six months, thereby giving each associate who provides an answer the right to request similar information. Each request right, however, is limited to 90 days from the original query. Thus, at the end of nine months, the company knows that it has no outstanding query debts. A third way in which queries can be translated into currency is to place a value on transactions or sales not related to the query, where the earned amount can then be used to "purchase" information (in the form of queries). In such a system, the purchase (or sale) of an item entitles the purchaser (or seller) to query rights. For example, a wholesaler may agree to disclose certain types of information to a customer who purchases a specified amount annually.

Other than queries requesting information, other types of queries may exist. One other type of query is a request for a transaction referral. In this type of query, the requester does not ask for a information regarding a job or service, whether it can be performed, or who can perform it. Instead, this type of query assumes that a job can be performed or a service can be given and requests this service. For example, a company wishing to purchase a large quantity of a given item within a certain (short) time frame may query 15 of its suppliers regarding the available quantity of the item. The query indicates that none has the complete quantity, but at least 6 suppliers exist with at least 15% of the desired quantity. Since the company would rather overstock than fall short, the company may place an "order query." In other words, the company directs a query to its suppliers requesting a quantity equaling 15% of the total desired quantity to be shipped immediately. The company places the orders with trusted suppliers, without knowing specifically where the orders have been placed. In this manner, at least 90% of the desired quantity may be obtained quickly. (It is possible that a larger quantity will arrive, depending on how many of the suppliers were able to fill the order.)

In this manner, a purchase sale may be divided among several agents. For example, someone wishing to buy or sell a large quantity of stock may wish to divide the sale among several brokers to make it less conspicuous. The seller may send out a transaction referral query to multiple brokers with whom he deals, requesting the sale of some portion of the stock. Each of the brokers would then sell that portion accordingly, without knowing directly that the larger quantity was being sold.

This query system provides a means for users of a common medium to access and give information and services to other users, while still placing restrictions on the types and quantity of information that can be viewed and who is allowed to view the information. The privacy of individual users is also protected, while still allowing these users to disclose some amount of information.

For some companies, such a system provides them, in effect, with a limited extranet.

The company can supply information and services, but do so anonymously and place various restrictions for different users. A simple extranet doe not give this anonymity, and some companies are therefore more limited in what they can make available through an extranet. With a system that offers anonymity and varying restrictions, however, more information can sometimes be disclosed when it is desirable. Similarly, individual members of a community with a common means of communication (such as an intranet, an Internet community, or a wired or wireless connection) may also be willing to reveal some personal information to some members, but not complete information or not to all of the other members. This system allows these members to automatically request and supply information in varying degrees from and to other members, while maintaining privacy and anonymity. The system may thus be used to obtain recommendations for anything from an ethnic restaurant to a medical specialist. The requester does not know the source of the recommendation, but he knows that it is from someone whom he trusts to some degree either personally or professionally. Or the system may be used to request a service. For instance, in a community linked by hand-held communication devices (such as cellular telephones which are also wireless two-way radios and include a chip containing information), an individual may receive a query requesting that the nearest doctor be paged to the site of a local medical emergency. The request is then passed to the community, and doctors are paged to the site. The query results do not indicate the identity of the doctors or any other information about them. The result of the query is simply to page the doctor, and to indicate how many doctors were paged. In a similar manner, in a large facility, the dispatching system may receive a request for a maintenance engineer. The dispatching system automatically pages the engineers, and those within range of the problem respond. The system does not reveal to the requester the identity of the responding engineers. Instead, it indicates only that the problem will be addressed. The system thus protects the privacy and anonymity of the responder, while providing information or a service to the requester.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

The present invention directly relates to A Virtual Quality-of-Privacy Assurance Protocol method. Figure 2 is a block diagram presenting the most significant categorical steps of this method, and figures 3-5 present further details of significant preferred sub-steps which may be applied therein. This method (200) includes the steps of: a) forming (201) an ensemble of virtual circuits within a data-communications media's infrastructure; b) managing (202) a transaction protocol between participants to at least one of the virtual circuits; and c) for any pair of mutually transacting participants over any virtual circuit of the ensemble of virtual circuits, maintaining (203) substantial response-for-response parity for querying within at least one predetermined class of respectively maintained proprietary data.

A proof for Quality-of-Privacy Assurance may be constructed by considering a worst case scenario. According to this scenario, a competitor desires to disclose the business methods of a successful establishment. The competitor may have direct business contact with this establishment and also with numerous associates of this establishment. In order for the competitor to breach the privacy of the establishment to a degree that the business methods will be disclosed, the competitor must substantially trade information with the establishment and the establishment's associates. The information that the competitor will need to reveal must be of sufficient interest for the establishment and the establishment's associates to unilaterally query the competitor; otherwise no substantially response-for-response parity can exist. For this to be practical, the competitor must be larger, in an information quanta evaluation sense, than the aggregate of the establishment and the establishment's associates the establishment and the establishment's associates. It is excessively unlikely that the gigantic competitor will be willing to reveal its entire proprietary information archive in order to perhaps discover some secret of a comparatively infinitesimal establishment.

This dis-proportionality is so large that introduction of controlled relaxation of the basic bilateral response-for-response parity metrics will not substantially improve a competitor's ability to breach the secrecy of a target establishment. This relaxation may include exchanging metrics for money or allowing metrics to accumulate or to be traded or the like. Furthermore, even providing for any establishment to elect a relaxation of metrics for a plurality of its bilateral associations, the Quality-of-Privacy for that establishment remains Assured.

According to an aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention that is presented using figure 3, forming (201) an ensemble of virtual circuits within a data-communications media's infrastructure includes: a) substantially each participant of a plurality of participants agreeing (301) with at least one other participant of the plurality of participants to the establishment of a mutual virtual circuit data-communications conduit facility in the infrastructure; b) accessing (302) or establishing (303) of at least one mutual virtual circuit data- communications conduit facility in the infrastructure; and c) each of the agreeing participants respectively adding (304) a tuple to a private databank of mutually agreeing participants, wherein the tuple provides a record of predetermined communications enabling particulars of the at least one other participant and of accessing a mutual virtual circuit of the at least one mutual virtual circuit data-communications conduit facility.

According to a preferred variation of the immediately preceding aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention, agreeing (301) includes negotiating (305) via a mutually trusted participant.

According to another aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention, forming (201) an ensemble of virtual circuits within a data- communications media's infrastructure includes specifying (306A) a terrestrial network or subset thereof as the data-communications media's infrastructure. In this context, a terrestrial network is a wide area network or a telephone system, or a cable-based communications system or a community of wireless base stations or the like or a mutual service mixture of any combination of the aforesaid.

According to a further aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention, forming (201) an ensemble of virtual circuits within a data- communications media's infrastructure includes specifying (306B) a predetermined Internet or a subset thereof as the data-communications media's infrastructure.

According to yet another aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention, forming (201) an ensemble of virtual circuits within a data- communications media's infrastructure includes specifying (306C) at least one wireless data- communications service provider or a subset thereof as the data-communications media's infrastructure.

According to still a further aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention, forming (201) an ensemble of virtual circuits within a data- communications media's infrastructure includes specifying (306D) at least one intermediary base station or a subset thereof as requisite to the data-communications media's infrastructure. Furthermore, according to an aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention, forming (201) an ensemble of virtual circuits within a data- communications media's infrastructure includes specifying (306F) at least one transmission frequency and at least one reception frequency as requisite to the data-communications media's infrastructure.

Additionally, according to an aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention, forming (201) an ensemble of virtual circuits within a data-communications media's infrastructure includes specifying (306G) at least one encryption standard as requisite to the data-communications media's infrastructure.

Furthermore, according to yet another aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention, forming (201) an ensemble of virtual circuits within a data-communications media's infrastructure includes specifying (306H) a terrestrial telephone end user identification as requisite to the data-communications media's infrastructure.

Also, according to still another aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention, forming (201) an ensemble of virtual circuits within a data-communications media's infrastructure includes verifying (3061) a referral from one participant to another participant of a third participant.

Furthermore, according to an aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention, managing (202) a transaction protocol between participants to at least one of the virtual circuits includes using (401) an extranet.

Likewise, according to an aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention, managing (202) a transaction protocol between participants to at least one of the virtual circuits includes, for a query that originated at a first participant, an intermediary participant propagating (402A) the query to at least one other participant who is associated with the intermediary participant.

In addition, according to an aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention, managing (202) a transaction protocol between participants to at least one of the virtual circuits includes, for a query that originated at a first participant, using a central data-communications emulation repository to bypass an intermediary participant while simultaneously propagating (402B) the query to at least one other participant who is associated with the intermediary participant.

Again, according to another new aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention, maintaining (203) substantial response-for-response parity for querying within at least one predetermined class of respectively maintained proprietary data includes defining (503) at least one discrete or fuzzy data category.

Now, according to a further aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention, maintaining (203) substantial response-for-response parity for querying within at least one predetermined class of respectively maintained proprietary data includes, to a trusted external participant, at least one participant of a pair of mutually transacting participants reporting (504) a parity-metric of transaction weight or volume for transactions between the pair.

According to still a further new aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention, maintaining (203) substantial response-for-response parity for querying within at least one predetermined class of respectively maintained proprietary data includes a trusted external participant finding (505) a set of known intermediary participants that are common to a plurality of two-or-more mutually transacting participants.

In addition, according to an additional further aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention, managing (202) a transaction protocol between participants to at least one of the virtual circuits includes docketing (406) the transaction using a transaction-type specific continuation of transaction-events schedule and, thereafter according to the docketing, sending (407) alerts or alarms or reports, to at least one party to the transaction, according to predetermined messaging recipients specified substantially at the time of docketing or to subsequently designated proxy recipients specified thereafter. Likewise, according to a new aspect of the Virtual Quality-of-Privacy Assurance Protocol method of the present invention, managing (202) a transaction protocol between participants to at least one of the virtual circuits includes, automatically propagating (408) a query to a predetermined tier of participant association.

The present invention also relates to A quality-of-privacy sensitive communication system; schematically illustrated in figure 6. The system (600) includes: a) an ensemble of virtual circuits (601) located within a data-communications media's infrastructure (602); b) first software (603A-603E) substantially resident at each data-communications terminal interface of a plurality of participants with the media's infrastructure, wherein the software conforms any elected transaction a predetermined class of transactions into a predetermined Virtual Quality-of-Privacy Assurance protocol (such as is illustrated in figure 2) between the respective participants and an at least one of the virtual circuit of the ensemble; and c) linked to the first software, second software (604) wherein for any pair of mutually transacting participants over any virtual circuit of the ensemble of virtual circuits, the second software maintains substantial response-for-response parity for query-type transactions within at least one predetermined class of respectively maintained proprietary data.

According to an aspect of the quality-of-privacy sensitive communication system of the present invention, the second software (604A-604C) is resident proximate to the first software.

According to another aspect of the quality-of-privacy sensitive communication system of the present invention the second software is resident in at least one server (605) of the data- communications media's infrastructure.

According to a further aspect of the quality-of-privacy sensitive communication system of the present invention, the second software (604E) is resident in at least one base station (606 A, 606B) of a wireless interface to the data-communications media's infrastructure.

According to another new aspect of the quality-of-privacy sensitive communication system of the present invention, the second software is resident in at least one base station of a wireless interface (604D) to a participant's data-communications terminal interface. The present invention furthermore relates to A quality-of-privacy sensitive communication system; A Virtual Quality-of-Privacy Assurance Protocol currency economy, illustrated in figure 7. The economy (700) of the present invention includes: a) a virtual currency (701) linked to substantially each two participant transaction of a predetermined Virtual Quality-of-Privacy Assurance Protocol (702), such as is illustrated in figure 2; b) at least one virtual banking institution (703) for managing accounts containing the virtual currency; c) at least one external auditing agent (703 A, 703B) automated to preserve the currency's integrity for a preponderance of the participants and for substantially all of the institutions; and d) at least one central banking authority (704) for administering exchange rates between the virtual currency and either nation-state recognized currencies or electronic-commerce facilitating information- value quantum.

The preferred embodiment of the Virtual Quality-of-Privacy Assurance Protocol currency economy furthermore includes at least one electronic-commerce facilitating information-value virtual-quantum (705) debit or credit selected from the list: a Virtual Quality-of-Privacy Assurance Protocol compatible currency, a Virtual Quality-of-Privacy Assurance Protocol compatible coupon, a Virtual Quality-of-Privacy Assurance Protocol compatible check, a Virtual Quality-of-Privacy Assurance Protocol compatible bond, a Virtual Quality-of-Privacy Assurance Protocol compatible stock, a Virtual Quality-of-Privacy Assurance Protocol compatible promissory note, a Virtual Quality-of-Privacy Assurance Protocol compatible receipt, a Virtual Quality-of-Privacy Assurance Protocol compatible certificate, or the like.

The present invention substantially furthermore relates to A Virtual Quality-of- Privacy Assurance Protocol software Plug-in (710) for transferring, from a source in a data- communications media's infrastructure to a participant to a quality of privacy sensitive communications system (such as is illustrated in figure 6), at least one operational thread or kernel of first software substantially resident at a data-communications terminal interface of a participants with the media's infrastructure, wherein the software conforms any elected transaction a predetermined class of transactions into a predetermined Virtual Quality-of- Privacy Assurance protocol between the participant and an at least one virtual circuit of the infrastructure.

The present invention also substantially relates to A Virtual Quality-of-Privacy Assurance Protocol software Browser (720) for transferring queries or respective responses, between on a far side either a source in a data-communications media's infrastructure or at least one designated participant associated there with and on a near side a participant to a quality of privacy sensitive communications system (such as is illustrated in figure 6), at least one operational thread or kernel of first software substantially resident at a data-communications terminal interface of a participants with the media's infrastructure, wherein the software conforms any elected transaction a predetermined class of transactions into a predetermined Virtual Quality-of-Privacy Assurance protocol between the participant and an at least one virtual circuit of the infrastructure.

Furthermore, the present invention relates to A trusted agency for use with a Virtual Quality-of-Privacy Assurance Protocol wherein the trusted agency includes software (730) for use by at least one external auditing agent automated to preserve integrity of currency in a Virtual Quality-of-Privacy Assurance Protocol currency economy (such as is illustrated in figure 7), and the software is resident in a data-communications media's infrastructure having a quality-of-privacy sensitive communication system (such as is illustrated in figure 6) associated therewith.

Also, the present invention relates to an article of manufacture (740) including a computer usable medium having computer readable program code embodied therein for use with A Virtual Quality-of-Privacy Assurance Protocol, the computer readable program code in the article of manufacture including: computer readable program code for causing a computer to form at least one virtual circuits of an ensemble of virtual circuits, and a preponderance of the virtual circuits are within a data-communications media's infrastructure.

According to an aspect (750) of the immediately above mentioned article of manufacture of the present invention the computer usable medium, having computer readable program code embodied therein for use with A Virtual Quality-of-Privacy Assurance Protocol, is integral to a private base station that manages wireless communications with on one side at least one personal communications device and on the other side a data-communications media's infrastructure which has associated therewith - at least one other private base station or at least one public-service-provider base station or at least one data-communications conduit to a wide area network or at least one data-communications conduit to a local area network or at least one data-communications conduit to a public-service-provider telephone network.

Additionally, the present invention also relates to An article of manufacture (760) including a computer usable medium having computer readable program code embodied therein for use with A Virtual Quality-of-Privacy Assurance Protocol, the computer readable program code in the article of manufacture including: computer readable program code for causing a computer to manage a transaction protocol between at least two participants associated with a data-communications transmission over at least one of the virtual circuit of an ensemble of virtual circuits, and a preponderance of the virtual circuits are within a data-communications media's infrastructure.

The present invention likewise relates to An article of manufacture (770) including a computer usable medium having computer readable program code embodied therein for use with A Virtual Quality-of-Privacy Assurance Protocol, the computer readable program code in the article of manufacture including: computer readable program code for causing a computer to maintain substantial response-for-response parity, for querying within at least one predetermined class of respectively maintained proprietary data, for at least one pair of mutually transacting participants over at least one virtual circuit of the ensemble of virtual circuits, and a preponderance of the ensemble of virtual circuits are within a data- communications media's infrastructure.

Furthermore, the present invention also relates to A program storage device (780) readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for A Virtual Quality-of-Privacy Assurance Protocol, the method steps including: a) forming an ensemble of virtual circuits within a data-communications media's infrastructure; b) managing a transaction protocol between participants to at least one of the virtual circuits; and c) for any pair of mutually transacting participants over any virtual circuit of the ensemble of virtual circuits, maintaining substantial response-for-response parity for querying within at least one predetermined class of respectively maintained proprietary data.

Collectively, the detailed description of the preferred embodiment relates to virtual quality-of-privacy assurance in the context of global media convergence. Nevertheless, each facet of the preferred embodiment is, in and of itself, a top-down specification for at least one implementation, such as those that are referred to in the General Description of the Invention section.

Claims

1. A Virtual Quality-of-Privacy Assurance Protocol method, the method including the steps of: a) forming an ensemble of virtual circuits within a data-communications media's infrastructure; b) managing a transaction protocol between participants to at least one of the virtual circuits; and c) for any pair of mutually transacting participants over any virtual circuit of the ensemble of virtual circuits, maintaining substantial response-for-response parity for querying within at least one predetermined class of respectively maintained proprietary data.

2. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 1 wherein forming an ensemble of virtual circuits within a data-communications media's infrastructure includes: a) substantially each participant of a plurality of participants agreeing with at least one other participant of the plurality of participants to the establishment of a mutual virtual circuit data-communications conduit facility in the infrastructure; b) accessing or establishing of at least one mutual virtual circuit data-communications conduit facility in the infrastructure; and c) each of the agreeing participants respectively adding a tuple to a private databank of mutually agreeing participants, wherein the tuple provides a record of predetermined communications enabling particulars of the at least one other participant and of accessing a mutual virtual circuit of the at least one mutual virtual circuit data-communications conduit facility.

3. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 2 wherein agreeing includes negotiating via a mutually trusted participant.

4. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 1 wherein forming an ensemble of virtual circuits within a data-communications media's infrastructure includes specifying a terrestrial network or subset thereof as the data-communications media's infrastructure.

5. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 1 wherein forming an ensemble of virtual circuits within a data-communications media's infrastructure includes specifying a a predetermined Internet or a subset thereof as the data-communications media's infrastructure.

6. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 1 wherein forming an ensemble of virtual circuits within a data-communications media's infrastructure includes specifying at least one wireless data-communications service provider or a subset thereof as the data-communications media's infrastructure.

7. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 1 wherein forming an ensemble of virtual circuits within a data-communications media's infrastructure includes specifying at least one intermediary base station or a subset thereof as requisite to the data-communications media's infrastructure.

8. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 1 wherein forming an ensemble of virtual circuits within a data-communications media's infrastructure includes specifying at least one transmission frequency and at least one reception frequency as requisite to the data-communications media's infrastructure.

9. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 1 wherein forming an ensemble of virtual circuits within a data-communications media's infrastructure includes specifying at least one encryption standard as requisite to the data-communications media's infrastructure.

10. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 1 wherein forming an ensemble of virtual circuits within a data-communications media's infrastructure includes specifying a terrestrial telephone end user identification as requisite to the data-communications media's infrastructure.

11. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 1 wherein forming an ensemble of virtual circuits within a data-communications media's infrastructure includes verifying a referral from one participant to another participant of a third participant.

12. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 1 wherein managing a transaction protocol between participants to at least one of the virtual circuits includes using an extranet.

13. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 1 wherein managing a transaction protocol between participants to at least one of the virtual circuits includes, for a query that originated at a first participant, an intermediary participant propagating the query to at least one other participant who is associated with the intermediary participant.

14. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 1 wherein managing a transaction protocol between participants to at least one of the virtual circuits includes, for a query that originated at a first participant, using a central data- communications emulation repository to bypass an intermediary participant while simultaneously propagating the query to at least one other participant who is associated with the intermediary participant.

15. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 1 wherein maintaining substantial response-for-response parity for querying within at least one predetermined class of respectively maintained proprietary data includes defining at least one discrete or fuzzy data category.

16. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 1 wherein maintaining substantial response-for-response parity for querying within at least one predetermined class of respectively maintained proprietary data includes, to a trusted external participant, at least one participant of a pair of mutually transacting participants reporting a parity-metric of transaction weight or volume for transactions between the pair.

17. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 1 wherein maintaining substantial response-for-response parity for querying within at least one predetermined class of respectively maintained proprietary data includes a trusted external participant finding a set of known intermediary participants that are common to a plurality of two-or-more mutually transacting participants.

18. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 1 wherein managing a transaction protocol between participants to at least one of the virtual circuits includes docketing the transaction using a transaction-type specific continuation of transaction-events schedule and, thereafter according to the docketing, sending alerts or alarms or reports, to at least one party to the transaction, according to predetermined messaging recipients specified substantially at the time of docketing or to subsequently designated proxy recipients specified thereafter.

19. The Virtual Quality-of-Privacy Assurance Protocol method according to claim 1 wherein managing a transaction protocol between participants to at least one of the virtual circuits includes, automatically propagating a query to a predetermined tier of participant association.

20. A quality-of-privacy sensitive communication system including a) an ensemble of virtual circuits located within a data-communications media's infrastructure; b) first software substantially resident at each data-communications terminal interface of a plurality of participants with the media's infrastructure, wherein the software conforms any elected transaction a predetermined class of transactions into a predetermined Virtual Quality-of-Privacy Assurance protocol, according to claim 1, between the respective participants and an at least one of the virtual circuit of the ensemble; and c) linked to the first software, second software wherein for any pair of mutually transacting participants over any virtual circuit of the ensemble of virtual circuits, the second software maintains substantial response-for-response parity for query-type transactions within at least one predetermined class of respectively maintained proprietary data.

21. The quality-of-privacy sensitive communication system according to claim 20 wherein the second software is resident proximate to the first software.

22. The quality-of-privacy sensitive communication system according to claim 20 wherein the second software is resident in at least one server of the data- communications media's infrastructure. The quality-of-privacy sensitive communication system according to claim 20 wherein the second software is resident in at least one base station of a wireless interface to the data-communications media's infrastructure.

The quality-of-privacy sensitive communication system according to claim 20 wherein the second software is resident in at least one base station of a wireless interface to a participant's data-communications terminal interface.

An Virtual Quality-of-Privacy Assurance Protocol currency economy including a) a virtual currency linked to substantially each two participant transaction of a predetermined Virtual Quality-of-Privacy Assurance Protocol, according to claim 1 ; b) at least one virtual banking institution for managing accounts containing the virtual currency; c) at least one external auditing agent automated to preserve the currency's integrity for a preponderance of the participants and for substantially all of the institutions; and d) at least one central banking authority for administering exchange rates between the virtual currency and either nation-state recognized currencies or electronic-commerce facilitating information-value quantum.

The Virtual Quality-of-Privacy Assurance Protocol currency economy according to claim 25 further including at least one electronic-commerce facilitating information- value virtual-quantum debit or credit selected from the list: a Virtual Quality-of-Privacy Assurance Protocol compatible currency, a Virtual Quality-of-Privacy Assurance Protocol compatible coupon, a Virtual Quality-of-Privacy Assurance Protocol compatible check, a Virtual Quality-of-Privacy Assurance Protocol compatible bond, a Virtual Quality-of-Privacy Assurance Protocol compatible stock, a Virtual Quality-of- Privacy Assurance Protocol compatible promissory note, a Virtual Quality-of-Privacy Assurance Protocol compatible receipt, or a Virtual Quality-of-Privacy Assurance Protocol compatible certificate.

A Virtual Quality-of-Privacy Assurance Protocol software Plug-in for transferring, from a source in a data-communications media's infrastructure to a participant to a quality of privacy sensitive communications system according to claim 20, at least one operational thread or kernel of first software substantially resident at a data- communications terminal interface of a participants with the media's infrastructure, wherein said software conforms any elected transaction a predetermined class of transactions into a predetermined Virtual Quality-of-Privacy Assurance protocol between the participant and an at least one virtual circuit of the infrastructure.

A Virtual Quality-of-Privacy Assurance Protocol software Browser for transferring queries or respective responses, between on a far side either a source in a data- communications media's infrastructure or at least one designated participant associated there with and on a near side a participant to a quality of privacy sensitive communications system according to claim 20, at least one operational thread or kernel of first software substantially resident at a data-communications terminal interface of a participants with the media's infrastructure, wherein said software conforms any elected transaction a predetermined class of transactions into a predetermined Virtual Quality-of-Privacy Assurance protocol between the participant and an at least one virtual circuit of the infrastructure.

A trusted agency for use with a Virtual Quality-of-Privacy Assurance Protocol wherein said trusted agency includes software for use by at least one external auditing agent automated to preserve integrity of currency in a Virtual Quality-of-Privacy Assurance Protocol currency economy according to claim 25, and the software is resident in a data-communications media's infrastructure having a quality-of-privacy sensitive communication system according to claim 20 associated therewith.

An article of manufacture including a computer usable medium having computer readable program code embodied therein for use with A Virtual Quality-of-Privacy Assurance Protocol, the computer readable program code in said article of manufacture including: computer readable program code for causing a computer to form at least one virtual circuits of an ensemble of virtual circuits, and a preponderance of the virtual circuits are within a data-communications media's infrastructure.

The article of manufacture according to claim 30 wherein the computer usable medium, having computer readable program code embodied therein for use with A Virtual Quality-of-Privacy Assurance Protocol, is integral to a private base station that manages wireless communications with on one side at least one personal communications device and on the other side a data-communications media's infrastructure which has associated therewith - at least one other private base station or at least one public-service-provider base station or at least one data-communications conduit to a wide area network or at least one data-communications conduit to a local area network or at least one data-communications conduit to a public-service-provider telephone network.

32. An article of manufacture including a computer usable medium having computer readable program code embodied therein for use with A Virtual Quality-of-Privacy Assurance Protocol, the computer readable program code in said article of manufacture including: computer readable program code for causing a computer to manage a transaction protocol between at least two participants associated with a data- communications transmission over at least one of the virtual circuit of an ensemble of virtual circuits, and a preponderance of the virtual circuits are within a data- communications media's infrastructure.

33. An article of manufacture including a computer usable medium having computer readable program code embodied therein for use with A Virtual Quality-of-Privacy Assurance Protocol, the computer readable program code in said article of manufacture including: computer readable program code for causing a computer to maintain substantial response-for-response parity, for querying within at least one predetermined class of respectively maintained proprietary data, for at least one pair of mutually transacting participants over at least one virtual circuit of the ensemble of virtual circuits, and a preponderance of the ensemble of virtual circuits are within a data- communications media's infrastructure.

34. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for A Virtual Quality-of- Privacy Assurance Protocol, said method steps including: a) forming an ensemble of virtual circuits within a data-communications media's infrastructure; b) managing a transaction protocol between participants to at least one of the virtual circuits; and c) for any pair of mutually transacting participants over any virtual circuit of the ensemble of virtual circuits, maintaining substantial response-for-response parity for querying within at least one predetermined class of respectively maintained proprietary data.