Method for protecting confidential data sent out with an electronic message
The invention relates to a method for protecting confidential data which are sent in or with an electronic short message from a first telecommunication device to a second telecommunication device. In addition, the invention relates to program means for carrying out the method that are stored and are executable on each of the first and the second telecommunication device.
It is known to generate electronic messages such as, for example, e-mails, multimedia messages (MMS, multimedia messaging service) or short messages (SMS, short message service) on data-processing stationary and mobile telecommunication devices, particularly terminals for telecommunication, and to send these to one or more further terminals for telecommunication. Apart from less confidential text contents, these messages can also contain other personal or sensitive data contents which are either incorporated directly in the message itself or are appended to this message as so-called attachment. These can be, for example, personal documents which are generated by a text processing program, personal digital photos which have been recorded with a digital camera integrated in the mobile terminal, self-generated multimedia contents, for example personal ringtone compositions, videos etc., address data or also calendar data.
Such messages can be generated within an application, for example an e-mail application and sent from a mobile or stationary terminal to a second mobile or stationary terminal via a telecommunication network, for example a fixed line network or a mobile radio network.  Generally, the contents of such messages are not protected, i.e. neither encrypted nor provided with access conditions which restrict the utilization of the data contents. Consequently, the author of a message loses control of its further utilization or distribution as soon as the message has left his terminal device.
It is known to provide messages with copy or forward protection. This copy or forward protection prevents the forwarding of a received message to third parties so that utilization of the data sent with a message is restricted. However, since the message is still stored on the second terminal device which originally received the message, any third party can still take notice of the confidential data on this terminal device. An absolute confidentiality protection is therefore not achieved by means of such copy or retransmission protection.
In the prior art, furthermore, it is known to grant the right of access to messages and their contents only to individual persons as is implemented, for example, by means of the Pretty Good Privacy (PGP) application and an asymmetric encryption method which requires administrative expenditure for the protected distribution of so-called public keys. Such an administrative expenditure including the distribution of keys cannot be expected from a terminal user, especially for sending out electronic short messages from a mobile telephone.
Furthermore, there are "digital rights management (DRM)" mechanisms which define the access conditions of messages and their contents, respectively, and can ensure that these are met so that, for example, a forwarding of a file can be prevented by means of DRM. Digital Rights Management mechanisms control the access to digital media and are used especially in the distribution of film or sound recordings, software, electronic books or documents. To control the access to digital contents, cryptographic methods are used. In this context, the contents are unambiguously tied to a license by means of encryption. Without the valid license belonging to the digital content, a user cannot obtain access to the corresponding content.
Because the receiver of an electronic message must hold a corresponding access license, i.e. a corresponding authorization to access the message, this form of access restriction cannot, for practical reasons, be transferred either to messages which are transmitted in large numbers from one telecommunication terminal device to another. In particular, these mechanisms are not suitable for electronic short messages (SMS) sent out from mobile telephones.
It is the object of the invention, therefore, to provide a method for protecting confidential data to be sent out with an electronic short message, which can be implemented without great technical expenditure and provides the users involved with the confidentiality protection of the data without unreasonable additional expenditure.
This object is achieved by the method as claimed in the features of claim 1 and by the program means having the features of claims 14 and 15. Advantageous developments of the invention are formulated in the respective subclaims.
According to the invention, a method for protecting confidential data is proposed which are sent in or with an electronic short message from a first telecommunication device to a second telecommunication device, wherein before the message is sent out, at least one attribute is appended and/or one attribute value is assigned to the message and sent together with the message to the second telecommunication device, the second telecommunication device restricting the utilization of the data to a singular access in dependence on the attribute and/or attribute value.
It is the basic idea of the present invention that confidential messages are made available, i.e. represented or reproduced, to the addressee or to the receiving and processing application only a single time, and that after this singular utilization they are automatically, and without further user interaction, no longer available for any further utilization. This is achieved especially by the fact that a user, before sending out the messages he has generated, has the possibility of providing these with an attribute or an attribute value which ensures that the message is deleted, blocked or made unusable automatically and irrevocably after the message has been used by the receiver or the receiving application for the first time, so that the message itself, or the confidential information contained in the message, is no longer available after this singular access.
The method according to the invention is applicable to any messages, especially electronic short messages such as SMS or MMS which are sent from a first stationary or mobile telecommunication device, particularly a terminal device, to a second stationary or mobile telecommunication device. The first telecommunication device can be, for example, a fixed line network telephone, a mobile telephone or a computer. The second telecommunication device can be formed, for example, by a fixed line network telephone, a mobile telephone, a computer or also by a server in which a message is provided for downloading to a terminal.
An attribute is a feature which is represented in the form of a parameter that is attachable to the message to be sent out, wherein the parameter can be set to a corresponding value. In principle, it may be sufficient that the mere existence of an attribute according to the invention (in the following also called confidentiality attribute) causes the second telecommunication device to restrict the utilization of the message. However, it is also possible that each message sent by the first telecommunication device has a confidentiality attribute and the second telecommunication device restricts the utilization of the message only if the confidentiality attribute has a certain value which identifies the confidentiality of the message.
The confidential data can be, for example, text information such as address or calendar information which is contained directly in the body of the message. In this case, the attribute and/or the attribute value can be allocated directly to the electronic message. This enables the message in its entirety to be restricted to a singular access with regard to its utilization.
As an alternative or in combination, it can also be provided that not only an entire message can be equipped with a confidentiality attribute according to the invention or a corresponding attribute value, but that attachments can also be added to this message and these attachments, as far as desired, can likewise be equipped with a corresponding confidentiality attribute or a corresponding attribute value. Such attachments can be, for example, personal documents, digital photos or multimedia contents which are appended as a separate file to the message to be sent out. The attribute or the attribute value, or a further attribute or a further attribute value, is then allocated to this appended file. This enables the received message as such to be accessed several times, while the file or files containing the confidential data can only be displayed and/or reproduced once.
According to the invention, the existence of the attribute and/or the value of the attribute is checked after the message has been received on the second telecommunication device, wherein the utilization of the data is restricted to a singular access if the attribute exists and/or the attribute has a certain value. This ensures that received messages which do not have a corresponding confidentiality attribute, or which have an attribute whose value does not specify confidentiality, can be treated and processed without being restricted in access.
The type of access restriction can be a singular reproduction, i.e. a graphical display or replaying of the confidential data.
According to the invention, the data and/or the entire message can be deleted automatically after the first access, so that it is ensured that no further access to the confidential data is possible. This could be done, for example, by overwriting the electronic short message, in particular by overwriting its textual content with letters like 'A1', 'content deleted' or the like. As an alternative, the data and/or the message can be made unusable so that no new direct access to the data is possible. In this case, the existence of the message can still be displayed on the second telecommunication device, but it cannot be selected for reproduction or display of its content. In a further alternative variant of the embodiment, the message and/or the data can also be blocked so that a new access is only possible by naming a special code word. This code word can preferably be set exclusively by the sender of the message.
As an alternative or in combination with the deleting, making unusable or inhibiting of the confidential data or the whole message, the confidentiality protection attribute can also prevent the storage, the printing and/or the forwarding of the data and/or of the message. This ensures that no other receiver than the one determined by the first terminal can get notice of the content of the message.
In an advantageous development of the method according to the invention, a separate attribute can be appended to the message for each restriction of use. Consequently, the message can comprise attributes each of which either prohibits the singular access, or the storage, or the printing or the forwarding. As an alternative, a single attribute can be appended to the message, the attribute value of which predetermines the type of access restriction. Thus, for example, an attribute value can express that only a singular access to the message is possible and any storage, printing and/or forwarding of the message is prohibited. A further attribute value could specify, for example, that only a singular access to the data is possible, the storage and forwarding of the message is prohibited but the printing of the message is allowed at least once. In this sense, further attribute values can be used which restrict or allow the individual uses in their combination.
It is also of advantage if the attribute or attributes are only appended to the message to be sent out or the attribute value or values are only assigned to the message to be sent out, and no attribute or no attribute value restricting the access is allocated to a copy of the message to be stored on the first telecommunication device. This ensures that, although the access to the message or the data is restricted at the receiver, the sender can access the message at any time.
According to the invention, a user identifier can be requested by the second telecommunication device and data access can only be permitted if the user identifier received at the second telecommunication device is identical to a predetermined receiver identifier. This ensures that only the person who has permission to access the confidential data, i.e. who has the correct user identifier, can retrieve these data from the message. The user identifier can be input into the second telecommunication device by its user, for instance by typing. It is then compared with the receiver identifier. Only if the user identifier is identical to the receiver identifier is access to the confidential data granted.
The receiver identifier can be an alphanumeric code word, a number, a name or the like. It could have been agreed between the sending and the receiving user. This ensures that no one but the person who has received the correct identifier from the sending user is able to get access to the confidential data.
In order that the second telecommunication device is able to compare the user identifier with the predetermined receiver identifier, the receiver identifier can be allocated to the message at the first telecommunication device and sent together with the message to the second telecommunication device.
In addition, the invention relates to a program means that is stored and is executable on the first telecommunication device, for protecting confidential data which can be sent out in or with an electronic short message, the program means being set up for appending at least one attribute and/or assigning an attribute value to the message before it is sent out, and sending it together with the message to the second telecommunication device. The program means can be an application for generating electronic short messages like SMS or MMS on the first telecommunication device.
Correspondingly, a program means that is stored and is executable on the second telecommunication device is proposed which is provided for processing electronic short messages like SMS or MMS, this program means being set up for checking whether an attribute is appended to a message or a corresponding attribute value is assigned to this attribute, and this program means restricting the utilization of the data in dependence on the attribute and/or of the attribute value.
Preferably, the program means stored on the second telecommunication device can automatically delete, in particular overwrite, the data after a singular access when the attribute exists and/or the attribute has a predetermined value. Furthermore, it can be set up to request a user identifier and to permit data access only if an identifier received at the second telecommunication device is identical to a predetermined receiver identifier. Additionally, the program means can provide an information item about the restricted usability when the attribute exists and/or the attribute has a certain value.
In the text which follows, the individual steps of the method according to the invention will be explained by way of example.
The method according to the invention describes an approach which makes it possible that a user, before sending out messages generated by him, has the possibility of providing these messages with an attribute which ensures that the message is destroyed automatically and irrevocably after a singular access by the receiver. As previously mentioned, this attribute can be designated as confidentiality protection attribute.
It is an essential component of the method that the message is provided with the confidentiality attribute before being sent out. This confidentiality protection attribute becomes a component of the message and is transmitted together with this message. The attribute specifies that a runtime environment must only grant a singular access to the useful data to a user or an application, after which these are irrevocably deleted. The access rule for a message which is specified by means of the attribute can be applied and adhered to by a program means running on the second telecommunication device i.e., for example by an application for processing electronic short messages, by a runtime environment or an operating system.
If an application supporting the confidentiality protection attribute processes an electronic short message in which this attribute is set in order to display the message on a graphical display, this application can delete the message automatically after it has been displayed or reproduced according to the access rule. This ensures that this application, or also another application on the second telecommunication device, cannot process the message again since it no longer exists.
If the receiving of messages is implemented within a runtime environment or in an operating system separately from an application for processing and display, the runtime environment or the operating system can adhere to the access rule in such a manner that the message is automatically deleted by the runtime environment or the operating system after having been read out by or transmitted to an application. If this message is requested again by this or another application from the runtime environment or the operating system, it no longer exists. The application requesting the message does not need to support the confidentiality protection attribute in this case. One case of application of this exemplary method is, for example, keeping a confidential message available on a server from which the message can be called up by a terminal. According to the invention, this calling-up is possible only once since the message is deleted after the first call-up. In this case, the calling-up also represents an access to the message.
If the confidential data are contained in individual parts of the message e.g. in files of different formats in the attachment to the message, it is not or not only the entire message which is provided with the confidentiality protection attribute but those or also those parts of the message which contain the confidential data. As a result, it is possible that only the parts of the message which are considered to be confidential by the sender are protected.
Apart from the confidentiality protection attribute, other access rules such as, e.g. the storage, the printing or the retransmission can be specified which are restricted or prevented after an access to the message.
So that the sender is not likewise restricted to a single use of the message he has transmitted, the attribute or attributes for specifying the access rules are not set in the copy of the message which is stored in the sender's terminal after the message has been sent out. It is only the message to be sent out which is given, or the message sent out which contains, the confidentiality protection attribute according to the invention.
According to the invention, an application which supports attributes for specifying access rules provides the user with an information item about the restricted accessibility of a message before the user orders the application to process, i.e. to display or play back, such a message. The checking of a message for the presence of attributes or certain attribute values for access control is not to be considered processing of the message itself by an application, since otherwise the messages provided with a confidentiality protection attribute would have to be deleted after the checking and creation of an overview of all messages in the terminal, before a user could inform himself of the content of the messages.
In the text which follows, two exemplary access variants of the method according to the invention are represented:
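As an added worked example, not part of the patent text, the following Python model implements the sender and receiver program means described above: a single attribute whose value combines the restrictions, per-attachment attributes, the receiver identifier check, an overview that checks attributes without counting as an access, and overwriting of the content after the first reproduction. The flag values, the Part/Message classes and the 'content deleted' overwrite string are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed attribute values: one attribute whose value combines restrictions.
SINGLE_ACCESS, NO_STORE, NO_PRINT, NO_FORWARD = 1, 2, 4, 8
CONFIDENTIAL = SINGLE_ACCESS | NO_STORE | NO_PRINT | NO_FORWARD


@dataclass
class Part:
    """Message body or one appended file, each with its own attribute."""
    name: str
    content: str
    attrs: int = 0            # 0 = no confidentiality attribute present
    consumed: bool = False    # set once the singular access has been used


@dataclass
class Message:
    sender: str
    body: Part
    attachments: List[Part] = field(default_factory=list)
    receiver_id: Optional[str] = None   # agreed code word, hypothetical


def compose(sender, text, attrs=0, attachments=None, receiver_id=None):
    """Sender side: returns (outgoing message, sender's stored copy).
    The stored copy carries no restricting attribute, so the sender keeps access."""
    out = Message(sender, Part("body", text, attrs), list(attachments or []), receiver_id)
    kept = Message(sender, Part("body", text, 0),
                   [Part(a.name, a.content, 0) for a in out.attachments])
    return out, kept


class Inbox:
    """Receiver-side runtime that applies the access rule on first reproduction."""

    def __init__(self):
        self.messages: Dict[int, Message] = {}

    def receive(self, msg):
        mid = len(self.messages) + 1
        self.messages[mid] = msg
        return mid

    def overview(self):
        # Listing inspects the attribute (to inform the user) but is not an access.
        return [(mid, m.sender, m.body.attrs != 0) for mid, m in self.messages.items()]

    def reproduce(self, mid, part="body", user_id=None):
        m = self.messages[mid]
        p = m.body if part == "body" else next(a for a in m.attachments if a.name == part)
        if p.attrs == 0:
            return p.content                      # unrestricted part: any number of accesses
        if m.receiver_id is not None and user_id != m.receiver_id:
            return None                           # wrong identifier: no access, nothing consumed
        if p.consumed:
            return None                           # entry still listed, but no longer selectable
        content = p.content
        if p.attrs & SINGLE_ACCESS:
            p.content = "content deleted"         # overwrite irrevocably after the first access
            p.consumed = True
        return content

    def allowed(self, mid, action):
        flag = {"store": NO_STORE, "print": NO_PRINT, "forward": NO_FORWARD}[action]
        return not (self.messages[mid].body.attrs & flag)
```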
A user sends an electronic short message via a mobile radio network from a first mobile telephone to a second mobile telephone, for example an SMS in a GSM (Global System for Mobile Communications) or UMTS (Universal Mobile Telecommunications System) network, with highly sensitive information to a certain person, but wishes to ensure that this short message is not available to any other person or application after its first use, not even in the case of a rental or theft of the receiving terminal.
A user sends a highly personal photo in a multimedia message (MMS) to a friend but wishes to ensure that the photo cannot be printed out, forwarded or provided to any other application by this person.