H04L63/0414

System for improving data security

A system allows a user to store his personally identifiable information (PII) on a personal device. When a third party wants to access the user's PII (e.g., to update the PII or to retrieve the PII), a notification will be presented to the user on the personal device seeking consent to the access. The notification may inform the user as to what information is being requested and which entity is requesting the access. The requested access will be denied unless the user consents to the access. In this manner, the user is given control over the dissemination of his PII. Additionally, the system alters or adjusts the PII that is stored in third-party servers so that even if these servers are breached, the user's actual PII is not exposed.

Rotating internet protocol addresses in a virtual private network
11652799 · 2023-05-16

A method including receiving, at a first VPN server during an established VPN connection, a first data request and a second data request from a user device; transmitting, by the first VPN server during the established VPN connection, the first data request and the second data request to a second VPN server; and receiving, by the first VPN server from the second VPN server during the established VPN connection, first data associated with the first data request and second data associated with the second data request, the first data being retrieved by the second VPN server using a first exit IP address associated with the second VPN server and the second data being retrieved by the second VPN server using a second exit IP address associated with the second VPN server, the second exit IP address being different from the first exit IP address. Various other aspects are contemplated.

Methods for security and privacy-enforced affinity scoring and devices thereof
11652835 · 2023-05-16

This technology maintains de-identified visit data to a plurality of websites from assigned user identifiers (UIDs) corresponding to a plurality of clients. The assigned UIDs include a different assigned UID for each client-website pair, the de-identified visit data associating the assigned UIDs to a plurality of groups. A first group from the groups is determined based on first request data corresponding to a first request from a client to a web server system. First group visit data describing visits to a set of the websites by assigned UIDs belonging to the first group is obtained from the de-identified visit data. Affinity data, comprising at least one affinity score for at least one of the websites, is generated based on the first group visit data. Generation of affiliate content based on the affinity data is caused, where the affiliate content corresponds to the at least one of the websites.

POLICY BASED PERSONALLY IDENTIFIABLE INFORMATION LEAKAGE PREVENTION IN CLOUD NATIVE ENVIRONMENTS
20230208817 · 2023-06-29

A system performs a method including: generating a posture of a first microservice in a microservice based network environment; implementing the posture of the first microservice at a sidecar of the first microservice; distributing the posture of the first microservice to a sidecar of a second microservice in the microservice based network environment; implementing the posture of the first microservice at the sidecar of the second microservice; and controlling communication of personally identifiable information between the first microservice and the second microservice based on the posture of the first microservice through either or both the sidecar of the first microservice and the sidecar of the second microservice. The posture of the first microservice includes an identification of one or more types of personally identifiable information that the first microservice is authorized to distribute and one or more types of personally identifiable information that the first microservice is authorized to receive.

Bluetooth low energy hostless private address resolution
09853969 · 2017-12-26

Conventional Bluetooth low energy (or like personal wireless network) controllers cannot resolve private addresses without some calculation from a host processor, but leaving the host processor on or awaking it from a sleep each time a non-trusted device attempts to connect wastes power. Hostless private address resolution allows a host controller to enter a sleep state while the Bluetooth controller advertises its device name and primary services, rejects connection requests from non-trusted devices with public and private addresses, and awakens the host controller upon a connection request from a trusted client device with a public or private address. Not only does this approach reduce power consumption by allowing the host processor to remain in the sleep state, it simultaneously ensures security by allowing the private address resolution to remain active on the Bluetooth controller.

SEALED NETWORK SERVERS
20170366406 · 2017-12-21

Embodiments are provided for sealed network servers. A sealed network does not require administrators and may run on hardware and software that has been stripped of privileged capabilities. In one embodiment, a server is added using a root. A root is the first instance of a sealed network. All roots verify that the server identifier is unique, and if so, then a node generates the server using an obfuscator. Any obfuscator may be used. In one embodiment, an application is added to a server in a sealed network. In one embodiment, a method of finding a public application in a sealed network is described.

Authentication Via Group Signatures
20170366358 · 2017-12-21

Methods and systems are provided for authenticating a message μ, at a user computer of a group signature scheme, to a verifier computer. The method includes, at the user computer, storing a user id m for the user computer and a user signing key which comprises a signature on the user id m under a secret key of a selectively-secure signature scheme. The user id m is an element of a predetermined subring, isomorphic to custom-character_q[x]/(g(x)), of a ring R=custom-character_q[x]/(f(x)), where f(x) and g(x) are polynomials of degree deg(f) and deg(g) respectively such that deg(f)>deg(g)>1. The method includes, at the user computer, generating a first cryptographic proof Π_1 comprising a zero-knowledge proof of knowledge of the user signing key and including the message μ in this proof of knowledge. The user computer sends the message μ and a group signature, comprising the first proof Π_1, to the verifier computer.

MULTI-DIRECTIONAL ZERO-KNOWLEDGE ATTESTATION SYSTEMS AND METHODS
20230198765 · 2023-06-22

Certain examples described herein relate to zero knowledge attestation systems and methods. In one example method, a computing entity obtains query data over at least one network from a messaging service. A query defined by the query data is matched against private data for the computing entity. A use-limited private-public key pair is obtained for the query and an identifier is generated for the computing entity using the public key. A query result package is then generated based on a match for the query. The query result package includes the generated identifier and acts as a zero knowledge attestation. The computing entity obtains content associated with the query that is addressed to the identifier and uses the private key of the private-public key pair to authenticate communications that relate to the query.

USING ENTITY NAME MAPPING FOR ROUTING NETWORK TRAFFIC HAVING ENCRYPTED SERVER NAME IDENTIFICATION (SNI) HEADERS

Techniques are described herein that are capable of using entity name mapping for routing network traffic having encrypted SNI headers. A name resolution request that specifies an entity name is intercepted. Translation of the entity name to a representation of an IP address associated with the entity name is caused. A mapping that cross-references the representation of the IP address to the entity name is stored. A data transfer request that requests establishment of a connection to a destination corresponding to the representation of the IP address is intercepted. The data transfer request includes an encrypted SNI header and a payload. Establishment of the connection to the destination is initiated by providing the encrypted SNI header, the payload, and metadata toward the destination. The metadata includes the entity name based on the mapping.

Methods and Systems for Data Anonymization at a Proxy Server
20170359313 · 2017-12-14

Methods and systems for anonymizing data are disclosed. A proxy server receives a request directed to a web server coupled to the proxy server from a user device. The request includes one or more items of personally identifiable information (PII) associated with a user account. The proxy server assigns one or more tokens to the one or more items of PII. The proxy server processes the request, replacing the one or more items of PII in the request with one or more anonymized strings. The one or more anonymized strings include the one or more tokens. The proxy server stores the one or more items of PII in association with the one or more tokens in a database for the proxy server. The proxy server forwards the processed request including the one or more anonymized strings to the web server.