1. Patent Search
  2. Details

TRUSTED DEVICE

20210357490 · 2021-11-18

    Inventors

    Cpc classification

    International classification

    Abstract

    A trusted device, such as a wristwatch, is provided with authentication circuitry, used to perform an authentication operation to switch the trusted device into an authenticated state. Retention monitoring circuitry monitors the physical possession of the trusted device by the user following the authentication operation and switches the trusted device out of an authenticated state if the trusted device does not remain in the physical possession of the user. While the trusted device remains in the physical possession of the user, communication triggering circuitry is used to detect a request to establish communication with a target device that is one of a plurality of different target devices and communication circuitry is used to communicate with that target device using an authenticated identity of the user.

    Claims

    1. An apparatus comprising: authentication circuitry to perform an authentication operation between a user and an apparatus to authenticate the apparatus, and thereby switch said apparatus to an authenticated state; retention circuitry to determine a retention probability that said apparatus has a physical relationship with said user; and the apparatus to trigger re-authentication by performing an authentication operation when said apparatus retention probability falls below a threshold retention probability level.

    2. The apparatus as claimed in clam 1, wherein if the re-authentication operation fails or the apparatus no longer has a physical relationship with said user, the apparatus is configured to switch said apparatus to out of the authenticated state; or wherein if the re-authentication operation is successful, the apparatus is configured to increase the retention probability.

    3. The apparatus as claimed in claim 1, wherein the apparatus is in an unlocked state for use by the user when the apparatus is in the authenticated state.

    4. The apparatus as claimed in claim 1 further comprising: communication circuitry to perform authenticated communication with a target device while said apparatus remains in the authenticated state.

    5. The apparatus as claimed in claim 4, wherein the target device is in an unlocked state for use by the user when the apparatus is the authenticated state.

    6. The apparatus as claimed in claim 4, wherein the target device is configured to accept a payment when the apparatus is in the authenticated state.

    7. The apparatus as claimed in claim 1, wherein the apparatus is a wearable device.

    8. The apparatus as claimed in claim 4, wherein the target device is at least one of a point-of-sale terminal, tablet computer, laptop computer, smartphone, and door lock.

    9. An apparatus comprising: authentication circuitry to perform an authentication operation between a user and an apparatus to authenticate the apparatus, and thereby switch said apparatus to an authenticated state; retention circuitry to determine a retention probability that said apparatus has a physical relationship with said user; wherein the apparatus is configured to reduce said retention probability as time elapses since said authentication operation; and the apparatus to trigger re-authentication by performing an authentication operation when said apparatus retention probability falls below a threshold retention probability level.

    10. The apparatus as claimed in claim 9, wherein if the re-authentication operation fails or the apparatus no longer has a physical relationship with said user, the apparatus is configured to switch said apparatus to out of the authenticated state; or wherein if the re-authentication operation is successful, the apparatus is configured to increase the retention probability.

    11. The apparatus as claimed in claim 9, wherein the apparatus is in an unlocked state for use by the user when the apparatus is in the authenticated state.

    12. The apparatus as claimed in claim 9 further comprising: communication circuitry to perform authenticated communication with a target device while said apparatus remains in the authenticated state.

    13. The apparatus as claimed in claim 9, wherein the target device is in an unlocked state for use by the user when the apparatus is the authenticated state.

    14. The apparatus as claimed in claim 9, wherein the target device is configured to accept a payment when the apparatus is in the authenticated state.

    15. An apparatus comprising: authentication circuitry to perform an initial authentication operation between a user and an apparatus to authenticate the apparatus, and thereby switch said apparatus to an authenticated state; wherein the initial authentication operation has an initial authentication threshold resulting in with an initial rate of false positive authentication; retention circuitry to determine a retention probability that said apparatus has a physical relationship with said user; and the apparatus to trigger re-authentication by performing a second authentication operation when said apparatus retention probability falls below a threshold retention probability level; wherein the second authentication operation has a second authentication threshold and wherein the second authentication threshold is lower than the initial authentication threshold.

    16. The apparatus as claimed in claim 15, wherein if the re-authentication operation fails or the apparatus no longer has a physical relationship with said user, the apparatus is configured to switch said apparatus to out of the authenticated state; or where if the re-authentication operation is successful, the apparatus is configured to increase the retention probability.

    17. The apparatus as claimed in claim 15, wherein at least one of the initial authentication threshold and the second authentication threshold is dependent on the retention probability level.

    18. The apparatus as claimed in claim 15, wherein the apparatus is in an unlocked state for use by the user when the apparatus is in the authenticated state.

    19. The apparatus as claimed in claim 15 further comprising: communication circuitry to perform authenticated communication with a target device while said apparatus remains in the authenticated state.

    20. The apparatus as claimed in claim 15, wherein the target device is in an unlocked state for use by the user when the apparatus is the authenticated state.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0054] FIG. 1 schematically illustrates a trusted device in the form of a wristwatch;

    [0055] FIG. 2 schematically illustrates two wristwatches as illustrated in FIG. 1 communicating with each other;

    [0056] FIG. 3 schematically illustrates a wristwatch communicating with a point of sale terminal;

    [0057] FIG. 4 schematically illustrates circuitry within the trusted device;

    [0058] FIG. 5 schematically illustrates data specifying a plurality of authenticated identities;

    [0059] FIG. 6 is a flow diagram schematically illustrating the switching of the trusted device into an authenticated state and the action of retention monitoring circuitry in monitoring the continued physical possession of the trusted device by the user; and

    [0060] FIG. 7 schematically illustrates a variation in retention probability with time.

    DESCRIPTION OF EXAMPLE EMBODIMENTS

    [0061] FIG. 1 schematically illustrates a trusted device 2 in the form of a wristwatch. A wristwatch is a wearable device. Other forms of trusted device could be a necklace, a keyfob for physical keys, etc. The trusted device 2 includes a watch body 4 having a display 6 upon which messages may be displayed. A fingerprint reader 8 is supplied for performing an authentication operation upon a user. A button 10 provides the user with the ability to communicate with the trusted device 2, such as to confirm or reject communication requests, select target devices, input secret data to be held by the trusted device 2, etc. The trusted device 2 includes a strap 12 having a clasp 14. The clasp 14 may be configured such that when the clasp 14 is opened this is recognised by the trusted device 2 and used to switch the trusted device 2 out of the authenticated state. A user wearing the trusted device 2 may authenticate themselves using the fingerprint reader 8 and so switch the trusted device 2 into the authenticated state. Various communication operations with target devices may then be established by the trusted device 2 while it remains within the authenticated state. If the trusted device 2 recognises that the clasp 14 has been opened, then this triggers a switch out of the authenticated state as it is no longer secure to consider that the trusted device 2 has remained in the physical possession (i.e. under the control of) the user who originally authenticated the trusted device 2 using their fingerprint.

    [0062] FIG. 2 schematically illustrates two wristwatches, such as that illustrated in FIG. 1, between which communication is triggered and then performed. One of these wristwatches 16 may be considered as the trusted device and the other of these wristwatches 18 may be considered as the target device. The trusted device 16 may communicate with many different target devices for many different purposes. Both the trusted device 16 and the target device 18 may be offline (i.e. not in communication with any further device) when the communication between the trusted device 16 and the target device 18 takes place. The communication may be, for example, to pass a virtual key from one user to another user, such as to allow the user of the target device 18 to perform an operation or have access to a device that is secured by the electronic key (e.g. password) that they have just received. An example is that the user of the trusted device 16 may give the user of the target device 18 the right to use their car for a given period of time or in perpetuity by an appropriate secure (trusted) communication made between the trusted device 16 and the target device 18.

    [0063] FIG. 3 illustrates an example in which the trusted device 20 is in the form of a wristwatch and the target device 22 is in the form of a point of sale terminal The point of sale terminal 22 is in communication over the internet with the remote server 24 of, for example, a merchant or a bank. The trusted device 20 is in communication with one or more further devices over the internet cloud. The communication between the trusted device 20 and the target device 22 is bidirectional. The point of sale terminal 22 may request payment for an item from a user wearing the trusted device 20. The wearer of the trusted device 20 may confirm a displayed identity of the point of sale 22 and a displayed amount to be charged by, for example, pressing the button 10, whereupon this confirmation is sent back to the point of sale terminal 22 which may then communicate via its internet link with a bank server 24 in order to request payment from the bank account of the user of the trusted device 20. In addition, a confirmation of approval of the transaction by the user wearing the trusted device 20 may be transmitted via a separate channel using the internet cloud to reach the bank server 24 and accordingly indicate that the transaction concerned is authorised. Alternatively, the data sent back from the trusted device 20 to the point of sale terminal 22 may include sufficient encrypted data which when forwarded by the point of sale terminal 22 to the bank server 24 indicates that the user of the trusted device 20 has appropriately authorised the transaction concerned.

    [0064] FIG. 4 schematically illustrates circuitry forming part of the trusted device 2. The circuitry includes authentication circuitry 26 including a plurality of sensors 28, 30 used to recognise a user as part of an authentication operation. Retention monitoring circuitry 32 is provided with a plurality of detectors 34, 36 which are used to monitor the physical possession of the trusted device 2 by the user following the switching of the trusted device 2 into the authenticated state. The terms sensor and detector as used to assist clarity rather than to suggest any particular difference therebetween. Communication triggering circuitry 38 and communication circuitry 40 are connected to an antenna 42 to receive and transmit signals.

    [0065] The communication triggering circuitry 38 receives a request from a target device to establish communication with the trusted device 2. The communication circuitry 40 may then authenticate the target device and may permit communication if the target device passes this authentication step. Thereafter, the communication circuitry 40 communicates with the target device using an authenticated identify of the user while the trusted device 2 remains in the authenticated state.

    [0066] The circuitry illustrated in FIG. 4 includes a central processing unit 44 coupled to a memory 46 which may be used to coordinate and control the acitivies of the authentication circuitry 26, the retention monitoring circuitry 32, the communication triggering circuitry 38 and the communication circuitry 40. The memory 46 may store programs executed by the central processing unit 44, as well as data specifying a plurality of different identities associated with the user. These plurality of different identities may different in the identity information which is associated with each identity and which is communicated with the target device (e.g. a plurality of user ids may be provided). The plurality of identities may also differ in the rights associated with those identities and used during communication with the target device (e.g. what secure rights a particular authenticated identity has granted to it). The memory 46 can serve as identity storage circuitry which stores identity data for use in communicating using the authenticated identity. The identity data may comprise one or more public identity identifiers each having associated secret data (passwords).

    [0067] The detector circuits 34, 36 associated with the retention monitoring circuitry 32 can take a variety of different forms. Examples of these detection circuits include the clasp 14 illustrated in FIG. 1 which is used to hold the trusted device attached to the user when the clasp is in a closed state and which is monitored by the retention monitoring circuitry 32 such that the trusted device is switched out of the authenticated state if the clasp changes out of the closed state, e.g. the clasp is opened such that it is possible to remove the wristwatch from the wrist of the user.

    [0068] Another example of detection circuitry is contact detecting circuitry configured to detect contact between the trusted device and the user using one or more of electrical signals (e.g. ECG, EEG etc) from the user and/or temperature of a contact area between the trusted device and the user. The contact detecting circuitry may monitor the heartbeat of the user and if this signal is lost, then this would indicate that the trusted device is no longer in the physical possession of, and accordingly the control of, the user who originally authenticated that device and switched it to the authenticated state. The temperature of a contact area between the trusted device the user can be monitored to ensure that it remains consistent with the trusted device being worn by the user and the trusted device switched out of the authenticated state if the temperature changes to indicate that the trusted device was no longer being worn by the user.

    [0069] Another form of detection circuitry that may be used is proximity detecting circuitry configured to detect proximity of the trusted device and a proximity device worn by the user. Thus, a user may have a proximity device in the form of, for example, a ring worn on their finger, and the trusted device may monitor the distance between itself and the ring such that if this exceeds a certain threshold, then it indicates that the trusted device (wristwatch) is no longer being worn by the user.

    [0070] Further forms of detection circuits that may be used by the retention monitoring circuitry include a photo-detector which is shielded from the light when the trusted device is in the physical possession of the user, e.g. a photo-detector on the rear face of the watch such that when the watch is worn on the wrist of the user, this photo-detector receives no light. Removal of the watch from the wrist of the user allows the photo-detector to receive light and this indicates that the watch had been removed and accordingly may no longer be in the physical possession of the user who originally authenticated that trusted device.

    [0071] A further form of detection circuitry used by the retention monitoring circuitry is a chemical detector configured to detect a chemical characteristic of the user, e.g. a particular characteristic of the skin chemistry of the user. More generally, a biometric detector may be used to recognise one or more biometric characteristics of the user such that if those biometric characteristics are interrupted, then this indicates that the trusted device is no longer in the physical possession of the user. A motion sensor may be configured to detect motion of the trusted device as the user moves while the trusted device is in the physical possession of the user. Thus, for example, the motion sensor may be used to detect a characteristic gait of the user and if this gait signal is not received, then this would indicate that the trusted device is longer in the physical possession of the original user. Implant detection circuitry could be used to detect proximity of an implant within the user and the trusted device. The implant within a user could be an RFID tag placed under the skin of the user close to the position where they wear their wristwatch. Another example of a circuit that might be used by the retention monitoring circuitry is heat flux detection circuitry having a plurality of temperature sensors and used to detect a heat flux through the trusted device. A worn device will typically have a heat flux through it corresponding to the warmth of the user's body passing through the device and the continuation of this heat flux in an uninterrupted form may be monitored as an indication of the continued retention of the trusted device in the physical possession of the user.

    [0072] Whilst it is possible that the trusted device may comprise a single detector 34, 36 for use in retention monitoring, in some embodiments a plurality of such detection circuits may be provided and the detection results therefrom combined to determine a retention probability that the trusted device is in the physical possession of the user. A retention probability could be determined from a single detector if desired, however combining multiple detection results may increase the reliability with which the continued physical possession of the trusted device by the user may be monitored. There are many ways in which such a plurality of different detection results may be algorithmically combined. The combined result may be give rise to a retention probability and if this retention probability falls below a threshold probability, then this can serve to trigger the trusted device to switch out of the authenticated state. In some embodiments the retention monitoring circuitry 32 may be configured to reduce the retention probability as the time since the last authentication operation (e.g. valid fingerprint recognition operation) increases. Thus, the retention probability would gradually decrease with time since a valid authentication operation such that it would eventually fall below the threshold probability level and switch the trusted device out of the authenticated state even if the retention monitoring circuitry indicates that the trusted device remains within the user's possession. This behaviour can be used to force periodic re-authentication to be performed.

    [0073] In a similar way in which the detector circuits 34, 36 used by the retention monitoring circuitry 32 may take a variety of different forms, it is also possible that the authentication circuitry 26 may comprise one or more different sensors 28, 30 for performing an authentication operation to authenticate the identity of the user having physical possession of the trusted device and thereby switch the trusted device to an authenticated state. The sensors 28, 30 may include biometric recognition circuitry configured to recognise one or more biometric characteristics of the user. Another example is a fingerprint reader 8 which can recognise the fingerprint of the user. Face recognition circuitry is another possibility, such as through a camera in a face of the watch 2, which uses face recognition algorithms to authenticate the identity of the user wearing the watch. Chemical recognition circuitry may be provided to identify characteristic chemical properties of the skin of the user. Further forms of sensor 28, 30 include ECG recognition circuitry configured to recognise the characteristic ECG signal of a particular user, bioimpedance circuitry configured to recognise one or more bioimpedance characteristics of the user, gait recognition circuitry configured to recognise the characteristic gait (motion) of a user and implant recognition circuitry configured to recognise an implant within the user. It will be appreciated that there may be further different possibilities that are used to authenticate a user and switch the trusted device 2 into the authenticated state. These alternative techniques may be used instead of or in combination with those set out above.

    [0074] The action of the authentication circuitry 26 may be combined with that of the retention monitoring circuitry 32. As mentioned above, periodic reauthentication of the trusted device 2 may be required. Reauthentication might also be required if a particularly sensitive communication operation was to be performed, e.g. a transaction authorising the spending of a small amount of money might be authorised automatically based upon the trusted device 2 being in the authenticated state, whereas a transaction authorising a larger sum of money might require reauthentication even if the trusted device was in the authenticated state.

    [0075] It will also be appreciated that in some embodiments authentication circuitry not requiring the user's active attention may simultaneously serve as retention monitoring circuitry.

    [0076] When reauthentication is requested for whatever reason, if the retention monitoring circuitry 32 indicates that the trusted device 2 has remained in the physical possession of the user since the previous authentication operation, then a higher rate of false positives in the reauthentication may be tolerated and accordingly a less precise identification of the individual may be accepted to reauthentic ate the device than would otherwise be the case. In a similar way, reauthentication performed relatively close in time to a previous authentication operation might require a less precise identification of the individual user (i.e. a higher rate of false positives tolerated) than would otherwise be the case. Such features improve usability by permitting easier reauthentication whilst not significantly reducing the security of the system since what is required is effectively a “top up” of the authentication of the trusted device 2 rather than its authentication from a completely untrusted state.

    [0077] The communication triggering circuitry 38 may be configured to trigger communication of the target device in response to a plurality of different stimuli. Examples which trigger communication with the target device may include detection of a distance of less than a threshold distance between the target device and the trusted device. Thus, in the context of FIG. 3, the trusted device 20 may be moved to within a few centimetres of the point of sale terminal 22 to initiate communication, or the trusted device 20 may be “bumped” against the point of sale terminal 22 to initiate the communication. Another form of stimulus which could trigger the communication would be detection of the user touching the target device. Physical touching of the target device may be detected using electrical connection from the trusted device 2 worn on the user's wrist through the skin/body of the user to the target device. This technique of activating communication with touch is advantageously intuitive and uniquely identifies the target device in an environment which may contain multiple target devices within wireless radio communication of the trusted device 2. Further forms of stimuli which may trigger the communication are receipt of a message specifying a target device (e.g. receipt of a remote message from another person or a remote server) and/or the user manually selecting a target device with which communication is to be triggered from a list of target devices.

    [0078] Both the trusted device and/or the target device may be permitted to communicate either in one direction or bi-directionally between each other independently of whether or not they are at that point in time in communication with any further devices, i.e. both the trusted device and the target device are permitted to communicate when they are offline with other devices. Alternatively, communication may only be permitted when the target device or the trusted device itself is online with another device.

    [0079] The Communication may include presentation to the target device of credentials including one or more of: an application-program-interface key, a digital certificate, a user identity, a password and cryptographically signed data. The communication may also involve/trigger the creation of credentials for use in subsequent communications.

    [0080] The communication can involve the transfer of information such as at least one of configuration data, personalisation preferences, network settings, contracts, receipts, computer programs, data logs, transaction records and credentials.

    [0081] Also illustrated in FIG. 4 is a display driver circuit 46 used for driving the display 6 on the trusted device 2. This display 6 may be used to display information from the target device, such as information specifying the identity of the target device with which communication is currently being made, a message indicating a value of a transaction to be authenticated, etc. The central processing unit 44 may display a message to a user on the display 6 indicating that the user must provide some further information in the form of a conformation input before communication with the target device is permitted. Such a confirmation input may be made, for example, using the button 10 to confirm that a particular point of sale terminal 22 or transport system turnstile is permitted to deduct the cost of an item or the cost of a travel ticket from the bank account accessed via or cash funds loaded on the trusted device.

    [0082] The communication circuitry 40 may further include target authentication circuitry serving to authenticate the target device using information received from the target device. Thus, both the target device and the trusted device may authenticate the identity of the other party before communication is performed. This can increase the security of the system.

    [0083] FIG. 5 schematically illustrates identity information associated with a plurality of different identifies of a user. Identity 0 may specify the individual name (or user id) of the user and one or more passwords to be used with different services or devices with which the user may communicate. As an example, the individual user may have a password to use with their bank, with their front door lock, with their laptop computer etc. A second identity may be Identity 1 which indicates that the user is a tenant of a particular building and the secret information associated with that identity is the password of the car park gate for the building where that tenant lives. Thus, the trusted device may be used to securely provide the car park password without giving the car park system too much private information regarding the user since the individual identity of the user is not revealed in the communication, merely that the user is a tenant of the building and that they possess the appropriate car park password. In a similar manner, a further identity may be Identity 2 which is used on a mass transit system and indicates that the user concerned is an adult passenger and that they have a number of travel credits held in the trusted device and from which a travel fare may be deducted as the user having possession of the trusted device 2 in its authenticated state is passing through the transport system turnstile in order to gain access to the transport system. In a similar way to the previous identity, using this identity merely identifying the user as an adult passenger allows a turnstile operator to confirm that an adult passenger is passing through the turn style without giving unnecessary private information identifying the individual identity of that passenger, which is not needed.

    [0084] It will be appreciated that this privacy-preserving feature can also be achieved by regulating the set of identity information presented according to each target device.

    [0085] The credentials/information communicated may be automatically selected using a selection algorithm responsive to detected parameters of the communication (the algorithm may be optionally user configured). The algorithm may produce a suggested credential or information to communicate together with a list of alternatives that the user may manually select if they so wish.

    [0086] FIG. 6 is a flow diagram schematically illustrating the switch of the trusted device 2 into the authenticated state and the monitoring of the continued physical possession of the trusted device by the user. At step 48 an authentication operation is performed. This authentication operation may be, for example, a fingerprint recognition operation. Step 50 determines whether or not the authentication meets a threshold confidence level. If the threshold confidence level is not met, then processing returns to step 48. This threshold confidence level corresponds to a degree of false positives which is tolerated. As previously discussed, this threshold confidence level may vary depending upon the time since the last successful authentication operation or dependent upon the retention probability indicated by the retention monitoring circuitry 32.

    [0087] If the test at step 50 is that the authentication operation performed at step 48 exceeds the threshold confidence level, then step 52 switches the trusted device 2 into the authenticated state. Step 54 reads the retention detectors 34, 36 and step 56 determines a retention probability (by combining detection signals) indicating the likelihood that the trusted device 2 has remained in the continuous physical possession (control of the user) since the successful authentication operation performed at step 48. Step 58 determines whether or not the retention probability falls below a threshold value. If the retention probability does fall below the threshold value, then processing proceeds to step 60 where the trusted device is switched out of the authenticated state and processing is returned to step 48. If the test at step 58 is that the retention probability is above the threshold value, then processing proceeds to step 62 where a determination is made as to whether or not any target devices with which communication is to be triggered have been detected. If no such target devices are detected, then processing returns to step 54 whereby the retention detectors 34, 36 are read again and an update to the retention probability is performed so as to monitor the continued physical possession of the trusted device while it remains within the authenticated state.

    [0088] If the determination at step 62 is that a target device has been detected, then step 64 selects an identity from among a plurality of identities that is to be used in communicating with that target device. This selection could be, for example, by a user selecting from a list displayed on the display 6. Alternatively, the identity to be used may be inferred from the identity of the target device, e.g. a car park gate might only require the identity corresponding to that of an appropriately authorised tenant and the car park password to be used. Step 66 uses the communication circuitry 40 to establish communication with the target device using the identity selected at step 64. Processing then returns to step 54 where continued further retention of the target device is monitored.

    [0089] FIG. 7 is a graph schematically illustrating how calculated retention probability (step 56) may vary with time. Upon the initial authentication of the trusted device into the authenticated state, the retention probability is increased to a high value above the threshold for triggering re-authentication. This retention probability then gradually declines with time since the last authentication. In the period of time between A and B two retention detectors are reporting that the trusted device 2 as remaining in the physical possession of the user. Accordingly, the rate of retention probability decay is low. Between the times B and C, only a single retention detector is properly reporting the continued physical possession of the trusted device 2 by the user and accordingly the rate of decay of the retention probability increases. Between times C and D two retention detectors are again reporting continued retention of the device and accordingly the rate of decay decreases, but nevertheless falls to the threshold for triggering re-authentication at time D. At time D a reauthentication operation is triggered and performed, but a higher rate of false positives is accepted than for the initial authentication which took place before time A. At time E the user loses physical possession of the device, such as may be indicated by no retention detectors reporting physical possession of the device, or by a master detector, such as the watch clasp 14, indicating that the device has been removed.

    [0090] As well as the basic transitive trust model implemented by the trusted device, its use enables very flexible and seamless establishment and use of complex trust relationships. For example: a user gains the trust of their watch (fingerprint, wearing it, etc.), they authenticate to a laptop using a trusted wrist watch, subsequently all the websites the user visits automatically use the credentials in the trusted wrist watch to log in, and then some of these web sites may automatically use credentials in the wrist watch to gain further access to resources on other websites. How many levels the transitive relationship goes can be a function of the credentials and/or controllable on the trusted wrist watch.

    [0091] Another example of such relationships is as follows. A user buys a doorbell button. It gives the user the ‘owner key’. The user goes to www.homecontols.com on their tablet, where the site pops up a dialogue saying “you have new devices! Let homecontrols control these?”. The user says yes, their trusted wrist watch asks the user to confirm. The user clicks a button on the trusted wrist watch to confirm. Now homecontrols can monitor the user's doorbell button and make a doorbell sound in the user's house via their previously-connected HiFi system.

    [0092] Another example is as follows. A user opens up www.NHS.gov.uk and goes to the preventative medicine advisory service. It asks to connect to any ‘quantified self’ resources the user has, the user agrees and the user's trusted wrist watch beeps and displays a message asking for confirmation, the user clicks the ‘confirm’ button and NHS.gov.uk is temporarily able to get the user's fitbit.com logs, the user's polar.com training logs, the data from the user's gym usage, the ‘diet feed’ of meal pictures from the user's Google Glass, etc. NHS.gov.uk passes out this data for analytics to various third party services that can use them, collates the results, puts together a report and shows the user a page where the user can move a slider to their desired life expectancy and it tells the user what lifestyle changes they need to make to have a good chance of achieving their goal. When the user leaves, NHS.gov.uk forgets all about the user because it never knew who the user was—only that the user was a UK citizen. The third-party services forget too, because their contract with the NHS says they have to. The websites may update their aggregate dataset though before deleting the individual data.

    [0093] Although illustrative embodiments of the invention have been described in detail herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to those precise embodiments, and that various changes and modifications can be effected therein by one skilled in the art without departing from the scope and spirit of the invention as defined by the appended claims.