METHODS, TERMINAL AND SERVER FOR MANAGING PERSONAL DATA

Information

  • Patent Application
  • 20250173457
  • Publication Number
    20250173457
  • Date Filed
    March 31, 2023
    2 years ago
  • Date Published
    May 29, 2025
    a month ago
  • Inventors
    • REFFE; Nicolas
  • Original Assignees
    • PIGNELA CAPITAL SA
Abstract
The invention relates to a process for constitution of a history of personal data of a user and is carried out by a terminal of the user. The process includes a step for obtaining a symmetric encryption key associated with a profile of the user. The process includes a step for collecting personal data of the user. Throughout the collection of these personal data a step for encryption of these personal data with the symmetric encryption key of this user. Throughout the collection of these personal data a recording step, in a general database, of blocks including the encrypted data. The blocks being organised according to a blockchain constituting a sub-graph of a general graph whereof the topology is defined by a preset data model. A root block of the sub-graph being associated with a dynamic non-fungible token of this user.
Description
PRIOR ART

The invention relates to the general field of the protection and management of personal data of users in a telecommunications network.


In this document, the ‘notion of personal data’ is to be understood in the widest sense and refers to any item of data over which a user wishes to retain control.


By way of non-limiting examples, the identity or the address of a physical person, the data from a banking transaction carried out by a physical or moral person, a message exchanged over a telecommunications network, geolocation data of an individual, photographs or videos acquired by an individual or received from a third party, a digital contract constitute personal data in terms of the invention.


In the current state of the art, the personal data of a user are generally managed by service providers the user subscribes to.


For example, for a user owning a bank account and a social network account it is usual for the user to provide both personal data to the banking organisation and also personal data to the operator of the social network.


This results in the user having control over his personal data, since it is very difficult for him to determine the processing carried out on these data by the service providers.


EXPLANATION OF THE INVENTION

According to a first aspect, the invention relates to a process for constitution of a history of personal data of a user, this process being executed by a terminal of the user and comprising:

    • a step for obtaining a symmetric encryption key associated with a profile of the user;
    • a step for collecting personal data of the user;
    • throughout the collection of said personal data of the user:


      (i) a step for encryption of these personal data with the symmetric encryption key of the user; and


      (ii) a recording step, in a general database, of blocks comprising said encrypted data, said blocks being organised according to a blockchain constituting a sub-graph of a general graph whereof the topology is defined by a preset data model, a root block of said sub-graph being associated with a cryptographic datum specific to this user.


According to a second aspect, the invention relates to a management process, executed by a computer system, for managing the personal data of a plurality of users, this process comprising the management of a general database in which blocks are recorded, each block comprising said personal encrypted data of a said user, said blocks comprising the personal encrypted data of the same user being organised according to a blockchain constituting a sub-graph of the same general graph whereof the topology is defined by a preset data model, a root block of said sub-graph being associated with a cryptographic datum specific to this user.


In an embodiment, the cryptographic datum associated with a user is a dynamic non-fungible token of this user.


In another embodiment, the cryptographic datum associated with a user is the public key of a digital wallet (digital wallet) of this user.


In this way, and in general, the invention proposes storing a history of the personal data of users in a blockchain and linking the history of the personal data to a cryptographic datum specific to this one user, for example to a dynamic non-fungible token of this user or to the public key of a digital wallet kept by this user. In terms of the invention, users can especially be physical or moral persons.


Hereinbelow ‘digital wallet’ means a material device or secure storage and management software of digital files in the broadest sense and of digital files associated uniquely with one user, such as units of cryptocurrency and/or non-fungible tokens. In this respect, a digital wallet comprises a public key associated with the user. Such a digital wallet can for example enable electronic transactions with another party when exchanging units of cryptocurrency.


In this way, in keeping with the invention a cryptographic datum specific to a user, for example a dynamic non-fungible token or the public key of a digital wallet, points to the input node of a graph representing the history of the personal data of this user (or user) according to mapping defined by the preset data model.


The fact of linking all the personal data in a block graph, due to its probative value, ensures the immutability of the history of these data. Also, when the cryptographic datum is a dynamic non-fungible token, the invention ensures that the user remains owner of all of his past and future personal data once they are integrated into the blockchain.


The act of linking all the personal data of a user to a cryptographic datum specific to the user also lets a user ensure portability of his data in heterogeneous environments and considerably simplifies access of this user to new services.


In fact, when knowledge about a user (KYC, ‘Know Your Customer’) has been obtained via verification of documents of this user associated with a cryptographic datum (dynamic non-fungible token, public key of a digital wallet) in a first environment (for example verification of identity, credentials, eligibility, . . . ) for a first service (for example on opening a bank account) and the proof of the result of this verification is integrated into the data associated with this cryptographic datum, in a second environment obtaining this cryptographic datum directly attributes rights to this user for a second service (reservation of a vehicle for example), without restarting verification of his documents.


The invention proposes using the cryptographic datum specific to a user as element of proof of the identity of the user. When the cryptographic datum is a non-fungible token this datum also presents the characteristics of being non-repudiable and unfalsifiable. The non-fungible character of the token also ensures that this property title cannot (contrary to a digital signature for example) be reproduced or utilised unknown to the user.


The use of a cryptographic datum specific to the user (non-fungible token, public key of digital wallet) in the invention tracks the activity of a physical or moral person irrespective of environment. For example, if a cryptographic datum, especially a non-fungible token, is held by a media organisation (moral person) and the digital contents produced by this media organisation are recorded in the general graph associated with this cryptographic datum, it is very simple, regardless of environment, to prove that one of these digital contents comes from this media organisation.


In the implementation, the proof of ownership constituted by a cryptographic datum specific to the user can be managed either explicitly with visible identity of the user as physical or moral person, or totally anonymously. A user can circulate digital information linked to a cryptographic datum (non-fungible token, public key of digital wallet, . . . ) anonymously, the third party however being able verify that this information is definitely associated with this cryptographic datum.


In an embodiment, the blockchain is a distributed register within a peer network, the terminal being a peer of said network configured to store locally at least one part of said sub-graph, said blocks being stored in a local database of said terminal.


The constitution and consultation of the history of personal data of a user via the terminal of this user can be done asynchronously, off-grid, and be resynchronised without degradation of functionalities and of the security of the solution.


In an embodiment, the data model defines how branches of said sub-graph comprise blocks whereof the personal encrypted data correspond to timestamped geolocation data of said terminal during detected displacement of said terminal.


In this embodiment of the invention, the terminal of a user detects displacements. When a new displacement is detected a new branch is created in the sub-graph of the user, blockchains comprising timestamped encrypted geolocation data are integrated into the branch throughout displacement and when the position of the terminal is detected unchanged during a predetermined period, the branch stops.


In an embodiment, the data model defines how blocks whereof the personal encrypted data correspond to a digital activity of the terminal on a given date or to data received from a third party on a given date is attached, in the sub-graph of the user, to a block whereof the personal encrypted data correspond to geolocation data of said terminal timestamped on said given date.


This embodiment advantageously dates and locates all the digital activities of a user. By way of example, it ensures that a photograph acquired by the terminal of a user has been acquired on a given date and while the terminal was at a given place.


In a particular embodiment of the invention, the personal geolocation data can be associated with elements of proof of the presence of the terminal at the given position at an instant, these elements of proof being for example elements of proof signed and supplied by an operator of telecommunications capable of validating these elements by demarcation.


In an embodiment, the process of constituting personal data of a user comprises a step of integration into the sub-graph of a user, of a digital contract to which this user is party, the contract being encrypted by a public key of the terminal of the user, a public key of at least one other party to the contract and a public key of a digital trust environment, said contract comprising at least:

    • the symmetric encryption key of the user encrypted with a public key of the digital trust environment; and
    • instructions able to be executed by said digital trust environment for:


      (i) decrypting at least some of said personal data of the user with the symmetric encryption key;


      (ii) verifying that the cryptographic datum specific to the user associated with the root block of the sub-graph belongs to said user;


      (iii) analysing said deciphered personal details; and


      (iv) providing a result of said analysis to at least one party to the contract.


In this embodiment of the invention, the process for management of personal data of a plurality of users comprises a step for management of a set of instances of a digital trust environment, a said instance being configured to:

    • execute instructions defined in a digital contract to analyse some of the personal data of at least one said user party to the contract, said contract comprising a symmetric encryption key of said at least one party to the contract encrypted with a public key of said instance of the digital trust environment, said symmetric encryption key able to be utilised by said instance to decrypt said personal data to be analysed;
    • provide a result of said analysis to at least one party to the contract.


According to this aspect, the invention proposes that the contracts which analyse the personal data of users are executed in an environment of trust, and not by the terminals of the parties to the contract so as not to expose the personal data of these parties. The execution in an environment of trust is also known to the skilled person by the expression ‘Confidential computing’.


In a preferred embodiment, these contracts integrate access delegations to the personal encrypted data for exclusive use of the environment of trust wherein these data are analysed, this environment of trust being configured to decrypt all or some of the personal data of a party to the contract, analyse them and transmit the results of the analysis to one or more parties to the contract.


This embodiment of the invention advantageously allows execution of contracts between parties having heterogeneous environments. The invention in particular allows portability of the data of a user in the Metaverse (registered mark), including execution, in the Metaverse, of digital contracts needing analysis of the personal data of the parties to the contract and ensuring protection of these personal data.


In an embodiment, when the cryptographic datum specific to a user is a dynamic non-fungible token, the process of constitution of a history of personal data comprises a step for generation of at least one second dynamic non-fungible token for said user and a step for association of a sub-graph of said sub-graph with said second dynamic non-fungible token.


The user owner of the dynamic non-fungible token to which the root of the sub-graph is attached comprising the history of his personal data can generate tokens pointing to a sub-part of this sub-graph, for example on a branch of this sub-graph.


This characteristic advantageously lets the user exploit a part of his history separately.


Another aim of the invention is a terminal comprising a processor configured to carry out:

    • a step for obtaining a symmetric encryption key associated with a profile of the user;
    • a step for collecting personal data of the user; and
    • throughout the collection of said personal data of the user:


      (i) a step for encryption of these personal data with the symmetric encryption key of this user; and


      (ii) a recording step, in a general database, of blocks comprising said encrypted data, said blocks being organised according to a blockchain constituting a sub-graph of a general graph whereof the topology is defined by a preset data model, a root block of said sub-graph being associated with a cryptographic datum specific to this user (dynamic non-fungible token, public key of digital wallet).


Another aim of the invention is a server for management of personal data of a plurality of users, this server comprising a processor configured to manage a general database in which blocks are recorded, each block comprising personal encrypted data of a user, the blocks comprising the personal encrypted data of the same user being organised according to a blockchain constituting a sub-graph of the same general graph whereof the topology is defined by a preset data model, a root block of said sub-graph being associated with a cryptographic datum specific to this user.


The general database utilised in the invention can be centralised (for example administered by the server for management of personal data) or distributed.


Another aim of the invention is a computer program on a recording medium, this program being likely to be run on a computer. This program comprises instructions adapted to executing a process for constitution of a history of personal data such as described above.


Another aim of the invention is a computer program on a recording medium, this program being likely to be run on a computer. This program comprises instructions adapted to execute a process for management of personal data of a set of users such as described above.


Each of these programs can utilise any programming language, and can be in the form of source code, object code, or intermediate code between source code and object code, such as in a partially compiled form, or in any other preferable form.


Another aim of the invention is an information medium or a recording medium legible by a computer, and comprising instructions of the first or of the second or of the third computer program such as mentioned above.


The information or recording media can be any entity or device capable of storing the programs. For example, the media can comprise storage means such as a ROM, for example a CD ROM or a ROM of microelectronic circuit, or even magnetic recording means, for example a hard drive, or a flash memory.


On the other hand, the information or recording media can be transmittable media such as an electric or optic signal which can be conveyed via an electrical or optic cable, via radio link, wireless optic link or by other means.


The programs according to the invention can be downloaded in particular over a network of Internet type.


Alternatively, each information medium or recording medium can be an integrated circuit into which a program is incorporated, the circuit being adapted to execute or to be used in the execution of one of the processes according to the invention.





BRIEF DESCRIPTION OF DRAWINGS

Other characteristics and advantages of the present invention will emerge from the following description in reference to the attached drawings which illustrate an exemplary embodiment devoid of any limiting character, in which:



FIG. 1 illustrates terminals, a server for management of personal data and instances of a digital trust environment able to be utilised in a particular embodiment of the invention;



FIG. 2A illustrates a general graph able to be implemented in a particular embodiment of the invention;



FIG. 2B illustrates a sub-graph of the general graph of FIG. 2A;



FIG. 3A illustrates a proposal of contract set up by a first party;



FIG. 3B illustrates a contract formed after acceptance of the proposal of contract of FIG. 3A by a second party;



FIG. 4 illustrates the setting up of a user account in a particular embodiment of the invention;



FIG. 5 illustrates the main steps performed for constitution of the history of personal data of a user;



FIG. 6 illustrates the main steps performed by the terminal of a user for consultation of personal data of this user;



FIG. 7 illustrates the main steps performed for setting up a contract;



FIG. 8 illustrates the main steps performed for execution of a contract;



FIG. 9 illustrates the material architecture of a terminal in keeping with a particular embodiment of the invention; and



FIG. 10 illustrates the material architecture of a server in keeping with a particular embodiment of the invention;





DESCRIPTION OF EMBODIMENTS


FIG. 1 illustrates the terminal TA of a user A, the terminal Tsp of a service provider SP, a server SDP for management of personal data of a plurality of users and instances ECNi of a digital trust environment ECN interconnected by a telecommunications network NET.


In the embodiment described here, the server SDP for management of personal data is configured to offer:

    • a historical data service HIST of personal data; and
    • a GES-CONT service for management of digital contracts using all or some of these personal data.


As described in detail hereinbelow, the historical data service HIST of personal data lets a user who subscribes to this service constitute and maintain, from his mobile terminal, a history of his personal data, to give this history a probative value and ensure its portability by linking this history to a dynamic non-fungible token as property of this user.


The GES-CONT service for management of contract executes, in a digital trust environment ECN, a digital contract passed between at least two parties, without exposing the personal data of these parties. In this respect, and as described later, the digital contracts managed by the invention integrate delegated access to the personal data of the user for the digital trust environment ECN.


In the embodiment described here, the server SDP for management of personal data also comprises a module GES-ECN for management of this digital trust environment ECN.


This digital trust environment ECN constitutes a protected environment (Trusted Execution Environment) in which contracts formed between two or more parties (users as physical or moral persons, service providers, . . . ) can be executed.


In the embodiment described here, the module GES-ECN for management of a digital trust environment of the server SDP for management of personal data is configured to dynamically administer in the network a variable number of instances ECNi, ECNj of the digital trust environment ECN as a function of the number of contracts to be executed.


In the embodiment described here, these instances ECNi, ECNj of the digital trust environment are cloned by the module GES-ECN. These cloned instances all comprise the same module EXEC-CONT for executing a contract and the same pair of keys comprising a public key KPUBECN and an associated private key KPRIVECN stored in a rewritable non-volatile memory MECN.


In the embodiment described here, the terminal TA is a mobile phone.


In this example it is assumed that the user A has downloaded and installed in his terminal TA an application APP with the server SDP for management of personal data, this application letting the user A access the services offered by the server, especially the historical data service HIST of personal data and the GES-CONT service for management of digital contracts.


The application APP comprises a cryptographic module MCY.


In the embodiment described here, it is assumed that the application APP also comprises a GEN-CONT module for generation of a contract letting the user of the terminal TA form with one or more other parts of contracts intended to be executed in the digital trust environment ECN. These operations are detailed later in reference to FIG. 7.



FIG. 1 illustrates the terminal TA after the user A has opened an account via the server SDP for management of personal data to subscribe to the historical data service HIST of his personal data. Steps E40 to E45 performed by the terminal TA for opening this account will be described later in reference to FIG. 4. Following opening of this account, a rewritable non-volatile memory MA of the terminal TA comprises, in this example:

    • identifiers LOG/MP (login, password) to let user A access his account via the local application APP;
    • a pair of keys comprising a private key KPRIVA and public key KPUBA;
    • a symmetric encryption key KSA; and
    • a confidential unique identifier IDA.


In the embodiment described here, the terminal TA comprises a module MDD for detection of displacements of the terminal TA.


In this example, the module for detection of displacements MDD comprises artificial intelligence IA, a GPS geolocation module and a detector of movement MVT comprising for example an accelerometer and a gyroscopic sensor for measuring the linear acceleration, the orientation and the angular speed of the terminal TA.


This module for detection of displacement MDD is configured to generate timestamped personal geolocation data DPGEOA of the user A, these data comprising positions Pi occupied by the terminal TA in the real world on dates Ti.


In the embodiment described here, the terminal TA also comprises a camera CAM and a payment application PAY. It is assumed that the photographs acquired by the camera CAM and that the transactions performed with the application PAY constitute personal data DPDigActA of the user A representative of digital activities performed by the user A. Other digital activities are possible, for example the sending or receipt of messages (electronic mail, short texts, . . . ) executed with messaging applications of the terminal TA, not shown.


In the embodiment described here, the terminal TA is also configured to manage personal data DP3rdPA acquired from third parties, for example from an administrative service, a bank, insurance, a business, . . .


In general, the personal data of the user A will be denoted DPA, those able for example to comprise, and in a non-limiting manner, personal geolocation data DPGEOA, personal data DPDigActA representative of digital activities and personal data DP3rdPA acquired from third parties.


In the embodiment described here, the server SDP comprises a centralised general database BDC which stores the history of the personal encrypted data of all users who have subscribed to the service HIST.


In the embodiment described here, the personal encrypted data of users are organised according to an n-dimensional blockchain.


In the embodiment described here, this n-dimensional blockchain takes the form of a general direct acyclic graph GC whereof the topology is defined by a preset data model which will be described hereinbelow in reference to FIGS. 2A and 2B.


This blockchain constitutes a distributed register which can be updated within a peer network.


In the embodiment described here, the terminal of a user who has subscribed to the historical data service HIST of his personal data is a pair of this network. By way of example, the terminal TA locally maintains:

    • a local database BDA comprising his own personal encrypted data; and
    • a copy of a sub-graph SGA of the general graph GC which comprises the history of his own encrypted personal data DPA.


The terminal TA can therefore work offline and asynchronously by exploiting the ownership of the graphs.


In this way, in the embodiment described here, and as described later in reference to FIG. 5, when the terminal TA detects new personal data DPA to be recorded, they are encrypted by the cryptographic module MCY of the terminal TA, stored in the local database BDA of the terminal TA, integrated by the terminal TA into the sub-graph SGA local at the terminal TA before being synchronised, when a connection allows it, with the blockchain of the general graph GC.


The synchronisation between the pairs is ensured by the general database BDC. When a pair creates or receives a new block, it adds it to its copy of the register and then transmits it to its pair nodes. When the latter receive it, they verify that this new block is valid. If the block is valid, they integrate it on their register and transmit it in turn to their pairs.



FIG. 2A illustrates an example of general graph GC representing the organisation of the personal encrypted data of all the users TA, Tk of the historical data service HIST stored in the general database BDC managed by the server SDP for management of personal data.


In the example illustrated here, the general graph GC comprises especially a sub-graph SGA which illustrates the organisation of encrypted personal data DPA of the user A in the general database BDC or in the local database BDA, assuming these bases are synchronised. As mentioned previously, the topology of the general graph GC (and therefore in particular of the sub-graph SGA) is defined by a preset data model.



FIG. 2B illustrates more precisely the sub-graph SGA which illustrates the organisation of the encrypted personal data DPA of the user A in keeping with a particular data model. In the particular case of this data model, the sub-graph SGA is a direct acyclic graph. It comprises especially a root BRA and a set of branches constituted by blocks interconnected by arcs.


In the embodiment described here, the module for detection of displacements MDD of the terminal TA is configured to detect a type of displacement of the terminal TA in the real world, for example travel by car or travel by foot.


In the exemplary embodiment described here, and as per the preset data model, the sub-graph of personal data of a user comprises especially a branch for each of the detected displacements of this user.


For example, in FIG. 2B:

    • each of the branches F1 to F3 comprises encrypted blocks comprising timestamped personal geolocation data DPGEOA acquired during a car trip detected by the terminal TA;
    • each of the branches F4 to F5 comprises encrypted blocks comprising timestamped personal geolocation data DPGEOA acquired during a walking trip detected by the terminal TA.


This example is non-limiting, and other types of travel not shown are possible.


As shown more precisely for the branch F5, each branch associated with a displacement comprises a set of blocks, each block Bi comprising an encrypted geolocation Pi and a date Ti, which indicate that during displacement associated with this branch F5 the terminal TA was located at the position Pi at the instant Ti.


When the module for detection of displacements MDD detects that a journey is completed, for example, when the position of the terminal TA is detected unchanged over a predetermined period, the branch stops. If a new displacement is detected, a new branch is created.


The example in FIG. 2B shows in greater detail three blocks Bi−1, Bi, Bi+1 comprising positions Pi−1, Pi , Pi+1 at successive times Ti−1, Ti, Ti+1 of the terminal TA during a journey on foot. Note that, in accordance with the blockchain mechanism, each block Bi includes, in addition to its own encrypted data, an output hash H([Bi−1A]) of the preceding block. This characteristic of hash functions means that any change to the contents of a block is immediately visible in subsequent blocks.


In line with the particular data model described here, the branches associated with detected displacements of the terminal of a user constitute the principal skeleton of the sub-graph of a user.


In the embodiment described here, the sub-graph SGA can also comprise blocks comprising encrypted personal data DPDigActA of the user A acquired during digital activities performed by the terminal TA.


In the embodiment described here, the sub-graph SGA can also comprise blocks comprising encrypted personal data DP3rdPA of the user A acquired from third parties.


In the embodiment described here, a block comprising data associated with a digital activity or received from a third party on a given date is attached in the sub-graph SGA to a block comprising this date and the geolocation of the terminal TA on this date.


In this way, by way of example, FIG. 2B shows:

    • a node Bk comprising an encrypted photograph PIX acquired by the camera CAM at the instant Ti−1 while the terminal was at the position Pi−1;
    • a node Br comprising an encrypted contract AG received from a third party at the instant Ti+1 when the terminal was at the position Pi+1.


This sub-graph evolves dynamically, growing richer from the personal data of the user.


Highly advantageously, the sub-graph SGA of the blockchain comprising the personal data DPA of a user A ensures the immutability of the history of these data and their authenticity when they are validated by an external third party of trust.


As is known to the skilled person, to give the graph its probative value it is necessary, for example at regular intervals, to integrate therein data produced by an external third party of trust (for example another blockchain). For example, the terminals can transmit the hash of the last block of the graph to this third party of trust, the third party of trust produces information from this hash, and this information signed by the third party of trust is integrated into the graph.


In a particular embodiment, the history of the personal data of a user is attached by the server SDP for management of personal data to a dynamic non-fungible token.


For example, and as described later, in reference to FIG. 4, an output hash of the root block of the sub-graph of history data of a user can be associated by the server SDP with a cryptographic datum (for example a dynamic non-fungible token or the public key of a digital wallet) attributed by this server to this user.


An embodiment of the invention is described hereinbelow in which the cryptographic datum specific to the user is a non-fungible token NFTA, the invention accordingly letting the user attach his history of personal data to his dynamic non-fungible token NFTA.


In a particular embodiment of the invention, the user A, owner of the dynamic non-fungible token NFTA can generate at least one second non-fungible token NFTA2 and associate a sub-graph of his sub-graph SGA to this second non-fungible token.


It is now assumed that the user A and the service provider SP have subscribed to the GES-CONT service for management of digital contracts and that they want to set up a digital contract AGECNA,SP intended to be executed by an instance ECNi of the digital trust environment ECN so as not to expose the personal data of the parties to the contract during execution of the contract.


It is assumed that the terminal TSP of the service provider SP has downloaded an application GEN-CONT for generation of a contract from the server SDP, compatible with that of the application APP downloaded by the terminal TA.


It is assumed that a user of the terminal SDP has used the application GEN-CONT to open an account with the server SDP for management of personal data to subscribe to the GES-CONT service for management of contract


Following opening of this account, a rewritable non-volatile memory MSP of the terminal TSP comprises, in this example:

    • identifiers LOG/MP (login, password) to let the user access his account via the local application GEN-CONT;
    • a pair of keys comprising a private key KPRIVSP and public key KPUBSP;
    • a symmetric encryption key KSSP; and
    • a confidential unique identifier IDSP.


In the embodiment described here, the service provider SP uses his application GEN-CONT to set up a contract proposal noted AGECN*A,SP. In the embodiment described here, the analyses to be performed on the data of the user, their frequency, the length of the contract, the format of the results, the rules of dissemination of the result are described explicitly in the contract proposal.


An example of contract proposal AGECN*A, SP is shown in FIG. 3A. This proposal comprises:

    • a literal interpretable description DLII by an instance ECNi of the digital trust environment ECN and/or a code CODE executable by this instance ECNi to perform analyses on personal data DPA of A;
    • a description DDP of the personal data DPA of A to which the digital trust environment ECN must refer this analysis, for example the category of personal data (timestamped data of geolocation, photographs, messages, . . . ) and the relevant time range (personal data detected between this date and that date . . . )
    • the start date DD, the finish date DF and a periodicity PER of execution of the contract;
    • a format FORM in which the digital trust environment must return the result of analyses to the different parties A, SP;
    • the encryption key KSSP of the party SP encrypted with the public key KPUBECN common to the instances ECNi of the digital trust environment configured to execute the contract; and
    • a signature SIGSP of this contract proposal with the private key KPRIVSP of the service provider.


The encryption key KSSP encrypted with the public key KPUBECN is noted [KSSPECN].


When the terminal TA obtains this encrypted contract proposal, it verifies the signature SIGSP with the public key KPUBSP of the service provider SP.


If the user A of the terminal TA accepts the contract proposal, he inserts his encryption key KSA encrypted with the public key KPUBECN common to the instances ECNi of the digital trust environment, signs this proposal completed with his private key KPRIVA, and inserts his signature SIGA into the contract proposal to form the contract AGECNA, SP. The encryption key KSA encrypted with the public key KPUBECN is noted [KSAECN].


The contract AGECNA, SP formed in this way is shown in FIG. 3B. It integrates delegations to the personal encrypted data of the parties A and SP for exclusive use of the instances ECNi of the digital trust environment ECN in which these data are analysed.


In the embodiment described here, the contract AGECNA, SP is signed with the public keys KPUBA, KPUBSP of the parties A and SP to the contract, and with the public key KPUBECN common to all the instances ECNi of the digital trust environment. Each of the parties A and SP and any instance ECNi of the digital trust environment ECN can decrypt the contract by using its sole private key.


The execution of the contract by an instance of the digital trust environment is described in reference to FIG. 8.



FIG. 4 illustrates the main steps performed in a particular embodiment of the invention to set up the account of a user and attribute a dynamic non-fungible token for him. By way of illustration, the creation of the account of a user A from his terminal TA and the creation of his non-fungible token NFTA by the server SDP for management of personal data will be considered.


The invention can be transposed directly to other embodiments in which the cryptographic datum specific to the user is not a dynamic non-fungible token, especially when it is constituted by a public key of a digital wallet.


During a step E40, the user A of the terminal TA creates his account with the historical data service HIST of personal data provided by the server SDP. In the embodiment described here, to this effect the user A utilises a local application APP previously downloaded via his terminal TA from the server SDP for management of personal data, to obtain and register in the memory MA of the terminal TA:

    • identifiers LOG/MP (login, password) to access his account via the local application APP;
    • a pair of keys comprising a private key KPRIVA and public key KPUBA;
    • a symmetric encryption key KSA; and
    • a confidential unique identifier IDA.


These elements (identifiers, pair of keys, symmetric encryption key, unique identifier) are preferably generated by the terminal TA, for example by the local application APP.


They are preferably stored in a memory MA of the terminal TA.


During a step E42, the terminal TA integrates its confidential unique identifier IDA into the root block BRA of its structure of data SGA, and encrypts the root block BRA with its symmetric encryption key KSA. This block of encrypted data is noted H[BRAA]. An output hash H([BRAA]) of the root block is calculated by applying the hash function H to the block of encrypted data [BRAA].


During a step E43, the root block BRA is associated with a descriptor DESCRA of this block, also encrypted with the symmetric encryption key KSA of the terminal TA. This encrypted descriptor is noted [DESCRAA].


The descriptor DESCRA of the root block BRA is for example the chain of characters ‘Block root’. This descriptor lets anyone who has the symmetric encryption key KSA to find the root block BRA of the structure of data of the user A.


The choice of the descriptor can be any. But in a preferred embodiment of the invention the choice of the descriptor is defined in the preset data model. This model contains for example a convention on the descriptors to be used.


In the embodiment described here the root block comprises no hash connecting it to one or more previous blocks of data.


During a step E44, the encrypted root block [BRAA] is stored in the local databases BDA of the terminal TA in association with its encrypted descriptor [DESCRAA]. The encrypted root block [BRA], and its associated encrypted descriptor [DESCRAA] are sent to the server SDP when a connection network is available. They are recorded in the general database BDC and the encrypted root block [BRA] is synchronised with the general graph GC.


During a step E45, the terminal TA transmits the hash H([BRAA]) output of the root block BRA of its graph SGA to the server SDP for management of personal data.


During a step E46, the server SDP for management of personal data creates a dynamic non-fungible token NFTA whereof it accords ownership to the user A and it associates the output hash H([BRAA]) of the root block to this non-fungible token NFTA.


It is clear that the output hash H([BRAA]) cannot be found in the different encrypted blocks and therefore cannot be associated with the data of the user A other than to keep the symmetric encryption key KSA of this user.



FIG. 5 illustrates the main steps performed for constitution of the history of personal data DPA of a user, for example for those of the user A. In the embodiment described here, the data can be any type. They can for example be declarative data, or assorted data of elements of proof, for example of a digital signature, or secure integrated links.


As mentioned previously, these personal data DPA can be timestamped personal data DPGEOA of geolocation of the terminal TA, acquired during detected displacements of the terminal TA, for example during mobility activities (walking, biking, running, car travel, . . . ). Such data comprise for example GPS positions Pi−1, Pi, Pi+1 at successive instants Ti−1, Ti, Ti+1 of the terminal TA during displacement.


As mentioned previously, these personal data DPA can be personal data DPDigActA corresponding to digital activities performed on the terminal TA, for example the taking of a photograph or a video, a message exchange, an interaction with an application of the terminal TA.


As mentioned previously, these personal data DPA can be personal data DP3rdPA acquired from third parties, for example an administrative service, a bank, insurance, a business, . . .


In the embodiment described here the personal data DPA of the user A are integrated automatically into the history of the user as soon as they are detected by the terminal TA. As a variant, at least some data are integrated only on express authorisation of the user on his terminal.


It is assumed that during a step E50 the terminal TA detects a personal datum DPA to be integrated into the history of the personal data of the user A.


During a step E52, the personal datum DPA is integrated into a block Bi of the graph SGA, the position of this block in the graph being defined by a preset data model.


As described previously in reference to FIG. 2, this block Bi comprises:

    • except for the root block BRA, the output hash Hk of each of the blocks Bk upstream of the block Bi in the graph SGA; and
    • the personal datum DPiA.


The terminal TA encrypts the block Bi with its symmetric encryption key KSA. This block of encrypted data is noted [BiA]. An output hash H([BiA]) of the block Bi is calculated by applying the hash function H to the block of encrypted data [BiA].


During a step E54, the encrypted block Bi is associated with a descriptor DESCi of this block, for example selected in keeping with the convention of the preset data model. This descriptor DESCi is also encrypted with the symmetric encryption key KSA of the terminal TA. This encrypted descriptor is noted [DESCiA].


For example:

    • the descriptor DESCi associated with a block of data Bi comprising timestamped personal data DPGEOA of geolocation of the terminal TA, acquired during car travel of the terminal TA on Jun. 4, 2021 can be the chain of characters ‘2021 Jun. 4∥By car;
    • the descriptor DESCi associated with a block of data Bi comprising personal data DPDigActA corresponding to digital activity of the terminal TA on 27 Jul. 2021 can be the chain of characters ‘2021 Jul. 27∥photo’ or ‘2021 Jul. 27∥mail’;
    • the descriptor DESCi associated with a block of data Bi comprising personal data DP3rdPA acquired from third parties by the terminal TA on Aug. 4, 2022 can be the chain of characters ‘2022 Apr. 8∥bank’.


During a step E56, the block of encrypted data [BiA] is stored in the local databases BDA of the terminal TA in association with the encrypted descriptor [DESCiA]. The block of encrypted data [BiA], associated with the encrypted descriptor [DESCiA] is synchronised with the general graph GC when a network connection is available.


It is evident that the entire graph SGA representative of the history of the personal data of the user A does not have to be stored permanently on the terminal TA. Regular updating of a collection of blocks in the local database BDA of the terminal TA can be defined for example by the data model and by the current state of the graph. The strategy of conservation of a partial history on the terminal TA can depend on functional choices (data necessary for functioning and constitution of a non-repudiable history) and performance (latency access blocks in the local database vs. online access).


The constitution and consultation of the history of personal data DPA by the terminal TA can be done asynchronously, off-network, and be resynchronised without degradation of the functionalities and security of the solution.



FIG. 6 illustrates the main steps performed by the terminal of a user for consultation of personal data of this user. By way of example the steps performed by the terminal TA of the user A are detailed for consultation of personal data DPA of this user. As a reminder any encrypted block [BiA] recorded in the blockchain, encrypted by a symmetric key KSA, is associated with a descriptor [DESCiA] of this block, also encrypted with this same symmetric encryption key KSA.


Inversely, access to a block of data Bi is done from the associated descriptor DESCi. It can be assumed that user A wants to consult the blocks associated with a descriptor DESCi, for example constituted by the chain of characters ‘2021 Jun. 4∥By car. During a step E60, the user selects a descriptor in keeping with the convention of the preset data model. During a step E62, this descriptor DESCi is encrypted with the symmetric key KSA of the user to produce an encrypted descriptor [DESCiA].


During a step E64, the encrypted blocks [BiA] corresponding to the encrypted descriptor [DESCiA] are identified.


During a step E66, the encrypted blocks [BiA] identified with the preceding step (E64) are decrypted with the symmetric key KSA of the terminal TA to produce the decrypted blocks Bi.


According to the needs of the user, the content of the decrypted blocks Bi can be presented to the user A during a step E68. The graph SGA of personal data DPA can be reconstituted by using the hierarchy (father-son links) between the blocks of the graph SGA, this hierarchy able to be deduced from the hashes contained in the blocks of data.


It is noted that the structure of the sub-graph SGA can appear before or advantageously after decryption of the personal data DPA.


The entire graph SGA can be verified by the terminal TA.



FIG. 7 illustrates the main steps performed for setting up a contract between at least two parties. By way of example, the setting up a contract AGECNA, SP between a user A and a service provider SP can be considered, who wants to carry out analyses on the personal data DPA of A, this contract being intended to be executed in a digital trust environment ECN.


In the embodiment described here, during a general step E700, the server SDP for management of personal data manages a set of instances ECNi, ECNj of the digital trust environment cloned together. As described previously, these instances all comprise the same module EXEC-CONT for executing a contract and the same pair of public key KPUBECN, private key KPRIVECN. In the embodiment described here instances are created or destroyed as a function of the number of contracts recorded in the general graph GC.


During a step E70, the party SP prepares a contract proposal AGECN*A, SP between party SP and party A.


This contract proposal AGECN*A, SP comprises, as shown in FIG. 3A:

    • a literal description interpretable by an instance ECNi of the digital trust environment ECN and/or a code CODE which will be executed by this instance ECNi to perform analyses on personal data DPA of A;
    • a literal description DLII interpretable by an instance ECNi of the digital trust environment


ECN and/or a code CODE executable by this instance ECNi to perform analyses on personal data DPA of A;

    • a description DDP of personal data DPA of A on which the digital trust environment ECN must focus this analyse, for example the category of personal data (timestamped data of geolocation, photographs, messages, . . . ) and the range of relevant times (personal data detected between this date and that date . . . )
    • the start date DD, the finish date DF and a periodicity PER of execution of the contract;
    • a format FORM in which the digital trust environment must return the result of analyses to the different parties A, SP;
    • the encryption key KSSP of the party SP encrypted with the public key KPUBECN common to the instances ECNi of the digital trust environment configured to execute the contract.


During a step E71, the party SP signs the contract proposal AGECN*A, SP with its private key KPRIVSP. This signature is noted SIGSP.


During a step E72, the party SP transmits the contract proposal AGECN*A, SP and the signature SIGSP to the party A.


If the party A accepts the contract proposal AGECN*A, SP, during a step E73, the terminal TA signs the contract proposal AGECN*A, SP, with the private key KPRIVA of A. This signature is noted SIGA.


During a step E74, the terminal TA inserts this signature SIGA into the contract proposal AGECN*A, SP as well as its public KPUBA encrypted with the public key KPUBECN common to the different instances ECNi of the digital trust environment. The public key KPUBA encrypted with the public key KPUBECN is noted [KPUBAECN].


The contract proposal AGECN*A, SP initiated by the party SP and accordingly accepted by the party A can then be qualified by contract AGECNA, SP formed between the parties A and SP. During a step E75, the contract AGECNA, SP comprising the two signatures SIGSP, SIGA is encrypted asymmetrically with the public keys KPUBA, KPUBSP of the parties A and SP and with the public key KPUBECN common to the different instances ECNi of the digital trust environment. The contract encrypted in this way is noted [AGECNA, SP].


During a step E76, the contract AGECNA, SP is associated with a descriptor DESCECNA, SP, for example the chain of characters ‘Contract between A and SP’. This descriptor DESCECNA, SP is encrypted with the public keys KPUBA, KPUBSP of the parties A, SP and with the public key KPUBECN common to the different instances ECNi of the digital trust environment. The descriptor encrypted in this way is noted [DESCECNA, SP].


Each of the parties A and SP and any instance ECNi of the digital trust environment ECN can therefore decrypt the contract by using its sole private key KPRIVA, KPRIVSP, KPRIVECN.


During a step E78, the encrypted contract [AGECNA, SP] and its encrypted descriptor [DESCECNA, SP] are integrated into the graph SGA of the user A and the general graph GC. The encrypted contract [AGECNA, SP] is indistinguishable in the general graph GC.


In the embodiment described here, the server SP is notified (E79) that the encrypted contract [AGECNA, SP] is available in the general graph GC and that this contract has been incorporated into the graph SGSP of this server.



FIG. 8 illustrates the main steps performed for execution of a contract in keeping with a particular embodiment of the invention. By way of example the execution of a contract AGECNA, SP drawn up between a user A and a service provider SP will be considered, this contract being intended to be executed by an instance ECNi of a digital trust environment.


As mentioned previously, the encrypted contracts are recorded in the graphs SGA, SGSP of the users A, SP, . . . and in the general graph GC.


In an embodiment of the invention, it is the users who verify whether contracts appear in their graph SGA, SGSP or in the general graph GC. For this, and as described previously in reference to FIG. 6, they use the descriptors for identifying the contracts in the blockchain, for example the descriptors constituted by the chain of character ‘Contract’.


As a variant, it is the instances ECNi of the digital trust environment which make these verifications in the general graph GC.


During a step E80 which is repeated for example at regular intervals, the terminal TA searches, from their descriptors, for encrypted contracts [AG] appearing in its graph SGA or in the general graph GC.


If the terminal TA identifies an encrypted contract [AGECNA, SP], it deciphers it with its private key KPRIVA during a step E81.


During a step E82, the terminal TA determines from the start date DD of the contract, the finish date DF of the contract and the periodicity PER of the contract whether execution of the contract is scheduled. If this is the case, the terminal TA notifies this at an instance ECNi of the digital trust environment during a step E83. During a step E84, this one instance ECNi of the digital trust environment obtains the encrypted contract [AGECNA, SP] and decrypts it with its private key KPRIVECN.


As described previously in reference to FIG. 3B, the encrypted contract AGECNA, SP comprises the symmetric encryption keys KSA, KSSP of each of the parties encrypted with the public key KPUBECN of the instance ECNi (noted respectively [KSAECN], [KSSPECN]).


During a step E85, the instance ECNi decrypts the encryption keys encrypted with its private key KPRIVECN, and obtains the encryption keys KSA, KSSP of each of the parties.


The contract is executed by the instance ECNi of the digital trust environment according to the terms of the contract.


During a step E86, the instance ECNi determines from the description DDP which of the personal data of the parties the analysis must focus on, then performs its analysis by interpreting the interpretable literal description DLII or by executing the code CODE included in the contract. During this analysis, the personal data of the necessary parties are decrypted by the instance ECNi with the symmetric encryption keys of the parties.


By following the parentage links defined by the hashes of the blockchain for the sub-graph of a party, the instance ECNi can verify whether the cryptographic datum specific to a user, for example the non-fungible token NFTA associated with the root block BRA of the sub-graph SGA belongs to the user A (for example associated with the public key KPUBA of the user A in a database) and reconstitute the entirety of the history of the personal data of this party and perform analysis on the personal data targeted by the description DDP.


During a step E87, the instance ECNi formats the result RES of the analysis according to the format FORM defined in the contract. It encrypts this result with the public keys KPUBA, KPUBSP of the parties A, SP. The result encrypted in this way is noted [RES].


During a step E88, the result RES is associated with a descriptor DESCRES, for example the chain of characters ‘Result of execution of the Contract between A and SP’. This descriptor DESCRES is encrypted with the public keys KPUBA, KPUSP of the parties A, SP. The descriptor encrypted in this way is noted [DESCRES].


During a step E89, the encrypted result [RES] and its encrypted descriptor [DESCRES] are integrated into the general graph GC and synchronised with the sub-graphs SGA, SGSP of the parties to the contract, and the terminals of the parties are notified.


As described previously in reference to FIG. 4, when the user A of the terminal TA creates his account with the historical data service HIST of personal data provided by the server SDP, the server SDP for management of personal data creates a cryptographic datum (for example a dynamic non-fungible token NFTA or the public key of a digital wallet) whereof it ascribes ownership to the user A and it associates the history of the personal encrypted data with this cryptographic datum.



FIG. 9 presents the material architecture of a terminal in keeping with the invention. It comprises especially a processor 10, a read-only memory 11 (of ‘ROM’ type), a rewritable non-volatile memory 12 (of ‘EEPROM’ or ‘Flash NAND’ type for example), a rewritable volatile memory 13 (of type ‘RAM’), and a communication interface 14.


The read-only memory 11 constitutes a recording medium in keeping with an exemplary embodiment of the invention, legible by the processor 10 and on which a first computer program P1 is recorded in keeping with an exemplary embodiment of the invention. As a variant, the first computer program P1 is stored in the rewritable non-volatile memory 12.


The first computer program P1 allows the terminal to carry out a process for constitution of a history of personal data in keeping with the invention.



FIG. 10 presents the material architecture of a server for management of personal data in keeping with the invention. It comprises especially a processor 20, a read-only memory 21 (of type ‘ROM’), a rewritable non-volatile memory 22 (of type ‘EEPROM’ or ‘Flash NAND’ for example), a rewritable volatile memory 23 (of type ‘RAM’), and a communication interface 24.


The read-only memory 21 constitutes a recording medium in keeping with an exemplary embodiment of the invention, legible by the processor 20 and on which a second computer program P2 is recorded in keeping with an exemplary embodiment of the invention. As a variant, the second computer program P2 is stored in the rewritable non-volatile memory 12.


The second computer program P2 lets the server for management of personal data carry out a process for management of personal data of a plurality of users in keeping with the invention.

Claims
  • 1. A process for constitution of a history of personal data of a user, this process being executed by a terminal of the user and comprising: a step for obtaining a symmetric encryption key associated with a profile of the user;a step for collecting personal data of the user;throughout the collection of said personal data of the user: (i) a step for encryption of these-said personal data with the symmetric encryption key (of this the user; and(ii) a recording step, in a general database, of blocks comprising said encrypted data, said blocks being organised according to a blockchain constituting a sub-graph of a general graph whereof the topology is defined by a preset data model, a root block of said sub-graph being associated with a dynamic non-fungible token of this user.
  • 2. The process for constitution of a history of personal data according to claim 1, wherein said blockchain is a distributed register within a peer network, said terminal being a peer of said network configured to store locally at least one part of said sub-graph, and said blocks being stored in a local database of said terminal.
  • 3. The process for constitution of a history of personal data according to claim 1, wherein said data model defines how branches of said sub-graph comprise blocks whereof the personal encrypted data correspond to timestamped geolocation data of said terminal during detected displacement of said terminal.
  • 4. The process for constitution of a history of personal data according to claim 3, wherein said data model defines how blocks whereof the personal encrypted data correspond to digital activity of the terminal on a given date or to data received from a third party on a given date is attached in said sub-graph to a block whereof the personal encrypted data correspond to geolocation data of said terminal timestamped on said given date.
  • 5. The process for constitution of a history of personal data according to claim 1, said process comprising a step for integration in said sub-graph of a digital contract to which said user is party, said contract being encrypted by a public key of said terminal, a public key of at least one other party to the contract and a public key of a digital trust environment, said contract comprising at least: the symmetric encryption key of the user encrypted with a public key of the digital trust environment; andinstructions able to be executed by said digital trust environment to: (i) decrypt at least some of said personal data of said user with said symmetric encryption key;(ii) verify that the non-fungible token associated with the root block of the sub-graph belongs to said user;(iii) analyse said deciphered personal details; and(iv) provide a result of said analysis to at least one party to the contract.
  • 6. The constitution process of a history of personal data according to claim 1, comprising a step for generation of at least one second dynamic non-fungible token for said user and a step for association of a sub-graph of said sub-graph with a second dynamic non-fungible token.
  • 7. A management process, executed by a server for management of personal data of a plurality of users, this process comprising the management of a general database in which blocks are recorded, each block comprising said personal encrypted data of a said user, said blocks comprising the personal encrypted data of the same user being organised according to a blockchain constituting a sub-graph of the same general graph whereof the topology is defined by a preset data model, a root block of said sub-graph being associated with a dynamic non-fungible token of this user.
  • 8. The management process according to claim 7, said process comprising a step for management of a set of instances of a digital trust environment, a said instance being configured to: execute instructions defined in a digital contract for analysing some of said personal data of at least one user party to the contract, said contract comprising a symmetric encryption key of said at least one party to the contract encrypted with a public key of said instance of digital trust environment, said symmetric encryption key able to be utilised by said instance to decrypt said personal data to be analysed; andprovide a result of said analysis to at least one party to the contract.
  • 9. A terminal comprising a processor configured to perform: a step for obtaining a symmetric encryption key associated with a profile of the user;a step for collecting personal data of the user; andthroughout the collection of said personal data of the user: (i) a step for encryption of these-the personal data with the symmetric encryption key of this the user; and(ii) a recording step, in a general database, of blocks comprising said encrypted data, said blocks being organised according to a blockchain constituting a sub-graph of a general graph whereof the topology is defined by a preset data model, a root block of said sub-graph being associated with a dynamic non-fungible token of this user.
  • 10. A server for management of personal data of a plurality of users, this server comprising a processor configured to manage a general database in which blocks are recorded, each block comprising said personal encrypted data of a said user, said blocks comprising the personal encrypted data of the same user being organised according to a blockchain constituting a sub-graph of the same general graph whereof the topology is defined by a preset data model, a root block of said sub-graph being associated with a dynamic non-fungible token of this user.
  • 11. A computer program comprising instructions for the execution of a process for constitution of a history of personal data according to claim 1 when said program is run by a computer.
  • 12. The computer program comprising instructions for the execution of a process for management of personal data of a plurality of users according to claim 7 when said program is run by a computer.
Priority Claims (1)
Number Date Country Kind
FR2203641 Apr 2022 FR national
PCT Information
Filing Document Filing Date Country Kind
PCT/FR2023/050465 3/31/2023 WO