Pay-as-you-go business models have been used in many areas of commerce, from cellular telephones to commercial laundromats. In developing a pay-as-you go business, a provider, for example, a cellular telephone provider, offers the use of hardware (a cellular telephone) at a lower-than-market cost in exchange for a commitment to remain a subscriber to their network for a period of time. In this specific example, the customer receives a cellular phone for little or no money in exchange for signing a contract to become a subscriber for a given period of time. Over the course of the contract, the service provider recovers the cost of the hardware by charging the consumer for using the cellular phone. In addition to implementing the pay-as-you-go business model via subscriptions, another implementation of the pay-as-you-go business model allows the customer to pre-pay for a block of service units, i.e., “pay-per-use.” Using the cellular phone example, the customer may pre-pay for a block of 300 minutes. At the end of the 300 minutes, the customer may purchase additional blocks of service time or may return the phone to the service provider. The service provider may then contract out the phone to a different user.
The pay-as-you-go business model may incorporate a model of perpetual ownership. As part of a user agreement or contract, a service provider may allow the customer to take full unfettered ownership of the device after certain contractual conditions have been met. For example, the customer may take perpetual ownership of the device after a subscription period of so many years, or after having purchased so many blocks of service units. At the time of perpetual ownership, the service provider may turn off or disable pay-as-you-go features in the device and the customer may take possession of the device in a non-pay-as-you-go configuration.
The pay-as-you-go business model is predicated on the concept that the hardware provided has little or no value, or use, if disconnected from the service provider. To illustrate, should the subscriber mentioned above cease to pay his or her bill or the pay-per-use customer does not purchase additional blocks of time, the service provider deactivates the account, and while the cellular telephone may power up, calls cannot be made because the service provider will not allow them. The deactivated phone has no “salvage” value, because the phone will not work elsewhere and the component parts are not easily salvaged nor do they have a significant street value. In most cases, however, even though the phone has been deactivated it is still capable of connecting to the service provider in order to arrange restoration of the account. When the account is brought current, the service provider will re-authorize the device on its network and allow calling.
This model works well when the service provider, or other entity taking the financial risk of providing subsidized hardware, is able to enforce the terms of the contract as above. Because an electronic device, such as a computer, may have useful functions even when not connected to a network or server, a pay-as-you-go device may be responsible to self-administer contract enforcement. When the electronic device is responsible for self administration, a clock circuit may become a prime target for tampering because many business models are time based. For example, a subscription good for one calendar month may never expire if the clock is tampered with to keep the time within the valid month.
The communication between entities in the pay-as-you-go system requires a unified schema to support the various forms of packets. The schema needs to be elegant and robust to support provisioning, metering, and other types of configuration messages as well as to provide a foundation for any future messages needed for product evolution. The schema also needs to have security at multiple levels to guard against malicious users who may try to hook into the system to fraudulently use and/or configure the electronic devices for their own use and gain.
This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
A system supporting pay-as-you-go electronic devices requires that all communication from the electronic devices include the current time at the electronic device initiating the communication. The communication may be a request to add value to a timed usage or subscription account. If the current time at the electronic device is not within an allowable limit, a response message may include an updated time. The original request may be deferred or denied until the electronic device communicates a message with an acceptable current time. If repeated communications from the electronic device contain invalid current times, the electronic device in question may be blocked from being sent further responses until an appropriate service action may be taken to determine if tampering or a hardware failure have occurred.
If the current time at the electronic device is within the allowable limit, processing may proceed normally. To discourage fraudulent messages, application-level security may be applied to communications by encrypting and signing messages between a secure module in the electronic device and a trusted server. The trusted server may also communicate other information to the electronic device, such as how to configure to enforce terms of a service contract, any changes to contract terms, if the end-user has fulfilled the ownership requirements and has unfettered use of the electronic device, if the end-user has returned the electronic device back to the service provider and the device is not associated with any end-user, and other such provisioning information. Additionally, the service provider may also communicate with the electronic device locally to (re)configure the pay-as-you-go configuration (e.g., after end-user A has ended his/her contract and turned in the device and before it is contracted out to end-user B) or to disable pay-as-you-go altogether (e.g., if the service provider wishes to sell the electronic device in a non-pay-as-you-go mode).
Methods and a program of instruction for communicating between elements in a pay-as-you-go system may utilize a provisioning packet schema. This packet schema may be used for defining the communication from a provisioning server to an electronic device adapted for use in a pay-as-you-go system by the addition of a local provisioning system, from the electronic device to the provisioning server, or from a local service provider to the electronic device. The packet schema may take the form of a four-level schema, and may comport with XML, TLV, other such languages or combinations thereof.
The first level of the four level schema may contain the actual packet content data to be consumed by an entity in the pay-as-you-go system and additional administrative information such as but not limited to: pre-paid card/subscription, sender, sequence and tracking identifiers; creation date; conversation thread sequence numbers; and the like. The packet content data may consist of a provisioning instruction with a specific content type and any other additional data needed to process that specific content type. Examples of content types may include information from the provisioning server to the electronic device adapted for use in a pay-as-you-go environment such as an indication of the contract type and length (whether pre-paid or subscription), an indication that the end-user has fulfilled the contract obligations and fully owns the electronic device, an indication that the end-user has returned the electronic device to the service provider and provisioning needs to be suspended until the next end-user, and a desired configuration of metering and other electronic device behavior to enforce contract terms. Other content types and their associated fields are also possible.
For communication generated at an electronic device adapted for use in a pay-as-you-go environment, the packet schema may define a request content type that may contain information on the metering state, last sequence number, platform and software version indicators, pay-as-you-go contract balance, debugging code fields and state information. The packet schema may also define the packet content data received and interpreted by the electronic device. These content types may include all of the aforementioned provisioning instruction content types able to be generated by the provisioning server, as well as provisioning instructions able to be generated locally by the service provider, including but not limited to an indication to disable local service provisioning and an indication of the desired pay-as-you-go configuration.
The second level of the four level schema may contain the packet content of the first level, a version identifier of the schema, and a signature which may be RSA or may be another public-key encryption algorithm. The security at the second level may ensure that the packet content data is signed by the required source.
The third level of the four level schema may contain the encrypted data of the first and the second layers to prevent the communicated packet data from being exposed. Additional security may be provided by including the sender's identifier and the session identifier for use as keys to decrypt the data.
The fourth level of the four level schema may contain the data of the first three levels, the version of the schema, and a hash to prevent tampering. The hash may use a MAC (message authentication code) for the first, second, and third layers, or it may use another cryptographic hashing mechanism to authenticate the message.
a describes a method for communicating between a provisioning server system and an electronic device in a pay-as-you-go system;
Although the following text sets forth a detailed description of numerous different embodiments, it should be understood that the legal scope of the description is defined by the words of the claims set forth at the end of this patent. The detailed description is to be construed as exemplary only and does not describe every possible embodiment since describing every possible embodiment would be impractical, if not impossible. Numerous alternative embodiments could be implemented, using either current technology or technology developed after the filing date of this patent, which would still fall within the scope of the claims.
It should also be understood that, unless a term is expressly defined in this patent using the sentence “As used herein, the term ‘______’ is hereby defined to mean . . . ” or a similar sentence, there is no intent to limit the meaning of that term, either expressly or by implication, beyond its plain or ordinary meaning, and such term should not be interpreted to be limited in scope based on any statement made in any section of this patent (other than the language of the claims). To the extent that any term recited in the claims at the end of this patent is referred to in this patent in a manner consistent with a single meaning, that is done for sake of clarity only so as to not confuse the reader, and it is not intended that such claim term by limited, by implication or otherwise, to that single meaning. Finally, unless a claim element is defined by reciting the word “means” and a function without the recital of any structure, it is not intended that the scope of any claim element be interpreted based on the application of 35 U.S.C. §112, sixth paragraph.
Much of the inventive functionality and many of the inventive principles are best implemented with or in software programs or instructions and integrated circuits (ICs) such as application specific ICs. It is expected that one of ordinary skill, notwithstanding possibly significant effort and many design choices motivated by, for example, available time, current technology, and economic considerations, when guided by the concepts and principles disclosed herein will be readily capable of generating such software instructions and programs and ICs with minimal experimentation. Therefore, in the interest of brevity and minimization of any risk of obscuring the principles and concepts in accordance to the present invention, further discussion of such software and ICs, if any, will be limited to the essentials with respect to the principles and concepts of the preferred embodiments.
Many prior-art high-value computers, personal digital assistants, organizers, and the like, are not suitable for use in a pre-pay or pay-for-use business model as is. The device must be adapted to support the business model by having the ability to meter time, enforce contract conditions, communicate with a provisioning system, and other such behaviors. In the pay-as-you-go business model, a service provider owns the adapted physical device (computer, PDA, organizer, etc.) and enters into a contract or service agreement for device usage with an end-user. The service agreement may be a subscription with a fee to be paid at a regular interval, it may be a pre-paid card or account with a fixed amount of usage time that may be replenished by the end-user, or it may be some other similar pay-as-you-go arrangement. When certain terms of the service agreement have been fulfilled by the end-user (e.g., paid subscription over a pre-defined length of time or paid for a pre-defined number of minutes), the service provider may transfer full ownership of the device to the end-user and the device would enter a perpetual non-metered state for unfettered use.
The ability to enforce a contract requires a service provider, or other enforcement entity, to be able to affect a device's operation even though the device may not be connected to the service provider, e.g. connected to the Internet. A first stage of enforcement may include a simple pop up warning, indicating the terms of the contract are nearing a critical point. A second stage of enforcement, for example, after pay-per-use minutes have expired or a subscription period has lapsed, may be to present a system modal user interface for adding value and restoring service. A provider's ultimate leverage for enforcing the terms of a subscription or pay-per-use agreement is to disable the device. Such a dramatic step may be appropriate when it appears that the user has made a deliberate attempt to subvert the metering or other security systems active in the device.
Uses for the ability to place an electronic device into a limited function or hardware locked mode may extend beyond subscription and pay-per-use applications. For example, techniques for capacity consumption could be used for licensing enforcement of an operating system or individual applications.
The computer 110 may include a security module 125. The security module 125 may be enabled to perform security monitoring, pay-per-use and subscription usage management, and policy enforcement related to terms and conditions associated with paid use, particularly in a subsidized purchase business model. The security module 125 may be embodied in the processing unit 120, as a standalone component, or in a hybrid, such as a multi-chip module. A clock 126 may be incorporated into the security module 125 to help ensure tamper resistance. To allow user management of local time setting, including daylight savings or movement between time zones, the clock 126 may maintain its time in a coordinated universal time (UTC) format and user time calculated using a user-settable offset. The security module 125 may also include a cryptographic function (not depicted).
Computer 110 typically includes a variety of computer readable media. Computer readable media can be any available media that can be accessed by computer 110 and includes both volatile and nonvolatile media, removable and non-removable media. By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed by computer 110.
The system memory 130 includes computer storage media in the form of volatile and/or nonvolatile memory such as read only memory (ROM) 131 and random access memory (RAM) 132. A basic input/output system 133 (BIOS), containing the basic routines that help to transfer information between elements within computer 110, such as during start-up, is typically stored in ROM 131. RAM 132 typically contains data and/or program modules that are immediately accessible to and/or presently being operated on by processing unit 120. By way of example, and not limitation,
The computer 110 may also include other removable/non-removable, volatile/nonvolatile computer storage media. By way of example only,
The drives and their associated computer storage media discussed above and illustrated in
The computer 110 may operate in a networked environment using logical connections to one or more remote computers (not depicted) over a network interface 170, such as broadband Ethernet connection or other known network.
An accounting server 210 may be linked to the provisioning server 202 and may maintain account data corresponding to the electronic device 204. The accounting server 210 may also serve as a clearinghouse for financial transactions related to the electronic device 204, such as replenishing or adding value to a pay-as-you-go account maintained on the electronic device 204. For example, an end-user may transfer funds to an account maintained on the accounting server 210 for use in an add-value or subscription transaction. The accounting server 210 itself may have a link to a scratch card system (not depicted) allowing the end-user to purchase a card at retail and use a hidden number to replenish his or her account. Other prepaid account funds transfer systems are well known, for example, with respect to prepaid cellular phones, and are equally applicable in this business model.
The architecture and functionality of the provisioning server 202 are discussed in detail in U.S. patent application Ser. No. 11/668,439. To paraphrase here for the reader's context, the provisioning server 202 may accept an authentication packet, or request, from an electronic device 204206 adapted for use in a pay-as-you-go system and may determine whether to process the request or reply with related information or instructions. Operations of the electronic devices 204206 adapted for use in a pay-as-you-go system are also discussed in more detail in U.S. patent application Ser. No. 11/668,439. Briefly, the metered-use electronic devices 204206 may receive a packet from a provisioning server 202 through a network 208 that may include landline, wireless, or broadband networks, or other networks known in the art. The electronic devices 204206 may also receive a packet/message from a local on-site service provider 214 via a USB, Ethernet, or other such connection known in the art. The electronic devices 204206 may determine how and if to process the message, including potentially replying with a response. The packing and unpacking of packets/messages and related subsequent processing, actions, and responses are disclosed by U.S. patent app. Ser. No. 11/668,439.
The provisioning instruction 332 may have a content type 340. This content type 340 may be one of many different types with unique meanings.
A provisioning instruction 332 with a configuration content type 362 may indicate a desired configuration of the pay-as-you-go electronic device 204206. The fields defining the desired configuration may include one or more of the following: an enforcement level 364 that may inform the local provisioning system 212 of desired action(s) (e.g., reboot, add grace time, etc.) to take when pay-as-you-go conditions expire, a maximum reserve tank time 366 to indicate a borrowed amount of time from a future pre-paid card or subscription purchase to use to when an end-user's pay-as-you-go conditions expire, an indication of time to perpetual ownership 368, and a session identification timeout value 372 to inform the local provisioning system 212 how to adjust a timeout value for a session. Other fields may also be included with configuration content type 362 to support configuring of the pay-as-you-go electronic device 204206.
Of course, the range of content types 340 in the provisioning instruction 332 is not limited to the content types listed here, but may include other types to support necessary communication between a provisioning server 202 and an electronic device adapted for use in a pay-as-you-go system 204206.
a illustrates an embodiment of a method 450 for communicating between a provisioning server system 202 and an electronic device 206 that may comport with a four-level schema. At the start 453, a provisioning instruction is generated 457 which may contain a content type 340 and associated fields. The range of the content type 340 and associated fields may be a content type and fields as described by
A pre-paid content type 623 may indicate that an end-user has purchased a set amount of time using a scratch-off card, access code, or other such means. A subscription content type 626 may indicate that an end-user has paid for an interval of subscription time (which may be daily, monthly, etc.) and may further indicate the expiration date of the subscription. A refurbish content type 630 may indicate that a pay-as-you-go electronic device 204206 has been returned to the service provider by an end-user and is temporarily in a dormant/inactive mode. A perpetual content type 633 may indicate that an end-user has fulfilled the criteria for ownership and has unlimited use of the pay-as-you-go electronic device 204206.
A provisioning instruction 612 with a configuration content type 637 may be interpreted as communicating a desired configuration of the pay-as-you-go electronic device 204206. With the configuration content type 637, additional fields used to specify the desired configuration may be similar to those defined in packet 300 of
A provisioning instruction 612 with an OEM configuration content type 638 may indicate a desired configuration of the electronic device adapted for a pay-as-you-go system 204206. The fields defining the desired configuration may include one or more of the following: an initial balance of time 640, an enforcement level 643 that may inform the local provisioning system 212 of desired action(s) (e.g., reboot, add grace time, etc.) to take when pay-as-you-go conditions expire, a maximum reserve tank time 646 to indicate a borrowed amount of time from a future pre-paid card or subscription purchase to use to when an end-user's pay-as-you-go conditions expire, a service provider identification 650, a hardware lock mode image 653, and a session identification timeout value 656.
An exemplary implementation of the packet schema may be represented by the following:
Although the forgoing text sets forth a detailed description of numerous different embodiments, it should be understood that the scope of the patent is defined by the words of the claims set forth at the end of this patent. The detailed description is to be construed as exemplary only and does not describe every possible embodiment because describing every possible embodiment would be impractical, if not impossible. Numerous alternative embodiments could be implemented, using either current technology or technology developed after the filing date of this patent, which would still fall within the scope of the claims.
Thus, many modifications and variations may be made in the techniques and structures described and illustrated herein without departing from the spirit and scope of the present claims. Accordingly, it should be understood that the methods and apparatus described herein are illustrative only and are not limiting upon the scope of the claims.