Reliable reporting of location data

Abstract
A machine, such as a mobile device having telephony features, such as a voice over Internet Protocol (VoIP) telephony application, is configured with a secure environment in which a location provider within (more reliable) or external to (less reliable) the machine may determine location data for the machine and securely provide it to a telephony application program for incorporation into a call setup for calling a callee. The secure environment may be created through use of one or more of Intel's LaGrande Technology™ (LT), Vanderpool Technology (VT), or a Trusted Platform Module (TPM). The LT and VT allow defining secure independent components within the machine, such as by instantiating them as Virtual Machines, and the TPM allows components to cryptographically sign data, such as to facilitate ensuring the location data is not tampered with. A recipient of a telephone call setup including cryptographically secured location data may validate the location data and accept the call. Other embodiments may be described.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

The features and advantages of the present invention will become apparent from the following detailed description of the present invention in which:

FIG. 1 illustrates a high-level data flow according to one embodiment for a platform having securely communicating domains to prevent tampering with data generated in one domain of the platform by another domain of the platform.

FIG. 2 illustrates a system according to one embodiment that may be used in lieu of assigning static location information to mobile telephony devices.

FIG. 3 is a state diagram illustrating a call flow according to one embodiment for a call to an E911 service.

FIG. 4 illustrates a suitable computing environment in which certain aspects of the invention may be implemented.

Claims
  • 1. A machine comprising: a first virtual machine hosting at least an application domain including a telephony application; a second virtual machine hosting at least a location provider to determine a current location for the machine; a communication channel communicatively coupling at least the application domain and the location provider; and a domain mediator to mediate access to the trusted location provider over the inter-domain communication channel, mediation including securely providing location data from the location provider to the application domain.
  • 2. The machine of claim 1, further comprising: a trusted platform module communicatively coupled to selected ones of: the application domain and the location provider; wherein the trusted platform module is configured to cryptographically secure location data of said coupled ones of the application domain and location provider.
  • 3. The machine of claim 2 wherein the trusted platform module signs location data determined by the location provider to prevent tampering therewith.
  • 4. The machine of claim 3, wherein the location provider is configured to determine the location data, sign it with the trusted platform module, and send the signed location data to the domain mediator, and wherein the domain mediator is configured to secondarily sign the location data with the trusted platform module and provide the doubly signed location data to the application domain.
  • 5. The machine of claim 1, further comprising selected ones of: a user storage in the application domain for storing at least user policies or rules constraining performing tasks, wherein the telephony application is configured to review the policies or rules to confirm availability of performing a telephony task; a policy manager component of the domain mediator for modifying data mediated by the domain mediator in accord with platform administrator policies; or a rules manager component of the domain mediator for modifying data mediated by the domain mediator in accord with platform administrator policies.
  • 6. The machine of claim 1, further comprising: a user storage in the application domain for storing at least rules constraining performing tasks, said rules including a privacy rule requiring modifying location data; wherein the telephony application is configured to review said rules to confirm availability of performing initiating a telephony connection and to modify the location data as needed in accord with the privacy rule.
  • 7. The machine of claim 1 further comprising a virtual machine manager configured to provide the communication channel.
  • 8. The machine of claim 1 further comprising a global positioning system (GPS) class of device to provide the current location, the GPS communicatively coupled to the location provider of the second virtual machine.
  • 9. The machine of claim 8 wherein the GPS class of device is disposed within the machine.
  • 10. The machine of claim 1 wherein the location provider is configured to provide a reliability factor to indicate a confidence in the current location.
  • 11. A method for using a machine having a first virtual machine hosting a telephony application, a second virtual machine hosting a location provider to determine a current location for the machine, and a domain mediator to mediate access to the trusted location provider, comprising: configuring the telephony application to provide at least a portion of the current location of the machine along with a call; initiating the call, and responsive thereto, requesting from the domain mediator the current location from the location provider; and receiving from the domain mediator a signed location data identifying the current location, the location data being signed by selected ones of the location provider and the domain mediator; and validating the location data has not been tampered with based at least in part on said signing by selected ones of the location provider and domain mediator.
  • 12. The method of claim 11, further comprising modifying the location data as needed in accord with a user privacy policy.
  • 13. The method of claim 11, further comprising determining the location data was altered after being provided by the location provider.
  • 14. The method of claim 11, further comprising: cryptographically signing the location data with a trusted platform module disposed within the machine.
  • 15. The method of claim 11 wherein said signing by selected ones of the location provider and domain mediator comprises: the location provider determining the location data and first signing it; and the domain mediator secondarily signing the location data with the TPM and providing the doubly signed location data to the application domain.
  • 16. The method of claim 11, further comprising: the location provider applying a first cryptographic security to the location data to facilitate identifying tampering with the location data; and the domain mediator modifying the location data in accord with platform administrator policy and applying a second cryptographic security to facilitate determining tampering with the modified location data.
  • 17. The method of claim 16, further comprising the telephony application reviewing policies or rules stored in a user storage in the application domain to confirm availability of performing a telephony task prior to performing said task.
  • 18. The method of claim 11, further comprising the telephony application reviewing policies or rules stored in a user storage associated with the application domain to confirm availability of performing a telephony task.
  • 19. The method of claim 18, further comprising: determining if a user privacy rule requires modifying location data; and modifying the location data as needed in accord with the user privacy rule.
  • 20. A method for reliably providing location data, comprising: initiating a telephony connection to a callee with a telephony application; checking local policy for permission to provide a current location of the telephony application with the telephony connection; requesting the current location from a trusted location services domain (TLSD) and responsive thereto the TLSD requesting the TLSD from a trusted location provider; receiving by the TLSD of a location bundle including the current location and being first cryptographically secured against tampering; and the TLSD second cryptographically securing the location bundle against tampering and providing said secondarily secured bundle to the telephony application.
  • 21. The method of claim 20, further comprising the telephony application checking local policy for a requirement associated with the callee to modify the current location provided with the telephony connection to the callee.
  • 22. The method of claim 20, wherein the telephony connection includes making an E911 telephone call.
  • 23. A method for reliably providing user identification, comprising: providing a first virtual machine hosting a user application and a local policy store storing user policies constraining operation of the user application; providing a second virtual machine hosting a trusted mediator for mediating access to resources providing confidential data including the user identification; checking the local policy store for a preventive policy precluding providing the confidential data along with establishing a data connection to a data recipient; if no preventive policy, initiating the data connection including requesting the trusted mediator obtain the confidential data for establishing the data connection; and receiving by the trusted mediator a first cryptographically signed confidential data from a trusted source, and responsive thereto, providing a second cryptographically signed confidential data to the application program.
  • 24. The method of claim 23, wherein the first cryptographically signed confidential data is the same as the second cryptographically signed confidential data.
  • 25. The method of claim 23, wherein the second cryptographically signed confidential data comprises a secondary signing by the trusted mediator of the first cryptographically signed confidential data.
  • 26. The method of claim 23, further comprising providing an eavesdrop-resistant inter-virtual machine communication channel communicatively coupling the first and second virtual machines.
  • 27. An article comprising a machine-readable medium having one or more associated instructions for using a machine utilizing virtual machines to separately host selected operations of the machine, wherein the one or more instructions, if executed, results in the machine performing: configuring a telephony application of a first virtual machine to provide at least a portion of the current location of the machine along with a call; initiating the call, and responsive thereto, requesting from a domain mediator of a second virtual machine the current location from the location provider; and receiving from the domain mediator a doubly signed location data identifying the current location, the location data being first signed by the location provider and second signed by the domain mediator; and validating the location data has not been tampered with based at least in part on selected ones of the first signature and the second signature.
  • 28. The article of claim 27 wherein the machine-readable media further includes instructions, when executed, results in the machine modifying the location data as needed in accord with a user privacy policy.
  • 29. The article of claim 27 wherein the machine-readable media further includes instructions, when executed, results in the machine determining the location data was altered after being provided by the location provider.
  • 30. The article of claim 27 wherein the machine-readable media further includes instructions, when executed, results in the machine cryptographically signing the location data with a trusted platform module disposed within the machine.
  • 31. The article of claim 27 wherein the machine-readable media further includes instructions, when executed, results in the telephony application reviewing policies or rules stored in a user storage in the application domain to confirm availability of performing a telephony task prior to performing said task.
  • 32. The article of claim 27 wherein the machine-readable media further includes instructions, when executed, results in the machine performing: determining if a user privacy rule requires modifying location data; and modifying the location data as needed in accord with the user privacy rule.
  • 33. An article comprising a machine-readable medium having one or more associated instructions for reliably providing location data, wherein the one or more instructions, if executed, results in a machine performing: initiating a telephony connection to a callee with a telephony application; checking local policy for permission to provide a current location of the telephony application with the telephony connection; requesting the current location from a trusted location services domain (TLSD) and responsive thereto the TLSD requesting the TLSD from a trusted location provider; receiving by the TLSD of a location bundle including the current location and being first cryptographically secured against tampering; and the TLSD second cryptographically securing the location bundle against tampering and providing said secondarily secured bundle to the telephony application.
  • 34. The article of claim 33 wherein the machine-readable media further includes instructions, when executed, results in the telephony application checking local policy for a requirement associated with the callee to modify the current location provided with the telephony connection to the callee.
  • 35. The article of claim 33, wherein the telephony connection includes making an E911 telephone call.
  • 36. An article comprising a machine-readable medium having one or more associated instructions for reliably providing location data, wherein the one or more instructions, if executed, results in a machine performing: providing a first virtual machine hosting a user application and a local policy store storing user policies constraining operation of the user application; providing a second virtual machine hosting a trusted mediator for mediating access to resources providing confidential data including the user identification; checking the local policy store for a preventive policy precluding providing the confidential data along with establishing a data connection to a data recipient; if no preventive policy, initiating the data connection including requesting the trusted mediator obtain the confidential data for establishing the data connection; and receiving by the trusted mediator a first cryptographically signed confidential data from a trusted source, and responsive thereto, providing a second cryptographically signed confidential data to the application program.
  • 37. The article of claim 36, wherein the first cryptographically signed confidential data is the same as the second cryptographically signed confidential data.
  • 38. The article of claim 36, wherein the second cryptographically signed confidential data comprises a secondary signing by the trusted mediator of the first cryptographically signed confidential data.
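As an added illustration (not code from the patent), a Python model of the double-signing chain the abstract and claims 4, 16 and 20 describe: the location provider signs the bundle, the domain mediator checks that signature, applies administrator policy and signs again, and the callee validates both signatures before trusting the location. HMAC-SHA256 with constructed per-domain keys stands in for TPM signing, and the key names, policy fields and coarsening rule are assumptions.

```python
import hashlib, hmac, json

# Constructed keys standing in for TPM-held signing keys (one per domain);
# HMAC-SHA256 stands in for the TPM signature operation the patent describes.
PROVIDER_KEY = b"constructed-location-provider-key"
MEDIATOR_KEY = b"constructed-domain-mediator-key"

def _sign(key, obj):
    # Canonical JSON so signer and verifier hash identical bytes.
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def _verify(key, obj, sig):
    return hmac.compare_digest(sig, _sign(key, obj))

def policy_permits_location(callee, user_rules):
    """Telephony app (first VM): consult user-storage rules before attaching
    a location to the call setup (claims 5, 6 and 20). Rule names are assumed."""
    if callee in user_rules.get("always_provide", ()):
        return True  # e.g. E911, which the user never withholds location from
    return not user_rules.get("withhold_by_default", False)

def provider_bundle(lat, lon, reliability):
    """Location provider (second VM): bundle with reliability factor (claim 10), first-signed."""
    loc = {"lat": lat, "lon": lon, "reliability": reliability}
    return {"location": loc, "provider_sig": _sign(PROVIDER_KEY, loc)}

def mediator_bundle(bundle, admin_policy):
    """Domain mediator: reject a bundle altered in transit, apply administrator
    policy, then secondarily sign (claims 4 and 16)."""
    if not _verify(PROVIDER_KEY, bundle["location"], bundle["provider_sig"]):
        raise ValueError("provider signature invalid: altered before mediation")
    mediated = dict(bundle["location"])
    decimals = admin_policy.get("coarsen_to_decimals")
    if decimals is not None:  # assumed administrator policy: reduce precision
        mediated["lat"] = round(mediated["lat"], decimals)
        mediated["lon"] = round(mediated["lon"], decimals)
    outer = {"original": bundle, "mediated": mediated}
    return {**outer, "mediator_sig": _sign(MEDIATOR_KEY, outer)}

def validate(doubly_signed):
    """Callee side: both signatures must hold; returns mediated location or None if altered."""
    outer = {"original": doubly_signed["original"], "mediated": doubly_signed["mediated"]}
    if not _verify(MEDIATOR_KEY, outer, doubly_signed["mediator_sig"]):
        return None
    inner = doubly_signed["original"]
    if not _verify(PROVIDER_KEY, inner["location"], inner["provider_sig"]):
        return None
    return doubly_signed["mediated"]
```

The inner signature lets the callee detect alteration between provider and mediator even when the outer signature is valid, which is the point of signing twice rather than once.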
Continuation in Parts (1)
Relation  Number    Date      Country
Parent    11322683  Dec 2005  US
Child     11368374            US