SECURITY ACCOUNT FOR ONLINE AND OFFLINE TRANSACTIONS

COMPTE DE SECURITE POUR TRANSACTIONS EN LIGNE ET HORS LIGNE

English Abstract

Comprised of a computer account, bearing a computer address within a data
bank, which functions somewhat
similarly to a firewall proxy, and which is assigned, by the administrators of
the data bank, to an individual
person or legal entity (the account holder(s)), usually in exchange of a
service fee, and which is used to effect
various types of transactions of information or data, stored or recorded in
subsidiary accounts, relative to the
security account, and which are exclusively accessible to the account holder
and administered by him, such
transactions having been preauthorized by the account holder in view of the
person or group or legal entity
requesting access to, or having been granted access to, or transfer of,
specific information or data from the
security account.

Claims

CLAIMS:
I claim:
1. A system of secondary proxy firewall accounts (the security accounts) which
are located behind and
subjected to the rules and control of a normal proxy firewall system,
established according to standard
available commercial practice and controlling access to a network server or
data bank (either or both being
possibly implemented in a distributed architecture), each security account
being comprised of:
a) a process and methods (computer hardware or software) permitting the
primary administrators of
the primary proxy firewall to assign a computer address, within a computer
data bank or computer server, to
each secondary proxy firewall account such that they can be accessed from a
local network, a wide area
network, or the Internet, each of the latter under the control of the primary
proxy firewall, and that
communications are occurring under normal or standard commercially available
conditions, such as the
telephone, cable or broadband Internet systems, radio link, secured virtual
private network links or leased
lines, or through customer service operations offered by banking, service or
government institutions, or
their agents;
b) a process and methods (computer hardware or software) of creating and
assigning such secondary
proxy firewall accounts (henceforth, the subsidiary security accounts) to
specific users or legal entities (the
assignees), normally in exchange of a service fee;
c) a process and computer methods (computer hardware or software) of
transferring control and
administrative priviledges of the security account to the assignee of said
security account (secondary proxy
firewall);
d) a process and computer methods (hardware or software) allowing the assignee
to create additional
subsidiary accounts (or computer addresses), relative to the assignee's
primary security account, each
of which may be provided, by the assignee of the primary security account
according to his designs,
with certain capabilities and limitations according to the possibilities to
which he has been given
access to (or her) by the administrator of the primary proxy firewall, in the
form of a tool kit of design
applications, menu of functions or function library, procedures, rule engines
and data types,
preferably in a form that makes these usable by novice users, and which are
used to effect various
types of transactions or transformations of information or data, stored or
recorded in the subsidiary
accounts, relative to the primary security account; these access rules can be
established as a function
of criteria that can be related to location, type of service offered by
incoming requests, time period or
date, frequency or periodicity;
e) a process and computer methods such that the the assignee (the account
holder) is given exclusive
access to the primary security account as well as to the subsidiary security
accounts he has created and

administers, and such access is implemented through high security encrypted
communications requiring
the use of current available techniques, such as those requiring the use of
public-private keys;
f) a process and computer methods which allow the security account assignees
(the account
holders) to enter or delete data into the security accounts, as well as to
effect and/or preauthorize, by
implementing rules into the primary security account (the secondary firewall
proxy) affecting various
transactions between the subsidiary security accounts and the primary security
account, in regards to
specific external client requests or transactions arriving at the primary
security account;
g) a process and computer methods which allow the execution, or denial of,
transactions that have
been preauthorized by the assignee (the security account holder), in view of
the person or group or legal entity
requesting access to, or having been granted access to, or transfer of,
specific information or data from the
primary security account;
h) a process and computer methods which permit the implementation, by the
assignee (the account
holder), of the rules of acceptance, or refusal of, a transaction request
submitted by a requesting party,
institution or machine, according to the nature of the information, data or
funds requested or preauthorized for
transfer, in view of a specific transaction or class of transactions or
request, which are external to the primary
security account;
h) a process and computer methods which ensures that each access or
transaction is recorded
according to a normalized format, most likely in XML, in the appropriate
designated subsidiary account
of each of the agents or participants to the security account system, that a
permanent record of the legal
framework or clauses pertaining to a particular transaction, or a permament
link to such, in both the first
party's subsidiary account pertaining to the second party, as well as the
second party's subsidiary account
pertaining to the first party.
2. A process and. computer methods such that an individual or institution
implementing such a system
needs to create its own primary security account, as described in claim (1),
comprised of:
a) a process or computer methods of adding to its own primary security
account, at least one
subsidiary security account for each agent (be it human, computer, machine or
otherwise) or
employee it has under its juridiction that will interact with the security
account system;
b) a process and computer methods of registering in subsidiary accounts
relating respectively to
each agent or employee, according to a normalized format most likely
implemented in XML
format, verified and authenticated copies of documents relating to identity,
credentials and
assigned roles of each of the agents or employees of the individual or
institution, such that each
entry becomes permamently stored in the account and to which access rules may
be
implemented, as always by the account holder;
c) a process and computer methods permitting agents or employees of the
institution or data bank

to then be assigned their own primary security account (or to use one they may
already have
access to) to which they have primary access as they are now the primary
account holders of
these new primary security accounts, as in claim (1),
d) a process and computer methods allowing the creation of read-only links
from one specific
security account or subsidiary security account to another, which belongs to a
different assignee
or administrator, such as in claim (2)(b) (such as verified credential or role-
based data being
accessed by its bearer from the emitting institution), but such information
being accessible
through a read-only link to the security subsidiary account of the institution
or data bank to which
they are related, and linked;
d) a process and computer methods allowing an assignee to implement and
export, a read-only
link to other security accounts being controlled by external agents,
individuals or institutions,
according to the rules implemented in the original link by its owning
assignee, in order, for
example, to allow communicating to an external agent the existence of a
verified authenticated
role, credential, identity, licence, and such data, in other words, creating a
read-only link, which
is exported, to a read-only link;
e) a process and computer methods allowing an assignee of a security account,
as in claim (1), to
use their security account for their own purposes and transactions, and create
additional
subsidiary security accounts pertaining to other functions, companies, data
banks or institutions,
which would be subjected to the access controls implemented by each account
holder, in regards
to each specific request for information or data pertaining to each specific
transaction with one of
these agents or entities;
f) a process and computer methods allowing a security account assignee (a
security account
holder) to establish a standard document in a subsidiary security account
which is publicly and
freely accessible by accessing its security account through the Internet, or
through another
network, which could correspond to a normal web page, or e-mail address, the
access to each
being possibly restricted according to a specific rule set.
3. A process and computer methods such that the primary or subsidiary security
accounts, as
described in (1), may be created and linked to a security account card (a
standard bank card
having a simple magnetic stripe or to a smart card or other computer memory
device) comprising:
a) A process and computer methods to permit machine reading of the computer
address or other
information relative to the said security account, or to a smart card or other
memory device, and
which allows its use as a normal debit or credit card when subsidiary accounts
are created
specifically for financial transactions, by using the appropriate data types,
for example, or

allowing linkage to regular bank debit, credit, savings or other financial
accounts, or lines of
credit, possibly active within multiple external banking or financial
institutions;
b) a process and computer methods for the security account holder to implement
the means of
restricting access to such external accounts through the security account rule
set, which is implemented on
the security account, and where such restricted access is directed to specific
requests being addressed by
external agents to the security account, and the implemented rule set allows
transactions to be fulfilled, or not,
in response to the specific requests, in accordance to the directives
implemented by the security account
holder, within the constraints of the tools, procedures and rules put at the
assignee's disposal by the primary
external proxy firewall administrators;
c) a process and computer methods implementing a secure communication channel,
possibly
through a virtual private network, or secured leased lines between the primary
firewall administrations,
whereby effecting preapproved electronic financial transactions, where both
the assignee and the remote web
site are security account holders, as in claim (1), and where one of the
parties establishes a read-only link to a
contract, purchase ordE:r or other form, while the other party establishes a
read-only link to a payment
preappoval and verified identity information, for example, but transactions
could also be effected througth the
Internet, an appropriately configured ATM, or in person at a vendor with an
active security account terminal;
d) a process and computer methods implementing a secure link, during financial
transactions, in
the vendor's new subsidiary account linked to the purchaser's identity, if
required, relating to the
particular transaction, indicating to the vendor, that this particular
transaction has in fact been
preauthorized by the purchaser, and that a transfer of funds or data, relating
to this transaction, has
been preauthorized by the purchaser (the account holder) and are available to
the vendor;
e) a process and computer methods implementing a means of guaranteeing to the
vendor (or other
party) the availability of funds or other information or data for a particular
transaction, if so required
and accepted by both parties, and the possibility of witholding preauthorized
funds, or data, relating
to a particular transaction until it can be verified, possibly through a third
party, or other agent, also
using a security account, that goods have been shipped, or that a service has
been delivered or
effected, in which case, the purchaser might have the opportunity to cancel
the transaction by
withdrawing his autorisation for this particular transaction up to the moment
of shipment, or some
other stipulation, for example;
f) a process and computer methods to implement a means for the account holder
to establish links to
permanent information maintained in the subsidiary accounts relating to him in
external security accounts with
which he may have a relationship, and where such a link is required to be
established with another account
holder's subsidiary account, or is useful is some fashion, so as to give
access to the permanent verifiable
information relevant to the first account holder, such as professional
accreditations, licenses or government
authorizations;

g) a process and computer methods to implement a means for allowing role based
access control
by a first assignee logging-in to his own security account, possibly to access
role based authorization data
in a third-party's linked security account, and then reading-in another
assignee's security card in order to
access information uniquely related to the verified role authorized by the
information obtained from the
third-party's security account, relating to the first party.

Description

CA 02507346 2006-08-14
2507346 SECURITY ACCOUNT FOR ONLINE AND OFFLINE TRANSACTIONS Pierre Richard
Godsey PAGE : 3 / 11
DESCRIPTION:
Consisting of a computer address within a data bank, which functions somewhat
similarly to a firewall proxy,
and which is assigned, by the administrators of the data bank, to an
individual person or legal entity (the
account holder(s)), usually in exchange of a service fee, and which is used to
effect various types of
transactions of information or data, such transactions having been
preauthorized by the account holder in view
of the person or group or legal entity requesting access to, or having been
granted access to, or transfer of,
specific information or data.
The distinction between this device and a normal firewall proxy is that the
administration and authorization is
established by the security account holder and not by the data bank
administrator, and also that this is not a
firewall that has an effect at the protocol or packet level, although it might
be implemented as such. The rules
of acceptance or refusal of a transaction are determined by the account holder
in relation to the nature of the
information or data requested or preauthorized for transfer, in view of a
specific transaction or class of
transactions. These rules can be established as a function of criteria that
can be related to location, type of
service offered by the requestor or according to his identity, date or time
period, frequency or periodicity, and
such rules would be made available to the account holder, by the administrator
of the data bank, in the form of
a software tool kit, rult; engine, menu of options or library of functions put
at his disposal.
The requestor (client request) would normally be the holder of, and thus have
access to, a similar security
account, so as to facilitate the transaction through the network linked to the
data bank, but transactions could
also be effected througth the Internet, or through a vendor's terminal. The
said data bank could be
implemented in a distributed fashion, or similar security accounts could be
located in distinct data banks,
capable of security and transparent communications between each other.
As an example of how this might be used, a purchaser shopping online
highlights the total amount of a
transaction and clicks his right mouse-button item which is programmed at the
vendor's site, as well as at the
client's browser to effect a bidirectional transfer of information, the
details of which vary, according to the
nature of the transaction.
In the case of a purchase of an item, or group of items, the amount, ID
number, as well as the full details of the
transaction would be transferred to the purchaser's account, in the form of a
read-only link, and the
information pertaining; to the purchaser, i.e., name, address, etc. along with
his data bank account identification
would be transferred to the vendor's account relating to this transaction,
also in the form of a read-only link,

CA 02507346 2006-08-14
2507346 SECURITY ACCOUNT FOR ONLINE AND OFFLINE TRANSACTIONS Pierre Richard
Godsey PAGE : 4 / 11
indicating to the vendor, that this particular transaction has in fact been
preauthorized by the purchaser, and
that a transfer of funds or data, relating to this transaction, has been
authorized by the purchaser (the account
holder) and are available to the vendor, or possibly, will be once shipment of
goods have been realized, in
which case, the purchaser might have the opportunity to cancel the transaction
by withdrawing his autorisation
for this particular transaction up to the moment of shipment, for example.
The transaction would then be conducted throught the data bank network, such
transaction having in fact been
preauthorized at both ends, that is the vendor-account-holder and the
purchaser-account-holder.
Behind this security account, the security account holder can establish other
accounts, for example, a debit
account, or credit accounts, medical recordt accounts, personal information
accounts, which are not directly
accessible from the security account card, which is similar to a magnetic
stripe bank card, at a minimum. The
security account holder can choose to transfer a certain amount from one of
the subsidiary accounts to his
security account, for example to go shopping, or for current expenses. At that
point, the amount that has been
transferred is exposed in the same manner as in an account linked to the
present type of debit or credit card
emitted by all banks. But the exposure is limited to the amount the security
account holder has chosen to
transfer, and which corresponds to his spending habits and comfort level.
The security account holder can also choose to preauthorize a particular
transaction with a specific vendor, for
example in the case of an Internet transaction. The transaction could also be
limited in terms of locality, date
and time slot, amount or range of amount, frequency, type of goods or service,
etc.
The security account holder would effect these authorizations or transfers of
data, information, or funds, using
the usual means of electronic banking, through the Internet, or at his local
bank, or through the data bank's
customer service, over the phone, using the normal computer-banking methods
with various levels of
authentication and encryption which are in current use.
Any transaction coming through to this security account which has not been
previously authorized by the
account holder, either by direct transfer of funds to the security account, or
a preauthorization for a transaction
directed at a specific vendor possibly for a specified amount, or approximate
amount, etc. would be deemed to
be fraudulent, and could be used to trigger a specific response, possibly
involving law authorities.
This implies that authentication of the requestor, as it relates to the
security account, could actually be
optional, and the use of security lines between the vendor/requestor, and the
data bank could also be made
optional, since the object of the transaction is controlled by authorization,
as allocated by the account holder.

CA 02507346 2006-08-14
2507346 SECURITY ACCOUNT FOR ONLINE AND OFFLINE TRANSACTIONS Pierre Richard
Godsey PAGE : 5 / I 1
The subsidiary accounts, to which only the holder of the security account has
access, when taken together,
constitute a small personal network which is controlled and administered by
the account holder for data or
funds transfers between accounts and payment authorizations. Viewed in this
context, the security account, to
which the security account card is directly linked, is in fact a type of
firewall proxy, since it does indeed
function like the main firewall that would be installed at the access point of
the data bank to the network or the
Internet. But this data bank firewall is under the authority of the system
administrators of the data bank,
whereas the personal firewall proxy is under the final authority of the
account holder.
This also allows for totally security financial and data transactions through
the Internet.
There are very interesting possibilities relating to personal information
storage, in the sense that access to this
information would be allocated by the account holder. This also applies to
medical records, such as diagnostics
rendered by a doctor, ar in a medical institution. The following is an example
of the possible use of the
security account in medical practice.
Both the doctor and the account holder subscribe to a security account. Upon
completion of the examination or
treatment, the doctor enters pertinent information in a subsidiary account
which is linked to the patient's
security account address. This creates a corresponding reference, or link, in
the the medical subsidiary account
of the patient's securit)~ account, linked to this doctor's security account
address (or number). If a prescription
is given to the patient, it is entered in the same fashion.
When the patient (security account holder) goes to a medical facility or to a
drugstore to obtain the treatment
or prescription, both o:f which would also have a security account, and
submits his card to the pharmacist or
medical practitioner, they automatically have access to the unfulfilled
prescription or diagnostic. Once the
precription or treatment has been given or administered in the specified
quantity and frequency, to the security
account holder, a record of this is entered in the pharmacist's or medical
practitioner's subsidiary account
linked to the security account holder's medical subsidiary account. A
permanent record is thus established of
the treatment which has been received by the security account holder in
relation to this practitioner or facility.
The interesting thing is that medical practitioners would have access to all
previous treatments to which the
security account holder would have been a subjected to, and thus could be
automatically informed of any and
all conflicting side-effects between present or past treatments or
prescriptions.
It would also be possible to conduct ongoing anonymous statistical analysis
regarding particular symptoms as
they relate to previously received treatments or medicines, and this could be
invaluable to medical research.

CA 02507346 2006-08-14
2507346 SECURITY ACCOUNT FOR ONLINE AND OFFLINE TRANSACTIONS Pierre Richard
Godsey PAGE : 6 / 11
The same general procedures could be applied to academic records, professional
records and accreditations,
or government sevices. Another very important application is that of voting
systems, where a permanent
record would be maintained by the data bank, and voting could be done
electronically. This would also allow,
should the account holder make his information available for such use,
verifiable surveys to be conducted,
possibly in exchange of an automatic payment, should survey firms choose to
make use of the account holder's
information, all this on a totally anonymous basis.
But the basic use of this product is still as a totally secure data bank
account, which can be tied to a magnetic
or smart card, for example.
The important aspect of all this is that the security account holder is always
the one authorizing the degree of
access to his information or data or funds, that he should choose to allow to
whatever party has a need for it
(obviously excepting legal access by government agents).
In time, this functionality would be enhanced through features built-in to the
browsers, thus greatly facilitating
transactions conducted through this system, and enhancing the commercial value
of the browser as well as that
of this security account system.