(12) Patent Application Publication    (10) Pub. No.: US 2002/0174364 A1
     Nordman et al.                     (43) Pub. Date:     Nov. 21, 2002

(54) METHOD FOR PROTECTING PRIVACY WHEN USING A BLUETOOTH DEVICE

(76) Inventors: Ian Nordman, Soderkulla (FI); Tero Alamaki, Helsinki (FI); Marko Vanska, Espoo (FI); Mikko Tarkiainen, Espoo (FI); Norbert Gyorbiro, Helsinki (FI); Casper Gripenberg, Helsinki (FI)

Correspondence Address:
MORGAN & FINNEGAN, L.L.P.
345 Park Avenue
New York, NY 10154 (US)

(21) Appl. No.: 09/860,553

(22) Filed: May 21, 2001

Publication Classification

(51) Int. Cl.7 .......... H04L 9/00
(52) U.S. Cl. .......... 713/201

(57) ABSTRACT

The user's Bluetooth device substitutes a pseudonym address for the Bluetooth Device Address (BD_ADDR). The pseudonym address is a randomized version of the BD_ADDR. The pseudonym address is used in all the functions of the Bluetooth device that normally use the BD_ADDR, including the frequency hopping sequence, the device access code, the initialization key in link encryption, the authentication code, and the various packet addresses. In this manner, the user's privacy is protected by preventing the user's identity, routes, and activities from being correlated with his/her device's address. In addition to the Bluetooth standard, the technique also applies to other wireless standards.

[FIG. 1 (front-page drawing): network diagram. The user's Bluetooth device 100 (real address BD_ADDR(0)) has a browser 102, keypad 104, application program 106 and positioning sensor 132. Device 100 is active slave to Bluetooth master 114 (BD_ADDR(A)) in piconet(1), where it uses pseudonym address BD_ADDR(1) and the master's BD_ADDR(A) is used in the piconet(1) access code. Device 100 is master in piconet(2) over Bluetooth slaves 116 (BD_ADDR(B)) and 118 (BD_ADDR(C)) and parked slave 120 (BD_ADDR(D)); there it uses pseudonym address BD_ADDR(2), and the master's BD_ADDR(2) is used in the piconet(2) access code. Device 100 is also a parked slave to Bluetooth master 122 (BD_ADDR(E)).

The browser 102 displays:

PRIVACY OPTIONS MENU
SELECT OPTION:
(A) NORMAL BLUETOOTH DEVICE ADDRESS
(B) PSEUDONYM BLUETOOTH DEVICE ADDRESS
PSEUDONYM ADDRESS OPTIONS SUB-MENU
(1) RANDOMIZE ENTIRE DEVICE ADDRESS
(2) KEEP MANUFACTURER CODE AND RANDOMIZE REST OF DEVICE ADDRESS
(3) SELECT PARTS OF ADDRESS TO RANDOMIZE
(4) ADDRESS RETENTION OPTIONS:
    (a) CHANGE ADDRESSES AFTER A TIME "T"
    (b) CHANGE AFTER INQUIRIES/CONNECTIONS
    (c) CHANGE WHEN LOCATION CHANGES
    (d) OTHER OPTIONS TO CHANGE ADDRESSES
(5) RESET RANDOM NUMBER GENERATOR]

Google Exhibit 1011, Google v. SecCommTech

Patent Application Publication Nov. 21, 2002 Sheet 1 of 6    US 2002/0174364 A1

[Sheet 1 of 6: FIG. 1 drawing. The sheet is rotated and its label text is not recoverable beyond the FIG. 1 labels and privacy options menu already given on the front page.]

Patent Application Publication Nov. 21, 2002 Sheet 2 of 6    US 2002/0174364 A1

[FIG. 2A: functional block diagram of the user's Bluetooth device 100. Memory 202 holds three groups:
APPLICATION GROUP 234: application program 106; user's device 100 real address BD_ADDR(0); random number generator 230; address manager table 232 (columns: paired device | user device 100 | pseudonym addresses; rows for the paired devices of FIG. 1 plus a "potential master / potential slave" row with BD_ADDR(4) and a "potential slave / potential master" row with BD_ADDR(5)); the pseudonym addresses feed the frequency hopping sequence 235, the access codes 236, the encryption/authentication module 238 and the packet buffer 240.
MIDDLEWARE PROTOCOL GROUP 224: service discovery protocol 226; object exchange 228.
TRANSPORT PROTOCOL GROUP 214: logical link control and adaptation protocol (L2CAP) 220; link controller and baseband 216; link manager 218.
Bus 204 connects memory 202 to the Bluetooth radio 206, keypad 104, central processor 210, display 212 and position sensor 132.]

Patent Application Publication Nov. 21, 2002 Sheet 3 of 6    US 2002/0174364 A1

[FIG. 2B: the user's device 100 real address BD_ADDR(0) in buffer 250 is partitioned into the LOW ADDRESS PART (LAP), the HIGH ADDRESS PART (HAP) and the NON-SIGNIFICANT ADDRESS PART (NAP). Multiplexor 252 (control 354) selects ENTIRE ADDRESS, LAP, HAP, NAP, or HAP+NAP (the manufacturer's code); OTHER PARAMETERS 256 can also be applied. Random number generator 230 (control 258) produces the RANDOMIZED PORTION, which is combined with the UNCHANGED PORTION and written into the address manager table 232. The pseudonym addresses in the table feed the frequency hopping sequence 235, the encryption/authentication module 238 and the packet addresses 240.

ADDRESS MANAGER TABLE 232
PAIRED DEVICE | PAIRED DEVICE'S ROLE | USER DEVICE 100 ROLE | PSEUDONYM
DEVICE 114    | MASTER PICONET(1)    | ACTIVE SLAVE         | BD_ADDR(1)
DEVICE 116    | ACTIVE SLAVE         | MASTER PICONET(2)    | BD_ADDR(2)
DEVICE 118    | ACTIVE SLAVE         | MASTER PICONET(2)    | BD_ADDR(2)
DEVICE 120    | PARKED SLAVE         | MASTER PICONET(2)    | BD_ADDR(2)
DEVICE 122    | MASTER PICONET(3)    | PARKED SLAVE         | BD_ADDR(3)
(not yet paired) | POTENTIAL MASTER  | POTENTIAL SLAVE      | BD_ADDR(4)
(not yet paired) | POTENTIAL SLAVE   | POTENTIAL MASTER     | BD_ADDR(5)]

Patent Application Publication Nov. 21, 2002 Sheet 4 of 6    US 2002/0174364 A1

[FIG. 3: flow diagram of the pseudonym address generation application program 106.

302: USER SELECTS OPTION TO CHANGE PSEUDONYM ADDRESSES AFTER COUNTER/TIMER = 'T', OR OTHER OPTIONS TO CHANGE PSEUDONYM ADDRESSES.

Branch for the other options to change addresses (step numbers readable on the sheet are given; the rest are unnumbered here):
304: BEGIN IF INQUIRY RECEIVED, OR WHEN INQUIRY IS TO BE SENT, OR WHEN A NEW ADDRESS IS NEEDED.
306: GET POSITIONING SENSOR READING AND SELECT PORTION OF REAL ADDRESS BD_ADDR(0) TO RANDOMIZE.
308: RANDOMIZE SELECTED PORTION TO OBTAIN PSEUDONYM ADDRESS.
- IF PSEUDONYM ADDRESS IS A DUPLICATE OF ANY OTHER KNOWN ADDRESS, THEN GO TO STEP 308.
- STORE PSEUDONYM ADDRESS IN ADDRESS MANAGER TABLE.
- USE PSEUDONYM ADDRESS INSTEAD OF REAL ADDRESS BD_ADDR(0).
- IF NO CONNECTION IS MADE AFTER INQUIRY, OR IF PICONET CONTEXT CHANGES, OR IF POSITION CHANGE EXCEEDS LIMITS, OR IF COUNTER/TIMER EXCEEDS LIMITS, OR IF CONNECTION IS TORN DOWN, THEN STOP USING PSEUDONYM ADDRESS AND REMOVE IT FROM ADDRESS MANAGER TABLE.

Branch for change after counter/timer = 'T':
320: SET COUNTER TO ZERO AND COUNTER_MAX TO LIMIT (E.G. T=5).
322: IF COUNTER = COUNTER_MAX CONTINUE, ELSE GO TO STEP 328.
324: SELECT PORTION OF REAL ADDRESS BD_ADDR(0) TO RANDOMIZE.
326: RANDOMIZE SELECTED PORTION TO OBTAIN PSEUDONYM ADDRESS.
328: STORE PSEUDONYM ADDRESS IN ADDRESS MANAGER TABLE.
- USE PSEUDONYM ADDRESS INSTEAD OF REAL ADDRESS BD_ADDR(0).
332: INCREMENT COUNTER AND GO TO 322.]

Patent Application Publication Nov. 21, 2002 Sheet 5 of 6    US 2002/0174364 A1

[FIG. 4A: Bluetooth packet structure for an inquiry packet sent to the user's device 100 by an inquiring device; the packet carries the inquiry access code. FIG. 4B: Bluetooth packet structure for an inquiry response packet sent by the user's device 100 to the inquiring device from packet buffer 240; its address field and class-of-device field for device 100 carry the pseudonym address rather than BD_ADDR(0). The sheet is rotated and its remaining label text is not recoverable.]

Patent Application Publication Nov. 21, 2002 Sheet 6 of 6    US 2002/0174364 A1

[FIG. 4C: Bluetooth packet structure (access code, header, payload) for a paging packet sent by the user's device 100 to a paged device from packet buffer 240; the access code includes the LAP of the pseudonym address of the user's device 100. FIG. 4D: Bluetooth packet structure for a page acknowledgment packet sent by the paged device to the user's device 100, carrying the paged device's address and class-of-device fields. The sheet is rotated and its remaining label text is not recoverable.]

METHOD FOR PROTECTING PRIVACY WHEN USING A BLUETOOTH DEVICE

FIELD OF THE INVENTION

[0001] The invention disclosed broadly relates to ubiquitous computing and more particularly relates to improvements in short range RF technology.

BACKGROUND OF THE INVENTION

[0002] Bluetooth is a global de facto standard for wireless connectivity, which is based on a low-cost, short-range radio link. When two Bluetooth equipped devices come within ten meters range of each other, they can establish a connection together using a radio-based link. A Bluetooth-enabled laptop computer can send information to a printer in the next room, or a microwave oven can send a message to one's mobile phone announcing that the meal is ready. Bluetooth will become the standard in mobile phones, PCs, laptops and other electronic devices, enabling users to share information, synchronize data, access the Internet, integrate with LANs or actuate electromechanical devices, such as unlocking a car. A passenger can write e-mails on his/her laptop on an airplane and then, after landing, the messages can be automatically forwarded to the Internet by Bluetooth devices that are ubiquitously located around the airport terminal. In another example, while waiting in an airport lounge, the passenger can receive interesting duty-free offers directly on his/her mobile phone or play multiplayer games with friends.

[0003] Bluetooth devices are designed to find other Bluetooth devices within their ten meter communications range and to discover what services they offer, using a service discovery protocol (SDP). To accomplish this, a Bluetooth device sends out an inquiry message searching for other devices in its vicinity. Any other Bluetooth device that is listening by means of conducting an inquiry scan will recognize the inquiry message and respond. The inquiry response is a message packet containing the responding device's Bluetooth Device Address (BD_ADDR). The Bluetooth device address is a unique, 48-bit IEEE address which is electronically engraved into each Bluetooth device. The address is virtually guaranteed to be completely unique, so much so that it can be reliably associated with the device's user, much as can the user's passport number or social security number.

[0004] As the user carries his/her Bluetooth device about, traveling among other Bluetooth devices, a trail is left in the form of the user's Bluetooth Device Address (BD_ADDR), which the device has given out at each transmission of an inquiry response packet. The user's routes and activities can be tracked by logging the times and locations at which his/her device's Bluetooth Device Address was observed. To the extent that the user is identified with his/her device's Bluetooth Device Address, it is almost as if the user were giving out his/her personal identity number to each inquiring Bluetooth device. This realization will certainly be exploited in the future by market researchers, and possibly by more sinister observers, thereby seriously compromising the user's privacy and possibly the user's safety.

[0005] What is needed is a way to provide a pseudonym for a Bluetooth device so that the user's identity, routes, and activities cannot be correlated with his/her device's address.

SUMMARY OF THE INVENTION

[0006] In accordance with the invention, the user's Bluetooth device substitutes a pseudonym address for the Bluetooth Device Address (BD_ADDR). The pseudonym address is a randomized version of the BD_ADDR. The pseudonym address is used in all the functions of the Bluetooth device that normally use the BD_ADDR, including the frequency hopping sequence, the device access code, the initialization key in link encryption, the authentication code, and the various packet addresses.

[0007] The user is provided with a menu of privacy options, to select the various features of the invention. Since the BD_ADDR includes a manufacturer's code part, the user is given the option of preserving that part and randomizing the rest of the BD_ADDR. The user can select other parts or all of the BD_ADDR to randomize.

[0008] The user can select introducing various parameters into the random number generator as initialization vectors to combine with the BD_ADDR, such as time-of-day clock values or biometric values such as keyboard latency, to change the random number sequence and thus thwart an eavesdropper's discovery of that sequence. The resulting randomized pseudonym address is then stored in an address manager table, associating it with the paired Bluetooth devices with which the pseudonym address is exchanged.

[0009] For example, when the user's device receives an inquiry message from another Bluetooth device, it sends back an inquiry response message that contains the user's pseudonym address instead of his/her device's BD_ADDR. As another example, when the user's device has the role of a master device connected to a slave device in a piconet, then the user's pseudonym address is used as the piconet access code, instead of his/her device's BD_ADDR.

[0010] The user is also given a number of options for the retention of the pseudonym address in the address manager table. The anonymity of the user would otherwise be undermined if the same pseudonym address were to be used indefinitely. In accordance with the invention, the address can be retained for a predetermined time or count selected by the user. Alternately, the address can be retained for a duration that at least begins with an inquiry received from another device and ends if no connection is made after the inquiry. Similarly, if the user's device initiated sending an inquiry message, the address can be retained for a duration that at least begins with the inquiry and ends if no connection is made after the inquiry. Pseudonym addresses can be computed prior to when they are needed, and then stockpiled by storage in a table in the user's device.

[0011] In an alternate option, the pseudonym address can be retained for a duration that ends when a piconet context changes for the user's device. When the user's device is the master device in a piconet, the pseudonym address will be used in the piconet access code. Thus, the user's device will retain the pseudonym address until the piconet is broken up or until the user's device relinquishes its role as the master device. Alternately, the address can be retained for a duration that at least begins with the sensing of the current physical location of the user's device, and ends if that physical location changes beyond a predefined distance, such as the nominal radio broadcast range of a Bluetooth device. Alternately, the address can be retained for a duration that at least begins with an inquiry that establishes a connection with another device, and ends when that connection is torn down or otherwise terminated. In this way it is not possible to track the usage of the user's device nor discover the real, unique BD_ADDR of the device.

[0012] Still further in accordance with the invention, even though the user device's BD_ADDR has been randomized in the form of the pseudonym address, there is still a small chance that the resulting pseudonym address is coincidentally the same as another device's BD_ADDR in the vicinity. The invention minimizes this possibility by comparing the newly generated pseudonym address with the known addresses of all other devices that have been encountered in the vicinity. If the rare chance happens that the pseudonym address is the same as another device's address, the newly generated pseudonym address is not used and another pseudonym address is generated instead. If there are many repeated attempts to generate a pseudonym address that fail because of other duplicate addresses in the vicinity, then the user is notified and he/she can elect to use his/her device's BD_ADDR for the proposed connection. This unlikely occurrence may be a symptom revealing that an eavesdropper is trying to discover the sequence of random numbers being generated by the user's device. The user's device in this case notifies the user and gives him/her the option to introduce various parameters into the random number generator to change the random number sequence and thus thwart the eavesdropper's discovery of that sequence.

[0013] In addition to the Bluetooth standard, the invention also applies to other wireless standards. The invention's principle of substituting randomized pseudonym addresses for the device's real unique address, to confer anonymity upon the user, is equally useful in many other wireless standards. The invention applies, for example, to the IEEE 802.11 Wireless LAN standards, the Japanese 3rd Generation (3G) wireless standard, the various 2G, 2.5G, and 3G cellular telephone system standards, the Infrared Data Association (IrDA) standard, the Digital Enhanced Cordless Telecommunications (DECT) standard, the Shared Wireless Access Protocol (SWAP) standard, the IEEE 802.15 Wireless Personal Area Network (WPAN) standard, the High Performance Radio Local Area Network (HIPERLAN) standard, and the Multimedia Mobile Access Communication (MMAC) Systems standard of the Japanese Association of Radio Industries and Businesses. The invention enables each of these wireless standards to protect the privacy of the user's identity, routes, and activities so that they cannot be correlated with his/her device's address.

DESCRIPTION OF THE FIGURES

[0014] FIG. 1 is a network diagram showing several ad hoc network piconets and the user's Bluetooth device 100, which is displaying the privacy options menu.

[0015] FIG. 2A is a functional block diagram of the user's Bluetooth device 100 of FIG. 1, showing the various program modules stored in its memory for the transport protocol group, middleware protocol group, and application group.

[0016] FIG. 2B shows an example of the random number generator operating on various selected parts of the BD_ADDR of the user's Bluetooth device 100.

[0017] FIG. 3 is a flow diagram of the pseudonym address generation application program 106.

[0018] FIG. 4A shows the Bluetooth packet structure for an inquiry packet sent to the user's device 100 by an inquiring device.

[0019] FIG. 4B shows the Bluetooth packet structure for an inquiry response packet sent by the user's device 100 to the inquiring device.

[0020] FIG. 4C shows the Bluetooth packet structure for a paging packet sent by the user's device 100 to a paged device.

[0021] FIG. 4D shows the Bluetooth packet structure for a page acknowledgment packet sent by the paged device to the user's device 100.

DISCUSSION OF THE PREFERRED EMBODIMENT

[0022] The Bluetooth Special Interest Group, Specification Of The Bluetooth System, Version 1.0B, Volumes 1 and 2, December 1999, describes the principles of Bluetooth device operation and communication protocols. Up to eight Bluetooth devices can join together in an ad hoc communications network called a piconet. A piconet is an arbitrary collection of Bluetooth-enabled devices which are physically close enough to be able to communicate and which are exchanging information on a regular basis. Each piconet has one master device and up to seven slave devices. All communication is directed between the master device and each respective slave device. The master initiates an exchange of data and the slave responds to the master. When two slave devices are to communicate with each other, they must do so through the master device. The master device maintains the piconet's network clock and controls when each slave device can communicate with the master device. Members of the ad hoc network piconet join and leave as they move into and out of the range of the master device. Piconets support distributed activities, such as collaborative work projects, collaborative games, multi-user gateways to the Internet, and the like. A user's device that joins a particular piconet does so to enable its user to participate in the currently running collaborative activity.

[0023] FIG. 1 is a network diagram showing several ad hoc network piconets and the user's Bluetooth device 100, which is displaying the privacy options menu in the browser 102. The user's Bluetooth device 100 includes the keypad 104 and the positioning sensor 132. The positioning sensor 132 can be, for example, a GPS receiver integrated in the device. The positioning sensor 132 can also be, for example, a radio beacon triangulation sensor that determines the location of the wireless device by means of a network of radio beacons, base stations, or access points, as is described for example in Nokia European patent EP 0 767 594 A2, entitled "Mobile Station Positioning System". The sensor 132 provides inputs which are sampled by the wireless device 100 to infer a current geographical position. The positioning sensor 132 can also detect changes in position with respect to known, fixed station Bluetooth devices.

[0024] Several other Bluetooth devices are within the operating range of the user's device 100 of FIG. 1. In accordance with the invention, the user's Bluetooth device has substituted a different pseudonym address for its real Bluetooth Device Address BD_ADDR(0) in its relationship with each of the respective devices of FIG. 1. The user's device 100 forms an ad hoc network piconet(1) with Bluetooth device 114 on link 115. The user's Bluetooth device is using a pseudonym address BD_ADDR(1) instead of its real BD_ADDR(0) in its relationship with Bluetooth device 114. Bluetooth device 114 uses its real Bluetooth Device Address BD_ADDR(A). Since in piconet(1) the user's device 100 has the role of the active slave device connected to the master device 114, the master's real Bluetooth Device Address BD_ADDR(A) is used as the piconet access code. The address manager table 232 shown in FIG. 2 stores the user's pseudonym address BD_ADDR(1) instead of its real BD_ADDR(0) for its relationship with Bluetooth device 114.

[0025] Contrast this with ad hoc network piconet(2) in FIG. 1. The user's device 100 forms ad hoc network piconet(2) with Bluetooth device 116 on link 117. The user's Bluetooth device is using a different pseudonym address BD_ADDR(2) instead of its real BD_ADDR(0) in its relationship with Bluetooth device 116. Bluetooth device 116 uses its real Bluetooth Device Address BD_ADDR(B). Since in piconet(2) the user's device 100 has the role of the master device connected to a slave device 116, the user's pseudonym address BD_ADDR(2) is used as the piconet access code, instead of the user's real Bluetooth Device Address BD_ADDR(0). The address manager table 232 shown in FIG. 2 stores the user's pseudonym address BD_ADDR(2) instead of its real BD_ADDR(0) for its relationship with Bluetooth device 116.

[0026] There is another active slave device in ad hoc network piconet(2) of FIG. 1, the Bluetooth device 118 connected on link 119. Bluetooth device 118 uses its real Bluetooth Device Address BD_ADDR(C). Since in piconet(2) of FIG. 1 the user's device 100 is the master device connected to slave device 118, the user's pseudonym address BD_ADDR(2) is used as the piconet access code for slave device 118, as well as slave device 116. The address manager table 232 shown in FIG. 2 stores the user's pseudonym address BD_ADDR(2) instead of its real BD_ADDR(0) for its relationship with Bluetooth device 118.

[0027] There is also a parked slave device in ad hoc network piconet(2) of FIG. 1, the Bluetooth device 120. Although Bluetooth device 120 does not have an active connection with the user's master device 100, it does monitor the signals from the user's master device 100 to stay in synchronism with the master's clock. Bluetooth device 120 uses its real Bluetooth Device Address BD_ADDR(D). If the parked slave Bluetooth device 120 were to rejoin piconet(2) as an active slave device, it would employ the user master device's pseudonym address BD_ADDR(2) as the piconet access code, the same as for slave device 118 and slave device 116. The address manager table 232 shown in FIG. 2 stores the user's pseudonym address BD_ADDR(2) instead of its real BD_ADDR(0) for its relationship with Bluetooth device 120.

[0028] The user's device 100 in FIG. 1 is, itself, a parked slave device in a third ad hoc network piconet(3), with the master Bluetooth device 122. Although the user's device 100 does not have an active connection with the master device 122 in piconet(3), it does monitor the signals from the master device 122 to stay in synchronism with the master's clock. The master device 122 uses its real Bluetooth Device Address BD_ADDR(E). If the user's parked slave device 100 were to rejoin piconet(3) as an active slave device, it would employ the master device's real Bluetooth Device Address BD_ADDR(E) as the piconet access code. The address manager table 232 shown in FIG. 2 stores the user's pseudonym address BD_ADDR(3) instead of its real BD_ADDR(0) for its relationship with Bluetooth device 122.

[0029] FIG. 1 shows the user's Bluetooth device 100 displaying the privacy options menu in the browser 102. The privacy options menu is rendered on the device's display by the application program 106 of FIG. 3. The user can select one of two primary options:

[0030] PRIVACY OPTIONS MENU

[0031] SELECT OPTION:

[0032] [A] NORMAL BLUETOOTH DEVICE ADDRESS

[0033] [B] PSEUDONYM BLUETOOTH DEVICE ADDRESS

[0034] If the user selects the PSEUDONYM BLUETOOTH DEVICE ADDRESS option in the privacy options menu in the browser 102, then the user can select one of five options in the PSEUDONYM ADDRESS OPTIONS SUB-MENU:

[0035] [1] RANDOMIZE ENTIRE DEVICE ADDRESS

[0036] [2] KEEP MANUFACTURER CODE AND RANDOMIZE REST OF DEVICE ADDRESS

[0037] [3] SELECT PARTS OF ADDRESS TO RANDOMIZE

[0038] [4] ADDRESS RETENTION OPTIONS

[0039] [5] RESET RANDOM NUMBER GENERATOR

[0040] The option [1] RANDOMIZE ENTIRE DEVICE ADDRESS from the privacy options menu in the browser 102 randomizes all 48 bits of the user's real BD_ADDR(0) to produce the pseudonym address.

[0041] The 48 bits of the user's real BD_ADDR(0) are partitioned into three parts: the 24-bit lower address part (LAP), the 8-bit upper address part (UAP), and the 16-bit nonsignificant address part (NAP). The 24 bits of the UAP and the NAP constitute the organization unique identifier (OUI), which is the manufacturer's code. The remaining 24 bits of the LAP are assigned internally by the manufacturer. If the user selects from the privacy options menu in the browser 102 the option [2] KEEP MANUFACTURER CODE AND RANDOMIZE REST OF DEVICE ADDRESS, then only the 24-bit LAP of the user's real BD_ADDR(0) is randomized to produce the pseudonym address. If the user selects from the privacy options menu in the browser 102 the option [3] SELECT PARTS OF ADDRESS TO RANDOMIZE, then the user can select combinations of the LAP, UAP, and/or NAP of the user's real BD_ADDR(0) to randomize to produce the pseudonym address.


[0042] Reference to FIG. 2B shows an example of the random number generator 230 operating on various selected parts of the user device's BD_ADDR(0) stored in the buffer 250. When the user makes a selection from the privacy options menu in the browser 102 in FIG. 1, the multiplexer 252 connects to the selected part of the user device's BD_ADDR(0) stored in the buffer 250 and applies the selected part to the input of the random number generator 230.
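
Paragraphs [0040] to [0042] describe the partitioning of BD_ADDR(0) and the randomization of whichever parts the user selected, and paragraph [0012] adds the duplicate check. The following Python is a worked example added for this edition of the page; it is not code from the patent or from any Nokia implementation. It assumes the usual NAP:UAP:LAP text form of a Bluetooth address, uses the operating system's CSPRNG (Python's secrets module) in the role of the random number generator 230, and adds one check the patent does not mention, taken from the Bluetooth baseband specification: the 64 LAP values reserved for inquiry access codes are never used as a pseudonym LAP. The sample addresses are constructed, and the names make_pseudonym, OPTION_RANDOMIZE_ALL, OPTION_KEEP_MANUFACTURER and PseudonymCollision are this example's own.

```python
import secrets
from typing import Callable, Collection, Iterable

# Layout of the 48-bit BD_ADDR as paragraph [0041] gives it, most significant field first:
#   NAP (16 bits) | UAP (8 bits) | LAP (24 bits)
# NAP and UAP together are the 24-bit OUI (the manufacturer's code); the LAP is the
# manufacturer-assigned part that menu option [2] randomizes on its own.
FIELD_ORDER = ("NAP", "UAP", "LAP")
FIELD_WIDTH = {"NAP": 16, "UAP": 8, "LAP": 24}
FIELD_SHIFT = {"NAP": 32, "UAP": 24, "LAP": 0}

# The sub-menu options of FIG. 1 expressed as the set of fields to randomize;
# option [3] is any other subset of FIELD_ORDER passed to make_pseudonym().
OPTION_RANDOMIZE_ALL = frozenset(FIELD_ORDER)      # [1] randomize entire device address
OPTION_KEEP_MANUFACTURER = frozenset({"LAP"})       # [2] keep manufacturer code, randomize rest

# Assumption taken from the Bluetooth baseband specification rather than from the patent:
# the 64 LAP values 0x9E8B00..0x9E8B3F are reserved for inquiry access codes (the general
# inquiry access code is built from LAP 0x9E8B33), so a pseudonym must never use them.
RESERVED_LAP_RANGE = range(0x9E8B00, 0x9E8B3F + 1)


class PseudonymCollision(Exception):
    """Every attempt duplicated a known address. Paragraph [0012] notifies the user here,
    who may fall back to the real BD_ADDR or reseed the generator (menu option [5])."""


def parse_bd_addr(text: str) -> int:
    """'00:60:57:12:34:56' -> int, reading the octets in NAP, UAP, LAP order."""
    octets = text.split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed BD_ADDR {text!r}")
    return int("".join(octets), 16)


def format_bd_addr(addr: int) -> str:
    if not 0 <= addr < (1 << 48):
        raise ValueError("BD_ADDR must fit in 48 bits")
    digits = f"{addr:012X}"
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def split_bd_addr(addr: int) -> dict:
    """Buffer 250 and multiplexor 252 of FIG. 2B: expose each part of the address separately."""
    return {f: (addr >> FIELD_SHIFT[f]) & ((1 << FIELD_WIDTH[f]) - 1) for f in FIELD_ORDER}


def join_bd_addr(fields: dict) -> int:
    """Reassemble the unchanged portion and the randomized portion into one 48-bit address."""
    return sum(fields[f] << FIELD_SHIFT[f] for f in FIELD_ORDER)


def make_pseudonym(real_addr: int, parts: Iterable[str], known_addrs: Collection[int],
                   max_attempts: int = 8,
                   randbits: Callable[[int], int] = secrets.randbits) -> int:
    """Replace the selected parts of real_addr with fresh random bits and return a pseudonym
    that equals neither the real address nor any address in known_addrs (the duplicate
    check of paragraph [0012]). randbits plays the random number generator 230; it defaults
    to the OS CSPRNG and can be replaced by a deterministic source for testing."""
    parts = frozenset(parts)
    unknown = parts - set(FIELD_ORDER)
    if unknown:
        raise ValueError(f"unknown address parts {sorted(unknown)}")
    base = split_bd_addr(real_addr)
    for _ in range(max_attempts):
        candidate = dict(base)
        for f in FIELD_ORDER:                # fixed order keeps an injected source reproducible
            if f in parts:
                candidate[f] = randbits(FIELD_WIDTH[f])
        if candidate["LAP"] in RESERVED_LAP_RANGE:
            continue                         # would collide with an inquiry access code
        addr = join_bd_addr(candidate)
        if addr == real_addr or addr in known_addrs:
            continue                         # duplicate of a known address: draw again
        return addr
    raise PseudonymCollision(f"no unique pseudonym after {max_attempts} attempts")


if __name__ == "__main__":
    real = parse_bd_addr("00:60:57:12:34:56")       # constructed sample address for device 100
    seen = {parse_bd_addr("00:60:57:AB:CD:EF")}     # constructed: an address heard in an inquiry response
    print("option [2]:", format_bd_addr(make_pseudonym(real, OPTION_KEEP_MANUFACTURER, seen)))
    print("option [1]:", format_bd_addr(make_pseudonym(real, OPTION_RANDOMIZE_ALL, seen)))
```

The retry loop is step 308 of FIG. 3: a candidate equal to the real address or to any address seen in the vicinity is discarded and a fresh one is drawn, and after max_attempts failures the caller is told, which is the point at which paragraph [0012] has the device notify the user. One consequence a practitioner should keep in mind when offering option [2]: the preserved OUI is a 24-bit value shared by every device from that manufacturer, so it still narrows the device down to one maker, and only option [1] removes that linkage.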

[0043] If the user selects the option [4] ADDRESS RETENTION OPTIONS in the privacy options menu in the browser 102 of FIG. 1, then the user can select one of four options in the sub-menu:

[0044] [a] CHANGE ADDRESSES AFTER A TIME "T"

[0045] [b] CHANGE AFTER INQUIRIES/CONNECTIONS

[0046] [c] CHANGE WHEN LOCATION CHANGES

[0047] [d] OTHER OPTIONS TO CHANGE ADDRESSES

[0048] If the user selects the option [a] CHANGE ADDRESSES AFTER A TIME "T" in the privacy options menu in the browser 102 of FIG. 1, then the pseudonym address can be retained for a predetermined time or count selected by the user. The method for carrying out this option is shown in steps 320 to 332 of the flow diagram of FIG. 3.

[0049] If the user selects the option [b] CHANGE AFTER INQUIRIES/CONNECTIONS in the privacy options menu in the browser 102 of FIG. 1, then the pseudonym address can be retained for a duration that at least begins with an inquiry received from another device and ends if no connection is made after the inquiry. Similarly, if the user's device initiated sending an inquiry message, the address can be retained for a duration that at least begins with the inquiry and ends if no connection is made after the inquiry. Pseudonym addresses can be computed prior to when they are needed and then stockpiled by storage in the address manager table 232 in the user's device 100. The user can also select that the address be retained for a duration that ends when a piconet context changes for the user's device. When the user's device 100 is the master device in a piconet, such as piconet(2) of FIG. 1, its pseudonym address will be used in the piconet access code. Thus, the user's device 100 will retain the pseudonym address until the piconet is broken up or until the user's device 100 relinquishes its role as the master device of that piconet. The user can also select that the pseudonym address be retained for a duration that at least begins with an inquiry that establishes a connection with another device, and ends when that connection is torn down or otherwise terminated. The method for carrying out this option is shown in steps 306 to 318 of the flow diagram of FIG. 3.

[0050] If the user selects the option [c] CHANGE WHEN LOCATION CHANGES in the privacy options menu in the browser 102 of FIG. 1, then the pseudonym address can be retained for a duration that at least begins with the sensing of the current physical location of the user's device by the sensor 132, and ends if that physical location changes beyond a predefined distance, such as the nominal radio broadcast range of ten meters for a Bluetooth device. The method for carrying out this option is shown in steps 306 to 318 of the flow diagram of FIG. 3.

[0051] The user can also select the option [d] OTHER OPTIONS TO CHANGE ADDRESSES in the privacy options menu in the browser 102 of FIG. 1. With any of these options [a], [b], [c], or [d], it is more difficult for an eavesdropper to track the usage of the user's device or discover the real, unique BD_ADDR of the device.
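
Options [a] to [d] in paragraphs [0048] to [0051], together with the last box of FIG. 3, define when a pseudonym is dropped from the address manager table 232. The following Python is an example added for this edition of the page, not code from the patent: an address manager table whose rows carry the state each retention option needs, a sweep() that applies the counter and location limits, and event handlers for the inquiry, connection-teardown and piconet-context triggers. Positions are (x, y) metres on a local plane, standing in for a reading of the positioning sensor 132; the pseudonym generator is injected as a callable and by default draws one 48-bit value from the OS CSPRNG, which stands in for the field-wise generator of FIG. 2B and omits its duplicate check. The class and method names (AddressManagerTable, RetentionPolicy, address_for, sweep, on_context_change) and the sample devices are this example's own.

```python
import math
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A position is (x, y) in metres on a local plane: a stand-in for a reading of sensor 132.
Position = Tuple[float, float]


@dataclass
class Row:
    """One row of the address manager table 232 plus the state the retention options need."""
    paired_device: str
    pseudonym: int
    role: str                  # user's device 100's role toward this device, e.g. "MASTER"
    piconet: Optional[str]     # piconet context such as "piconet(2)"; None while only inquiring
    origin: Position           # sensor reading when the pseudonym was minted (option [c])
    uses: int = 0              # inquiries and connections served under it (option [a] counter)


@dataclass
class RetentionPolicy:
    max_uses: Optional[int] = None          # option [a]: change after the counter reaches T
    max_distance_m: Optional[float] = 10.0  # option [c]: nominal Bluetooth range per [0050]
    retire_on_teardown: bool = True         # option [b]: connection torn down
    retire_on_context_change: bool = True   # option [b]: piconet context changes


class AddressManagerTable:
    def __init__(self, real_addr: int, policy: RetentionPolicy,
                 new_pseudonym: Callable[[], int] = lambda: secrets.randbits(48)):
        # new_pseudonym stands in for the generator of FIG. 2B; the default draws a full
        # 48-bit value from the OS CSPRNG and omits the duplicate check of [0012].
        self.real_addr = real_addr
        self.policy = policy
        self.rows: Dict[str, Row] = {}
        self._new_pseudonym = new_pseudonym

    def address_for(self, device: str, role: str, piconet: Optional[str],
                    position: Position) -> int:
        """Address to present to `device` instead of BD_ADDR(0); mints a row on first contact."""
        row = self.rows.get(device)
        if row is None:
            row = Row(device, self._new_pseudonym(), role, piconet, position)
            self.rows[device] = row
        row.uses += 1
        return row.pseudonym

    def retire(self, device: str, reason: str) -> str:
        """Stop using the pseudonym and remove it from the table (last box of FIG. 3)."""
        del self.rows[device]
        return reason

    def on_inquiry_outcome(self, device: str, connected: bool) -> Optional[str]:
        """Option [b]: an inquiry exchange that leads to no connection retires the pseudonym."""
        if device in self.rows and not connected:
            return self.retire(device, "no connection after inquiry")
        return None

    def on_connection_torn_down(self, device: str) -> Optional[str]:
        if device in self.rows and self.policy.retire_on_teardown:
            return self.retire(device, "connection torn down")
        return None

    def on_context_change(self, device: str, new_role: str,
                          new_piconet: Optional[str]) -> Optional[str]:
        """A master keeps its pseudonym until the piconet breaks up or it gives up the role."""
        row = self.rows.get(device)
        if row is None or (new_role, new_piconet) == (row.role, row.piconet):
            return None
        if self.policy.retire_on_context_change:
            return self.retire(device, "piconet context changed")
        row.role, row.piconet = new_role, new_piconet
        return None

    def sweep(self, position: Position) -> List[Tuple[str, str]]:
        """Apply the counter and distance limits to every row; returns (device, reason) pairs."""
        p, retired = self.policy, []
        for device, row in list(self.rows.items()):
            if p.max_uses is not None and row.uses >= p.max_uses:
                retired.append((device, self.retire(device, "counter/timer exceeded limit")))
            elif p.max_distance_m is not None and math.dist(row.origin, position) > p.max_distance_m:
                retired.append((device, self.retire(device, "position change exceeded limit")))
        return retired


if __name__ == "__main__":
    table = AddressManagerTable(0x006057123456, RetentionPolicy(max_uses=5))  # constructed BD_ADDR(0)
    print(hex(table.address_for("device 114", "ACTIVE SLAVE", "piconet(1)", (0.0, 0.0))))
    print(table.sweep((9.0, 6.0)))    # moved about 10.8 m: the pseudonym for device 114 is retired
```

The design keeps every trigger of the last box of FIG. 3 as an explicit event or a sweep rather than hiding it inside address_for(), so the caller decides when the counter and the sensor are consulted; a retired row is deleted outright, matching the patent's "remove it from the address manager table", and the next contact with that device mints a fresh pseudonym.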

[0052] If the user selects the option [5] RESET RANDOM NUMBER GENERATOR in the privacy options menu in the browser 102 of FIG. 1, then the user can introduce various parameters into the random number generator to change the random number sequence and thus thwart the eavesdropper's discovery of that sequence.

[0053] FIG. 2A is a functional block diagram of the user's Bluetooth device 100 of FIG. 1, showing the various program modules stored in its memory 202 for the transport protocol group 214, middleware protocol group 224, and application group 234. The memory 202 is connected by the bus 204 to the Bluetooth radio 206, the keypad 104, the positioning sensor 132, the central processor 210, and the display 212. Program modules stored in the memory 202 are sequences of operational instructions which, when executed by the central processor 210, carry out the methods of the invention.

[0054] The application group 234 includes the application program 106, shown in greater detail in the flow diagram of FIG. 3. The application group 234 also includes the random number generator 230 which randomizes the user's real BD_ADDR(0) to produce the pseudonym addresses which it outputs to the address manager table 232, shown in greater detail in FIG. 2B. The application group 234 also includes the frequency hopping sequence module 235, the device access code module 236, the encryption and authentication module 238, and the packet buffer 240. The pseudonym addresses in the address manager table 232 are output to the modules 235, 236, 238, and 240 to be used in all the functions of



