Patents by Inventor Shai Herzog

Shai Herzog has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20120322458
    Abstract: Positional information is provided while minimizing the possibility that personally identifiable information can be derived therefrom. Positional information is received in the form of trails that can be aggregated. Individual cells of a grid reflect a quantity of aggregated trails through those cells, an average intensity and direction of movement through those cells, or a more detailed distribution thereof. Alternatively, individual trails are aggregated to an aggregated trail in the form of a line. Further obfuscation of personally identifiable information occurs by resampling aggregated positional information, by introducing false positional information, or by falsely modifying existing positional information, in a manner that does not impact the overall aggregations, and by pruning, or deleting, positional information, especially around sensitive locations, such as a user's home, place of business, or other location that users typically would seek to keep private.
    Type: Application
    Filed: June 17, 2011
    Publication date: December 20, 2012
    Applicant: MICROSOFT CORPORATION
    Inventors: Gil Shklarski, Brian Beckman, Eyal Ofek, Kenn Daniel Cartier, Shai Herzog, Gur Kimchi, Bernard Lawrence Johnston
  • Publication number: 20120166077
    Abstract: Navigation instructions using low-bandwidth signaling are supported in an alternative user interface that may be utilized as either a full replacement or as an enhancement to conventional visual/audio navigation interfaces. In one illustrative example, the alternative interface makes use of the more constrained, but generally broadly available low-bandwidth signaling capability of mobile devices to encode navigation instructions in the form of varying patterns of tactile vibrations that may be imparted from the device to a user as haptic feedback. The user can sense the vibrations and readily translate them into the navigation instructions without needing any kind of special decoding equipment or using any special techniques. The vibrations may be encoded using easy to remember patterns so that a full and rich navigation feature set may be accessed with minimal training on the user's part.
    Type: Application
    Filed: December 22, 2010
    Publication date: June 28, 2012
    Applicant: MICROSOFT CORPORATION
    Inventors: Shai Herzog, Eyal Ofek, Jeffrey Couckuyt
  • Publication number: 20120090017
    Abstract: Systems and methods of authentication and authorization between a client, a server, and a gateway to facilitate communicating a message between a client and a server through a gateway. The client has a trusted relationship with each of the gateway and the server. A method includes registering the client with the gateway. The client also constructs the address space identifying the gateway and the client. The client communicates the address space to the server. The client receives an identity identifying the server. If the client authorizes to receive a message from the server through the gateway, the client informs the authorization to the gateway. The client puts the identity identifying the server on a list of servers which are authorized to send messages to the client. In addition, the client communicates the list of servers to the gateway.
    Type: Application
    Filed: December 13, 2011
    Publication date: April 12, 2012
    Applicant: MICROSOFT CORPORATION
    Inventors: Shai Herzog, Johannes Klein, Alexandru Gavrilescu
  • Patent number: 8099764
    Abstract: Systems and methods of authentication and authorization between a client, a server, and a gateway to facilitate communicating a message between a client and a server through a gateway. The client has a trusted relationship with each of the gateway and the server. A method includes registering the client with the gateway. The client also constructs the address space identifying the gateway and the client. The client communicates the address space to the server. The client receives an identity identifying the server. If the client authorizes to receive a message from the server through the gateway, the client informs the authorization to the gateway. The client puts the identity identifying the server on a list of servers which are authorized to send messages to the client. In addition, the client communicates the list of servers to the gateway.
    Type: Grant
    Filed: December 17, 2007
    Date of Patent: January 17, 2012
    Assignee: Microsoft Corporation
    Inventors: Shai Herzog, Johannes Klein, Alexandru Gavrilescu
  • Publication number: 20110313779
    Abstract: User feedback such as “crowd sourcing” is utilized for supplementing and correcting augmented location information like augmented maps and/or street view images. User feedback on missing or incorrect information is elicited through “treasure hunt” style augmented reality games, monetary or similar rewards, and comparable incentives. Various mechanisms such as authentication of data submitting users, input from known users, image or location based confirmation from a data submitting user, and similar ones may be employed to verify the new data before or after it is published.
    Type: Application
    Filed: June 17, 2010
    Publication date: December 22, 2011
    Applicant: MICROSOFT CORPORATION
    Inventors: Shai Herzog, Eyal Ofek
  • Publication number: 20110311094
    Abstract: Techniques to verify a participant's visit to a specific location are described. An embodiment may provide a system that generates a pattern that is unique to the location, and that may further be unique to a date or time, a transaction, or other criteria. Participants may capture the pattern, for example, using a mobile device, and transmit the pattern to a verification system. The verification system may decode, translate, decrypt or otherwise obtain information from the pattern. The information obtained from the pattern may be used to verify that the pattern came from the location. The participant may then receive credit for the visit. Other embodiments are described and claimed.
    Type: Application
    Filed: June 17, 2010
    Publication date: December 22, 2011
    Applicant: MICROSOFT CORPORATION
    Inventors: Shai Herzog, Gur Kimchi
  • Publication number: 20110286373
    Abstract: Keep-alive processing for NAT devices and reducing power consumption in wireless clients. A server driven keep-alive mechanism facilitates keep-alive messages to a NAT device currently providing a connection to a mobile client to refresh the NAT state, thereby reducing or eliminating power consumption in a wireless device to respond to the connection with keep-alive packets. In one instance, keep-alive packets are sent to the NAT device to reset the NAT timeout timer, and then to the mobile client. The client responds only when expected keep-alive packets are not received at the client. In another instance, keep-alive packets reset the NAT timer to maintain the connection but are dropped or self-destruct before reaching the mobile client thereby providing the optimum power conservation in the mobile device. Thus, the client is not forced into extra client activity to send or receive wireless data, thereby draining the battery.
    Type: Application
    Filed: August 2, 2011
    Publication date: November 24, 2011
    Applicant: MICROSOFT CORPORATION
    Inventor: Shai Herzog
  • Patent number: 8023432
    Abstract: Keep-alive processing for NAT devices and reducing power consumption in wireless clients. A server driven keep-alive mechanism facilitates keep-alive messages to a NAT device currently providing a connection to a mobile client to refresh the NAT state, thereby reducing or eliminating power consumption in a wireless device to respond to the connection with keep-alive packets. In one instance, keep-alive packets are sent to the NAT device to reset the NAT timeout timer, and then to the mobile client. The client responds only when expected keep-alive packets are not received at the client. In another instance, keep-alive packets reset the NAT timer to maintain the connection but are dropped or self-destruct before reaching the mobile client thereby providing the optimum power conservation in the mobile device. Thus, the client is not forced into extra client activity to send or receive wireless data, thereby draining the battery.
    Type: Grant
    Filed: March 12, 2007
    Date of Patent: September 20, 2011
    Assignee: Microsoft Corporation
    Inventor: Shai Herzog
  • Patent number: 8020197
    Abstract: Systems and methods for performing explicit delegation with strong authentication are described herein. Systems can include one or more clients, one or more end servers, and one or more gateways intermediate or between the client and the end server. The client may include an explicit strong delegation component that is adapted to strongly authenticate the client to the gateway. The explicit strong delegation component may also explicitly delegate to the gateway a right to authenticate on behalf of the client, and to define a period of time over which the explicit delegation is valid. The system may be viewed as being self-contained, in the sense that the system need not access third-party certificate or key distribution authorities. Finally, the client controls the gateways or end servers to which the gateway may authenticate on the client's behalf.
    Type: Grant
    Filed: February 15, 2006
    Date of Patent: September 13, 2011
    Assignee: Microsoft Corporation
    Inventors: Tomer Shiran, Sara Bitan, Nir Nice, Jeroen de Borst, Dave Field, Shai Herzog
  • Publication number: 20110214174
    Abstract: Web pages and applications commonly consume functionality provided by services to provide users with a rich experience. For example, a backend mapping service may provide access to these services. However, the users and application consuming the services may be anonymous and unverified. Accordingly, a two ticket validation technique is provided to validate service execution requests from anonymous applications. In particular, a user is provided with a client ticket comprising a reputation. The reputation may be adjusted over time based upon how the user consumes services. An application may request access to a service by providing the client ticket and an application ticket for validation. The reputation of the user may be used to determine an access level at which the application may access the service. Users with a high reputation may receive high quality access to the service, while users with a low reputation may receive lower quality access.
    Type: Application
    Filed: February 26, 2010
    Publication date: September 1, 2011
    Applicant: Microsoft Corporation
    Inventors: Shai Herzog, Gil Shklarski
  • Patent number: 7987471
    Abstract: A general-purpose proxy mobile device management architecture. The architecture serves as a proxy for a mobile client seeking services from backend systems. A virtual client image of state information associated with the mobile client is stored such that when the mobile client interacts with the proxy, the virtual image updates to the latest client state. Based on the changes to the state, the proxy system asynchronously accesses one or more arbitrary services of the backend systems on behalf of the mobile client. When the mobile client connects to the proxy, the proxy will have the latest services associated with the states of the virtual image, and updates the state of the mobile client. Updating and accessing occurs asynchronously on the frontend between the proxy and mobile devices and on the backend between the proxy and the backend systems.
    Type: Grant
    Filed: January 26, 2007
    Date of Patent: July 26, 2011
    Assignee: Microsoft Corporation
    Inventors: Shai Herzog, Marie Hagman, Bogdan M. Tepordei, Michael E. Deem
  • Publication number: 20110131172
    Abstract: Determining geospatial patterns from device data collected from a plurality of computing devices. The devices represent, for example, a plurality of sources providing the device data. The device data describes the computing devices and/or environments thereof. Some embodiments present the determined patterns to users for editing, update maps with the edited patterns, and distribute the maps to the users. The maps are stored to create a searchable map library.
    Type: Application
    Filed: December 2, 2009
    Publication date: June 2, 2011
    Applicant: MICROSOFT CORPORATION
    Inventors: Shai Herzog, Jyh-Han Lin, Miller Thomas Abel, Moe Khosravy, Katrika Woodcock, Karon A. Weber, James Kai Yu Lau
  • Patent number: 7881318
    Abstract: Architecture for maintaining connection state of network address translation (NAT) devices by employing an out-of-band (OOB) technique externally to application connections without imposing additional requirements on the underlying native application(s). The OOB solution can be applied to arbitrary connections without requiring modification to an application protocol and works with TCP and UDP. A keep-alive (KA) application is employed as an OOB mechanism that injects KA packets that appear to the NAT device to be coming from the native connection. These injected packets fool the NAT device into resetting the inactivity timer for that connection, but do not fool or confuse the native application, which is oblivious to the spoofing. Accordingly, the connection will not terminate due to NAT timeouts, and therefore, a client/server protocol, for example, will not need to generate fake activity packets to keep the connection alive.
    Type: Grant
    Filed: February 28, 2007
    Date of Patent: February 1, 2011
    Assignee: Microsoft Corporation
    Inventors: Shai Herzog, Marie Hagman
  • Publication number: 20100312899
    Abstract: Systems and methods for use in communication between a client and a server, via a networking device, are provided. The method may include sending a request to establish a data connection from the client to the server via the networking device, setting a data connection keep-alive interval for the data connection to a predetermined safe value, and sending a request to establish a test connection between the client and the server. The method may further include determining an efficient keep-alive interval for communication between the client and server via the networking device, using the test connection, setting the data connection keep-alive interval to the efficient keep-alive interval determined using the test connection, and uploading the efficient keep-alive interval from the client to the server in an efficient keep-alive interval notification message, for communication to other clients connected to the server.
    Type: Application
    Filed: June 8, 2009
    Publication date: December 9, 2010
    Applicant: MICROSOFT CORPORATION
    Inventors: Shai Herzog, Rashid Qureshi, Jorge Raastroem, Xuemei Bao, Rajeev Bansal, Qian Zhang, Scott Michael Bragg
  • Publication number: 20100138501
    Abstract: In a push environment having a communication path along which a service provides messages to a computing device via a gateway, an inactivity timeout value and a registration timeout value enable the computing device to detect failures in the communication path. An application executing on the computing device registers an application endpoint with the gateway. The application separately subscribes to the service to receive the messages. If there is inactivity in accordance with the inactivity timeout value, the application de-registers and re-registers with the gateway, and unsubscribes and re-subscribes with the service.
    Type: Application
    Filed: December 3, 2008
    Publication date: June 3, 2010
    Applicant: Microsoft Corporation
    Inventors: Nathaniel T. Clinton, Adam Sapek, Johannes Klein, Farookh Mohammed, Rashid Qureshi, Shai Herzog, Eric David Deily
  • Patent number: 7693084
    Abstract: Concurrent testing of NAT connections using different timeout values to compute a keep-alive value for the NAT device. Computation of the approximate timeout value is accomplished concurrently over multiple test connections within about a time equivalent to the actual NAT timeout value. The architecture validates the computation of the approximate timeout value by distinguishing NAT connection failure from external failure using a control connection. Moreover, computation of the keep-alive value is performed only once for a given NAT device rather than being an on-going process for that NAT device. When one of the test connections fails, it is determined that the NAT timeout value is less than the test timeout value associated with the failed test connection. Accordingly, a smaller test timeout value is then selected as the keep-alive value for keep-alive processing of the NAT device.
    Type: Grant
    Filed: February 28, 2007
    Date of Patent: April 6, 2010
    Assignee: Microsoft Corporation
    Inventor: Shai Herzog
  • Patent number: 7676573
    Abstract: A stateful cache layer is created at a mobile device client that tracks the state on both the mobile device and management service. The states are synchronized between the mobile device and the management service on every management session. Through the statefulness of the cache layer, unauthorized changes on the mobile device are detected and accordingly handled such as internal correction or reporting to the management service for actionable instructions. A cache layer on the management server is configured to identify organizational policy changes that affect specific devices and initiate unsolicited immediate management sessions to update the configuration to the specific devices.
    Type: Grant
    Filed: February 8, 2008
    Date of Patent: March 9, 2010
    Assignee: Microsoft Corporation
    Inventors: Shai Herzog, Marie Hagman, Eric S. Vandenberg, Michael E. Deem
  • Publication number: 20090204701
    Abstract: A stateful cache layer is created at a mobile device client that tracks the state on both the mobile device and management service. The states are synchronized between the mobile device and the management service on every management session. Through the statefulness of the cache layer, unauthorized changes on the mobile device are detected and accordingly handled such as internal correction or reporting to the management service for actionable instructions. A cache layer on the management server is configured to identify organizational policy changes that affect specific devices and initiate unsolicited immediate management sessions to update the configuration to the specific devices.
    Type: Application
    Filed: February 8, 2008
    Publication date: August 13, 2009
    Applicant: Microsoft Corporation
    Inventors: Shai Herzog, Marie Hagman, Eric S. Vandenberg, Michael E. Deem
  • Publication number: 20090158397
    Abstract: Systems and methods of authentication and authorization between a client, a server, and a gateway to facilitate communicating a message between a client and a server through a gateway. The client has a trusted relationship with each of the gateway and the server. A method includes registering the client with the gateway. The client also constructs the address space identifying the gateway and the client. The client communicates the address space to the server. The client receives an identity identifying the server. If the client authorizes to receive a message from the server through the gateway, the client informs the authorization to the gateway. The client puts the identity identifying the server on a list of servers which are authorized to send messages to the client. In addition, the client communicates the list of servers to the gateway.
    Type: Application
    Filed: December 17, 2007
    Publication date: June 18, 2009
    Applicant: Microsoft Corporation
    Inventors: Shai Herzog, Johannes Klein, Alexandru Gavrilescu
  • Publication number: 20080320566
    Abstract: Proxy service that enables a domain join operation for a client over a non-secure network. The join operation is achieved with minimal security exposure by using machine identity information rather than user credentials. The proxy only uses permission associated with adding a new machine account to the enterprise directory, and not for adding a user account or taking ownership of existing accounts. The proxy enables authentication based on actual machine account credentials to obtain a signed certificate, rather than conventional techniques such as delegation. Moreover, the enrollment process employs an original trust relationship between the device and the proxy rather than requiring or depending on public trust.
    Type: Application
    Filed: June 25, 2007
    Publication date: December 25, 2008
    Applicant: Microsoft Corporation
    Inventors: Shai Herzog, Paul Cotter