Abstract: In a network computing environment, a user-centric system and method for controlling access to user-specific information maintained in association with a web-services service. When a web-services client desires access to the user-specific information, the client sends a request. The request identifies the reasons/intentions for accessing the desired information. The request is compared to the user's existing access permissions. If there is no existing access permission, the request is compared to the user's default preferences. If the default preferences permit the requested access, an access rule is created dynamically and the client's request is filled, without interrupting the user. If the default preferences do not permit the request to be filled, a consent user interface may be invoked. The consent user interface presents one or more consent options to a party with authority to grant consent, thereby permitting the user to control whether the client's access will be filled.

Abstract: The claimed subject matter relates to an architecture that can mitigate privacy concerns in connection with ad targeting or data collection. In particular, architecture can be included in a personal mobile communication device such as a cell phone. During communication transactions between the host device and a peer device, shared information can be extracted either from content included in the communication or from metadata. Based upon the shared information, a social graph maintained on the host device can be updated. In addition, the host device can receive a large set of ads and select or tailor a custom ad from the set based upon the social graph.

Abstract: Consent management between a client and a network server. In response to a request for consent, a central server determines if requested user information is included in a user profile associated with a user and if the user has granted consent to share the requested user information. A user interface is provided to the user via a browser of the client to collect the requested user information that is not included in the user profile and the consent to share the requested user information from the user. After receiving the user information provided by the user via the user interface, the service provided by the network server is allowed access to the received user information, and the central server updates the user profile. Other aspects of the invention are directed to computer-readable media for use with profile and consent accrual.

Abstract: A user is able to informatively control how contact information is provided to one or more applications through the use of a persona interface object, corresponding personas and contact information, and an information picker interface. The persona interface identifies available personas, each persona having different contact information. The user can select a persona to use in response to an applications request for information. The personas can be modified and developed through the information picker interface, which can also be used to inform the user about what information is being requested and how it will be used.

Abstract: A computerized method for allowing multiple applications to create groups in a common address book while maintaining control over access to the created group. A creating application creates a group within a shared address book and may provide access logic for access to the group. Additional applications may then send a request to an intermediary component such as an Application Program Interface (“API”) for access to the group. The API determines if there is access logic to execute. If there is no logic, access may be granted to the group. If there is access logic, then the logic is executed and access is granted or denied depending on the prerequisites for access found in the logic.

Abstract: Computer-implemented methods of processing contact records are provided. A user may merge and unmerge contact records to control which records are synchronized with each other. Identity claims of records may be compared to identify possible duplicate records. Identity claims may include addresses, phone numbers, instant messenger addresses or other contact data that is likely to be uniquely associated with a contact. When possible duplicate contact records are found, a dialog box is displayed that identifies the possible duplicate records and includes an option for merging the possible duplicate contact records.

Abstract: The subject disclosure pertains to a domain identification system, comprising a principal that has a key and a mnemonically meaningless identifier, the mnemonically meaningless identifier is used to identify the component in a networked environment. The mnemonically meaningless identifier can be bound to the public key by a binding. The component may be part of a neighborhood of components, and each member component knows the members' binding.

Abstract: The subject disclosure pertains to systems and methods that facilitate managing access control utilizing certificates. The systems and methods described herein are directed to mapping an access policy as expressed in an access control list to a set of certificates. The set of certificates can be used to grant access to resources in the manner described by the ACL. The certificates can be distributed to entities for use in obtaining access to resources. Entities can present certificates to resources as evidence of their right to access the resources. The access logic of the sequential ACL can be transformed or mapped to a set of order independent certificates. In particular, each entry, position of the entry in the list and any preceding entries can be analyzed. The analysis can be used to generate order independent certificates that provide access in accordance with the access policy communicated in the ACL.

Abstract: The subject disclosure pertains to systems and methods that facilitate entity-based for access management. Typically, access to one or more resources is managed based upon identifiers assigned to entities. Groups of identifiers can be assigned to access rights. An authority component can manage an exclusion group that excludes an entity, regardless of the identifier utilized by the entity. Access control components can utilize exclusion groups in access policies to define access rights to a resource.

Abstract: The subject disclosure pertains to systems and methods that facilitate managing groups entities for access control. A negative group is defined using a base group, where the negative group associated with a base group includes any entities not included in the base group. Negative groups can be implemented using certificates rather than explicit lists of negative group members. A certificate can provide evidence of membership in the negative group and can be presented for evaluation to obtain access to resources. Subtraction groups can also be used to manage access to resources. A subtraction group can be defined as the members of a first group, excluding any members of a second group.

Abstract: A contact text box interface for resolving user input with contact information selected from contact directories and compared against usage patterns. Users are provided with a list of potentially relevant contacts from which a selection can be made. When a contact is selected, the corresponding and appropriate contact information is automatically provided to the application. Various criteria can be used to identify which contacts will be presented to the user and how they will be presented.

Abstract: Managing a plurality of identities associated with a user. The invention includes a system for managing multiple credentials within the same authentication system and across federated authentication systems in such a manner that signing in with one credential allows access to content, information or services that may be associated with another credential.

Abstract: Sending potentially sensitive information with privacy expectations. A method may be practiced, for example, in a computing environment. The method includes sending potentially sensitive information. Privacy expectation information is also sent specifying how the potentially sensitive information should be protected. The information and privacy expectation information may be included in an issued token, such that the privacy expectations can be later conveyed in a token exchange.

Abstract: Methods and system of sharing information among network servers coupled to a data communication network for providing services to a user via a client on the network and data structure for use therewith. Related services provided by the network servers are grouped into service groups. A database stores user-specific information, including operational information to be shared within the service groups. A central server coupled to the network receives a request from the user for a selected service and determines whether the selected service belongs to one of the service groups. In response to the request, the central server retrieves user-specific information identifying the user with respect to the selected service. The retrieved information includes operational information to be shared within each of the service groups to which the selected service belongs.

Abstract: Systems and methods are disclosed for synchronizing data stored in remote stores. Data stored in locations such as computer applications, consumer electronic devices and Internet websites is synchronized with a central database within a computer device. The computer device may also store constraints that limit the type of data that may be synchronized with individual stores. A graphical user interface may use different formats or icons to distinguish between data stored in a store and data included within the central database.

Abstract: Methods and system for managing consent. Embodiments of the invention identify a user in connection with an application or service that requests to use selected information associated with the user according to a predefined policy. After determining whether the user previously granted permission to use the selected information according to the policy, the invention can notify the user if a change has been made to the policy since the user previously granted permission for the application to use the selected information and obtain re-consent. Other aspects of the invention are directed to computer-readable media for use with authentication, notification, and re-consent.

Abstract: Methods and system managing consent between client and network server. A user interface requests information from a user in response to a request from the network server for consent to use the information. After receiving the information, the network server is allowed access to the information received from the user. In one embodiment, the user interface displays information previously stored in a user profile associated with the user and provides a form field for editing the user-specific information previously stored in the user profile. The user can provide information via the form field. Other aspects of the invention are directed to computer-readable media for use with user editable consent.

Abstract: In a network computing environment, a user-centric system and method for controlling access to user-specific information maintained in association with a web-services service. When a web-services client desires access to the user-specific information, the client sends a request. The request identifies the reasons/intentions for accessing the desired information. The request is compared to the user's existing access permissions. If there is no existing access permission, the request is compared to the user's default preferences. If the default preferences permit the requested access, an access rule is created dynamically and the client's request is filled, without interrupting the user. If the default preferences do not permit the request to be filled, a consent user interface may be invoked. The consent user interface presents one or more consent options to a party with authority to grant consent, thereby permitting the user to control whether the client's access will be filled.

Abstract: A schema is provided that defines people, groups and organizations by their corresponding contact information and other related characteristics. The schema defines a person by personal data, name data, location data, and e-address data. A group is defined by group membership data and e-address data. An organization is defined by location data and by e-address data. The schema also defines role occupancies for interrelating the various contacts. The role occupancies are defined by role occupancy data that may include employee data, team member data, group membership data, family data, customer or business data, and other types of data that can link two or more contacts. By interrelating contacts based on role occupancies, the schema is able to provide rich querying of one or more databases for obtaining desired contact information.