阅读说明：本技术 用于内容请求数据的加密的系统和方法 (System and method for encryption of content request data ) 是由 乔纳森·保罗·皮尔森 夏天 古风 全惠源 于 2020-04-01 设计创作，主要内容包括：限制在内容请求中接收的数据的存储的系统和方法包括获得用于资源提供者的公开加密密钥的数据处理系统。该数据处理系统可以从在客户端设备上运行的资源提供者的信息资源接收内容请求。该请求可以包括与一个或多个数据键相对应的一个或多个键值。该数据处理系统可以使用特定于资源提供者的加密策略来识别数据键,并使用公开加密密钥来加密键值。该数据处理系统可以以加密形式存储键值。该数据处理系统可以使用加密形式的键值生成数据报告,并提供对数据报告的访问。(A system and method of restricting storage of data received in a content request includes a data processing system that obtains a public encryption key for a resource provider. The data processing system may receive a content request from an information resource of a resource provider running on a client device. The request may include one or more key values corresponding to one or more data keys. The data processing system may identify the data key using a resource provider-specific encryption policy and encrypt the key value using a public encryption key. The data processing system may store the key value in encrypted form. The data processing system may generate a data report using the key value in an encrypted form and provide access to the data report.)

1. A system, the system comprising:

at least one processor; and

a memory storing computer-executable instructions that, when executed by the at least one processor, cause the at least one processor to:

receiving a public encryption key from a resource provider system associated with a resource provider to encrypt at least a portion of data received in a request for content associated with the resource provider, the resource provider system maintaining a private encryption key corresponding to the public encryption key;

receiving a request for content from a client device, the request for content identifying an information resource of the resource provider, the request including one or more data values for reporting back to the resource provider system, each of the one or more data values being associated with a respective data key;

identifying a data value of the one or more data values using an encryption policy specific to the resource provider, the encryption policy indicating a set of data keys for which data storage restrictions apply to the corresponding data value;

determining to apply the data storage restriction to the data value based on determining that the data value corresponds to a data key included in the set of data keys;

in response to applying the data storage restriction to the data value, encrypting the data value with the public encryption key to generate an encrypted data value;

storing the encrypted data value in association with data about at least one event associated with the request for content in a database associated with the data processing system;

generating a report using the encrypted data values, the report indicating performance data associated with one or more information resources of the resource provider and requests for content made by the one or more information resources; and

providing the resource provider access to the report, the encrypted data value being decrypted using the private key maintained by the resource provider system.

2. The system of claim 1, wherein the computer-executable instructions, when executed by the at least one processor, further cause the at least one processor to:

receiving an indication of the set of data keys for which a data storage restriction is applied to a corresponding data value, the set of data keys including data keys corresponding to the data value; and is

Generating, in a data structure, the encryption policy specific to the resource provider using an indication of the set of data keys for which a data storage restriction is applied to a corresponding data value.

3. The system of claim 1, wherein the computer-executable instructions, when executed by the at least one processor, further cause the at least one processor to compare a data key associated with the data value to the set of data keys for which a data storage restriction is applied to the corresponding data value.

4. The system of claim 1, wherein the computer-executable instructions, when executed by the at least one processor, further cause the at least one processor to:

concatenating the data value with a data string to generate a modified data value; and is

Encrypting the modified data value to generate a corresponding encrypted version of the data value.

5. The system of claim 4, wherein the length and location of the data string within the modified data value is specific and known to the resource provider.

6. The system of claim 1, wherein the computer-executable instructions, when executed by the at least one processor, further cause the at least one processor to transmit the report to the resource provider system.

7. The system of claim 1, wherein the at least one event associated with the request for content comprises an interaction of the client device with a content item provisioned for display on the information resource of the resource provider in response to the request for content.

8. The system of claim 1, wherein the resource provider maintains an encrypted version of the private encryption key on a computing device.

9. The system of claim 8, wherein the computer-executable instructions, when executed by the at least one processor, further cause the at least one processor to:

providing a user interface to the resource provider to access the database;

receiving a search query from the user interface;

receiving (i) a link to the encrypted version of the private encryption key on the computing device, and (ii) a password for decrypting the encrypted version of the private encryption key; and is

Decrypting the encrypted version of the private encryption key using the password.

10. The system of claim 9, wherein the computer-executable instructions, when executed by the at least one processor, further cause the at least one processor to:

generating the report indicative of performance data in response to the search query;

decrypting the respective encrypted version of the data value in the report using the private encryption key; and is

Providing the report indicative of performance data for display on the user interface.

11. A method, comprising:

receiving, by a data processing system comprising one or more processors, a public encryption key from a resource provider system associated with a resource provider to encrypt at least a portion of data received in a request for content associated with the resource provider, the resource provider system maintaining a private encryption key corresponding to the public encryption key;

receiving, by the data processing system, a request for content from a client device, the request for content identifying an information resource of the resource provider, the request including one or more data values for reporting back to the resource provider system, each of the one or more data values being associated with a respective data key;

identifying, by the data processing system, a data value of the one or more data values using an encryption policy specific to the resource provider, the encryption policy indicating a set of data keys for which data storage restrictions apply to the corresponding data value;

determining, by the data processing system, to apply the data storage restriction to the data value based on determining that the data value corresponds to a data key included in the set of data keys;

encrypting, by the data processing system, the data value with the public encryption key to generate an encrypted data value in response to applying the data storage restriction to the data value;

storing, by the data processing system, the encrypted data value in association with data about at least one event associated with the request for content in a database associated with the data processing system;

generating, by the data processing system, a report using the encrypted data, the report indicating performance data associated with one or more information resources of the resource provider and requests for content made by the one or more information resources; and

providing, by the data processing system, the resource provider access to the report, the encrypted data value being decrypted using the private key maintained by the resource provider system.

12. The method of claim 11, further comprising:

receiving, by the data processing system, an indication of the set of data keys for which a data storage restriction is applied to a corresponding data value, the set of data keys including a data key corresponding to the data value; and

generating, by the data processing system, the encryption policy specific to the resource provider in a data structure using an indication of the set of data keys for which a data storage restriction is applied to the corresponding data value.

13. The method of claim 11, wherein identifying the data value comprises:

comparing, by the data processing system, a data key associated with the data value to the set of data keys for which a data storage restriction is applied to the corresponding data value.

14. The method of claim 11, wherein encrypting the data value with the public encryption key comprises:

concatenating the data value with a data string to generate a modified data value; and

encrypting the modified data value to generate a corresponding encrypted version of the data value.

15. The method of claim 14, wherein the length and location of the data string within the modified data value is specific and known to the resource provider.

16. The method of claim 11, wherein providing the resource provider with access to the report comprises transmitting the report to the resource provider.

17. The method of claim 11, wherein the at least one event associated with the request for content comprises an interaction of the client device with a content item provisioned for display on the information resource of the resource provider in response to the request for content.

18. The method of claim 11, wherein the resource provider maintains an encrypted version of the private encryption key on a computing device, and the method further comprises:

providing a user interface to the resource provider to access the database;

receiving a search query from the user interface;

receiving (i) a link to the encrypted version of the private encryption key on the computing device, and (ii) a password for decrypting the encrypted version of the private encryption key; and

decrypting the encrypted version of the private encryption key using the password.

19. The method of claim 18, further comprising:

generating the report indicative of performance data in response to the search query;

decrypting the respective encrypted version of the data value in the report using the private encryption key; and

providing the report indicative of performance data for display on the user interface.

20. A non-transitory computer-readable medium storing computer-executable instructions that, when executed by at least one processor, cause the at least one processor to:

receiving a request for content from a client device, the request for content identifying an information resource of a resource provider, the request including one or more data values for reporting back to the resource provider system, each of the one or more data values being associated with a respective data key;

identifying a data value of the one or more data values using an encryption policy specific to the resource provider, the encryption policy indicating a set of data keys for which data storage restrictions apply to the corresponding data value;

determining to apply the data storage restriction to the data value based on determining that the data value corresponds to a data key included in the set of data keys;

in response to applying the data storage restriction to the data value, encrypting the data value with the public encryption key to generate an encrypted data value;

storing the encrypted data value in association with data about at least one event associated with the request for content in a database associated with the data processing system;

generating a report using the encrypted data values, the report indicating performance data associated with one or more information resources of the resource provider and requests for content made by the one or more information resources; and is

Providing the resource provider access to the report, the encrypted data value being decrypted using the private key maintained by the resource provider system.

Background

In a computer networking environment, such as the internet, third-party content providers provide third-party content items for display on end-user computing devices. These third-party content items, e.g., advertisements, may be displayed on web pages associated with respective publishers, client applications, or gaming applications, among others.

Disclosure of Invention

At least one aspect is directed to a system comprising at least one processor and a memory storing computer-executable instructions. The computer-executable instructions, when executed by at least one processor, may cause the at least one processor to receive a public encryption key from a resource provider system associated with a resource provider to encrypt at least a portion of data received in a request for content associated with the resource provider. The resource provider system may maintain a private encryption key corresponding to the public encryption key. The at least one processor may receive a request for content from a client device, the request for content identifying an information resource of an asset provider. The request may include one or more data values for reporting back to the resource provider system. Each of the one or more data values may be associated with a respective data key. The at least one processor may identify a data value of the one or more data values using a resource-provider specific encryption policy. The encryption policy may indicate a set of data keys for which data storage restrictions apply to the corresponding data values. The at least one processor may determine to apply the data storage restriction to the data value based on determining that the data value corresponds to a data key included in the set of data keys. The at least one processor may encrypt the data value using the public encryption key to generate an encrypted data value in response to applying the data storage restriction to the data value. The at least one processor may store, in a database associated with the data processing system, an encrypted data value associated with data regarding at least one event associated with a request for content. The at least one processor may generate a report using the encrypted data value, the report indicating performance data associated with one or more information resources of the resource provider and requests for content by the one or more information resources. The at least one processor may provide the resource provider with access to the report. The encrypted data value may be decrypted using a private key maintained by the resource provider system.

At least one aspect is directed to a method comprising: a public encryption key is received by a data processing system comprising one or more processors from a resource provider system associated with a resource provider to encrypt at least a portion of data received in a request for content associated with the resource provider. The resource provider system may maintain a private encryption key corresponding to the public encryption key. The method may include a data processing system receiving a request for content from a client device, the request for content identifying an information resource of a resource provider. The request may include one or more data values for reporting back to the resource provider system. Each of the one or more data values may be associated with a respective data key. The method may include the data processing system identifying a data value of the one or more data values using a resource-provider specific encryption policy. The encryption policy may indicate a set of data keys for which data storage restrictions apply to the corresponding data values. The method may include the data processing system determining to apply a data storage restriction to the data value based on determining that the data value corresponds to a data key included in the set of data keys. The method can comprise the following steps: the data processing system encrypts the data value using the public encryption key to generate an encrypted data value in response to applying the data storage restriction to the data value. The method may include the data processing system storing, in a database associated with the data processing system, the encrypted data value in association with data about at least one event associated with a request for content. The method may include the data processing system generating a report using the encrypted data, the report indicating performance data associated with one or more information resources of the resource provider and requests for content made by the one or more information resources. The method may include the data processing system providing the resource provider with access to the report. The encrypted data value may be decrypted using a private key maintained by the resource provider system.

At least one aspect is directed to a non-transitory computer-readable medium storing computer-executable instructions that, when executed by at least one processor, cause the at least one processor to receive a public encryption key from a resource provider system associated with a resource provider to encrypt at least a portion of data received in a request for content associated with the resource provider. The resource provider system may maintain a private encryption key corresponding to the public encryption key. The at least one processor may receive a request for content from a client device, the request for content identifying an information resource of an asset provider. The request may include one or more data values for reporting back to the resource provider system. Each of the one or more data values may be associated with a respective data key. The at least one processor may identify a data value of the one or more data values using a resource-provider specific encryption policy. The encryption policy may indicate a set of data keys for which data storage restrictions apply to the corresponding data values. The at least one processor may determine to apply a data storage restriction to the data value based on determining that the data value corresponds to a data key included in the set of data keys. The at least one processor may encrypt the data value using the public encryption key to generate an encrypted data value in response to applying the data storage restriction to the data value. The at least one processor may store the encrypted data value in association with data regarding at least one event associated with the request for content in a database associated with the data processing system. The at least one processor may generate a report using the encrypted data value, the report indicating performance data associated with one or more information resources of the resource provider and requests for content made by the one or more information resources. The at least one processor may provide the resource provider with access to the report. The encrypted data value may be decrypted using a private key maintained by the resource provider system.

These and other aspects and embodiments are discussed in detail below. The foregoing information and the following detailed description include illustrative examples of various aspects and embodiments, and provide an overview or framework for understanding the nature and character of the claimed aspects and embodiments. The accompanying drawings are included to provide an illustration and a further understanding of the various aspects and embodiments, and are incorporated in and constitute a part of this specification. It will be understood that aspects and embodiments may be combined, and features described in the context of one aspect or embodiment may be implemented in the context of other aspects.

Drawings

The drawings are not intended to be drawn to scale. Like reference numbers and designations in the various drawings indicate like elements. For purposes of clarity, not every component may be labeled in every drawing. In the drawings:

FIG. 1 is a block diagram depicting one embodiment of an environment for enforcing data storage (or recording) restrictions on data provided in a content request, in accordance with an illustrative embodiment.

FIG. 2 is a flow chart illustrating a method for restricting storage of received data.

FIG. 3 shows the general architecture of an illustrative computer system in accordance with the illustrative embodiments.

Detailed Description

The following is a more detailed description of various concepts related to methods, apparatus, and systems for protecting the integrity and privacy of data included in a content request, such as a third party content request, and embodiments thereof. The various concepts introduced above and discussed in detail below may be implemented in any of numerous ways, as the described concepts are not limited to any particular implementation. For example, although the content or content items may be referred to herein as advertisements, it will be appreciated that the content or content items may be any suitable content.

A content distribution system, such as an advertisement distribution system, may serve third-party content, e.g., advertisements, in response to a content request from a client device. Each content request may identify an information resource of a resource provider that triggered the request for content on the corresponding client device. Examples of information resources may include web pages, client applications or components thereof, social media platforms or components thereof, gaming platforms or components thereof, or gaming applications or components thereof, among others. The resource provider may include a publisher or owner of the information resource or an agent thereof. The information resource may include executable instructions that, when executed by the client device, may cause the client device to send a request for content to the content distribution system or a data processing system thereof. For example, a web page may include a content slot (e.g., an ad slot) that includes corresponding computer-executable instructions. When executed by a client device, computer-executable instructions for a content bit cause the client device to send a request for a content item for display in the content bit.

The resource provider system of the resource provider may be in communication with the content distribution system. The resource provider system may receive performance data, for example, of one or more information resources of the resource provider from the content distribution system. The performance data may include, for example, a number of content items served on the information resource, a number or rate of client device interactions with content items served on the information resource, a number or rate of conversions of content items served on the information resource, revenue data for the resource provider, or a combination thereof. The performance data may include statistical data, deterministic data, or a combination of both. The content distribution system may rank or categorize the performance data according to one or more contextual criteria. The contextual criteria may include, for example, a date or timing of the request for content, a client device type, a client device Identifier (ID), a user account, a client device geolocation, an information resource that triggered the request for content, a phase at which the request for content was made (e.g., a game or application phase), a combination thereof, and so forth. The use of contextual criteria (or contextual data) can help the resource provider system or resource provider optimize the performance of the respective information resource.

The client device may insert or embed the data segment in the request for content after executing the instructions of the information resource (e.g., the instructions of the corresponding content bits). The data section can include one or more contextual criteria to facilitate reporting of performance data to the resource provider system according to the contextual criteria. For example, the executable instructions may cause the client device to embed one or more data values, such as a time value, a date value, a client device type, a client device ID, a user account number, a client device position, an information resource ID or URL, a game stage ID, a video frame ID or number, or a combination thereof, in the request for content. Each data value may correspond to a respective data key (or data field). The data values included in the request for content may be of a sensitive nature and may include information that the resource provider (or resource provider system) wants to remain confidential or private.

Sending data values (e.g., indicative of context data) to the content distribution system increases the risk of exposing such data to potential unauthorized access or abuse. For example, the content distribution system may store data received in a request for content in a database. Compromising the security of the database may result in unauthorized access to the data stored therein. Furthermore, performance data reports sent by the content distribution system to the resource provider system may be subject to, for example, man-in-the-middle attack (MITM) attacks. Any corruption of the data provided in the request for content may have damaging consequences to the resource provider and the content distribution system, and can increase the potential detriments of at least the content distribution system if not both.

To enhance the security of the contextual data sent in the request for content, the information resource may cause the client device to encrypt the key value (or data value corresponding to the respective data key). For example, the information resource may include encryption instructions that, when executed by a client device accessing the information resource, may cause the client device to encrypt the key value and insert the encrypted key value into the content request. However, the resource provider may select a list of data keys whose key values are to be encrypted, and such a subset may change over time. The dynamic nature of the data key list whose key values are to be encrypted requires continuous updating of the executable instructions of the information resource or communication of the data key list whose corresponding key values are to be encrypted to the client device. On the one hand, continuous updates to the executable instructions of the information resource may place an unnecessary burden on the resource provider, as changes to the list of data keys may be relatively frequent. On the other hand, communicating a list of data keys whose key values are to be encrypted to the client device with each request for content to be made results in inefficient use of communication bandwidth and computing resources of the client device.

In addition, given that the instructions of the information resource are executed on the client device, there is a risk that the client device may disturb the instructions of the information resource, for example by eliminating the corresponding encryption instructions or modifying the encryption key used therein. Finally, with respect to client device level encryption, there is an implicit expectation that all or at least most of the information resources will include encryption instructions to encrypt the key value using the resource provider's public encryption key. This expectation may be unreasonable, resulting in key values in many content requests being unencrypted.

In the present disclosure, the content distribution system may enforce data storage limitations for context data received in a request for content and recorded by the content distribution system based on policies specified by or associated with the resource provider system or a respective resource provider. The resource provider system may specify a list (or set) of data keys whose corresponding data values are to be stored or recorded by the content distribution system in encrypted form. For example, each resource provider system may provide a list of data keys whose corresponding values are to be encrypted and a corresponding public encryption key to the content distribution system. In some implementations, the content distribution system can infer a list of data keys whose corresponding values are to be encrypted based on, for example, one or more attributes known to the content distribution system. Upon receiving a request for content identifying an information resource of an resource provider system, the content distribution system can identify which data values in the request correspond to data keys in a list provided by the resource provider system. The content distribution system may encrypt the identified value and store it in an encrypted form in a database. The content distribution system may use an encrypted form of the key value when generating and/or providing reports to the resource provider system. Upon receiving the performance report, the resource provider system may decrypt any data values included in the report in encrypted form using the private key corresponding to the public key.

The above-described data storage restriction methods maintain the features of reporting data (e.g., performance reports) to the resource provider system based on various contextual data or criteria, while enhancing the integrity and security of the contextual data received in the content request. Storing (or recording) at least a portion of such data in encrypted form prevents even the data processing system from accessing the recorded data. Once the data is encrypted, the data processing cannot decrypt and access the data. Likewise, implementing encryption on the content distribution system allows data protection for all resource providers. In some implementations, the content distribution system can use a key to select the content item prior to encryption.

FIG. 1 is a block diagram depicting one embodiment of an environment 100 for enforcing data storage (or recording) restrictions on data provided in a content request, in accordance with an illustrative embodiment. The environment 100 may include at least one data processing system 110, one or more content provider computing devices 115, one or more publisher computing devices 120, one or more client devices 125, and a network 105. The data processing system 110, the one or more content provider computing devices 115, the one or more publisher computing devices 120, and the one or more client devices 125 may be communicatively coupled to each other via the network 105.

The data processing system 110 may include at least one processor (or processing circuit) and memory. The memory may store computer-executable instructions that, when executed by the at least one processor, cause the at least one processor to perform one or more of the operations described herein. The at least one processor may comprise a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), the like, or a combination thereof. The memory may include, but is not limited to, electronic, optical, magnetic, or any other storage or transmission device capable of providing program instructions to the at least one processor. The memory may include a floppy disk, a CD-ROM, a DVD, a magnetic disk, a memory chip, an ASIC, an FPGA, a Read Only Memory (ROM), a Random Access Memory (RAM), an electrically erasable ROM (eeprom), an erasable-programmable ROM (eprom), a flash memory, an optical medium, or any other suitable memory from which at least one processor may read instructions. The instructions may include code from any suitable computer programming language. The data processing system 110 may include one or more computing devices or servers that may perform various functions. In some implementations, the data processing system 110 can include an advertising auction system configured to host an auction. In some implementations, the data processing system 110 may not include an ad auction system, but may communicate with the ad auction system via the network 105.

Network 105 may include a computer network, such as the internet, a Local Area Network (LAN), a Wide Area Network (WAN), a metropolitan area network, one or more intranets, a satellite network, a cellular network or network, an optical network, other types of data networks, or a combination thereof. The data processing system 110 may communicate with one or more content provider computing devices 115, one or more content publisher computing devices 120, or one or more client devices 125 via the network 105. The network 105 may include any number of network devices, such as gateways, switches, routers, modems, repeaters, wireless access points, and so forth. The network 105 may also include computing devices such as computer services. The network 105 may also include any number of hardwired and/or wireless connections.

The one or more content provider computing devices 115 may include a computer server, personal computer, handheld device, smart phone, or other computing device operated by a content provider entity such as an advertiser or an agent thereof. The one or more content provider computing devices 115 may provide content, such as text content, image content, video content, animation content, content items (e.g., creatives or advertisements), and/or uniform resource locators, and other types of content, to the data processing system 110 for display in the information resources. In particular, one or more content provider computing devices 115 of a given content provider may be a source of content items or content for generating content items of the content provider. The content items may be for display in information resources rendered on the client device 125, such as websites, web pages of search results, client applications, gaming applications or platforms, open source content sharing platforms (e.g., YOUTUBE, DAILYMOTION, or VIMEO), or social media platforms, among others.

The data processing system 110 may provide one or more user interfaces accessible via the content provider computing device 115 to allow content provider entities to generate corresponding content provider accounts or to generate corresponding campaigns (e.g., advertising campaigns). The user interface may allow the content provider entity to upload corresponding content, such as a content item, a Uniform Resource Locator (URL) of a corresponding landing page, or media content used to create the content item, to the data processing system 110 or other remote system. The content provider computing device 115 may provide other information via the user interface, such as payment and budget information, preferences or restrictions with respect to when and where to provision the content item, or combinations thereof.

The content publisher computing device 120 may include a server or other computing device operated by a content publishing entity to provide primary content for display via the network 105. Primary content may include websites, web pages, client applications, gaming content, social media content, or open source content sharing web pages, etc., for display on client device 125. The page, video segment, or other unit of primary content may include executable instructions, such as instructions associated with a content slot (e.g., ad slot), that cause the client device 125 to request a third party content slot from the data processing system 110 or other remote system when the primary content is displayed on the client device. In response to such a request, the data processing system or other remote system may run an auction to determine which content items to provide to the client device 125. In some implementations, the content publisher computing device 120 can include a server for serving (or streaming) video or game content. The content publisher computing device 120 can upload the public encryption key and a list of data keys to the data processing system 110 with which the corresponding values of the list of data keys are to be encrypted.

The data processing system 110 can provide one or more user interfaces accessible via the content publisher computing device 120 to allow resource provider entities to generate respective resource provider accounts. In generating the respective account, the content publisher system (or computing device 120) may provide the respective domain name and the URL of the respective web page via the user interface. The domain name and/or web page URL allows the data processing system to identify content requests generated by the resource provider's web page. In particular, the content request may include an identifier (e.g., a URL or domain name) of the web page that triggered the content request on the client device 125. The data processing system 110 can match the identifier in the content request with a URL or domain name provided by the resource provider.

The client device 125 may include a computing device configured to acquire and display primary content associated with a content publisher (or resource provider) and third-party content (e.g., third-party content items such as advertisements) provided by the content provider computing device 115. Client devices may request and receive such content via network 105. Client devices 125 may include desktop computers, laptop computers, tablet devices, smart phones, personal digital assistants, mobile devices, consumer computing devices, servers, digital video recorders, set-top boxes, smart televisions, video game consoles, or any other computing devices capable of communicating and consuming media content via network 105. Although FIG. 1 shows a single client device 125, environment 100 may include multiple client devices 125 served by data processing system 110. Similarly, the plurality of content provider computing devices 115 and/or the plurality of content publisher computing devices 120 may be communicatively coupled to the data processing system 110 via the network 105.

The data processing system 110 may include at least one computer server having one or more processors and memory for storing computer-executable instructions. For example, the data processing system 110 may include a plurality of computer servers located in at least one data center or server farm. In some implementations, the data processing system 110 can include a third-party content placement system, such as an advertisement server or an advertisement placement system. The data processing system 110 may include a policy management module 130, an encryption module 135, a data reporting module 140, and a database 145. Each of the policy management module 130, the encryption module 135, and the data reporting module 140 may be implemented as a software module, a hardware module, or a combination of both. For example, each of these modules may include a processing unit, server, virtual server, circuit, engine, proxy, appliance, or other logic device, such as a programmable logic array configured to communicate with database 145 or with other computing devices via a network. The computer-executable instructions of data processing system 110 may include instructions that, when executed by one or more processors, cause data processing system 110 to perform the operations discussed below with respect to fig. 2 and in relation to policy management module 130, encryption module 135, data reporting module 140, and database 145.

Referring to FIG. 2, a flow diagram is depicted illustrating a method 200 for limiting storage of data received in a content request. Method 200 may include obtaining a public encryption key (step 205). The method 200 may include receiving a content request including one or more key values corresponding to one or more data keys (step 210); and identifying the data key using the encryption policy (step 215). The method 200 may include: determining to apply a data storage restriction to the data value corresponding to the identified data key (step 220); and encrypting the key value using the public encryption key (step 225). The method 200 may include storing the key value in encrypted form (step 230). The method 200 may include: generating a report using the key value in encrypted form (step 235); and providing access to the report (step 240).

Referring to fig. 1 and 2, the method 200 may include the data processing system 110 obtaining a public encryption key of a resource provider (step 205). For example, the policy management module 130 may receive a public encryption key from a resource provider system associated with the resource provider (or content publisher). The policy management module 130 may provide, for example, a user interface for access by the content publisher computing device 120. A content publisher computing device 120 associated with the resource provider may access the user interface and provide the public encryption key. The public encryption key may be used by the data processing system 110 to encrypt at least a portion of data received in a content request associated with a resource provider. The content request may be triggered by an information resource of a resource provider accessed by the client device 125. The resource provider system or its content publisher computing device 120 may maintain a private encryption key corresponding to the public encryption key.

Method 200 may include data processing system 110 receiving a request for content from client device 125 that includes one or more data values (step 205). The request may identify an information resource of the resource provider and may include one or more data values corresponding to one or more data keys. An information resource (e.g., a page or element of a web page, client application, game application, or social media platform) of the resource provider, when accessed by the client device 125, may trigger a request for third-party content sent by the client device 125 to the data processing system 110. The request for third party content may include one or more data values (or key values) representing values for one or more corresponding data keys (or data fields). The data keys may include, for example, one or more keywords for selecting a content item, a device ID of the client device 125, a user account associated with the client device 125, a geographic location of the client device 125, a stage of an information resource in which the request is triggered, a set of navigation pages prior to triggering the content request, or combinations thereof.

The data values may be used by the data processing system 110 in reports (e.g., performance reports) provided to or sent to the resource provider system. For example, the data processing system 110 can include at least a portion of the data values in the data reported back to the resource provider system. The data value may be provided as free-form text in a request for content. For example, a request may include a series of data key-data value (or key-value) pairs.

The policy management module 130 may receive an indication of the resource provider specific encryption policy from the content publisher computing device 120 via the network 105. The content publisher computing device 120 may provide the indication of the encryption policy via a user interface or Application Programming Interface (API), or the like. The encryption policy may indicate a set or list of data keys for which data storage restrictions apply to corresponding data values. For example, an encryption policy may specify a list or set of data keys (or data fields) whose corresponding data values (or key values) are to be maintained in encrypted form by the data processing system 110 when provided in a content request. The policy management module 130 may maintain a data structure that associates encryption policies, data key lists, and/or public encryption keys with a domain name of a resource provider account or resource provider. In the case where the resource provider has multiple domains or applications, then the resource provider may provide a separate public encryption key and/or a separate encryption policy for each domain or application.

In some implementations, the policy management module 130 can receive an indication of a set of data keys for which to apply data storage limitations to corresponding data values. The policy management module 130 may use the indication of the set of data keys in a data structure to generate a resource provider specific encryption policy. For example, the policy management module 130 may generate a table (or other data structure) that lists the data keys, the actions to be performed on the data values corresponding to each data key (e.g., encryption), and a description or details of each listed action. The description or details of each action may include a public encryption key for performing the encryption action. Such a data structure may allow for separate actions or separate public encryption keys to be defined for different data keys.

The database 145 may store data associated with the resource provider account, such as a URL or identifier of an information resource, a public encryption key, information indicative of an encryption policy, and/or other data provided by the resource provider system (or the content publisher computing device 120). The policy management module 130 can update the resource provider data in the database 145, for example, in response to new data or modifications provided by the resource provider system or the corresponding content publisher computing device 120. In the event that the content publisher computing device 120 provides a public encryption key but does not specify an encryption policy to use, then the policy management module 130 may associate a default encryption policy with the resource provider account. For example, a default encryption policy may enforce that all key values should be maintained in encrypted form.

The method 200 may include the data processing system 110 identifying a data key of the one or more data keys in the content request having a corresponding data value using a resource-provider specific encryption policy (step 215), and determining to apply a data storage restriction to the data value corresponding to the identified data key (step 220). The encryption policy module 130 may scan the request for content to retrieve a URL or other identifier that identifies the information resource or corresponding resource provider that generated the request. Using the retrieved URL or identifier identifying the information resource, the policy management module 130 may identify a resource provider account associated with the information resource and determine an encryption policy associated with the resource provider account. For example, the policy management module 130 may retrieve the conditions or rules of the encryption policy. The condition or rule may include a list of data keys (if any) to which the encryption policy (or data storage restriction) applies. Policy management module 130 may also identify, from the request for content, a data key having a corresponding data value included in the request.

If the resource provider account indicates a default encryption policy, the policy management module 130 may determine that the data storage restriction is to be applied to all data values (or key values) in the request for content. Data storage limitations may imply that data values are to be recorded (or stored) by the data processing system 110 in encrypted form. If the encryption policy is not the default policy, the policy management module 130 may compare the data key whose corresponding data value is included in the content request with the data keys listed in the encryption policy associated with the resource provider account. Based on the comparison, the policy management module 130 may identify a data value in the request whose corresponding data key matches one of the data keys listed by the encryption policy of the resource provider account. The policy management module 130 may identify in the request one or more data values whose corresponding data keys match other data keys listed by the encryption policy of the resource provider account. The policy management module 130 may determine that a data storage restriction is to be applied to the identified data value.

The data storage limitations may dictate that the identified data values be maintained by the data processing system 110 in encrypted form (rather than in unencrypted form). The data processing system 110 cannot maintain any of the identified data values in unencrypted form. In this way, the data storage restriction enforces an added layer of data security (e.g., encryption) on the identified data value.

The method 200 may include the data processing system 110 encrypting the data value using the public encryption key in response to applying the data storage restriction to the data value to generate a corresponding encrypted data value (step 225). The policy management module 130 may provide the identified data value to the encryption module 135. The policy management module 130 may also provide the public encryption key to the encryption module 135. The encryption module 135 may retrieve the public encryption key from the database 145 or from a data structure. The encryption module 135 may encrypt the identified data value using a public encryption key. The encryption module 135 may individually encrypt each identified data value.

The encryption module 135 may concatenate each identified data value with a "salt" value. The "salt" value may comprise a random data string or a random number. By concatenating the data value with the data string, the encryption module 135 may generate a modified data value (or a modified version of the data value). The modified data value may have, for example, "salt: value "or" value: salt "form, wherein" value "represents data value and" salt "represents salt value. The encryption module 135 may add a salt value before, after, or somewhere in the middle of the data value to form a modified data value. "salt: value "and" value: the colon in salt "is used for readability only, but the encryption module 135 need not include a colon in generating the modified data value.

The encryption module 135 may encrypt the modified data value to generate an encrypted version of the data value. Cascading the data values with the "salt" value adds another layer of data protection. Even if an intruding entity were to successfully decrypt an encrypted version of a data value, the entity would be unable to distinguish between the original data value and the salt value in the modified data value. The resource provider system or the content publisher computing device 120 may have a priori knowledge of the structure of the modified data values. For example, the content publisher computing device 120 may know the length and location of the salt value within the modified data value. The length and location of the salt values may vary from one resource provider to another. The data processing system 110 or the encryption module 135 can provide an indication of the length and location (e.g., start point and length) of the salt value to the content publisher computing device 120. In general, the length and location of the salt values within the modified data values may be specific to the resource provider.

The method 200 may include the data processing system 110 storing the encrypted data values in association with data regarding at least one event associated with a request for content (step 230). The data reporting module 140 may store and maintain data in the database 145 regarding, for example, content items served in response to each request, client device interactions with the served content items, amounts earned by the resource provider in response to displaying content on the information resource, combinations thereof, and the like. The data reporting module 140 may store such data in association with the encrypted data value.

For example, the data reporting module 140 may store an indication of content items served to the client device 125 in response to a request for content that includes a particular keyword. The data reporting module 140 may maintain a data structure (e.g., a table or linked list) that associates encrypted data values corresponding to particular keywords with indications of associated such content items. In a similar manner, the data reporting module 140 may maintain a data structure that associates encrypted data values corresponding to a geographic location (where one or more client devices 125 were located when the client devices requested content) with content items that were served to the client devices 125 at the geographic location and that triggered client device interactions. The data reporting module 140 may maintain a list of encrypted data values representing keywords that result in inappropriate or objectionable content being served to the client device 125. The data reporting module 140 can store various other data structures that associate one or more of the encrypted data values with data indicative of an event associated with a content request that includes a key value corresponding to the one or more encrypted data values.

In some implementations, the data reporting module 140 may store the encrypted data values in association with an indication of the corresponding data key. The indication of the data key may be stored in an unencrypted form. As such, when the corresponding indication is stored in unencrypted form, the data reporting module 140 can search for stored data based on the data key. In other words, encrypted data key values may be stored or recorded in association with corresponding non-encrypted plain text data keys.

The method 200 may include the data processing system 110 generating a report using the encrypted data values stored in the database (step 235). For example, the data reporting module 140 may generate one or more reports including all data logged for a given information resource or a given resource provider. In some implementations, the data reporting module 140 can receive a query for performance data from the content publisher computing device 120. The query may be directed to, for example, performance of various keywords with respect to and interaction with the served content items. The data reporting module 140 may generate reports listing the performance of various keywords. In the report, the keywords may be presented in encrypted form. In some implementations, the data reporting module 140 can generate one or more predefined reports on a periodic basis. The content publisher computing device 120 may define the data to be included in the report, for example, through a user interface provided by the data processing system 110.

The method 200 may include a data processing system 110 that provides resource provider systems (or content publisher computing devices 120) access to reports. The data reporting module 140 may send the generated report to the content publisher computing device 120. The report may include encrypted data values, such as encrypted versions of keywords or geolocations used in content requests associated with the resource provider system. After receiving the report, the content publisher computing device 120 may decrypt the encrypted data values in the report using a private decryption key corresponding to the resource provider's public encryption key.

In some implementations, the data reporting module 140 may provide access to the generated reports via a respective web page or a respective client application. For example, the resource provider system may maintain an encrypted copy of the respective private decryption key in a remote computing device, e.g., on the cloud. The data reporting module 140 may provide a user interface accessible to the content publisher computing device 120. The user interface may allow the content publisher computing device 120 to provide a link to the encrypted copy of the private decryption key and a password for decrypting the encrypted copy of the private decryption key. In some implementations, the user interface can also allow the content publisher computing device 120 to provide queries indicating data to be reported to the resource provider system or the content publisher computing device 120.

The data reporting module 140 can generate reports as discussed above for presentation to the content publisher computing device 120. For example, the data reporting module 140 may use a query or a predefined reporting format to identify data to present to the content publisher computing device 120. The data reporting module 140 can download an encrypted copy of the private decryption key using a link provided via the user interface and decrypt the encrypted copy using a password provided by the content publisher computing device 120. The data reporting module 140 may use the private decryption key to decrypt any encrypted data values in the data to be presented (or reported) to the content publisher computing device 120. The data reporting module 140 may then present the reporting data (or report) with the data values in unencrypted form on the corresponding web page or the corresponding client application. After decrypting the encrypted data value, the data reporting module 140 (or data processing) does not save or maintain any copy of the private key.

The methods and systems described herein allow for enhancing the integrity and security of resource provider data maintained by the data processing system 110 while still providing the resource provider access to such data. The data storage limitations imposed by the data processing system 110 significantly reduce any risk of compromising the privacy or integrity of the sensitive data keys and the corresponding data values embedded in the content requests made by the resource provider's information resources.

It is noted that the data (or reports) reported by the data processing system 110 to the resource provider system may be in any format. Which may include statistical performance data and/or deterministic performance data. The data may include text data, image data, chart data, video data, or data in other formats.

Where the systems discussed herein collect or may make use of personal information about a user, the user may be provided with an opportunity to control whether programs or features collect personal information (e.g., information about the user's social network, social actions or activities, the user's preferences, or the user's current position) or whether and/or how to receive content from a content server that may be more relevant to the user. Further, certain data may be processed in one or more ways before it is stored or used, such that certain information about the user is removed when generating parameters (e.g., parameters of demographics). For example, the identity of the user may be processed such that the identified information is not determinable to the user, or the geographic locality of the user may be generalized where locality information is obtained (such as to a city, zip code, or state level) such that the particular locality of the user cannot be determined. Thus, the user may control how information is collected about the user and used by the content server.

Fig. 3 shows the general architecture of an illustrative computer system 300 that may be employed to implement any of the computer systems discussed herein, including system 110 and its components, such as policy management module 130, encryption module 135, and data reporting module 140, in accordance with some embodiments. Computer system 300 may be used to provide information for display via network 105. The computer system 300 of fig. 3 includes one or more processors 320 communicatively coupled to a memory 325, one or more communication interfaces 305, and one or more output devices 310 (e.g., one or more display units) and one or more input devices 315. The processor 320 may be included in the data processing system 110 or other components of the system 110, such as the policy management module 130, the encryption module 135, and the data reporting module 140.

In computer system 300 of fig. 3, memory 325 may include any computer-readable storage medium and may store computer instructions, such as processor-executable instructions for implementing the various functionalities described herein for the respective system, as well as any data associated therewith, generated thereby, or received via a communication interface or input device (if present). Referring again to the environment 100 of FIG. 1, the data processing system 110 may include a memory 325 to store, for example, data structures and/or information related to resource provider accounts, and the like. The memory 325 may include a database 145. The processor 320 shown in fig. 3 may be used to execute instructions stored in the memory 325, and in so doing, may also read from and write to the memory various information processed and/or generated pursuant to execution of the instructions.

The processor 320 of the computer system 300 shown in fig. 3 may also be communicatively coupled to the communication interface 305 or control the communication interface 305 to transmit or receive various information in accordance with the execution of instructions. For example, communication interface 305 may be coupled to a wired or wireless network, bus, or other communication means, and thus may allow computer system 300 to transmit information to or receive information from other devices (e.g., other computer systems). Although not explicitly shown in the system of fig. 1, one or more communication interfaces facilitate the flow of information between components of the system 300. In some implementations, the communication interface may be configured (e.g., via various hardware or software components) to provide a website as an access portal to at least some aspects of the computing system 300. Examples of communication interface 305 include a user interface (e.g., within a web page) through which a user may communicate with data processing system 300.

For example, the output device 310 of the computer system 300 shown in FIG. 3 may be provided to allow various information to be viewed or otherwise perceived in connection with execution of the instructions. An input device 315 may be provided, for example, to allow a user to manually adjust, select, enter data, or otherwise interact with the processor during execution of instructions. Additional information regarding the general computer system architecture that can be used with the various systems discussed herein is further provided herein.

Embodiments of the subject matter and the operations described in this specification can be implemented in digital electronic circuitry, or in computer software embodied in tangible media, firmware, or hardware, including the structures disclosed in this specification and their equivalents, or in combinations of one or more of them. Implementations of the subject matter described in this specification can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions, encoded on computer storage media for execution by, or to control the operation of, data processing apparatus. Program instructions may be encoded on an artificially generated propagated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal, that is generated to encode information for transmission to suitable receiver apparatus for execution by a data processing apparatus. The computer storage media may be or be included in a computer-readable storage device, a computer-readable storage substrate, a random or serial access memory array or device, or a combination of one or more of them. Further, although the computer storage medium is not a propagated signal, the computer storage medium can comprise a source or destination of computer program instructions encoded in an artificially generated propagated signal. The computer storage media may also be or be embodied in one or more separate physical components or media (e.g., multiple CDs, disks, or other storage devices).

The operations described in this specification may be implemented as operations performed by data processing apparatus on data stored on one or more computer-readable storage devices or received from other sources.

The terms "data processing apparatus," "data processing system," "user device" or "computing device" encompass all types of apparatus, devices, and machines for processing data, including for example, a programmable processor, a computer, a system on a chip, or a plurality or combination of the foregoing. The apparatus can comprise special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit). The apparatus can include, in addition to hardware, code that creates an execution environment for the computer program in question, e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, a cross-platform runtime environment, a virtual machine, or a combination of one or more of them. The apparatus and execution environment may implement a variety of different computing model infrastructures, such as web services, distributed computing, and grid computing infrastructures. The policy management module 130, encryption module 135, and data reporting module 140 may include or share one or more data processing apparatuses, computing devices, or processors.

A computer program (also known as a program, software application, script, or code) can be written in any form of programming language, including compiled or interpreted languages, declarative or procedural languages. A computer program can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, object, or other unit suitable for use in a computing environment. A computer program may, but need not, correspond to a file in a file system. A program can be stored in a portion of a file that holds other programs or data (e.g., one or more scripts stored in a markup language document), in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub programs, or portions of code). A computer program can be deployed to be executed on one computer or on multiple computers that are located at one site or distributed across multiple sites and interconnected by a communication network.

The processes and logic flows described in this specification can be performed by one or more programmable processors executing one or more computer programs to perform actions by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).

Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a processor for performing actions in accordance with the instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. However, a computer need not have such devices. Further, the computer may be embedded in another device, e.g., a mobile telephone, a Personal Digital Assistant (PDA), a mobile audio or video player, a game player, a Global Positioning System (GPS) receiver, or a portable storage device (e.g., a Universal Serial Bus (USB) flash drive). Devices suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, such as internal hard disks or removable disks; magneto-optical disks; and CD ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.

To provide for interaction with a user, embodiments of the subject matter described in this specification can be implemented on a computer having a display device, e.g., a CRT (cathode ray tube), plasma, or LCD (liquid crystal display) monitor, for displaying information to the user and a keyboard and a pointing device, e.g., a mouse and a trackball, by which the user can provide input to the computer. Other types of devices can also be used to provide for interaction with a user; for example, feedback provided to the user can include any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input. In addition, the computer is able to interact with the user by sending and receiving documents to and from the device used by the user; for example, by sending a web page to a web browser on the user's client device in response to a request received from the web browser.

Implementations of the subject matter described in this specification can be implemented in a computing system that includes a back end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front end component (e.g., a client computer having a graphical user interface or a web browser through which a user can interact with an implementation of the subject matter described in this specification), or a combination of one or more such back end, middleware, or front end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include local area networks ("LANs") and wide area networks ("WANs"), the internet (e.g., the internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks).

The computing system 300 may include a server or computing device of the content provider computing device 115, the content publisher computing device 120, the client device 125, or the data processing system 110. For example, the data processing system 110 may include one or more data centers or one or more servers in a server farm. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. In some implementations, the server transmits data (e.g., HTML pages) to the client device (e.g., for the purpose of displaying data to and receiving user input from a user interacting with the client device). Data generated at the client device (e.g., a result of the user interaction) may be received from the client device at the server.

While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any inventions or of what may be claimed, but rather as descriptions of features specific to particular implementations of the systems and methods described herein. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or variation of a subcombination.

Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results.

In some cases, multitasking and parallel processing may be advantageous. Moreover, the separation of various system components in the implementations described above should not be understood as requiring such separation in all implementations, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products. For example, the content request module 130 and the content selection module 135 may be part of the data processing system 110, a single module, a logical device with one or more processing modules, one or more servers, or a portion of a search engine.

Having now described some illustrative embodiments and implementations, it is apparent that the foregoing is illustrative and not limiting, having been presented by way of example. In particular, although many of the examples presented herein involve specific combinations of method acts or system elements, those acts and those elements may be combined in other ways to accomplish the same objectives. Acts, elements and features discussed only in connection with one implementation are not intended to be excluded from a similar role in other implementations or implementations.

The phraseology and terminology used herein is for the purpose of description and should not be regarded as limiting. The use of "including," "comprising," "having," "containing," "involving," "characterized by," and variations thereof herein, is meant to encompass the items listed thereafter and equivalents thereof as well as additional items and alternative embodiments that consist only of the items listed thereafter. In one embodiment, the systems and methods described herein consist of one, each combination of more than one, or all of the described elements, acts, or components.

Any reference herein to an implementation or element or act of the systems and methods in the singular may also encompass implementations including a plurality of such elements, and any reference herein to any implementation or element or act in the plural may also encompass implementations including only a single element. References in the singular or plural form are not intended to limit the presently disclosed systems or methods, their components, acts, or elements to a single or multiple configurations. References to any action or element based on any information, action, or element may include implementations in which the action or element is based, at least in part, on any information, action, or element.

Any embodiment disclosed herein may be combined with any other embodiment, and references to "an embodiment," "some embodiments," "an alternative embodiment," "various embodiments," "one embodiment," or the like are not necessarily mutually exclusive and are intended to indicate that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment. Such terms as used herein do not necessarily all refer to the same embodiment. Any embodiment may be combined, inclusively or exclusively, with any other embodiment in any manner consistent with aspects and embodiments disclosed herein.

References to "or" may be construed as inclusive such that any term described using "or" may refer to any single, more than one, and all of the described terms.

Where technical features in the drawings, detailed description or any claim are followed by reference signs, the reference signs have been included for the sole purpose of increasing the intelligibility of the drawings, detailed description, and claims. Accordingly, the reference signs or their absence have no limiting effect on the scope of any claim element.

The systems and methods described herein may be embodied in other specific forms without departing from the characteristics thereof. Although the examples provided herein relate to controlling the display of information resource content, the systems and methods described herein may include application to other environments. The foregoing embodiments are illustrative, and not limiting of the described systems and methods. The scope of the systems and methods described herein is, therefore, indicated by the appended claims rather than by the foregoing description, and all changes that come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.