HK40102319A - Configurable annotations for privacy-sensitive user content - Google Patents

Description

Configurable annotations for privacy-sensitive user content

This application is a divisional application of the same patent application, filed on March 14, 2018, with application number 201880020423.6.

Background Technology

Various user productivity applications allow for data entry and analysis of user content. These applications can use spreadsheets, presentations, text documents, mixed media documents, messaging formats, or other user content formats to enable content creation, editing, and analysis. Within this user content, various text, alphanumeric, or other character-based information may include sensitive data that the user or organization may not wish to be included in published or distributed work. For example, a spreadsheet may include Social Security Numbers (SSNs), credit card information, medical identifiers, or other information. While the user entering this data or user content may have permission to view this sensitive data, other entities or distribution endpoints may not have such permission.

Information protection and management techniques, often referred to as Data Loss Prevention (DLP), attempt to prevent the misallocation and misdistribution of sensitive data. In certain content formats or types (e.g., those included in spreadsheets, slideshow-based presentations, and graphical applications), user content can be contained within various cells, objects, or other structured or semi-structured data entities. Furthermore, sensitive data can be segmented across more than one data entity. When such documents contain sensitive data, difficulties can arise in attempting to identify and prevent its loss.

Summary of the Invention

This document provides systems, methods, and software for a data privacy annotation framework for user applications. An exemplary method includes identifying at least a first threshold quantity, a resilience factor for modifying the first threshold quantity to a second threshold quantity, and an indication of a threshold bounce attribute indicating when the second threshold quantity overrides the first threshold quantity. The method includes monitoring a content editing process of user content to identify the quantity of user content containing sensitive data corresponding to one or more pre-defined data schemes, and during the content editing process, enabling and disabling the rendering of annotation indicators for the content elements based on at least: the current quantity of the content elements relative to the first threshold quantity, the resilience factor for the first threshold quantity when enabled, and the indication of the threshold bounce attribute.

This summary is provided to introduce, in a simplified form, the selection of concepts further described in the following detailed description. It should be understood that this summary is not intended to identify key or essential features of the claimed subject matter, nor is it intended to help determine the scope of the claimed subject matter.

Attached Figure Description

Many aspects of this disclosure can be better understood with reference to the following figures. Although several implementations are described in conjunction with these figures, this disclosure is not limited to the implementations disclosed herein. Rather, the aim is to cover all substitutions, modifications, and equivalents.

Figure 1 illustrates a data loss protection environment in the example.

Figure 2 shows the elements of the data loss protection environment in the example.

Figure 3 illustrates the elements of a data loss protection environment in an example.

Figure 4 illustrates the operation of the data loss protection environment in the example.

Figure 5 illustrates the operation of the data loss protection environment in the example.

Figure 6 illustrates the operation of the data loss protection environment in the example.

Figure 7 illustrates the operation of the data loss protection environment in the example.

Figure 8 illustrates the data thresholding operation of the data loss protection environment in the example.

Figure 9 illustrates a computing system suitable for implementing any of the architectures, processes, platforms, services, and operational scenarios disclosed herein.

Detailed Implementation

User productivity applications use spreadsheets, PowerPoint presentations, vector graphics elements, documents, emails, messaging content, databases, or other application data formats and types to provide user data and content creation, editing, and analysis. User content may include various text, alphanumeric, or other character-based information. For example, a spreadsheet may include Social Security Numbers (SSNs), credit card information, health identifiers, passport numbers, or other information. While the user entering this data or user content may have permission to view sensitive data, other entities or distribution endpoints may not have such permission. Various privacy policies or data privacy rules can be established to indicate which types of data or user content are sensitive in nature. Enhanced data loss protection (DLP) measures discussed herein may be included to attempt to prevent misallocation and misdistribution of such sensitive data.

In certain content formats or types (e.g., those included in spreadsheets, slideshow-based presentations, and graphical applications), user content can be contained within various cells, objects, or other structured or semi-structured data entities. Furthermore, sensitive data can be segmented across more than one data element or entry. The examples in this document provide enhanced identification of sensitive data in user data files that include structured data elements. Additionally, the examples in this document provide enhanced user interfaces to alert users to sensitive data. These user interface elements can include data elements that flag individuals containing sensitive data, as well as thresholds for triggering alerts during content editing.

In a sample application that uses structured data elements (e.g., a spreadsheet application), data can be entered into cells arranged in columns and rows. Each cell can contain user data or user content, and may also include one or more expressions for performing calculations, which can reference user-entered data in one or more other cells. Other user applications, such as slideshow presentation applications, can include user content on more than one slide, as well as user content within objects included on those slides.

Advantageously, the examples and implementations in this paper provide enhanced operations and structures for data loss protection services. These enhanced operations and structures offer the technical advantage of faster identification of sensitive content within documents, especially structured documents (e.g., spreadsheets, presentations, graphical drawings, etc.). Furthermore, multiple applications can share a single classification service that provides detection and identification of sensitive content in user data files across many different applications and end-user platforms. End-user-level annotation and blurring processes also offer significant advantages and technical effects within the application's user interface. For example, graphical annotations of sensitive content can be presented to the user, along with pop-up dialog boxes presenting various blurring or masking options. Various enhanced annotation thresholds can also be established to dynamically indicate sensitive content to the user, making user content editing and sensitive data blurring more efficient and compliant with various data loss protection policies and rules.

Figure 1 is provided as a first example of a data loss protection environment for a user application. Figure 1 illustrates an example data loss protection environment 100. Environment 100 includes a user platform 110 and a data loss protection platform 120. The elements of Figure 1 can communicate via one or more physical or logical communication links. Links 160-161 are shown in Figure 1. However, it should be understood that these links are merely exemplary and may include one or more additional links, which may include wireless, wired, optical, or logical components.

The data loss protection framework may include a portion local to a specific user application, as well as a shared portion adopted across many applications. User platform 110 provides users with an application environment for interacting with elements of user application 111 via user interface 112. During user interaction with application 111, content input and content manipulation can be performed. Application Data Loss Protection (DLP) module 113 may provide functionality for sensitive data annotation and replacement within application 111. In this example, application DLP module 113 is local to user platform 110, but may alternatively be separate from or integrated into application 111. Application DLP module 113 can provide sensitive data annotation and replacement for both the user and application 111. Data loss protection platform 120 provides the shared portion of the data loss protection framework and provides shared DLP services 121 for many applications to share, for example, applications 190 with associated location DLP portions 193.

In operation, application 111 provides a user interface 112 through which users can interact with application 111, such as entering, editing, and otherwise manipulating user content that can be loaded via one or more data files or entered via user interface 112. Figure 1 shows a spreadsheet workbook with cells arranged in rows and columns. As part of application 111, a data loss protection service is provided that identifies sensitive user content and allows users to replace it with secure text or data. Sensitive content includes content that may have privacy concerns, privacy policies/rules, or other attributes that are not expected or desired to be disseminated. Data loss in this context refers to the dissemination of private or sensitive data to unauthorized users or endpoints.

To identify sensitive content, application 111 provides user content to the data loss protection service for distribution into segments or blocks of user content. Figure 1 illustrates content portion 140, where individual content portions 141-145 are provided to DLP service 121 over time. Typically, application 111 can process user content to distribute it into said portions during idle periods (e.g., when one or more processing threads associated with application 111 are idle or below an activity threshold). As will be discussed herein, structured user content is transformed into a “flat” or unstructured arrangement during the distribution process. This unstructured arrangement offers several advantages for processing by DLP service 121.

Next, DLP service 121 processes each portion or "block" of the user content individually to determine whether said portion contains sensitive content. Various classification rules 125 (e.g., data schemes, data patterns, or privacy policies/rules) can be introduced into DLP service 121 to identify sensitive data. After DLP service 121 has parsed each individual block of the user content, it determines the location offset of the sensitive data in the user data file to indicate to the application DLP service 113. A mapper function in application DLP service 113 determines the structural relationship between the block offset and the document's structure. Indications of location offset, sensitive data length, and sensitive data type can be provided to application 111, such as a sensitive data indication 150. The location offset indicated by DLP service 121 may not result in an exact or specific location within the structural elements of the user data file for the sensitive content. In these instances, application 111's application DLP service 113 may employ a mapping process to determine the specific structural element containing the sensitive data.

Once the specific location is determined, application 111 can annotate the sensitive data within user interface 112. This annotation can include a global or individual flag or label for the sensitive data. The annotation may include a "policy hint" presented in the user interface. Then, one or more options can be presented to the user to obscure the user content or otherwise render the content in a way that makes it unrecognizable as originally sensitive content. Various thresholds for notifications regarding sensitive content can be established, triggered based on the count or quantity of sensitive data present in the user data file.

In one example, user data file 114 includes contents 115, 116, and 117 in specific cells of user data file 114, which may be associated with specific worksheets or pages of a spreadsheet workbook. Various contents can be included in the associated cells, and this content may include potentially sensitive data, such as examples of SSNs, phone numbers, and addresses visible in Figure 1. Some of this content may cross structural boundaries in the user data file, such as spanning multiple cells or multiple graphic objects. If “blocks” distribute data into rows or groupings of rows, a flattened representation (i.e., stripped of any structural content) can still identify sensitive data within one or more cells.

Elements of each of user platform 110 and DLP platform 120 may include communication interfaces, network interfaces, processing systems, computer systems, microprocessors, storage systems, storage media, or other processing devices or software systems, and may be distributed across multiple devices or geographical locations. Examples of elements of each of user platform 110 and DLP platform 120 may include software such as operating systems, applications, logs, interfaces, databases, utilities, drivers, networked software, and other software stored on computer-readable media. Elements of each of user platform 110 and DLP platform 120 may include one or more platforms hosted by a distributed computing system or cloud computing service. Elements of each of user platform 110 and DLP platform 120 may include logical interface elements, such as software-defined interfaces and application programming interfaces (APIs).

The user platform 110 includes an application 111, a user interface 112, and an application DLP module 113. In this example, application 111 includes a spreadsheet application. It should be understood that user application 111 can include any user application, such as a productivity application, a communication application, a social media application, a game application, a mobile application, or other applications. User interface 112 includes graphical user interface elements that are capable of generating output to display to the user and receiving input from the user. User interface 112 can include the elements for user interface system 908 discussed below in Figure 9. Application DLP module 113 includes one or more software elements configured to dispatch content for delivery to a classification service, indicate sensitive data with annotations, and obfuscate sensitive data, among other operations.

The elements of DLP platform 120 include DLP service 121. DLP service 121 includes an external interface in the form of an application programming interface (API) 122, but other interfaces may be used. DLP service 121 also includes tracker 123 and classification service 124, which will be discussed in more detail below. API 122 may include one or more user interfaces, such as a web interface, API, terminal interface, console interface, command-line shell interface, Extensible Markup Language (XML) interface, etc. Tracker 123 maintains a count or quantity of sensitive data found for a specific document within the flattened portion of the structured user content, and also maintains a record of the positional offset within the flattened portion of the structured user content corresponding to the position of the sensitive data within the structured user content. Tracker 123 may also perform threshold analysis to determine when a threshold number of sensitive data has been found and should be annotated by the applied DLP module 113. However, in other examples, the threshold/count portion of DLP service 121 may be included within DLP module 113. Classification service 124 parses flattened user content to determine the presence of sensitive data, and can employ various inputs that define rules and strategies for identifying sensitive data. Elements of the application DLP module 113 and the shared DLP service 121 can be configured in different arrangements or distributions as shown in Figure 1, for example, when a portion of the shared DLP service 121 is included in application DLP module 113 or application 111, and other configurations exist. In one example, a portion of the shared DLP service 121 includes a dynamic link library (DLL) that is included on user platform 110 for use by application 111 and application DLP module 113.

For clarity, each of links 160-161, along with other links not shown in Figure 1, may include one or more communication links, such as one or more network links including wireless or wired network links. The links may include various logical interfaces, physical interfaces, or application programming interfaces. Example communication links may use metal, glass, optics, air, space, or some other material as the transmission medium. Links may use various communication protocols, such as Internet Protocol (IP), Ethernet, Hybrid Fiber Coaxial (HFC), Synchronous Fiber Network (SONET), Asynchronous Transfer Mode (ATM), Time Division Multiplexing (TDM), circuit switching, communication signaling, wireless communication, or some other communication formats, including combinations, improvements, or variations thereof. The links may be direct links or may include intermediate networks, systems, or devices, and may include logical network links transmitted through multiple physical links.

To further discuss the elements and operations of environment 100, Figure 2 is presented. Figure 2 is a block diagram illustrating an example configuration 200 of the application DLP module 113, highlighting example operations of the application DLP module 113, etc. In Figure 2, the application DLP module 113 includes a content apportioner 211, an annotator 212, a mapper 213, and a blurr 214. Each of elements 211-214 may include a software module employed by the application DLP module 113 to operate as described below.

During operation, user content is provided to the application DLP module 113, such as a spreadsheet file or workbook, as can be seen in Figure 1 for user data file 114. This user data file can be organized in a structured or semi-structured format; for example, in the spreadsheet example, it is cells organized by rows and columns. Alternatively, other data formats may be used, such as slideshow presentations with pages/slides and numerous individual graphic objects, vector drawing programs with various objects on various pages, word processing documents with various objects (tables, text boxes, pictures), databases, web page content, or other formats including combinations thereof. The user data file may contain sensitive content or sensitive data. This sensitive data may include any user content suitable for one or more patterns or data schemes. Examples of sensitive data types include social security numbers, credit card numbers, passport numbers, addresses, telephone numbers, or other information.

In parallel with editing or viewing user data files, content dispatcher 211 subdivides user content into one or more parts or "chunks," which are flattened forms of the original/native structured or hierarchical format. Content dispatcher 211 then provides these content chunks, along with chunk metadata for each chunk, to a shared DLP service 121. Chunk metadata can indicate various chunk attributes, such as the chunk's positional offset within the overall content and the chunk's length. The positional offset corresponds to the chunk's position relative to the entire user document/file, and the chunk length corresponds to the chunk's size.

The shared DLP service 121 parses content blocks individually to identify sensitive data within the flattened user content of the blocks and provides indications of the sensitive data back to the application DLP module 113. In some examples discussed below, various thresholds are applied to the count or quantity of sensitive data before providing the indications to the application DLP module 113. The indications include an offset for each block containing sensitive data, the length of the block, and optionally, an indicator of the data type or data scheme associated with the sensitive data. Sensitive data indications can be used to determine the actual or specific location of sensitive content within the structured data of a user data file. Indicators for data types can be symbolically or numerically encoded indicators, such as integer values, which point to a list of indicators that mapper 213 can use to identify the data type used for annotation.

Mapper 213 can be used to translate offsets and lengths into specific locations within a document or user file. The offset and length correspond to specific block identities stored by mapper 213 and associated with a session identifier. The session identifier can be a unique identifier that lasts at least as long as the user's session for opening or viewing the document. Block metadata from content dispatcher 211 can be provided to mapper 213 to form a mapping between block offsets, lengths, and session identifiers. In response to receiving an indication of sensitive data, mapper 213 can use the mapping to identify a rough location within the document corresponding to the block offset and length for the sensitive data indication. Since a block can contain more than one structural or hierarchical element of a user data file, mapper 213 can perform additional location procedures to find the specific location of the sensitive data within the user data file.

For example, an offset can indicate a rough location, such as a specific row or column in a spreadsheet. To determine a specific location (e.g., within a cell in the indicated row or column), mapper 213 can use the offset/length along with local knowledge of the structured data and the user data file itself to locate sensitive content within the structured data. Mapper 213 determines where the block is provided from within the user data file, such as the associated row, column, and worksheet for the spreadsheet example, and the associated slides/pages and objects for the slideshow example. Other examples (e.g., word processing examples) may not have much structure, and the content may be more easily flattened, and the offset may be based on document word count or similar positioning.

In some examples, the specific location is determined by searching for sensitive content within a specific coarse location. When a particular offset involves multiple structural or hierarchical elements, mapper 213 can iteratively search or traverse each of those elements to locate the sensitive data. For example, if there are "n" levels of structure/hierarchy in a document, mapper 213 can first navigate to the upper level and then to the lower level. In the spreadsheet example, the hierarchy/structure may include worksheets with associated rows and columns. In the presentation document example, the hierarchy/structure may include slides/pages with associated shapes/objects. The exact cell or object containing the sensitive content can be found by progressively traversing each worksheet and slide indicated by the offset. In another example, the location of sensitive data can be accomplished by recreating one or more blocks associated with the coarse location and finding the sensitive data within those recreated blocks, thus finding the specific location of the sensitive data.

Once the specific location of sensitive data is determined, annotator 212 can be used to mark or otherwise annotate the sensitive data for the user. This annotation can take the form of a global flag or banner, indicating to the user the presence of sensitive content in the user data file. The annotation can also take the form of an individual flag, indicating a marker near the sensitive data. In one example, Figure 2 shows a configuration 201 with a spreadsheet user interface view featuring a currently open workbook for viewing or editing. Banner annotations 220 and individual cell annotations 221 are shown. Individual cell annotations 221 include a graphical indication of one or more portions of the user content being annotated, and include indicators located near one or more portions that can be selected in user interface 112 to present a blurring option.

When a specific annotation is selected, one or more options can be presented to the user. A pop-up menu 202 may be presented, including various viewing/editing options such as cut, copy, paste, etc. The pop-up menu 202 may also include blurring options. Selecting one of the blurring options can produce blurred content that retains the associated user content's data scheme and includes a symbol selected to prevent the identification of the associated user content while retaining the associated user content's data scheme. In some examples, the symbol is selected in part based on the associated user content's data scheme, etc. For example, if the data scheme includes a numeric data scheme, letters can be used as blurring symbols. Similarly, if the data scheme includes an alphabetic data scheme, numbers can be used as blurring symbols. Combinations of letters and numbers or other symbols can be selected as blurring symbols in alphanumeric content examples.

In Figure 2, the first blurring option includes replacing sensitive content with masked or otherwise obscured text, while the second blurring option includes replacing all content with a pattern or data scheme similar to the content of the currently selected comment. For example, if a cell contains an SSN, the user could be presented with the option to replace the numbers in the SSN with the character "X" while preserving the integrity of the SSN's data scheme, leaving the familiar "3-2-4" character arrangement separated by dashes. Furthermore, additional blurring options could include the option to replace all SSNs with a pattern suitable for the selected SSN using the character "X". It should be understood that different example blurring options can be presented, and different characters can be used during the replacement process. However, regardless of the blurring character used, the sensitive data will be anonymized, sanitized, "cleaned," or rendered unrecognizable as the original content.

Turning now to Figure 3, an example configuration 300 is shown focusing on various aspects of DLP service 121. In Figure 3, DLP service 121 receives portions of flattened user content provided by content dispatcher 211 in one or more content blocks, along with block metadata including at least the offset of the total content of the block and the length of the block. Two example types of structured user content are shown in Figure 3: spreadsheet content 301 and slideshow/presentation content 302. Spreadsheet content 301 has a structure that reflects rows 321 and columns 322 that define individual cells. Furthermore, spreadsheet content 301 may have more than one worksheet 320, which is defined by tabs below the worksheets, and each worksheet may have a separate set of rows/columns. Each cell may have user content, such as character, alphanumeric, text, numeric, or other content. Slideshow content 302 may have one or more slides or pages 323 comprising multiple objects 324. Each object may have user content, such as character, alphanumeric, text, numeric, or other content.

Content dispatcher 211 breaks down user content into fragments and removes any associated structure, such as by extracting any user content (e.g., text or alphanumeric content) from cells or objects, and then arranges the extracted content into flat or linear blocks for delivery to DLP service 121. These blocks and block metadata are provided to DLP service 121 for the discovery of potentially sensitive data.

Once DLP service 121 receives a block of individual user content, classification service 124 performs various processes on the block. Furthermore, tracker 123 maintains data record 332, which includes one or more data structures that associate offsets/lengths and session identifiers with a count of sensitive data found. Storing data record 332 for DLP service 121 provides the offset/length of the block containing sensitive data back to the requesting application, thereby further locating and annotating any sensitive content found therein.

Classification service 124 parses each block in the block according to various classification rules 331 to identify sensitive data or sensitive content. Classification rules 331 may establish one or more predetermined data schemes defined by one or more expressions, which are used to parse the flattened block/data representation to identify portions of the block as indicating one or more predetermined content patterns or one or more predetermined content types.

Sensitive content is typically identified based on data structure patterns or data “schemas” associated with it. These patterns or schemes may identify when the exact content of a block might differ, but the data may fit into a pattern or arrangement that reflects the type of sensitive data. For example, an SSN might have a data arrangement with a predetermined number of numbers mixed and separated by a predetermined number of dashes. Classification rule 331 may include various definitions and strategies used in identifying sensitive data. These classification rules may include privacy policies, data patterns, data schemes, and threshold strategies. Privacy policies may indicate that certain potentially sensitive data may not be indicated as sensitive to the application due to considerations such as company, organizational, or user policies. Threshold strategies may establish a minimum threshold for finding sensitive data in each block before reporting its presence to the application. Classification rule 331 may be established by a user or by a policy maker (e.g., an administrator).

Additionally, classification service 124 can process data content using one or more regular expressions processed by regular expression service 333. Regex service 333 may include regular expression matching and processing services, as well as various regular expressions that users or policy makers can deploy to identify sensitive data. Further examples of regex service 333 are discussed below in Figure 7.

As a concrete example, classification process 341 illustrates several content blocks _C1 - _C8 , which are linearized versions of the content originally arranged in a structured or hierarchical layout within a document or user data file. Classification service 124 processes these blocks to identify blocks containing sensitive data. If any sensitive data is found, an indication can be provided to the application. The indication may include the offset and length of the sensitive data and is provided to mapper 213 to locate the sensitive data within the structure of the user data file. After processing each block for sensitive data identification, classification service 124 may discard the block itself. Because the offset and length allow sensitive data to be found within the original data file, and the original content remains in the data file (unless edited intervention has occurred), the actual block does not need to be saved immediately upon processing.

To form the blocks, content dispatcher 211 bundles alphanumeric content (e.g., text) into one or more linear data structures, such as strings or BSTRs (basic strings or binary strings). Classification service 124 processes the linear data structures and determines a list of results. The blocks are examined for sensitive data, and portions of the linear data structures can be identified as containing sensitive content. Classification service 124, in conjunction with tracker 123, determines the offsets/lengths corresponding to the blocks containing sensitive data within the linear data structures. These offsets can indicate a coarse location, which can be converted back to a specific location in the original document (e.g., a user data file) containing the user content. When blocks are received, tracker 123 can associate each block with offset/length information indicated in the block metadata. This offset/length information can be used to back-map to the structure or hierarchy of the original document via mapper 213.

However, DLP service 121 typically only has partial context back to the original document or user data file, indicated by offsets in the originally generated linear data structure. Furthermore, the linear data structure and the user content itself can be released/deleted by classification service 124 at the end of the classification process. This can mean that classification service 124 may not be able to directly search for sensitive content to specifically locate it within the original document, and even if classification service 124 can search for precise sensitive content, it may fail to find it because the "chunking" algorithm can cross the boundaries of hierarchical structures or constructs in the original document or data file. As a concrete example, worksheet 320 in a spreadsheet document may have the text "SSN 12345 6789" spanning four adjacent cells. Advantageously, classification service 124 can identify this text as containing sensitive content. However, due to the boundary cross-analysis performed by classification service 124, at the end of the policy rule evaluation, classification service 124 typically does not have enough data to find the sensitive content in the original document to present to the user. The user may be left with the false impression that no sensitive content exists.

To efficiently scan user content for sensitive information, classification service 124 reads user content in chunks during application idle periods, performs partial analysis, and continues the process. When classification service 124 has finished reading all content, it only has a rough location of sensitive content in the original content, such as only the start/offset and length. To efficiently map back to structured or semi-structured documents, mapper 213 may employ a combination of the aforementioned techniques. It should be noted that these techniques work differently from spell checking or grammar checking, partly because the total content, not just words/sentences/paragraphs, may be needed to determine if the content exceeds a threshold.

For each level of physical hierarchy or structure present in the original document (i.e., a worksheet in a workbook, or a slide in a presentation), mapper 213 uses identifiers to indicate presence in the mapped data structure and further subdivides the content by a reasonable number of hierarchical levels (i.e., rows in a worksheet, shapes in a slide) such that as each piece of content is processed, mapper 213 tracks the length of the original content and, based on the order in which it is inserted into the map, the implicit start of that element. Identifiers can be persistent identifiers that persist across open instances of a particular document, or they can be different in each instance of a particular document. In some examples, calculations for merging the presence/absence of sensitive content are retained until there is no remaining unprocessed content and no pending edits that will further alter the content.

Assuming sensitive content exists, mapper 213 receives the start and length of each piece of sensitive content from DLP service 121, and mapper 213 searches within the identifier of the sensitive content and the mapping data structure of the inserted content in the most precise mapping region to find the exact location. For performance reasons, only a certain number of levels may be tracked, which may make it impossible to track cells within rows within tables or worksheets in individual slide shapes. Therefore, a partial re-traversal can be performed after reverse mapping to find the precise location.

In a specific example, a workbook might have 20 worksheets but millions of rows, and each of those millions of rows could have 50 columns of user data. For the relatively small amount of sensitive data (i.e., only one column in a worksheet contains sensitive data), the classification process could become extremely memory-intensive due to the 20 * 1 million * 50 memory "length + offset" data entries. Removing the last dimension saves 50 times the memory because the computational cost of actually identifying sensitive data in the original document is low. Advantageously, a small memory footprint can be maintained to backmap the start/length back to the original content.

To further illustrate the operation of the elements in Figures 1-3, a flowchart is presented in Figure 4. Figure 4 shows two main flows: a first flow 400 for identifying sensitive data, and a second flow 401 for annotating and obfuscating sensitive data. The first flow 400 can be fed into the second flow 401, but other configurations are also possible.

In Figure 4, DLP service 121 receives (410) subsets of structured user content merged into associated flattened representations, each associated flattened representation having a mapping to a corresponding subset of the structured user content. As mentioned above, the structured content may include spreadsheet content organized into tables/rows/columns, or alternatively may include other structures, such as slideshow content organized into slides/objects, drawing program content organized into pages/objects, or text content organized into pages, etc. These subsets of the structured user content may include “blocks” 141-146 shown in Figure 1 or blocks _C1 - _C8 in Figure 3, etc. The structure of the underlying user content is flattened or removed in these subsets to form blocks, and each subset can be mapped back to the original structure by referencing a structure identifier or locator (e.g., table/row/column or slide/object).

DLP service 121 receives these blocks and block metadata, for example, via link 160 or API 122 in Figure 1, and individually parses (411) the flattened representation to classify portions as including sensitive content corresponding to one or more predetermined data schemes. Classification rule 125 may establish one or more predetermined data schemes defined by one or more expressions used to parse the flattened block/data representation to identify portions of the block as indicating one or more predetermined content patterns or one or more predetermined content types.

If sensitive data (412) is found, for each of the segments, DLP service 121 determines (413) the associated offset/length related to the structured user content in tracker 123, which is indicated to be retained in data record 332. DLP service 121 then indicates (414) the associated offset/length of the segment to user application 111 for tagging sensitive content in user interface 112. If no sensitive data is found, or if no associated threshold is met, further processing of the block can continue or additional blocks can be monitored as user application 111 is provided. Furthermore, editing or altering user content can prompt additional or repeated classification processes for any altered or edited user content.

The application DLP module 113 receives (415) an indication from the classification service of the DLP service 121 that one or more portions of the user content contain sensitive content, wherein the indication includes an offset/length associated with the sensitive content. The application DLP module 113 presents (416) a graphical indication in the user interface 112 of the user application 111, the graphical indication annotating the one or more portions of the user content as containing sensitive content. The application DLP module 113 may then present (417) blurring options in the user interface 112 for masking sensitive content within at least a selected portion of one or more portions of the user content. In response to the user's selection of at least one of the blurring options, the application DLP module 113 replaces (418) the associated user content with blurred content that retains the associated user content's data scheme.

Figure 5 illustrates sequence diagram 500 to further illustrate the operation of the elements of Figures 1-3. Furthermore, Figure 5 includes detailed example structures 510 for some of the processing steps in Figure 5. In Figure 5, application 111 can open a document for a user to view or edit. This document can be detected by application DLP module 113. Any associated strategies or classification rules can be pushed to DLP service 121 to define any classification strategy. DLP service 121 can then maintain processing instances of open documents in record 332, which may include a list of several open documents. When DLP module 113 detects an idle processing time frame of application 111, it can present an idle indicator to DLP service 121, which responsively requests blocks of user content for classification. Alternatively, DLP module 113 can push blocks of user content to DLP service 121 during idle periods of application 111. DLP module 113 dispatches user content into blocks, and may determine these blocks based on text or other content included in the document's structure or hierarchical objects. Once the blocks are identified, DLP module 113 transmits them to DLP service 121 for classification. DLP service 121 classifies each block individually and applies classification rules to the blocks to identify potentially sensitive user content within them. This classification process can be iterative to ensure that all blocks transmitted by DLP module 113 have been processed. If sensitive data or content is found between blocks, DLP service 121 indicates the presence of sensitive data to DLP module 113 for further processing. As mentioned herein, sensitive data can be indicated by offset, approximate location, or other location information, as well as length information. DLP module 113 can then perform one or more annotation and obfuscation processes on the sensitive data in the document.

For example, classification rules can be established by users, administrators, policymakers, or other entities before the classification process. As seen in structure 510, various rules 511 and 512 can be based on one or more predicates. Predicates are shown in Figure 5 in two categories: content-related predicates 511 and access-related predicates 512. Content-related predicates 511 can include data schemes indicating sensitive data, such as data patterns, data structure information, or regular expressions defining data schemes. Access-related predicates 512 include user-level rules, organization-level rules, or other access-based rules, such as content-sharing rules, which define when sensitive data should not be disseminated or released by specific users, organizations, or other factors.

Policy rules 513 can be established, which combine one or more of content-related assertions and access-related assertions into policies 551-554. Each policy rule also has a priority and an associated action. Generally, the priority matches the severity of the action. For example, a policy rule could define to block the "save" feature of the application. In another example policy rule, user content may contain SSNs defined according to the content-related assertion, but these SSNs may be acceptable for propagation according to the access-related assertion. Most policy rules include at least one classification assertion in assertions 511-512. These policies can affect one or more actions 514. The actions can include various annotation actions that the application may take in response to identified or sensitive content, such as notification to the user, notification but allowing user overriding, blocking features/features (i.e., the "save" or "copy" features), and reasonable overriding, etc.

Figure 6 illustrates flowchart 600 to further illustrate the operation of the elements in Figures 1-3. Figure 6 focuses on an example overall process for sensitive data identification, annotation, and obfuscation. Subprocess 601 includes policy and rule creation, storage, and retrieval. These policies and rules can be annotation rules, classification rules, regular expressions, organization/user policies, and other information discussed herein. In operation 611 of Figure 6, various detection rules 630 and replacement rules 631 can be introduced via a user interface or API for configuring detection policies. Detection rules 630 and replacement rules 631 can include various assertions and rules as found in Figure 5. Users, administrators, policymakers, or other entities can introduce detection rules 630 and replacement rules 631, for example, by creating policies for users, organizations, or application usage, as well as other entities and activities. In operation 612, detection rules 630 and replacement rules 631 can be stored on one or more storage systems for later use. When one or more clients wish to use the strategies established by detection rule 630 and replacement rule 631, these strategies can be downloaded or obtained in operation 613. For example, annotation rules can be downloaded by the application to annotate sensitive content in the user interface, while classification rules can be downloaded by a shared DLP service to classify user content as sensitive content.

Subprocess 602 includes client-side application activities, such as loading documents for editing or viewing in a user interface, and providing blocks of these documents for categorization. In operation 614, the client application may provide one or more end-user experiences to process, edit, or view user content, as well as other operations. Operation 614 may also provide annotation and fuzzing processes, discussed later. Operation 615 provides a portion of the user content to a shared DLP service for categorizing the user content. In some examples, the portion includes flattened blocks of user content with associated structures or hierarchies stripped from the original document.

Subprocess 603 includes classifying user content to detect sensitive data within it, and annotating the user with the sensitive data. In operation 616, various detection rules are applied, such as regular expressions discussed below in Figure 7, as well as other detection rules and procedures. If sensitive data is found, operation 617 determines whether the user should be notified. If the amount of sensitive data is below an alarm threshold, no notification may occur. However, if the user is to be alerted, operation 619 can calculate the location of the sensitive data within the detected area of the structured data. As discussed herein, a mapping process can be employed to determine the specific location of the sensitive data within a structured or hierarchical element based on the flattened data offset and length of the sensitive data string or portion. Once these specific locations are determined, operation 618 can display the locations to the user. Annotations or other highlighted user interface elements are used to signal to the user that sensitive data exists in the user content.

Subprocess 604 includes obfuscating sensitive data within user content that includes structured or hierarchical elements. In operation 621, user input may be received to replace at least one instance of sensitive data with “safe” or obfuscated data/text. When a user is shown a highlighted area displaying a sensitive data fragment that causes a comment or “policy hint” to appear, the user may be presented with the option to replace the sensitive data with “safe text” that obfuscates the sensitive data. Depending on the choice made by the entity that initially sets the policy in operation 611, operations 622 and 624 determine and generate one or more replacement or obfuscation rules. The obfuscation rules may be used to replace internal code names with marketing license names, to obfuscate personally identifiable information (PII) with boilerplate names, or to replace numeric sensitive data with a set of characters that indicate the sensitive data type (i.e., credit card number, social security number, vehicle identification number, etc.) to future viewers of the document without revealing the actual sensitive data. Operation 623 replaces sensitive data with obfuscated data. Obfuscated data can be used to replace numeric sensitive data with a set of characters that can be used to identify the data scheme or content type, but are still insufficient to derive the original data even from a identified individual (i.e., identifying the content fragment as an SSN but not revealing the actual SSN). Users can use the obfuscated text to perform sensitive content replacement on an individual or single instance, or perform batch replacement from a user interface that displays multiple instances of sensitive content.

The replacement of sensitive content (e.g., text or alphanumeric content) can be accomplished using regular expressions or alternatively via nondeterministic finite automata (NFA), deterministic finite automata (DFA), pushdown automata (PDA), Turing machines, arbitrary function codes, or other processes. The replacement of sensitive content typically involves pattern matching within the text or content. By considering whether the target pattern can exist at a specified position within the string, pattern matching can leave unmasked characters or content, and these characters do not need to be masked, for example, for delimiter characters. For example, the string "123-12-1234" can become "xxx-xx-xxxx", and the string "123 121234" after the masking process can become "xxx xx xxxx". Pattern matching can also preserve certain parts for uniqueness purposes, such as using the last predetermined number of digits of a credit card number or SSN. For example, after the masking process, "1234-1234-1234-1234" can become "xxxx-xxxx-xxxx-1234". For code name masking/replacement, not all aspects are patterns and can actually be internal code names or other keywords. For example, the code name "Whistler" can become "Windows XP" after the masking process. Furthermore, patterns can be allowed to replace different numbers of characters with safe text to maintain a consistent length or to set the length to a known constant. For example, the same rule can transform "1234-1234-1234-1234" into "xxxx-xxxx-xxxx-1234" and "xxxxx-xxxxx-xl234" after the masking process. This may require patterns containing enough data to handle any of these cases. Regular expressions can handle such scenarios by expanding the regular expression by enclosing each atomic match expression in parentheses and keeping track of which expanded "match" statements are paired with which "replace" statements. Further examples of regular expression matching are seen in Figure 7 below.

To maintain the integrity of the annotation and classification process across more than one document/file, various procedures can be established. Detection/classification, annotation, and fuzzing rules and strategies are typically not included in the document file. This allows for changes to strategies and prevents reverse engineering of fuzzing techniques. For example, if a user saves a document, then closes and loads the same document, the rules regarding which parts of the document contain the sensitive data necessary to address policy issues related to sensitive data may have changed. Additionally, annotation markers should not be included in clipboard operations such as cut, copy, or paste. If a user copies content from one document and pastes it into another, different detection/classification, annotation, and fuzzing rules can be applied to that second document. If a user copies text content from a first document and pastes it into a second document, the annotations in the first document should be considered irrelevant before reclassification. Even if a user copies content from one document to the same document, any counts of sensitive content may change, and the content that needs to be highlighted throughout the document may change.

Figure 7 illustrates flowchart 700 to further illustrate the operations of the elements in Figures 1-3. Figure 7 focuses on the regular expression operations in the sensitive data blurring process. In Figure 7, given a regular expression (regex), such as the example regular expression 730 for a fictitious driver's license, and the string it matches, a complete match can be generated by expanding the regular expression at least by enclosing each separable character matching expression in parentheses (e.g., each atom), as indicated in operation 711. The expanded regular expression can then be reapplied or executed in operation 712 to perform blurring or masking. For each match, operations 713-714 determine the widest and narrowest character sets that are actually matched. For example, when the matched character is "-", the character is narrower because it is a single character. When the matched character is a set of all-letter characters, it is wider. The absolute character count in any region is a key determining factor. The blurring in operation 715 can replace characters based on the match width. For characters that match as a single character, the blurring process may remain unchanged. For characters that match in a broad group, the blurring process replaces the character with a "safe" character that is not a member of that set. For example, the set of all letters becomes "0", the set of all numbers becomes "X", and mixed alphanumeric content becomes "?", where a character backlist is used until it is exhausted. Once the text or content has passed through the blurring or masking process, operation 716 confirms that the text or content has been successfully rendered as blurred when the new text/content string no longer matches the original regex.

Figure 8 illustrates diagram 800 to further illustrate the operation of the elements in Figures 1-3. Figure 8 focuses on the enhanced thresholding process used when annotating sensitive data in the user interface. The operation in Figure 8 may include enhanced hysteresis operations for annotating sensitive data, and various threshold or annotation rules can be established by policy administrators, users, or other entities.

Figure 8 includes a chart 800, which includes a vertical axis indicating the number of sensitive data/content items present in the document, and a horizontal axis indicating time. A first threshold 820 is established, which can trigger the rendering or removal of annotations for sensitive content in the user interface. A second threshold 822 can be established, which can also trigger the rendering or removal of annotations for sensitive content. An elasticity factor 821 and a resiliency attribute 823 can be established to modify the behavior of the first and second thresholds.

When sensitive data is annotated in the user interface, such as through flags, tags, or highlighting, users can edit the sensitive content to fix sensitive content issues (e.g., by selecting one or more obfuscation options). However, once a threshold number of sensitive content issues are resolved, there may not be enough remaining instances to guarantee that the document's annotations as a whole violate the sensitive content rules for the organization or storage location. Similarly, when new sensitive content is introduced into the document, there may be enough instances to guarantee that the document's annotations indicate the sensitive content to the user.

During a user's content editing process, enabling and disabling annotation indicators for one or more content elements may be at least partially based on the current number of content elements with respect to annotation rules. Annotation rules may include at least a first threshold number 820, a springiness factor 821 for modifying the first threshold number 820 to a second threshold number 822 when enabled, and a threshold bounce or "stickiness" attribute 823 indicating when the second threshold number 822 overrides the first threshold number 820. Annotation services such as annotator 212 may determine or identify annotation rules, such as policy rules 513 and actions 514 discussed in Figure 5, which are established for target entities associated with content editing. The target entity may include the user performing the content editing, the organization of the user performing the content editing, or the application type of the user's application, etc. During user editing of a document containing sensitive content or potentially containing sensitive content, annotator 212 monitors the user content in an associated user data file, which is presented in the user application's user interface for content editing. Annotator 212 identifies the number of content elements in the user content that contain sensitive content corresponding to one or more pre-defined data schemes discussed herein. The content elements may include cells, objects, shapes, words, or other data structures or hierarchical elements.

During editing, and based at least on the number of content elements exceeding a first threshold number, the annotator 212 initiates the rendering of at least one annotation indicator in the user interface, which marks the user content in the user interface as containing at least first sensitive content. In Figure 8 (starting with annotations in the "off" state), the first threshold 820 indicates an example number "8" at transition point 830 as triggering the rendering of the annotation indicator in the user interface. The number of content elements with sensitive content can increase, for example, through user editing, and then may decrease after the user sees the presence of sensitive content and begins to select a blurring option to conceal that sensitive content.

Annotator 212 establishes a second threshold number 822, at least based on the fact that the number of content elements initially exceeds a first threshold number 820 and subsequently falls below the first threshold number 820 when a flexibility factor 821 is applied to the first threshold number 820. When the second threshold number 822 is active (i.e., when the flexibility factor 821 is applied to the first threshold number 820), the second threshold number 822 is used to initiate the removal of rendering of at least one annotation indicator when the number falls below the second threshold number 822, as can be seen at transition point 832. However, at least based on the fact that the number of content elements initially exceeds the first threshold number 820 and subsequently falls below the first threshold number 820 when a flexibility factor is not applied to the first threshold number 820, rendering of at least one annotation indicator is removed, as indicated by transition point 831.

The elasticity factor 821 can include a percentage from 0-100%, or another metric. In a specific example, an annotation rule can be established that defines a document containing more than 100 SSNs as violating company policy. During editing of a document with more than 100 SSNs, the annotation rule for a first threshold number can prompt highlighting all SSNs in the document. When the user begins to blur the SSNs, the number of remaining unblurred SSNs will decrease. Even if the first threshold number 820 for triggering annotation is no longer met, for example when 99 SSNs remain unblurred, the elasticity factor can maintain the annotation or highlighting of the SSNs. An elasticity factor 100 would correspond to the first threshold number without modification, and an elasticity factor 0 would correspond to not removing the annotation until all SSNs are blurred. An intermediate value of 50 for the elasticity factor would correspond to removing the annotation once the 50th entry is corrected after the annotation is initially triggered and presented. Thus, in the example of Figure 8, the elasticity factor establishes a second threshold number for removing the annotation once the annotation has been presented to the user. In this example, the second threshold number 822 is at “2”, and therefore the annotation will be removed when the remaining sensitive content issues are less than the remaining “2”, as indicated by the transition point 832.

If the second threshold number 822 has decreased, and then another sensitive content issue arises during content editing, the annotator 212 must decide when to warn the user by re-presenting the annotation. At least based on the fact that the number of content elements was initially below the second threshold number 822 and subsequently exceeded it when the threshold bounce attribute 823 was applied to the second threshold number 822, the annotator 212 initiates the presentation of an additional annotation in the user interface, marking the user content in the user interface as containing sensitive content, as indicated by the transition point 833.

The bounce attribute 823 includes a "sticky" property of the second threshold number 822 and is defined by an on/off or Boolean condition. When disabled, the second threshold number 822 is not used to re-render the annotation if exceeded. When enabled, the second threshold number 822 is used to re-render the annotation if exceeded. Therefore, at least based on the fact that the number of content elements was initially below the second threshold number 822 and subsequently exceeded it when the bounce attribute was not applied to the second threshold number 822, the annotator 212 refuses to render the annotation, marking the user content in the user interface as containing at least sensitive content until the number of content elements exceeds the first threshold number 820 again.

Turning now to Figure 9, computing system 901 is presented. Computing system 901 represents any system or set of systems in which the various operating architectures, scenarios, and processes disclosed herein can be implemented. For example, computing system 901 can be used to implement either user platform 110 or DLP platform 120 of Figure 1. Examples of computing system 901 include, but are not limited to, server computers, cloud computing systems, distributed computing systems, software-defined networked systems, computers, desktop computers, hybrid computers, rack servers, web servers, cloud computing platforms, and data center equipment, as well as any other type of physical or virtual server machine, and other computing systems and devices, and any variations or combinations thereof. When portions of computing system 901 are implemented on user devices, example devices include smartphones, laptops, tablets, desktop computers, gaming systems, entertainment systems, etc.

The computing system 901 can be implemented as a single device, system, or apparatus, or it can be implemented in a distributed manner as multiple devices, systems, or apparatuses. The computing system 901 includes, but is not limited to, a processing system 902, a storage system 903, software 905, a communication interface system 907, and a user interface system 908. The processing system 902 is operatively coupled to the storage system 903, the communication interface system 907, and the user interface system 908.

Processing system 902 loads and executes software 905 from storage system 903. Software 905 includes an application DLP environment 906 and/or a shared DLP environment 909, representing the processes discussed with respect to the foregoing figures. When executed by processing system 902 to process user content for the identification, annotation, and obfuscation of sensitive content, software 905 instructs processing system 902 to operate as described herein, at least with respect to the various processes, operating scenarios, and environments discussed in the foregoing implementation. Computing system 901 may optionally include additional devices, features, or functions not discussed for the sake of brevity.

Referring again to Figure 9, processing system 902 may include a microprocessor and other circuitry that retrieves software 905 from storage system 903 and executes software 905. Processing system 902 may be implemented within a single processing device, but may also be distributed across multiple processing devices or subsystems that cooperate in executing program instructions. Examples of processing system 902 include general-purpose central processing units, dedicated processors, and logic devices, as well as any other type of processing device, combinations thereof, or variations thereof.

Storage system 903 may include any computer-readable storage medium capable of being read by processing system 902 and capable of storing software 905. Storage system 903 may include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (e.g., computer-readable instructions, data structures, program modules, or other data). Examples of storage media include random access memory, read-only memory, magnetic disk, optical disk, flash memory, virtual memory and non-virtual memory, magnetic tape, magnetic tape, disk storage or other magnetic storage devices, or any other suitable storage medium. Computer-readable storage media are in any way signals that are transmitted.

In addition to computer-readable storage media, in some implementations, storage system 903 may also include computer-readable communication media through which at least some of the software in software 905 can be transmitted internally or externally. Storage system 903 may be implemented as a single storage device, but may also be implemented across multiple storage devices or subsystems located in the same location or distributed relative to each other. Storage system 903 may include additional elements, such as a controller, capable of communicating with processing system 902 or possibly other systems.

Software 905 can be implemented as program instructions, and when executed by processing system 902, software 905 guides processing system 902 to operate as described with respect to the various operational scenarios, sequences, and processes shown herein, in addition to other functions. For example, software 905 may include program instructions for implementing the dataset processing environment and platform discussed herein.

Specifically, program instructions may include various components or modules that cooperate or otherwise interact to implement the various processing and operational scenarios described herein. These components or modules may be implemented as compiled or interpreted instructions, or as some other variation or combination of instructions. They may be executed synchronously or asynchronously, sequentially or in parallel, in a single-threaded or multi-threaded environment, or according to any other suitable execution paradigm, variation, or combination thereof. Software 905 may include additional processes, programs, or components, such as operating system software, virtual machine software, or other application software, in addition to or including the application DLP environment 906 or the shared DLP environment 909. Software 905 may also include firmware or other forms of machine-readable processing instructions that can be executed by the processing system 902.

Generally, when loaded into and executed by processing system 902, software 905 can transform all suitable devices, systems, or equipment (represented by computing system 901) from a general-purpose computing system into a dedicated computing system tailored to facilitate enhanced application collaboration. In fact, encoding software 905 onto storage system 903 can transform the physical structure of storage system 903. The specific transformation of the physical structure can depend on various factors in different implementations of this specification. Examples of such factors include, but are not limited to, the technology of the storage medium used to implement storage system 903, whether the computer storage medium is characterized as primary or secondary storage, and other factors.

For example, if the computer-readable storage medium is implemented as a semiconductor-based memory, then when program instructions are encoded therein, software 905 can transform the physical state of the semiconductor memory, for example, by transforming the state of transistors, capacitors, or other discrete circuit devices constituting the semiconductor memory. Similar transformations can occur with respect to magnetic or optical media. Other transformations of the physical medium are possible without departing from the scope of this description, wherein the foregoing examples are provided merely to facilitate this discussion.

Each of the application DLP environment 906 or the shared DLP environment 909 includes one or more software elements, such as OS 921/931 and applications 922/932. These elements can describe various parts of the computing system 901 to which users, data sources, data services, or other elements interact. For example, OS 921/931 can provide a software platform on which applications 922/932 execute, and applications 922/932 can process user content for the identification, annotation, and obfuscation of sensitive content, among other functions.

In one example, the DLP service 932 includes a content dispatcher 924, an annotator 925, a mapper 926, and a blurr 927. The content dispatcher 924 flattens structured or hierarchical user content elements into linear blocks for processing by the classification service. The annotator 925 graphically highlights sensitive data or content in the user interface to alert the user of the presence of a threshold number of sensitive data. The mapper 926 can derive the specific location in the document used for sensitive data annotation, for example, when the classification service only provides offsets/lengths/IDs to locate sensitive data within various structured or hierarchical elements of the document. The blurr 927 presents blurring options for masking/replacing user content that has been identified as sensitive data. The blurr 927 also replaces sensitive content in response to the user's selection of blurring options.

In another example, DLP service 933 includes classification service 934, tracker 935, policy/rule module 936, and regex service 937. Classification service 934 parses linear blocks of data or content to identify sensitive data. Tracker 935 maintains a count or quantity of sensitive data items found by classification service 934 and indicates the sensitive data offset and length to mappers (e.g., mapper 926 and annotator 925) used for annotation in the document. Policy/rule module 936 can receive and maintain various policies and rules for annotating, classifying, detecting, obfuscating, or otherwise manipulating user content. Regex service 937 includes an example classification technique that uses regular expression matching to identify sensitive data using data patterns or data schemes and replaces the text of the matched content with obfuscated content.

The communication interface system 907 may include communication connections and communication devices that support communication with other computing systems (not shown) via a communication network (not shown). Examples of connections that jointly support inter-system communication may include: network interface cards, antennas, power amplifiers, RF circuitry, transceivers, and other communication circuitry. Connections and devices may communicate via a communication medium to exchange communication with other computing systems or networks of systems, such as metal, glass, air, or any suitable communication medium. The physical or logical elements of the communication interface system 907 may receive datasets from telemetry sources, transfer datasets and control information between one or more distributed data storage elements, and interact with users to receive data selections and provide visualizations of datasets, among other features.

User interface system 908 is optional and may include a keyboard, mouse, voice input device, and touch input device for receiving input from a user. Output devices such as displays, speakers, web interfaces, terminal interfaces, and other types of output devices may also be included in user interface system 908. User interface system 908 can provide output and receive input via a network interface (e.g., communication interface system 907). In a network example, user interface system 908 may group display or graphical data for remote display via a display system or computing system coupled to one or more network interfaces. The physical or logical elements of user interface system 908 may receive classification rules or policies from users or policy personnel, receive data editing activities from users, present sensitive content annotations to users, provide users with fuzzy options, and present users with fuzzed user content, etc. User interface system 908 may also include associated user interface software that can be executed by processing system 902 to support the various user input and output devices discussed above. Individually or in combination with each other and with other hardware and software elements, user interface software and user interface devices may support graphical user interfaces, natural user interfaces, or any other type of user interface.

Communication between computing system 901 and any other computing system (not shown) may be conducted via a communication network or multiple communication networks and according to various communication protocols, combinations of protocols, or variations thereof. Examples include: intranets, the Internet, local area networks, wide area networks, wireless networks, wired networks, virtual networks, software-defined networks, data center buses, computing backplanes, or any other type of network, combination of networks, or variations thereof. The aforementioned communication networks and protocols are well known and do not need to be discussed in detail here. However, some communication protocols that may be used include, but are not limited to: Internet Protocol (IP, IPv4, IPv6, etc.), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP), as well as any other suitable communication protocols, variations thereof, or combinations thereof.

Certain aspects of the invention can be understood from the aforementioned disclosure, among which the following are various examples.

Example 1: A method for operating a user application, the method comprising: identifying at least a first threshold quantity, a resilience factor that modifies the first threshold quantity to a second threshold quantity when enabled, and an indication of a threshold bounce attribute indicating when the second threshold quantity overrides the first threshold quantity; monitoring a content editing process of user content in a user data file to identify the number of content elements in the user content that contain sensitive data corresponding to one or more predetermined data schemes. The method includes: during the content editing process, enabling and disabling the rendering of annotation indicators for one or more content elements based at least in part on: the current number of content elements relative to the first threshold quantity, the resilience factor for the first threshold quantity when enabled, and the indication of the threshold bounce attribute.

Example 2: The method of Example 1, wherein the annotation indicator includes one or more of the following: a global indicator presented in the user interface of the user application, the global indicator being applicable to the user data file; and an individual indicator presented in the user interface, located near an individual content element containing the sensitive data.

Example 3: The method of Example 1 further includes: during the content editing process: initiating the rendering of at least one annotation indicator in the user interface based at least on the current number of content elements exceeding a first threshold number, the at least one annotation indicator marking the user content as containing at least first sensitive data in the user interface. The method further includes: during the content editing process, establishing a second threshold number based at least on the elasticity factor to remove the rendering of the at least one annotation indicator, based at least on the elasticity factor, based at least on the current number of content elements initially exceeding the first threshold number and subsequently falling below the first threshold number when the elasticity factor is applied to the first threshold number. The method further includes: during the content editing process, initiating the removal of the rendering of the at least one annotation indicator based at least on the current number of content elements falling below the second threshold number when the elasticity factor is applied to the first threshold number. The method further includes: during the content editing process, at least based on the current number of content elements initially falling below the second threshold number and subsequently exceeding the second threshold number when the threshold bounce attribute is applied to the second threshold number, initiating the rendering of at least one additional annotation indicator in the user interface, the at least one additional annotation indicator marking the user content as containing at least second sensitive data in the user interface.

Example 4: The method of Example 3 further includes: during the content editing process, at least based on the current number of content elements initially exceeding the first threshold number, and subsequently falling below the first threshold number when the elasticity factor is not applied to the first threshold number, removing the rendering of the at least one annotation indicator. The method further includes: during the content editing process, at least based on the current number of content elements initially falling below a second threshold number, and subsequently exceeding the second threshold number when the bounce attribute is not applied to the second threshold number, refusing to render at least one additional annotation indicator until the number of content elements exceeds the first threshold number, the at least one additional annotation indicator marking the user content as containing at least second sensitive data in the user interface.

Example 5: A data privacy annotation framework for a data application, comprising: one or more computer-readable storage media; a processing system operatively coupled to the one or more computer-readable storage media; and program instructions stored on the one or more computer-readable storage media. The program instructions, at least based on being read and executed by the processing system, instruct the processing system to: at least identify a first threshold number, a resilience factor for the first threshold number, and an indication of a threshold bounce attribute; monitor user content in a user data file presented during content editing in a user interface of the user application to identify the number of content elements in the user content that contain sensitive data corresponding to one or more predetermined data schemes. The program instructions also instruct the processing system to: during the content editing, and at least based on the number of content elements exceeding the first threshold number, initiate the presentation of at least one annotation indicator in the user interface, the at least one annotation indicator marking the user content in the user interface as containing at least the first sensitive data. The program instructions also instruct the processing system to: during the content editing, and at least based on the fact that the number of content elements initially exceeds the first threshold number and subsequently falls below the first threshold number when the elasticity factor is applied to the first threshold number, establish a second threshold number for removing the rendering of the at least one annotation indicator. The program instructions also instruct the processing system to: during the content editing, and at least based on the fact that the number of content elements initially falls below the second threshold number and subsequently exceeds the second threshold number when the threshold bounce attribute is applied to the second threshold number, initiate the rendering of at least one additional annotation indicator in the user interface, the at least one additional annotation indicator marking the user content as containing at least second sensitive data in the user interface.

Example 6: The data privacy annotation framework of Example 5 includes additional program instructions, which, based at least on being read and executed by the processing system, instruct the processing system to perform at least the following operations: during the content editing, at least based on the number of content elements falling below a second threshold number when the elasticity factor is applied to the first threshold number, initiate the removal of the rendering of the at least one annotation indicator.

Example 7: The data privacy annotation framework of Example 5 includes additional program instructions, which, based at least on being read and executed by the processing system, instruct the processing system to perform at least the following operations: during the content editing, at least based on the number of content elements initially exceeding the first threshold number and subsequently falling below the first threshold number when the elasticity factor is not applied to the first threshold number, remove the rendering of the at least one annotation indicator.

Example 8: The data privacy annotation framework of Example 5 includes additional program instructions, at least based on being read and executed by the processing system, to instruct the processing system to at least perform the following operations during the content editing: at least based on the number of content elements initially falling below a second threshold number and subsequently exceeding the second threshold number when the bounce attribute is not applied to the second threshold number, to refuse the rendering of at least one additional annotation indicator until the number of content elements exceeds the first threshold number, the at least one additional annotation indicator marking the user content in the user interface as containing at least second sensitive data.

Example 9: The data privacy annotation framework of Example 5, wherein identifying one or more of a first threshold number, the elasticity factor for the first threshold number, and an indication of a threshold bounce attribute includes: determining an annotation strategy established for a target entity associated with the content editing, the annotation strategy including one or more of the following: the first threshold number, the elasticity factor for the first threshold number, and the indication of a threshold bounce attribute.

Example 10: The data privacy annotation framework of Example 9, wherein the target entity includes at least one of the following: the user performing the content editing, the organization including the user performing the content editing, and the application type of the user application.

Example 11: The data privacy annotation framework of Example 5, wherein each of the at least one annotation indicator and the at least one additional annotation indicator includes one or more of the following: a global indicator presented in the user interface, the global indicator being applicable to the user data file; and an individual indicator presented in the user interface, located near the individual content element containing the sensitive data.

Example 12: The data privacy annotation framework of Example 5, wherein the one or more predetermined data schemes are defined by one or more expressions used by a classification service to parse the user content and identify content elements containing data indicating one or more predetermined content patterns or one or more predetermined content types.

Example 13: A method for providing a data privacy annotation framework for a user application, the method comprising: identifying one or more of a first threshold number, a resilience factor for the first threshold number, and an indication of a threshold bounce attribute; and monitoring user content in a user data file presented during content editing in a user interface of the user application to identify the number of content elements in the user content that contain sensitive data corresponding to one or more predetermined data schemes. The method includes, during the content editing, initiating the presentation of at least one annotation indicator in the user interface based at least on the number of content elements exceeding the first threshold number, the at least one annotation indicator marking the user content in the user interface as containing at least first sensitive data. The method further includes, during the content editing, establishing a second threshold number based at least on the resilience factor to remove the presentation of the at least one annotation indicator, based at least on the resilience factor, as the number of content elements initially exceeds the first threshold number and subsequently falls below the first threshold number when the resilience factor is applied to the first threshold number. The method includes, during the content editing, initiating the rendering of at least one additional annotation indicator in the user interface, based at least on the fact that the number of content elements initially falls below a second threshold number and subsequently exceeds the second threshold number when the threshold bounce attribute is applied to the second threshold number, the at least one additional annotation indicator marking the user content as containing at least second sensitive data in the user interface.

Example 14: The method of Example 13 further includes: during the content editing, at least based on the fact that the number of content elements falls below the second threshold number when the elasticity factor is applied to the first threshold number, initiating the removal of the rendering of the at least one annotation indicator.

Example 15: The method of Example 13 further includes: during the content editing, at least based on the fact that the number of content elements initially exceeds the first threshold number and subsequently falls below the first threshold number when the elasticity factor is not applied to the first threshold number, removing the rendering of the at least one annotation indicator.

Example 16: The method of Example 13 further includes: during the content editing, at least based on the number of content elements initially falling below the second threshold number and subsequently exceeding the second threshold number when the bounce attribute is not applied to the second threshold number, refusing to render at least one additional annotation indicator until the number of content elements exceeds the first threshold number, the at least one additional annotation indicator marking the user content in the user interface as containing at least second sensitive data.

Example 17: The method of Example 13, wherein identifying one or more of the first threshold number, the elasticity factor for the first threshold number, and the indication of the threshold bounce attribute includes: determining an annotation strategy established for a target entity associated with the content editing, the annotation strategy including one or more of the following: the first threshold number, the elasticity factor for the first threshold number, and the indication of the threshold bounce attribute.

Example 18: The method of Example 17, wherein the target entity includes at least one of the following: a user performing the content editing, an organization including the user performing the content editing, and an application type of the user application.

Example 19: The method of Example 13, wherein each of the at least one comment indicator and the at least one additional comment indicator includes one or more of the following: a global indicator presented in the user interface, the global indicator being applicable to the user data file; and an individual indicator presented in the user interface, located near the individual content element containing the sensitive data.

Example 20: The method of Example 13, wherein the one or more predetermined data schemes are defined by one or more expressions used by a classification service to parse the user content and identify content elements containing data indicating one or more predetermined content patterns or one or more predetermined content types.

The function block diagrams, operation scenarios and sequences, and flowcharts provided in the accompanying drawings represent exemplary systems, environments, and methods for performing novel aspects of this disclosure. Although methods included herein may be in the form of function block diagrams, operation scenarios or sequences, or flowcharts for the purpose of simplicity, and may be described as a series of operations, it should be understood and appreciated that the methods are not limited by the order of operations, as some operations may be performed in a different order and/or simultaneously than other operations shown and described herein. For example, those skilled in the art will understand and appreciate that methods may alternatively be represented as a series of related states or events, such as in a state diagram. Furthermore, not all operations shown in the methods are required for the novel implementation.

The included descriptions and figures depict specific implementations to teach those skilled in the art how to make and use the best options. Some conventional aspects have been simplified or omitted for the purpose of teaching the inventive principles. Variations will be understood from these implementations falling within the scope of the invention. Those skilled in the art will also understand that the features described above can be combined in various ways to form multiple implementations. As a result, the invention is not limited to the specific implementations described above, but is limited only by examples and their equivalents.