JP2003067524A - Method, device and program for protecting personal information - Google Patents

Abstract

PROBLEM TO BE SOLVED: To permit surveillance on illicit circulation of personal information. SOLUTION: A user provides his/her personal information to sites by using different pseudonyms E(B13P), E<2> (B13P) and so on for different sites MTT, MEC and so on, and stores the pseudonyms in a database in association with the corresponding sites. If an e-mail addressed to a pseudonym is sent from a site, the name of the site corresponding to the address (pseudonym) of the e-mail is found by searching the database to check to see if the name of the site matches the name of the e-mail transmitter, thereby determining if the personal information provided to the site was illicitly offered to other operators.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a personal information protection method, a personal information protection device and a program for protecting personal information on a network by using a computer system.

[0002]

2. Description of the Related Art Conventionally, when a user accesses a site through a network and takes some action on the network such as shopping, the personal information such as the address, name, age or preference information of the user is transmitted. It may be requested by the site side.

In response to a request from the site, if the user provides the site with personal information including hobbies for fishing, for example, an electronic mail for selling fishing tackles or a mail from a site other than the site will be provided at a later date. Direct mail was sometimes sent to users.

[0004]

As described above, conventionally, when personal information is provided to a certain site, the personal information may be distributed to other sites through the network. In particular, the higher the information society, the more quickly personal information provided to a certain site is spread all over the world through a network, and the privacy of users is violated on a global scale.

Therefore, in the past, P3, which is a technique developed for the purpose of protecting privacy on the network
According to P (Platform for Privacy Preferences), the site side presents the privacy policy to the user,
The user-side terminal pre-set by the user refers to the privacy policy and automatically determines which personal information on the user side to present to the site side, and only the personal information that may be presented is presented to the site side. To be done. This privacy policy includes XML (Extensible Markup Languade) such as the purpose of collecting personal information, the manner of using the collected personal information, and the disclosure range (distribution range) of the collected personal information.
Described in the document.

[0006]

However, when the user agrees to this privacy policy and provides his / her own personal information to the site side, his / her personal information exceeds the allowable distribution range defined in the privacy policy. There was no way for the user to monitor whether the information was distributed illegally.

The present invention has been conceived in view of the actual situation, and an object thereof is to enable monitoring of illegal distribution of personal information.

[0008]

The present invention according to claim 1 is a personal information protection method for protecting personal information on a network by using a computer system, wherein a user accesses through the network and Identification information used to identify the site that provides the personal information, and the identification that will be included in the mail when the person who obtained the personal information sends a mail to the user who is the personal information owner. Identification information generating step of generating information by using a processor, personal information providing step of allowing a user to access a site and provide personal information using the identification information generated by the identification information generating step, and the personal information Before being included in the mail sent to the user who is the owner of the personal information by the person who obtained the personal information provided by the providing step It is determined whether the sender of the site and the mail which is specified based on the identification information matches and a monitoring step of monitoring the distribution status of the personal information of the user.

According to a second aspect of the present invention, in addition to the configuration of the first aspect of the present invention, the identification information is anonymity of a user who uses it properly for each site.

The present invention according to claim 3 is a personal information protection apparatus for protecting personal information on a network by using a computer system, wherein a user accesses through the network and provides his own personal information. Identification information that can identify identification information used to identify a site, and if the person who obtained the personal information sends a mail to a user who is the owner of the personal information, the identification information included in the mail Identification information storing means for storing information that can specify the site, and the site specified based on the identification information included in the mail sent to the user who is the owner of the personal information by the person who obtained the personal information. And monitoring means for monitoring the distribution state of the personal information of the user by determining whether or not the sender of the mail matches.

According to a fourth aspect of the present invention, in addition to the configuration of the third aspect of the present invention, the monitoring means has the user's own personal information on the site specified based on the identification information. If the sender of the mail is not included in the permissible distribution range of the personal information that was accepted when the information was provided, it is determined to be inappropriate.

The present invention according to claim 5 is a personal information protection apparatus for protecting personal information on a network by using a computer system, wherein a user accesses through the network and provides his own personal information. Identification information that can identify identification information used to identify a site, and if the person who obtained the personal information sends a mail to a user who is the owner of the personal information, the identification information included in the mail When the user accesses the site through the network and the identification information used to identify the site is already stored in the identification information storage unit, , Identification information use control means for performing processing for using the stored identification information for the site.

According to a sixth aspect of the present invention, in addition to the configuration of the present invention according to any of the third to fifth aspects, a correspondence relationship between a user and the identification information used by the user can be specified. It further includes registration processing means for performing processing of registering information at a predetermined institution that has a confidentiality obligation.

According to a seventh aspect of the present invention, in addition to the configuration of the third aspect of the present invention, the identification information is anonymity used by the user for each site.

According to the present invention of claim 8, in addition to the configuration of the invention of claim 7, the electronic certificate for anonymity used when the user acts on the network using the anonymity. Further includes an electronic certificate issuance processing means for performing processing for issuing.

According to the present invention of claim 9, in addition to the configuration of the invention of claim 8, the electronic certificate is information capable of specifying a correspondence relationship between a user and the identification information used by the user. The certificate is issued by a specified institution that has a confidentiality obligation, and certifies that the user who uses the anonymity is a user registered in the specified institution.

The present invention according to claim 10 provides the invention according to claims 7 to 10.
In addition to the configuration of the invention according to claim 9, address setting for performing processing for setting an address when the user acts on the network using the anonymity to an address different from the address of the user. Means are further included.

The present invention according to claim 11 provides a tenth aspect.
In addition to the configuration of the invention described in (1), the address setting means sets an address of a predetermined convenience store.

The present invention according to claim 12 provides the invention according to claims 7 to.
In addition to the configuration of the invention according to claim 11, when the user uses the anonymity to access a site to act on the network, when the user acts on the network using a real name. Further, it further includes identification data control processing means for performing processing for preventing the identification data transmitted from the site side to identify the user from being transmitted to the site to be accessed.

The present invention according to claim 13 provides the invention according to claims 7 to 7.
In addition to the configuration of the invention according to claim 12, the identification data control processing means stores only the identification data sent from a site accessed using the anonymity as the identification data dedicated to the anonymity. Anonymous corresponding identification data storage means, and when the user subsequently uses the anonymity to access the site specified by the anonymity,
And an identification data search and transmission unit that searches the anonymous correspondence identification data storage unit to index the identification data corresponding to the anonymity, and transmits the identification data to the site.

The present invention according to claim 14 provides the invention according to claim 13.
In addition to the configuration of the invention described in, the action history data storage means for storing the action history when the user acts on the network using the anonymity in a manner capable of specifying which anonymity was used, and the user Is requested from the side of the site accessed using the anonymity to provide action history data on the network using the other anonymity of the user, the action history data storage means is searched and the other Further includes action history data providing processing means for performing a process for providing action history data using the anonymity to the site.

The present invention according to claim 15 provides the invention according to claim 14.
In addition to the configuration of the invention described in, the action history data providing processing means is notified of anonymity and is requested to provide action history data on the network using another anonymity of the user who uses the anonymity. In the case that the requester and the site specified based on the notified anonymity match, it further includes a monitoring unit for monitoring the distribution state of the personal information of the user.

The present invention according to claim 16 provides the invention according to claims 7 to.
In addition to the configuration of the invention according to claim 15, a process for storing a common credit number for a plurality of types of anonymity used by a certain user in a manner that can be indexed from each anonymity Credit number storage processing means to perform, and when the user makes a credit settlement on the network using the anonymity, accepts an inquiry from a credit company as to whether or not there is a credit number corresponding to the anonymity, and the credit number registration processing means. And a notifying unit for performing a process for notifying the credit company of the result of the determination by searching the credit number registered by to determine the presence or absence of the credit number corresponding to the anonymous inquiry.

The present invention according to claim 17 provides a method according to claims 7 to 7.
In addition to the configuration of the invention according to claim 16, an electronic mail addressed to the anonymity when the user acts on the network by the anonymity is accepted, and the electronic mail can be viewed by a user corresponding to the anonymity. Further includes an anonymous email transfer means for forwarding to any email address.

The present invention according to claim 18 provides the invention according to claim 17.
In addition to the configuration of the invention described in (1), whether or not the site specified based on anonymity, which is the address of the email received by the anonymous email transfer means, matches the sender of the received email. It further includes a monitoring unit that determines whether or not the distribution state of the personal information of the user is monitored.

The present invention according to claim 19 relates to claims 3 to.
In addition to the configuration of the invention according to claim 18, the monitoring means is installed in a predetermined institution that provides a personal information monitoring service to a plurality of users, and the predetermined institution monitors the monitoring by the monitoring means. A reliability calculation means for collecting the results and calculating the reliability of personal information for each site, and a reliability information providing means for providing the reliability information calculated by the reliability calculation means are provided.

The present invention according to claim 20 provides the invention according to claims 7 to.
In addition to the configuration of the invention described in any one of claim 19, the anonymity is obtained by encrypting or decrypting a name of a site that uses the anonymity with a key that can be used by a user who uses the anonymity.

The present invention according to claim 21 is a program for protecting personal information on a network, for identifying a site where a user has accessed his / her network through the network and provided his / her personal information. Information that can identify the identification information used for the above. When the person who obtained the personal information sends a mail to the user who is the owner of the personal information, the information that can identify the identification information that is included in the mail Is stored in the memory, and when the user accesses the site through the network, the identification information used to identify the site is already stored in the memory. It functions as identification information use control means for performing processing for using the identification information for the site.

The present invention according to claim 22 provides a method according to claim 21.
In addition to the configuration of the invention described in (1), the identification information is anonymity that the user uses properly for each site, and further to the processor, when the user accesses the site to act on the network using the anonymity. Is an identification data control processing means for performing processing to prevent the identification data transmitted from the site side to identify the user when the user acts on the network using the real name from being transmitted to the accessing site. Make it work.

The present invention according to claim 23 provides the invention according to claim 22.
In addition to the configuration of the invention described in, the identification data control processing means stores only the identification data sent from a site accessed using the anonymous in the memory as the identification data dedicated to the anonymous Identification data storage means, and when the user subsequently uses the anonymity to access the site specified by the anonymity, the memory is searched to identify the identification data stored corresponding to the anonymity, Identification data search and transmission processing means for performing processing for transmitting the identification data to the site.

The present invention according to claim 24 is a program for protecting personal information on a network,
When the processor uses the anonymity generated by encrypting or decrypting the name of the site with the key that the user can use for the site accessed by the user through the network, and when the email addressed to the anonymous is received, Anonymity, which is the address of an electronic mail, is decrypted or encrypted with a key to return it to a plaintext site name, which functions as a conversion unit.

The present invention according to claim 25 provides the invention according to claim 24.
In addition to the configuration of the invention described in,
A function as a monitoring unit that determines whether or not the name of the site converted by the converting unit and the name of the sender of the received electronic mail match and monitors the distribution state of the personal information of the user is performed.

[0033]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Next, embodiments of the present invention will be described in detail with reference to the drawings. FIG. 1 is a block diagram showing a network system using broadband and showing an outline of the entire personal information protection system. Credit card issuing companies 4, through wide area / large capacity relay network 43
Member store contract company group 5, receiving station 42, member store group 6, supplier group 1, NM group (New Middleman group) 48, electronic administration group 49, XML store 50, content provider group 51, signal 52, mobile phone network 54 So that the gateway 53, the Internet I, the user home 47, the certification authority group 46, the convenience store group 2, the company group 45, the data center 44, the broadcasting station 41, the financial institution group 7, etc. connected to the It is configured. Reference numeral 40 in the figure denotes a satellite, which is for relaying broadcast radio waves from the broadcasting station 41 and sending the radio waves to the receiving station 42.

The credit card issuing company group 4 is a card issuing company that exerts a function as an issuer when making a payment by SET (Secure Electronic Transaction), for example. The member store contracting company group 5 is a company that is composed of financial institutions and the like with which the member store group 6 that constitutes an electronic mall or the like has a contract, and that functions as an acquirer in SET. The supplier group 1 is a product manufacturer or the like, and is an organization that provides products and information.
The NM group 48 is a service provider who mediates between the supplier group 1 and a consumer (natural person or corporation), and supports consumer behavior such as consumer shopping. Whereas conventional intermediaries such as wholesalers and trading companies provide sales support for a group of suppliers, the NM group 48 is different in that it provides purchase support (consumption behavior support) for consumers. As a specific example of the NM group 48, consumer preference information, purchase history information, and website access history information are accumulated as a database, and based on the accumulated consumer profile information (personal information). A service provider that recommends product information that matches the consumer and helps the consumer's consumption behavior is applicable.

The electronic administration group 49 is an electronic administration of, for example, city halls, tax offices, central government offices, and the like.
The XML store 50 is a database that stores data in a unified data structure based on XML and provides predetermined data to requesters of the data as needed. The XML store 50 stores various personal information of users and user agents (including knowledge data for agents). When the XML store 50 is accessed by the financial institution group 7 or the user, the personal data is authenticated to maintain security, and necessary data can be provided. The content provider group 51 is a group of providers that provide various contents such as images, characters, and sounds through a network. The traffic signal 52 for traffic control is also connected to the wide area / large capacity relay network 43 and configured to be remotely controllable.

Base station 5 connected to mobile telephone network 45
5, the radio wave of the browser phone (next-generation mobile phone) 30 is transmitted, and through the base station 55, the mobile phone network 45, the gateway 53, the wide area / large capacity relay network 43, the financial institution group 7, the member store group. 6, NM group 48, electronic administration group 49, XM
The L store 50, the content provider group 51, and the like can be accessed. Similarly, the vehicle 56 also has a base station 55, a mobile telephone network 54, a gateway 53,
Through the wide area / large capacity relay network 54, various service providers and various organizations can be accessed.

The certificate authority group 46 is an organization that authenticates a person who wishes to issue a digital certificate, and then issues a digital certificate. The data center 44 is an organization that stores and manages various data distributed from the broadcasting station 41 by radio waves. Member store group 6, Supplier group 1, NM group 48,
When a large amount of data is transmitted when the user requests the electronic administration group 49, the content provider group 51, etc. to transmit predetermined information, the data distributed by each of these institutions and service providers is temporarily transferred to the data center 44. Stored in
When a predetermined date and time arrives, the data is distributed from the broadcasting station 41 through radio waves, and the data received by the receiving station 42 is distributed to a predetermined user through the wide area / large capacity relay network 43.

The portions indicated by double lines in FIG. 1 are wireless LAN, CATV, satellite, xDSL (digital subscrib).
er line) and FTTH (fiber to the home).

In the present embodiment, not only the certificate authority group 46 but also the financial institution group 7 issues an electronic certificate. Figure 1
Among these, 19 is an IC terminal carried by the user, and stores profile information (personal information) of the user and the like as described later.

FIG. 2A shows an example of the group of companies 45 shown in FIG. 1, and FIG. 2B shows the user home 47 shown in FIG.
Shows an example.

An in-house LAN is built in the company 45, and a personal computer 57, a vending machine 58,
A server 59, a database 60, a notebook personal computer 62, and a facsimile 61 are connected so that information can be exchanged.

The browser phone 30 is constructed so that it can directly transmit / receive data to / from the personal computer 57, the vending machine 58, the server 59, and the other browser phones 30 using Bluetooth. The above-mentioned data center 44 encrypts and stores the information requiring security among the information such as contents to be distributed, and when distributing the encrypted information, the encrypted information is broadcast as it is. It is delivered from the station 41 by radio waves. On the other hand, the IC terminal 19 is provided with a security function such as a key for personal authentication of a user who is the holder of the IC terminal 19 and an encryption algorithm in addition to personal information. In-house L in the company 45 delivered from the above-mentioned broadcasting station 41 and passed through the wide area / large capacity relay network 43 and the like.
The encrypted information transmitted to the AN is the IC terminal 19
It can be decrypted by the key and algorithm stored in.

Furthermore, by connecting the IC terminal 19 to the browser phone 30, the browser phone 30 receives the transmitted information and the IC terminal 19 receives the encrypted information.
Can be decrypted and displayed as original information such as plain text. When the IC terminal 19 is connected to the browser phone 30, the call can be further encrypted and transmitted / received. When the browser phone 30 receives the encrypted call, the IC phone 19 decrypts the call in real time and returns the call to the original call so that the call can be played from the speaker.

By connecting the IC terminal 19 to the facsimile 61, the data transmitted / received by the facsimile 61 can be encrypted. When the facsimile 61 receives the encrypted data, it can be decrypted by the IC terminal 19 and returned to the original data such as plain text for printing.

In the RAN of the user's home 47 shown in FIG. 2B,
A set box 63, a television 67, a personal computer 68, a lighting 64, a refrigerator 69, an air conditioner 65, a telephone 66, an electronic lock 70, etc. are connected.

The personal computer 5 shown in FIG.
7, vending machine 58, server 59, facsimile 61,
The notebook personal computer 62, the set box 63, the television 67, the personal computer 68, the lighting equipment 64, the refrigerator 69, the air conditioner 65, the telephone 66, the electronic lock 70, etc. are each assigned a URL, and a wide area can be accessed from outside. Each device can be accessed by accessing its URL (Uniform Resource Locator) via the large capacity relay network 43 or the like. You can access each device, check the current status of the device, and remotely control from the outside. For example, when the electronic lock 70 is not locked and is locked by remote control, or the air conditioner 65 is accessed, the air conditioner 65 is accessed about 10 minutes before the user returns to the user home 47. Can be set to operate.

FIG. 3 is an explanatory diagram for explaining the financial institution 7. The financial institution 7 includes a VP management server 9, a settlement server 10, an authentication server 11, and databases 12a and 1a.
2b is provided. The VP management server 9 is a server for managing a virtual person (hereinafter, simply referred to as “VP”) as a virtual person. A VP is a virtual person who acts on a network that does not actually exist in the real world, and when a real person (hereinafter simply referred to as “RP”) who is a real person in the real world acts on the network, A virtual person created to impersonate a VP and act as the VP.

The VP management server 9 uses the R
When there is a birth request for a VP from P, it has a function of determining predetermined information such as the name and address of the VP, creating a VP, and storing the data of the VP in the database 12a. The VP management server 9 also has a function of creating and issuing a VP electronic certificate. When the VP conducts a legal act such as buying or selling or making a payment, by transmitting this electronic certificate to the other party, it becomes possible for the VP to act independently while being a virtual person.

The authentication server 11 has a function of creating and issuing an RP electronic certificate. The payment server 10 installed in the financial institution 7 performs not only payment using electronic money or debit card by RP but also payment using electronic money or debit card as VP. It also has a function.

The database 12a stores data relating to RP and VP. Database 12b
Stores data for managing sites (traders) connected to the wide area / large capacity relay network 43 and the Internet I.

As shown in FIG. 3, the database 12a stores RP name, address, authentication key KN, public key KT, account number and the like as RP data. The authentication key is a key for authenticating the person by the common key cryptosystem when the RP accesses the financial institution 7.
The public key is a key used in the public key cryptosystem and is a key paired with the private key. The account number is an account number opened by the RP in the financial institution 7.

The trap information is information for setting up a trap in order to identify a criminal who has done so when the site (trader) side has collected personal information and illegally distributed it. . For example, when a VP transfers its own personal information to a certain site (first transfer destination), the first
Use the name unique to the recipient. That is, the VP has a plurality of names of its own, and uses it properly for each site (trader).
Such a VP name is referred to as a trap type VP name for convenience. By doing this, when the direct mail or the E-mail is sent from the trader side, the address of the mail should be the trap type VP name. The site (trader) that sent it is a site (trader) that is different from the first transferee indexed from the trap type VP name and that exceeds the permissible disclosure range (distribution allowance range) of the transferred personal information. In the case of this, the personal information is illegally disclosed (circulated) by the first transferee. In this way, the first transferee who has performed illegal distribution (illegal disclosure) can be indexed from the trap type VP name.

In FIG. 3, Jiro is the second trap information, the third trap information, the second personal information, the third personal information,
It has two pieces of information. When Jiro acts on the network, these two types of VP information are registered in the financial institution 7 so that the two VPs can be used properly. The VP address is an address of the convenience store 2 which the RP desires or is close to the RP address, as described later. As a result, the delivery destination of the product when electronic shopping is performed as the VP is delivered to the convenience store 2 which is the address of the VP. The RP can impersonate the delivered product as a VP and go to the convenience store 2 to pick up the product. By doing this, VP and RP can be obtained by using the address as a clue.
It is possible to prevent the inconvenience that the correspondence relationship with

Details of the trap information shown in FIG. 3 are shown in FIG.
Is shown in. Each trap information of the first trap information, the second trap information, ... Includes a name (trap type VP name), a public key, an email address, a virtual account number, and a virtual credit number for each site name. For example, when the VP accesses the site name (trade name) ABC, the real name of the VP is B13P, and
VP using P's private key KSB and paired public key KPB '.
Use the true email address of
Use P's real account number, 2503, and use VP's real credit number, 3288.

On the other hand, when accessing the site name (trade name) MTT, E (B13P) obtained by encrypting the real name of the VP once with the private key of the VP is used as the trap type VP name. As the private key, the real private key KSB of the VP
E encrypted once with VP's true secret key KSB
_{Use KSB} (KSB). The public key KPB for this secret key E _KSB (KSB) is stored in the database 12a. As the e-mail address, the e-mail address that the financial institution 7 has opened for the trap-type VP Δ △△
Use ΔΔ. As the account number, E (250) is obtained by encrypting the real account number of VP once with the real private key of VP.
Use 3) as the virtual account number. As the credit number, E (3288), which is the VP's real credit number once encrypted with the VP's real secret key, is used.

Further, when accessing the site name (commercial name) MEC, E ² (B13P) obtained by encrypting the real name of the VP twice with the private key of the VP is used as the trap type VP name.

VP is trap type VP name E²(B13
When acting on the network using P),
Twice-encrypted secret which encrypted key KSB twice with secret key KSB
Secret key E ² _KSB(KSB) is used. The twice-encrypted private key
The public key paired with is KPB ″. Email
The address is the email for the trap type VP by the financial institution 7.
The open address is used. bar
Chal account number is the real account number of VP with secret key 2
E encrypted twice²(2503) is used. Credit number
No. 2 is the real credit number of the VP with the private key of the VP
Virtual credit number E encrypted once²(328
8) is used.

As described above, the number of times the trap information is encrypted varies depending on the site name. The personal information provided to the site side (the trader side) is eventually returned in the form of e-mail or direct mail after circulating on the network. The purpose of this trap information is to make it possible to trace a criminal who illegally distributes personal information by setting a trap using this personal information feedback loop. That is, it is the reverse of a tracking cookie that tracks a user on the Internet.

FIG. 5 is a diagram for explaining the personal information of the VP shown in FIG. The respective personal information of the first personal information, the second personal information, the third personal information, ...
It consists of multiple types of personal information. For example, the personal information A is the age, sex, occupation, annual income, etc. of the VP, and the personal information B is information about the preference of the VP.

As shown in FIG. 5, each personal information is provided with a digital signature by the private key KS of the financial institution 7.
For example, in the personal information A of the first personal information, a digital signature D _KS (XX) is attached to the personal information itself of XX.

As will be described later, the financial institution 7 checks the authenticity of each personal information stored in the database 12a, stores only the correct one in the database 12a, and digitally authenticates it. It will be signed.

FIG. 6 shows the database 12b of the financial institution 7.
It is a figure which shows the information stored in. Database 1
2b stores, for each site name (trade name), the value of the private information obtained by the trader illegally, the value of the private information leaked (illegal distribution), and the bad rank calculated from these two values. Has been done.

As will be described later, a site name (trade name)
If the MTT illegally obtains the personal information, the illegally obtained value is updated by adding "1", and if the personal information is illegally distributed,
The illegal distribution value is updated by adding "1". Then, the bad rank is given a value by the formula of illegally acquired value + 2 × illegal outflow value, and the larger the value, the higher the bad rank. If the value of the above formula is the largest, the bad ranking is the highest.

FIG. 7 is a diagram showing the structure of the XML store 50. A database 72 and a server 71 that controls the database 72 are installed in the XML store 50. Server 7
1 also has a function of authenticating a person who has accessed the XML store 50 and performing access control.

The database 72 stores data expressed in XML. The content of the data is VP
As information, the name of the VP, such as B13P, VP
For user agents (including knowledge data), site-specific information such as site name, ABC, digital certificate issued to VP who accessed the site, personal information of the VP, privacy policy of the site, and both of these information. The digital signature D _KSB (personal information + policy) attached by the VP, the digital signature D _KSA (personal information + policy) attached by the site ABC, the encryption count "0" as trap information, and the E of the VP It contains the email address, xxxxx. Furthermore, when the VP accesses the site name MTT, the site name MT
The electronic certificate issued to the trap-type VP that accessed T, the personal information provided by the trap-type VP to the site, the privacy policy of the site, the digital signature of the trap-type VP for both information, and the site The digital signature, the number of times of encryption “1” as the trap information, and the email address are included.

Further, as for the information of other VPs whose names are NPXA, the same items as described above are stored in the database 72. In the database 72, data is stored in the above-described items for each very large number of VPs.

As for the site name ABC, as described in FIG. 4, since the information that has not been encrypted once is used as the trap information, the number of encryption times stored in the database 72 is also “0”. Has become. As for the site name MTT, as described with reference to FIG. 4, since the information encrypted once is used as the trap information,
The number of encryption times stored in the database 72 is also "1"
Has become.

The above-mentioned VP user agent is self-supporting software that operates for the VP who is the user. This VP user agent is composed of a mobile agent so that it can move through the network.

The data shown in FIGS. 3 to 7 may be stored in each database in an encrypted state. If so, even if the data is stolen, it cannot be decrypted, and the security reliability is improved.
On the other hand, for example, when a VP (including a trap-type VP) performs a noticeable misconduct on the network (eg, an act in violation of criminal law), a VP (eg, police, etc.) responds to a request, etc. Database 1 for that VP
Search from 2a etc. to find the RP corresponding to that VP,
The address and name of the RP may be provided to the requesting prescribed organization (for example, the police).

FIG. 8 is a diagram showing the configuration of the convenience store 2. The convenience store 2 is provided with a database 75, a server 74 connected to the database 75, and a terminal 73 connected to the server. The database 75 stores the names of VPs (including trap type VPs) having addresses at the convenience stores, and the custody information of products, e-mail addresses, customer management information, etc. corresponding to each name. .

If the goods purchased by the B13P VP are delivered to the convenience store 2, the database 75
In the B13P storage area of "AB
"Product deposit from company C, unsettled" is stored. The unsettled state is a state in which B13P has purchased a product through the net but has not yet paid the product.

The E-mail address column of the database 75 stores the E-mail address corresponding to each VP. In the case of B13P, since it is not a trap type VP, it is the true email address of the VP.
X is stored.

Similarly, for the E (B13P) which is a trap type VP, for example, "commodity deposit from MTT company, settlement completed" is stored as product deposit information. Note that E (B1
Since 3P) is a trap type VP, the email address stored for the trap type VP of the financial institution 7 is stored as the email address.

As will be described later, the server 74 allows the customer who has received the merchandise as a VP (including a trap type VP) to the convenience store 2 to register the VP (trap type VP) registered in the convenience store 2 with the customer. In the case where the merchandise is stored in (including), processing for delivering the merchandise to the VP (including the trap type VP) is performed.

The convenience store 2 provides not only a product custody service but also a direct mail custody service for VPs. This is because the convenience store 2 is the address of the VP, and the direct mail addressed to the VP is mailed to the convenience store 2.

FIG. 9 is a front view showing a browser phone 30 which is an example of a terminal used by a user. The browser phone 30 is equipped with a microcomputer 199. This microcomputer 199 has a CPU
(Central Processing Unit) 197, I / O port 198, ROM 195, EEPROM 194, R
And AM 196. This browser phone 3
0 has a USB (Universal Serial Bus) port, and the IC terminal 19R or 19 is connected to the USB port.
V or 19I can be inserted. The IC terminal 19R is an IC terminal for RP. IC terminal 19V
Is an IC terminal for VP. The IC terminal 19I stores VP data and programs issued by a financial institution and is delivered to the user as described later. The delivered IC terminal 19I is a USB port of the browser phone 30. By pointing to the IC terminal 1
The data and software stored in 9I will be stored in the browser phone 30.

FIG. 10 is an explanatory diagram for explaining the VP IC terminal 19V. As described above, the VP IC terminal 19V is configured to be detachable from the USB port 18 of the browser phone 30, and by inserting it into the USB port 18, it becomes possible to exchange information with the browser phone 30. , Ready to use.

An LSI chip 20 is incorporated in the VP IC terminal 19V. In this LSI chip 20,
CPU 24 as a control center, ROM 25 in which an operation program of CPU 24 is stored, RAM 22 as a work area of CPU 24, EEPROM 26 capable of electrically erasing stored data, coprocessor 23, for inputting / outputting data to / from the outside I / O ports 21 and the like are provided, and they are connected by a bus.

The EEPROM 26 stores Mondex (including reload amount data) which is a program for electronic money, various other application software, an electronic certificate issued for VP, a personal identification number, and cookie data. .

Further, the IC terminal 19V for VP has a function as a user agent of the VP, and as the user agent knowledge data, debit card information, credit card information, VP name and address, VP email. Address, VP public key KP and private key KS, R
Various pieces of knowledge data such as the P authentication key KN, the age and occupation of the VP, various preference information of the VP, the family structure of the VP, and the like are stored.

The RP IC terminal 19R also has substantially the same configuration as the VP IC terminal 19V shown in FIG. Speaking of the difference, the contents of the user agent knowledge data recorded in the EEPROM 26 are different. Specifically, instead of the name and address of the VP, the name and address of the RP, and the E of the RP instead of the e-mail address of the VP
RP instead of email address, VP public key or private key
Public key, private key, RP instead of age and occupation of VP
Instead of the VP's various kinds of preference information such as age and occupation, the RP's various kinds of preference information, and the VP's family structure instead of the VP's family structure.

The family structure of a VP is made up of data such as the name, address, age, etc. of the VP in the case where the RP family corresponding to the VP has given birth to the VP. That is, the data of the VP family corresponding to the RP family, that is, the virtual family data is stored in the storage area of the family structure of the VP.

FIG. 11 is a diagram showing details of the cookie data shown in FIG. The cookie data storage area stores, for each VP name, a cookie sent from the site (trader) side that has accessed using the VP name. When the VP uses the real name B13P to access the site, any site other than the site that has already accessed using the trap type VP can access any site. As a result, cookie data from many sites are stored only in the real name B13P.

FIG. 12 shows the VP management server 9 shown in FIG.
3 is a flowchart showing the processing operation of FIG. Step S
By (1) (hereinafter, simply referred to as S), it is determined whether or not there is a VP birth request. If the customer (user) operates the browser phone 30 to make a VP birth request, S1
Proceeding to a, proof processing to the effect that it is a legitimate institution is performed. This certification process is a process for proving that the financial institution 7 is a legitimate institution that manages the VP, and is a process for preventing fraudulent acts by impersonating another person. This process will be described later with reference to FIG. Next, in S2, the RP name and address input request is transmitted to the browser phone 30. Then go to S3, RP
It is judged whether or not there is a reply of the name and address from the browser phone 30, and the process waits until there is.

When the user RP inputs his name and address from the browser phone 30 and sends it, a determination of YES is made in S3 and the process proceeds to S4, a random number R is generated and challenge data is sent to the browser phone 30 as challenge data. The process of sending is performed. When the user makes a VP birth request, the VP IC terminal 19V is inserted into the USB port 18 of the browser phone 30. In that state, if a random number R is transmitted from the VP management server 9, the random number is V
Input to P IC terminal 19V. Then, as will be described later, the random number R input in the IC terminal 19V for VP is input.
Is performed using the RP authentication key KN,
The encryption result is output to the browser phone 30. The browser phone 30 transmits the response data I, which is the output encrypted data, to the VP management server 9. Then, a determination of YES is made in S5 and the process proceeds to S6, in which the process of decrypting the received response data I, that is, the process of calculating DKN (I) is performed using the authentication key KN of the RP. Next, in S7, it is judged whether or not the random number R = DKN (I) generated in S4.

When the birth requester of the VP is a regular RP stored in the database 12 of the financial institution 7,
Since R = DKN (I), the control advances to S9, but if another person impersonates the RP stored in the database 12 and makes a VP birth request, R = DKN
Since (I) is not satisfied, the control advances to S8, a message of access refusal is transmitted to the browser phone 30, and the process returns to S1.

On the other hand, if YES is determined in S7, the process proceeds to S9, and it is determined whether or not the desired convenience store is input. The RP that has made the birth request for the VP, if there is a convenience store that is particularly desired for the convenience store serving as the address of the VP to be born, inputs it to the browser phone 30 and sends it to the VP management server 9. In that case, S9
After the determination of S is made, the process proceeds to S10, and the inputted information of the convenience store is stored, and then the process proceeds to S12. On the other hand, if the desired convenience store is not input, the process proceeds to S11, searches for a convenience store near the RP address, stores the convenience store, and then proceeds to S12.

At S12, the name of the VP, the address of the convenience store which is the address of the VP, the e-mail address of the VP, etc. are determined. Next, in S13, the request for transmitting the public key of the VP is transmitted to the browser phone 30. And S1
The process proceeds to step 4, and it is judged whether or not there is a reply of the public key KP, and the process waits until there is. The browser phone 30 that has received the request to send the public key of the VP is connected to the IC for VP.
A public key output request is output to the terminal 19V. Then, as will be described later, the IC terminal 19V for VP stores the stored V
The public key KP for P is output to the browser phone 30. The browser phone 30 returns the output public key KP for VP to the VP management server 9. Then S1
A determination of YES is made from 4, and the process proceeds to S15, in which the name, address, public key KP, and E-mail address of the VP are stored in the database 12 in association with the RP.

Next, in S16, a process for creating a VP electronic certificate and registering it in the XML store 50 is performed. Next, the processing proceeds to S17, and processing for mailing the IC terminal 19I storing the name of the VP, the address of the convenience store, the name of the convenience store, the e-mail address, and the electronic certificate to the RP. Next, it progresses to S18 and S12.
A process of transmitting the VP's name, e-mail address, and the name of the financial institution 7 to the convenience store of the address determined in step 1 is performed. Next, the process proceeds to S19, and a proof process to the effect that it is a legitimate institution is performed. The proof processing of the legitimate institution is the same processing as S1a described above. Then, the process returns to S1.

The "anonymous digital certificate" in the present invention means a predetermined institution (which has a duty of confidentiality) that registers information capable of specifying the correspondence between a user and anonymity (VP name) used by the user. This is a concept including a certificate issued by a financial institution 7) and certifying that the user who uses the anonymity is a user registered in the predetermined institution. Therefore,
Not only a general digital ID used for identity verification,
It is a concept that the predetermined institution includes all electronic certificates that prove to the user who uses the anonymity that the user is a user registered in the predetermined institution. For example, it is a concept including a simple certificate in which anonymity used by a user and a message in which the anonymity is registered in the predetermined institution are only digitally signed by the predetermined institution.

If NO is determined in S1, the process proceeds to S400 in S13 (a). In S400, personal information registration processing is performed, then trap information registration processing is performed in S401, personal information confirmation processing is performed in S402, and personal information verification is performed in S403.
Distribution check processing is performed, personal information sales agency processing is performed in S404, mail transfer and distribution check processing is performed in S405, and access history provision processing for other trap type VPs is performed in S406.
In S407, the reliability ranking information is totaled and provided, and the process returns to S1. There is a need on the site (trader) side that receives the personal information from the user to confirm whether or not the personal information provided is really correct. Therefore, the VP management server 9 of the financial institution 7
Receives personal information from the user, checks whether the personal information is correct personal information, and registers only the correct personal information in the database 12a. The process is S400
By.

On the other hand, when the use of the VP becomes popular on the network, a trader who collects detailed personal information of both the RP and the VP matches both personal information with each other, There is a possibility that an inconvenience may occur in which the RP name and the VP name that are matched with each other are calculated and the RP corresponding to the VP is predicted. Therefore, when registering the personal information in the database 12a, it is necessary to exclude (or change) the personal information that identifies the RP such as the work name, the department name, or the post. Such processing is performed by S400.

On the other hand, the user who is the personal information owner monitors whether his / her personal information is distributed with correct contents,
If there is a mistake, there is a need to correct it. Therefore, so that the user can check the authenticity of his / her personal information registered in the database 12b,
In step S402, confirmation processing of personal information is performed.

Further, when the user limits the disclosure range (distribution range) of his / her own personal information and then provides the personal information to the trader side (site side), the disclosure range (distribution range) is protected. There is a need to monitor whether or not there is. There is a need for the trader who receives the personal information to confirm whether or not the personal information is correct as described above. Therefore, the personal information owned by the site side (trader side) can be collated with the personal information of the database 12a in which the correct personal information is registered, while the personal information owned by the dealer side that is the collation target is The process of S403 is performed so that the distribution allowable range can be checked to check whether the distribution is correct.

The user needs to obtain some kind of service or money in return for providing personal information. Therefore, in S404, sales of personal information is performed. As explained based on FIG. 4,
Since the trap type VP uses the e-mail address for the trap type VP of the financial institution 7, the e-mail addressed to the trap type VP is opened for the trap type VP of the financial institution 7. It will be sent to your email address. Therefore, it is necessary to transfer the sent e-mail to the e-mail address of the corresponding VP. The process is performed by S405. At that time, since the e-mail address sent from the trader side is the trap type VP, the site corresponding to the trap type VP is indexed (see FIG. 4), and from the indexed site If it is not the E-mail, it is also checked in S405 whether or not the e-mail is from the site within the allowable distribution range of the personal information of the trap type VP and the distribution check is performed.

As described with reference to FIG. 4, when the trap type VP name is properly used for each site, traffic control should be performed on the user side so that the name is separated and the cookie from the site side is recorded. I need to do it.
When the same cookie is commonly attached to a plurality of trap type VPs, the plurality of trap type Vs
This is because it is discovered that P is the VP of the same person.

When such traffic control is performed,
The trader side (site side) can collect access history information and product purchase history information about a certain trap type VP, but it is possible to collect the access history when using the name of another trap type VP while using the same VP. The product purchase history information cannot be collected. In other words, the supplier side (site side)
Has the inconvenience that only a part of the history information of a certain VP can be collected.

Therefore, when there is a request from the trader side (site side), the process of providing the access history of another trap type VP is performed by S406.

When the user provides his / her own personal information to the site side (trader side), there is a need to confirm to what extent the trader can be trusted for privacy protection. Therefore, in S407, processing of totaling the reliability ranking information and providing the totalized result is performed.

FIG. 13B is a flow chart showing a subroutine program of the personal information registration processing of S400. This personal information registration process is a process when the user registers the personal information as a VP.

When the browser phone 30 receives the random number R,
The random number R is encrypted once by using the private key for VP stored in the IC terminal 19V for VP connected to the browser phone 30 to generate the response data I. Then, the response data I is transmitted to the VP management server 9 of the financial institution 7.

In S410, it is judged whether or not there is a request for registration of personal information from the user side, and if not, this subroutine program ends. If there is a registration request, the process proceeds to S411, and the legal institution certification process is performed. Next, the control advances to S412, an input request for the name of the VP is made, and it is judged at S413 whether or not there is an input. If there is an input, the control advances to S414, and a process of generating a random number R and transmitting it as challenge data to the user side who has made the registration request is performed. S41
The process proceeds to step 5 and the user side determines whether or not the response data I is received, and waits until the response data I is received. Upon reception, the process proceeds to S416, the public key KP of the VP is retrieved from the database 12a, and the received response data I
Is encrypted with the public key KP to generate D _kp (I).

Next, the control advances to S417, where it is determined whether the challenge data R and D _kp (I) are equal.
If they are not equal, it means that the user cannot be authenticated, and the process proceeds to S422, where a registration refusal process is performed. S4
When YES is determined by 17, the control is S4.
Proceeding to 18, the processing for issuing the input request of the personal information desired to be registered to the user who has issued the registration request is performed. Then S
Proceeding to 419, it is judged whether or not there is an input, and the process waits until there is an input. When there is an input, control is S4
Proceeding to 20, the authenticity of personal information to be registered is checked.

This authenticity check is performed, for example, by accessing the XML store 50 and checking the personal information of the corresponding user if it is registered, or by accessing the city hall included in the electronic administration group 49. It is performed by checking the personal information registered there. If such a collation check by machine search is not sufficient, an investigator of the financial institution 7 carries out a trade-in examination to make a genuine / counterfeit check.

Then, the control advances to S421, where it is judged whether the result is true or false as a result of the authenticity check. If the result is not correct, the process advances to S422 to perform the registration refusal process, while if the result is correct, the process advances to S423. It is determined whether the RP is personal information that is specified. If the personal information of the VP to be registered contains personal information that identifies the RP such as the work name, department name, or job title, if the personal information is registered as it is, There is a possibility that a third party may predict which VP corresponds to which RP from the registration information. This database 12
The personal information registered in a is in a state that the site side (trader side) can know by S403 and S404. as a result,
On the site side (trader side), there is a fear that the correspondence relationship between RP and VP is predicted.

Then, in S423, it is judged whether or not the RP is the specified personal information, and if it is not the predicted personal information, the process proceeds to S425, but if it is the predicted personal information, the process proceeds to S424. After the processing for processing the personal information is performed, the processing proceeds to S425. For example, when the work name is MEC, it is processed into, for example, "a certain major electric maker", or when the position is senior managing, it is processed into, for example, "executive".

In step S425, a process of adding the digital signature of the financial institution to the personal information and registering the personal information for each user name is performed. As a result, the data as shown in FIG. 5 is registered in the database 12a.

FIG. 14 is a flow chart showing a subroutine program of the trap information registration processing shown in S401. In S430, the legal institution certification process is performed, and in S431, the VP name input request is issued to the VP that has requested the trap information registration. Then S43
The process proceeds to step 2, and it is determined whether or not the VP that has requested the registration has input his or her own VP name.
31 requests are issued. Next, the control advances to S433, and a process of generating a random number R and transmitting it as challenge data to the VP who is the registration requester is performed. Through S434, it is determined whether the response data I has been received.

The VP which is the registration requester who has received the transmitted challenge data R encrypts the challenge data R with its own secret key to generate the response data I and transmits it to the VP management server 9 of the financial institution 7. To do. Then, the control proceeds to S435, where the public key KP of the VP which has requested the registration is searched from the database 12a, and the received response data I is decrypted with the public key KP. Then, by S436, the challenge data R
= D _kp (I) is determined, and if it is not equal, it means that the VP cannot be determined as the person as a result of authentication, and a registration refusal is notified to the VP in S437. On the other hand, if YES is determined in S436 and it is confirmed as a result of the authentication that the VP is the person in question, control proceeds to S438, and a process of transmitting a trap information transmission request to the VP is performed.

Whether or not the trap information desired to be registered has been transmitted from the VP is made in S439, and the process waits until it is transmitted. The control proceeds to S440 at the stage of being transmitted, and the process of storing the transmitted trap information in the database 12a is performed. This trap information is stored in the storage area corresponding to the VP who is the registration requester. Next, the control advances to S441, where the financial institution 7 generates an electronic signature for the trap information, and the electronic certificate is registered in the XML store 50. As a result, as described with reference to FIG.
The electronic certificate is stored in the database 72 of the store 50.

The electronic certificate may be stored in the IC terminal 19V of the VP that has made the registration request, instead of being stored in the XML store 50. However, as described above, the trap information is different for each website accessed by the VP, and as a result, the electronic certificate is also different for each website, and if a large number of electronic certificates are stored in the IC terminal 19V, Storage capacity issues arise. Therefore, in the present embodiment, in order to overcome the problem of the storage capacity, the XML store 50 is registered. The IC terminal 19
If the storage capacity of V is very large, financial institution 7
All or most of the electronic certificates issued by
It may be stored in the C terminal 19V.

FIG. 15 is a flowchart showing a subroutine program of the personal information confirmation processing shown in S402. When the user wants to confirm his / her personal information registered in the database 12a of the financial institution 7,
The user sends a confirmation request as a RP to the VP management server 9 of the financial institution 7. If there is a transmission of the confirmation request, S45
A determination of YES is made by 0, and the same person authentication processing as that described above is performed by S451 to S458.
The name input request in S452 is the user's R
This is a request to input the name of P. If it is confirmed that the user is the person as a result of the personal authentication, the result of S457 is YE.
The determination of S is made, and the control advances to S459.

In S459, it is determined whether the request is a confirmation request of personal information. The subroutine program for the confirmation processing of the personal information is configured to be able to deal with the case where the user makes a request for changing the personal information of the user. In the case of the personal information change request from the user, NO is determined in S459, but in the case of the personal information confirmation request, YES is determined in S459 and the control advances to S460 to input. A process of transmitting the personal information corresponding to the RP name to the user is performed.

The user who confirms the transmitted personal information, if the personal information contains wrong personal information,
Alternatively, when personal information is changed by changing jobs or moving, a request to change own personal information is sent to the financial institution 7.
To the VP management server 9. Then, the determination of YES is made in S450a, and the control advances to S451, where S
Authentication processing from 451 to S458 is performed. Then, if it is confirmed as a result of the authentication that the user is the person in question, a YES determination is made in S457, the process proceeds to S459, and it is determined whether the request is a confirmation request of personal information. In this case, the control is S45 because it is a request to change the personal information.
9a, the user is requested to send personal information (change information) to be changed.

[0115] The user sends change information to the VP management server 9 of the financial institution 7 indicating which part of his / her personal information he / she wants to change. Then, a determination of YES is made in S459b, and a true / false check is made in S461 as to whether or not the transmitted change information is correct. Next, in S462, a process of returning the check result to the user is performed. Next, in S463, it is judged whether the result of the check is correct or not. If it is not correct, this subroutine program is terminated without changing the personal information, but if it is correct, S4 is executed.
Proceeding to 64, a process of changing the corresponding part of the personal information in the database 12a is performed.

FIG. 16 is a flowchart showing a subroutine program of the personal information collation and distribution check processing shown in S403. Through S465, it is determined whether or not there is a collation request. For example, Web
On the site side, when personal information such as the address, name, age, sex, annual income, preference information of the accessing user is collected, the financial institution 7 determines whether the personal information is really correct. It is this subroutine program that can be verified. If there is a verification request from such a site side (provider side), the control is S46.
In step 6, the electronic certificate of the financial institution 7 side is transmitted to the site side (provider side), and in S467, a process of requesting transmission of the electronic certificate of the site side (provider side) is performed. If the electronic certificate is sent from the trader side, S4
A determination of YES is made by 68, and the control advances to S469 to perform a process of requesting the collation requester for the name of the user to be collated. When the site side (trader side), which is the collation requester, transmits the name of the user to be collated, the control proceeds to S473, and the requester side is requested to transmit the personal information to be collated. If the client side transmits the personal information to be collated to the financial institution 7 side, the control advances to S471.

In S471, a process of checking whether or not the trader name (site name) of the transmitted requester's electronic certificate and the transmitted user name to be verified match based on the trap information. Is done. The requester's electronic certificate describes the trader name (site name) of the requester. As described based on FIG. 4, VP is We
When accessing the b site, the real name of the VP may be used or the trap type VP may be used. That is, VP
Uses different names for each site it visits. Therefore, for example, when a request for collating personal information is issued from the MTT in FIG. 4, the user name received in S470 should originally be E (B13P). As described above, it is determined in S472 whether or not the site name and the VP name used for it match. If they match, the process proceeds to S473, but if they do not match, S4 of FIG.
Proceed to 94.

In S494, processing is performed to retrieve the corresponding personal information in the XML store and check whether the requester is included in the distribution allowable range defined in the privacy policy. If the trader name (site name) and the user name do not match, it should not be judged that the personal information was immediately illegally distributed, and within the certain allowable distribution range when the VP provides the personal information to the site side. In the case of, it may be possible that another vendor has consented to the distribution (disclosure) of the personal information. This allowable distribution range is described in the privacy policy prepared by the site. Therefore, in S494, the corresponding personal information in the XML store is searched and it is checked whether or not the requester is included in the distribution allowable range defined in the privacy policy stored therein. For example, the user name sent from the requester MTT is B13P.
(See FIG. 4), the site name ABC corresponding to the user name can be calculated.

The database 72 of the XML store 50 is searched based on the indexed site name ABC, and the "policy" stored in association with the site name ABC is searched (see FIG. 7). This privacy policy is based on We
It is presented to the user side when the b site ABC collects the personal information, and its privacy policy describes the allowable distribution range of the collected personal information. Whether or not the matching requester MTT is included in the allowable distribution range is checked in S494. If it is included, the determination of YES is made in S494a and the process proceeds to S475. If it is not included, it means that the personal information is illegally distributed, and S495.
Subsequent processing is performed.

In S495, a process of adding and updating the illegally acquired value of the personal information by "1" is performed in association with the requester name. In the above example, the requester MTT has the VP name B13P.
Means that the personal information of the VP name B13P has been illegally obtained from the site (trader) ABC. Therefore, in S495, the processing of adding and updating the illegally acquired value by "1" is performed. This illegally acquired value is stored in the database 12b (see FIG. 6).

Next, the control advances to S496, the site name (trader name) corresponding to the transmitted user name is indexed, and the unauthorized leak value of the personal information is set to "1" in association with the site name (trader name). The process of adding and updating is performed. In the example described above, the site name (provider name) ABC corresponding to the sent user name B13P is indexed, and the site name (provider name) A
The unauthorized outflow value of the personal information is updated by adding "1" in association with BC. In other words, the site (provider) ABC is VP name B
The personal information of 13P was illegally leaked to the MTT, and therefore, the illegal leak value is updated by adding "1". This unauthorized outflow value is also stored in the database 12b (see FIG. 6).

Next, the control advances to S497, where a process of notifying the relevant user of the fact that the personal information is illegal and the detailed data thereof is performed.

On the other hand, when the trader name written in the requester's electronic certificate and the sent user name match, control proceeds to S475, and the personal information sent from the requester is stored in the database. A process of collating with the personal information (see FIG. 5) of the corresponding user of 12a is performed. Then S4
The processing of calling the user agent of the user to be collated from the XML store is performed by 76. Next, in S477, a process of notifying the user agent of the collation result and asking the requester whether or not a reply may be made is performed. If there is a reply from the user agent, the control advances to S479, and if the reply is a reply to the requester, the control advances to S486, and a digital signature is added to the verification result and correct personal information. Is done. This digital signature indicates that the financial institution 7 has confirmed that the personal information is correct. Next, in S487, processing is performed in which the personal information with the digital signature is returned to the requester, and the requester is notified that the other information is incorrect. If the personal information of the user corresponding to the personal information transmitted from the requester is not in the database 12a, the request cannot be verified because the request cannot be verified because the verification cannot be performed. Reply.

On the other hand, when the result of the reply from the user agent is not OK, the control advances to S480, and a reply requesting a reward from the requester (trader) is sent as a condition for replying to the requester. A determination is made as to whether it was made by the user agent. The user agent makes three types of responses: an OK response, a return request response, and a response refusing the response to the requester. If the reply is to refuse the reply to the requester, the control is S481.
Then, the processing for returning the reply to the requester is performed.

If the reply is a request for return,
The control advances to S482, and processing for returning the issued reward request to the requester is performed. Next, in S483, it is determined whether or not there is a response from the requester, and the process waits until there is a response. When a reply is received, it is determined in S484 whether the negotiation is successful. If the negotiation has not been established, the control advances to S481, and a process of replying to the requester that the reply is rejected is performed. If it is determined that the negotiation has been established, the process proceeds to S485, and a process of notifying the user that the negotiation has been established is performed. At the same time, the VP management server 9 of the financial institution 7 stores the reward contents determined by the negotiation. Next, the control proceeds to S486.

FIG. 17B is a flow chart showing a subroutine program of the sales agent processing of personal information shown in S404. By S498, it is determined whether or not there is a purchase request for personal information. If the VP management server 9 of the financial institution 7 makes a purchase request for personal information from the trader side, the control advances to S499, in which the electronic certificate of the financial institution 7 is transmitted to the purchase requester. Next, in S500, a process of requesting the purchase requester to transmit the electronic certificate of the purchase requester is performed. If the purchase requester sends the electronic certificate, the control advances to S502, and a process of requesting the purchase requesting user name of the user to be purchased is performed. If the purchase requester transmits the user name of the purchase target, the control advances to S504, and a process of calling the user agent having the transmitted user name from the XML store 50 is performed.

Next, in S505, a process of directly negotiating between the user agent and the purchase requester is performed.
In this negotiation, whether or not personal information may be provided to the purchase requester, how much reward is required in providing it, and whether the reward content is payment of money or provision of service, etc. Negotiations. In S506, it is determined whether or not the negotiation is successful, and if not successful, in S507, a process of replying to the requester (purchase requester) to refuse the sale is performed. When it is determined that the negotiation has been established, the control advances to S508, and a privacy policy including a user name, a purchase requester name, sales conditions such as a reward, and a disclosure allowable range (a distribution allowable range) of personal information is set. In contrast, users, requesters (purchase requesters),
A process of adding and storing a digital signature of each of the financial institutions 7 is performed. Next, in step S509, a process of attaching a digital signature of the financial institution 7 determined to be sold and returning it to the client is performed.

The personal information stored in the database 12a of the financial institution 7 is checked by the financial institution for authenticity and only correct personal information is stored. When providing the collation result with the correct personal information to the trader, S48
6, the digital signature of the financial institution 7 is added in S509. Therefore, the financial institution 7
For personal information that is not digitally signed by
It can be seen at a glance that personal information that may be erroneous and that personal information with the digital signature of the financial institution 7 is correct personal information.

FIG. 18 is a flow chart showing the subroutine program of the mail transfer and distribution check shown in S405. Through S514, it is determined whether or not an email has been sent from the site (trader). Figure 4
As explained above, when the VP uses the real name to access the site, it notifies the site of the VP's e-mail address, but the trap type VP name is used to access the site. Provides the e-mail address opened for the trap type VP of the financial institution 7 to the site side. As a result, the email from the site will be sent to the email address established for the trap type VP of the financial institution 7.

At the financial institution 7, if there is a mail sent to the e-mail address opened for the trap type VP, the VP management server 9 executes the step S514.
Make a YES decision. As a result, the control proceeds to S515, and the site name (trade name) corresponding to the address included in the sent E-mail is indexed from the database 12a. As described with reference to FIG. 4, the database 12a stores the name of the VP and the site name accessed by the VP in association with each other. Using this correspondence, a process of deducing the corresponding site name (trade name) from the mail address is performed.

Next, in S516, it is determined whether or not the indexed site name and the site name to which the E-mail is sent match. Although they should match, if personal information is illegally distributed, a site that illegally obtains the illegally distributed personal information may send an e-mail to the personal information owner. In that case, the indexed site name does not match the site name that sent the mail.

When the indexed site name and the site name that sent the mail do not match, it cannot be concluded immediately that the personal information was illegally distributed. When the personal information is provided to the site side, there is a case where the user who is the personal information owner has given consent that the personal information may be distributed within a certain allowable distribution range. Therefore, as described in S494 and S494a of FIG. 17, the control proceeds to S522, the relevant personal information in the XML store is searched, and the email sender is included in the distribution allowable range defined in the policy. If it is determined to be included in S523, the control proceeds to S517. If it is determined not to be included, the control proceeds to S519.

In S519, the processing for adding and updating the illegally acquired value of the personal information by "1" is performed in correspondence with the site name to which the e-mail is sent, and in S520, the personal name is associated with the site name calculated in S515. A process of adding and updating the unauthorized outflow value of information by "1" is performed. Next, in step S521, a process of notifying the corresponding user of the fact that the personal information is illegal and detailed data thereof is performed.

On the other hand, if it is determined that the personal information has not been illicitly distributed, the control advances to S517, where the mail address of the user corresponding to the address of the E-mail is indexed. E to the given address
Processing for forwarding mail is performed.

FIG. 19 is a flow chart showing a subroutine program of the access history providing processing of another trap type VP shown in S406. As previously mentioned,
When the VP accesses the site as the trap type VP, the cookie sent from the site side stores the VP in the IC terminal 19V corresponding to only the trap type VP (see FIG. 11). Therefore, on the site side that has been accessed as a trap type VP, the trap type VP is
Only the access history and the purchase history can be collected, and the action history (access history etc.) of the trap type VP acting as another trap type VP or using the real name of the VP on the network cannot be totaled. In such a case, another trap type VP from the site side
If the financial institution 7 is requested to provide the data of the action history on the network such as the access history (including the VP using the real name), YES is determined in S530 and the control is performed. Advances to S531, and processing for transmitting the electronic certificate of the financial institution 7 is performed.

Next, in S532, a process of requesting the requester to send the requester's electronic certificate is performed. When the electronic certificate is transmitted from the requester, YES is determined in S533, the control advances to S534, and a process of requesting the requester for the name of the user to be provided is performed. Next, in S535, it is determined whether or not the requester has transmitted the user's name, and if there is, the process proceeds to S536 to request the requester to transmit the user's permit. When the user accesses the site as a trap type VP and provides personal information, the user may also provide behavior history data on the network such as access histories of other trap type VPs (including VPs using real names). In some cases, consent may be given.

That is, referring to FIG. 4, for example, the site M is designated as E ² (B13P), which is a trap type VP.
When accessing EC and providing personal information, other trap type VP E (B13P) also provides action history data on the network such as access history of VP using real name B13P to the site MEC. You may agree that you may. In that case, the user sends an electronic permit to that effect to the site. The permit is digitally signed by the user. S53
If the site sends the permit in response to the request of 6, S
A determination of YES is made by 537, and a determination of whether or not the permit is proper is made by S539. If it is not appropriate, a notification of refusing the provision of the access history is sent to the requester in S545, but if it is appropriate, in S540, another trap type VP (real name) corresponding to the transmitted user name is sent. (Including a VP using), action history data on the network such as an access history and the like are calculated and transmitted to the requester.

On the other hand, when the site as the requester does not have the user's license, a reply without the license is sent to the financial institution 7. Then, a determination of YES is made in S538, the control proceeds to S541, a process of calling the user agent of the user from the XML store 50 is performed, and a process of directly negotiating the user agent with the requesting site side in S542. Is done.

Next, in S543, it is determined whether or not the negotiation has been established. If the negotiation is not established, a notification refusing to provide the access history is transmitted to the requester side in S545. On the other hand, if the negotiation is successful, the control advances to S544, and it is determined whether or not the user who is the personal information owner has unconditionally permitted. If the license is granted unconditionally, the control proceeds to S540, and the process of transmitting the action history data such as the access history to the client side is performed. On the other hand, when the user gives the conditional permission, the control advances to S546, and after the process of storing the condition is performed, the flow advances to S540. When the conditions in S546 are stored, the names of the user and the client who are parties to the negotiation and the determined conditions are compared with the privacy policy of the client side including the disclosure allowable range (allowable distribution range) of personal information. , The parties to the negotiations and the financial institution 7 are digitally signed and stored.

FIG. 20 is a flow chart showing a subroutine program of the processing for collecting and providing the reliability ranking information shown in S407. This subroutine program is for the VP management server 9 to operate based on the data stored in the database 12b. S5
According to 50, J = illegal acquisition value + for each site (trader) +
A process of calculating an unauthorized outflow value × 2 is performed. this is,
The person who illegally leaks (distributes) the personal information is more malicious than the person who illegally obtains the personal information, and thus the crime is heavy, and thus, x2 is performed.

Next, in S551, a process of calculating a bad rank in descending order of the calculated J and storing it in the database 12b for each site (trader) is performed. Then S55
According to 2, it is judged whether or not there is a request to publish the ranking. When the ranking request from the user who is the owner of personal information or the trader is issued to the VP management server 9 of the financial institution 7, the control proceeds to S553, and the ranking data is transmitted to the requester. .

FIG. 21 shows the authentication server 11 shown in FIG.
3 is a flowchart showing the processing operation of FIG. First, in S25, it is determined whether or not the RP has issued a request for issuing an electronic certificate, and the process waits until there is a request. If the RP, which is the user, sends a request for issuing the electronic certificate of the RP from the browser phone 30 to the authentication server 11, control proceeds to S26, and the request for sending the RP address, name, and public key is sent to the browser phone 30. The process of sending is performed. Next, in S27, it is determined whether or not there is a reply of the RP address, name, and public key from the browser phone 30, and the process waits until there is. Then, when the reply is received, the control advances to S28,
A process of creating an RP electronic certificate and transmitting it to the browser phone 30 is performed. Next, in S29, the RP address,
A process of storing the name and public key KP in the database 12a is performed, and the process returns to S25.

22 to 24 show the settlement server 10 of FIG.
3 is a flowchart showing the processing operation of FIG. Through S35, it is determined whether or not there is a request for creating the RP bank account number. If not, the process proceeds to S39, where it is determined whether or not there is a request for creating the VP bank account number, and if not, S40. Then, it is judged whether or not there is a debit card issuance request, and if not, the process proceeds to S41, and it is judged whether or not there is a settlement request, and if not, the process returns to S35.

If the user goes to the financial institution 7 to request the opening of the bank account of the RP and the request to create the bank account number of the RP is input during the circulation of the loop of S35 to S41, the control goes to S36. Proceed and input request for RP address, name, etc. If there is input, control proceeds to S38,
A bank account for the RP is created, stored in the database 12a, and notified to the RP, and the process returns to S35.

If the user goes to the financial institution 7 and requests the opening of the VP bank account and the request for the creation of the VP bank account number is input, the process proceeds to S42 and the VP address, name, etc., and the RP address. , Input of name etc. is requested. The user can either enter this information manually from the keyboard or
Alternatively, the payment server 10 may be provided to the RP IC terminal 19R or VP.
The IC terminal 19V for use is connected to automatically input these data. If the data is input, the control advances to S44, where RP
Whether the correspondence between VP and VP is proper
Confirmed by searching for a.

When the correspondence between RP and VP is not proper, S
Proceed to 51, notify that the response is not appropriate, and return to S35. On the other hand, if the correspondence between RP and VP is proper, S4
Go to 5 and create a bank account for VP, database 1
After being stored in 2a and mailing the bank account to the RP corresponding to the VP, the process returns to S35.

If the user goes to the financial institution 7 to make a request for a debit card issuance request and the debit card issuance request is input, the determination in S40 is YES and the process proceeds to S46, in which the account number, name and password are entered. You will be asked to enter a number. When the user requests the issuance of a debit card for RP, he / she inputs the bank account number, name and PIN of the RP. On the other hand, when the user desires to issue a debit card for the VP, he / she inputs the bank account number of the VP, the name of the VP, and the personal identification number of the VP. Input of these data is performed by the RP IC terminal 19R or the VP I terminal.
The C terminal 19V is connected to the settlement server 10 and automatically input.

When these data are input, the control advances to S48 to store the input data in the database 12a and issue a debit card. Next, the process proceeds to S49, and the process of transmitting the stored data of the issued debit card to the RP IC terminal or the VP IC terminal is performed, and the process returns to S35.

When the payment request is sent to the payment server 10, a YES determination is made in S41 and the process proceeds to S50. After the payment process is performed, the process returns to S35.

FIG. 23 is a flow chart showing a subroutine program of the settlement processing of S50 shown in FIG. For payment requests, some of the funds in the bank account are IC for RP
Withdrawal request to the terminal 19R or VP IC terminal 19V, payment request using a debit card, and withdrawal of the amount of credit used from the credit card issuer when the payment is made using a credit card There is a request. First, from S55, the IC terminal 19R or 19
It is judged whether or not there is a request for withdrawal to V, and if not, the process proceeds to S57, and it is judged whether or not there is a request for payment using a debit card, and if not, S.
In step S58, it is judged whether or not there is a withdrawal request from the credit card issuing company.
4, the inquiry processing from the credit card issuing company is performed, and then other processing is performed in S59, and this subroutine program ends.

When the user sends a request for partial withdrawal of funds from the browser phone 30 or the like to the RP IC terminal 19R or the VP IC terminal 19V to the settlement server 10, S
A determination of YES is made by 55, and the process proceeds to S56. After the legal institution certification process is performed, the process proceeds to S60. In S60,
A process of transmitting a name input request to the browser phone 30 or the like is performed. In response to the request, the browser phone 30 transmits a name output request to the connected IC terminal 19R or 19V. Then I connected
Name is browser phone 3 from C terminal 19R or 19V
0 is transmitted to the payment server 10. The browser phone 30 transmits the transmitted name to the settlement server 10. Then, YES is determined in S61, the process proceeds to S62, and a process of generating a random number R and transmitting it to the browser phone 30 as challenge data is performed.

The browser phone 30 which has received the random number R
Transmits a random number R to the connected IC terminal 19R or 19V, as will be described later. When the IC terminal that receives the random number R is the RP IC terminal 19R, R is encrypted using the stored authentication key KN to generate response data I, which is output to the browser phone 30.
The browser phone 30 transmits the output response data I to the settlement server 10. On the other hand, the random number R
If the IC terminal that has received the VP is the IC terminal for VP 19V, the received random number R is encrypted using the stored public key KP to generate response data I, which is output to the browser phone 30. The browser phone 30 transmits the output response data I to the settlement server 10.

If the response data I is sent,
A YES determination is made in S63, and the process proceeds to S64, where S
According to 60, it is determined whether or not the inputted name is that of the RP, and in the case of the RP, the process proceeds to S65, the authentication key KN of the RP is retrieved from the database 12 and the authentication key KN is searched.
Is used to decrypt the response data I received, that is, to generate DKN (I). Then S
Proceeding to 66, it is judged whether or not R = DKN (I). If the user who issued the withdrawal request to the IC terminal is a proper user registered in the database 12, R = DKN (I) should be obtained. If a fraudulent act of impersonating and withdrawing part of the funds in a bank account is performed, R and DKN (I) do not match. In that case, the control advances to S79, a process of returning the improperness to the browser phone 30 is performed, and the subroutine program ends.

On the other hand, when R = DKN (I), the control is S
Proceed to 67, and input the withdrawal amount request to the browser phone 30.
Is sent to the browser phone 3
If it is sent from 0, control proceeds to S69, the deduction amount G is subtracted from the RP account, and G is set to the browser phone 30.
And the subroutine program ends.

On the other hand, when the user deducts the VP IC terminal 19V as the VP, the real name of the VP is used. If the entered name is the real name of the VP, S6
If NO is determined in step 4, the control advances to step S85 in FIG. In S85, the public key KP of the VP is stored in the database 12
Is performed and a process of decrypting the response data I received using the public key KP, that is, a process of generating DKP (I) is performed. Next, it progresses to S86 and R = DKP
It is determined whether or not (I). V that has made a withdrawal request is registered in the database 12
If an improper act of impersonating P and withdrawing is performed, a negative determination is made in S86, the process proceeds to S79, and the improperness is returned to the browser phone 30. On the other hand, if YES is determined in S86, the process proceeds to S87, the input request for the withdrawal amount G is transmitted to the browser phone 30, and if the withdrawal amount G is transmitted from the browser phone 30, S89 is performed. Then, the subroutine program is ended after the processing of subtracting G from the bank account of VP and transmitting G to the browser phone 30 is performed.

When the user performs a debit card use operation to make a settlement using the debit card, a debit card use request is transmitted to the settlement server 10, a YES determination is made in S57, and the process proceeds to S56. , Legitimate institution certification processing is performed. Then proceed to S70,
The personal identification number and the card information input request are transmitted to the browser phone 30 of the user. If the personal identification number of the debit card and the debit card information are transmitted from the browser phone 30 to the payment server 10, the control proceeds to S72, and it is determined whether the transmitted data is proper,
If it is inappropriate, the process proceeds to S79.

On the other hand, if it is proper, the process proceeds to S73,
Wait for input of usage amount G. If the user inputs the usage amount G and it is transmitted to the payment server 10, the control proceeds to S74, searches the corresponding account, subtracts G, and G
Is transmitted to the browser phone 30 of the user.

When the user uses the real name of RP or VP to make a payment using SET by a credit card as described later, the credit card issuing company 4
A request for withdrawing the credit payment amount is transmitted from (see FIGS. 1 and 15) to the payment server 10. If the withdrawal request is transmitted, YES is determined in S58, the legitimate institution certification process is performed in S56, and then the process proceeds to S75.
Wait for the user's name and account number. When the credit card issuing company 4 sends the user's name and account number, the control advances to S76, and the database 12 is searched to determine whether the input data is proper or not. If it is not appropriate, the process proceeds to S79, but if it is appropriate, the process proceeds to S77 to wait for the withdrawal amount G to be input. If the withdrawal amount G, that is, the total amount of the credit payment amount and the commission is transmitted from the credit card issuing company 4, the control proceeds to S78, and G is subtracted from the account and added to the account G of the credit card issuing company. That is, the transfer process of funds is performed.

If NO is determined in S58, an inquiry process from the credit issuing company 4 is performed in S554, and then the process proceeds to S59 to perform other processes.

FIG. 24B shows the above-mentioned S1a and S1.
9 is a flowchart showing a subroutine program of the legal institution certifying process shown in S56. First, in S90, a process of transmitting the electronic certificate of the institution is performed. The side receiving this digital certificate generates a random number R and transmits the random number R. Then, a determination of YES is made in S91, the process proceeds to S92, and a process of encrypting the received random number R with the secret key KS of the institution, that is, a process of calculating L = EKS (R) is performed, and the calculated L is calculated. Is returned.

On the receiving side that has received this L, R can be obtained by decrypting L using the public key KP of the relevant institution in the already received electronic certificate. By checking whether or not the R and the transmitted R are equal, it is possible to check whether or not they are legal institutions. This will be described later.

FIG. 25 is a flow chart showing a subroutine program of the inquiry processing from the credit card company shown in S554. As described above, when the VP accesses the site as a trap type VP, performs electronic shopping, etc. and makes credit settlement, the VP's own credit number is not used, but the VP's own credit number is used. An encrypted credit number that has been encrypted with the private key several times will be used. For example, as shown in FIG. 4, a VP that has accessed the site MPP as a trap type VP name E (B13P).
Uses the virtual credit number E (3288) when performing electronic shopping or the like and making credit settlement. VP is 3 for credit card issuer 4
I have registered the credit number of 288, but E (328
Up to the encrypted credit number of 8) is not registered. Therefore, when the virtual credit number of E (3288) is transmitted to the credit card issuing company 4 along with the credit settlement, the credit card issuing company 4
Cannot search the virtual credit number of E (3288) in-house to confirm the authenticity.

Therefore, in such a case, the credit card issuing company asks the financial institution 7 to inquire whether the virtual credit number is correct.

If there is an inquiry from the credit card issuing company, the control advances to S561, and the same authentication processing as that described above in S561 to S568 is performed. If the person is confirmed as a result of the authentication, a YES determination is made in S567, the process proceeds to S569, and an input request for the inquiry target data is transmitted to the credit card issuing company. The inquiry target data includes the virtual credit number and the trap type VP name described above. By inputting this trap type VP name as well, it is possible to inquire whether or not the trap type VP name corresponds to the virtual credit number.

If the inquiry target data is transmitted from the credit card issuing company, the control advances to S571, where the database 12a is searched and the transmitted inquiry target data is collated. Next, in S572,
It is determined whether or not the inquiry target data sent as the collation result is proper, and if it is proper, S573 is returned to the credit card issuing company, and if the collation result is not proper, S574 is used. Improper fact is returned to the credit card issuing company. When replying that it is appropriate in S573, a digital signature from the financial institution 7 side indicating that it is appropriate is added to the inquiry target data input in S570, and the credit card issuance issued by the data with the digital signature. It will be returned to Company 4.

26 to 31, and 33 to 36 are flowcharts for explaining the operation of the browser phone 30. Through S95, it is determined whether the IC terminal use mode is set. Browser phone 30 is I for RP
An IC terminal use mode that does not work unless at least one of the C terminal 19R and the VP IC terminal 19V is connected to the USB port 18, and an IC terminal unused mode that can operate even if the IC terminal is not connected It is configured to be able to switch to the mode. Then, if it is not in the IC unused mode, the process proceeds to S96 and other processing is performed. If it is in the IC terminal use mode, the process proceeds to S97 and whether or not the VP IC terminal 19V is connected. If it is determined that the RP IC terminal 19R is not connected, that is, if the RP IC terminal 19R is not connected, that is, if neither IC terminal is connected, , Control is S
Proceed to 99, and after the IC terminal unused warning is displayed, S
Return to 95.

On the other hand, when the IC terminal 19V for VP is connected, the control advances to S100, and the cookie processing for VP is performed. This processing will be described later with reference to FIG. The browser phone 30 does not have a storage area for storing the cookie data sent from the site side. Therefore, all the cookie data sent from the site that needs to be stored is stored in the VP IC terminal 19V or the RP IC terminal 19R. Next, the control advances to S101, and VP birth request processing is performed. This processing will be described later with reference to FIG. Next, in S102, VP input processing is performed. This process will be described later with reference to FIG. Next, in S103, the VP settlement process is performed. This process will be described with reference to FIG.

Next, the control advances to S580, where registration processing of personal information is performed. This personal information registration process is shown in FIG.
This is processing on the browser phone 30 side corresponding to the registration processing of the VP management server 9 shown in (b). First, personal identification processing as a VP is performed, and on condition that the VP management server 9 confirms the personal authentication, the personal information of the VP is transmitted to the VP management server 9 of the financial institution 7 and the database 1
2a is registered.

Next, the control advances to S582, where a personal information confirmation process is performed. This process is a process performed by the browser phone 30 corresponding to the confirmation process shown in FIG. 15 by the VP management server 9 of the financial institution 7. First VP
Is authenticated, and then the database 12a
The process of confirming one's personal information stored in is performed. On the other hand, if there is an error as a result of the confirmation, or if the personal information is changed due to a move, job change, or the like, the change information is changed in step S582.
Is transmitted to the VP management server 9.

Next, the control advances to S583, and VP Web
Browser and mail processing are done. This process is shown in FIG.
It will be described later based on (a). Next, the control advances to S585, where the address, name, and email address are transmitted. On the other hand, if the RP IC terminal 19R is connected to the USB port 18 of the browser phone 30, S9
When YES is determined by 8, the process proceeds to S104 and RP
Cookies are processed. This process is shown in Figure 2.
It will be described later based on 8 (b). Next, in S105, the electronic certificate issuance request process is performed. This processing will be described later with reference to FIG. Next, the control is S106.
Then, the processing proceeds to step RP and input processing for RP is performed. This processing will be described later with reference to FIG. Next, in S107, the RP settlement process is performed. For this process,
The control process is similar to the VP settlement process and is not shown. Next, the control advances to S584, and a false RP access process is performed. This false RP access process is shown in FIG.
It will be described later based on.

FIG. 27 is a flow chart showing a subroutine program of the cookie processing shown in S102. Through S110, it is determined whether or not it has been checked that the personal identification number is proper. If it has been checked, the process proceeds to S120, but if it has not been checked, the process proceeds to S111 to display a password input request. If the user inputs the personal identification number of the IC terminal 19V for VP from the keyboard 77 of the browser phone 30, the control advances to S113, and the input personal identification number is changed to VP.
Processing for transmission to the IC terminal 19V for VP
It waits until a response from the terminal is received (S114).
In the IC terminal 19V for the VP to which the personal identification number has been input, as will be described later, the stored personal identification number and the input personal identification number are collated to determine whether or not they match. If it does not match, a reply that it is not correct is sent. If it is returned that it is appropriate, the determination of YES is made in S115, but if it is returned that it is not appropriate, the control proceeds to S116 to notify that it is not appropriate ( (Display) is performed by the browser phone 30.

Only when it is proper, the personal identification number has been checked, the control advances to S119, and it is judged whether or not there is an access operation to the Web site. The lever subroutine program ends. On the other hand, if there is an access operation to the site, the flow advances to S590 to check whether the trap type VP is already used for the site.
Processing for inquiring the IC terminal 19V for use is performed. As described with reference to FIG. 11, the VP IC terminal 19V stores the accessed site name and the VP name used for it in the cookie data storage area. The IC terminal for VP searches the cookie data storage area and determines whether or not the trap type VP is used for the site inquired from the browser phone 30. Then, the answer is returned to the browser phone 30. Then, the control advances to S592, where it is determined whether or not the answer is that the trap type VP has been used. If the answer is that it has been used, the control advances to S593, where the trap type VP being used and the corresponding cookie are called from the cookie data storage area of the VP IC terminal,
The process of accessing the site with the cookie is performed.

Next, the control advances to S594, where it is determined whether or not a cookie has been transmitted from the accessed site, and if not, this subroutine program ends. On the other hand, even if the user accesses the site together with the cookie data, another cookie may be sent from the site when another page on the site is accessed. When such a cookie is sent, a determination of YES is made by S594, and the control advances to S595, where the trap type VP name and the sent cookie data are transferred to the IC terminal for VP. It The IC terminal for VP performs a process of storing the transmitted cookie data in association with the transmitted trap type VP name.

If it is determined in S592 that the trap type VP is a site that has not been used yet, control proceeds to S596, and a process is performed to ask the user whether or not the trap type VP is used. Specifically, "Do you want to use trap type VP?" Is displayed on the display unit 76 of the browser phone 30.

Next, in S597, it is determined whether or not an operation to use is input from the keyboard 77. When the operation not to use is performed, the control is S
If the operation to use is performed, the control proceeds to S598, and a process of requesting the VP IC terminal 19V to generate a new trap type VP is performed.
The processing of S598 is to transmit the site name accessed in S119 and the command requesting the generation of the trap type VP to the VP IC terminal 19V.

Upon receiving the request, the VP IC terminal determines how many times the last VP name stored in the cookie data area (E ³ (B13P) in FIG. 11 is encrypted ( (3 times in FIG. 11), which is one more than the number of times of encryption (four times in FIG. 11). The real name (B13P) of the VP name is encrypted and a new trap type V
P name E ⁴ (B13P) is generated. Then, the generated new trap type VP is output to the browser phone 30. Then, the determination of YES is made in S599, the process proceeds to S600, and the process of accessing the site is performed using the name of the trap type VP sent from the IC terminal for VP. Therefore, if the site requests a name,
The new trap type VP name E ⁴ (B13P) is transmitted. However, the address transmits the address of B13P, that is, the address of the convenience store of the VP himself. Further, as the e-mail address, the e-mail address ΔΔΔΔΔ opened by the financial institution 7 for the trap type VP is transmitted.

Next, the control advances to S581, where trap information registration processing is performed. In this trap information registration processing, since a new trap type VP is generated according to S598, the V of the financial institution 7 is registered in order to have the newly generated trap type VP registered in the database 12a.
This is a process for transmitting to the P management server 9. This processing is performed, for example, in S143 to S145 and S150 to be described later.
The same check processing for security as in S152 and S160 to S163 is performed, and then the newly generated trap type VP data, that is, the trap type VP name,
This is a process of transmitting the site name, public key, virtual account number, and virtual credit number using the trap type VP name.

Next, the control advances to S601, where it is judged whether or not the cookie has been transmitted from the site side. When it is transmitted, the control advances to S602, and a process of transmitting the trap type VP name used for the site and the transmitted cookie data to the VP IC terminal is performed. The IC terminal for VP performs a process of storing the transmitted cookie data in the area corresponding to the transmitted trap type VP name.

If it is determined in S597 that an operation indicating that the trap type VP is not used is made, the control is S
Proceeding to 121, the cookie for the VP from the IC terminal for the VP, that is, the cookie stored corresponding to the real name of the VP (B13P in FIG. 11) (abc, hij, a in FIG. 11).
mz, rak ...) is called and the process of accessing the site together with those cookies is performed.

In this case, the accessed VP will use the VP real name. Next, the control is S122.
Then, it is judged whether or not the cookie is transmitted from the site. If the cookie is transmitted from the site side, the control advances to S123, where the transmitted cookie is transmitted to the VP IC terminal 19V. When the cookie data is independently transmitted, the IC terminal 19V for the VP automatically performs a process of storing the transmitted cookie data in the storage area corresponding to the VP real name.

FIG. 28A is a flow chart showing a subroutine program of the processing of transmitting the address, name and E-mail address shown in S585. In S700, it is determined whether or not there is a request for transmission of the address, name and E-mail address from the site side, and if there is no request, this subroutine program ends. If so, the control advances to S701, and the VP used for the site
The name, address, and e-mail address will be sent. For example, in the case of the example shown in FIG. 11, the site MT
Since the VP name used for T is E (B13P), this name E (B13P) is transmitted. Address is B1
It is a 3P address, that is, □ △ ○ (see FIG. 3). As the e-mail address, the e-mail address ΔΔΔΔΔ opened by the financial institution 7 for the trap type VP is transmitted.

Cookie processing for this VP and address, name,
As a result of the e-mail address transmission process, when a certain site is accessed as a trap type VP, the previous trap type VP name is automatically used when the site is subsequently accessed and the previous trap type VP name is used. It becomes a state to access as. Also, the cookie data sent from the site side is the trap type V corresponding to the site.
It will be in a state of being attached to P's name. Specifically, referring to FIG. 11, the trap type VP name E (B13
Once accessed using P), the trap type VP name E (B13P) is always used when accessing the MTT after that. In that case, the cookie sent from the previous MTT is used. MTT with MTT
Will be accessed. On the other hand, VP is its real name B1
It is not possible to access the MTT using 3P. If such an access is attempted, S592
Then, a YES determination is made, and in S593, the MTT is automatically accessed as E (B13P).

When the IC terminal 19V for VP is used, the name and address of the VP may be collected on the site side, but the name and address of the RP may be collected on the site side. Since it does not exist, privacy can be protected on the user side as well.

Moreover, by using the trap type VP name, it is possible to check the illegal leakage of personal information as described above.

FIG. 28B shows the RP shown in S104.
5 is a flowchart showing a subroutine program of a cookie process for a computer. In S125, it is determined whether or not the personal identification number has been checked. If it has already been checked that the personal identification number is correct, a YES determination is made in S125 and the process proceeds to S132. On the other hand, if the check that the personal identification number is proper has not been completed, the process proceeds to S126, the personal identification number is requested, and the RP
If the user inputs the personal identification number of the IC terminal 19R for use from the keyboard, the process proceeds to S128, and the personal identification number and R
Processing for transmission to the P IC terminal is performed. Then, the process waits until there is a reply from the RP IC terminal 19R indicating that the personal identification number is appropriate (S129).

When the judgment result of the suitability of the personal identification number is returned from the RP IC terminal 19R, the process proceeds to S130, and it is judged whether or not the reply result is that it is proper. Proceeding to, a notification (display) of the improperness is given. On the other hand, if the reply is that it is appropriate, the process proceeds to S134, and it is determined whether or not there is an access operation to the site. If not, S137.
Other processing of is performed. On the other hand, if there is an access operation to the site, the process proceeds to S135, and it is determined whether or not a cookie (in this case, a tracking cookie) has been transmitted from the site. When a cookie is transmitted from the site, the process proceeds to S136, and processing for rejecting the transmitted cookie is performed. As a result, when the RP IC terminal 19R is used by connecting to the USB port 18 of the personal computer 30, all cookies (tracking type cookies) sent from the site are rejected, and the cookie is used for RP. It can be prevented from being recorded in the IC terminal 19R.

As a result, when the user acts as an RP on the network using the RP IC terminal 19R, the name and address of the RP, which is the real name of the user who is the clue of the tracking cookie, must be collected. The user's privacy is protected.

FIG. 29 is a flow chart showing a subroutine program of the VP birth request processing shown in S101. This VP birth request is a process for issuing a request for creating a new PV to the VP management server 9.
In S140, it is determined whether or not the personal identification number has been checked. If it has been checked that the personal identification number is proper, the process proceeds to S141, but the proper personal identification number is not yet checked. In this case, this subroutine program ends. If the check indicating that the password is proper is completed, the process proceeds to S141, and it is determined whether or not there is a V birth request operation. When the user operates the keyboard of the browser phone 30 to operate the VP birth request, the control proceeds to S142, and the processing of transmitting the VP birth request request to the VP management server 9 of the financial institution 7 is performed. Next, the process proceeds to S143, and the legal institution check process is performed. This legitimate institution check processing is to check whether or not the counterpart institution (in this case, the financial institution 7) is a legitimate institution, and to prevent the fraudulent act by impersonating the financial institution 7 Figure 3
The subroutine program is shown in 0 (a).

First, the subroutine program for the legitimate institution check process will be described with reference to FIG. This legitimate institution check processing is a program on the check side corresponding to the legitimate institution certification processing shown in FIG. First, in S160, it is determined whether or not the electronic certificate is received, and the process waits until it is received. In the legal institution certification process, as shown in FIG. 24, the electronic certificate is transmitted in S90. If this electronic certificate is transmitted, the control advances to S161, and a process of generating and transmitting a random number R is performed. Then, on the institution side, as shown in FIG. 24, in S92, a process of encrypting the received random number R using the secret key SK of the institution, calculating L, and transmitting it is performed. When the browser phone 30 receives the encrypted data L of R, the control proceeds to S163, the process of decrypting L using the public key KP in the received digital certificate, that is, the process of calculating DKP (L). Is performed.

Then, the processing advances to S144 in FIG. 29, where R = D
It is determined whether or not it is KP (L). If it is a legitimate institution, R = DKP (L) should be satisfied, and in that case the process proceeds to S146, but if another person is pretending to be the financial institution 7, a NO determination is made in S144. Then, the process proceeds to S145, and a warning display indicating that the institution is not valid is displayed by the browser phone 30 and the subroutine program ends.

If it is confirmed that the institution is a legitimate institution, the process proceeds to S146, it is judged whether or not an input request for the name and address of the RP is received, and the process waits until it is received.
As described above, when the VP management server 9 receives the VP birth request request, it sends an input request for the RP name and address (see S2). The RP name and address input request is sent to the browser phone. If 30 is received, YES is determined in S146 and control proceeds to S147.

In S147, the processing of displaying the input instruction of the RP name and address on the display of the browser phone 30 is performed, and the operation waits until there is an input (S148). When there is an input, the process proceeds to S149, in which the input data is transmitted to the VP management server 9 of the financial institution 7.

Next, in S150, an identification process is performed. This personal identification processing is processing for proving whether or not the user who made the VP birth request is the person himself / herself, and the subroutine program thereof is shown in FIG. 34 (a). Here, the subroutine program for the personal certificate will be described with reference to FIG.

This personal identification processing is the same as S4 and S6 described above.
When the random number R is transmitted based on 2 etc., it is for certifying the identity based on the random number. First S
It is determined by 125 whether or not the random number R is received, and the process waits until it is received. When the random number R is received, the process proceeds to S216, and the received random number R is transferred to the IC terminal 19R.
Alternatively, the process of transmitting to 19V is performed. As will be described later, the IC terminal performs a process of encrypting the random number R using the stored authentication key KN or public key KP to generate and output the response data I. If the response data I is output, a determination of YES is made in S217, the process proceeds to S218, and a process of transmitting the I to the VP management server 9 is performed.

When performing the VP birth request process shown in FIG. 29, the VP is connected to the USB port 18 of the browser phone 30.
The IC terminal 19V for use is connected. Then, in the identity verification process at the time of the VP birth request process, the IC terminal 19V for the VP is used.
A process of encrypting the random number R using the authentication key KN of the RP stored in is performed. This will be described later.

As a result, in the personal identification at the time of the VP birth request processing in S150 of FIG. 29, the proof of being an RP is made.

Next, in S151, it is determined whether or not an access refusal is received. If an access refusal is received, the flow advances to S152 to display an access refusal. On the other hand, if the access is permitted, the process proceeds to S153, and it is determined whether or not there is an input of the convenience store 2 desired by the user who has made the VP birth request.
Since the address of the born VP becomes the address of the convenience store 2, the user inputs the information specifying the convenience store 2 from the keyboard of the browser phone 30 when the convenience store 2 desired by the user is present. . If there is an input, the data of the desired convenience store 2 is sent to the VP management server 9 in S154.
Sent to. If the desired convenience store 2 is not input, as described above, the address of the convenience store 2 closest to the RP address becomes the birth VP address.

Next, in S155, it is determined whether or not there is a request to send the VP's public key, and the process waits until there is one. As described above, the VP management server 9 issues a VP public key transmission request when a VP birth request is made (see S30). When the browser phone 30 receives the transmission request, control proceeds to S156, and the IC terminal 19 for VP is used.
Issue a public key output request to V. Then, IC terminal 1 for VP
9V outputs the stored public key KP of VP. If there is the output, the control advances to S158, and the output public key KP is transmitted to the VP management server 9 of the financial institution 7.

FIG. 30B is a flowchart showing a subroutine program of the electronic certificate issuance request processing shown in S105. In S165, it is determined whether or not the identification number is proper, and if not, the subroutine program ends. On the other hand, if it has been checked that the personal identification number is appropriate, the process proceeds to S166, and it is determined whether or not there has been a request operation for issuing the RP electronic certificate. When the user operates the keyboard of the browser phone 30 to make an issuance request, control proceeds to S167, and an input instruction of the RP address and name is displayed. If the user inputs from the keyboard, control proceeds to S169,
Processing for calling the public key KP from the RP IC terminal 19R is performed. When carrying out this electronic certificate issuance request processing, the user must specify the USB port 18 of the browser phone 30.
It is necessary to connect its own RP IC terminal 19R to. When the process of S169 is performed, the public key KP for RP stored in the connected RP IC terminal 19R is output to the browser phone 30,
By S170, the output public key KP and the input address and name of the RP are transmitted to the authentication server 11 of the financial institution 7.

FIG. 31A shows a subroutine program of the VP input processing shown in S102.
(B) is a flowchart showing a subroutine program of the RP input processing shown in S106.

When the VP input processing is performed, it is necessary to connect the VP IC terminal 19V to the USB port 18 of the browser phone 30. In S175, it is determined whether or not the check for the proper secret code number has been completed. If the proper secret code number has not been checked, this subroutine program ends. If the correct PIN has been checked, S17
In step 6, it is determined whether or not there is a VP input operation. As described above, the VP management server 9 of the financial institution 7
If the birth processing of the VP is performed by, the name and address of the born VP (address of the convenience store 2),
The IC terminal 19I in which the name of the convenience store 2, the e-mail address, and the electronic certificate are stored is mailed. If the user inserts the IC terminal 19I into the browser phone 30, YES is determined in S176. Then, the process proceeds to S178, and the record data of the IC terminal 19I is read and transmitted to the connected VP IC terminal 19V.

If the user inputs the knowledge data of the VP user agent from the keyboard of the browser phone 30, a YES determination is made in S177 and S
Proceeding to 179, processing for transmitting the input knowledge data to the IC terminal 19V for VP is performed.

When the user partially withdraws the funds from his / her own account of the financial institution 7, the amount G of the withdrawal is transmitted to the browser phone 30 (see S69). The amount of withdrawal G
If is input to the browser phone 30, a determination of YES is made in S180, the process proceeds to S181, and the withdrawal amount G is transferred to the IC terminal 19V for VP and added and stored as a reload amount.

When RP input processing is performed, it is necessary to connect the RP IC terminal 19R to the USB port 18 of the browser phone 30. First, in S185, it is determined whether or not the proper personal identification number has been checked, and if so, the process proceeds to S186 and the RP
It is determined whether or not the electronic certificate has been received. When the user requests the authentication server to issue the RP electronic certificate, the RP electronic certificate is created and sent to the browser phone 30 as described above (see S28). If the electronic certificate is transmitted, YES is determined in S186 and the process proceeds to S187, the received electronic certificate is transmitted to the RP IC terminal 19R and stored in the RP IC terminal. .

When the user operates the keyboard of the browser phone 30 to input the knowledge data of the RP user agent, a YES determination is made in S188, the flow proceeds to S189, and the input knowledge data is stored in the R
Processing for transmission to the P IC terminal 19R is performed, and
The C terminal 19R stores the input knowledge data.

When the user makes a withdrawal request to the settlement server 10 for withdrawing part of the funds in his / her own account, as described above, the withdrawal amount G is from the settlement server 10 of the user. It is transmitted to the browser phone 30. Then, YES is determined in S190 and S191 is set.
Proceed to and transmit the withdrawal amount G to the RP IC terminal 19R,
A process of adding and updating G as the reload amount is performed.

FIG. 32 is a diagram showing an overall schematic system in the case where the user (there are RP and VP) pays the credit card and makes the settlement according to the SET. First, if a card member performs a credit card issuance procedure, the server installed in the credit card issuing company 4 determines that there has been an application for credit issuance and issues a credit card number to the card member. To do. At that time, when the card member requests the issuance of the credit card for the VP, the server of the credit card issuing company 4 is asked to input data such as the name and address of the VP, and based on the data. The financial institution 7 is inquired whether or not the VP is registered with a financial institution. Then, on the condition that it is confirmed that the VP is a regular VP stored in the database 12 of the financial institution 7, the server of the credit card issuing company 4 uses the V
The credit number is issued to P.

In other words, the server of the credit card issuing company 4 includes a credit number issuing step for issuing a credit number for a virtual person. It also includes credit number issuing means for issuing a credit number for a virtual person. Further, as described above, this credit number issuing step or the credit number issuing means requires that the virtual person for which the credit number is issued is confirmed to be a regular virtual person registered in the predetermined institution. As the above, the credit number is issued. A user who possesses a credit card (two types, one for RP and one for VP) issued by the credit card issuing company 4 issues a registration request for a member to perform a transaction by SET to the authentication server 11. The authentication server 11 is
A request for authentication as to whether the user is a credit member of the credit card issuing company 4 is issued to the credit card issuing company 4. The response from the credit card issuing company 4 indicating that they are a member of the credit card is the authentication server 1
If 1 is returned, the authentication server 11 creates an electronic certificate for SET and sends it to the card member.

[0209] In order for the member store 6 such as the electronic mall to enable the transaction by SET, first, the member registration request for the transaction by SET is issued to the authentication server 11. The authentication server 11 sends a request for authentication as to whether or not the member store 6 is a legitimate contract company to the member store contract company (aqua lala) 5 contracted by the member store 6. Member store contract company 5
If you receive a reply from the store that it is a valid member store,
The authentication server 11 creates an electronic certificate for SET for the member store 6 and issues it to the member store 6.

In this state, when the card member performs electronic shopping at the member store 6 and makes a transaction by SET, the card member first transmits a purchase request for goods, services, etc. to the member store 6. At the member store 6, the payment approval unit 33 sends an approval request as to whether or not the purchase request may be approved to the credit card issuing company 4 via the payment gateway 27. When the credit card issuing company 4 sends an approval response back to the member store 6 via the payment gateway 27, the member store 6 transmits the fact that the purchase has been accepted to the card member. The member store 6 also sends a payment request from the payment request unit 34 to the payment gateway 27. The payment gateway 27 sends a payment request corresponding to the payment request to the credit card issuing company 4 and returns a payment response to the member store 6.

When carrying out a purchase transaction for a product or service, the card member and the member store 6 send each other's electronic certificates to confirm that they are legitimate.

When the credit card issuing company 4 issues a credit card to the RP as a user, card information such as the credit card number is input to and stored in the RP IC terminal 19R of the user. on the other hand,
When the user receives a credit card issued by the credit card issuing company 4 as a VP, the electronic certificate issued for the VP is sent to the credit card issuing company 4 so that the financial institution 7 can verify the identity. There is a need. Then, when the credit card issuing company 4 issues a credit card, the card information such as the card number of the credit card is used for the VP I of the user.
It is input to the C terminal 19V and stored.

Issuing the electronic certificate for SET described above also
It is issued in two cases, one for RP and one for VP. Then, the respectively issued electronic certificate for SET is input and stored in each IC terminal 19R or 19V.

FIG. 33 is a flow chart showing a subroutine program of the VP settlement processing shown in S103. First, in S195, it is determined whether or not the check indicating that the personal identification number is proper has been completed. If it has not been completed, this subroutine program is terminated, and if the proper personal identification number has been checked, the process proceeds to S196. move on.

The VP settlement process includes a process of withdrawing part of the funds in the bank account of the user of the financial institution 7 and reloading it into the VP IC terminal 19V, and a process of making a settlement using a debit card. , And a case where payment is performed using a credit card and a case where payment is performed using the reload amount reloaded in the IC terminal 19V for VP.

[0216] If the user carries out an operation of partially withdrawing the funds in his / her bank account and reloading to the IC terminal for VP,
By S197, the withdrawal request is transmitted to the settlement server 10 of the financial institution 7. Next, the process proceeds to S198, and the legal institution check process (see FIG. 30A) is performed.

Next, in S199, it is determined whether R = D _KP (L), and if it is not a legal institution, S11.
A negative determination is made in step 9 and the process proceeds to step S200 to display a warning indicating that the institution is not valid. On the other hand, in the case of a legitimate institution, R = D _KP (L), so the control is S2.
The process proceeds to 01, and it is judged whether or not there is a request for inputting a name, and the process waits until there is. As described above, when there is a request for withdrawal to the IC terminal, the payment server 10 transmits a name input request (see S60). If this input request of the name is transmitted, YES is determined in S201, the process proceeds to S202, and the process of calling the VP name from the VP IC terminal 19V and transmitting it to the settlement server 10 is performed. Next, the process proceeds to S203, and the identity verification process (see FIG. 3).
4 (a)).

[0218] Next, in S204, it is judged whether or not there is an input request for the withdrawal amount.
If not, the process returns to S204. If the settlement server 10 determines that the legitimacy of the user cannot be confirmed during the circulation of the loops of 204 and 205, the settlement server 10 replies that it is improper (see S79). As a result, YES in S205
Is made, the process proceeds to S207, and the improperness is displayed on the display of the personal computer. On the other hand, when the settlement server 10 determines that the person is a legitimate person as a result of the person authentication, it sends an input request for the withdrawal amount to the browser phone 30 (see S87). Then S2
A determination of YES is made by 04 and the routine proceeds to S206.

In S206, processing for displaying the input instruction of the withdrawal amount on the display of the browser phone 30 is performed. If the user enters the withdrawal amount from the keyboard,
The determination of YES is made in S208, the process proceeds to S209, and a process of transmitting the input withdrawal amount G to the settlement server 10 is performed. In the settlement server 10, the withdrawal amount G
If it receives, the process of subtracting G from the VP account and transmitting G is performed (see S89). As a result, S210
Therefore, a YES determination is made and the process proceeds to S211, in which the withdrawal amount G is transmitted to the IC terminal 19V for VP to add G to the reload amount and update the amount.

If the determination is NO in S196, the process proceeds to S220 in FIG. 34B, and it is determined whether or not the debit card is used. If there is a debit card use operation, the process proceeds to S235, and a process of transmitting a debit card use request to the payment server 10 is performed. Next, proceeding to S221, legitimate institution check processing (see FIG. 30A) is performed. And S2
In step 22, it is judged whether or not R = D _KP (L). If it is not a legal institution, a NO determination is made and the process proceeds to S223, and a warning display indicating that it is not a legal institution is displayed. On the other hand, if it is a legal institution, the control advances to S224, it is judged whether or not there is a request for inputting the personal identification number of the debit card and the card information, and the process waits until it is present. When there is a request for using the debit card, the payment server 10 transmits a request for inputting a personal identification number and card information to the browser phone 30 (see S70). If the transmission is received, the control advances to S225, and the input instruction of the personal identification number is displayed on the display unit 76 of the browser phone 30. If the user inputs the personal identification number of the debit card from the keyboard, YES is determined in S226 and the process proceeds to S227, in which the card information is read from the IC card 19V for VP and transmitted to the settlement server 10 together with the personal identification number.

Next, in S228, it is determined whether or not there is a reply that the message is incorrect. The settlement server 10, which has received the personal identification number and the card information, judges whether or not it is proper (S72), and if it is not proper, replies that it is not proper (see S79). If an incorrectness is returned, a determination of YES is made in S228, the flow proceeds to S229, and an indication of inadequacy is displayed.
On the other hand, if the reply indicating that the amount is incorrect is not sent, the control advances to S230, and the input instruction of the used amount is displayed on the display of the personal computer. If the user inputs the amount of money for use from the keyboard, S231 returns Y.
After the ES is determined, the process proceeds to S232, and the process of transmitting the input used amount G to the settlement server 10 is performed.

The payment server 10 that has received the usage amount G
As described above, the bank account corresponding to the user is searched, the used amount G is subtracted, and the used amount G is returned to the browser phone 30 (S74).

As a result, a YES determination is made in S233, and the process proceeds to S234, in which a display to the effect that payment has been completed is displayed on the display unit 76 of the browser phone 30.

If NO is determined in S220, the control proceeds to S238. In S238, it is determined whether or not the credit card has been used.
If the user operates the keyboard 77 of the browser phone 30 and inputs the use of the credit card, the control is S23.
Proceed to 7 and request payment by credit card 6
The process of sending to is performed. This member store is a store where the user is trying to purchase a product or service. Next, the control advances to S239, and the legal institution check process is performed. This legitimate institution check processing is the one shown in FIG. Along with this legitimate institution check processing, the member store 6 transmits the electronic certificate of the member store to the browser phone 30 of the customer, and then, when receiving the random number R, uses the random number by using its own secret key KS. Encryption and the encryption result L
To the browser phone 30 of the customer.

The control advances to S240, and it is determined whether or not R = D _KP (L). Authorized retailers (member stores)
If not, a NO determination is made in S240, and the process proceeds to S241, where a warning display indicating that the store is not an authorized store is displayed. On the other hand, if the store is a valid store (member store), the process proceeds to S242, where the order information OI and the payment instruction PI are sent.
And are created. The order information OI is information for specifying a purchase target such as a product or service, a purchase quantity, and the like. The payment instruction PI is, for example, an instruction to make a credit payment using a credit card with any credit number.

[0226] Next, proceeding to S243, processing is performed to calculate a double digest MD that is a concatenation of the order information OI and the message digest of the payment instruction PI. Then S24
In step 4, the double digest MD and the VP name using the credit card are transmitted to the IC terminal 19V for the VP to issue a signature instruction, and the VP electronic certificate is requested to be output.

The IC terminal 19V for the VP, which has received the VP name using the credit card, the signature instruction, and the output request for the electronic certificate, collates the input VP name with the cookie data storage area and confirms that the VP name is VP. Real name B13P (Fig. 1
Figure out how many times it was encrypted (see 1). Then, the private key is encrypted with the private key the number of times, and the input MD is decrypted using the encrypted private key (KS) to generate a so-called double signature. This double signature will be referred to as D for convenience.
Expressed as _(KS) (MD). The IC terminal 19V for VP outputs the D _(KS) (MD) to the browser phone 30.

The VP name input according to S244 is V
If the real name of P is B13P, IC terminal 1 for VP
Since 9V stores the digital certificate for its real name, the stored digital certificate is stored in the browser phone 3
Output to 0. On the other hand, the VP input according to S244
If the name is the trap type VP name, I for VP
The C terminal 19V does not store the electronic certificate for the trap type VP name. The electronic certificate for the trap type VP name is stored in the XML store 50 as described above. Therefore, in that case, the VP IC terminal 19V
Outputs to browser phone 30 an instruction to obtain an electronic certificate from XML store 50.

After outputting the request of S244 to the IC terminal 19V for VP, if there is any reply from the IC terminal 19V for VP, a YES determination is made in S245 and S60.
Control proceeds to 5. In S605, it is determined whether the instruction is to order the electronic certificate to the XML store 50. If the order is not the order, the process proceeds to S246. If the request is the order, the control proceeds to S606. In S606, the XML store 50 is accessed to search for the electronic certificate corresponding to the trap type VP name, and S2 is searched.
In step 46, the order information OI, the payment instruction PI, the output D _(KS) (MD) as a signature, and the VP electronic certificate are transmitted to the member store 6. At the member store 6, after confirming the information, the purchase acceptance response for accepting the purchase request from the user is transmitted to the browser phone 30 of the user. Then, the determination of YES is made in S247, and the process proceeds to S248 to display that the transaction is completed.

[0230] If the determination is NO in S238, the process proceeds to S249, in which it is determined whether or not the reload amount has been used. The user uses the VP IC terminal 19
If the keyboard operation for using the reload amount stored in V is performed, the control advances to S250, and the input instruction of the used amount is displayed on the display of the browser phone 30. If the user inputs the used amount from the keyboard, a determination of YES is made in S251, the process proceeds to S252, and a request for withdrawing the input used amount G is issued to the VP IC.
Processing for transmitting to the terminal 19V is performed.

When receiving a withdrawal request, the VP IC terminal 19V subtracts and updates the reload amount by the used amount G, and returns a signal indicating that the withdrawal is completed to the browser phone 30. Then, the determination of YES is made in S252a, the process proceeds to S252b, and the G payment process is performed.

[0232] Note that the payment processing for RP is the same as V described above.
Since the processing is almost the same as the payment processing for P,
The repetition of illustration and description is omitted.

FIG. 36A shows the VP W shown in S58.
It is a flow chart which shows an eb browser and a subroutine program of mail processing. Through S607, it is determined whether or not there is a request for access to the site. If there is not, it is determined whether or not there is a request to send an email. If not, this subroutine program ends.

When the user operates the keyboard 77 of the browser phone 30 to access the site, a YES determination is made in S607 and the control is performed in S.
Proceed to 608. In S608, Bluetooth (Blueto
It is determined whether there is a terminal that can use oth) near. Bluetooth is a code name of a short-range wireless communication interface of about 10 meters, and is standardly installed in the browser phone 30. By this S608, if there is no terminal connected to the wide area / large capacity relay network 43 by 10 meters square and capable of using Bluetooth, the control proceeds to S612, and the fact that access is not possible is displayed on the display unit 76 of the browser phone 30. Processing is done. On the other hand, if there is a terminal that can use Bluetooth, the process advances to step S609 to perform processing for accessing the site via the terminal using Bluetooth.

In this way, the browser phone 30 is connected to the IC terminal 19V for the VP, and the browser phone 3 is used as the VP.
When accessing the site from 0, the site is not accessed via the mobile phone base station 55, the mobile phone network 45, and the gateway 53, but is accessed via a terminal connected to the wide area / large capacity relay network. The reason is that there is a possibility that the current position of the browser phone 30 may be indexed by a radio wave transmitted by the browser phone 30. In the case of the browser phone 30, in order to realize a call between the browser phones 30, the closest base station 55 where the browser phone 30 is located is indexed and the call radio wave is transmitted from the base station 55. For this reason, the position information of the browser phone 30 can be specified. When a browser phone 30 that can index such a position to some extent is used and the browser phone 30 is used as an RP or a site is accessed as a VP, a certain RP and a certain VP are always connected. The fact that they exist at the same position is statistically found, and there is a risk that the RP and the VP may be seen as being the same person.

Therefore, when the browser phone 30 is used as a VP to act on the network, a terminal connected to the wide area / large capacity relay network 43 by using Bluetooth without using the mobile telephone network 54. It tries to get into the network via.

On the other hand, when the user operates the keyboard 77 of the browser phone 30 to make a transmission / reception request for E-mail, a YES determination is made in S610 and control proceeds to S611, in which a Bluetooth-enabled terminal is near. It is determined whether or not If not, S6
After proceeding to 11a and performing control to display on the display unit 76 that e-mail cannot be transmitted / received, this subroutine program ends. On the other hand, if there is a terminal that can use Bluetooth nearby, the control advances to S613, and a process of transmitting / receiving an E-mail via the terminal using Bluetooth is performed.

FIG. 36B shows the false R shown in S584.
It is a flow chart which shows a subroutine program of P access processing. If the user often acts as a VP on the network, a trader who collects detailed personal information of both the RP and the VP exhaustively matches and checks both personal information, and the RP that both personal information match. There is a risk that the name and the VP name are calculated and the name of the RP corresponding to the VP is predicted. One possible solution is to reduce the reliability of RP personal information. The fake RP access process is
The name of the RP is given and the site is randomly accessed from one site to the next and automatically walked.

In S650, it is determined whether or not there is a false RP access request, and if not, this subroutine program ends. The user has a browser phone 30
When the fake RP access request is made by operating the keyboard 77, the control advances to S651, where the random number R is generated. Next, in step S652, the random number R is changed to the UR.
Processing for creating L (Uniform Resource Locator) is performed. Next, in S653, a process of trying to access the URL is performed. Next, in S654, it is determined whether or not the access is successful. Since this URL is randomly generated by a random number, there is not always a site corresponding to the URL. Therefore, if there is no corresponding site, a determination of NO is made in S654, control returns to S651, and S651-
The process of S653 is repeated.

By going through the loop of S561 to S564, if there is a site corresponding to the randomly generated URL, YES is determined in S654 and the process proceeds to S655, where the site to be accessed is It is determined whether or not it is within a preset access allowable range. The user, for example, R
An allowable range in which access may be made to the user agent stored in the P IC terminal 19R is input and set. For example, enter and set the access allowable range, such as allowing sites other than sex business related sites. In S655, the user agent stored in the RP IC terminal 19R connected to the browser phone 30 is checked to see if the site to be accessed is within the preset allowable access range. Perform inquiry processing. If it is not within the access allowable range, the control returns to S651 again, and the generation of the URL by the random number and the access to the URL are tried again.

If it is determined in S655 that the access is within the allowable access range, the control advances to S662, in which the RP IC terminal 19R calls a cookie to access the site together with the cookie.

Next, the control advances to S656, where the site is accessed and at the same time randomly acted, and the address, name and fake preference information of the RP are provided to the site as much as possible. It This processing is performed in cooperation with the user agent in the RP IC terminal 19R connected to the browser phone 30.
Next, the control advances to S660, and it is judged whether or not the cookie has been transmitted from the site side. If not, S6
The control advances to 57, but if there is, the control advances to S661, and the transmitted cookie is sent to the RP IC terminal 1
After the processing of storing in 9R is performed, the process proceeds to S657.

Next, in S657, a process for terminating the access to the site is performed, and in S658, it is determined whether or not the predetermined time has elapsed. If the predetermined time has not yet elapsed, the process returns to S651 again. If it is determined that the predetermined time has elapsed, this subroutine program ends.

Referring to FIG. 37 (a), the VP IC terminal 1
The 9V performs the personal identification number check processing in S253. Next, proceeding to S254, cookie processing is performed. Next, the process proceeds to S255, and identity verification processing is performed. Then S256
Proceed to and perform data input processing. Next, proceeding to S257, user agent operation processing is performed. Then S25
Proceed to step 8 to perform the reload amount usage process. Then S2
Proceed to 59 to perform signature processing. Next, in S615,
Trap type VP processing is performed. This process will be described later with reference to FIG.

Referring to FIG. 37 (b), the RP IC terminal 19R carries out a personal identification number checking process in S260, an identity verification process in S262, and S26.
The data input processing is performed by 3, and by S264,
A user agent operation process is performed, and a reload amount use process is performed in S265. Next, in S266, signature processing is performed.

FIG. 38 (a) is a flow chart showing a subroutine program of the personal identification number check processing shown in S253 and S260. In S268, it is determined whether or not the personal identification number has been input. If the personal identification number has not been input, the subroutine program ends as it is. On the other hand, if the personal identification number is input, the process proceeds to S269,
A process of collating the input personal identification number with the stored personal identification number is performed. Next, in S270, it is determined whether or not they match as a result of the collation, and if they do not match, S27.
The process proceeds to 1 and a process of transmitting an improper effect to the browser phone 30 is performed. On the other hand, if they match, the process proceeds to S272 and a reply to the effect is sent.

FIG. 38B is a flow chart showing a subroutine program of the cookie processing (for VP) shown in S254. Through S275, it is determined whether or not there is a cookie input. If a cookie is recorded in the browser phone 30 at the time when the IC terminal 19V for the VP is connected to the browser phone 30, as described above, the recorded cookie data is the VP data.
It is transmitted to the IC terminal 19V for use (see S118). Further, even when a site is accessed by the browser phone 30 and a cookie is transmitted from the site, the transmitted cookie data is used as the VP IC terminal 19V.
(S123). In the IC terminal 19V for the VP, if the cookie is transmitted in S118 and S123, a YES determination is made in S275 and S27.
In step 6, the input cookie data is stored in the cookie storage area corresponding to the VP name.

On the other hand, if NO in S275, the process advances to S277 to determine whether or not a cookie is called. When accessing the site using the browser phone 30, the VP IC terminal 19V calls a cookie and accesses the site together with the cookie (see S121). If the cookie calling process is performed, YES is determined in S277 and the process proceeds to S278, in which the cookie data stored in the cookie storage area corresponding to the VP name and the trap type VP name are stored in the browser phone. Processing for outputting to 30 is performed.

FIG. 38C is a flow chart showing a subroutine program of the personal identification processing (for VP) shown in S255. In S280, it is determined whether or not the random number R is input, and if not, this subroutine program ends. When the random number R is input, the process proceeds to S281, and it is determined whether or not it is a VP birth request. In case of VP birth request, S6, S1
As described in 51, the RP is authenticated using the RP authentication key KN.
Need to prove that he is a legitimate person. Therefore, in the case of a VP birth request, the process proceeds to S283, and a process of encrypting the input random number R with the authentication key KN of RP to generate I, that is, a process of calculating I = EKN (R). Then, according to steps 284 and 284, the calculated I is output to the browser phone 30.

On the other hand, if it is not the time for the VP birth request, S
If NO is determined by 281, the process proceeds to S282, and V
Secret of VP to prove that P is a legitimate person
Calculating I by encrypting the random number R input using the key KS
Processing, that is, I = E _SKThe process of calculating (R)
To do. Then, in S248, the calculated I is blocked.
The process of outputting to the rousaphone 30 is performed.

FIG. 38D is a flow chart showing a subroutine program of the personal identification processing (for RP) shown in S262. In S287, it is determined whether or not the random number R is input, and if it is not input, this subroutine program ends. On the other hand, if it is input, the control proceeds to S288, and the RP IC terminal 19
A process of encrypting R input using the authentication key KN stored in R to calculate I, that is, I = E
_KN (R) calculation processing is performed. Next, the process proceeds to S289, and the process of outputting the calculated I to the browser phone 30 is performed.

FIG. 39 (a) is a flow chart showing a subroutine program of the data input processing shown in S256 and S263. Through S293, it is determined whether or not data has been input. As the input data, as described above, the CD-ROM in which the data regarding the VP created by the VP management server 9 is recorded.
Record data, user agent knowledge data (S1
79, S189), withdrawal amount G (S181, S19
1)) etc. When these data are input, the control proceeds to S294, and the process of storing the input data in the storage area corresponding to the input data is performed.

FIG. 39B is a flow chart showing a subroutine program of the user agent operation processing shown in S257 and S264. By S295
It is determined whether or not there is a public key output request. If there is a request to output the public key, the process proceeds to S298 and the stored public key KP is output. S29
If NO is determined in 5, the process proceeds to S296,
It is judged whether or not there is an output request for debit card information. If so, the process proceeds to S299, and the process of outputting the stored debit card information is performed.

[0254] If NO is determined in S296, the flow proceeds to S297, in which it is determined whether or not there is an output request for credit card information. If so, S3
The process proceeds to 00 to output the stored credit card information. Next, in S301, other operation processing is performed. This other operation processing is shown in FIG.
It will be described later based on.

FIG. 39C is a flow chart showing a subroutine program of the processing for using the reload amount shown in S258 and S265. In S302, it is determined whether or not there is a request for withdrawal of the withdrawal amount G, and if not, this subroutine program ends. If there is, the process proceeds to S303 where the stored reload amount is subtracted from G, and the process proceeds to S304 where a withdrawal completion signal is returned.

FIG. 39 (d) is a flowchart showing a subroutine program of the signature processing shown in S259 and S266. In S370, it is determined whether or not the message digest MD is input, and if not, this subroutine program ends. On the other hand, if the MD is transmitted to the IC terminal in S244 or the like, a YES determination is made in S370, the process proceeds to S371, and a process of decrypting the input message digest MD with the secret key KS to generate an electronic signature is performed. It Next, in S372, processing for outputting the electronic signature DKS (MD) is performed.

FIG. 39 (e) is a flow chart showing a subroutine program of the VP signature processing shown in S259. In S999, it is determined whether or not the message digest MD and the VP name are input from the browser phone 30, and if there is no input, this subroutine program ends.

When the MD and the VP name are input, the control advances to S998, where the secret key (KS) is generated from the input VP name. In particular,
The IC terminal 19V for VP searches the cookie data storage area based on the input VP name, and inputs the V
Determine how many times P's name is the real name B13P (see FIG. 11) encrypted. The private key of VP is encrypted with the private key of VP by the number of times of the calculated encryption, and the private key (K
S) is generated.

Next, the control advances to S997, where a process of decrypting the message digest MD using the secret key (KS) to generate a double signature is performed. Then control is S
Proceeding to 998, processing for outputting the double signature D _(KS) (MD) to the browser phone 30 is performed.

FIG. 40 is a flow chart showing a subroutine program of other operation processing described in S301. Through S305, it is determined whether or not a request for transmitting personal information has been received. This personal information is the user agent knowledge data shown in FIG. 10, and is, for example, personal information such as age, occupation, various preference information, and family structure. The address, name, and email address of the VP are processed in S700 and S701. When the user accesses the member store 6, the life support center 8 or other various sites, the site may request personal information. When the request for the personal information is received, the control proceeds to S306, and it is determined whether or not the privacy policy is received. When the site requests personal information, it sends the user a privacy policy that clearly indicates the purpose of collecting the personal information and the scope of use. If the privacy policy is received, the control advances to S307, and it is determined whether or not the personal information may be transmitted.

This judgment is made by the user in advance by the IC terminal 19R.
Alternatively, 19 V is set by inputting in what case personal information may be transmitted, and a determination is made based on the input setting data. If YES is determined in S307 based on the type of personal information to be requested for transmission and the content of the privacy policy, the process proceeds to S310, where the privacy policy and the personal information are combined into an IC.
A process of decrypting with the secret key KS of the terminal 19R or 19V to generate an electronic signature is performed. Next, the processing proceeds to S310, in which the requested personal information and electronic signature are transmitted to the site side.

Next, the control advances to S313, and a process of changing the character of the VP according to the type of the site which has transmitted the personal information transmission request is performed. A program used as a user agent is stored in the VP IC terminal 19V, and a program that is often used in the field of game software that changes the character of the VP according to the type of site accessed by the user. Remembered For example, when a user frequently accesses an academic site as a VP, the personality of the VP becomes a scholarly personality. On the other hand, when a user frequently accesses a site related to sex, the personality of the VP becomes a slutty and broken personality.

If NO in S307, the process proceeds to S308, and it is determined whether the requested personal information cannot be output. If it is determined that the personal information cannot be output, the process proceeds to S311 and the transmission. After the processing of transmitting the refusal to the site is performed, the process proceeds to S313.

If the user agent stored in the IC terminals 19R and 19V cannot judge whether the transmission is possible or not, the control is S309.
Then, the processing is performed in which the personal information and the privacy policy for which the output request is received are output to the display of the browser phone 30 and the user himself or herself is asked for permission to transmit.
The user who sees it inputs from the keyboard whether or not to send. If there is an input to the effect that the data may be transmitted, a YES determination is made in S312 and the process proceeds to S310, but if there is an input that should not be transmitted, S31 is executed.
If NO is determined in step 2, the process proceeds to step S311.

[0265] If the determination is NO in S305, the flow advances to S314 to determine whether or not there is a conversation request from the RP who is the user. The user selects VP (V
If the user wants to have a conversation with the P user agent), he / she inputs an operation for requesting the conversation from the keyboard. Then, YES is determined in S314 and S314a is set.
Then, it becomes possible to have a conversation while reflecting the current accuracy of the VP.

FIG. 41 is a flow chart showing a subroutine program of the trap type VP processing shown in S615. New trap type VP by S620
It is judged whether or not there is a request for generation of No., and if not, the process proceeds to S623, and it is judged whether or not there is an inquiry as to whether or not the trap type VP has been used. finish.

The browser phone 30 outputs V according to S598.
When a new trap type VP generation request is issued to the P IC terminal 19V, YES is determined in S620 and control proceeds to S621. In S621, IC for VP
A process of adding "1" to the encryption count n of the last VP name in the cookie data area of the terminal 19V and encrypting the real name of the VP with the secret key n + 1 times to generate a new trap type VP name is performed. For example, in the case of FIG. 11, the last VP name E ³ (B13P) in the cookie data area has the number of encryptions of 3 times, and “1” is added to this to make the number of encryptions 4
The real name B13P of the VP is encrypted four times to generate a new trap type VP name E ⁴ (B13P).

Next, in S622, the generated trap type VP is output to the browser phone 30 and stored in an empty area next to the last VP name in the cookie data area.

In accordance with S590, the browser phone 30 outputs V
If an inquiry is made to the P IC terminal 19V as to whether or not the site to be accessed is already using the trap type VP, a YES determination is made in S623 and control proceeds to S624. When making this inquiry, the browser phone 30 asks the IC terminal 19V for VP to
The name of the site you are trying to access is also transmitted. In S624, the cookie data area (see FIG. 11)
Is performed. The control advances to S625, and it is determined whether the trap type VP name has been used for the transmitted site name. For example, when the site name transmitted from the browser phone 30 is MEC, referring to FIG. 11, the trap type VP name E
^It can be seen that ² (B13P) has been used.

When it is determined that the trap type VP name has been used, the control advances to S626, where the fact that it has been used is output to the browser phone 30, and S62
7, the process of outputting the trap type VP used and the corresponding cookie data to the browser phone 30 is performed. For example, in the case of FIG. 11, when the transmitted site name is MEC, E ² (B13P) is output to the browser phone 30 as the trap type VP, and the cookie data mec is displayed in the browser phone 30. Is output to.

As a result of searching the cookie data area in FIG. 11, if the trap type VP is not yet used for the site name transmitted from the browser phone 30, S
A NO determination is made by 625, the control advances to S628, and a processing of outputting the unused state to the browser phone 30 is performed.

42 and 43 are flowcharts for explaining the processing operation of the server 16 of the convenience store 2. By S315, it is judged whether the name, e-mail address, or name of the financial institution of the VP is received. If not received, the process proceeds to S316, and it is judged whether the VP has deposited the purchased product. If it is not kept, the process proceeds to S317, and it is determined whether or not there is an operation for picking up the merchandise. If not, the process proceeds to S318.
After performing other processing, the process returns to S315.

When the settlement server 10 sends the name of the VP, the e-mail address, and the name of the financial institution to the convenience store 2 during the circulation of the loop of S315 to S318 (see S18), the process proceeds to S315. If YES is determined and the process proceeds to S319, the legal institution check process is performed, and then the process proceeds to S320.

In S320, it is determined whether or not R = D _KP (L), and if it is not a legal institution, a NO determination is made and the process proceeds to S321, and a warning display indicating that it is not a legal institution is displayed. On the other hand, if it is a legitimate institution, S320
Thus, a YES determination is made, the process proceeds to S322, and the process of registering the received data in the database 17 is performed.

[0275] If the user performs, for example, electronic shopping as the VP, the purchased product is delivered to the convenience store 2 which is the address of the VP, and the convenience store 2 deposits the product, the result of S316 is YE.
When the determination of S is made, the process proceeds to S316a, and a process of storing the information indicating that the product is stored in the address area of the product storage information of the corresponding VP is performed. At that time, information on whether or not the product has been settled is also stored. Next, the control advances to S323, where the e-mail address of the VP is indexed, and the e-mail address indicating that the merchandise has been deposited is transmitted to the e-mail address. By seeing the email, the VP can know that the purchased product has been delivered to the convenience store, and goes to the convenience store to pick up the product.

[0276] If the user goes to the convenience store 2 as a VP and performs an operation for picking up the delivered merchandise, a YES determination is made in S317. Then, the control advances to S324, and the insertion instruction of the VP IC terminal 19V is displayed. The user who sees it sees that his own VP I
The C terminal 19V is connected to the USB port of the terminal 73 by inserting it. Then, the determination of YES is made in S325, the process proceeds to S326, and the personal identification number checking process is performed. The user uses the keyboard provided on the terminal 73 to VP
Enter the security code. On the condition that the personal identification numbers match and are correct, the control advances to S327, and the processing for calling the VP name from the connected VP IC terminal 19V and searching the database 17 based on the VP name is performed. Then, it is judged in S328 whether or not the product deposit information is recorded in the address region of the product deposit information of the corresponding VP. If there is no merchandise deposit information, the process proceeds to S329, and it is displayed that there is no merchandise deposit. On the other hand, if there is merchandise deposit information, the process proceeds to S330, and an output request for an electronic certificate is made to the IC terminal 19V for VP. The VP IC terminal 19V receives it and
The stored electronic certificate is output to the server 16. Then, the determination of YES is made in S331, the process proceeds to S332, the public key KP in the output digital certificate is read, and the identity check process is performed in S333.

The inserted VP IC terminal 19V is
As described above, the electronic certificate for the VP real name is stored, but the electronic certificate for the trap type VP is not stored, and the electronic certificate for the trap type VP is stored in the XML store 50. When electronic shopping or the like is performed using the VP real name and the purchased product is delivered to the convenience store 2, the VP name called according to S327 becomes the VP real name. In that case, the VP IC terminal 19V can output the electronic certificate in accordance with the request of S330. In that case S33
The determination of YES is made by 1 and the control advances to S332. On the other hand, when electronically shopping is performed using the trap type VP name and the purchased product is delivered to the convenience store 2, the product is taken to the convenience store 2 as a trap type VP. In that case, the VP name called from the VP IC terminal 19V in S327 is the trap type VP name. As a result, an output request for an electronic certificate corresponding to the trap type VP name is issued from S330 to the VP IC terminal 19V. In that case, the IC terminal 19V for VP is X
An instruction to order the electronic certificate from the ML store 50 is output.

If there is the output, the control advances to S631, and after the processing for accessing the XML store 50 to obtain the corresponding electronic certificate is performed, the control advances to S332.

Next, in S334, it is determined whether or not R = D _KP (I). Unauthorized spoofing V
If it is P, the determination of NO is made in S334, the process proceeds to S335, and it is displayed that it is improper. On the other hand, if the VP is appropriate, the control proceeds to S336, the stored merchandise number is displayed, and at S337, it is determined whether the merchandise has been settled. If the VP has been settled, S339 is set. However, if the payment has not been completed, the process advances to step S338 to perform a payment process.

[0280] In S339, it is determined whether or not the delivery of the merchandise has been completed. The clerk of the convenience store 2 looks at the deposit item number displayed in S336,
After finding the product of the corresponding number and delivering the product to the customer, the product delivery completion operation is performed. Then, S33
The determination result of 9 is YES, the process proceeds to S340, the address area of the product deposit information of the database 17 is updated, and the product is not stored, the process returns to S315.

The security code check processing of S326 is shown in FIG.
3 (a). At S345, the input instruction of the personal identification number is displayed, and if the user inputs it, the process proceeds to S347, the input personal identification number is transmitted to the IC terminal 19V for the VP connected to the server 16, and whether the personal identification number is proper or not. If the determination result is returned from the IC terminal 19V for VP, the process proceeds to S349. In S349, it is determined whether or not the determination result is proper, and if it is not proper, the improper display is made in S350 and the process returns to S315. If it is proper, this subroutine ends and the control proceeds to S327.

The identity check process of S333 is shown in FIG.
It is shown in (b). By S355, the process of generating the random number R and transmitting it to the IC terminal for VP is performed, and waits until the response data I for the challenge data R is returned from the IC terminal for VP. If I is returned, this subroutine ends.

The settlement processing of S338 is shown in FIG. 43 (c). The processing of displaying the price of the deposited merchandise is performed in S359, and the flow proceeds to S360, in which it is determined whether or not there is a deposit. If not, the process proceeds to S362, it is determined whether or not there is a payment operation with the reload amount, and if not, the process returns to S360. Then, if the user pays in cash and the clerk at the convenience store performs an operation to the effect that the deposit has been made, S360 returns YE.
When the determination of S is made, the process proceeds to S361, the deposit process is performed to the account of the merchandise sales company, and this subroutine program ends.

On the other hand, if the user performs an operation to that effect to make a payment operation using the reload amount stored in the IC terminal 19 for VP, a YES determination is made in S362 and the flow proceeds to S363, where the price is set. Processing for transmitting the G withdrawal request to the VP IC terminal 19V is performed. Then, the processing proceeds to S364, it is determined whether or not the withdrawal completion signal is output from the IC terminal 19V for the VP, and the process waits until it is output. Then, if the withdrawal completion signal is received, the determination of YES is made in S364 and S36.
Go to 1.

Next, another embodiment will be described. This another embodiment is a simple system in which the personal information protection system is completed by the user side terminal such as the browser phone 30 and the user's personal computer, the IC terminal 19 and the website. The difference from the above-described embodiment is that the email address of the trap type VP is the same as the email address of the VP real name. Therefore, it is not necessary for the financial institution 7 to transfer the email addressed to the trap type VP.
As the name of the trap type VP, the name of the site accessed by the trap type VP is encrypted with the secret key used for the real name of the VP. As for the account number and credit number of the trap type VP, the same account number and credit number as the real name used by the VP are used.

FIG. 44 (a) is a diagram showing information stored in the cookie storage area of the EEPROM 26 of the VP IC terminal 19V. This cookie storage area contains VP
As the name, only the real name B13P of the VP is stored, and no trap type VP name is stored. The name of the trap type VP is obtained by encrypting the site accessed as the trap type VP with the secret key KSB of the VP of the real name. The number of times of encryption is not limited to once, but may be a predetermined number of times of two or more. Therefore, by storing only the name of the site accessed by the trap-type VP, the name of the trap-type VP corresponding to the site name need not be stored, and according to the operation formula of E _KSB (site name), as necessary. It can be calculated each time. The secret key of the trap type VP is obtained by decrypting the site name corresponding to the trap type VP with the secret key KSB of the VP of the real name.
Therefore, it is not necessary to store the public key and the secret key in the IC terminal 19V for the VP in correspondence with the trap type VP, and to calculate each time according to the calculation formula of the secret key = D _KSB (site name) as needed. You can Therefore, it is not necessary to store the “cipher count” in the XML store 50.

FIG. 44B is a flow chart showing a subroutine program of the trap type VP processing. This subroutine program is another embodiment of the trap type VP processing shown in FIG. In S960, it is determined whether or not there is a request to generate a new trap type VP from the browser phone 30, and if so, the control proceeds to S959, and the browser phone 30 is requested to input the name of the site to be accessed. . Browser phone 30
If the name of the site to be accessed is transmitted from, the control advances to S957, where the transmitted site name is V
A process of encrypting with the private key KSB of the real name B13P of P and calculating E _KSB (site name) which is a new trap type VP name is performed. Next, the control advances to S956, and the calculated new trap type VP name is set to the browser phone 30.
Is output, and the input site name is stored in the cookie storage area in S954.

S953 to S948 are S shown in FIG.
Since the control is the same as that of S.623-S628, repeated description is omitted.

FIG. 44C is a flow chart showing a subroutine program of the personal information distribution check performed by the IC terminal 19V for VP. In S970, it is determined whether or not an e-mail is received, and if not, this subroutine program ends. When the e-mail addressed to the trap type VP is received, the browser phone 30 inputs the e-mail data into the IC terminal for VP. Then, the control advances to S969, where the input e-mail address is the public key KPB used as the real name of the VP.
The calculation of D _KPB (address) to be decrypted is carried out, and it is judged whether or not the calculation result matches the sender name of the E-mail.

The e-mail address is the trap type VP name, and the trap type VP name uses the site name accessed by the trap type VP encrypted with the private key KSB of the VP. Therefore, if an e-mail is sent to the trap type VP from the site accessed by the trap type VP using the name, the determination of YES should be made in S969. In that case,
In step S968, the fact that it is appropriate is output to the browser phone 30, and the display unit 76 of the browser phone 30 displays the fact. On the other hand, if an e-mail is sent from a site other than the site accessed by the trap type VP using the name, with the trap type VP name as the e-mail address, a negative determination is made in S969 and control is passed to S967. move on. In S967, the processing of decrypting the e-mail address with the public key KPB of the VP having the real name is performed. As a result, the trap type VP name, which is the address of the email, is decrypted with the public key KPB, and the plaintext site name is calculated. This site name is the name of the site accessed as the VP name used for the email address, and it is conceivable that the accessed site illegally distributed personal information to the sender of the email. Therefore, S967
As a result, D _KPB (address) is illegally distributed, and the fact that the sender of the sender name is illegally obtained is output to the browser phone 30. In the browser phone 30, the display unit 76 displays that effect.

When the determination of NO is made in S969, the processes of S494 and S494a in FIG. 17 described above may be performed, and then the process may proceed to S967 only when the determination of NO is made in S494a.

Next, modifications and characteristic points of the above-described embodiment will be listed below. (1) As mentioned above, browser phones (mobile phones)
In the case of a portable transceiver that transmits / receives radio waves to / from the nearest base station such as 30 or PHS (Personal Handy-phone System), the current location of the portable transceiver is to some extent to identify the nearest base station. It is designed to be indexed. When performing a behavior on the network such as accessing a site as a VP by using such a portable transceiver, the position is specified to some extent while using the portable transceiver as the VP. There is a risk that As a result, the statistical result that a certain VP is always located in the same place as a certain RP is determined, and there is a risk that the relationship between the VP and the RP may be discovered.

Therefore, the following means are adopted. It is a portable transceiver that is carried by a user and transmits / receives radio waves to / from the nearest base station and can enter the network through the base station. A real person in the real world is on the network. Virtual person processing function (S100 to S103, S580, S582 to S58) for impersonating a virtual person (virtual person) and acting as the virtual person when acting in
5) is provided, and when the user enters the network as a virtual person by using the virtual person processing function, direct wireless communication (Bluetooth) is performed to the terminal connected to the network, and the base station Virtual person separate route entry means (S60) for performing the process of entering the network from the terminal instead of the entry route from
7 to S613), a portable transceiver (browser phone 30 or the like).

As a result of adopting such means, when the user enters the network as a virtual person,
By using the alternative route entry means for virtual people, it is possible to enter by another route instead of the entry route from the base station,
As a result, it is possible to prevent the inconvenience that the position of the virtual person is specified as much as possible.

The following may be adopted as means for producing such effects. A portable transceiver (browser phone 30) that is carried by the user and can transmit and receive radio waves to and from the nearest base station to enter the network.
And the like) for operating a processor (CPU 197) provided in the processor, and impersonating the processor as a virtual person when the real person in the real world acts on the network. Virtual person processing means (S100 to S10) for performing processing for allowing the user to act as the virtual person.
3, S580, S582 to S585), when the user enters the network as a virtual person by the virtual person processing means, wireless communication is directly performed to a terminal connected to the network, and Another route entry means for virtual persons (S607 to S613) that enters the network from the terminal instead of the entry route of
A program to function as.

(2) The trader side who uses the personal information of the user needs to confirm whether or not the personal information to be provided is really correct.

Therefore, the following means are adopted. When a user requests the predetermined institution to register personal information, the authenticity check processing means (S420) for performing processing for checking the authenticity of the personal information, and the result of the processing by the authenticity check processing means. , Digital signature means (S425) for applying a digital signature of the predetermined institution to the personal information that is judged to be correct, and storing the personal information with the digital signature in a form that can be specified by the user of the personal information. A personal information storage means (S425, database 12a) and a search means for searching the personal information storage means for personal information corresponding to a user name in response to a request from a client. Including a personal information system.

The personal information system may further include the following means. When the client requests the authenticity check of the personal information owned by the client, the personal information corresponding to the personal information owned by the client to be checked is searched from the personal information storage means, and the search is performed. Authenticity check means (S471, S472) for checking the authenticity by comparing the personal information obtained with the personal information of the requester, and a result notification for notifying the requester of the authenticity result by the authenticity check means Means (S487), a digital signature means (S486) for applying a digital signature of the predetermined institution to the personal information when the check result of the authenticity checking means and the personal information of the requester are correct contents, To ask the user corresponding to the personal information that is the target of the authenticity check whether or not the requester may be notified of the result of the authenticity check by the authenticity check means. Means for performing processing (S476, S477), negotiation processing for performing processing for negotiating the price of the purchase when the client makes a purchase request for the personal information stored in the personal information storage means. Means (S504 to S506), a transmitting means (S) for transmitting personal information to be purchased together with the digital signature of the predetermined institution to the purchaser to the purchaser when the negotiation is successful as a result of the negotiation by the negotiation processing means.
509), when the negotiation is successful as a result of the negotiation processing means, the conditions that are satisfied are stored with digital signatures of the user corresponding to the personal information to be purchased, the purchase requester, and the predetermined institution. Means of storage (S50
8).

(3) If the user often acts as a VP on the network, a trader who collects detailed personal information of both the RP and VP performs a thorough matching check on both personal information, and RP with matching personal information
There is a risk that the name and the VP name are calculated and the name of the RP corresponding to the VP is predicted.
Therefore, the following solution is adopted.

Real person in the real world (real person)
A personal information protection device used in a personal information protection method, which enables a user to impersonate a virtual person (virtual person) when acting on the network and act as the virtual person, in response to a request from the real person. A personal information protection device including access means (S651 to S662) for accessing a site that the real person does not intend.

As a result of adopting such a means, it is possible to automatically access a site that the real person does not intend, and it is possible to reduce the reliability of the personal information of the real person. As a result, it is possible to reduce the reliability of the result of the matching check of the personal information of both the real person and the virtual person.

The personal information protection device may further include the following means. In the site accessed by the access unit, an action unit (S656) performing an unintended action by the real person, and an individual performing a process of providing the real name (Taro) of the real person to the site accessed by the access unit. Information provision processing means (S65
6), cookie acceptance processing means (S660, S661) for accepting and storing the identification data (cookie) transmitted to identify the user from the site accessed by the access means, to the access means. An access prohibition means (S655) is provided, which determines whether the site to be accessed is within the access allowable range preset by the user, and does not access if it is not within the access allowable range. In the above-described embodiment, is configured by the user side terminal (browser phone 30 or the like), but the present invention is not limited to this, and, for example, a predetermined RP access processing service is provided in response to a user's request. If a service institution is set up and the user requests the service institution, Access means, action means that you mentioned,
You may make it operate | move like this. Further, preference information different from the preference information of the real person may be provided to the site side.

(4) "Person" and "individual" in the present invention
The term is a broad concept that includes corporations as well as natural persons. In the present invention, “anonymity” is the name of a virtual person (VP), and the name of a virtual person and the anonymity of a real person are the same concept. Therefore, the address, e-mail address, and electronic certificate of the virtual person are the address, e-mail address, and electronic certificate when the real person anonymously acts on the network.

The "personal information protection device" referred to in the present invention is a broad concept including not only the device itself but also a system constructed so that a plurality of devices cooperate to achieve a certain purpose.

(5) As shown in FIG. 1, in the present embodiment, the financial institution 7 is provided with the VP management function, the settlement function, and the authentication function. The VP management function may be taken over by a predetermined organization other than a financial institution that has a confidentiality obligation and is separated and independent. As the prescribed institution that takes the place of the above, a public institution such as a public office may be used. Further, the electronic certificate issuing function for issuing an electronic certificate to the RP or VP may be separated from the financial institution 7 and made independent, and a specialized certificate authority may be taken over.

In this embodiment, the address of the convenience store 2 is the VP address. However, instead of this, for example, a post office or a parcel delivery / collecting place at a physical distribution company may be the VP address. In addition, a dedicated facility serving as a VP address may be newly installed.

In this embodiment, the financial institution 7 as an example of the predetermined institution performs the process of creating a VP. However, the present invention is not limited to this. A VP is born (born) by 30) and the VP information such as the name, address, public key, account number, and email address of the VP is registered in a predetermined institution such as the financial institution 7. May be.

The created VP does not necessarily have to be registered in a predetermined institution. (6) The IC terminal 19R or 19V as an example of the processing device is an IC card, a mobile phone, a PHS, or a PD.
It may be configured by a portable terminal such as A (Personal digital Assistant). When configuring with these portable terminals,
Two types of mobile terminals, one for VP and one for RP, may be prepared, but it is possible to switch between VP mode and RP mode so that one type of mobile terminal is sufficient. You may comprise.

Instead of installing the application software by the IC terminal 19I shown in FIG. 9, the supplier of the application software may download the application software to the browser phone 30 or the like via the network.

(7) In the present embodiment, as shown in FIG. 12, the VP's electronic certificate is automatically created and issued when the VP is born. The electronic certificate of the VP may be created and issued only when the user issues an electronic certificate request.

As shown in FIG. 23 and the like, in the present embodiment, in the case of authenticating the RP, the authentication key K of the RP is used.
Although N is used, if the RP has been issued an electronic certificate, the public key in the electronic certificate may be used to authenticate the identity of the RP.

(8) A personal computer may be used instead of the browser phone 30.

The e-mail address ΔΔΔΔΔ opened by the financial institution 7 for the trap type VP is not only one kind of e-mail address, but a plurality of e-mail addresses may be prepared and used for each trap type VP name. Good. S620 to S62
2 or S960 to S956 constitutes a new anonymous generation means for generating anonymity that has not been used until now when a new anonymous (trap type VP name) generation request is made. By S431 to S441 or S954,
Anonymous registration agency (financial institution 7 or EEPROM 26) that performs the anonymous registration generated by the new anonymous generation means.
On the other hand, when there is a newly created anonymous registration request, an anonymous registration means for registering the anonymous is configured.

Through the above-described steps S450 to S460, when the user requests the registration agency that has registered the personal information of the user to confirm the personal information of the user, the personal authentication means (S452) for authenticating the user. ~ S45
The personal information transmitting means for transmitting the personal information corresponding to the user to the user is provided on condition that the person is confirmed as a result of the personal authentication by 8).

The trap type VP name shown in FIG. 44 (a) may be a composite of the site name and the private key KSB of the VP.

That is, by S957, D_KSB(site
Name) to generate a trap type VP name
Good. In that case, by S969, E_KPB(E-mail
Address) = sender's name
And In S967, E _KPB(Email address) is
Illegal leakage is output and the fact that the sender of the sender name is illegally obtained is output.
Processing.

Anonymity generating means for generating anonymity generated by encrypting or decrypting the name of the site, which is accessed by the user through the network, by the key (secret key KSB) that can be used by the user in S957 described above. Is configured.

Information that can be used to specify the identification information used to specify the site that the user has accessed through the network and provided his / her own personal information, and the person who obtained the personal information is the person who is the owner of the personal information. Although anonymous (trap type VP name) was used in the above-described embodiment as identification information to be included in the email when sending an email, instead of or in addition to this, a plurality of different types of use are used for each site. An email address or an address for direct mail (post office box, etc.) may be used.

(9) A personal information protection system for protecting personal information on a network (wide area / large capacity relay network 43), which is a real person in the real world.
And a virtual person birth processing means (S1 to S12) for performing a process of spoofing a virtual person (virtual person) to create a predetermined virtual person when the person acts on the network. A personal information protection system, comprising: registration processing means (S15) for performing processing of registering information capable of specifying a correspondence relationship between the real person and the virtual person at a predetermined institution that has a confidentiality obligation.

(10) The predetermined institution is the financial institution 7. (11) A personal information protection system for protecting personal information on a network (wide area / large capacity relay network 43), which is a virtual person when a real person (real person) in the real world acts on the network. Virtual person birth processing means (S1 to S12) for performing a process of giving birth to a predetermined virtual person for impersonating (virtual person) and acting as the virtual person, and issuing an electronic certificate for the virtual person And an electronic certificate issuance processing means (S16) for performing the processing for performing.

(12) A personal information protection system for protecting personal information on a network (wide area / large capacity relay network 43), when a real person in the real world acts on the network. , Virtual person birth processing means (S1 to S1) for performing processing to spawn a predetermined virtual person for impersonating a virtual person (virtual person) and acting as the virtual person.
2) and address setting means (S) for performing processing for setting the address of the virtual person to an address different from that of the real person.
9 to S12).

(13) The address of the virtual person is the address of a predetermined convenience store (S9 to S11).

(14) A personal information protection system for protecting personal information on a network (wide area / large capacity relay network 43), when a real person in the real world acts on the network. , Virtual person birth processing means (S1 to S1) for performing processing to spawn a predetermined virtual person for impersonating a virtual person (virtual person) and acting as the virtual person.
2) and credit number issuing processing means (card issuing company 4) for performing processing for issuing the credit number for the virtual person, and using the credit number issued by the credit number issuing processing means. Allowed to pay by credit as the virtual person (S
58, S56, S75 to S78).

(15) A personal information protection system for protecting personal information on a network (wide area / large capacity relay network 43), when a real person in the real world acts on the network. , Virtual person birth processing means (S1 to S12) for performing processing of spoofing a virtual person (virtual person) and creating a predetermined virtual person so that the person can act as the virtual person.
Account opening processing means (S39, S42 to S45) for performing processing for opening a bank account for the virtual person, and the virtual person using the funds in the account opened by the account opening processing means. Payment is made possible (S55 to S57, S60 to S74).

(16) A personal information protection system for protecting personal information on the network (wide area / large capacity relay network 43), when a real person in the real world acts on the network. , Virtual person birth processing means (S1 to S1) for performing processing to spawn a predetermined virtual person for impersonating a virtual person (virtual person) and acting as the virtual person.
2) is included, the reception restriction of the identification data (cookie) transmitted for the site side to identify the user is restricted depending on whether the person acts on the network as the real person and the person acts on the network as the virtual person. It was made possible to be different (S110-S123, S12
5 to S137).

(17) A processing device (VP management server 9) used to protect personal information on a network (wide area / large capacity relay network 43), in which a real person in the real world is a network. When acting on
Request accepting means (S1) for accepting a request to spawn a predetermined virtual person for impersonating a virtual person (virtual person) and acting as the virtual person;
Virtual person birth processing means (S1a to S12) that performs processing for giving birth to a virtual person on condition that the request is received by the request receiving means (condition that YES is determined in S1). A correspondence relationship storage processing means (S15) for performing processing for storing information capable of specifying a correspondence relationship between the virtual person born by the virtual person birth processing means and the real person corresponding to the virtual person as a database. including.

(18) A processor (VP management server 9) for protecting personal information on the network (wide area / large capacity relay network 43), in which a real person in the real world is a network. When acting on
Accept the input of the public key (KB) of a predetermined virtual person created to impersonate the virtual person and act as the virtual person (S1).
4), public key storage processing means (S15) for performing processing for storing the input public key in the database,
An electronic certificate creation / issuing processing means (S16) for creating and issuing an electronic certificate for the virtual person corresponding to the stored public key. On the condition that the information capable of specifying the correspondence relationship between the real person and the virtual person is the registered virtual person registered in a predetermined institution (financial institution 7) having a confidentiality obligation (by S7 If YES is determined), the electronic certificate creation and issue process is performed (the process of S16 is performed).

(19) A processing device (a server of the member store 6) for protecting personal information on the network (wide-area / large-capacity relay network 43), which is a real person in the real world. When acting on the network,
Approval of payment when there is a purchase request by credit payment using a credit number issued to a predetermined virtual person created to impersonate a virtual person (virtual person) and be able to act as the virtual person Payment approval processing means for performing processing (payment approval unit 33)
And a payment request processing unit (payment requesting unit 33) for performing processing for issuing a request for payment by credit approved by the payment approval processing unit to the credit card issuing company 4.
The payment approval processing means confirms the electronic certificate issued for the virtual person, and then approves the payment.

(20) A processing device (settlement server 10) for protecting personal information on the network (wide area / large capacity relay network 43), in which a real person in the real world is on the network. When acting in
To accept a withdrawal request for withdrawing funds in a bank account opened for a given virtual person that was created to impersonate a virtual person (virtual person) so that he / she can act as the virtual person. Withdrawal request acceptance processing means (S55) for carrying out the processing of (1), and withdrawal request accepted by the withdrawal request acceptance processing means,
Withdrawal processing means (S6) for performing processing for indexing a bank account corresponding to the virtual person concerned and withdrawing funds corresponding to the requested amount (G) from funds in the bank account.
9) and are included.

(21) A processor (server 16) for protecting personal information on the network (wide area / large capacity relay network 43), in which a real person (real person) in the real world is on the network. When acting, it is an address of a predetermined virtual person that was created to impersonate a virtual person (virtual person) so that he / she can act as the virtual person, and the address is different from the real person (address of the convenience store 2). ) In which the processing device is installed, and storage processing means (S322) for performing a process for storing in the database 17 information that can identify the virtual person whose address is the installation address of the processing device. ) And a commodity purchased by the virtual person stored in the storage processing means and delivered to the address where the processing device is installed. When a deposit information storage processing unit (S316a) performs a process for storing information that can specify that the deposited product has been deposited in the database, and there is a withdrawal request for the deposited product (YES in S317).
(If S is determined), it is confirmed that the virtual person who issued the delivery request is a virtual person stored in the database (S327), and that the virtual person is handling a product. And the delivery permission processing means (S336) for performing the processing for issuing the delivery permission of the corresponding merchandise on the condition that the confirmation is made (on the condition that YES is determined in S328).

(22) A program for protecting personal information on the network (wide area / large capacity relay network 43) or a recording medium (CD-R) recording the program.
OM31), which allows a computer (personal computer 30) to impersonate a virtual person (virtual person) and act as the virtual person when a real person (real person) in the real world acts on the network. A birth request determining means (S141) for determining whether or not there is a request operation for creating a predetermined virtual person for performing the birth, and when the birth request determining means determines that there is a birth request, Birth request transmission means (S142) for performing processing for transmitting the birth request request of the virtual person to a predetermined institution (financial institution 7), and information capable of specifying the real person making the birth request of the virtual person. Predetermined information transmitting means (S147 to S) for performing processing for transmitting information necessary for the birth of the virtual person to the predetermined institution. 49), and a program for causing the functions or computer-readable recording medium on which the program is stored.

(23) A processing device (VP IC terminal 19V) for protecting personal information on the network (wide area / large capacity relay network 43), the processing device being a user terminal (personal computer). 30) and is configured to exchange information (USB)
The information processing device is configured to be capable of exchanging information via the port 18) and is a portable processing device carried by a user, and the user, who is a real person in the real world, is predetermined on the network. When the identification data (cookie) sent by the site to identify the user is used to impersonate the virtual person and act as the virtual person, the identification data is sent to the terminal. It is configured so that it can be stored instead of the terminal (S276).

(24) Further, when the user accesses the site by the terminal (personal computer 30), the stored identification data (cookie data) is output as needed to output the identification data to the site. It is configured to be able to be transmitted to (S278).

(25) The processing device (IC terminal 19V for VP) has an input / output unit (I / O port 21) for enabling input / output of information to / from the user terminal, and the user terminal. When the identification information is input from (when YES is determined in S275), the identification information storage unit (S2) that stores the input identification information.
76) and are further included.

(26) The processing device (IC terminal 19V for VP) stores when an output command of the identification information is input from the terminal of the user (when YES is determined in S277). An identification information external output unit (S278) for externally outputting the identification information being output is further included.

(27) The processing device (IC terminal 19V for VP) uses the information (name of VP,
The address, the e-mail address of the VP, the public and private keys of the VP, the age of the VP, the occupation, etc.) are stored, and when an output command of information regarding the VP is input (S29).
5, when the determination of YES is made by S305 or the like), it further includes information external output means (S298, S310, etc.) for externally outputting the stored information about the virtual person.

By the above-mentioned legitimate institution proof processing, legitimate institution check processing, identity verification processing, and identity verification processing such as S4 to S7, identity authentication means for confirming identity and preventing impersonation is constituted. ing.

S13 to S16 constitute virtual person electronic certificate issuing means for creating and issuing an electronic certificate for a virtual person (virtual person). S25 ~
S28 constitutes a digital certificate issuing means for a real person that creates and issues a digital certificate for a real person (real person) who actually exists in the real world.

S39 to S45 constitute a bank account creation processing means for carrying out a process for creating a bank account for a virtual person (virtual person).

[0340] S40 to S49 constitute debit card issuing processing means for performing processing for issuing a debit card for a real person (real person) or a virtual person (virtual person). S55 to S69
By this, the processing device (IC terminal 19V for VP) carried by the virtual person (virtual person) is processed to withdraw part of the funds in the bank account of the virtual person (virtual person) and reload it. The means for processing the withdrawal of funds is configured.

By S57 to S74, a debit card settlement processing means for performing a process for making a settlement using the debit card of the virtual person (virtual person) is configured. S57 to S78 constitute credit card payment processing means for performing processing for making a payment using a virtual person's credit card. This credit card payment processing means is a Secure Electronic Transaction (SE
Settle according to T).

(28) In the present embodiment, as shown in FIG. 28, the acceptance of cookies is restricted or rejected. Instead of or in addition to this, when the user re-accesses the site side, In addition, it may be controlled to prohibit or limit the transmission of the already stored cookie to the site side. That is, in the personal information protection system according to the present invention, the identification data transmitted by the site side to identify the user when the person acts on the network as a real person and when the person acts on the network as a virtual person. It is also possible to set different transmission restrictions when transmitting the already stored identification data to the site side.

S140 to S158 constitute a birth request processing means for carrying out a process for the user to make a birth request for his / her own virtual person (virtual person). By S9 to S12, the address determination processing means for performing processing for determining the address of the virtual person (virtual person) to be born and different from the address of the real person (real person) who is the birth requester is configured. Has been done. The address determination processing means determines the address of the convenience store as the address of the virtual person (virtual person). Further, the address determination processing means can determine the address of the convenience store desired by the real person (real person) who is the birth requester as the address of the virtual person (virtual person). Further, the address determination processing means can determine the address of the convenience store, which is close to the address of the real person (real person) who is the birth requester, as the address of the virtual person (virtual person).

Through S305 to S312, the processing device carried by the user (RP IC terminal 19R, VP I terminal
It is provided in the C terminal 19V), and is stored when a request to send personal information as a real person (real person) or personal information as a virtual person (virtual person) of the user who owns the processing device is received. The personal information automatic output means capable of selecting and outputting the corresponding personal information from the stored personal information is configured. This personal information automatic output means automatically discriminates whether or not the personal information that is the subject of the transmission request may be transmitted (S307,
308, 310, 311). The automatic discrimination processing means allows the user to input and set in advance which type of personal information to output, and performs automatic discrimination according to the input setting. Further, if the automatic discrimination processing means cannot automatically discriminate, it outputs the requested personal information and the transmitted privacy policy, and performs processing for asking the user whether to permit transmission (S30).
9).

[0345] By S313, it is provided in the processing device for the virtual person carried by the user.
A virtual person personality change forming unit configured to change a personality of a virtual person formed by the processing device according to a usage state of the processing device is configured. The virtual person personality change forming means changes the personality according to the type of the site accessed by the user as a virtual person (virtual person).

In S314 and S314a, when the user requests a conversation with the virtual person, the conversation with the virtual person reflects the current personality formed by the personality change forming means. Personality-reflecting conversation realization processing means for performing realization is configured.

The convenience store 2 constitutes a merchandise depositing area for depositing merchandise purchased by a virtual person on the network. The database 17 constitutes a virtual person registration means for registering a virtual person (virtual person) who is a target for depositing products at the product deposit area. The virtual person registration means stores the custody specifying information for classifying each virtual person (virtual person) and specifying whether or not the commodity is kept. Further, payment specifying information for specifying whether or not the product has been settled is stored. Further, the virtual person (virtual person) is categorized and the e-mail address of the virtual person (virtual person) is stored.

Through S323, a virtual person (virtual person) who is provided in the product depository and is keeping the product
E-mail transmission processing means for performing processing for transmitting an e-mail indicating that the merchandise has been deposited to the e-mail address. Through S317 to S340, the product delivery processing means that is provided in the product depository and performs a process for delivering the product to the user when the user receives the product as a virtual person (virtual person). It is configured. The commodity delivery processing means carries out the delivery processing on condition that the virtual person (virtual person) of the user who came to the delivery can be confirmed as the person himself / herself. The merchandise delivery processing means determines whether or not the merchandise to be delivered has been settled, and if not settled, the merchandise delivery processing is performed on the condition that the settlement has been made.

The embodiments disclosed this time are to be considered as illustrative in all points and not restrictive. The scope of the present invention is shown not by the above description but by the claims, and is intended to include meanings equivalent to the claims and all modifications within the scope.

[0350]

Specific Examples of Means for Solving the Problems Next, the correspondence between various means for solving the problems and the embodiments will be shown below.

(1) A personal information protection method for protecting personal information on a network using a computer system, in which a user accesses the network (wide area / large capacity relay network 43) and provides his / her own personal information. Identification information used to specify a site to be included in the mail when the person who obtained the personal information sends a mail (e-mail, direct mail) to the user who is the owner of the personal information. Identification for generating identification information (trap type VP name as anonymity, E _KSB (site name) in FIG. 44A, E-mail address used for each site and address for direct mail) using the processor (CPU 24) Information generation step (S620 and S6
21 or S960 to S956), and a personal information providing step (S593, S600, S700, S701) in which the user accesses the site and provides personal information using the identification information generated by the identification information generating step,
The site identified by the identification information included in the email sent by the person who obtained the personal information provided by the personal information providing step to the user who is the personal information owner, and the sender of the email. And a monitoring step (S516 or S969) of monitoring the distribution state of the personal information of the user by determining whether or not

(2) The identification information is anonymity (trap type VP name shown in FIG. 11 and FIG. 44 (a)) of users who are selectively used for each site.

(3) A personal information protection device for protecting personal information on a network by using a computer system, in which a user accesses his / her own personal information through a network (wide area / large capacity relay network 43). It is information that can identify the identification information used to identify the provided site, and is included in the mail when the person who obtained the personal information sends a mail to the user who is the owner of the personal information. Identification information storage means (database that stores the information that can identify the identification information (trap type VP name as anonymity, KSB and site name in FIG. 44 (a), e-mail address used for each site and address for direct mail) 12a, EEPROM 26) and the mail (E-mail) sent by the person who obtained the personal information to the user who is the owner of the personal information. Direct mail) in included with the site specified based on the identification information and the sender of the email is determined whether match monitor the flow state of the personal information of the user monitoring means (S
516, S522, S523).

(4) The monitoring means is within the permissible distribution range of the personal information that the user has consented to when the user provides his / her own personal information to the site specified based on the identification information (in the XML store 50). When the sender of the mail is not included in the distribution allowable range specified by the privacy policy stored in the database 72), it is determined to be inappropriate (NO in S523).

(5) A personal information protection device for protecting personal information on a network (wide area / large capacity relay network 43) by using a computer system, in which a user can access his / her own personal information through the network. This is information that can identify identification information used to identify the provided site, and if the person who obtained the personal information sends a mail (e-mail, direct mail) to the user who is the owner of the personal information, Information that can identify the identification information that will be included in the email (trap type VP as anonymous
Identification information storage means (S622, EEPR) for storing name, KSB of FIG. 44 (a), site name, e-mail address used for each site and address for direct mail)
OM26) and, when the user accesses the site through the network, if the identification information used to identify the site is already stored in the identification information storage means, the stored identification information is stored as A personal information protection device including identification information use control means (S623 to S628) for performing processing for use on a site.

(6) Registration processing means (S440) for performing processing for registering information capable of specifying the correspondence relationship between the user and the identification information used by the user at a predetermined institution (financial institution 7) having a confidentiality obligation. The personal information protection device further includes:

(7) The identification information is anonymity (trap type VP name) used by the user for each site (see FIG. 11).

(8) The personal information protection device performs an electronic certificate issuing process for issuing the anonymous electronic certificate used when the user acts on the network using the anonymity. It further includes means (S441).

(9) The electronic certificate is issued by a prescribed institution (financial institution 7) having a confidentiality obligation, which registers information that can identify the correspondence between the user and the identification information used by the user, It proves that the user who uses the anonymous is a user registered in the predetermined institution.

(10) Address setting means (S11) for performing processing for setting an address when the user acts on the network using the anonymity to an address different from the address of the user (address of the convenience store 2). , S12)
The personal information protection device further includes:

(11) The address setting means sets an address of a predetermined convenience store (S11, S12).
reference).

(12) In the personal information protection apparatus, when the user accesses the site to act on the network using the anonymity, the user acts on the network using his real name (for example, Taro). It further includes identification data control processing means (S590 to S602) for performing processing for preventing the identification data (cookie) transmitted from the site side to identify the user from being transmitted to the site to be accessed.

(13) The identification data control processing means is a site accessed using the anonymity (for example, M
Anonymous corresponding identification data storage means (S595, S276, for storing only the identification data (cookie) sent from TT, MEC, etc.) as the identification data dedicated to the anonymity.
When the user uses the anonymity to access the site specified by the anonymity, the cookie data storage area of the EEPROM 26 (see FIG. 11) will be searched for in the anonymity-corresponding identification data storage means and the Identification data search and transmission means (S623 to S628) for indexing corresponding identification data and transmitting the identification data to the site.
Includes and.

(14) The personal information protection device uses which anonymity as the action history (access history such as which site is accessed) when the user acts on the network using the anonymity. Behavior history data storage means (database 12
a (see FIG. 4)), and the action is performed when the user is requested to provide action history data on the network using another anonymity of the user from the site accessed using the anonymity. Action history data providing processing means (S) for performing a process for searching the history data storage means and providing the action history data using the other anonymous to the site.
530 to S546).

(15) The personal information protection device notifies the action history data providing processing means of anonymity and provides the action history data on the network using another anonymity of the user who uses the anonymity. Is requested (when the user's name has been transmitted and the determination in S535 is YES), whether the requester matches the site specified based on the notified anonymity. It further includes a monitoring unit (S548) that determines whether or not the distribution state of the personal information of the user is monitored. .

(16) Since the personal information protection device stores a common credit number for a plurality of types of anonymity used by a user (credit number of VP real name) in a form that can be indexed from each anonymity. Credit number storage processing means (S438 to S440)
When the user makes a credit settlement on the network using the anonymity, the inquiry about the presence or absence of the credit number corresponding to the anonymity is accepted from the credit company, and the credit number registered by the credit number registration processing means. And a notification unit (S560 to S574) for performing processing for determining whether or not there is a credit number for the anonymous inquired person and notifying the credit company of the determination result.

(17) The personal information protection device receives an electronic mail addressed to the anonymity when the user acts on the network by the anonymity, and the electronic mail can be viewed by a user corresponding to the anonymity. Anonymous e-mail transfer means (S514 to S52) for transferring to an address
2) is further included.

(18) In the personal information protection device, the site specified based on anonymity, which is the address of the electronic mail received by the anonymous electronic mail transfer means, matches the sender of the received electronic mail. The system further includes a monitoring unit that determines whether or not to do so and monitors the distribution state of the personal information of the user.

(19) The monitoring means is installed in a predetermined institution (financial institution 7) that provides a service of determining whether or not it is appropriate for a plurality of users, and the predetermined institution provides the monitoring result by the monitoring means. Reliability calculation means (S550, S) for calculating the reliability of personal information for each site
551) and reliability information providing means (S553) for providing the reliability information calculated by the reliability calculating means.

(20) The anonymity is the name of a site using the anonymity encrypted or decrypted with a key (secret key) that can be used by a user using the anonymity.

(21) A program for protecting personal information on the network (wide-area / large-capacity relay network 43), in which the user accesses the processor (CPU 24) through the network and provides his / her own personal information. Identification information that can be used to identify a site, and if the person who obtained the personal information sends a mail (email, direct mail) to the user who is the owner of the personal information, the information is sent to the mail. Information that can identify the identification information to be included (Trap type VP name, FIG.
Identification information storage means (S622) for storing the KSB shown in (a), the site name, the e-mail address used for each site and the address for direct mail) in the memory (EEPROM 26), and when the user accesses the site through the network. When the identification information used to specify the site is already stored in the memory, the identification information use control means (S62) for performing the process for using the stored identification information for the site.
5 to S627), and a program for functioning.

(22) The identification information is anonymity (trap type VP name) that the user uses for each site,
The processor further identifies the user from the site side when the user acts on the network using the real name (eg Taro) when the user accesses the site to act on the network using the anonymity. The identification data (cookie) transmitted to perform the operation is caused to function as identification data control processing means (S623 to S628) for performing processing for preventing the identification data (cookie) from being transmitted to the site to be accessed.

(23) The identification data control processing means stores only the identification data (cookie) sent from the site accessed using the anonymity in the memory as the identification data dedicated to the anonymity. When the user accesses the site specified by the anonymity using the storage means (S622) and the anonymity thereafter, the memory is searched to identify the identification data stored corresponding to the anonymity. , Identification data search and transmission processing means (S625 to S627) for performing processing for transmitting the identification data to the site.

(24) A program for protecting personal information on the network (wide-area / large-capacity relay network 43), which is the name of the site to which the user accesses the processor (CPU 24) through the network. Is an email address when an anonymous e-mail is received using anonymity (trap type VP name) generated by encrypting or decrypting with a key that can be used by the user (secret key KSB). Anonymous key (public key K
A program for functioning as a conversion unit (S969) for decrypting or encrypting by PB) to return to a plaintext site name.

(25) The processor (CPU 24)
Further, monitoring means (S969, S968) for monitoring the distribution state of the personal information of the user by determining whether or not the name of the site converted by the converting means matches the name of the sender of the received electronic mail. A program that functions as

The present invention is not limited to the above-mentioned (1) to (25), and any combination of two or more selected from (1) to (25) can solve the present invention. It is a means.

[0377]

[Effects of Specific Examples of Means for Solving the Problem] Based on the identification information included in the mail sent to the user who is the owner of the personal information by the person who obtained the user's personal information,
The site that provided the personal information is specified,
It is determined whether the site matches the sender of the mail. If the site that receives the personal information distributes the personal information to other companies and the company that received the personal information sends an e-mail to the user of the personal information, it is included in the e-mail. The site specified based on the existing identification information does not match the name of the vendor who sends the mail. As a result, it is possible to determine that the personal information has been transferred from the first transfer destination site of the user's personal information to another trader.

When the identification information is the anonymity of the user who is properly used for each site, the anonymity is used by the trader who has obtained the personal information to identify the user. The site name of the transfer destination can be specified.

It is inappropriate if the sender of the mail is not included in the permissible distribution range of the personal information that the user consented to when the user provided the personal information to the site specified based on the identification information. If the determination is made, it is possible to perform the appropriateness determination in consideration of the consent of the user's personal information distribution allowable range at the time of transferring the personal information.

When the user accesses the site through the network, if the identification information used to identify the site is already used, a process for using the identification information for the site is performed. Moreover, it is possible to eliminate the waste of using a plurality of types of identification information for the same site.

When the information capable of identifying the correspondence between the user and the identification information used by the user is registered in a predetermined institution that has a confidentiality obligation, for example, between the user and the trader side, the identification of the user and the identification is performed. When a trouble occurs in the correspondence relationship with the information, it becomes possible to refer to the information on the correspondence relationship registered in a predetermined organization.

When the electronic certificate for anonymity is issued, for example, when the user makes a trade, the electronic certificate can be presented to the other party to make an anonymous trade, and the user can be anonymous. It becomes possible to carry out legal acts by using.

If the address used when the user acts on the network using anonymity is set to an address different from the address of the user, the anonymous person who has the address as a clue and the certain user are the same person. It is possible to prevent the inconvenience of being identified as much as possible.

If the address when the user acts on the network using anonymity is the address of the convenience store, the notification destination of the product when the user uses anonymity to perform electronic shopping, for example, becomes the convenience store. Will improve the convenience when going to pick up the product anonymously.

When the user accesses the site by anonymously acting on the network, the identification sent from the site side to identify the user when the user acts on the network by using the real name. Data
If processing is performed to prevent transmission to a site to be accessed, it is possible to prevent the inconvenience of anonymity with the identification data being a clue that a certain user is the same person. it can.

When the identification data sent from the site accessed by using anonymity is stored as identification data dedicated to the anonymity, and the user subsequently accesses the site specified by the anonymity using the anonymity. , When the identification data corresponding to the anonymity is transmitted to the site, the inconvenience that the anonymity with the identification information as a clue and the other anonymity are found to be the same person is prevented as much as possible. be able to.

At that time, if the site accessed by the user using anonymity can provide the action history data using the user's other anonymity to the site, the identification data is a clue. Even if it is possible to prevent the inconvenience that anonymity and other anonymous people are the same person, it is possible to provide behavior history data on the network regarding the same person to the site side, and a more customized user based on the behavior history data. It becomes easier to provide users with desired information and services.

When the user makes a credit settlement on the network by using anonymity, the credit company inquires about the existence of a credit number corresponding to the anonymity, and a common credit number for the anonymity is searched. , It is necessary to register with the credit company up to a common credit number for multiple types of anonymity in order to judge whether or not there is a credit number corresponding to the anonymity inquired and notify the credit company of the judgment result. Therefore, it is possible to prevent the inconvenience that it is possible to detect that the anonymous person who has the common credit number as a clue and the other anonymous person are the same person.

When a user anonymously acts on the network, an e-mail addressed to the anonymity is accepted, and the e-mail is transferred to an e-mail address viewable by the user corresponding to the anonymity. It is possible to prevent the inconvenience of discovering that the anonymous person who has the address as a clue and the other anonymous person are the same person.

When transferring an electronic mail addressed to the anonymity, it is judged whether or not the site specified based on the anonymity which is the address of the electronic mail and the sender of the electronic mail match, and the user's individual Since the distribution state of information is monitored, the monitoring is automatically performed when the electronic mail is transferred, which improves the convenience of the user.

If the reliability regarding the personal information for each site calculated by the reliability calculating means is provided, it becomes a criterion for the user to provide the personal information to the site, and the convenience for the user is improved.

When the site name is encrypted or decrypted with a key that can be used by the user and is made anonymous for the site, the anonymity, which is the address of the mail sent from the trader side, is changed by the key. It can be converted into a site name by decrypting or encrypting.

[Brief description of drawings]

FIG. 1 is a schematic system diagram showing an overall configuration of a personal information protection system.

FIG. 2A is a diagram showing a schematic configuration of a company, and FIG. 2B is a diagram showing a schematic configuration of a user's house.

FIG. 3 is an explanatory diagram showing various data stored in a database installed in a financial institution.

FIG. 4 is an explanatory diagram showing various data stored in a database installed in a financial institution.

FIG. 5 is an explanatory diagram showing various data stored in a database installed in a financial institution.

FIG. 6 is an explanatory diagram showing various data stored in a database installed in a financial institution.

FIG. 7 is an explanatory diagram showing various data stored in a database of an XML store.

FIG. 8 is an explanatory diagram for explaining various kinds of information stored in a database installed in a convenience store.

FIG. 9 is a front view showing a browser phone as an example of a user terminal.

FIG. 10 is a block diagram showing a circuit of a VP IC terminal carried by a user and a diagram showing a breakdown of stored information.

FIG. 11 is a diagram showing a breakdown of cookie data stored in the cookie data storage area of the VP IC terminal.

FIG. 12 is a flowchart showing the processing operation of the VP management server.

FIG. 13A is a flowchart showing a processing operation of the VP management server, and FIG. 13B is a flowchart showing a subroutine program of personal information registration processing.

FIG. 14 is a flowchart showing a subroutine program of trap information registration processing.

FIG. 15 is a flowchart showing a subroutine program of personal information confirmation processing.

FIG. 16 is a flowchart showing a subroutine program for collating personal information and checking distribution.

FIG. 17 (a) is a flowchart showing a subroutine program of personal information collation and distribution check,
(B) is a flowchart showing a subroutine program for selling personal information.

FIG. 18 is a flowchart showing a subroutine program for mail transfer and distribution check.

FIG. 19 is a flowchart showing a subroutine program of another trap type VP access history providing processing.

FIG. 20 is a flowchart showing a subroutine program of a process of collecting and providing reliability ranking information.

FIG. 21 is a flowchart showing the processing operation of the authentication server.

FIG. 22 is a flowchart showing the processing operation of the payment server.

FIG. 23 is a flowchart showing a subroutine program of settlement processing.

FIG. 24A is a flowchart showing a part of a settlement process subroutine, and FIG. 24B is a flowchart showing a legitimate institution certification process subroutine program.

FIG. 25 is a flowchart showing a subroutine program of inquiry processing from the credit card issuing company.

FIG. 26 is a flowchart showing the processing operation of the browser phone.

FIG. 27 is a flowchart showing a subroutine program of VP cookie processing.

28A is a flowchart showing a subroutine program of address, name, and email address transmission processing, and FIG. 28B is a flowchart showing a subroutine program of RP cookie processing.

FIG. 29 is a flowchart showing a subroutine program of VP birth request processing.

FIG. 30A is a flowchart showing a subroutine program of legitimate institution check processing, and FIG. 30B is a flowchart showing a subroutine program of electronic certificate issuance request processing.

FIG. 31A is a flowchart showing a subroutine program of VP input processing, and FIG. 31B is a flowchart showing a subroutine program of RP input processing.

FIG. 32 is an explanatory diagram illustrating an outline of settlement processing by SET.

FIG. 33 is a flowchart showing a subroutine program of VP settlement processing.

FIG. 34 (a) is a flowchart showing a subroutine program of identity verification processing, and FIG. 34 (b) is a flowchart showing a part of a subroutine program of VP settlement processing.

FIG. 35 is a flowchart showing a part of a subroutine program of VP settlement processing.

FIG. 36A is a flowchart showing a subroutine program of a VP Web browser and mail processing, and FIG. 36B is a flowchart showing a subroutine program of false RP access processing.

37A is a flowchart showing a processing operation of the VP IC terminal, and FIG. 37B is a flowchart showing a processing operation of the RP IC terminal.

38A is a flowchart showing a subroutine program of a personal identification number checking process, FIG. 38B is a flowchart showing a subroutine program of a cookie process (for VP), and FIG. 38C is a personal identification process (VP).
(D) is a flowchart showing a subroutine program, and (d) is a flowchart showing a subroutine program of identity verification processing (for RP).

39A is a flowchart showing a subroutine program of data input processing, FIG. 39B is a flowchart showing a subroutine program of user agent operation processing, and FIG. 39C is a subroutine program of usage processing of reload amount. It is a flowchart shown, (d) is a flowchart which shows the subroutine program of RP signature processing, (e) is a flowchart which shows the subroutine program of VP signature processing.

FIG. 40 is a flowchart showing a subroutine program of other operation processing.

FIG. 41 is a flowchart showing a subroutine program of trap type VP processing.

FIG. 42 is a flowchart showing the processing operation of the convenience store server.

43 (a) is a flowchart showing a subroutine program of personal identification number checking processing, FIG. 43 (b) is a flowchart showing a subroutine program of personal identification checking processing, and FIG. 43 (c) is a flowchart showing a subroutine program of settlement processing. is there.

FIG. 44 shows another embodiment, in which (a) shows an I for VP.
It is the trap information stored in the C terminal, (b)
FIG. 7 is a flowchart showing a subroutine program of trap type VP processing, and FIG. 7C is a flowchart showing a control operation of the IC terminal for VP.

[Explanation of symbols]

I is the Internet, 43 is a wide area / large capacity relay network, 1 is a supplier group, 4 is a credit card issuing company group, 7 is a financial institution group, 5 is a member store contract company group, 50 is an XML store, and 2 is a convenience store group. , 45 are companies, 30
Is a browser phone, 54 is a mobile phone network, 55 is a base station,
47 is a user's house, 9 is a VP management server, 10 is a payment server, 11 is an authentication server, 12a and 12b are databases, 72 is a database, 75 is a database, and 19V.
Is an IC terminal for VP, 19R is an IC terminal for RP, and 18 is U
SB port, 26 is EEPROM, 33 is payment approval section,
34 is a payment requesting unit.

Continued front page    (72) Inventor Yutaka Tsukamoto             5-35 Utsukushigaoka, Aoba-ku, Yokohama-shi, Kanagawa             Earth 2 Laurel Intelligence Co., Ltd.             Toto Systems F-term (reference) 5B017 AA07 CA16                 5B085 AA08 AE00

Claims (25)

[Claims] 1. A personal information protection method for protecting personal information on a network by using a computer system, the identification being used by a user to identify a site which is accessed through the network and provides his / her own personal information. An identification information generating step of generating, by using a processor, identification information that is included in the email when the person who has obtained the personal information sends the email to the user who is the personal information owner; A personal information providing step in which a user accesses a site and provides personal information using the identification information generated in the identification information generating step; and a person who has obtained the personal information provided in the personal information providing step The site specified based on the identification information included in the email sent to the user who is the personal information owner And a monitoring step of monitoring whether the distribution state of the personal information of the user is determined by determining whether the sender of the email matches. 2. The personal information protection method according to claim 1, wherein the identification information is anonymity of users who are selectively used for each site. 3. A personal information protection device for protecting personal information on a network using a computer system, the identification being used for identifying a site that a user has accessed through the network and provided his / her personal information. Information that can specify information and that can identify identification information that will be included in the mail when the person who obtained the personal information sends a mail to the user who is the owner of the personal information Identification information storage means, the site specified based on the identification information included in the email sent by the person who obtained the personal information to the user who is the personal information owner, and the sender of the email match. A personal information protection device, comprising: a monitoring unit that determines whether or not to do so and monitors the distribution state of the personal information of the user. 4. The monitoring means is arranged such that the sender of the mail is within the allowable distribution range of the personal information that the user has consented to when the user provides his / her own personal information to the site specified based on the identification information. The personal information protection device according to claim 3, wherein when it is not included, it is determined that it is inappropriate. 5. A personal information protection device for protecting personal information on a network using a computer system, the identification being used for identifying a site that a user has accessed through the network and provided his / her personal information. Information that can specify information and that can identify identification information that will be included in the mail when the person who obtained the personal information sends a mail to the user who is the owner of the personal information is stored. If the identification information storage means and the identification information used to identify the site when the user accesses the site through the network are already stored in the identification information storage means, the stored identification information A personal information protection device, including: identification information use control means for performing a process for using the above information for the site. 6. The method according to claim 3, further comprising registration processing means for performing processing of registering information capable of specifying a correspondence relationship between a user and the identification information used by the user at a predetermined institution that has a confidentiality obligation. Item 6. The personal information protection device according to any one of items 5. 7. The personal information protection apparatus according to claim 3, wherein the identification information is anonymity used by the user for each site. 8. The electronic certificate issuance processing means for performing a process for issuing the anonymity electronic certificate used when the user acts on the network using the anonymity. Personal information protection device described in. 9. The electronic certificate is issued by a prescribed institution that has a confidentiality obligation and registers information that can identify a correspondence relationship between a user and the identification information used by the user,
The personal information protection device according to claim 8, which proves that the user who uses the anonymity is a user registered in the predetermined institution. 10. The method according to claim 7, further comprising an address setting unit configured to set an address when the user acts on the network using the anonymity to an address different from the address of the user. 9. The personal information protection device according to any one of 9. 11. The personal information protection apparatus according to claim 10, wherein the address setting unit sets an address of a predetermined convenience store. 12. When the user accesses the site to act on the network using the anonymity, the site side transmits the user to identify the user when the user acts on the network using the real name. 12. The personal information protection apparatus according to claim 7, further comprising an identification data control processing unit that performs processing for preventing the transmitted identification data from being transmitted to an access site. 13. The identification data control processing means stores anonymity-corresponding identification data storage means for storing only the identification data sent from a site accessed using the anonymity as identification data dedicated to the anonymity, and a user thereafter. When using the anonymity to access the site specified by the anonymity, the anonymity-corresponding identification data storage means is searched to identify the identification data corresponding to the anonymity, and the identification data is transmitted to the site. The personal information protection device according to any one of claims 7 to 12, further comprising: identification data search and transmission means. 14. An action history data storage means for storing an action history when a user acts on a network using the anonymity in a form that can specify which anonymity is used, and a user uses the anonymity. From the site side accessed by
When it is requested to provide action history data on the network using another anonymity of the user, the action history data storage means is searched to obtain the action history data using the other anonymity on the site. And a behavior history data providing processing unit that performs a process for providing the action history data.
The personal information protection device described in 3. 15. When the action history data providing processing means is notified of anonymity and requested to provide action history data on a network using another anonymity of the user who uses the anonymity, 15. The monitoring device according to claim 14, further comprising a monitoring unit that determines whether or not the requester and the site specified based on the notified anonymity match and monitors the distribution state of the personal information of the user. Personal information protection device. 16. A credit number storage processing unit for performing processing for storing a common credit number for anonymity of a plurality of types used by a user in a form that can be indexed from each anonymity; When credit settlement is performed on the network using anonymity, the inquiry about the presence or absence of the credit number corresponding to the anonymity is accepted from the credit company, and the credit number registered by the credit number registration processing means is searched to retrieve the credit number. 16. A notification unit for determining whether or not there is a credit number corresponding to anonymity inquired and notifying the credit company of the determination result. Personal information protection device. 17. An anonymous addressee, which accepts an electronic mail addressed to the anonymous when the user acts on the network by the anonymity, and transfers the electronic mail to an electronic mail address viewable by a user corresponding to the anonymous name. The personal information protection apparatus according to any one of claims 7 to 16, further comprising a mail transfer unit. 18. A determination is made as to whether or not the site specified based on anonymity, which is the address of the electronic mail received by the anonymous electronic mail transfer means, matches the sender of the received electronic mail. The personal information protection apparatus according to claim 17, further comprising a monitoring unit that monitors a distribution state of the personal information of the user. 19. The monitoring means is installed in a predetermined institution that provides a personal information monitoring service to a plurality of users,
A reliability calculation means for collecting the monitoring results of the monitoring means to calculate the reliability of personal information for each site, and a reliability for providing the reliability information calculated by the reliability calculation means to the predetermined organization. The personal information protection apparatus according to any one of claims 3 to 18, further comprising: an information providing unit. 20. The anonymity is obtained by encrypting or decrypting a name of a site that uses the anonymity with a key that can be used by a user who uses the anonymity.
9. The personal information protection device according to any one of 9. 21. A program for protecting personal information on a network, the processor being capable of identifying identification information used for identifying a site that a user has accessed through the network and provided his / her own personal information. Identification information storage for storing, in a memory, information that can identify the identification information to be included in the mail when the person who obtained the personal information sends a mail to the user who is the personal information owner Means and, when the user accesses the site through the network, if the identification information used to identify the site is already stored in the memory, the stored identification information is stored for the site. Identification information use control means for performing processing for use, and a program for causing it to function. 22. The identification information is anonymity used by the user for each site, and if the user further accesses the site to act on the network using the anonymity, the user uses the real name. A function as an identification data control processing means for performing a process of preventing the identification data transmitted from the site side to identify the user when acting on the network using 21. The program according to 21. 23. Anonymity-corresponding identification data storage means for storing, in the memory, only the identification data sent from a site accessed using the anonymity in the memory as identification data dedicated to the anonymity. When the user subsequently uses the anonymity to access the site specified by the anonymity, the user searches the memory to identify the identification data stored corresponding to the anonymity, 23. The program according to claim 22, further comprising identification data search and transmission processing means for performing processing for transmission to a site. 24. A program for protecting personal information on a network, wherein a processor encrypts or decrypts a name of a site accessed by a user through the network with a key usable by the user. When using anonymity generated by using the above, when receiving an e-mail addressed to anonymity, it functions as a conversion means to decrypt or encrypt the anonymity that is the address of the e-mail with a key and return it to the plaintext site name A program to let you. 25. The processor further determines whether or not the name of the site converted by the conversion means and the name of the sender of the received electronic mail match to determine the distribution status of the personal information of the user. The program according to claim 24, which is caused to function as monitoring means for monitoring.